Introduction
LMT Assistant ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and the client-facing booking pages you share with your clients.
Information We Collect
We collect information that you provide directly to us, including:
- Account information (name, email address, password)
- Professional information (business name, license details, insurance policies, continuing education credits)
- Client information that you enter into the app (names, contact details, addresses, intake history)
- Appointment and session data (scheduling, session notes, SOAP notes)
- Financial information for invoicing, expense tracking, income tracking, and 1099 records
- Mileage and location data for travel tracking (when you choose to use this feature)
- Photos, images, and PDFs of documents you upload for AI scanning (receipts, credentials, tax forms, insurance documents, booking screenshots)
- Booking submissions from your client-facing booking page (see Online Booking section below)
- Therapist network contacts (professional contacts you choose to save)
- Subscription and purchase data (managed by RevenueCat through Apple/Google)
- Push notification tokens (for appointment reminders, booking requests, and credential expirations)
- Referral code usage (code entered, redemption date, linked to your account for promotional tracking)
- Usage data and app analytics
How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process transactions and send related information
- Process uploaded images and PDFs through AI services to extract text data from receipts, credentials, tax documents, insurance documents, and booking screenshots
- Calculate mileage for business travel deductions
- Accept, route, and confirm bookings submitted through your client-facing booking page
- Generate reports and business insights
- Send push notifications for appointment reminders, incoming booking requests, and credential renewal alerts
- Manage your subscription through RevenueCat
- Display advertisements in the free tier through Google AdMob
- Send you technical notices, reminders, and support messages
- Respond to your comments and questions
- Protect against fraudulent or illegal activity
- Track referral code redemptions for promotional programs
Account Authentication and Password Reset
When you sign up, we send a confirmation email containing a secure link to verify your email address. When you request a password reset, we send a secure one-time link to your registered email. These links contain temporary authentication tokens that expire after a short period and can only be used once. Clicking these links redirects you back to the app to complete the verification or set a new password. We do not store password reset tokens beyond their expiration.
AI-Powered Document Processing
When you use the App's scanning features (for receipts, 1099 forms, credentials, insurance documents, or booking screenshots), your images and PDFs are transmitted to OpenAI for structured data extraction:
- OpenAI (Responses API, GPT-4o vision): The sole AI provider used for analyzing all document types and extracting structured data
Important details about AI processing:
- Images and PDFs are transmitted over HTTPS through our server-side edge function, which applies additional security hardening before forwarding to OpenAI
- HEIC images (common on iPhones) may be converted to JPEG before transmission for compatibility
- Images and PDFs are processed solely for text extraction and are not stored by OpenAI beyond the processing request
- Extracted PHI fields (client names, addresses) are encrypted using AES-256 before being stored in our database
- AI scanning is optional. You can always enter information manually
Online Booking and Client Submissions
The App generates a unique, shareable booking link tied to your account. When your clients open that link and submit the booking form, they may provide:
- Their name, phone number, and email address
- Address (for mobile/outcall visits)
- Preferred appointment date and time
- Selected service and location type (studio or mobile)
- Intake notes, health history, and consent acknowledgement
Booking submissions are delivered to your practice as pending requests that you review and approve. When you approve a booking, an automatic SMS confirmation is sent to the client's phone number. You remain the controller of this data within your account, and any personally identifying fields are encrypted with AES-256 before being stored. You are responsible for the privacy disclosures shown to your own clients on the booking form.
Data Security and Encryption
We implement robust technical and organizational measures to protect your personal information:
- Encryption: All Protected Health Information (PHI), including client names, addresses, phone numbers, email addresses, intake notes, and SOAP notes, is encrypted using AES-256-CBC encryption with PBKDF2 key derivation
- Per-User Keys: Each user's data is encrypted with unique, per-user encryption keys derived from secure random salts
- Encrypted Backups: Data exports and backups are fully encrypted before leaving the device
- Offline Security: Data queued while offline is encrypted per-user with automatic 30-day expiration
- Session Security: Automatic session timeout after 15 minutes of inactivity
- Biometric Authentication: Optional biometric (Face ID / Touch ID) authentication for enhanced security
- Row-Level Security: Database-level policies ensure users can only access their own data
- Audit Logging: Sensitive operations are logged for security monitoring
We follow HIPAA guidelines for handling protected health information (PHI).
Data Retention
We retain your information for as long as your account is active or as needed to provide you services. You can request deletion of your account and associated data at any time through the app settings.
Third-Party Services
We share information with third-party service providers who perform services on our behalf:
- Supabase: Database, authentication, and file storage (data stored in the United States)
- OpenAI: AI-powered document scanning and text extraction (see the AI-Powered Document Processing section above)
- Google Maps, Places, and Directions APIs: Location services, address lookup, and mileage calculation
- RevenueCat: Subscription management (processes through Apple's App Store and Google Play; we do not access your payment details)
- Google AdMob: Displays advertisements in the free tier of the App
- Apple and Google Sign-In: Optional authentication methods
- Spotify: Optional music integration (opens playlists externally; requires separate authorization)
- Sentry: Anonymous crash reporting and error tracking (not linked to your identity)
- Expo Push Notifications (APNs/FCM): For delivering appointment alerts, booking request alerts, and credential renewal reminders
- SMS delivery providers: Used to send booking confirmation texts to clients when you approve a booking request
Each third-party service has its own privacy policy governing the data they receive.
Therapist Network Data
The App includes a Therapist Network feature for storing professional contacts. The following applies to the contact information you store and share through this feature:
- You are responsible for obtaining permission before sharing a therapist's contact information with clients
- Contact information you store (name, phone, website, social media) is encrypted on our servers
- We do not share therapist network data with third parties
Your Rights
You have the right to:
- Access your personal information
- Correct inaccurate information
- Request deletion of your information
- Export your data (encrypted backups)
- Opt out of marketing communications
- Opt out of AI scanning by entering information manually
Advertising
The free tier of the App displays advertisements through Google AdMob. AdMob may collect device information and use advertising identifiers to serve relevant ads. You can opt out of personalized advertising through your device settings. Upgrading to the Pro subscription removes all advertisements.
Children's Privacy
The App is designed for licensed massage therapy professionals and is not intended for use by children under 17. We do not knowingly collect information from children.
Contact Us
If you have questions about this Privacy Policy, please contact us at:
Suite 327 Development LLC
Email: admin@suite-327.com
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.