Privacy Policy

Effective Date: February 21, 2026 · Last Updated: March 16, 2026

Therapii (“we,” “us,” or “our”) operates the Therapii mobile application and the website located at therapii.net (collectively, the “Platform”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Platform. By accessing or using Therapii, you agree to the terms of this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

  • Account Information. When you create a Therapii account, we collect your name, email address, phone number, and role selection (client, provider, partner, or admin).
  • Provider Credentials. If you register as a provider, we collect professional license numbers, insurance documentation, certification details (including experience start dates), and uploaded credential documents. This information is used to verify your qualifications and maintain platform trust.
  • Partner Space Information. If you register as a space partner, we collect business details, space descriptions, operating hours, photos, and related documentation.
  • Payment Information. Payment card details are collected and processed by our payment processor, Stripe. We do not store full card numbers on our servers. We store Stripe customer IDs and payment method references to facilitate transactions.
  • Booking and Appointment Data. When you book or provide services, we collect service preferences, scheduling information, location choices, client notes, gender preferences, and session details.
  • Guest Client Information. If you attend an event, sign up for a shift appointment, or are added as a party booking guest, the organizer or provider may provide your name, phone number, and gender on your behalf.
  • Reviews and Ratings. We collect reviews, star ratings, and comments you submit about providers and services, including reviews submitted via tokenized guest review links.
  • Communications. We collect messages sent through the in-app messaging system, as well as any communications you send to our support team.

1.2 Information Collected Automatically

  • Location Data. With your permission, we collect precise location data to match you with nearby providers, verify appointment check-ins (within approximately 1,000 feet), and determine service area eligibility. You can disable location services at any time through your device settings.
  • Device and Usage Information. We collect device type, operating system, app version, push notification tokens, and general usage patterns to improve our services and deliver notifications.

1.3 Information from Third Parties

  • Background Checks. For providers, we receive background check results from Checkr, Inc. including check status and disposition (clear, consider, or adverse action). We do not receive or store the underlying criminal record details.
  • Payment Processing. Stripe provides us with transaction confirmations, payout statuses, and Connect account verification results.

2. How We Use Your Information

We use the information we collect to:

  • Operate, maintain, and improve the Platform
  • Match clients with qualified, available providers based on service type, location, scheduling, credentials, and preferences
  • Process payments, calculate commissions, and distribute payouts to providers and partners
  • Verify provider credentials, licenses, insurance, and background check status
  • Send transactional notifications about bookings, appointments, reviews, and account activity via in-app notifications, push notifications, and SMS
  • Facilitate reviews and ratings to maintain service quality
  • Enforce cancellation and no-show policies
  • Provide customer support
  • Comply with legal obligations, including tax reporting (1099-K via Stripe)
  • Detect and prevent fraud, abuse, and security threats
  • Maintain safety features, including appointment timer monitoring

3. SMS Communications

Therapii uses SMS messaging (powered by Twilio) for certain transactional communications:

  • Event Confirmations. When you sign up for an event time slot and provide your phone number, you will receive an SMS confirming your appointment details, including a cancellation link and a link to change your time slot.
  • Review Links. After receiving a service, guest clients may receive an SMS with a link to leave a review of their experience.
  • Account Signup Links. Event attendees may receive an SMS with a link to create a Therapii account, tied to the provider who served them.

These SMS messages are sent only when a phone number has been voluntarily provided during event sign-up or at the point of service. Message frequency is limited to the specific service interaction. SMS messages are rate-limited to prevent duplicate sends.

Opting Out: You can opt out of SMS messages at any time by replying STOP to any message. Reply HELP for assistance. Message and data rates may apply. Message frequency varies.

4. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

  • Between Platform Participants. When a booking is created, relevant information (name, service details, scheduling, location, and contact information) is shared between the client, provider, and space partner involved in that transaction. Provider profiles, including ratings, credentials status, and services offered, are visible to clients during the booking process.
  • Service Providers. We share information with third-party services that help us operate the Platform:
    • Stripe — payment processing, payouts, and tax reporting
    • Checkr — provider background checks
    • Twilio — SMS message delivery
    • Expo — push notification delivery
    • Supabase — database hosting and authentication
  • Legal Requirements. We may disclose information when required by law, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers. In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction. We will notify you of any such change.

5. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • All data is transmitted over HTTPS/TLS encryption
  • Authentication is handled via Supabase Auth with secure token management
  • Row-level security (RLS) policies restrict database access so users can only view their own data unless explicitly shared through a booking or platform relationship
  • Payment card data is handled entirely by Stripe and never stored on our servers
  • Sensitive credentials (API keys, secrets) are stored in secure environment variables, not in application code
  • Background check results are limited to status information; detailed reports are retained only by Checkr
  • SMS logs are accessible only to service-role functions and are not exposed to end users

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Account Data. We retain your account information for as long as your account is active. You may request account deletion at any time.
  • Booking and Payment Records. Transaction records are retained as required for financial reporting, tax compliance, and dispute resolution purposes.
  • Notifications. Read notifications are automatically purged after a configurable retention period (default 90 days). Unread notifications are retained until read or account deletion.
  • SMS Logs. SMS delivery logs are retained for rate-limiting, auditing, and TCPA compliance purposes.
  • Reviews. Reviews and ratings are retained indefinitely to maintain provider rating accuracy and platform trust, unless you request removal.

7. Your Rights and Choices

  • Access and Correction. You can view and update your profile information at any time through the app.
  • Account Deletion. You may request deletion of your account and associated data by contacting us at support@therapii.com. Certain data may be retained as required by law or for legitimate business purposes (e.g., financial records, dispute resolution).
  • Location Data. You can disable location services through your device settings. Note that this may limit certain features such as provider matching and appointment check-in verification.
  • Push Notifications. You can disable push notifications through your device settings. In-app notifications will continue to be delivered regardless.
  • SMS Messages. Reply STOP to any SMS message to opt out. Reply HELP for assistance.

8. State Privacy Rights

Depending on where you reside, you may have additional privacy rights under state law. The following is a summary of rights available under various state consumer privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), Montana Consumer Data Privacy Act (MCDPA), and similar laws enacted in Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, and Minnesota.

Subject to applicable law and certain exceptions, you may have the right to:

  • Right to Know / Access. Request information about the categories and specific pieces of personal information we have collected about you, and how we use and share it.
  • Right to Delete. Request deletion of your personal information, subject to certain legal exceptions (e.g., records required for tax compliance or dispute resolution).
  • Right to Correct. Request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale or Targeted Advertising. We do not sell your personal information, and we do not use your personal information for targeted advertising based on cross-site tracking.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights.
  • Right to Data Portability. Where applicable, request a copy of your personal information in a portable, readily usable format.
  • Right to Appeal. If we deny your privacy request, you may have the right to appeal that decision. We will provide instructions for submitting an appeal with any denial.

To exercise any of these rights, contact us at support@therapii.com. We will verify your identity before processing your request and respond within the timeframe required by applicable law (typically 45 days, with extensions where permitted).

Additional California Disclosures (CCPA/CPRA)

In the preceding 12 months, we have collected the categories of personal information described in Section 1 of this policy. We collect this information for the business purposes described in Section 2. We do not sell personal information as defined under the CCPA. We share personal information with the categories of third parties described in Section 4 for business purposes. California residents may designate an authorized agent to submit requests on their behalf by providing written authorization to the agent and verifying their identity with us.

9. Children's Privacy

Therapii is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete that information promptly.

10. Third-Party Links

The Platform may contain links to third-party websites or services (such as Stripe Express dashboards for provider earnings and tax forms). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the Platform or by other means. The “Last Updated” date at the top of this page indicates when the policy was most recently revised. Continued use of the Platform after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Data Protection

The following data protection provisions are incorporated into this Privacy Policy as additional technical and procedural safeguards.

1. Introduction & Scope

Therapii (“we,” “us,” or “our”) operates a three-sided wellness marketplace connecting clients, service providers, and space partners through the Therapii mobile application and the website located at therapii.net (collectively, the “Platform”). This Data Protection Policy (“Policy”) describes how we collect, process, store, and protect personal data across all Platform participants.

This Policy applies to all individuals who interact with the Platform, including:

  • Clients — individuals who book wellness services such as massage, bodywork, and biohacking treatments
  • Providers — licensed wellness professionals who offer services through the Platform
  • Partners — space owners who rent physical locations to providers via the Platform's sell, community, and staffing marketplace modes
  • Guest Clients — non-registered individuals whose information is provided by organizers in connection with shift appointments, party bookings, or multi-provider events
  • Website Visitors — individuals who access therapii.net without creating an account

This Policy supplements the Privacy Policy above with additional technical and procedural detail regarding data protection safeguards. Where this Policy and the Privacy Policy conflict, the more protective provision shall control. This Policy should also be read in conjunction with our Terms and Conditions, which govern use of the Platform.

2. Data Controller

Therapii is the data controller responsible for determining the purposes and means of processing personal data collected through the Platform. As data controller, Therapii is accountable for ensuring that all processing activities comply with applicable data protection laws.

For all inquiries regarding data protection, you may contact us at:

Where providers or partners independently determine how they use personal data obtained through the Platform (for example, a provider maintaining their own client records outside the Platform), they act as independent data controllers and are responsible for their own compliance with applicable data protection laws.

3. Legal Basis for Processing

We process personal data only when we have a valid legal basis to do so. The legal bases upon which we rely include:

3.1 Contractual Necessity

Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes creating and managing your account, facilitating bookings between clients and providers, processing payments, distributing payouts, verifying provider credentials, and operating the marketplace.

3.2 Legitimate Interest

Processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights. Our legitimate interests include maintaining platform safety and integrity, preventing fraud and abuse, improving the quality and performance of our services, operating the provider matching algorithm (which scores providers based on rating, experience, and review count), and conducting analytics to enhance the user experience.

3.3 Consent

Where required by law, we obtain your explicit consent before processing certain categories of data. This includes collecting precise GPS location data (which you may revoke at any time via device settings), sending push notifications, and sending SMS messages to guest clients. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

3.4 Legal Obligation

Processing is necessary for compliance with a legal obligation to which Therapii is subject. This includes maintaining financial and tax records (e.g., data required for 1099-K reporting via Stripe Connect), responding to lawful requests from law enforcement or regulatory authorities, complying with the Fair Credit Reporting Act (FCRA) in connection with background checks conducted through Checkr, and retaining records as required by the Telephone Consumer Protection Act (TCPA) for SMS communications.

4. Data We Collect

We collect and process the following categories of personal data, organized by type:

4.1 Personal Identification Data

  • Full name (first and last)
  • Email address
  • Phone number
  • Mailing address (city, state, ZIP code)
  • Profile photo
  • Gender (optional; used for client matching preferences)
  • Bio and personal description (providers and partners)
  • Role selection (client, provider, partner)

4.2 Professional Credentials

For providers who register on the Platform, we collect:

  • Professional license numbers and issuing state
  • Insurance policy documentation and expiration dates
  • Certification details, including experience start month and year
  • Uploaded credential documents (license images, insurance certificates)
  • State-by-state credential approval status (computed from submitted credentials and maintained in the provider state approvals system)

4.3 Financial Data

  • Stripe Customer IDs — role-specific identifiers (client, provider, and partner) that reference your payment profile within Stripe. We do not store full credit card numbers, CVVs, or bank account numbers on our servers.
  • Stripe Connect Account IDs — for providers and partners who receive payouts through the Platform via Stripe Express accounts
  • Payment method references — tokenized references to saved cards or payment methods, stored by Stripe
  • Transaction records — amounts, dates, booking references, commission calculations, payout statuses, and tip amounts
  • Space fee and pricing data — base rates, premium fees, resale markup amounts for partner spaces

4.4 Location Data

  • GPS coordinates — collected with your permission for provider-client matching, appointment check-in verification (within approximately 1,000 feet of the service location), and no-show documentation
  • Service areas — provider-defined geographic service regions used for matching
  • Partner space locations — addresses and coordinates of registered partner spaces

4.5 Booking & Appointment Records

  • Service type, duration, and pricing selections
  • Scheduling information (date, time, recurring patterns)
  • Booking status lifecycle (pending, confirmed, initiated, completed, cancelled, no-show)
  • Party booking details (party ID, position, treatment type, simultaneous vs. sequential)
  • Multi-provider event records (provider assignments, headcount)
  • Shift booking details (staffing mode assignments, shift rates)
  • Cancellation records and policy tier applied
  • Client notes and special requests
  • Gender preferences

4.6 Communication Records

  • In-app messages between platform participants
  • In-app notification history (booking updates, review prompts, credential alerts)
  • SMS delivery logs (message content, recipient, delivery status, timestamps)
  • Push notification delivery records
  • Support communications

4.7 Guest Client Data

For individuals who receive services through shift appointments, party bookings, or multi-provider events without holding a Platform account, we collect data provided by the booking organizer or partner:

  • Name
  • Phone number
  • Gender (for provider matching preferences)
  • Appointment details and service received
  • Review data (if submitted via tokenized guest review link)

Guest client data is provided by third parties (organizers, partners) on behalf of the guest. Guest clients who receive SMS communications may opt out by replying STOP to any message.

4.8 Background Check Status

For providers, we receive background check status information from Checkr, Inc., our FCRA-compliant background check provider. We store only the check status and disposition (e.g., clear, consider, adverse action) and the status flow progression (invited, invitation completed, pending, engaged, clear/consider/adverse action). We do not receive, store, or have access to the underlying criminal history records or detailed background check reports. Those records are retained and managed by Checkr in accordance with their own privacy practices and FCRA requirements.

4.9 Device & Usage Data

  • Push notification tokens (Expo push tokens for notification delivery)
  • Device operating system and version
  • Application version
  • General usage patterns and feature interactions
  • Authentication session data (secure tokens managed by Supabase Auth)

5. Data Processing Activities

The following table summarizes our primary data processing activities, the categories of data involved, the legal basis for each activity, and the applicable retention period:

| Data Type | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- |
| Account information (name, email, phone) | Account creation, authentication, communication | Contractual necessity | Active account + 30 days post-deletion |
| Professional credentials | Provider verification, state approval, platform trust | Contractual necessity; legal obligation | Provider account duration + 1 year |
| Payment & financial data | Payment processing, payout distribution, tax reporting | Contractual necessity; legal obligation | 7 years (tax/legal compliance) |
| GPS location data | Provider matching, appointment check-in, no-show verification | Consent | Session-based; not persisted beyond check-in event |
| Booking & appointment records | Service facilitation, dispute resolution, analytics | Contractual necessity | 7 years (tax/legal compliance) |
| In-app notifications | Transactional alerts, booking updates, review prompts | Contractual necessity; legitimate interest | 90 days after read (configurable); unread retained until read or account deletion |
| SMS delivery logs | Transactional messaging, rate-limiting, TCPA compliance | Consent; legal obligation | Retained for TCPA compliance |
| Reviews & ratings | Platform integrity, provider quality, consumer trust | Legitimate interest | Indefinite (platform integrity) |
| Background check status | Provider safety verification | Contractual necessity; legal obligation | Provider account duration |
| Guest client data | Shift/party/event appointment facilitation, review collection | Legitimate interest; consent (SMS) | Duration of associated booking + 90 days, or until account creation |
| Device & usage data | Push notification delivery, service improvement, debugging | Legitimate interest | Active account duration; tokens refreshed per session |
| Communication records | Dispute resolution, support, platform integrity | Contractual necessity; legitimate interest | Active account + 1 year post-deletion |

6. Data Storage & Security

We implement comprehensive technical and organizational measures to protect your personal data throughout its lifecycle:

6.1 Infrastructure & Database

  • Supabase (PostgreSQL). All Platform data is stored in a managed PostgreSQL database hosted by Supabase on cloud infrastructure with SOC 2 Type II compliance. Data is encrypted at rest using AES-256 encryption.
  • Row-Level Security (RLS). Database-level access control policies ensure that users can only access their own data unless explicitly authorized through a booking relationship or platform function. RLS policies are enforced at the database engine level, not the application layer, providing defense-in-depth against unauthorized data access.
  • Security Definer Functions. Cross-user data reads required for platform operations (e.g., displaying provider profiles during booking, reading push tokens for notifications) are mediated through security-definer PostgreSQL functions that limit exposed data to only what is necessary for the operation.

6.2 Encryption & Transport Security

  • All data in transit is encrypted using HTTPS/TLS (minimum TLS 1.2)
  • API communications between the mobile application and backend services are encrypted end-to-end
  • Authentication tokens are managed by Supabase Auth with secure JWT-based session management
  • All edge functions require JWT authentication before processing requests

6.3 Payment Data Security

  • Stripe PCI DSS Level 1. All payment card data is collected, processed, and stored by Stripe, which is certified as a PCI DSS Level 1 Service Provider — the highest level of certification in the payment card industry. Therapii never receives or stores full card numbers, CVVs, or bank account details.
  • Tokenization. Saved payment methods are represented as Stripe payment method tokens. Only tokenized references and Stripe customer IDs are stored in our database.

6.4 Secrets & API Key Management

  • All API keys and secrets (Stripe, Checkr, Twilio, Expo) are stored in secure environment variables within the Supabase infrastructure
  • Secrets are never embedded in client-side application code or version control
  • Stripe secret keys are mode-aware (test vs. live), retrieved dynamically at runtime via application settings

6.5 Background Check Data Segregation

Detailed background check reports and underlying criminal history records are retained exclusively by Checkr, Inc. in accordance with FCRA requirements. Therapii stores only status information (e.g., clear, consider, adverse action) and does not have access to the full reports. This segregation ensures that sensitive criminal history data is handled by the specialized, FCRA-compliant provider.

6.6 Security Assessments

We conduct regular security assessments of our Platform, including reviews of RLS policies, edge function authentication, data access patterns, and third-party integration security. Identified vulnerabilities are prioritized and remediated according to severity.

7. Data Retention Schedule

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following table summarizes our retention periods:

| Data Category | Retention Period | Justification |
| --- | --- | --- |
| Account data (profile, contact information) | Active account + 30 days post-deletion request | Allow account recovery; complete pending transactions |
| Booking & payment records | 7 years from transaction date | IRS record-keeping requirements; dispute resolution; 1099-K tax reporting |
| In-app notifications (read) | 90 days after read (configurable) | User experience; storage management |
| In-app notifications (unread) | Until read or account deletion | Guaranteed delivery of important alerts |
| SMS delivery logs | Retained for compliance duration | TCPA compliance; rate-limiting audit trail; opt-out record-keeping |
| Reviews & ratings | Indefinite | Platform integrity; provider quality assurance; consumer protection |
| Background check status | Provider account duration | Ongoing provider eligibility verification |
| Credential documents (licenses, insurance) | Provider account duration + 1 year | Post-termination regulatory audit; dispute resolution |
| Guest client data | Associated booking duration + 90 days, or until account creation | Review collection window; account linking |
| In-app messages | Active account + 1 year post-deletion | Dispute resolution; safety investigations |
| Push notification tokens | Active session; refreshed per device session | Functional requirement for notification delivery |

Upon expiration of the applicable retention period, data is securely deleted or anonymized so that it can no longer be associated with an identifiable individual. Where anonymized data is retained for analytics, it is aggregated and stripped of all personal identifiers.

8. Your Data Rights

Depending on your jurisdiction, you may have certain rights regarding the personal data we hold about you. The following rights are recognized under one or more applicable state privacy laws. We honor these rights regardless of your state of residence to the extent practicable.

8.1 Right to Know / Access

You have the right to request information about the categories and specific pieces of personal data we have collected about you, the purposes for which it is processed, the categories of sources from which it was collected, and the categories of third parties with whom it has been shared. You may also request a copy of the personal data we hold about you.

8.2 Right to Delete

You have the right to request deletion of your personal data. Please note that we may be unable to fully comply with a deletion request where retention is necessary for:

  • Completing a transaction or providing a service you requested
  • Compliance with tax record-keeping requirements (booking and payment records must be retained for 7 years)
  • Detecting security incidents or protecting against fraud
  • Exercising or defending legal claims, including dispute resolution
  • Compliance with a legal obligation
  • Internal uses reasonably aligned with your expectations

8.3 Right to Correct

You have the right to request correction of inaccurate personal data. You can update most account information directly through the Platform. For data that cannot be self-corrected (e.g., historical booking records), contact us and we will correct verifiable inaccuracies.

8.4 Right to Opt Out of Sale

Therapii does not sell personal data to third parties as defined under any applicable state privacy law. We do not engage in the sale of personal information, nor do we use personal data for targeted advertising based on cross-context behavioral tracking. Because we do not sell data, there is no opt-out mechanism required; however, if this practice ever changes, we will provide a clear and conspicuous opt-out mechanism prior to any such sale.

8.5 Right to Non-Discrimination

We will not discriminate against you for exercising any of your data protection rights. You will not receive a different level of service, different pricing, or a different quality of service as a result of exercising your rights under this Policy or applicable law.

8.6 Right to Data Portability

Where applicable under state law, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV). Upon verified request, we will provide an export of your account data, booking history, review history, and other personal data we maintain, formatted for portability.

8.7 Right to Appeal

If we decline a data rights request in whole or in part, you have the right to appeal that decision. We will provide the reason for the denial and instructions for submitting an appeal with any denial response. Appeals will be reviewed by a different team member than the one who made the initial determination. If your appeal is denied, we will provide information about how to contact the applicable state attorney general or data protection authority.

8.8 Right to Limit Use of Sensitive Personal Information

Under certain state laws (including CCPA/CPRA), you may have the right to limit the use and disclosure of sensitive personal information to only what is necessary for performing services you have requested. Sensitive personal information we may process includes precise geolocation data and information regarding your health-related service bookings. We limit our use of such data to what is strictly necessary for providing Platform services, and we do not use sensitive personal information for any secondary purposes.

8.9 State-Specific Applicability

The following table summarizes which rights are available under each state's consumer privacy law. Additional states may enact similar legislation; we will update this table as new laws take effect.

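| Right | CCPA/CPRA (CA) | VCDPA (VA) | CPA (CO) | CTDPA (CT) | TDPSA (TX) | OCPA (OR) | UCPA (UT) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Right to Know / Access | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Delete | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Correct | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Right to Opt Out of Sale | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Non-Discrimination | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Data Portability | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Appeal | No* | Yes | Yes | Yes | Yes | Yes | No |
| Right to Limit Sensitive Data Use | Yes | Consent | Consent | Consent | Consent | Consent | Consent |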

* California does not have a statutory appeal right, but consumers may contact the California Attorney General's office with complaints. Additional states with comprehensive privacy laws (Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota) provide substantially similar rights; we comply with each as applicable.

9. Data Sharing & Third Parties

We do not sell personal data. We share personal data only as described below, and only to the extent necessary for the stated purpose:

9.1 Between Platform Participants

When a booking is created, relevant information is shared between the parties involved in that transaction. This includes the client's name, service preferences, scheduling details, and contact information shared with the assigned provider; provider profile information (name, credentials status, ratings, services) shared with clients during the booking process; and partner space details shared with both clients and providers for location-based bookings. Data sharing between participants is limited to the context of specific bookings and does not extend to general browsing or marketing purposes.

9.2 Stripe (Payment Processing)

We share personal data with Stripe, Inc. for payment processing, payout distribution, and tax reporting. Data shared includes names, email addresses, transaction amounts, and banking information (for Connect Express accounts). Stripe is a PCI DSS Level 1 certified processor. Stripe also facilitates 1099-K tax reporting for providers and partners who meet the IRS reporting threshold; necessary tax identification information is collected and managed by Stripe through its Express dashboard.

9.3 Checkr (Background Checks)

We share provider identification data with Checkr, Inc. to initiate and process background checks. Checkr is an FCRA-compliant consumer reporting agency. Data shared includes provider name, date of birth, Social Security number, and address as required for the background check. Checkr retains the full background check report; Therapii receives only status and disposition information. Providers must consent to the background check before data is shared with Checkr.

9.4 Twilio (SMS Delivery)

We share phone numbers and message content with Twilio Inc. for transactional SMS delivery. This includes review invitation links sent to guest clients and account signup links sent to event attendees. Twilio processes this data as a sub-processor acting on our instructions. SMS messages are transactional only and are not used for marketing purposes.

9.5 Expo (Push Notifications)

We share push notification tokens and notification content with Expo for delivery of push notifications to mobile devices. Push tokens are device-specific identifiers that do not contain personal information. Notification content may include booking details, provider names, and appointment times necessary to convey the transactional alert. Push notifications are best-effort; all notifications are also stored in the in-app notifications table for guaranteed delivery.

9.6 Supabase (Infrastructure)

Supabase provides our database hosting, authentication, file storage, and edge function infrastructure. As our infrastructure provider, Supabase has access to all data stored in our database and storage buckets. Supabase acts as a data processor under our instructions and maintains SOC 2 Type II compliance. Supabase does not independently use, sell, or share our users' personal data.

9.7 Law Enforcement & Legal Requirements

We may disclose personal data when required to do so by law, court order, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to: comply with a legal obligation; protect and defend the rights or property of Therapii; prevent or investigate possible wrongdoing in connection with the Platform; protect the personal safety of users or the public; or protect against legal liability. We will notify affected users of such disclosures unless prohibited by law or court order.

9.8 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction. We will provide notice to affected users before their personal data becomes subject to a different privacy policy. The acquiring entity will be bound by the commitments made in this Policy with respect to data collected prior to the transfer.

10. International Data Transfers

Therapii is based in the United States, and all personal data collected through the Platform is processed and stored in the United States. Our infrastructure providers (Supabase, Stripe) primarily process data within the United States.

If you access the Platform from outside the United States, please be aware that your personal data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Platform, you consent to such transfer.

Where personal data is transferred from a jurisdiction that requires additional safeguards (such as the European Economic Area, United Kingdom, or Switzerland), we will ensure that appropriate transfer mechanisms are in place, including:

  • Standard Contractual Clauses (SCCs). We use EU-approved standard contractual clauses where required to provide adequate safeguards for international data transfers.
  • Adequacy Decisions. Where the European Commission or other relevant authority has determined that a jurisdiction provides an adequate level of data protection, we may rely on that adequacy decision as the basis for transfer.
  • Data Processing Agreements. We maintain data processing agreements with our sub-processors that include appropriate data protection obligations and transfer safeguards.

11. Data Breach Response Protocol

Therapii maintains a data breach response protocol to ensure swift and effective handling of any security incidents involving personal data. Our protocol includes the following phases:

11.1 Detection & Containment (Immediate)

Upon detection or credible report of a suspected data breach, we will immediately initiate containment measures, including: isolating affected systems or accounts; revoking compromised credentials or API keys; preserving evidence and audit logs for forensic analysis; and activating our incident response team. The priority at this stage is to stop the breach from spreading and limit the scope of data exposure.

11.2 Authority Notification (Within 72 Hours)

Where required by applicable law, we will notify the appropriate regulatory authority within 72 hours of becoming aware of a breach involving personal data. The notification will include: the nature of the breach, including the categories and approximate number of individuals affected; the categories of personal data involved; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects. For California residents, we will comply with the California data breach notification requirements under Civil Code Section 1798.82. For residents of other states with breach notification laws, we will comply with the applicable state requirements.

11.3 User Notification (Without Undue Delay)

If a breach is likely to result in a risk to your rights, we will notify affected individuals without undue delay. Notification will be provided via email, in-app notification, and/or Platform announcement, and will include: a description of the breach in plain language; the types of personal data involved; the steps we have taken to address the breach; recommendations for protective measures you can take (e.g., changing passwords, monitoring financial accounts); and contact information for our data protection team.

11.4 Investigation & Remediation

Following containment, we will conduct a thorough investigation to determine the root cause, full scope, and impact of the breach. Remediation measures will be implemented to prevent recurrence, which may include: patching vulnerabilities; updating access controls and RLS policies; enhancing monitoring and alerting; requiring credential resets for affected accounts; and revising security procedures and training.

11.5 Documentation

All data breach incidents will be documented in a breach register, including: the facts surrounding the breach; its effects; the remedial actions taken; and the decision-making process regarding notification obligations. This documentation will be retained for a minimum of five years and made available to regulatory authorities upon request.

12. Children's Data

The Platform is not directed to individuals under 18 years of age. We do not knowingly collect, process, or store personal data from children under 18. Account registration requires users to affirm that they are at least 18 years old.

If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that data from our systems and terminate the associated account. If you believe that a child under 18 has provided personal data to Therapii, please contact us immediately at support@therapii.com so that we can take appropriate action.

Guest client data provided by organizers for shift appointments, party bookings, or events should only include individuals who are 18 years of age or older. Organizers and partners are responsible for ensuring that they do not provide personal data of minors through the Platform.

13. Automated Decision-Making

Therapii uses automated processing in certain aspects of the Platform. We are transparent about how these systems work and the role they play in our services.

13.1 Provider Matching Algorithm

When a client creates a general booking (where no specific provider is selected), our provider matching algorithm automatically evaluates eligible providers using a sequential filtering and scoring process. The algorithm filters providers based on: service category and duration match; geographic proximity and service area; partner space approval status; state credential verification (license, insurance); schedule availability (accounting for existing bookings, calendar blocks, and buffer times); and client preferences (such as gender preference). Eligible providers are then scored based on a composite formula that considers: universal rating (weighted combination of in-app and external ratings); number of reviews (capped contribution); and years of experience.

13.2 Availability Checking

The Platform automatically evaluates provider availability by cross-referencing recurring schedules, calendar events, existing bookings, and partner space hours. This automated process determines which time slots are presented to clients during the booking process.

13.3 Credential Verification

State approval status for providers is computed automatically based on submitted credentials (licenses, insurance, certifications) and refreshed periodically. This affects whether a provider appears in matching results for bookings in a given state. New providers without credentials may receive a temporary grace period.

13.4 Human Oversight

No fully automated decision with legal or similarly significant effect is made without the possibility of human review. Providers always have the ability to accept or decline booking offers generated by the matching algorithm. Credential reviews and background check dispositions marked as “consider” or “adverse action” are reviewed by an administrator before any account action is taken. Users who believe an automated decision has negatively affected them may contact us to request human review.

14. SMS & Communication Data

Therapii uses SMS messaging (powered by Twilio) for transactional communications. This section describes our SMS practices and your rights under the Telephone Consumer Protection Act (TCPA) and related regulations.

14.1 TCPA Compliance

  • Consent. SMS messages are sent only when a phone number has been voluntarily provided during event sign-up, at the point of service, or through account registration. We obtain prior express consent before sending any SMS messages.
  • Transactional Only. All SMS messages sent by Therapii are transactional in nature (e.g., event sign-up confirmations, review invitation links, account signup links, booking confirmations). We do not use SMS for marketing or promotional purposes.
  • Rate Limiting. SMS messages are rate-limited to prevent duplicate or excessive sends. Our system tracks delivery status and prevents redundant messages to the same recipient for the same event.

14.2 Opt-Out

You may opt out of SMS messages at any time by replying STOP to any message received from Therapii. Reply HELP for assistance. After opting out, you will receive a single confirmation message and no further SMS communications. Opting out of SMS does not affect in-app notifications or push notifications, which are controlled separately through device settings.

14.3 Message & Data Rates

Message and data rates may apply depending on your mobile carrier and plan. Message frequency varies based on your interactions with the Platform (e.g., number of shift appointments, event participation). Therapii is not responsible for any charges imposed by your mobile carrier.

14.4 SMS Data Retention

SMS delivery logs (including recipient phone number, message content, delivery status, and timestamps) are retained for TCPA compliance, rate-limiting enforcement, and audit purposes. These logs are accessible only to service-role functions and administrative personnel and are not exposed to end users.

15. Policy Updates

We may update this Data Protection Policy from time to time to reflect changes in our data practices, legal requirements, or Platform features. When we make changes:

  • Material Changes. For material changes to this Policy (such as changes to data sharing practices, new categories of data collected, or changes to retention periods), we will provide at least 30 days' advance notice through the Platform via in-app notification and/or email.
  • Non-Material Changes. Minor clarifications, formatting updates, or changes that do not materially affect your rights may be made without advance notice, though the “Last Updated” date will always reflect the most recent revision.
  • Continued Use. Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you should discontinue use of the Platform and may request account deletion.

We encourage you to review this Policy periodically. This Policy should be read together with the Privacy Policy above and our Terms and Conditions.

16. Contact & Exercising Rights

To exercise any of the data rights described in this Policy, or if you have questions, concerns, or complaints about our data protection practices, please contact us using any of the following methods:

Verification & Response Timeline

When you submit a data rights request, we will verify your identity before processing the request. Verification may require you to confirm your email address, provide identifying information matching your account records, or authenticate via your Platform account.

We will acknowledge receipt of your request within 10 business days and provide a substantive response within 45 calendar days. If additional time is needed due to the complexity or volume of requests, we may extend this period by up to an additional 45 days as permitted by applicable law, and we will notify you of the extension and the reason.

You may designate an authorized agent to submit a request on your behalf. We may require the authorized agent to provide written proof of authorization and may separately verify your identity before processing the request.

If you are not satisfied with our response to your data rights request, you may appeal the decision (see Section 8.7) or contact the attorney general or data protection authority in your state of residence.

Related Policies

This Data Protection Policy should be read in conjunction with: