
Privacy Policy

Last updated: May 8, 2026

This policy explains what information Stillpoint Technologies Inc. (“Stillpoint,” “we,” “us,” or “our”) collects, how we use it, and your rights regarding your data. We recommend reviewing this page periodically as we update it to reflect new features and practices.

1. Information We Collect

Account information. When you create a Stillpoint account, we collect your name, email address, phone number (optional), and practice details such as your practice name and timezone.

Client information. When clients book appointments through your booking page or an embedded booking form, we collect the following on behalf of the practitioner:

  • Full name
  • Email address
  • Phone number (if provided)
  • Booking details (service, date, time)
  • Appointment history
  • Session preferences and notes

This data is stored on behalf of the practitioner and shared with them to manage appointments and provide their services.

Family member information. Clients may add family members or dependents to their account and book appointments on their behalf. We collect the same information (name, email, phone) for dependents as for primary clients.

Clinical records. If you use Stillpoint’s clinical notes features, we store the content of session notes, SOAP notes, and note templates that you create. All clinical content is encrypted at rest using AES-256 encryption. This data is stored solely on your behalf and is not accessed by Stillpoint for any purpose other than providing the service.

AI-generated clinical content. If you use the AI Scribe feature, audio from clinical sessions may be recorded, transcribed, and used to generate structured session notes. Audio recordings are processed by Amazon Transcribe Medical and clinical note generation is powered by AWS Bedrock (Anthropic Claude). Audio files are stored temporarily and deleted after transcription is complete.

Billing and invoicing data. Stillpoint stores invoice records, insurance claim details, procedure codes, and related billing information that you enter. This data is used to generate invoices and manage claims within the platform.

Payment information. All payment data is processed securely by Stripe. We do not store credit card numbers, bank account details, or other financial information on our servers.

Stored payment methods. With your authorization, practitioners may store a payment method on file via Stripe for future charges, including recurring session fees, no-show fees, and autopay. Card details are held securely by Stripe and never stored on Stillpoint servers.

Website content. If you use our hosted website feature, we store the text, images, and configuration you provide to build and display your practice website.

Usage data. We collect standard server logs including IP addresses, browser type, and timestamps. We use Google Analytics to understand how visitors interact with our marketing site, booking pages, and practitioner dashboard. See Section 4 for details on analytics cookies.

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Stillpoint scheduling platform
  • Store and display clinical notes and records on your behalf
  • Generate and manage invoices and insurance claims
  • Provide practice analytics and reporting
  • Process payments through Stripe Connect
  • Send appointment confirmations and reminders via email
  • Send SMS notifications for bookings and cancellations (when enabled)
  • Host and display your practice website (when published)
  • Respond to support requests
  • Improve the reliability and performance of our service

We do not sell your data. We do not use your data for advertising.

3. Third-Party Services

Stillpoint relies on a small number of trusted third-party services to operate. Each provider receives only the data necessary to perform its function. Stillpoint data is hosted on AWS infrastructure in the United States, so data from Canadian and other international practitioners and their clients is transferred to and stored in the United States.

  • Supabase — primary application database, authentication, and file storage. Hosted on AWS in the United States (Oregon, us-west-2). Privacy policy
  • Stripe — payment processing (PCI-DSS compliant). Stripe receives client payment details directly and Stillpoint never handles or stores card data. Privacy policy
  • Resend — transactional email delivery for confirmations, reminders, and notifications. Privacy policy
  • Twilio — SMS delivery for appointment notifications. Privacy policy
  • Vercel — web hosting and custom domain management for practice websites. Privacy policy
  • Google Analytics — anonymized usage analytics on our marketing site, booking pages, and practitioner dashboard. Google Analytics collects data such as pages visited, button clicks, device type, and browser information using cookies. No personally identifiable information is sent to Google Analytics. You can opt out using the Google Analytics opt-out browser add-on. Privacy policy
  • Google Fonts — typography loaded on booking pages and hosted websites. Google may collect usage data when fonts are served. Privacy policy
  • Amazon Web Services (AWS) — HIPAA-eligible infrastructure used for storing protected health information (PHI), including intake forms, medical history, medications, allergies, insurance records, consent records, and uploaded health documents. Data is hosted on AWS RDS PostgreSQL in the United States (us-east-1, N. Virginia) with KMS-managed AES-256 encryption at rest and TLS in transit. AWS Bedrock (Anthropic Claude) is used for AI-powered clinical note generation and expansion. Amazon Transcribe Medical is used for clinical audio transcription. All AWS services operate under our Business Associate Agreement. Privacy policy
  • OpenAI — powers the Clio AI practice assistant. Conversation messages sent to the assistant are processed through OpenAI’s API. Clio does not have access to clinical notes or protected health information. Data sent to OpenAI is not used to train their models. Privacy policy
  • Railway — cloud hosting for the Clio AI worker service. Privacy policy
  • Stedi — healthcare data clearinghouse used for insurance eligibility verification. When a practitioner performs an eligibility check, patient information (name, date of birth, member ID, and provider details) is transmitted to Stedi to verify insurance coverage. Privacy policy
  • Google Calendar — optional calendar integration. When connected, appointment data (times, service names, client names) is synced between Stillpoint and Google Calendar. Privacy policy
  • Microsoft (Outlook Calendar) — optional calendar integration. When connected, appointment data is synced between Stillpoint and Microsoft 365 via the Microsoft Graph API. Privacy policy
  • Google Maps Platform — used for address autocomplete when entering location details. Address input is sent to Google’s Places API. Privacy policy

4. Cookies & Authentication

Stillpoint uses cookies for authentication and session management. We set authentication cookies across the .withstillpoint.com domain to enable seamless login between your dashboard, booking pages, and hosted website.

We also use Google Analytics cookies to collect anonymized usage data on our marketing site, booking pages, and practitioner dashboard. These cookies help us understand how our platform is used so we can improve it. Google Analytics does not collect personally identifiable information.

We do not use advertising cookies or participate in any ad networks.

5. Hosted Websites

If you publish a hosted website through Stillpoint, your website is served at a .withstillpoint.com subdomain or your own custom domain. Standard web server logs (IP address, browser, timestamps) are collected from visitors to your website. No tracking scripts or analytics are added by Stillpoint.

Stillpoint does not add its own analytics or tracking scripts to practitioner-hosted websites. However, practitioners may optionally add their own Google Analytics tracking ID in the website editor. If a practitioner enables Google Analytics, visitor data on that hosted website will be collected by Google in accordance with Google’s privacy practices. Google Fonts may be loaded for typography. Custom domains are routed through Vercel and are subject to Vercel’s privacy practices.

6. Embedded Booking Forms

Your booking form can be embedded on third-party websites via an iframe. Data collected during the booking process (name, email, phone, notes) is transmitted to and processed by Stillpoint regardless of where the form is embedded.

Payment information entered within an embedded booking form is handled directly by Stripe. Authentication cookies may be set within the iframe for session management.

7. SMS & Email Communications

Stillpoint sends transactional messages on behalf of practitioners, including booking confirmations, appointment reminders, and cancellation notices. Practitioners also receive notifications when clients book or cancel.

Practitioners can control notification preferences (email and SMS) from the Settings page. Client reminders can be disabled by setting the reminder lead time to zero. Emails are sent via Resend and SMS messages are sent via Twilio.

In addition to transactional messages, Stillpoint may send automated marketing communications on behalf of practitioners, including re-engagement campaigns for lapsed clients, birthday messages, review requests, welcome sequences for new clients, and no-show follow-up messages. These messages are sent based on practitioner-configured automation rules.

Clients may manage their email preferences through the client portal or by using the unsubscribe link included in automated messages. Stillpoint complies with CAN-SPAM and CASL requirements for all automated email communications.

7a. AI Features & Clinical Data

Stillpoint offers AI-powered features that process clinical data:

AI Scribe. The AI Scribe feature allows practitioners to record clinical sessions, which are transcribed using Amazon Transcribe Medical and processed by AWS Bedrock (Anthropic Claude) to generate structured SOAP notes. Audio recordings are stored temporarily in encrypted storage and deleted after transcription is complete. Practitioners are responsible for obtaining patient consent before recording sessions.

Clinical note expansion. Practitioners may use AI to expand brief clinical notes into full SOAP format. Note content is sent to AWS Bedrock (Anthropic Claude) for processing. All AI processing occurs within HIPAA-eligible AWS infrastructure under our Business Associate Agreement.

AI practice assistant (Clio). The Clio chatbot helps with scheduling, navigation, and practice management. Clio is powered by OpenAI’s GPT-4o-mini and does not have access to clinical notes or PHI.

AI website copy. Practitioners may use AI to generate content for their practice website. Practice information (name, services, descriptions) is sent to AWS Bedrock for content generation.

8. Data Security

All data is encrypted in transit (HTTPS) and at rest. Most protected health information, including intake forms, medical history, medications, allergies, insurance records, consent records, and uploaded health documents, is stored in a dedicated HIPAA-eligible database on AWS RDS PostgreSQL (us-east-1, N. Virginia), separate from the primary application database. This PHI database uses KMS-managed AES-256 encryption at rest, TLS encryption in transit, and audit logging via AWS CloudTrail and PostgreSQL pgaudit.

Clinical notes, including SOAP notes and note templates, are encrypted at the application layer with AES-256-GCM (a unique key per environment, with a fresh initialization vector per field) before being written. They are currently stored in our primary application database hosted by Supabase. We are migrating clinical notes into the same dedicated AWS RDS instance as our other PHI; the application-layer encryption will remain in place after the move as defense in depth.

Authentication uses industry-standard JWTs issued by Supabase. Row-level security policies and per-practice scoping isolate data between tenants, so one practice cannot access another’s data.

Payment information is processed by Stripe (PCI-DSS compliant) and never stored on Stillpoint servers. All API communication occurs over HTTPS.

9. Data Retention

Account and practice data — including clinical notes, invoices, and insurance claims — is retained for as long as your account is active. If you request account deletion, we will remove your data within a reasonable timeframe, except where retention is required by law (for example, payment records and billing documentation). Server logs are retained for a limited period for debugging and security purposes.

10. Your Rights (Practitioners)

As a practitioner, you have the right to:

  • Export your data — including client records and clinical notes — at any time from your practice settings
  • Request deletion of your account and data
  • Opt out of SMS notifications from your settings
  • Unpublish your hosted website at any time

For any privacy-related requests, contact us at help@withstillpoint.com.

10a. Client Data Rights

If you are a client who has booked an appointment through Stillpoint, you may contact us at help@withstillpoint.com to:

  • Request information about the data we hold about you
  • Request corrections to your personal information
  • Request deletion of your data, subject to the practitioner’s recordkeeping obligations

We will respond to verified requests within 30 days.

10b. Client Portal

Stillpoint provides a client portal where clients can:

  • View and manage upcoming appointments
  • Access billing information and payment history
  • Complete intake forms
  • Manage family members and dependents
  • Leave reviews for practitioners
  • Set communication preferences

The client portal requires authentication. Data displayed in the portal is limited to information relevant to the client’s relationship with their practitioner.

11. Contact

For privacy questions or concerns, reach us at help@withstillpoint.com. You may also reach us by mail at PO Box 5121, Victoria PO 9, BC V8R 6N4, Canada.

Stillpoint Technologies Inc.

PO Box 5121, Victoria PO 9, BC V8R 6N4, Canada

help@withstillpoint.com
© 2026 Stillpoint Technologies Inc. All rights reserved.
