This document is a template and has not been reviewed by legal counsel. Professional legal review is required before launch.
HIPAA Notice
Last updated: April 12, 2026
1. HIPAA Alignment Approach
HERR™ (Human Existential Response and Reprogramming™) by ECQO Holdings™ is a wellness platform, not a healthcare provider. As such, ECQO Holdings™ is not a HIPAA covered entity and is not subject to the Health Insurance Portability and Accountability Act (HIPAA) as defined under 45 CFR Part 160.
However, because HERR™ collects sensitive personal information, including existential wellness assessments, voice recordings, and behavioral data, we voluntarily align our data practices with HIPAA principles to provide our members with the highest standard of data protection.
This means we apply HIPAA-inspired safeguards even though we are not legally required to do so. We believe this is the responsible approach for a platform that sits at the intersection of technology and mental wellness.
2. What Is and Isn't Covered
What our HIPAA alignment covers:
- Existential wellness assessment responses
- Voice recordings and voice clone data
- Activity mode preferences and listening history
- Community posts and messages
- Crisis detection logs (maintained for clinical safety review)
What is NOT covered:
- Data collected by HERR™ is not Protected Health Information (PHI) under HIPAA
- HERR™ does not establish a provider-patient relationship
- Live sessions with Bianca D. McCall, LMFT are group wellness sessions, not psychotherapy
- HERR™ does not submit claims to insurance providers
3. Data Encryption
All data transmitted between your device and HERR™ servers is encrypted using TLS 1.2 or higher (encryption in transit). Data stored in our databases is encrypted at rest using AES-256 encryption, the same standard used by healthcare organizations and financial institutions.
Voice recordings are encrypted before storage in our cloud infrastructure (Supabase Storage) and are accessible only to the member who created them and to authorized HERR™ systems for affirmation generation.
4. Access Controls
Access to member data is restricted on a need-to-know basis:
- Members can only access their own data through authenticated sessions
- Row-Level Security (RLS) policies enforce data isolation at the database level
- Administrative access is limited to Bianca D. McCall, LMFT (founder) and authorized technical personnel
- All administrative access is logged and auditable
- Third-party service providers (Stripe, ElevenLabs, Supabase) are selected for their own compliance standards
5. Breach Notification
In the event of a data breach that compromises member information, ECQO Holdings™ will:
- 1. Notify affected members within 72 hours of discovering the breach
- 2. Provide a clear description of what data was affected
- 3. Describe the measures taken to address the breach and prevent future occurrences
- 4. Offer guidance on steps members can take to protect themselves
- 5. Report the breach to relevant regulatory authorities as required by applicable law
6. Your Rights
Regardless of HIPAA's technical applicability, we extend the following rights to all HERR™ members:
- Right to access: You may request a copy of all data we hold about you
- Right to correction: You may request correction of inaccurate personal data
- Right to deletion: You may request deletion of your account and all associated data, including voice clone data
- Right to portability: You may request your data in a machine-readable format
- Right to revoke voice consent: You may revoke voice cloning consent at any time through Settings
To exercise any of these rights, contact us at privacy@h3rr.com.
7. Contact
For questions about this HIPAA Notice or our data protection practices, contact:
HERR™ is a wellness platform, not a healthcare provider. If you are in crisis, call or text 988.
© 2026 ECQO Holdings™. All rights reserved.