Plain-language privacy.

When you sign up and use the program, we store:

• Account: email address (for magic-link sign-in; no passwords).
• Payment: handled by Stripe — we never see your card number. We store the Stripe customer + session identifiers so we can match a purchase to your account.
• Program activity:which Steps and Parts you've completed, your Self-Assessment answers, your Captures (open-loop items you save), your Steady Work responses, and your Journal entries.
• Operational logs: anonymized analytics events (PostHog) and error reports (Sentry). We use anonymized enrollment identifiers — never your email, never the body of a Journal entry, Capture, or Assessment answer. Our public marketing landing page uses Umami (self-hosted, cookieless) to measure visits, traffic sources, and landing-page interactions separately from your program data.

If you record a voice note to create to-dos, the audio is sent to Steady's own servers, transcribed, and turned into suggested to-dos that you review before anything is saved. The recording is processed in the moment and is not storedonce the to-dos are returned. Transcription and to-do extraction run on self-hosted models on our own infrastructure — your words are never sent to a third-party AI service, and the model is used only to pull out tasks, never to assess you. The resulting to-dos are treated like any other Capture: private to you and never shared with a Coach. We may still use ordinary non-content Capture lifecycle metadata for analytics, but no audio, transcript, or to-do/Capture body text is sent to analytics.

The hard rule, the one that makes the rest of this policy meaningful: Kevin (your Coach) cannot read your Journal entries, your Captures, your Steady Work responses, or your Self-Assessment answers. Database row-level security enforces this; it is not a matter of trust.

In v1 of Steady, the Coach has no per-Enrollee dashboard at all. The Program is self-serve: the content is the support, and you control your own data.

Data is stored in Supabase (Postgres) in the US-East region. Files (handouts, lesson assets, data exports) live in Supabase Storage. Sessions are HTTPS only. At-rest encryption is enabled by our hosting providers.

We use the following sub-processors to deliver the program. Each handles a narrow slice of data; none receives more than they need.

• Supabase — database, authentication, storage (US-East).
• Vercel — application hosting (US-East).
• Stripe — payment processing, billing portal, invoices.
• Mux — video hosting + playback for lesson videos.
• Resend — transactional email (sign-in links, export-ready notifications, lesson-ready notifications).
• PostHog — anonymized usage analytics (event-level only; no content of Captures, Journal entries, or Assessment answers).
• Sentry — error and performance monitoring; session replay is disabled.
• Better Stack — uptime monitoring; receives only public endpoint health checks, never your data.

You can, at any time:

• Export a copy of everything we hold about you from /portal/me. The export is a JSON file delivered via a signed link.
• Delete your account from /portal/me. Soft-delete is immediate; you have 14 days to change your mind by emailing kevin@newtreecounseling.com. After 14 days, your account and all linked data are permanently purged.
• Cancel billing from /portal/me/billing (Stripe Customer Portal).
• Ask us questions — email kevin@newtreecounseling.com.

California and EU/UK residents: the rights above (access, deletion, portability) satisfy the corresponding CCPA / GDPR obligations. There is no sale or sharing of personal information for cross-context behavioral advertising.

When you delete your account, Stripe retains its own transaction history per its tax + fraud-prevention obligations. We delete our link to that history; Stripe keeps the underlying records under its own privacy terms.

We use a Supabase session cookie to keep you signed in. We do notuse third-party advertising cookies. Our public marketing landing page uses Umami (self-hosted analytics) to measure visits, traffic sources, and landing-page interactions; it does not set analytics cookies. If you opt out via your browser's Do Not Track signal, we honor it.

Steady is for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, email kevin@newtreecounseling.com and we will close the account.

If we change how we use data in a way that affects you, we will update the “Last updated” date at the top of this page and email signed-in Enrollees ahead of the change taking effect.

New Tree Counseling, P.C. — Kevin Barr, LMFT.
kevin@newtreecounseling.com