
Privacy Policy

Last updated: April 21, 2026

We only collect what we need to run MPA. We don’t sell your data. We explain exactly who touches your information below, in plain English.

1. Who This Applies To

This Privacy Policy applies to everyone who visits mypracticeacademy.com, creates an MPA account, purchases a course or dashboard subscription, or uses any MPA tool (“you”). MPA is operated by My Practice Academy, founded by Faisal Darwiche, NP.

MPA is an educational service for licensed healthcare professionals. MPA is not a covered entity under HIPAA, does not provide healthcare services, and is not intended as a repository or transmission medium for patient-identifiable protected health information (PHI). Many MPA members are themselves covered entities or workforce members of covered entities — which is why we ask you to keep patient PHI out of MPA entirely. See Section 9 for the HIPAA boundary and Anthropic-specific notes on Ask Sal.

2. What We Collect

We collect the following categories of information:

  • Account information — name, email, password hash, profession, state of licensure, practice characteristics you share in your profile.
  • Purchase information — processed by Stripe. We receive a transaction confirmation, last-four and card brand, billing zip, and whether the charge succeeded. We do not store full card numbers.
  • Assessment responses — answers to MPA assessments, journey quizzes, goals, and survey inputs you voluntarily provide.
  • Ask Sal conversations — messages you send to Sal and the responses Sal generates. Stored to power continuity across sessions and to improve the service.
  • Google OAuth data (optional) — if you choose to connect Calendar or Gmail for the dashboard Cockpit, we receive read-only tokens for those APIs. Scopes requested: calendar.readonly and gmail.readonly. We store the refresh token encrypted and use it to render upcoming events and recent messages in your dashboard. We do not send email from your account and do not read message content beyond what the Cockpit card displays.
  • Usage data — pages visited, features used, timestamps, device/browser type, IP address (truncated for analytics), referral source.
  • Cookies & local storage — used to keep you signed in, remember preferences, and measure product usage.

3. Why We Collect It (Lawful Basis)

We process your information for the following purposes:

  • To deliver the service you bought (contract). Account login, courses, dashboard tools, Sal, Cockpit integrations.
  • To operate the business (legitimate interest). Billing, customer support, product analytics, security, fraud prevention.
  • To communicate with you (contract + legitimate interest). Account notifications, product updates, billing receipts, and — if you opt in — marketing.
  • To improve the product (legitimate interest). Aggregate usage analysis, feature prioritization, AI model evaluation.
  • To comply with law (legal obligation). Tax records, subpoena response, regulatory reporting where required.

4. Who We Share It With

We do not sell your personal information. We share limited information with a narrow set of service providers who help us run MPA:

  • Stripe — payment processing. Stripe receives your card data directly; we receive a transaction record.
  • Supabase — our database and authentication host. Your account data, course progress, and Sal conversations are stored in Supabase (US region).
  • Anthropic — powers Ask Sal. When you chat with Sal, your messages are sent to Anthropic’s API to generate a response. Anthropic’s terms govern how they handle that data; we pass only the content needed to generate the reply.
  • Google — when you connect Calendar or Gmail, Google provides the data to us under your consent via OAuth. See their privacy policy for their practices.
  • Email + analytics vendors — we use transactional email and product analytics providers on a strict data-processing basis. They may not use your data for their own purposes.
  • Law enforcement or regulators — only when legally required (e.g., valid subpoena), and we narrow production where possible.
  • Successor in interest — if MPA is acquired or merges, your data may transfer under terms no less protective than this policy.

5. How Long We Keep It

Account data and course progress are retained while your account is active and for up to 24 months after you close the account, for recordkeeping, tax, and customer-support purposes. Ask Sal transcripts are retained for up to 24 months unless you ask us to delete them sooner. Payment records are retained for the period required by applicable tax and accounting law (typically 7 years in the US). Backups may persist longer but are rotated on a rolling schedule and are not used for active processing.

6. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Request deletion of your account and associated data.
  • Export your data in a portable format.
  • Opt out of marketing email at any time (link in every marketing email).
  • Object to or restrict certain processing.

To exercise any of these rights, email support@mypracticeacademy.com. We respond within 30 days. We may ask you to verify your identity before acting.

7. Cookies & Tracking

We use strictly necessary cookies to keep you signed in and the service working. We use functional cookies to remember your preferences. We use analytics cookies to measure product usage in aggregate. You can control cookies in your browser settings; turning off strictly necessary cookies may break the service.

We do not use tracking pixels or session-replay tools on pages where you enter sensitive information (checkout, Sal, dashboard clinical tools). Marketing pages may use a small number of attribution pixels (for example, to measure ad performance); we do not share personal identifiers with those networks beyond what the pixel itself transmits.

8. Children

MPA is a service for licensed healthcare professionals and is not directed to children. We do not knowingly collect information from anyone under 18. If you believe a child has provided us with personal information, email support@mypracticeacademy.com and we will delete it.

9. HIPAA Boundary & Ask Sal Data Flow

Do not upload patient-identifiable protected health information into MPA. MPA is an educational service for clinicians, not a covered entity or business associate under HIPAA. Fields in MPA courses, Sal chats, documents, and SOP generators are not designed to receive PHI, and we have not executed business associate agreements for that purpose. If you need to discuss a clinical scenario with Sal, de-identify it first (use initials, scrub DOB/MRN/specific dates, remove any field a reasonable person could trace back to a named patient).

How Ask Sal handles your messages. When you send a message to Sal, the message is transmitted in real time to Anthropic’s API to generate Sal’s response. Anthropic’s own terms govern how they handle that data on their infrastructure. If you inadvertently include PHI in a Sal message, that PHI will have already been transmitted off MPA infrastructure before we can remove it on our side. This is why the de-identification rule above is the practical control, not the “contact us to remove” workflow below.

If PHI was inadvertently transmitted. Email support@mypracticeacademy.com with the subject line “PHI purge” and include the approximate date/time and clinical-tool surface (Sal chat, document field, etc.). We will (a) purge the affected chat or record from our database within 72 hours, (b) flag the retention carve-out so the record is excluded from standard 24-month retention, and (c) submit a delete request to Anthropic’s retention systems where technically available. We cannot guarantee retroactive removal from Anthropic’s side beyond what Anthropic’s policies permit.

Members who are themselves covered entities. If you are a covered entity or part of a covered-entity workforce, you may have an independent HIPAA obligation to assess whether using MPA tools to discuss clinical work (even in de-identified form) is compatible with your own policies, your BAA obligations to patients, and your facility’s data-governance rules. MPA cannot make that determination for you.

10. California Residents (CCPA / CPRA)

If you live in California, the California Consumer Privacy Act and California Privacy Rights Act give you additional rights, including the right to know what personal information we collect, to delete it, to correct it, to opt out of any “sale” or “sharing” of personal information, and to limit the use of sensitive personal information.

We do not sell personal information. We do not “share” personal information for cross-context behavioral advertising in a way that would trigger a CCPA opt-out obligation as of the date of this policy. Exercise any CCPA right by emailing support@mypracticeacademy.com with the phrase “CCPA request” in the subject line.

11. Security

We use industry-standard security practices: TLS in transit, encrypted storage at rest, hashed passwords, role-based access control, and audit logging. No system is perfectly secure. If we discover a breach of your personal information, we will notify you as required by applicable law.

12. International Users

MPA is operated from the United States and our servers are in the United States. If you access MPA from outside the US, you consent to transferring your information to the US and to processing it under US law.

13. Changes to This Policy

When we make a material change, we will update the “Last updated” date and, for active subscribers, send an email notice. Non-material changes (clarifications, formatting) may be made without notice.

14. Contact

Privacy questions or requests: support@mypracticeacademy.com.

My Practice Academy · Faisal Darwiche, NP · MSN, NP · Founder