Privacy Policy for Session Clock
Last Updated: April 8, 2026
Thank you for using Session Clock ("we," "us," or "our"). This Privacy Policy explains what information we collect, how we use it, and how we protect it when you use our web application at https://sessionclock.com (the "Service").
By using the Service, you agree to the terms of this Privacy Policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address — used for authentication, password resets, and service communications
- Password — securely hashed using bcrypt before storage; we never store or have access to your plaintext password
1.2 Payment Information
When you subscribe to a paid plan, your payment details (card number, billing address) are collected and processed directly by Stripe, our third-party payment processor. We do not store your payment card details on our servers. We store only your Stripe customer ID to manage your subscription.
1.3 Schedule and Session Data
When you use the Service, you may enter:
- Client names (first names only, as entered by you)
- Appointment times and durations
- Session titles (e.g., "Swedish Massage")
- Session notes
This data is stored in our database and is accessible only to you through your authenticated account.
1.4 Calendar Sync Data
If you use the Calendar Sync feature, you may provide an iCal feed URL from your booking platform (e.g., Jane App, Google Calendar). Here is exactly what happens with that data:
- Your calendar URL is encrypted using AES-256-GCM before being stored in our database
- When you sync, our server fetches your calendar feed, extracts only client names, appointment times, and durations, then discards the raw feed immediately
- We never store the raw calendar feed on our servers
- We do not read or extract addresses, phone numbers, email addresses, clinical notes, or any other information from your calendar
- Only you can trigger a sync — it never happens automatically in the background
- You can disconnect your calendar and delete your URL at any time from Settings
1.5 Non-Personal Data
We may use cookies and similar technologies to maintain your session. We do not use third-party analytics or tracking services.
2. How We Use Your Information
We use the information we collect to:
- Authenticate your account and maintain your session
- Store and display your schedule and session data to you
- Process subscription payments through Stripe
- Send transactional emails (password resets, subscription confirmations)
- Improve and secure the Service
3. Data Isolation and Access Control
Your data is strictly isolated to your account:
- All API requests require authentication — your data cannot be accessed without your login credentials
- Each user's data is stored with their unique user ID; there is no way for one user to view another user's schedule or settings
- Our admin panel is restricted to the site owner and is used only for account management (granting access, not viewing schedules)
4. Data Sharing
We do not sell, rent, trade, or share your personal data or client information with any third parties, except:
- Stripe — receives your payment information to process subscriptions
- Resend — our email provider, receives your email address to send transactional emails (password resets, account confirmations)
We do not share your schedule data, client names, or calendar information with anyone.
5. Data Storage and Security
- All data is transmitted over HTTPS (TLS encryption in transit)
- Passwords are hashed with bcrypt before storage
- Calendar feed URLs are encrypted with AES-256-GCM at rest
- Our database is hosted on MongoDB Atlas with access restricted to the application
- We follow the principle of least privilege for all data access
6. Your Rights and Data Deletion
You have the right to:
- Access all your data through the Service at any time
- Delete your calendar URL from Settings at any time
- Request deletion of your account and all associated data by contacting us
- Export your schedule data as visible in the application
To exercise these rights, contact us at support@sessionclock.com.
7. Children's Privacy
Session Clock is not intended for children under the age of 13. We do not knowingly collect personal information from children.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated date. Continued use of the Service after changes constitutes acceptance of the updated policy.
9. Contact
If you have questions about this Privacy Policy or how your data is handled, contact us at:
Email: support@sessionclock.com