Version 1.0 · Trial
Terms & Privacy
Plain-English summary: SESA only stores client initials, age, and clinical scores. Names, addresses, birthdates, phone numbers, and emails are blocked or auto-removed before anything is saved. SESA is not a HIPAA-covered entity, but the data it stores is de-identified per HIPAA Safe Harbor.
What SESA stores
- Client initials (e.g. "J.D.") · never full names
- Client age in whole years · never birthdates
- Domain selection, scores (1–4 per item), and assessment counts
- Clinician-entered free text in the Notes and Learner Context fields. These are automatically scrubbed at save time to remove HIPAA-identifying patterns.
- AI-generated clinical write-ups produced from the above
What SESA does NOT store
- Client full names, family member names, caregiver names
- Birthdates, full addresses, phone numbers, email addresses
- Social Security numbers, medical record numbers, insurance IDs
- Photos, audio, video, or any biometric data
- Any of the 18 identifiers listed in 45 CFR §164.514(b)(2)
HIPAA Safe Harbor
SESA's data architecture is designed to satisfy the Safe Harbor de-identification standard at 45 CFR §164.514(b)(2). Under that rule, data is not Protected Health Information (PHI) when all 18 specified identifiers have been removed. As a result, SESA does not require a Business Associate Agreement (BAA) from its underlying infrastructure providers.
The de-identification is enforced in three layers:
- Schema: the database has no columns for prohibited identifiers
- Server scrub: every free-text field is passed through a regex + AI classifier filter at save time, replacing any detected identifier with a generic placeholder
- Acknowledgment: every clinician confirms before each session that they will use initials only
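To illustrate what the "server scrub" layer above does at save time, here is an added example (not SESA's own code) of the regex half of that filter: a scrubber that replaces emails, phone numbers, SSNs, dates and labelled record numbers in clinician free text with generic placeholders while leaving initials, ages and scores untouched. The placeholder names and patterns are assumptions; the AI-classifier half, which the page relies on for free-form names, is not part of this example.

```python
import re

# Constructed regex layer of a save-time scrub (hypothetical patterns).
# Each pattern maps to a generic placeholder. Order matters: SSN runs before
# phone so a 3-2-4 digit group is not relabelled as a phone number.
PATTERNS = [
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # US phone numbers with optional country code, parentheses and separators.
    ("[PHONE]", re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")),
    # Calendar dates: numeric (MM/DD/YYYY), ISO (YYYY-MM-DD) and "Month D, YYYY".
    ("[DATE]", re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|\d{4}-\d{2}-\d{2}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2},? \d{4})\b",
        re.IGNORECASE)),
    # Medical record / insurance style IDs: a label followed by 5+ digits.
    ("[ID]", re.compile(
        r"\b(?:MRN|MR#|member|policy)\s*#?\s*:?\s*\d{5,}\b", re.IGNORECASE)),
]


def scrub_free_text(text: str) -> tuple[str, dict[str, int]]:
    """Replace identifier patterns with placeholders.

    Returns the scrubbed text and a count per placeholder, which a server can
    log (counts only, never the matched values) to monitor how often
    clinicians paste identifiers into Notes or Learner Context.
    """
    counts: dict[str, int] = {}
    for placeholder, pattern in PATTERNS:
        text, n = pattern.subn(placeholder, text)
        if n:
            counts[placeholder] = n
    return text, counts


if __name__ == "__main__":
    # Constructed sample note; initials, age and scores must survive the scrub.
    note = ("J.D., age 7, scored 3 on item 2. Mom asked to be called at "
            "555-123-4567 or jane@example.com; DOB 04/12/2019, MRN 0012345.")
    print(scrub_free_text(note))
```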
Your responsibilities
- You are a licensed or credentialed professional (or a supervised trainee under appropriate oversight) using SESA within your professional scope.
- You will obtain appropriate informed consent from the client's parent or legal guardian before administering any assessment.
- You will follow your employer's privacy policies and applicable state/federal laws.
- You will use initials only and will not attempt to circumvent the scrub layer.
AI-generated content
SESA uses Anthropic's Claude API to generate clinical summaries, parent training plans, and natural-environment teaching activities from the assessment data. AI output is a clinical-thinking aid, not a substitute for professional judgment. You retain full responsibility for clinical decisions and any documents you derive from SESA's output.
Security
- All traffic to SESA is encrypted in transit (HTTPS).
- The database (Supabase Postgres) enforces Row Level Security: each clinician can read and write only their own clients' records.
- Authentication is email + password via Supabase Auth.
Trial period
SESA is currently in private trial for invited colleagues of Natasha K. Bauer, BCBA. The tool is not for public distribution. Tash may revise these terms, the data model, or the trial features at any time. Trial users will be notified of material changes.
Contact
Questions, concerns, or feedback: use the 💬 button inside the app, or email natasha@tashbauer.com.
© 2026 Natasha K. Bauer, BCBA · Last updated May 4, 2026 · This document is informational and not legal advice. SESA users should consult their own counsel for the legal requirements that apply to their practice.