
Privacy Policy

Last updated: March 8, 2026

This policy explains what information Stillpoint collects, how we use it, and your rights regarding your data. We recommend reviewing this page periodically as we update it to reflect new features and practices.

1. Information We Collect

Account information. When you create a Stillpoint account, we collect your name, email address, phone number (optional), and practice details such as your practice name and timezone.

Client information. When clients book appointments through your booking page or an embedded booking form, we collect the following on behalf of the practitioner:

  • Full name
  • Email address
  • Phone number (if provided)
  • Booking details (service, date, time)
  • Appointment history
  • Session preferences and notes

This data is stored on behalf of the practitioner and shared with them to manage appointments and provide their services.

Clinical records. If you use Stillpoint’s clinical notes features, we store the content of session notes, SOAP notes, and note templates that you create. All clinical content is encrypted at rest using AES-256 encryption. This data is stored solely on your behalf and is not accessed by Stillpoint for any purpose other than providing the service.

Billing and invoicing data. Stillpoint stores invoice records, insurance claim details, procedure codes, and related billing information that you enter. This data is used to generate invoices and manage claims within the platform.

Payment information. All payment data is processed securely by Stripe. We do not store credit card numbers, bank account details, or other financial information on our servers.

Website content. If you use our hosted website feature, we store the text, images, and configuration you provide to build and display your practice website.

Usage data. We collect standard server logs including IP addresses, browser type, and timestamps. We use Google Analytics to understand how visitors interact with our marketing site, booking pages, and practitioner dashboard. See Section 4 for details on analytics cookies.

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Stillpoint scheduling platform
  • Store and display clinical notes and records on your behalf
  • Generate and manage invoices and insurance claims
  • Provide practice analytics and reporting
  • Process payments through Stripe Connect
  • Send appointment confirmations and reminders via email
  • Send SMS notifications for bookings and cancellations (when enabled)
  • Host and display your practice website (when published)
  • Respond to support requests
  • Improve the reliability and performance of our service

We do not sell your data. We do not use your data for advertising.

3. Third-Party Services

Stillpoint relies on a small number of trusted third-party services to operate. Each provider receives only the data necessary to perform its function.

  • Supabase — database hosting, authentication, and file storage.
  • Stripe — payment processing (PCI-DSS compliant). Stripe receives client payment details directly and Stillpoint never handles or stores card data.
  • Resend — transactional email delivery for confirmations, reminders, and notifications.
  • Twilio — SMS delivery for appointment notifications.
  • Vercel — web hosting and custom domain management for practice websites.
  • Google Analytics — anonymized usage analytics on our marketing site, booking pages, and practitioner dashboard. Google Analytics collects data such as pages visited, button clicks, device type, and browser information using cookies. No personally identifiable information is sent to Google Analytics. You can opt out using the Google Analytics opt-out browser add-on.
  • Google Fonts — typography loaded on booking pages and hosted websites. Google may collect usage data when fonts are served.
  • Amazon Web Services (AWS) — HIPAA-eligible infrastructure used for storing protected health information (PHI), including clinical notes, intake forms, and session records. Data is hosted on AWS RDS PostgreSQL in the US with encryption at rest and in transit.
  • OpenAI — powers the Clio AI practice assistant. Conversation messages sent to the assistant are processed through OpenAI’s API. No clinical records, session notes, or PHI are sent to OpenAI. Data sent to OpenAI is not used to train their models.
  • Railway — cloud hosting for the Clio AI worker service.

4. Cookies & Authentication

Stillpoint uses cookies for authentication and session management. We set authentication cookies across the .withstillpoint.com domain to enable seamless login between your dashboard, booking pages, and hosted website.

We also use Google Analytics cookies to collect anonymized usage data on our marketing site, booking pages, and practitioner dashboard. These cookies help us understand how our platform is used so we can improve it. Google Analytics does not collect personally identifiable information.

We do not use advertising cookies or participate in any ad networks.

5. Hosted Websites

If you publish a hosted website through Stillpoint, your website is served at a .withstillpoint.com subdomain or your own custom domain. Standard web server logs (IP address, browser, timestamps) are collected from visitors to your website. No tracking scripts or analytics are added by Stillpoint.

Stillpoint does not add any analytics or tracking scripts to practitioner-hosted websites. Google Fonts may be loaded for typography. Custom domains are routed through Vercel and are subject to Vercel’s privacy practices.

6. Embedded Booking Forms

Your booking form can be embedded on third-party websites via an iframe. Data collected during the booking process (name, email, phone, notes) is transmitted to and processed by Stillpoint regardless of where the form is embedded.

Payment information entered within an embedded booking form is handled directly by Stripe. Authentication cookies may be set within the iframe for session management.

7. SMS & Email Communications

Stillpoint sends transactional messages on behalf of practitioners, including booking confirmations, appointment reminders, and cancellation notices. Practitioners also receive notifications when clients book or cancel.

Practitioners can control notification preferences (email and SMS) from the Settings page. Client reminders can be disabled by setting the reminder lead time to zero. Emails are sent via Resend and SMS messages are sent via Twilio.

8. Data Security

All data is encrypted in transit (HTTPS) and at rest. Clinical notes, intake forms, and session records are stored in a dedicated HIPAA-eligible database on AWS RDS PostgreSQL, separate from the primary application database. This PHI database uses AES-256 encryption at rest and TLS encryption in transit. Authentication uses industry-standard JWTs issued by Supabase. Row-level security policies ensure that practice data is isolated between tenants — one practice cannot access another’s data.

Payment information is processed by Stripe (PCI-DSS compliant) and never stored on Stillpoint servers. All API communication occurs over HTTPS.

9. Data Retention

Account and practice data — including clinical notes, invoices, and insurance claims — is retained for as long as your account is active. If you request account deletion, we will remove your data within a reasonable timeframe, except where retention is required by law (for example, payment records and billing documentation). Server logs are retained for a limited period for debugging and security purposes.

10. Your Rights (Practitioners)

As a practitioner, you have the right to:

  • Export your data — including client records and clinical notes — at any time from your practice settings
  • Request deletion of your account and data
  • Opt out of SMS notifications from your settings
  • Unpublish your hosted website at any time

For any privacy-related requests, contact us at hello@withstillpoint.com.

10a. Client Data Rights

If you are a client who has booked an appointment through Stillpoint, you may contact us at hello@withstillpoint.com to:

  • Request information about the data we hold about you
  • Request corrections to your personal information
  • Request deletion of your data, subject to the practitioner’s recordkeeping obligations

We will respond to verified requests within 30 days.

11. Contact

For privacy questions or concerns, reach us at hello@withstillpoint.com.

© 2026 Stillpoint. All rights reserved.