How We Protect Your Data
Session Clock is built by a registered massage therapist who understands that client confidentiality is non-negotiable. Here is exactly how your data is protected.
The short version
- Only you can see your data. Period.
- Your calendar URL is encrypted before storage.
- We never store the raw calendar feed — only the names and times you import.
- We never share, sell, or give anyone access to your client information.
- You can delete your data at any time.
Data Isolation
Every piece of data you create — schedules, settings, calendar URLs — is tied to your unique account ID. All API requests require authentication, and the server only ever returns data that belongs to you.
There is no way for one user to view, search, or access another user's data. Even our admin panel is limited to account management (granting access, managing subscriptions) and cannot browse individual users' schedules or client names.
Calendar Sync Security
When you connect your booking platform (Jane App, Google Calendar, etc.) via Calendar Sync, here is the exact data flow:
- You paste your iCal feed URL into Settings.
- The URL is encrypted with AES-256-GCM before being saved to our database. Even if someone gained access to the database, they could not read your calendar URL without the encryption key.
- When you tap "Sync from Calendar," our server decrypts the URL, fetches your calendar feed, and extracts only the event summary (client name), start time, and end time.
- The parsed sessions are sent to your browser for preview. The raw calendar feed is immediately discarded — it is never written to our database.
- If you confirm the import, only the extracted session data (name, time, duration) is saved to your schedule.
What we never read from your calendar:
- Addresses / locations
- Phone numbers
- Email addresses
- Clinical or session notes
- Attendee lists
- Recurring event rules
Encryption
- In transit: All connections use HTTPS (TLS). Calendar feeds are only fetched over HTTPS.
- At rest: Calendar feed URLs are encrypted with AES-256-GCM before database storage. Passwords are hashed with bcrypt.
- Payment data: Handled entirely by Stripe. We never see or store your card number.
No Third-Party Data Sharing
We do not sell, rent, or share your data with any third party. The only external services that receive any of your information are:
- Stripe — receives payment information to process your subscription. They never see your schedule or client data.
- Resend — our email provider, receives your email address to deliver transactional emails (password resets, subscription confirmations).
No analytics companies, advertising networks, or data brokers have access to any of your information.
Your Control
- Disconnect anytime: Remove your calendar URL from Settings with one tap. The encrypted URL is immediately deleted from our database.
- Delete your account: Contact us at support@sessionclock.com and we will permanently delete your account and all associated data.
- No lock-in: Your schedule data is always visible and accessible to you in the app. Cancel your subscription at any time through the Stripe customer portal.
Who Built This
Session Clock is built and maintained by a single developer who is also a registered massage therapist. This app was built to solve a real problem — keeping track of time and clients during back-to-back sessions. Your data security is taken as seriously as client confidentiality in a treatment room, because it comes from the same place.