
How Aluma handles information.
This page explains how Aluma handles account, relationship, scheduling, and session information across the current platform.
Last updated: 7 April 2026
Document: Privacy policy
Scope: Accounts, relationships, scheduling, sessions
This privacy policy explains how Aluma handles account, relationship, scheduling, and session information in the current platform.
Information Aluma processes
Aluma currently processes account details, role information, profile data, scheduling records, relationship invitations, session metadata, and practitioner-controlled session materials such as uploaded audio, transcripts, structured notes, and Journey Maps.
Where clients are linked to practitioners, Aluma also stores relationship-scoped profile, onboarding, agreement, and booking information so each side of care can work from the same operational record.
Why that information is used
The product uses this information to authenticate users, route practitioners and clients into the correct workspace, manage care relationships, schedule and document sessions, and generate practitioner-facing or client-facing outputs when a practitioner chooses to run those workflows.
Transactional emails such as invitations, account confirmation messages, and relationship updates are also part of the current service operation.
Current service providers
Supabase is used for authentication, session handling, database storage, and application-level security rules.
OpenAI is used for note and Journey Map generation, ElevenLabs is used for speech-to-text transcription, Resend is used for transactional email delivery, and Google Calendar or Zoom are used only when a practitioner explicitly connects those integrations.
Access, responsibility, and review
Aluma limits access by role and relationship so practitioners and clients see only the parts of the workspace relevant to them. Account access still depends on each user protecting their own sign-in credentials and using the platform only for material they are permitted to process.
AI-assisted outputs are workflow tools, not automatic clinical truth. Practitioners remain responsible for review, judgment, and any decision to retain, send, or act on generated content.
Retention and correction
Because Aluma is a care-operations system, records may be retained for continuity, auditability, and practitioner workflow needs until they are archived, updated, or deleted under the applicable relationship and operating rules.
Requests for access, correction, or deletion should be handled through the responsible care relationship and the Aluma support channel. Some records may still need to be retained where retention is required for legal, security, fraud-prevention, safety, or continuity reasons.
Data subject rights and how to exercise them
Depending on where you are located and which privacy laws apply, you may have the right to request access to personal information we hold about you, request correction of inaccurate or incomplete information, request deletion or erasure, request restriction of processing, object to certain processing, receive a portable copy of eligible information, withdraw consent where processing depends on consent, or lodge a complaint with your local data protection or privacy regulator. California residents may also have rights to know, correct, delete, and limit certain uses of sensitive personal information, along with the right not to be discriminated against for exercising applicable privacy rights.
To exercise a privacy right, email support@meetaluma.com with the subject line "Privacy Request" and include your full name, account email, whether you are using Aluma as a practitioner or client, the practice or relationship involved if relevant, the right you want to exercise, and enough detail for us to locate the relevant records. We may ask for additional information to verify your identity or authority before acting on the request.
Aluma will review and respond to privacy requests without undue delay and within the time required by applicable law. If we cannot fulfill a request in full, we will explain why, describe any legal or operational limits that apply, and, where relevant, explain the next step available to you.