Privacy Policy
Effective date: March 14, 2026
1. Who we are
Liminal ("we," "us," or "our") provides a web-based EMDR protocol navigator for licensed mental health clinicians. Our service is designed to assist clinicians in following the Standard EMDR Protocol during therapy sessions. Liminal is not an electronic health record (EHR) and is not intended to replace clinical documentation systems.
For privacy-related questions, contact us at [email protected].
2. HIPAA compliance
Liminal is designed and operated as a HIPAA-compliant service. We serve as a Business Associate under HIPAA when you use Liminal to store or process Protected Health Information (PHI) on behalf of your practice. A Business Associate Agreement (BAA) is provided to and accepted by every clinician subscriber before accessing clinical features.
Our technical safeguards include AES-256-GCM client-side encryption, meaning that session data is encrypted on your device before it is transmitted to our servers. Our servers store only ciphertext and cannot access the plaintext contents of your session data. The encryption key is derived from your account credentials using PBKDF2 with 100,000 iterations and is never transmitted to our servers.
Administrative safeguards include workforce training, access controls, and a documented breach notification procedure. In the event of a breach of unsecured PHI, we will notify affected Covered Entities within 60 days of discovery, in accordance with 45 CFR § 164.410.
3. What data we collect
Account data (stored on our servers)
- Your name and email address (provided at sign-up)
- Subscription status and billing identifiers (Stripe customer ID, subscription ID)
- BAA acceptance record (timestamp, IP address, BAA version)
- Audit log entries (action type, timestamp, IP address, user agent)
Session data (encrypted, stored on our servers)
When you use the encrypted sync feature, the following data is encrypted on your device before upload. Our servers store only the ciphertext and cannot read this data:
- Client names and identifiers
- Session targets, SUDS scores, VOC scores
- Negative and positive cognitions
- Session notes and progress summaries
Local-only data (never transmitted)
If you do not use the sync feature, all session data remains exclusively in your browser's IndexedDB and is never transmitted to our servers.
4. How we use your data
We use account data solely to:
- Authenticate you and maintain your session
- Process your subscription and send billing-related communications
- Provide customer support
- Comply with legal obligations
- Maintain audit logs as required by HIPAA
We do not sell, rent, or share your personal data or PHI with third parties for marketing purposes. We do not use session data for any purpose other than providing the sync service you have requested.
5. Third-party services
We use the following third-party services to operate Liminal. Each has been selected for HIPAA compatibility:
| Service | Purpose | BAA available |
|---|---|---|
| Stripe | Payment processing | Yes |
| AWS (via Manus) | Cloud infrastructure, encrypted storage | Yes |
6. Data retention and deletion
Account data is retained for the duration of your subscription and for up to 90 days after cancellation, after which it is permanently deleted. Encrypted session data is retained for the duration of your subscription. Upon cancellation, encrypted session data is deleted within 30 days.
You may request deletion of your account and all associated data at any time by contacting us at [email protected]. We will process deletion requests within 30 days.
7. Security
Liminal implements the following security measures in accordance with HIPAA's Technical Safeguard requirements (45 CFR § 164.312):
- AES-256-GCM client-side encryption for all PHI before transmission
- PBKDF2 key derivation with 100,000 iterations (SHA-256)
- TLS 1.2+ encryption for all data in transit
- Per-user access controls enforced at the API layer
- Audit logging of all PHI access events
- Automatic session timeout after inactivity
8. Your rights
Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data. To exercise these rights, contact us at [email protected].
As a HIPAA Covered Entity or Business Associate, you retain all rights to the PHI you process through Liminal. Liminal acts solely as a Business Associate and will comply with all requests to access, amend, or account for disclosures of PHI in accordance with HIPAA.
9. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the application. Continued use of Liminal after the effective date of any changes constitutes acceptance of the updated policy.
10. Contact
For privacy-related questions, HIPAA inquiries, or to report a security concern, contact us at: [email protected]