Privacy Policy
Last updated: February 2026
1. Introduction
Senayah ("we", "us", "our") is committed to protecting your privacy and the security of your personal information. This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Senayah platform ("Platform").
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Health Information Protection Act (PHIPA), and other applicable Canadian privacy legislation.
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Full name and email address
- Phone number (optional, for SMS notifications)
- Country code and address
- Account role (client or practitioner)
2.2 Practitioner Information
Practitioners additionally provide:
- Professional license information and number
- Area of practice and specializations
- Professional bio and profile photo
- Session rates and availability
2.3 Health Information
Clients may provide health-related information through:
- Intake forms (encrypted at rest)
- Session notes created by practitioners (encrypted at rest)
- Exercise submissions
- Messages with practitioners
2.4 Payment Information
Payment card details are collected and processed by Stripe, our third-party payment processor. We do not store full credit card numbers on our servers.
2.5 Usage Information
We automatically collect technical information including session join/leave timestamps, pages visited, and device information to improve service quality and troubleshoot issues.
3. How We Use Your Information
We use your information to:
- Provide and maintain the Platform and its features
- Facilitate bookings, video sessions, and messaging between clients and practitioners
- Process payments and generate invoices
- Send appointment reminders and notifications (email and SMS, based on your preferences)
- Respond to support inquiries
- Ensure Platform security and prevent fraud
- Comply with legal obligations
4. Data Security
We implement robust security measures to protect your information:
- Encryption at rest: Sensitive data, including intake forms, session notes, and calendar integration tokens, is encrypted with AES before storage.
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
- Row-Level Security: Database access controls ensure users can only access data they are authorized to view.
- Secure video: Video sessions use encrypted peer-to-peer connections through our video infrastructure provider.
- Access controls: Strict role-based access controls limit data access to authorized personnel.
5. Data Sharing and Disclosure
We do not sell your personal information. We share data only as follows:
- Between clients and practitioners: Information necessary for the therapeutic relationship (appointment details, intake forms, messages).
- Service providers: We use third-party services including Supabase (database hosting), Stripe (payments), Daily.co (video sessions), Resend (email), and Twilio (SMS). These providers are contractually obligated to protect your data.
- Calendar providers: If you connect your Google or Outlook calendar, appointment information is shared with the respective provider at your direction.
- Legal requirements: We may disclose information when required by law, court order, or to protect safety.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide services. Health records are retained in accordance with applicable professional regulations (typically a minimum of 10 years after the last session). When you delete your account, we will anonymize or delete your personal data, except where retention is required by law.
7. Your Rights
Under applicable privacy laws, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your account and personal data (subject to legal retention requirements).
- Data portability: Request a copy of your data in a portable format.
- Withdraw consent: Withdraw consent for optional data processing (e.g., marketing communications, SMS notifications).
To exercise these rights, visit your account settings or contact us at the address below.
8. Consent
By creating an account and using the Platform, you consent to the collection, use, and disclosure of your information as described in this policy. For health information, explicit consent is obtained through intake forms and consent records before services begin.
9. Cookies and Tracking
We use essential cookies required for Platform functionality (authentication, session management). We do not use advertising trackers or sell data to third parties.
10. Children's Privacy
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes by email or through a notice on the Platform. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact our Privacy Officer at:
Email: privacy@senayah.ca
You may also file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.