Skip to content

Privacy Policy

Last updated: April 13, 2026

CoreJourney ("we," "us," or "our") operates a HIPAA-compliant practice management platform designed for psychedelic facilitators and wellness practitioners. This Privacy Policy describes how we collect, use, store, and protect your information when you use our website at corejourney.co and our platform services.

Information We Collect

Account Information

When you create a CoreJourney account, we collect:

  • Full name and professional credentials
  • Email address
  • Phone number (optional)
  • Practice name and business address
  • Billing and payment information (processed securely by Stripe)

Protected Health Information (PHI)

When facilitators use our platform to manage their practice, they may input client health information including intake forms, session notes, treatment plans, and communication records. This data is classified as Protected Health Information under HIPAA. CoreJourney acts as a Business Associate and handles all PHI in accordance with HIPAA regulations and the terms of our Business Associate Agreement (BAA).

Usage and Analytics Data

We automatically collect certain technical information when you visit our website or use our platform:

  • IP address and approximate geographic location
  • Browser type, operating system, and device information
  • Pages visited, time spent, and navigation patterns
  • Referring URLs and search terms

This data is collected through Google Analytics and does not include any PHI.

How We Use Your Information

  • Providing and maintaining the CoreJourney platform
  • Processing payments and managing your subscription
  • Sending transactional communications (account confirmations, security alerts, billing notices)
  • Improving our platform based on aggregated, de-identified usage patterns
  • Responding to your support requests and inquiries
  • Complying with legal obligations, including HIPAA requirements

We do not sell, rent, or trade your personal information or any PHI to third parties. We do not use PHI for marketing purposes.

HIPAA Obligations

CoreJourney is committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. As a Business Associate, we:

  • Execute a Business Associate Agreement (BAA) with every customer during onboarding
  • Encrypt all PHI at rest using AES-256 encryption and in transit using TLS 1.2 or higher
  • Maintain comprehensive audit logs of all access to PHI
  • Implement role-based access controls to limit PHI access to authorized personnel only
  • Conduct regular security assessments and vulnerability testing
  • Train all employees on HIPAA requirements and data handling procedures

Third-Party Services

We use the following third-party services to operate our platform:

Stripe

Payment processing. Stripe handles all credit card and billing information directly. CoreJourney does not store your full payment card details on our servers. Stripe is PCI DSS Level 1 certified.

Google Analytics

Website analytics and usage tracking on our marketing site only. Google Analytics does not have access to any PHI or platform data. You may opt out of Google Analytics tracking by using a browser extension or adjusting your cookie preferences.

Any third-party service that may access PHI is bound by a BAA and must meet our security and compliance requirements.

Data Retention

We retain your information for as long as your account is active or as needed to provide services. Specific retention periods:

  • Account information: retained for the duration of your subscription and up to 30 days after account closure
  • PHI: retained in accordance with HIPAA requirements and applicable state laws. Facilitators may export or request deletion of client records at any time.
  • Billing records: retained for 7 years to comply with financial reporting requirements
  • Usage analytics: aggregated data retained indefinitely; individual session data deleted after 26 months

Upon account termination, all PHI is securely deleted or returned to the facilitator within 30 days, as specified in the BAA.

Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information, subject to legal retention requirements
  • Export your data in a standard, machine-readable format
  • Withdraw consent for optional data processing (such as marketing communications)
  • File a complaint if you believe your privacy rights have been violated

For facilitators managing client PHI, your clients retain their individual rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of their health information.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of the platform after changes take effect constitutes acceptance of the revised policy.

Questions?

Contact us at hello@corejourney.co