Privacy
Effective May 18, 2026
Steady is health software. Privacy isn't a footnote — it's the architecture. This page explains what we collect on this site, what happens inside the product, and what your rights are.
What this page covers
Two surfaces, two different rules. The marketing site (this domain) is what you're reading now. The Steady product is the EHR your therapist uses. PHI only ever exists inside the product, never on this site.
What we collect on the marketing site
When you join the waitlist
- Email address — to reach out when there's a slot in the alpha and once at launch.
- Hashed IP and user agent — to prevent abuse. Hashed with SHA-256, never stored in plain text.
- UTM parameters and referrer — to understand which channels work, not who you are.
We don't email you marketing newsletters. The two emails we promise are the only emails we'll send unless you sign up for the product.
Analytics
We use self-hosted PostHog on our own infrastructure to count visits. No identity is sent to a third party. We do not use Google Analytics, Meta Pixel, or third-party ad cookies on this site.
What happens inside the product
Steady is built for HIPAA from the schema up. Every PHI table carries a tenant boundary enforced at the database level (Postgres row-level security), so application bugs cannot leak data across practices. Highlights:
- BAA on file with every covered entity (your practice). We sign before you upload any client data.
- Encryption at rest and in transit. AWS RDS storage encryption, TLS 1.2+ on every connection.
- Audit logs are append-only. Every read and write of a PHI record is recorded with actor, IP, and reason. You can export your audit trail anytime.
- AI processing is private. Note drafts run on Amazon Bedrock under our BAA. Transcripts and prompts are not used to train any model. We do not send PHI to OpenAI, Anthropic's public API, or any other third party without a BAA.
- No PHI in analytics, ever. Product analytics events are validated server-side; any field that looks like PHI is dropped at the edge.
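The two mechanisms above that live in the database, a tenant boundary enforced by Postgres row-level security and an append-only audit table, look roughly like the following. This is an added illustration, not Steady's schema or code; every table, column, role and setting name in it (clinical_note, phi_audit, steady_app, app.tenant_id) is an assumption, and the UUIDs and IP are constructed placeholders.

```sql
-- Added illustration (not Steady's schema): a tenant boundary enforced by
-- Postgres row-level security, plus an append-only audit table. All table,
-- column, role and setting names are assumptions.

CREATE TABLE practice (
    id uuid PRIMARY KEY
);

CREATE TABLE clinical_note (
    id         uuid PRIMARY KEY,
    tenant_id  uuid NOT NULL REFERENCES practice (id),
    client_id  uuid NOT NULL,
    body       text NOT NULL
);

-- Every statement against this table is filtered by policy. FORCE makes the
-- policy apply to the table owner as well, not only to other roles.
ALTER TABLE clinical_note ENABLE ROW LEVEL SECURITY;
ALTER TABLE clinical_note FORCE ROW LEVEL SECURITY;

-- The application sets app.tenant_id once per request (see the transaction at
-- the end). If the setting is absent, NULLIF yields NULL, the comparison is not
-- true, and the policy returns zero rows instead of every row.
CREATE POLICY tenant_isolation ON clinical_note
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a role that cannot bypass RLS (credentials are
-- provisioned out of band). Superusers and roles with BYPASSRLS ignore
-- policies, so they stay off the request path.
CREATE ROLE steady_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON clinical_note TO steady_app;

-- Append-only audit trail: the application role may insert and read, no UPDATE
-- or DELETE privilege is granted, and a trigger rejects those statements even
-- if such a privilege were granted by mistake later.
CREATE TABLE phi_audit (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL REFERENCES practice (id),
    actor_id    uuid NOT NULL,
    actor_ip    inet NOT NULL,
    action      text NOT NULL CHECK (action IN ('read', 'create', 'update')),
    record_id   uuid NOT NULL,
    reason      text NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now()
);
GRANT SELECT, INSERT ON phi_audit TO steady_app;
GRANT USAGE ON SEQUENCE phi_audit_id_seq TO steady_app;

-- The audit table is tenant-scoped too, so a practice exporting its trail
-- only ever sees its own rows.
ALTER TABLE phi_audit ENABLE ROW LEVEL SECURITY;
ALTER TABLE phi_audit FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON phi_audit
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

CREATE FUNCTION reject_audit_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'phi_audit is append-only (% rejected)', TG_OP;
END;
$$;

CREATE TRIGGER phi_audit_append_only
    BEFORE UPDATE OR DELETE ON phi_audit
    FOR EACH ROW EXECUTE FUNCTION reject_audit_mutation();

-- Per request, as steady_app, inside one transaction: scope the session to the
-- caller's practice, record the access, then read. SET LOCAL is undone at
-- COMMIT or ROLLBACK, so a pooled connection cannot carry one request's
-- tenant id into the next.
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';  -- placeholder practice id
INSERT INTO phi_audit (tenant_id, actor_id, actor_ip, action, record_id, reason)
VALUES ('00000000-0000-0000-0000-000000000001',   -- placeholder practice id
        '00000000-0000-0000-0000-0000000000aa',   -- placeholder clinician id
        '203.0.113.7',                             -- constructed sample address
        'read',
        '00000000-0000-0000-0000-0000000000cc',   -- placeholder note id
        'treatment');
SELECT id, client_id
  FROM clinical_note
 WHERE client_id = '00000000-0000-0000-0000-0000000000bb';  -- placeholder client id
COMMIT;
```

Two checks worth running against any setup of this shape: confirm that a SELECT with no app.tenant_id set returns zero rows rather than all rows, and confirm that the role the application actually connects as is neither a superuser nor marked BYPASSRLS, since either would silently disable every policy above. Reads are recorded by the application inserting into phi_audit, as shown; Postgres triggers fire on writes only, so the read entry cannot be produced by the database on its own.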
Your data is yours
- Export anytime. Full chart export in standard formats (PDF, JSON, CCDA where applicable). No fee, no friction.
- Retention follows the law. We keep records for the longest of: seven years; until a minor client turns twenty-six; or the retention period set by your state's licensing board. After that, hard-deleted on a scheduled job.
- Deletion on close. Closing your account starts the retention clock; PHI is purged at the end of it.
Sharing
We do not sell, rent, or share personal data. Required sub-processors (AWS for hosting, Stripe for payments, AWS SES for email) each operate under a BAA where PHI is involved. We will publish and maintain the current list at /legal/subprocessors once the product page ships.
Cookies
First-party cookies only. We use them for session, CSRF protection, and remembering your sign-in. No advertising cookies on this site.
Children
The Steady product is purchased by therapists and used to manage care for adults and minors. Minor records are governed by the same BAA and retention rules; legal guardians retain access rights consistent with state law.
Changes
Material changes to this notice are emailed to the address on your account at least thirty days before they take effect. The effective date at the top of this page reflects the most recent revision.
Contact
Privacy questions, data export requests, or a suspected incident: privacy@steadych.art. We acknowledge every request within two business days.