Privacy Policy
Last updated: May 2, 2026
Introduction
curavidas is a scheduling platform designed for therapists and their clients. This Privacy Policy describes how we collect, use, and protect your personal information when you use our services, including our website, booking widget, and related tools. By using curavidas, you agree to the practices described in this policy.
Information We Collect
We collect different types of information depending on how you interact with curavidas:
From clients:
- Name
- Email address
- Phone number
- Appointment type and scheduling details
- Meeting mode preference (video or phone)
- IP address
- Timezone
From therapists:
- Email address
- Name
- Profile image
- Timezone and calendar provider preference
- Google Calendar list metadata (calendar names, access roles, and IDs) used to let you choose which calendars to sync
- Your calendar selection — which calendar is your primary (where appointments are created) and which additional calendars are checked for busy-time conflicts
- Widget customization settings (colors, fonts, logos, header text)
- Encrypted OAuth tokens (for calendar and video integrations)
How We Use Your Information
We use the information we collect for the following purposes:
- Scheduling and managing appointments between therapists and clients
- Listing your Google calendars so you can choose which ones to sync with curavidas
- Creating, updating, and removing calendar events on your selected primary calendar when appointments are booked, rescheduled, or cancelled
- Querying free/busy times across your selected calendars to prevent double-booking
- Receiving real-time notifications from Google when your primary calendar changes, so appointment availability stays up to date
- Periodically verifying that your calendar connection is still active
- Sending transactional emails, including appointment confirmations, reminders, reschedule notices, and cancellation notices
- Tracking email delivery status (such as whether an email was delivered or bounced) to ensure reliable communication
- Abuse prevention through rate limiting using IP addresses
- Audit logging to maintain the security and integrity of our platform, including recording actions, IP addresses, and user agent information
- Monitoring platform performance and reliability through privacy-friendly analytics
HIPAA and Protected Health Information
curavidas recognizes that scheduling data associated with therapy services may constitute Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). curavidas operates as a Business Associate under HIPAA when handling data on behalf of therapists who are Covered Entities.
To protect PHI, curavidas maintains the following safeguards:
- Sensitive credentials and authentication tokens are encrypted at rest using AES-256-GCM.
- All data is transmitted over TLS-encrypted connections.
- Transactional emails are sent through a HIPAA-compliant, HITRUST-certified email service with an executed Business Associate Agreement (BAA).
- Infrastructure and hosting services are provided by HIPAA-eligible vendors with executed BAAs.
- Access to PHI is limited to the therapist who owns the data and authorized platform administrators for support purposes only.
- Audit logs record access to and actions performed on data containing PHI.
Therapists who are Covered Entities under HIPAA may request a Business Associate Agreement by contacting us at gregory@curavidas.com.
Data Security
We take the security of your data seriously. curavidas implements the following measures to protect your information:
- OAuth credentials are encrypted at rest using AES-256-GCM before being stored in our database.
- All connections between your browser, our servers, and third-party services are encrypted using TLS.
- Rate limiting is applied to all public-facing endpoints to prevent abuse.
- Audit logs track actions performed on the platform for security monitoring.
- Error tracking, when enabled, is configured to scrub personally identifiable information before data leaves our servers.
Cookies & Local Storage
curavidas uses only essential cookies required for the service to function. We do not use tracking cookies or any third-party advertising cookies.
- Session cookie: A single essential cookie managed by NextAuth to maintain your authenticated session.
- Local storage: We may store widget preferences in your browser's localStorage on an opt-in basis. This data stays on your device and is not transmitted to our servers.
Analytics and Monitoring
curavidas uses the following first-party, privacy-friendly tools to monitor platform performance. No third-party advertising trackers are used.
- Vercel Analytics: Collects basic, anonymized session-level usage data to help us understand how the platform is used.
- Vercel Speed Insights: Collects web performance metrics (Core Web Vitals) to help us maintain a fast, responsive experience.
- Error tracking (Sentry): When enabled, collects error reports to help us identify and fix issues. Error reports are configured to scrub personally identifiable information, including client names, email addresses, and phone numbers, before transmission.
Third-Party Services
We integrate with the following third-party services to provide our platform:
- Google Workspace (Google Calendar, Google Meet): For listing your calendars, creating and managing appointment events, querying free/busy availability across your selected calendars, receiving real-time calendar change notifications, and generating video meeting links.
- Zoom: For video appointment links.
- Paubox: For HIPAA-compliant transactional email delivery, including booking confirmations and appointment reminders.
- Supabase: For database hosting and infrastructure.
- Vercel: For application hosting, analytics, and performance monitoring.
Appointment details, including appointment type names and scheduling information, may be shared with these services as necessary to provide the platform's functionality. Each of these services has its own privacy policy. We encourage you to review their policies for information on how they handle your data.
Email Communications
curavidas sends transactional emails related to appointment scheduling, including booking confirmations, reminders, reschedule notices, and cancellation notices. These emails are delivered through Paubox, a HIPAA-compliant, HITRUST-certified email service. We track email delivery status (such as whether an email was successfully delivered or bounced) to ensure reliable communication. You may unsubscribe from non-essential email communications at any time using the unsubscribe link included in each email.
Embeddable Booking Widget
When our booking widget is embedded on a third-party website, client data submitted through the widget is transmitted directly to curavidas and is subject to this Privacy Policy. Analytics tools or tracking scripts already present on the host website may independently collect data about your interaction with the widget. curavidas does not control the data collection practices of third-party websites. Please refer to the privacy policy of the website where you are using the widget for more information.
Data Retention
- Appointment records are retained for as long as the therapist's account is active, consistent with professional record-keeping requirements for healthcare providers.
- Audit logs and notification records are retained for operational and compliance purposes.
- Rate limiting data is automatically purged when the tracking window expires.
- Calendar cache data is temporary and expires within 24 to 48 hours.
Your Rights
You have the following rights regarding your personal information:
- Access: You may request a copy of the personal data we hold about you.
- Deletion: You may request that we delete your personal data. We will respond to deletion requests within 30 days, subject to any legal or professional record-keeping obligations.
- Opt-out of emails: You can unsubscribe from non-essential emails at any time using the unsubscribe link included in each message.
California residents (CCPA): We do not sell personal information. California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, to request deletion, and to non-discrimination for exercising these rights.
State privacy law rights: Depending on your state of residence, you may have additional privacy rights under applicable state laws. Please contact us to exercise any of these rights.
Children's Privacy
curavidas is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us so we can take appropriate action.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Your continued use of curavidas after any modifications constitutes acceptance of the revised policy. We encourage you to review this page periodically.
Contact Information
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
curavidas
7514 Girard Ave Ste 1 PMB 801
La Jolla, CA 92037
United States
gregory@curavidas.com