Privacy Policy

This policy applies to practitioners and practice staff who create or use an account on HerbalClient, and to visitors of our marketing website. Clients of a practitioner interact with their practitioner's workspace through a separate client portal; their personal and health information is governed by the practitioner's own privacy notice, with HerbalClient acting as a processor on the practitioner's behalf.

Account information. Name, email, business details, and authentication credentials you provide when you sign up or configure your workspace.

Billing information. Subscription plan, invoices, and payment metadata. Card numbers are handled directly by Stripe; we do not store full card details on our servers.

Practice and clinical data you enter. Notes, forms, schedules, messages, and other records you create in your workspace. This includes personal health information about your clients when you choose to enter it. We act as a processor for this data — you remain the custodian.

Technical information. IP address, browser and device information, and logs of interactions with our service, used to keep the product secure and operational.

We use this information to provide and improve the service, process payments, send operational email (receipts, security notifications, account updates), respond to support requests, and meet legal obligations. We do not sell personal information, and we do not share client health data with third parties for marketing or analytics purposes.

HerbalClient is currently hosted on Supabase infrastructure located in the United States (Oregon). Canadian-region hosting is planned for a future platform upgrade. We are telling you this directly so you can make an informed choice. If your professional obligations require Canadian data residency today, please contact us before onboarding clinical data — we will let you know when the migration is scheduled and help you evaluate whether HerbalClient is the right fit now or after the move.

Data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted using AES-256 by our hosting provider.

We rely on a small number of specialized vendors to operate the service. Each processes data only as instructed and is bound by a data processing agreement:

• Supabase — primary database, authentication, and file storage.
• Stripe — subscription billing and payment processing.
• Twilio — SMS and voice messaging (where you enable these features).
• Resend — transactional email delivery.
• Google (Gemini) — AI-assisted features such as Practice Assist. Prompts may be sent for generation; the service is configured to not use your content to train foundation models.

Depending on where you live, you have the right to access, correct, export, or request deletion of your personal information. You can withdraw consent at any time for uses that depend on it. Canadian residents have rights under PIPEDA (and PHIPA, in Ontario); United States residents may have state-specific rights; EU/UK residents have rights under the GDPR and UK GDPR. To exercise any of these rights, email privacy@effectwellness.com from the address on file, or use the in-product export and deletion controls in your account settings where available.

Account and practice data are retained for the life of your subscription. If your subscription is canceled, you have 90 days to export your data before it is permanently deleted. Some records may be retained longer where required by law (for example, Ontario PHIPA imposes a 10-year minimum retention on adult clinical records for the responsible health information custodian). Backups containing your data roll off on the schedule published in our security documentation.

We use essential cookies to keep you signed in and to protect against abuse. We do not use cross-site advertising trackers. See our Cookie Policy for details, including plans for optional analytics in a future release.

Technical and organizational controls are documented on our Security page. If you believe you have found a vulnerability, please report it to privacy@effectwellness.com so we can respond promptly.

HerbalClient is a professional practice-management product and is not directed to children. Practitioners are responsible for any client data they enter, including data relating to minors, in accordance with the laws of their jurisdiction and the consent of the parent or legal guardian.

We may update this policy as the product and our obligations evolve. Material changes will be announced by email to account owners, and the “last updated” date above will change. Continued use after the effective date constitutes acceptance of the revised policy.