Privacy by Design

Substance use data demands the highest protection. We built it that way from day one.

Cannabis use disorder records are sensitive health data — protected by HIPAA, GDPR, and the strictest US law governing substance use treatment records: 42 CFR Part 2. SmokingTracker was designed around these requirements, not retrofitted to them.

HIPAA Compliant · GDPR Compliant · 42 CFR Part 2 · EU Data Residency

Compliance Frameworks

Three frameworks. One platform. Zero compromise.

Cannabis treatment data crosses multiple regulatory regimes depending on where your clients are. SmokingTracker meets all three simultaneously.

HIPAA

Health Insurance Portability and Accountability Act

Required for any US-based clinician or organisation handling Protected Health Information. SmokingTracker signs a Business Associate Agreement (BAA) with all clinical accounts.

  • Business Associate Agreement available
  • Access controls — role-based, per-client
  • Audit logs for all data access events
  • Breach notification procedures in place
  • Encryption at rest and in transit (TLS 1.2+)

GDPR

General Data Protection Regulation

Applies to any EU/EEA client data regardless of where the clinician is based. SmokingTracker offers EU data residency and a signed Data Processing Agreement for all accounts.

  • Data Processing Agreement (DPA) available
  • EU server residency option
  • Right to access, rectification, and erasure
  • Explicit consent collection on signup
  • Data minimisation — only necessary fields collected

42 CFR Part 2

Confidentiality of Substance Use Disorder Records

The strictest US federal standard — more protective than HIPAA — governing substance use disorder treatment records. Any platform used in SUD treatment must meet these requirements.

  • Explicit written consent before disclosure
  • Data never shared without patient authorisation
  • No disclosure to law enforcement without consent
  • Separate access controls for SUD data
  • Prohibition on re-disclosure built into DPA

Technical security

Encrypted, access-controlled, and audited at every layer

Compliance is not just a policy document — it requires technical controls. SmokingTracker encrypts all data at rest and in transit, implements role-based access so clients only see their own data, and maintains a full audit trail of all access events.

  • AES-256 encryption at rest — all client data
  • TLS 1.2+ in transit — all API and web traffic
  • Role-based access — practitioners see only their clients
  • Full access audit log — timestamped, tamper-evident

Read the full security overview →

[Screenshot: Client settings showing counselor connection and privacy controls]

Client consent & control

Clients control what they share and with whom

The therapeutic relationship requires trust. SmokingTracker's consent model puts clients in control: they choose which clinician sees their data, they can revoke access at any time, and no data leaves the system without explicit authorisation. Clients see exactly what their clinician can access.

  • Clinician connection requires client-initiated confirmation
  • Clients can disconnect from a clinician at any time
  • Clients can see exactly what data their clinician can view
  • Full account and data deletion available on request

Read the Data Processing Agreement →

[Screenshot: Client counselor settings with privacy and access controls]

Getting Compliant

What compliance looks like in practice

1. Sign the BAA / DPA

All clinical accounts are offered a Business Associate Agreement (US/HIPAA) and a Data Processing Agreement (EU/GDPR). Both are available during or after onboarding.

2. Invite clients with consent

When a client accepts your invitation and creates an account, they complete a consent flow covering data collection, access permissions, and their rights under GDPR or HIPAA as applicable.

3. Operate with confidence

All data access is logged. All exports are tied to the clinician account. You can provide documentation of your compliance posture to supervisors, employers, or auditors at any time.

Get compliant from day one during the free pilot

BAA and DPA available from day one. No setup fee. No automatic charges.

Want to see it in action?

Request access and see how SmokingTracker can support your treatment center during the current free pilot.

Currently free until October 2026 · No setup fee · No automatic charges