Privacy & Compliance
Privacy by Design

Substance use data demands the highest protection. We built it that way from day one.

Cannabis use disorder records are sensitive health data, protected by HIPAA, by GDPR, and, for federally assisted treatment programs, by 42 CFR Part 2, the strictest US federal rule governing substance use disorder treatment records. SmokingTracker was designed around these requirements, not retrofitted to them.

HIPAA Ready  ·  GDPR Compliant  ·  42 CFR Part 2 Aligned  ·  EU Data Residency
Compliance Frameworks

Three frameworks. One platform. Zero compromise.

Cannabis treatment data crosses multiple regulatory regimes depending on where your clients are and on how your program is funded. SmokingTracker is built to meet all three at once.

HIPAA

Health Insurance Portability and Accountability Act

Applies to US covered entities (clinicians, practices and organizations handling Protected Health Information) and to their business associates, which is the role SmokingTracker takes on under a signed BAA. A HIPAA Business Associate Agreement (BAA) is available to any US-based clinical account that requires one; contact us to request it.

  • Business Associate Agreement available on request
  • Access controls — role-based, per-client
  • Audit logs for all data access events
  • Breach notification procedures in place
  • Encryption at rest and in transit (TLS 1.2+)
GDPR

General Data Protection Regulation

Applies when clients are located in the EU or EEA, regardless of where the clinician or organization is based. SmokingTracker offers EU data residency and a signed Data Processing Agreement for all accounts.

  • Data Processing Agreement (DPA) available
  • EU server residency option
  • Right to erasure and data deletion on request
  • Explicit consent collection on signup
  • Data minimisation — only necessary fields collected
42 CFR Part 2

Confidentiality of Substance Use Disorder Records

The strictest US federal standard — more protective than HIPAA — governing substance use disorder treatment records. SmokingTracker is designed to support these requirements, with consent-gating, DPA language, and access controls aligned to its obligations.

  • Explicit written consent before disclosure
  • Data never shared without client authorization
  • Strong protections against unauthorized law enforcement disclosure — stricter than HIPAA
  • Separate access controls for SUD data
  • Prohibition on re-disclosure built into DPA
Technical Security

Encrypted, access-controlled, and audited at every layer

Compliance is not just a policy document — it requires technical controls. SmokingTracker encrypts all data at rest and in transit, implements role-based access so clients only see their own data, and maintains a full audit trail of all access events.

  • Data encrypted at rest
  • TLS 1.2 or newer in transit: all API and web traffic is served over HTTPS
  • Role-based access: practitioners see only the clients who have connected to them
  • Full access audit log: timestamped entries for every data access event, including denied attempts
Read the full security overview
[Image: Client settings showing counselor connection and privacy controls]
Client Consent & Control

Clients control what they share and with whom

The therapeutic relationship requires trust. SmokingTracker's consent model puts clients in control: they choose which clinician sees their data, they can revoke access at any time, and no data leaves the system without explicit authorization.

  • Clinician connection requires client-initiated confirmation
  • Clients can disconnect from a clinician at any time
  • Clients can see exactly what data their clinician can view
  • Full account and data deletion available on request
Read the Data Processing Agreement
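The two sections above (Technical Security and Client Consent & Control) describe the same mechanism from two sides: a clinician's access to a client's records is gated on a connection the client confirmed and can revoke, and every access attempt is written to a timestamped audit log. The block below is an added illustration of that model, not SmokingTracker's own code. All names in it (ConsentRegistry, RecordStore, AuditEntry, the "dr-a" and "client-1" accounts and the sample record) are assumptions made for the example; a real deployment would authenticate the acting account before calling these methods and persist the audit log to append-only storage.

```python
"""Consent-gated record access with a deny-by-default audit log.

Added example (not SmokingTracker's code). Models the consent model described
on the page: a clinician can read a client's records only while a connection
that the client confirmed is active; the client can revoke it at any time; every
access attempt, allowed or denied, produces a timestamped audit entry.
All class, method and account names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Dict, List, Tuple


class ConsentState(Enum):
    INVITED = "invited"   # clinician sent an invitation; client has not confirmed
    ACTIVE = "active"     # client confirmed; clinician may read this client's records
    REVOKED = "revoked"   # client disconnected; clinician may no longer read


@dataclass
class AuditEntry:
    ts: str        # ISO-8601 UTC timestamp
    actor: str     # account performing the action
    action: str    # "write", "read" or "preview"
    subject: str   # client whose data is involved
    allowed: bool  # whether the action was permitted
    reason: str    # why it was allowed or denied


class ConsentRegistry:
    """Clinician-to-client links. Only the client moves a link to ACTIVE or REVOKED."""

    def __init__(self) -> None:
        self._links: Dict[Tuple[str, str], ConsentState] = {}

    def invite(self, clinician: str, client: str) -> None:
        # A pending invitation grants nothing until the client confirms it.
        if self._links.get((clinician, client)) != ConsentState.ACTIVE:
            self._links[(clinician, client)] = ConsentState.INVITED

    def confirm(self, client: str, clinician: str) -> None:
        # Client-initiated: the caller is the authenticated client, and there must
        # be a pending invitation from that clinician to confirm.
        if self._links.get((clinician, client)) != ConsentState.INVITED:
            raise PermissionError("no pending invitation from that clinician")
        self._links[(clinician, client)] = ConsentState.ACTIVE

    def revoke(self, client: str, clinician: str) -> None:
        # Client can disconnect at any time; revocation takes effect immediately.
        self._links[(clinician, client)] = ConsentState.REVOKED

    def is_active(self, clinician: str, client: str) -> bool:
        return self._links.get((clinician, client)) == ConsentState.ACTIVE

    def clinicians_with_access(self, client: str) -> List[str]:
        # What the client sees when asking "who can currently view my data?"
        return sorted(c for (c, k), s in self._links.items()
                      if k == client and s == ConsentState.ACTIVE)


class RecordStore:
    """Per-client records behind a deny-by-default check; every attempt is audited."""

    def __init__(self, consent: ConsentRegistry,
                 clock: Callable[[], str] = lambda: datetime.now(timezone.utc).isoformat()) -> None:
        self.consent = consent
        self.audit: List[AuditEntry] = []
        self._records: Dict[str, List[dict]] = {}
        self._clock = clock

    def _log(self, actor: str, action: str, subject: str, allowed: bool, reason: str) -> None:
        self.audit.append(AuditEntry(self._clock(), actor, action, subject, allowed, reason))

    def add_record(self, client: str, entry: dict) -> None:
        self._records.setdefault(client, []).append(entry)
        self._log(client, "write", client, True, "own records")

    def read_records(self, actor: str, role: str, client: str) -> List[dict]:
        # Clients always see their own data; clinicians only under active consent.
        # Every branch writes an audit entry before returning or raising.
        if role == "client" and actor == client:
            self._log(actor, "read", client, True, "own records")
        elif role == "clinician" and self.consent.is_active(actor, client):
            self._log(actor, "read", client, True, "active client consent")
        else:
            self._log(actor, "read", client, False, "no active consent")
            raise PermissionError(f"{actor} may not read records of {client}")
        return list(self._records.get(client, []))

    def preview_for_clinician(self, client: str, clinician: str) -> List[dict]:
        # What the client sees when checking exactly what a clinician can view.
        self._log(client, "preview", client, True, f"preview of {clinician} access")
        if not self.consent.is_active(clinician, client):
            return []
        return list(self._records.get(client, []))

    def denied_events(self) -> List[AuditEntry]:
        return [e for e in self.audit if not e.allowed]


def demo() -> dict:
    """Walk through invite -> confirm -> read -> revoke and report what the audit captured."""
    consent = ConsentRegistry()
    store = RecordStore(consent)
    store.add_record("client-1", {"date": "2025-03-01", "sessions": 2})  # constructed sample

    consent.invite("dr-a", "client-1")
    try:                                   # pending invitation: still denied
        store.read_records("dr-a", "clinician", "client-1")
        before = "allowed"
    except PermissionError:
        before = "denied"

    consent.confirm("client-1", "dr-a")    # client-initiated confirmation
    seen = len(store.read_records("dr-a", "clinician", "client-1"))
    who = consent.clinicians_with_access("client-1")
    preview_active = len(store.preview_for_clinician("client-1", "dr-a"))

    consent.revoke("client-1", "dr-a")     # client disconnects
    try:
        store.read_records("dr-a", "clinician", "client-1")
        after = "allowed"
    except PermissionError:
        after = "denied"
    preview_revoked = len(store.preview_for_clinician("client-1", "dr-a"))

    return {"before_consent": before, "records_seen": seen, "clinicians": who,
            "preview_active": preview_active, "after_revoke": after,
            "preview_revoked": preview_revoked, "audit_entries": len(store.audit),
            "denied": len(store.denied_events())}
```

The point of the structure is that the authorization decision and the audit write live in the same function, so there is no code path that returns records without logging, and denied attempts are logged too; an auditor reviewing the trail can see both the reads that happened and the reads that were refused after a client revoked access.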
[Image: Client counselor settings with privacy and access controls]
Getting Compliant

What compliance looks like in practice

01

Sign the BAA / DPA

All clinical accounts are offered a Business Associate Agreement (US/HIPAA) and a Data Processing Agreement (EU/GDPR). Both are available during or after onboarding.

02

Invite clients with consent

When a client accepts your invitation and creates an account, they complete a consent flow covering data collection, access permissions, and their rights under GDPR or HIPAA as applicable.

03

Operate with confidence

All data access is logged. All exports are tied to the clinician account. You can provide documentation of your compliance posture to supervisors, employers, or auditors at any time.

Get compliant from day one during the free pilot

BAA and DPA available from day one. No setup fee. No automatic charges.

Get started today

Start with one client.
See how it works.

Full access at no cost through October 2026. No setup fee, no automatic charges, no commitment required.

Start Free  ·  View Pricing
Free until October 2026  ·  No credit card  ·  No automatic charges