Privacy Policy
Last updated: May 2026
1. Overview
This Privacy Policy explains how Kaufmann Health (the "Platform") collects, uses, and protects personal data when you use our website and services. We have written it to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), as well as applicable US state privacy laws.
We are a body psychotherapy directory and practice-software platform. We do not provide therapy ourselves. Some data we process is sensitive (health-related), and we treat it accordingly.
HIPAA notice. Kaufmann Health is not a healthcare provider, health plan, or healthcare clearinghouse, and is not a HIPAA covered entity. The HIPAA Privacy Rule does not apply to information you submit to us. We protect health-related information under GDPR Article 9, the CCPA/CPRA sensitive-personal-information framework, and the safeguards described in this Policy.
No sale or sharing. Kaufmann Health does not sell personal information and does not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We do not transmit personal data to advertisers for retargeting and we do not use third-party cookies for advertising.
Global Privacy Control. We honor Global Privacy Control (GPC) signals as opt-out requests for the sale or sharing of personal information where applicable under California, Colorado, Connecticut, and other US state privacy laws that recognize universal opt-out mechanisms.
2. Data Controller
The controller responsible for processing your personal data is:
Kaufmann Earth LLC
a New York limited liability company (Registration No. 250730021764)
trading as Kaufmann Health
2427 Stanton Road
New Woodstock, NY 13122, USA
Contact: hello@kaufmann-health.com
3. EU Representative (GDPR Art. 27)
For matters relating to personal data of individuals in the European Union, our representative under Article 27 GDPR is:
Michael Strobel-Kaufmann
Bergischer Ring 31
58095 Hagen, Germany
4. Data We Collect
We collect the following categories of personal data:
a. Information you provide
- Contact details: name, email address, phone number
- Intake responses: preferences, language, scheduling, and other information you choose to share so we can match you with a suitable practitioner
- Account credentials and authentication tokens
- Communications you send us (email, support requests)
- For practitioners: profile details, qualifications, photos, payment account information
b. Technical data
- Device and browser information (user agent, screen size)
- Approximate location derived from IP address
- Pages visited, actions taken, referring URLs
- Cookies and similar identifiers (see Section 9)
c. Health-related data (special category under GDPR Art. 9)
When you complete an intake or contact a practitioner, you may share information about your reasons for seeking therapy, prior treatment, or health context. We treat this data as a special category of personal data and process it only with your explicit consent for the purpose of matching you with a practitioner.
d. Payment data
Where applicable, payment card or bank details are collected directly by our payment processor (Stripe) and never stored on our servers. We retain transaction metadata (amount, date, status) for accounting and tax compliance.
e. Mapping to CCPA categories (California residents)
For California residents, the following table maps the data we collect to the enumerated categories under Cal. Civ. Code § 1798.140:
| CCPA category | What we collect |
|---|---|
| Identifiers | Name, email address, phone number, account ID, IP address (hashed for security logs) |
| Customer records | Account credentials, billing contact (for practitioner subscriptions), transaction metadata |
| Commercial information | Subscriptions and services purchased by practitioners |
| Internet/network activity | Pages visited, actions taken, referring URLs, session data, device/browser info |
| Geolocation (approximate, not precise) | City/region derived from IP address for security and fraud prevention |
| Professional/employment | For practitioners: qualifications, credentials, profile content |
| Sensitive personal information | Health-related intake responses; account credentials (login) |
| Inferences | None used to build profiles. Matching is performed manually by our team, not algorithmically. |
We do not collect biometric information, sensory data (audio, visual surveillance), or precise geolocation.
5. How We Use Your Data and Legal Bases
We use personal data for the following purposes:
- Matching and service delivery — to introduce Clients to Practitioners and provide booking, scheduling, and communication tools.
  Legal basis: performance of a contract (GDPR Art. 6(1)(b)); for special category data, explicit consent (Art. 9(2)(a)).
- Account administration — registration, authentication, support.
  Legal basis: performance of a contract (Art. 6(1)(b)).
- Communication — confirmations, reminders, service updates, responding to your inquiries.
  Legal basis: performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
- Service operation, security, and abuse prevention — logging, fraud detection, infrastructure monitoring.
  Legal basis: legitimate interests in maintaining a secure service (Art. 6(1)(f)).
- Analytics and product improvement — understanding how the Platform is used so we can improve it. We use privacy-preserving analytics that mask form inputs and do not build personal profiles.
  Legal basis: legitimate interests (Art. 6(1)(f)); where required by law, consent.
- Marketing measurement — measuring the effectiveness of our advertising via Enhanced Conversions (hashed identifiers transmitted to Google).
  Legal basis: your consent (Art. 6(1)(a)) given when you submit a form with privacy acknowledgement.
- Legal compliance — tax records, lawful disclosure, dispute response.
  Legal basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).
6. Third-Party Processors and Providers
We engage the following service providers to operate the Platform. Each has a data processing agreement with us where required. Personal data is shared with them only to the extent necessary for the listed purpose.
Hosting and infrastructure
- Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) — application hosting and edge delivery.
- Supabase Inc. (9700 Great Hills Trail #150, Austin, TX 78759, USA) — database and authentication storage.
- Railway Corp. (San Francisco, CA, USA) — infrastructure hosting our self-hosted Cal.com scheduling service.
Communication
- Resend Inc. (2261 Market Street #5039, San Francisco, CA 94114, USA) — transactional email delivery. Data shared: recipient email, subject, body.
- Twilio Inc. (101 Spear Street, Suite 500, San Francisco, CA 94105, USA) — SMS notifications and verification codes. Data shared: phone number, message content.
- Google Workspace (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) — business email and document collaboration.
Payments
Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Dublin, Ireland) — payment processing certified to PCI-DSS Level 1. For practitioners receiving payments, Stripe Connect handles identity verification under applicable financial regulations. Data shared: payer name and email, payment method, amount, invoice details. Stripe processes EU data within the EU; transfer to Stripe Inc. (US parent) occurs under the EU-US Data Privacy Framework. See Stripe Privacy Policy.
Analytics
- Microsoft Clarity (Microsoft Corporation, Redmond, WA, USA) — session replay and heatmaps for usability analysis. Form inputs and sensitive content are automatically masked; admin areas and test users are excluded; no personal profiles are built; IP addresses are processed in anonymized form by Microsoft.
- Vercel Analytics — privacy-preserving page-view analytics from our hosting provider. No personal identifiers, no cookies.
Advertising measurement
Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) — Google Ads conversion measurement, including Enhanced Conversions (server-side transmission of hashed email addresses, only with consent). We do not sell or share personal data for cross-context behavioral advertising in the CCPA/CPRA sense.
7. International Data Transfers
Because the Platform operator is based in the United States and several processors are US-based, personal data may be transferred outside the European Economic Area, the UK, or your country of residence.
Where data is transferred from the EU/EEA or UK to the United States or another third country, we rely on one or more of the following safeguards:
- EU-US Data Privacy Framework (for certified recipients, where the adequacy decision is in force)
- Standard Contractual Clauses adopted by the European Commission (Art. 46 GDPR)
- Your explicit consent for specific transfers, where applicable (Art. 49(1)(a) GDPR)
Copies of safeguards and processing agreements are available on request at hello@kaufmann-health.com.
8. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by applicable law. Typical retention periods:
- Account data — for the duration of your account; deleted within 30 days of account closure unless retention is required by law.
- Contact form / intake responses — up to 24 months after last interaction, unless a matching or booking flow is in progress.
- Booking and transaction records — retained for the period required by US and applicable foreign tax and accounting law (typically 7-10 years).
- Communication logs — up to 24 months for support quality and dispute response.
- Technical and security logs — typically 30-180 days; PII is hashed before storage.
- Analytics data — retained per the processor's default (Microsoft Clarity: typically 13 months; Vercel Analytics: rolling window).
9. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Platform and, with your consent, to measure usage and advertising effectiveness. Categories:
- Strictly necessary — required for the Platform to function (authentication, session, security). No consent required.
- Analytics — Microsoft Clarity analytics cookie to group page views into sessions. Used only with your consent.
- Marketing measurement — Enhanced Conversions transmission to Google Ads is server-side and consent-gated; no marketing cookie is set on your device.
You can change your consent at any time using the "Cookie Settings" link in the footer. Withdrawing consent does not affect the lawfulness of prior processing.
10. Your Rights
Depending on where you reside, you have one or more of the following rights:
Under GDPR / UK GDPR
- Right to access a copy of your personal data (Art. 15)
- Right to rectification of inaccurate or incomplete data (Art. 16)
- Right to erasure ("right to be forgotten") (Art. 17)
- Right to restrict processing in certain circumstances (Art. 18)
- Right to data portability — receive your data in a structured, machine-readable format (Art. 20)
- Right to object to processing based on legitimate interests (Art. 21)
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3))
- Right to lodge a complaint with a supervisory authority (Art. 77), in particular in the EU member state of your residence, place of work, or alleged infringement
Under California law (CCPA/CPRA)
- Right to know what personal information we collect, use, disclose, and (if applicable) sell or share
- Right to delete personal information we collected from you
- Right to correct inaccurate personal information
- Right to opt out of the "sale" or "sharing" of personal information — note: we do not sell personal information and do not share it for cross-context behavioral advertising
- Right to limit the use of sensitive personal information (SPI) — see below
- Right to non-discrimination for exercising your rights
Right to Limit Use of Sensitive Personal Information
Health-related intake responses you share with us are sensitive personal information under Cal. Civ. Code § 1798.140(ae). California consumers can require us to use SPI only for the narrow business purposes permitted under Cal. Code Regs. tit. 11, § 7027 (such as providing the service you requested, security, and short-term operational uses). To exercise this right, email us at hello@kaufmann-health.com with subject "Limit SPI." We will confirm receipt and apply the limitation within the timeframe required by law.
Authorized agents. California residents may designate an authorized agent to make requests on their behalf. We may require the agent to provide written, signed authorization from you and may verify your identity directly before responding to substantive requests.
Other US states with comprehensive privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island have rights under their state's comprehensive privacy law that are substantially similar to those listed above, including rights of access, deletion, correction, portability, and opt-out from sale, sharing, and targeted advertising where applicable. To exercise any such right, email us at hello@kaufmann-health.com.
Washington and Nevada. Kaufmann Health is not currently available to residents of Washington State or Nevada, in light of the Washington My Health My Data Act (RCW 19.373) and Nevada SB 370 governing the collection and sharing of consumer health data. We do not knowingly collect personal information from residents of these states. If you reside in Washington or Nevada and have submitted information through the Platform, contact us and we will delete it.
11. How to Exercise Your Rights
Email us at hello@kaufmann-health.com with your request. We may ask for information to verify your identity before responding. We will respond within the timeframes required by applicable law (typically one month under GDPR; 45 days under CCPA, extendable once).
If you believe we have not adequately addressed your request, you may complain to the relevant supervisory authority. In Germany, complaints may be addressed to the State Commissioner for Data Protection of the relevant federal state; a list is available at bfdi.bund.de. In California, complaints may be addressed to the California Privacy Protection Agency.
12. Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (HTTPS), encryption at rest where supported by our infrastructure providers, access controls based on the principle of least privilege, audit logging, and regular security review. No system is perfectly secure; in the event of a personal data breach affecting your rights, we will notify you and the relevant supervisory authority as required by applicable law.
13. Children's Data
The Platform is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users or via a notice on the Platform. The "Last updated" date at the top of this page reflects the most recent change. Continued use of the Platform after a change takes effect constitutes acceptance of the updated Policy.
15. Contact
For privacy questions, requests, or concerns, contact us at hello@kaufmann-health.com.
See also our Imprint and Terms of Service.