Last updated: 2026-05-12

This policy explains what data my-cbt collects, what we use it for and what you can do about it. It applies to my-cbt.com, demo.my-cbt.com, portal.my-cbt.com and any my-cbt application installed on your domain.

We do not have access to your clients’ data. The portal that holds it runs on a Cloudflare account in your name, with a database in your name. We never receive a copy of it, do not maintain a backdoor into it and cannot read its contents.

1. Who we are

my-cbt is the company that builds, sells and supports the my-cbt CBT practice management application. We are the controller for the personal data we hold about you, the subscribing therapist or practice. Privacy questions go to [email protected].

2. The data we hold about you

We hold your name, business email, the domain we installed on, the date you signed up and your account password stored as a one-way hash.

Freemius is our authorized reseller and processes your payments. Freemius holds your card details. We receive only the metadata needed to operate your subscription, including license ID, plan, status, country of billing and the email used at checkout.

We hold any message you send our support team, any message you exchange with a business coach assigned to you and any audit log entry generated when you or we change your account.

When you log into portal.my-cbt.com or your install, your browser holds a session cookie. When you visit my-cbt.com, our analytics records visit-level data without cookies and without fingerprinting.

Subscription state means which plan you are on, your billing status, whether the Coaching add-on is active and when payments last cleared.

3. Data we do not hold

We do not hold:

  • case files, session notes, worksheet submissions, scheduling data or any other clinical record
  • client names, addresses, phone numbers or contact details
  • audio, video or any session recording
  • any data your clients enter through the portal

That data sits in your database, in your Cloudflare account, under your administrative control. We have no access path to it. When we deploy software updates, the scoped token we use can write application code only and cannot read your data. Updates do not read, copy, alter or delete anything in your database.

4. Why we hold what we hold

We use your data only to operate the service:

  • to deliver the portal application and its updates to your domain (legal basis: contract performance)
  • to bill you and process subscription changes through Freemius (contract performance)
  • to handle your support tickets and run your Coaching add-on (contract performance)
  • to detect abuse, fraud and security incidents (legitimate interest)
  • to meet tax, accounting and other legal obligations (legal obligation)
  • to send transactional emails about your account and the service (contract performance)

We do not use any of this data for advertising or profiling. We do not sell it. We do not train AI models on it.

5. Who we share it with

Payment is processed by Freemius, our authorized reseller. When you check out, Freemius receives your name, email, billing address, country and payment details, and operates under its own privacy policy. We never receive or store your card details.

We do not sell, rent or trade your personal data. We do not share it with advertisers, data brokers or anyone outside what is needed to operate your account.

6. International transfers

my-cbt is based in Israel. The European Commission has determined that Israel provides an adequate level of data protection for commercial transfers from the EU and EEA (Decision 2011/61/EU), so your account data can be transferred to and stored in Israel without additional safeguards.

7. Cookies

my-cbt.com does not set advertising or tracking cookies. The analytics we use on the marketing site is cookieless and does not fingerprint visitors.

On portal.my-cbt.com and on your installed portal, the only cookies set are session cookies needed to keep you and your authorized users logged in. Disabling them prevents the portal from functioning.

8. How long we keep your data

We keep your account data while your subscription is active and afterward only as long as needed for legal obligations, typically up to seven years for tax and accounting records. After that, the data is deleted or anonymized.

Support and coaching messages are retained while your account is active and for a reasonable period afterward to handle follow-up. Audit logs are kept for security and regulatory purposes.

If you cancel, your data in your Cloudflare account stays under your control. For the clinical data, there is nothing on our end to delete on your behalf, because we never received it.

9. Your rights

You have the following rights over the personal data we hold about you:

  • access: request a copy of the data
  • rectification: correct anything inaccurate or incomplete
  • erasure: request deletion, subject to legal retention obligations
  • restriction: ask us to limit how we use your data in specific cases
  • portability: receive your data in a structured, machine-readable format
  • objection: object to processing based on legitimate interest
  • withdrawal of consent: withdraw consent where processing relies on it
  • complaint: lodge a complaint with your local data protection authority

To exercise any of these, write to [email protected]. We respond within 30 days.

If you are a California resident, you have rights under the CCPA and CPRA. These include the right to know what we collect, the right to delete, the right to correct and the right not to be discriminated against for exercising your rights. We do not sell or share your personal information for cross-context behavioral advertising.

For any data your clients enter into your portal, you are the controller. Requests from your clients go to you and not to us.

10. Security

We protect the data we hold with technical and organizational measures appropriate to its sensitivity. Passwords are stored as one-way hashes. Connections to our servers run over TLS. Access to internal systems is limited to authorized personnel and is logged. Backups are encrypted at rest.

No system is fully immune to compromise. If we discover an incident affecting your data, we will notify you and the relevant authorities as required by law.

The data in your Cloudflare account is protected by Cloudflare’s security measures, not by ours. Reading Cloudflare’s security and breach-notification policy is part of the due diligence we expect you to do.

11. Children

my-cbt is sold to professionals. We do not knowingly collect personal data from anyone under 18. If you believe we have, write to us and we will delete it.

12. Automated decisions

We do not use automated decision-making or profiling to make decisions that have a legal or similarly significant effect on you.

13. Marketing emails

We send transactional emails about your account, billing and service. We may, occasionally, send product news about my-cbt. You can opt out of product news by replying “unsubscribe” or by using the link in any such email. Transactional emails cannot be opted out of while your account is active.

14. Calendar and other integrations

Your installed portal can integrate with calendar services such as Apple Calendar and Google Calendar, depending on how you configure it. Those integrations run between your portal and the third-party provider, under that provider’s privacy terms. We do not see the traffic.

15. Changes to this policy

If we change this policy in a way that materially affects your privacy, we will email you at the address on your account at least 14 days before the change takes effect. The “Last updated” line at the top of this page shows the most recent revision.

16. Contact

Privacy questions and any request under section 9 go to [email protected].