1. The current product stage
Cost Plus PT currently provides a public product preview, account authentication, a patient-interface foundation, and a guided-session interaction prototype. It does not currently provide a clinically validated diagnosis or treatment service. Recovery goals, check-ins, progress, and session responses that you enter are product-study records, not a clinical record or treatment decision.
2. Information we collect
Account information may include your email address, authentication identifiers, account timestamps, and a profile name you choose to add. Security systems may record login, authorization, rate-limit, device/browser, and network information needed to prevent abuse and investigate incidents.
The authenticated recovery preview can save a goal, a repeatable function measure, symptom intensity, confidence, delayed activity response, optional short notes, structured session responses, and a reason when you report that something changed. These user-reported records are scoped to your signed-in account and stored only in this browser’s local storage in the current release. They are not sent to the Cost Plus PT server, reviewed by a clinician, or used as a clinical record. Avoid including names or details that are not needed for the preview.
The public movement check keeps its answers in browser memory for that page. The guided session can open a local camera preview after you choose to enable it. Cost Plus PT does not record, upload, score, or retain those camera frames. Raw voice, recognized transcripts, and the temporary session event trail are not retained by Cost Plus PT.
3. Voice and camera
Camera and microphone permissions are denied across the site except on the focused guided-session route. Permission is still requested only after you act. Spoken coaching uses the browser’s text-to-speech feature. Optional speech recognition may be processed by your browser or operating-system provider under its own terms; the current prototype does not send recognized transcripts to Cost Plus PT or save them.
4. How we use information
We use current account and technical information to create and secure accounts, maintain sessions, provide requested product features, prevent fraud and abuse, respond to support and privacy requests, debug failures, and meet applicable legal obligations. We do not use health-related interactions for targeted advertising.
5. Service providers and disclosure
The current architecture uses specialized providers for hosting, authentication, database infrastructure, and transactional email. They may process limited information on our behalf under their service terms. We may also disclose information when required by law, to protect users or the service, or as part of a business transaction subject to appropriate safeguards.
Cost Plus PT does not sell personal information, movement information, camera content, or health information. It does not place advertising pixels or general-purpose session-replay tools inside authenticated health, camera, or voice flows.
6. Cookies
We use first-party session cookies needed for authentication and security. We do not currently use third-party advertising cookies in the treatment product.
7. Retention
Account profile information is generally retained while the account is active and removed through the account-deletion process, subject to narrow legal, security, backup, or fraud-prevention needs. Audit and security records may be retained in de-identified or access-restricted form. Browser-held recovery-preview data remains on that browser until you clear its site data, use the clear control in You, or successfully delete the account from that browser. Signing out does not clear it. Because it is device-local, clearing it on one browser does not affect another browser. The current product does not retain raw session video or audio.
8. Your choices and rights
Signed-in users can correct profile information, download the server-held account export, and request account deletion from Account & security. The separate You page lets you download or clear the recovery-preview data held in the current browser. If you use a shared device, sign out and clear the recovery preview when you are finished. You may also contact us about access, correction, deletion, or other rights that apply where you live. We will verify requests before acting.
9. Security and breaches
We use access controls, encryption in transit and at rest where supported, audit logging, security headers, rate limiting, and restricted administrative access. No system is perfectly secure. If a covered health-information breach occurs, we will investigate and provide notices required by applicable law.
10. HIPAA and other health privacy rules
A direct-to-consumer health app is not automatically covered by HIPAA. Other federal and state privacy, consumer-protection, and breach-notification laws may still apply. The FTC explains that its amended Health Breach Notification Rule reaches many health apps outside HIPAA; HHS also provides a mobile-health-app regulatory tool. See the FTC health breach guidance and HHS mobile health app resources.
11. Adults only
The current account and first proposed pathway are intended for adults 18 and older. We do not knowingly design this preview for children or knowingly collect children’s personal information through it.
12. Changes and contact
We will update this policy as the product, vendors, or legal obligations change and will revise the effective date above. Material changes will receive an appropriate notice. Contact hello@costpluspt.com or use the contact page.