1. Introduction
mePro ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use the mePro platform, including our web application, iOS application (distributed via the Apple App Store), and Android application (distributed via the Google Play Store) (collectively, the "Platform").
mePro is an AI-powered Electronic Health Record (EHR) and mental health management platform. We comply with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Apple App Store Review Guidelines, and the Google Play Developer Program Policies (including the Health Apps and User Data policies).
2. Information We Collect
We collect the following categories of information:
- Account Information: name, email address, phone number, password (stored only as a hash), professional credentials (for clinicians), and organisation affiliation.
- Health & Clinical Data (PHI): mood logs, journal entries, session notes, treatment plans, assessments, and AI-generated insights. This data is highly sensitive and treated as Protected Health Information.
- Communications Data: secure messages between clients and clinicians, scheduling information, and consent records.
- Device & Technical Data: device identifiers (IDFA, AAID where consented), operating system, app version, IP address, crash logs, and diagnostic information.
- Usage Data: feature interaction, page views, session duration, and aggregated analytics.
- Payment Data: handled by Stripe (web), Apple Pay (iOS), and Google Pay (Android). mePro does not store full card numbers.
- Optional Health Integrations: with your explicit consent, data from Apple HealthKit (iOS) or Google Health Connect / Fit (Android), such as steps, sleep, heart rate, or mindfulness minutes.
3. How We Use Your Information
- Provide, operate, and maintain the Platform and its clinical features.
- Facilitate care between clients, therapists, clinics, and employers.
- Generate AI-assisted insights, summaries, and progress analytics.
- Process payments and manage subscriptions.
- Detect, prevent, and respond to fraud, abuse, or security incidents.
- Comply with legal, regulatory, and clinical record-keeping obligations.
- Communicate service updates, security notices, and (with consent) marketing.
We do not sell personal information or PHI. We do not use PHI for advertising. We do not share health data with data brokers.
4. AI Models & Voice Processing
mePro leverages artificial intelligence to enhance clinical workflows, generate insights, and process voice recordings. We partner with the following AI providers, each governed by HIPAA Business Associate Agreements (BAAs) and strict data-processing terms:
- OpenAI , we use OpenAI's language models to generate session summaries, clinical insights, progress analytics, and AI-assisted documentation. All PHI sent to OpenAI is processed under a HIPAA-compliant BAA. No data is used to train OpenAI's models or improve their services.
- AssemblyAI , we use AssemblyAI's speech-to-text and audio intelligence services to transcribe voice recordings, session notes, and other audio content submitted by clinicians or clients. All audio data and transcripts are processed under a HIPAA-compliant BAA. AssemblyAI does not retain, store, or use your audio data beyond the temporary processing required to deliver the transcription.
Both providers process data in real time or near-real time. We do not use AI-generated outputs for advertising, marketing, or any purpose unrelated to delivering clinical features. You may opt out of AI-assisted features via your account settings where available.
5. Google OAuth Authentication
mePro offers Sign In with Google as an optional authentication method. When you choose to sign in using your Google account, we access the following information through Google's OAuth 2.0 service, limited strictly to the scopes you authorise:
- Basic Profile: your Google account email address, name, and profile picture (if available), used solely to create or link your mePro account.
- Authentication Token: Google issues an OpenID Connect ID token (via OAuth 2.0) that we validate server-side to confirm your identity. We never receive or store your Google password.
We use this information only for authentication and account management. We do not use Google authentication data for advertising, marketing, or profiling beyond what is necessary to operate the Platform. You may unlink your Google account at any time via your account settings; doing so will not delete your mePro account, but you will need to set a password or use another sign-in method.
Google OAuth is governed by Google's Privacy Policy and Google API Services User Data Policy, including the Limited Use requirements.
6. Google Calendar Integration
With your explicit consent, mePro can integrate with your Google Calendar to streamline appointment scheduling and session management. This integration requires you to authorise read and write access to your calendar through Google's OAuth 2.0 service.
- Read Access: we may read calendar events, dates, times, titles, and attendee information (if present) to display your availability, avoid scheduling conflicts, and show upcoming appointments within the Platform.
- Write Access: we may create, update, or delete calendar events on your behalf when you or your clinician schedule, reschedule, or cancel appointments through the Platform. Event titles and descriptions contain only non-PHI identifiers (e.g. "mePro Session") unless you configure additional detail.
- Data Handling: calendar data is processed in real time and cached only for the duration of your active session where technically necessary. We do not retain a persistent copy of your full Google Calendar on our servers. Any calendar data we temporarily process is subject to the same security and confidentiality safeguards as other Platform data.
You may revoke Google Calendar access at any time via your Google Account permissions page or through the integration settings within mePro. Revocation will prevent future synchronisation but will not delete past events already written to your calendar.
We do not use Google Calendar data for advertising, marketing, or any purpose unrelated to scheduling and appointment management. We do not share your calendar data with third parties except as necessary to provide the integration (i.e. Google's API services), and never with data brokers or advertisers.
7. Apple HealthKit Data (iOS)
In accordance with Apple's HealthKit terms, any data you choose to share from Apple Health:
- Is used solely to provide health and wellness features within mePro.
- Is never used for advertising, marketing, or sold to third parties.
- Is never shared with third parties for their own purposes.
- Is not stored in iCloud through mePro and may be revoked by you at any time via the iOS Health app or system Settings.
8. Google Health Connect & Android Permissions
In accordance with the Google Play Health Apps policy and the Health Connect by Android terms:
- We request only the permissions necessary to deliver clinical and wellness features you have explicitly enabled.
- Health Connect data is used solely within mePro and is never sold or used for advertising.
- You may revoke any granted permission at any time in Android Settings or the Health Connect app.
- We do not transfer Health Connect data to any third party except as required to deliver the requested feature, and never to data brokers, ad networks, or for credit/insurance decisioning.
9. Children's Privacy
mePro is intended for users 18 and over. Minors may only use the Platform under the supervision and verifiable consent of a parent, guardian, or licensed clinician, in accordance with COPPA (US), Article 8 of the GDPR (EU, conditions applicable to a child's consent), and the Apple/Google policies governing apps for children. We do not knowingly collect personal data from children under 13 without verifiable parental consent.
10. Legal Bases for Processing (GDPR)
- Consent: for optional health integrations, marketing, non-essential cookies, and Google Calendar access.
- Contract: to provide the Platform and fulfil our agreement with you, including authentication via Google OAuth and AI-assisted features.
- Legal Obligation: clinical record retention, tax, and regulatory reporting.
- Vital Interests: to protect a person's life in a clinical emergency.
- Legitimate Interests: security, fraud prevention, and service improvement, balanced against your rights.
11. How We Share Information
We share information only as follows:
- Care team: between authorised clients, therapists, and clinic administrators on a need-to-know basis.
- Service providers (subprocessors): cloud hosting (Lovable Cloud / Supabase / AWS), AI processing (OpenAI, AssemblyAI), payment processing (Stripe, Apple, Google), email (SendGrid), calendar synchronisation (Google Calendar API), and analytics, all bound by HIPAA Business Associate Agreements or GDPR Data Processing Agreements where applicable.
- Legal authorities: when compelled by valid legal process or to protect rights, safety, or property.
- Business transfers: in the event of a merger or acquisition, with continued protection under this Policy.
12. Data Retention
We retain PHI and clinical records for the period required by applicable healthcare law (typically 7-10 years after the last treatment date); for records of minors, retention runs until the minor reaches the age of majority plus the legally required period thereafter. Account and operational data is retained while your account is active and deleted or anonymised within 90 days of account closure, subject to legal hold requirements.
Google Calendar integration data is not retained on our servers beyond the temporary processing required for real-time synchronisation. OAuth tokens for Google services are stored securely; short-lived access tokens are refreshed as they expire, and all stored tokens are deleted when you unlink your Google account or close your mePro account.
13. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access, correct, or obtain a copy of your personal data.
- Request deletion ("right to be forgotten"), subject to legal retention obligations.
- Restrict or object to certain processing.
- Withdraw consent at any time (without affecting prior lawful processing), including for Google Calendar integration, Google OAuth linking, and AI-assisted features.
- Data portability: receive your data in a structured, machine-readable format.
- Lodge a complaint with your local data protection authority.
- Opt out of the "sale" or "sharing" of personal information (CCPA); note that mePro does not sell personal information.
To exercise any right, contact info@mepro.ai.
14. Security
We implement administrative, technical, and physical safeguards including AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control, audit logging, regular penetration testing, and SOC 2 / HIPAA-aligned operational practices. No method of transmission or storage is 100% secure; we will notify affected users and regulators of any qualifying breach within the timeframes mandated by law (e.g. notification to the supervisory authority within 72 hours of becoming aware of a breach under GDPR, and within 60 calendar days of discovery under the HIPAA Breach Notification Rule).
15. International Data Transfers
Your data may be processed in countries other than your own, including the United States and the European Union. Where required, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms to protect your data.
16. Cookies & Tracking
Our web application uses essential cookies for authentication and security, and (with consent where required) analytics cookies to improve the service. We do not use advertising or cross-site tracking cookies. On iOS, we comply with App Tracking Transparency (ATT) and will request your permission before any tracking. On Android, we comply with the Advertising ID policy and do not link advertising IDs to PHI.
17. Third-Party Services & SDKs
mePro integrates limited third-party services and SDKs strictly for service delivery (e.g. authentication via Google OAuth, calendar synchronisation via Google Calendar API, AI processing via OpenAI and AssemblyAI, crash reporting, payment processing, push notifications). A current list of subprocessors is available on request. We do not embed advertising SDKs in our mobile apps.
18. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notice or email at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.
19. Contact Us
mePro
Privacy enquiries: info@mepro.ai
Data Protection Officer: info@mepro.ai
General: info@mepro.ai