
Privacy Policy

Last updated: 2026-04-20

This Privacy Policy explains what personal and health information we collect at Hiraya Therapeutic Massage, why we collect it, how we store it, and your rights regarding your data. Colorado consumer-privacy laws (CPA) apply where relevant.

What we collect

We collect the following categories of information:

  • Contact information: name, email address, phone number, mailing address (for mobile sessions).
  • Health intake: medical conditions, medications, recent injuries, pregnancy status, pressure preferences, contraindications.
  • Session records: SOAP notes (Subjective, Objective, Assessment, Plan), body-map annotations, therapist notes from each session.
  • Payment information: processed directly by Stripe. We store only a reference token and the last four digits of your card.
  • Usage data: pages visited, buttons clicked, approximate location (from IP). Collected via Microsoft Clarity and Google Analytics 4 (with your consent).
  • Appointment history: dates, services, amounts paid, modalities applied.

Service providers

We share information with the following service providers ("processors"), each of whom is bound by contracts limiting their use of your data to providing services to us:

  • Supabase (database + authentication hosting, US)
  • Vercel (website hosting, US)
  • Stripe (payment processing, US)
  • Resend (transactional email, US)
  • Twilio (SMS reminders — only if you opt in, US)
  • Microsoft Clarity (session analytics with cookie consent, US)
  • Google Analytics 4 / Google Tag Manager (site analytics with cookie consent, US)

We do not sell your personal information. We do not share health-related information with analytics providers.

Data retention

Session records (SOAP notes, body-map markers) are retained for seven (7) years to comply with Colorado massage-therapy recordkeeping requirements. Contact information is retained for as long as you have an active account or have received services from us in the last three (3) years. You may request earlier deletion subject to our legal retention obligations.

Security

We employ industry-standard security: encrypted database connections, row-level-security policies enforcing per-user data isolation, signed webhook verification, HTTPS-only transport, and pgcrypto envelope encryption for the most sensitive PHI columns. Access to client records is restricted to the treating therapist.

Your rights

Under the Colorado Privacy Act (CPA) and applicable US laws, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your data (subject to legal retention obligations).
  • Opt out of targeted advertising and the sale of personal data. (We do not sell or use data for targeted advertising.)
  • Port your data in a machine-readable format.
  • Revoke consent for optional processing (analytics, marketing).

To exercise any right, email hello@hirayamassage.com. We respond within 45 days.

Cookies

We use strictly necessary cookies for authentication and session management. Optional analytics cookies (Clarity, GA4) are loaded only after you accept them via our cookie banner. You can change your consent at any time via the cookie settings link in the footer.

Children's privacy

Our services are intended for adults and emancipated minors. We do not knowingly collect information from children under 13. Clients under 18 require written parental consent on file before booking.

Changes

We may update this Privacy Policy. Material changes will be communicated by email, and the "Last updated" date will reflect the change.

Contact

To ask about this Policy, request access to your data, or file a complaint, contact hello@hirayamassage.com. You may also file a complaint with the Colorado Attorney General at coag.gov.