Tall windows in a calm modern office space with a warm wooden floor and a plant — soft architectural daylight

Legal

Privacy Policy

Last updated: 2026-05-03

Who we are

MentalSpace Therapy ("we", "our", "the practice") is an online behavioral-health practice serving residents of Georgia. This policy explains how we collect, use, store, and share information when you visit mentalspacetherapy.com or use our services.

Protected Health Information (PHI) — anything you tell a clinician in session, in your client portal, or that's otherwise part of your medical record — is governed by HIPAA and our HIPAA Notice of Privacy Practices. This Privacy Policy covers everything else: information you give us through this website, marketing forms, cookies, and analytics.

What we collect

Information you give us directly: Name, email, phone, date of birth, gender, state, presenting concerns, and insurance information when you submit our matching, contact, or feedback forms. We do not collect payment card information through this website — billing happens in our HIPAA-compliant EHR after the intake call.

Information collected automatically: Standard web analytics — IP address, browser type, device, pages visited, referrer, and approximate location (city level). We use this to understand how the site performs and to improve it.

Cookies & tracking: We use first-party cookies for site functionality and, where consented, third-party tools for analytics and advertising effectiveness (Google Analytics, Google Ads, Facebook/Meta Pixel, TikTok Pixel, Microsoft UET). You can opt out via your browser settings or our cookie banner.

How we use it

  • To respond to your inquiry and provide care if you become a client.
  • To verify your insurance benefits and coordinate billing.
  • To send you appointment confirmations, reminders, and clinically relevant updates.
  • To improve our website, our matching process, and our clinical operations.
  • To comply with legal, regulatory, and ethical obligations (HIPAA, GA professional licensing, court orders).
  • With your specific written consent, to coordinate care with other providers.

We do not sell your personal information. Ever.

How we share it

We share information only in these circumstances:

  • Service providers we've carefully vetted and have signed Business Associate Agreements with — for example, our HIPAA-compliant EHR, our video-session platform, and our email infrastructure.
  • Insurance, where applicable — only the minimum needed to process your claim (diagnosis, dates, CPT codes — never session content).
  • Legal compliance — when required by law, court order, or to prevent imminent harm to you or others.
  • With your written consent — for coordination of care with other providers, schools, EAP programs, or anyone you specifically authorize.

How long we keep it

Marketing and form-submission data: up to two years after last interaction, then deleted or de-identified. Clinical records: per Georgia's record-retention rules, generally seven years after your last session (or longer for minor clients). Analytics data: aggregated and de-identified after 14 months by default.

How we protect it

We use industry-standard security: TLS 1.3 in transit, AES-256 at rest, multi-factor authentication for staff, role-based access controls, audit logging, and annual security risk assessments. Our infrastructure (Vercel for the website, Supabase for our forms database, Resend for transactional email) is configured to U.S. data residency.

Your rights

Under Georgia law, HIPAA, and applicable U.S. consumer privacy frameworks, you have the right to:

  • Access your information and obtain copies of your records.
  • Correct inaccuracies in your information.
  • Request deletion of marketing data (clinical records have separate retention requirements).
  • Withdraw consent for non-essential cookies and tracking.
  • File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

To exercise these rights, email [email protected] and we'll respond within 30 days.

Children

This website is not directed at children under 13. Our teen therapy services (12–18) require parental or legal-guardian consent at intake. We do not knowingly collect personal information from anyone under 13 through this website.

Changes to this policy

We may update this policy as our services or legal obligations change. The "Last updated" date at the top will reflect the latest revision. Material changes will be highlighted on the homepage for 30 days.

Contact

Privacy questions, requests, or complaints: