Website Privacy Policy

Last Updated: January 17, 2026

We at FrameShare ("FrameShare," "we," "us," or "our") created this Website Privacy Policy ("Privacy Policy") because we know that you care about how your information is used and shared. This Privacy Policy describes the information that we collect from or about you in connection with our online services available through FrameShare.org ("Website"). This Privacy Policy applies only to information that identifies or could identify, whether directly or together with other information that we collect, a particular natural person ("Personal Data"). It also describes our practices for maintaining and protecting your Personal Data, as well as the rights and choices you may have with respect to it.

This Privacy Policy includes the following sections:

  • Defined Terms
  • What Is Not Covered by this Privacy Policy?
  • How Do We Collect Personal Data?
  • What Personal Data Do We Collect?
  • How Do We Use Personal Data?
  • How Do We Share Personal Data?
  • What Personal Data May Be Collected or Shared During a Session?
  • How Do We Protect Personal Data?
  • Your Privacy Rights and Choices
  • How to Contact Us
  • Changes to this Privacy Policy

Defined Terms

The following terms have the same meaning throughout this Privacy Policy:

  • "Services" means the features, functionalities, and tools that FrameShare makes available on the Website.
  • "Account Owner" means an individual or entity that registers for and administers an account on the Website ("Account"). Account Owners have special access and use privileges with respect to Personal Data depending on their selected payment plan ("Subscription").
  • "Provider" means an Account Owner who is a licensed or certified healthcare professional under applicable legal or industry standards that authorize the provision of therapeutic or clinical services, and who uses the Website to provide or facilitate such services. Providers are responsible for verifying their professional status, credentials, and compliance with all relevant laws and regulations, including whether they are using the Website as a "Covered Entity," as defined in and regulated by HIPAA.
  • "Session" means an interactive, real-time engagement initiated by an Account Owner that includes drawing, audio, video, chat, file-sharing, and note-taking features.
  • "User" means any individual or entity that accesses or uses the Website, including individuals who follow a link inviting them to join a Session ("Session Link"), whether or not they ultimately enter a Session.
  • "Participant" means a User who joins a Session that is hosted on another's Account, whether or not the Participant has their own Account.
  • "Host" means the Account Owner who initiates or controls a Session through their Account.
  • "Protected Health Information" (or "PHI") means individually identifiable health information that is held or transmitted by a Covered Entity and relates to the past, present, or future physical or mental health condition of an individual, provision of healthcare to that individual, or payment for the provision of healthcare to that individual, as defined in HIPAA's Privacy Rule.
  • "Business Associate Agreement" (or "BAA") means a written agreement executed between FrameShare and a Covered Entity during registration that governs FrameShare's use and disclosure of Protected Health Information associated with the Account as required for compliance with HIPAA.
  • "Usage Information" means Personal Data generated by your use of our Services that relates to how you use the Services.
  • "Device Information" means Personal Data relating to the device you use when interact with the Website.
  • "Session Information" means Personal Data generated during a Session by you, the Host, or other Participants that does not fall within the definition of "Health Information" below.
  • "Participant Information" means Personal Data associated with an actual or potential Participant that is generated outside of a Session, for example in connection with Account administration, and does not fall within the definition of "Health Information" below.
  • "Health Information" means Personal Data identifying your past, present, or future physical or mental health status that is not governed by HIPAA, for example, because your Provider is not a Covered Entity. When applicable, some US state and international privacy laws treat Health Information as sensitive information.
  • "Account Information" means Personal Data about an Account Owner that relates to the formation and management of their Account.
  • "Support Information" means Personal Data about a User that is conveyed in or related to the User's communications with us, including support requests, feedback, and other inquiries.
  • "Session Features" means the features made available to Users during a Session that are designed to approximate the conditions and quality of in-person art therapy and creative expression.
  • "Crafting Table" means the Session Feature that allows Users to collaborate in real time to create and share visual content with others in the Session.
  • "Chat Messages" means the feature allows Users to send typed messages during a Session.
  • "Video and Audio Conferencing" means the features that allow live conferencing during a Session. The video and audio components may be used or disabled individually.
  • "Session Notes" means the feature that allows Hosts to take notes during a Session that can be reviewed after the Session expires through their Account.
  • "Export" means the feature that allows Users to save the Crafting Table as a file on their device during a Session.
  • "Session Summaries" means the feature that automatically summarizes and averages brush stroke statistics, including the tool chosen, starting location, speed, length, and color for each stroke made by Participants during the Session, after the Session expires for the Host to review.

What Is Not Covered by this Privacy Policy?

This Privacy Policy does not cover online services, such as apps and websites, that are not maintained or controlled by FrameShare, including those you may access to through links or embedded features on our Website. Those services may have their own privacy policies, which we encourage you to review before sharing information with them.

This Privacy Policy also does not explain our practices with respect to information that is regulated by HIPAA. Some Providers who use our Services are Covered Entities, which means that HIPAA imposes special obligations and limitations with respect to how they use, disclose, and secure your PHI. When FrameShare stores, processes, or transmits PHI on behalf of such Providers, we do so as a business associate in accordance with the terms of our BAA. Generally, we cannot use or disclose PHI in a way that a covered Provider may not. We are also required to apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of any PHI that we store or process on behalf of such Providers.

It is the covered Provider's obligation to ensure that their patients have provided all consents required under HIPAA before using our Services to provide care. If you are a patient seeking to access or amend PHI created or transmitted through our Services, please contact your Provider directly.

How Do We Collect Personal Data?

We may collect your Personal Data in the following ways:

  • Directly from you, for example, when you create an Account, adjust your settings, or communicate with us.
  • From others, for example, when an Account Owner enters demographic information about you to manage their Sessions.
  • Automatically, for example, through tracking technologies when you interact with the Website.

What Personal Data Do We Collect?

FrameShare collects different types of Personal Data depending on the Services you use and how you use them. We may collect the following categories of Personal Data:

  • Usage Information, including the pages you visit on the Website, the time and date of those visits, the duration of your visits, and other such interactions with the Website. We generally collect Usage Information automatically.
  • Device Information, including persistent identifiers, such as your IP address (to infer general location at the state level only), device attributes, browser type, and other connection information. Our Website is not currently configured to implement 'Do Not Track' signals from your browser. We generally collect Device Information automatically.
  • Session Information, such as your voice and facial image. We generally collect Session Information directly from you or from others in the form of images, audio, video, chat messages, files, and Session Notes.
  • Participant Information, such as your full name, date of birth, email address, phone number, and other contact information, is generally provided by you or an Account Owner. For example, your Provider may choose to share your name when scheduling a Session with you.
  • Health Information, such as your past diagnoses and treatments, or details relating to the therapy services you have received, or may receive, through our Services. We generally collect Health Information directly from you or from your Provider.
  • Account Information, including contact information, such as your name and email address, billing and transaction information, and other Account details. If you choose to provide it, Account Information may also include information about your employment, such as your professional title, office location, and educational background. We generally collect Account Information directly from you when you register for an Account or update your Account.
  • Support Information, such as your name, email address, and other contact information you provide when you submit support requests, feedback, or other inquiries about our Services. We generally collect Support Information directly from you.

How Do We Use Personal Data?

We may use Personal Data for the following purposes:

  • To operate, maintain, administer, and enhance the Website, including by aggregating Usage Information to monitor the effectiveness of and improve our Services.
  • To provide, review, and develop the Services, including by initiating and managing Session Features and delivering customer support.
  • To communicate with you about the Services, your Account, and changes to our policies and terms, including by responding to your questions about this Privacy Policy.
  • To ensure the safety of Users and the security of the Services, including by authenticating accounts; detecting, investigating, and preventing malicious conduct, fraudulent activity, or unsafe experiences; and addressing potential security threats.
  • To comply with applicable law and valid legal processes, including by responding to law enforcement requests, court orders, and government inquiries.
  • To carry out our contractual obligations and enforce our rights, including by investigating potential violations of our Terms of Service or other policies.

We do not process Personal Data for targeted advertising. We also do not use Personal Data for profiling in furtherance of fully automated decisions that affect the provision or denial of health care services to you.

How Do We Share Personal Data?

We may share Personal Data with third parties in the following circumstances:

  • For operational purposes, we may share Personal Data with vendors and service providers who perform services on our behalf, such as data hosting, storage, analytics, security, and related support. We may also share Personal Data with professional advisors, such as auditors, law firms, and accounting firms.
  • At your direction or with your consent, we may share Personal Data with third parties, such as healthcare providers and insurance companies, if you request or authorize such sharing by making use of certain features on our Services.
  • For legal reasons, we may share Personal Data as necessary to comply with applicable law, legal obligations, and lawful requests by public authorities; to enforce our terms and policies; and to protect the safety, security, and integrity of Users and our Services.
  • For a change in control, we may share Personal Data with actual or prospective acquirers and their advisors in connection with a merger, acquisition, restructuring, or other change in control involving all or part of FrameShare's business or assets, including in bankruptcy or similar proceedings.

We do not sell your Personal Data or share it with third parties for their direct marketing purposes.

What Personal Data May Be Collected or Shared During a Session?

Sessions are designed to facilitate communications between a Host and one or more Participant. Whether and how Personal Data is collected and shared during a Session depends on which features are enabled and how they are used.

The Crafting Table feature transmits your actions, such as brush strokes, shapes, text, and file uploads, through FrameShare's servers before relaying them to the Host and other Participants. It may, for example, contain Session Information and Participant Information. After a Session has expires, we create an encrypted image of the Crafting Table that may be reviewed and downloaded only by the Host. However, any Participant may make a copy of the Crafting Table during a Session, for example, using the Export feature as described below. On some occasions, we may also restore a Session, including the Crafting Table, to allow you to continue creating, such as when there are connection issues.

The Chat Messages feature transmits typed messages between Users in a Session. Chat Messages are temporarily stored in your browser during a Session. After a Session expires, Chat Messages are stored as encrypted text in FrameShare's AWS database so that they may be retrieved by the Host. However, Participants may copy Chat Messages onto their device during a Session to preserve and share them with others without our knowledge.

The Audio and Video Conferencing features relay audio and video streams through FrameShare's servers before they reach other Users in the Session. Any User may disable audio or video for themselves at any time.

The Session Notes feature records notes taken by the Host on the Host's Account after the Session has expired. Session Notes are stored on FrameShare's servers in encrypted form. Session Notes are not visible to Participants during a Session.

The Export feature converts the Crafting Table into a file and downloads it to your device. Any Participant may take advantage of this feature, regardless of whether they contributed to the Crafting Table.

The Session Summary feature automatically prepares a summary of Crafting Table activity that appears for the Host when the Session ends. Session Summaries are not provided to Participants. We store Session Summaries in encrypted form on our AWS database so that the Host may review an expired Session with you.

FrameShare aims to limit its collection of Personal Data from Sessions. For example, we do not use marketing pixels or tracking scripts in Session areas. After a Session expires, only the Host may have continued access to Personal Data shared during the Session through our Services, subject to any limitations imposed by the applicable Subscription plan.

Other Participants, however, may take steps during the Session to retain any Personal Data that you choose to share. For example, other Participants may use screen capture to save an image of your likeness on their device if you chose to enable Video Conferencing. Except for Session Notes and the Session Summary, all other features are visible to all Participants and should be used cautiously to avoid undesired disclosures.

How Do We Protect Personal Data?

We safeguard your Personal Data with tested technical and organizational security measures. All Personal Data that we retain is stored in encrypted form on our AWS database located in the United States and we maintain a full audit trail for each access. We also train our personnel regarding this Privacy Policy and related privacy and security responsibilities.

By using safeguards when we store your Personal Data and when we dispose of it, we aim to minimize the risk that your Personal Data will be accessed or acquired without authorization. If such a data breach nevertheless occurs, we will give notice to Users whose Personal Data was, or is reasonably believed to have been, accessed or acquired by the breach as required by applicable law.

Session Privacy

Personal Data collected during a Session is encrypted in transit and at rest. At any time during a Session, you may disable certain features, such as Audio or Video Conferencing, to reduce the amount of your Personal Data that can be shared. Disabling features may affect communication during a Session, but we offer such choices to give you control over your Personal Data while using our Services.

Retention

We retain Personal Data only as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by applicable law. We take into account following considerations in determining the appropriate retention period for your Personal Data:

  • The nature and duration of your engagement with our Services, including whether the relationship is ongoing.
  • Actions taken by Account Owners regarding Personal Data associated with their Account, including modification or deletion.
  • Our legal obligations and position, for example related to enforcing agreements, resolving disputes, and applicable statutes of limitations or investigations.

At your request and as required by applicable law, we dispose of your Personal Data so that it cannot be read or reconstructed. We use manual deletion methods for all encrypted data.

Your Privacy Rights and Choices

Jurisdictional Data Rights

If you are in the European Economic Area ("EEA") or the United Kingdom ("UK"), please refer to the European Data Privacy Addendum for additional rights and disclosures.

Otherwise, upon your request and as required by applicable law, we will:

  • Inform you of what Personal Data is under our control and provide you with access to it.
  • Correct or update your Personal Data or your privacy preferences with respect to it.
  • Provide you with a copy of your Personal Data in a portable and, to the extent technically feasible, readily useable format for further transmission.
  • Delete your Personal Data or direct you to means for doing so.

Where legally permitted, we may decline to process requests that are unreasonably repetitive or systematic, require disproportionate technical effort, conflict with our legal obligations, or jeopardize the privacy of others.

To exercise your rights over Personal Data controlled by FrameShare, please contact us at support@frameshare.org. We aim to respond to your requests promptly and within a reasonable time, as defined by applicable law. You can also raise a concern or lodge a complaint with a data protection authority or other official in your jurisdiction.

Children

We do not allow children under the age of 18 to create an Account. However, children under the age of 13 may access certain Services without an Account, for example, by following a Session Link and joining a Session as a Participant. In those cases, we may collect Personal Data from a child, such as a name, email address, facial image, voice, age, or other similar persistent identifiers.

In accordance with the Children's Online Privacy Protection Act ("COPPA"), we require a parent or legal guardian to provide consent before FrameShare collects, uses, or shares Personal Data from a child under 13. Parents or guardians also may request to review or delete the Personal Data of a child by contacting us as described below. We take steps to verify the identity of anyone making a request regarding a child's Personal Data for the safety of that child.

For comprehensive information about how we handle Personal Data we collect from children under 13 in the United States, please refer to our Privacy Notice for Parents.

How to Contact Us

If you have any questions or comments related to this Privacy Policy or wish to exercise your rights, please contact us by email at support@frameshare.org or by mail at: FrameShare, 85 Broad St Fl 18, New York, NY 10004-2783 USA.

Changes to this Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our collection and processing of Personal Data. We will post the updated Privacy Policy on our Website with a revised "Last Updated" date at the top. If we make material changes, we will notify you by displaying a notice on the Website and give you an opportunity to review the updates. Your continued use of the Services following the effective date of the updated Privacy Policy constitutes your consent.