Trust Center

Last updated: February 10, 2026

Privacy Is At The Core Of How We Built Tamloot

Tamloot is built for professionals who run on conversations — coaches, therapists, consultants, advisors, and the many others whose work depends on what happens in a 1-on-1. We know how sensitive those conversations are, and every layer of the platform is designed to protect the privacy of the people you work with.

HIPAA — for professionals who need it (In Progress)

Some of the professionals who use Tamloot — such as therapists and other licensed healthcare providers — are Covered Entities under the Health Insurance Portability and Accountability Act (HIPAA). For those customers, Tamloot is actively working toward operating as a Business Associate and processing Protected Health Information (PHI) on their behalf. If HIPAA does not apply to your practice, the same privacy and security controls described on this page still protect your data.

Business Associate Agreements (BAAs): We are working to offer BAAs to customers whose practice requires one. If you need a BAA, please contact us at contact@tamloot.cc and we will work with you to provide one.

PHI we process (when applicable): session recordings, transcripts, AI-generated notes, contact details for the people you work with, and meeting preparation materials.

Rights of the people you work with: if you are someone whose practitioner uses Tamloot and HIPAA applies to that practitioner, your HIPAA rights (such as access, amendment, and accounting of disclosures) are exercised through them — the Covered Entity — not directly through Tamloot. Please contact your practitioner to exercise these rights.

Data Handling

Every piece of data — including any health information we process on behalf of regulated customers — moves through a secure pipeline designed for confidentiality at every step:

  • Session recordings are captured via our desktop app, Chrome extension, mobile app, or file upload, transmitted over TLS, and stored encrypted at rest (AES-256).
  • Transcripts are generated by our transcription provider under a BAA, then stored encrypted in our database.
  • AI-generated notes (summaries, key themes, action items) are produced by our AI provider with zero data retention and never used to train AI models.
  • Data about the people you work with (names, contact information, session history) is stored in our database with Row Level Security (RLS), ensuring each user can only access their own data.

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. Row Level Security in our database ensures complete user isolation — your data is never accessible to other users.

Sub-Processors

The following vendors process data on our behalf. For customers operating under HIPAA, we maintain Business Associate Agreements with the sub-processors that handle Protected Health Information.

Vendor     | Role                                 | Data Accessed                 | BAA Status
Supabase   | Database & authentication            | All PHI (encrypted at rest)   | In place
AWS        | Cloud infrastructure & audio storage | Audio files, compute          | In place
Anthropic  | AI notes, meeting prep, copilot      | Transcripts (zero retention)  | In place
ElevenLabs | Speech-to-text transcription         | Audio recordings              | In place
Vercel     | AI API hosting & web hosting         | Transcripts (in transit)      | In place
Recall.ai  | Desktop meeting recording            | Meeting audio/video           | In place
Hookdeck   | Webhook routing                      | Webhook payloads (in transit) | In place
Google     | Authentication & calendar            | OAuth tokens, calendar events | N/A (no PHI)
Zoom       | Video conferencing integration       | Meeting links                 | N/A (no PHI)

Security Controls

  • Encryption at rest — All data stored in our databases and file storage is encrypted using AES-256.
  • Encryption in transit — All data transmitted to and from our servers uses TLS 1.2 or higher.
  • Row Level Security (RLS) — PostgreSQL policies enforce that users can only access their own data at the database level.
  • Access controls — Role-based access controls limit internal access to production systems and data.
  • Webhook signature verification — All incoming webhooks are verified using HMAC-SHA256 signatures, so payloads that were forged or altered in transit are rejected before they are processed.
  • Secure infrastructure — Our services run on AWS and Supabase with industry-standard security configurations.
  • Authentication — User authentication is handled via Supabase Auth with support for Google OAuth, Apple Sign-In, and email/password.

Planned enhancements: We are committed to implementing multi-factor authentication (MFA) for dashboard access and comprehensive audit logging for all PHI access events.

Data Retention

  • Account data — Retained while your account is active and for 30 days after deletion for recovery.
  • Client and session data — Retained until you delete it or close your account.
  • Session recordings — Retained according to your account settings or until you delete them.
  • Usage logs — Retained for up to 12 months for security and analytics.
  • Audit logs — Retained for a minimum of 6 years in line with HIPAA requirements (compliance in progress).

For complete details, see our Privacy Policy.

Incident Response

We are building a breach notification procedure that meets HIPAA requirements for customers who need it and follows good security practice for everyone else. In the event of a breach affecting your data:

  • We will notify affected customers without undue delay. For customers operating as HIPAA Covered Entities, notification will be made without unreasonable delay and no later than 60 calendar days after we discover the breach, in line with HIPAA breach notification requirements for Business Associates.
  • Our notification will include the nature of the breach, the types of information involved, the steps we are taking, and recommendations for affected individuals.

If you have a security concern or want to report a potential vulnerability, please contact us at contact@tamloot.cc.

Ask a Question or Request a BAA

Have questions about our security posture, how we handle data, or how we protect the people you work with? Need a Business Associate Agreement for a HIPAA-regulated practice? We're here to help.

contact@tamloot.cc