How therappai Is Built to Meet Regulatory Compliance Standards Across U.S. States

Ensuring user safety, data protection, and clinical reliability is at the heart of therappai. As we prepare for launch and expand into the United States, we are deliberately building the platform to align with the mental-health, data-privacy, AI-safety, and telehealth-adjacent regulatory frameworks required in many U.S. states.

Even though therappai is not a medical provider and does not replace licensed therapy, the U.S. regulatory landscape still places expectations on digital mental-health tools — especially those that use AI, store sensitive emotional data, or operate support features like crisis escalation.

Below is an overview of what we’re doing to make sure the app meets (and exceeds) the standards expected across multiple U.S. states.

1. Data Privacy & Security (HIPAA-Aligned Practices)

Many U.S. states evaluate mental-health apps using HIPAA-style benchmarks even when the product itself does not fall under HIPAA as a covered entity. To support trust and enterprise adoption, therappai is built with HIPAA-aligned technical and organisational safeguards.

Encrypted Data Handling

• End-to-end encryption following AES-256 (as recommended by the NIST Cybersecurity Guidelines)

• Encrypted data in transit (TLS 1.2+)

• Zero plaintext logging of therapy content

Access Controls

• Role-based access control (RBAC) aligned with SOC-2

• No internal access to user messages unless explicitly authorised

• Multi-factor authentication across internal systems

Data Minimisation

• No advertising trackers or behavioural profiling

• Minimal data collection aligned with OECD Data Minimisation Principles

Audit Trails

• HIPAA-style access logging

• Continuous monitoring for anomalies or unauthorised access

💬 Learn more about how therappai works:

therappai – How It Works

2. Compliance With State-Level U.S. Privacy Laws

therappai’s data rights and consent system is designed to comply with key U.S. state privacy laws:

• California Privacy Rights Act (CPRA / CCPA)

• Virginia Consumer Data Protection Act (VCDPA)

• Colorado Privacy Act (CPA)

• Connecticut Data Privacy Act (CTDPA)

• Utah Consumer Privacy Act (UCPA)

therappai supports:

• Opt-in consent for data processing

• Full right to access, delete, and export data

• Transparent privacy disclosures

• No selling, renting, or trading of personal data

• Do-Not-Track compliance

Learn more:

therappai – Privacy Policy

3. Crisis Safety Standards (Meeting U.S. State & National Requirements)

States like Washington, California, and New York emphasise safe digital crisis support.

therappai’s Crisis Buddy system aligns with these expectations.

Real-Time AI Safety Indicators

• Distress detection aligned with guidance from SAMHSA

• Conservative risk thresholds to avoid false negatives

User-Controlled Escalation

• Users choose their trusted Crisis Buddy

• Alerts triggered only when a risk threshold is clearly met

Resource-First Protocol

• Immediate access to the 988 Suicide & Crisis Lifeline

• U.S. state-specific emergency resources provided where necessary

• System defaults to “safety-first” options when uncertain

4. AI Governance & Emerging State Regulations

therappai is aligned with leading AI governance frameworks, including:

• The NIST AI Risk Management Framework

• The U.S. White House AI Safety Executive Order

• California’s emerging AI safety legislation (SB 1047)

Model Transparency

• Clear disclosure that users are interacting with AI

• No diagnostic or medical claims

• Explanation of how AI responses are generated

Guardrails

• Human-curated CBT/DBT content

• Strict clinical boundary protection

• Bias testing and demographic fairness checks

5. Enterprise-Grade Compliance for U.S. Employers

For workplaces—including mining, construction, first-response, and corporate sectors—compliance is essential. therappai is developing:

• SOC-2 aligned encryption and system monitoring

• HIPAA-aligned data protection practices

• SSO & SCIM integration

• Zero-knowledge reporting for employee privacy

• Clear data-flow documentation for procurement teams

• Enterprise Data Processing Agreements (DPAs)

External references employers expect:

• SOC-2 Overview

• NIST Cybersecurity Framework

For enterprise customers:

therappai – Enterprise

6. Clear Clinical Boundary Compliance

To meet U.S. regulatory expectations for non-clinical wellbeing apps, therappai:

❌ Does not diagnose

❌ Does not prescribe

❌ Does not provide clinical assessments

✔ Provides emotional support

✔ Provides AI video, chat, and voice therapy sessions

✔ Provides CBT/DBT exercises

✔ Supports individuals between human therapy sessions

✔ Offers crisis alerts and mood/insight tracking

This approach aligns with:

• The Federation of State Medical Boards

• The American Psychological Association’s AI Guidelines

7. User Rights & Consent Framework

therappai supports all major U.S. user rights protections:

• Right to delete

• Right to access and export

• Right to correction

• Consent withdrawal

• Opt-out of analytics

• Age-appropriate protections

• Transparent consent notices

therappai terms of use:

therappai – Terms

Building a Global-Standard Mental-Wellbeing Platform

The U.S. regulatory landscape is complex, but the core principle is simple: protect users, respect their data, and commit to safety.

therappai is built from the ground up to meet these expectations. Through HIPAA-aligned safeguards, AI governance, crisis-response best practices, and comprehensive U.S. state privacy compliance, we’re building a platform that can confidently scale across the United States—supporting individuals and workplaces with trust and transparency.