Technology and Our Privacy — Guided Wanderings

Last updated: June 2026

I am very aware (perhaps hyperaware!) of online privacy. Therefore, all of the programs I use to communicate with you are as privacy-focused as possible. I provide links to programs so you can read more, and I gain no financial benefits from you reading more.

Several of these services are self-hosted — meaning they run on a server I own and control, in my home. No third party ever touches that data. There are no ads, no tracking, and no data selling. These services do generate server logs (timestamps, IP addresses, and activity metadata), which are retained on my encrypted server for HIPAA compliance purposes only.

All external links open in a new tab.

Service	What It's Used For	How Your Privacy Is Protected	What Information It Receives About You
DocuSealSelf-hosted	Filling out and e-signing practice consent forms	Self-hosted on my encrypted server.	Only what you directly provide: form responses; server logs for HIPAA compliance and your signature; server logs for HIPAA compliance
Ivy Pay	Financial contribution collection	HIPAA-compliant with a signed Business Associate Agreement. Data encrypted in transit and at rest. PCI-DSS compliant for payment security.	Your initials, phone number, payment information, session date/time, and diagnostic code if needed for insurance reimbursement
NextcloudSelf-hosted	Forms and hosting this site	Self-hosted on my encrypted server.	Only what you directly provide: form responses; server logs for HIPAA compliance
Nextcloud Talk	Privacy-first virtual meetings	Self-hosted on my encrypted server. End-to-end encrypted calls.	Only what you directly provide during the call; server logs for HIPAA compliance
Proton Calendar	Calendar and scheduling	End-to-end encrypted. Event titles, descriptions, locations, and attendees are encrypted — even Proton cannot read them. Based in Switzerland under strong privacy laws.	Event start/end times and recurrence rules (needed to send notifications); your name and email address; all other event details are encrypted
Proton Drive	Shared document folder between usFor supervision and consultation only	End-to-end encrypted. Proton cannot read the contents of your files. Based in Switzerland under strong privacy laws.	Your email address (to share the folder); file metadata (names, sizes, timestamps)
Proton Mail	Email communication	End-to-end encrypted between Proton users. Zero-access encryption means even Proton cannot read your emails. No ads, no tracking.	Your email address, message content, and metadata (sender, recipient, timestamps)
Proton Meet	Default virtual meetings	End-to-end encrypted using Messaging Layer Security (MLS). Proton cannot access call contents. No tracking, no data collection, no AI training.	Minimal metadata; call contents are fully encrypted and inaccessible to Proton
SignalSecure messaging	Preferred between-session communication	End-to-end encrypted by default. Open source and independently audited. Signal cannot read your messages. Messages can be set to auto-delete.	Your phone number; the date you registered; the date you last connected.
SnikketXMPP · Self-hosted	Client communication	Self-hosted on my encrypted server. End-to-end encrypted using OMEMO.	Only what you directly provide: messages and any files you send; server logs for HIPAA compliance

AI usage: The table on this page was researched and written by claude.ai based on each service's published privacy policies and documentation. Dr. Perri reviewed and approved the content. As with the rest of this site, all final decisions about what to include were Dr. Perri's.

Digital Privacy Policy

This policy explains how I collect, use, and protect your personal information in the context of our therapeutic work together.

What Information I Collect

In the course of providing therapy services, I may collect the following types of information:

Your name, contact information (phone number, email address), and emergency contact
Scheduling and appointment information
Intake forms, consent documents, and session notes
Payment information (processed through a HIPAA-compliant third party)
Communication content (emails, messages, and voicemails related to your care)

I do not collect any information beyond what is necessary to provide care and meet legal obligations.

How Your Information Is Used

Your information is used solely for the purpose of providing and coordinating your care. This includes:

Scheduling and managing appointments
Communicating with you between sessions
Storing intake forms and signed documents
Processing payment for services
Meeting mandatory reporting and legal obligations as required by Colorado law

I do not sell, rent, or share your information with any third party for marketing or commercial purposes.

How Your Information Is Protected

I am a HIPAA-covered provider. All electronic protected health information (ePHI) is stored on hardware I own and control, encrypted at rest and in transit. The digital services I use in my practice have been selected for their privacy and security practices, as detailed in the table above.

Key protections include:

All stored ePHI is encrypted on a LUKS-encrypted drive on my own server — no cloud provider holds your health data
Business Associate Agreements (BAAs) are in place with all third-party vendors that handle ePHI
All devices used for practice-related work require authentication to access
Proton Mail and Proton Drive use end-to-end and zero-access encryption; even Proton cannot read your files or messages

Email and Messaging

Standard email and SMS are not secure channels. If you contact me through a standard email address or a non-encrypted text, I will respond but cannot guarantee confidentiality on your end.

For sensitive communication, I use and recommend:

Signal — end-to-end encrypted messaging, my preferred between-session channel
Proton Mail — fully encrypted email when both parties use Proton
Snikket — self-hosted, end-to-end encrypted XMPP messaging

Video Sessions

All video session platforms I use are HIPAA-compliant and covered by a signed BAA. You have the option to choose the platform that works best for you — accessibility matters as much as privacy.

Your Rights

Under HIPAA, you have the right to:

Access your health information
Request corrections to your records
Receive an accounting of disclosures of your information
Request restrictions on how your information is used or shared
Receive a copy of this Notice of Privacy Practices
File a complaint if you believe your privacy rights have been violated

To exercise any of these rights, contact me directly at perri@guidedwanderings.com.

Data Retention and Disposal

Client records are retained for a minimum of seven years following the end of treatment, or seven years after a minor client turns 18, whichever is later — as required by Colorado law. When records are no longer required to be retained, they are securely deleted or physically destroyed.

Breach Notification

In the unlikely event of a data breach involving your protected health information, I will notify you in writing within 60 days of discovering the breach, as required by the HIPAA Breach Notification Rule. The notification will describe what happened, what information was involved, steps I have taken, and what you can do to protect yourself.

Changes to This Policy

I may update this policy from time to time. The date at the top of the page reflects when it was last revised. Material changes will be communicated to active clients directly.

← Back Next →