Your privacy isn't a feature — it's the foundation

Privacy Policy

OutSession was built by a cybersecurity engineer. We designed the access model around the realities of therapy, not the conventions of SaaS. This policy explains exactly what we collect, what we don't, and why.

01

Anonymous by design

We believe therapy clients shouldn't need to hand over personal information to use a reflection tool. Our service doesn't require email addresses, real names, or any identifying information from therapist-connected clients.

Clients log in with a short code and PIN, handed to them in session. No welcome emails. No app icon that needs explaining. No account tied to a real identity. We don't know who you are when you use our tool — and that's by design.

02

What we collect

Practitioner codes

If you use a practitioner code, we record its usage to enable worksheet sharing with your therapist. The code is never associated with your identity. Your therapist may use an alias internally, but OutSession holds no identifiable information.

Worksheet content

We store the worksheets generated through our tool. We do this to maintain quality, to improve the tool based on usage patterns, and to support clinical safety audit. No personal information or identifiable data is stored alongside this content.

Session cookies

We use HttpOnly, Secure, SameSite=Strict cookies solely for authentication. These are functional cookies required for the service to work — not tracking cookies.

03

What we don't collect

We've been deliberate about what we leave out. No tracking cookies. No behavioural profiling. No analytics pixels. No data shared with external parties. Your prompts don't train anyone's model — AI calls are routed through Cloudflare's AI Gateway.

You can use OutSession without concern for data tracking or profiling. We store what's needed for clinical safety and nothing more.

04

Sharing and visibility

Everything a client creates stays private by default. Sharing is always opt-in and always controlled by the client. The therapist can't access the studio after handoff, because clients are forced to change their PIN on first login.

If a therapist invites a two-way connection, the client must explicitly accept. Content created before an upgrade stays private. Visibility is always the client's decision.

05

Data protection

Encryption

All data is encrypted in transit via SSL/TLS. Cookies are HttpOnly, Secure, and SameSite=Strict. Infrastructure runs on Cloudflare's global network.

GDPR alignment

We are aligned with GDPR principles. We minimise data collection, process only what's necessary, and don't share data with third parties. Users can request deletion of their data at any time.

No third-party sharing

Your data is never sold, shared, or made available to external parties. Your reflections stay yours.

06

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for operational, legal, or regulatory reasons. We will notify users of any significant changes by updating the effective date at the top of this policy.

We encourage you to review this policy periodically. If anything isn't clear, we'd rather you asked than assumed.

Questions?

Your privacy matters to us

If you have questions about this policy or how we handle your data, reach out. We'll answer directly.

Out|Session 2026