Privacy Policy

Last updated: March 26, 2026

1. Introduction

yssa ("we", "our", or "us") operates the yssa clinic management platform available at yssa.app. We are committed to protecting the privacy and security of personal and health information entrusted to us by our users and their patients.

This Privacy Policy describes how we collect, use, disclose, and safeguard personal information, including Protected Health Information (PHI) as defined under HIPAA and personal health information as defined under PHIPA and other applicable law. It applies to all users of the yssa platform, including clinic administrators, therapists, staff, and patients.

2. Regulatory Compliance

yssa is designed and operated in compliance with:

  • HIPAA — the Health Insurance Portability and Accountability Act (United States), including the Privacy Rule, Security Rule, and Breach Notification Rule.
  • PIPEDA — the Personal Information Protection and Electronic Documents Act (Canada), which governs the collection, use, and disclosure of personal information in the course of commercial activities.
  • PHIPA — the Personal Health Information Protection Act (Ontario, Canada), governing the collection, use, and disclosure of personal health information by health information custodians.
  • CASL — Canada's Anti-Spam Legislation, governing commercial electronic messages.

Clinics using yssa that qualify as Covered Entities or Business Associates under HIPAA may request a Business Associate Agreement (BAA) by contacting us at yssaapp1@gmail.com.

3. Information We Collect

3.1 Clinic Account Information

When a clinic registers, we collect:

  • Clinic name, address, and contact details
  • Administrator name and email address
  • Account credentials (passwords are hashed and never stored in plain text)

3.2 Patient Information

Clinics may input or collect on behalf of their patients:

  • Name, date of birth, contact information
  • Medical history, diagnoses, and treatment notes
  • Appointment records and billing information
  • Signed consents and intake forms
  • Payment method information (tokenized via Stripe — we do not store raw card numbers)

3.3 Usage Data

We automatically collect certain technical information including IP addresses, browser type, pages visited, and session duration for security monitoring and product improvement.

4. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the yssa platform
  • Process appointments, billing, and clinical records on behalf of clinics
  • Send appointment reminders and notifications to patients (with consent)
  • Ensure platform security and detect fraudulent activity
  • Comply with legal obligations and enforce our Terms of Service
  • Respond to support requests

We do not sell, rent, or share personal health information with third parties for marketing purposes. We do not use patient data to train machine learning models.

5. Data Storage and Security

We implement industry-standard technical and organizational safeguards to protect your information:

  • Encryption in transit: All data is transmitted over TLS 1.2 or higher (HTTPS).
  • Encryption at rest: Database records are stored in encrypted form.
  • Access controls: Role-based access control limits each user to the data their role requires.
  • Audit logging: Access to and modification of patient records and other significant actions are logged with a timestamp and the identity of the acting user.
  • Session security: Sessions automatically expire after 30 minutes of inactivity.
  • Password security: Passwords are hashed using bcrypt and subject to minimum complexity requirements.
  • Payment security: Credit card data is tokenized via Stripe and never stored on our servers. Stripe is PCI DSS Level 1 certified.

6. Data Retention

We retain personal information for as long as a clinic account remains active, and for a reasonable period thereafter to comply with legal obligations. Clinics may request deletion of their data at any time by contacting us. Upon verified request, we will delete or de-identify personal information within 30 days, subject to any legal retention requirements.

7. Disclosure of Information

We may disclose personal information only in the following circumstances:

  • With your consent: We will share information when you have provided explicit consent.
  • Service providers: We work with third-party providers (such as database hosting and email delivery) who process data only on our behalf and are bound by confidentiality obligations.
  • Legal requirements: We may disclose information if required by law, court order, or government authority.
  • Safety: We may disclose information to prevent serious harm to a person.

We do not disclose personal health information to any party for commercial purposes.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Request deletion of your personal information
  • Withdraw consent for certain uses of your information
  • Receive a copy of your data in a portable format
  • Lodge a complaint with a relevant privacy regulator

To exercise any of these rights, please contact us at yssaapp1@gmail.com. We will respond within 30 days.

9. Breach Notification

In the event of a data breach that involves personal health information, we will notify affected clinics and individuals in accordance with applicable law, including HIPAA's Breach Notification Rule, PIPEDA's mandatory breach reporting requirements, and PHIPA's notification requirements. Notifications will be provided without unreasonable delay and no later than 72 hours after we become aware of the breach, which is within the deadlines set by those laws (for example, HIPAA requires notification no later than 60 calendar days after discovery, and PIPEDA requires notification as soon as feasible).

10. Cookies and Tracking

We use session cookies strictly necessary for authentication and platform functionality. We also use Google Analytics to collect anonymized usage data to improve the platform. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

11. Children's Privacy

The yssa platform is intended for use by healthcare professionals and their adult patients. We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify clinic administrators by email. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Officer at:

yssa Privacy Officer

Email: yssaapp1@gmail.com

Website: yssa.app