Privacy Policy
Last updated: 29 June 2026
1. Who we are
ERA (Evidence-based Rehabilitation Assistant) is operated by The Speech Boutique Pty Ltd, trading as Speech Path Tech, an Australian company. We are the data controller for personal data you provide to ERA. Contact: hello@speechpath.tech.
2. ERA is not a clinical record system
Do not enter Protected Health Information (PHI), patient identifiers, or personally identifiable client data into ERA. ERA is an evidence-retrieval assistant, not an electronic health record, and we do not offer HIPAA Business Associate Agreements (BAAs). The composer blocks prompts that appear to contain names, dates of birth, medical record numbers, addresses, phone numbers, or other common identifiers, but you remain responsible for what you submit.
3. What we collect
- Account data: email address and authentication identifiers (via Google Sign-In or email/password).
- Content you create: chat threads, messages, uploaded PDFs, article metadata, highlights, notes, folders, and filter presets.
- Billing data: subscription status and identifiers issued by Stripe. We never see or store card numbers.
- Operational logs: per-day prompt counts (to enforce the free-tier limit), webhook delivery records, and an access log of article opens visible only to you.
4. What we do NOT collect
- No advertising trackers, behavioural analytics, session replays, heatmaps, or third-party marketing pixels.
- No selling, sharing, or licensing of your content to data brokers or model-training vendors.
5. Subprocessors
The following services receive narrow slices of your data:
| Service | Receives | Purpose |
|---|---|---|
| Lovable AI Gateway | Chat prompts, message history, embedding text | LLM responses and library indexing |
| MediSearch | Your query text + filters | Medical-literature search |
| Tavily | Your query text | Web search of vetted SLP sources |
| Crossref, Unpaywall, Europe PMC | DOI or title strings | Article metadata + open-access PDF lookup |
| Stripe | Email + billing details | Subscription processing |
| Supabase (managed backend) | All app data | Database, authentication, file storage |
We do not transmit user data to any service outside this list. Data may be processed in the United States, the European Union, and Australia depending on the subprocessor's region.
6. Security
All data is encrypted in transit (TLS) and at rest. Per-user row-level security isolates every thread, message, article, annotation, and uploaded PDF — a signed-in user cannot read or delete another user's data. Uploaded PDFs live in a private storage bucket scoped to your user ID.
7. Your rights
You can export your highlights and notes from any article, and you can permanently delete your account and all associated data from the Billing page. Deletion is immediate and cascades to threads, messages, articles, chunks, annotations, folders, and uploaded files.
7.1 Australia (Privacy Act 1988 / APPs)
You have the right to access and correct personal information we hold about you, and to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
7.2 European Union & United Kingdom (GDPR / UK GDPR)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent at any time. Our legal bases are contract (delivering the service you signed up for) and legitimate interest (preventing abuse, debugging, billing). You may lodge a complaint with your local supervisory authority. We do not have an EU representative; contact us directly at hello@speechpath.tech.
7.3 United States (CCPA / CPRA & state laws)
Residents of California, Colorado, Connecticut, Utah, Virginia, and other applicable states have the right to know, delete, correct, and limit use of their personal information. We do not sell or share personal information for cross-context behavioural advertising. We do not use sensitive personal information for any purpose other than providing the service. To exercise any right, email hello@speechpath.tech with the subject "Privacy request". You can also authorise an agent to make a request on your behalf.
7.4 Canada (PIPEDA)
Canadian users may access and challenge the accuracy of personal information we hold and may complain to the Office of the Privacy Commissioner of Canada. Data may be processed outside Canada by the subprocessors listed above.
8. Retention
We retain account data and content for the life of your account. Deleted threads and folders are kept in a soft-deleted state for up to 30 days to allow restoration, then permanently removed. Billing records are retained for 7 years to meet Australian tax-law requirements.
9. Children
ERA is intended for licensed clinicians, supervised students, and educators in allied-health fields. It is not directed to children under 16, and we do not knowingly collect data from them.
10. Changes
If we change this policy materially, we'll show an in-app notice before the change takes effect.
See also our Terms of Service and Clinical Disclaimer.