Trust Center

Last updated: February 10, 2026

Your Clients' Privacy Is Our Priority

Tamloot is designed with healthcare privacy at its core. As a service built for therapists, coaches, and wellness professionals, we understand the sacred nature of the conversations you have with your clients. Every aspect of our platform is built to protect the confidentiality of those interactions.

HIPAA Compliance (In Progress)

Tamloot is actively working toward full HIPAA compliance. We are in the process of establishing our role as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). Our therapist customers are Covered Entities, and we process Protected Health Information (PHI) on their behalf.

Business Associate Agreements (BAAs): We are working to offer BAAs to therapists who need one for their practice. If you require a BAA, please contact us at contact@tamloot.cc and we will work with you to provide one.

PHI we process: Session recordings, transcripts, AI-generated notes, client data entered into the platform, and meeting preparation materials.

Patient rights: If you are a patient whose therapist uses Tamloot, your HIPAA rights (such as access, amendment, and accounting of disclosures) are exercised through your therapist — the Covered Entity — not directly through Tamloot. Please contact your therapist to exercise these rights.

Data Handling

We process Protected Health Information through a secure pipeline designed for confidentiality at every step:

  • Session recordings are captured via our desktop app, Chrome extension, or file upload, transmitted over TLS, and stored encrypted at rest (AES-256).
  • Transcripts are generated by our transcription provider under a BAA, then stored encrypted in our database.
  • AI-generated notes (summaries, key themes, action items) are produced by our AI provider under a BAA, with zero data retention for training.
  • Client data (names, contact information, session history) is stored in our database with Row Level Security (RLS), ensuring each user can only access their own data.

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. Row Level Security in our database ensures complete user isolation — your data is never accessible to other users.

Sub-Processors

The following vendors process data on our behalf. We maintain Business Associate Agreements with all sub-processors that handle Protected Health Information.

Vendor      Role                                  Data Accessed                    BAA Status
Supabase    Database & authentication             All PHI (encrypted at rest)      In place
AWS         Cloud infrastructure & audio storage  Audio files, compute             In place
Anthropic   AI notes, meeting prep, copilot       Transcripts (zero retention)     In place
ElevenLabs  Speech-to-text transcription          Audio recordings                 In place
Vercel      AI API hosting & web hosting          Transcripts (in transit)         In place
Recall.ai   Desktop meeting recording             Meeting audio/video              In place
Hookdeck    Webhook routing                       Webhook payloads (in transit)    In place
Google      Authentication & calendar             OAuth tokens, calendar events    N/A (no PHI)
Zoom        Video conferencing integration        Meeting links                    N/A (no PHI)

Security Controls

  • Encryption at rest — All data stored in our databases and file storage is encrypted using AES-256.
  • Encryption in transit — All data transmitted to and from our servers uses TLS 1.2 or higher.
  • Row Level Security (RLS) — PostgreSQL policies enforce that users can only access their own data at the database level.
  • Access controls — Role-based access controls limit internal access to production systems and data.
  • Webhook signature verification — All incoming webhooks are verified using HMAC-SHA256 signatures to prevent tampering.
  • Secure infrastructure — Our services run on AWS and Supabase with industry-standard security configurations.
  • Authentication — User authentication is handled via Supabase Auth with support for Google OAuth, Apple Sign-In, and email/password.

Planned enhancements: We are committed to implementing multi-factor authentication (MFA) for dashboard access and comprehensive audit logging for all PHI access events.

Data Retention

  • Account data — Retained while your account is active and for 30 days after deletion for recovery.
  • Client and session data — Retained until you delete it or close your account.
  • Session recordings — Retained according to your account settings or until you delete them.
  • Usage logs — Retained for up to 12 months for security and analytics.
  • Audit logs — Retained for a minimum of 6 years in line with HIPAA requirements (compliance in progress).

For complete details, see our Privacy Policy.

Incident Response

We are building a breach notification procedure in accordance with HIPAA requirements (compliance in progress). In the event of a breach of unsecured Protected Health Information:

  • We will notify affected Covered Entities (therapists) within 60 days of discovering a breach, in line with HIPAA requirements.
  • Our notification will include the nature of the breach, the types of information involved, steps we are taking, and recommendations for affected individuals.

If you have a security concern or want to report a potential vulnerability, please contact us at contact@tamloot.cc.

Request a BAA or Ask a Question

Need a Business Associate Agreement for your practice? Have questions about our security posture or data handling? We're here to help.

contact@tamloot.cc