Security & Compliance

Built for regulated healthcare environments.

HerbalClient is designed to meet the compliance requirements of nutrition professionals practicing in Canada and the United States. Privacy, security, and data handling are not add-ons — they are built into the platform architecture.

HIPAA

PIPEDA

PHIPA

GDPR

Encrypted at rest and in transit — All client data is AES-256 encrypted at rest. All data in transit uses TLS 1.2 or higher.

No data sold, ever — HerbalClient does not sell, share, or monetize client health data. Period.

Practitioner-controlled access — Practitioners control what team members can see. Clients control their own portal access.

Audit logs on every action — Every read, write, and export is logged and available to account administrators.

Privacy

Your clients' data belongs to your clients.

Our data-handling practices are designed to support Canadian and US privacy regulations. Retention policy and deletion rights are configurable by practitioners and clients, within the limits imposed by professional and legal requirements.

• Primarily hosted in the United States today; Canadian-region migration planned

• Configurable retention and deletion policy

• Client right-to-erasure supported

• No third-party data sharing without explicit consent

Security

Infrastructure built for healthcare.

The platform runs on hardened cloud infrastructure with continuous security monitoring and ongoing vulnerability management.

• AES-256 encryption at rest

• TLS 1.2+ in transit

• Continuous uptime monitoring

• Third-party penetration testing planned ahead of regulated-deployment GA

Access

The right people see the right records.

Role-based access control lets practice owners define exactly what each team member can read, write, and export. Session tokens expire automatically. Multi-factor authentication is available on all plans.

• Role-based permissions per team member

• Session timeout and auto-logout

• MFA available on all plans

• Audit log for all data access events

Client rights

Clients stay informed and in control.

Clients can view their own records, request data exports, and withdraw consent at any time. NutriClient's consent management tools are built into the client portal — no manual process required.

• Client-facing data export on request

• Consent collection and audit trail

• Portal access revocation by practitioner

• Breach notification process documented

Regulation	Jurisdiction	What it covers	Our posture
HIPAA	United States	Protected health information (PHI)	Designed to support
PIPEDA	Canada (federal)	Personal information in commercial activity	Designed to support
PHIPA	Ontario, Canada	Personal health information in Ontario	Designed to support
GDPR	EU / international	Personal data of EU residents	Working toward

NutriClient is currently hosted on Supabase infrastructure in the United States (Oregon). Canadian-region hosting is planned for a future platform upgrade. We disclose this directly so practitioners can make informed decisions; see the Privacy Policy and Compliance pages for details.

Related policies

The rest of our documentation.

What we collect, how we use it, and your rights.

The legal relationship between you and Effect Wellness Inc.

Compliance overview

HIPAA, PIPEDA, and PHIPA posture in plain language.

Cookie Policy

Session cookies today; analytics plans tomorrow.

Acceptable Use Policy

What is not allowed on the service.

Accessibility Statement

Our WCAG target and how to report barriers.

Additional privacy and security documentation is available on request. For compliance questions, data-handling inquiries, or to request a BAA, email privacy@effectwellness.com. For general or product questions, email hello@herbalclient.com.