AI & Compliance

How TherapyCoach uses AI responsibly, protects your data, and aligns with Australian regulatory frameworks.

Our approach to AI in clinical training

TherapyCoach uses AI to simulate client interactions and generate coaching feedback for educational purposes. It is not a therapeutic service, a clinical decision-support tool, or a medical device. All scenarios are fictional and all feedback is generated by AI — it should be treated as one learning input among many, not as clinical guidance.

This positioning matters because it determines which regulatory frameworks apply. TherapyCoach operates as a professional education and training tool, not as a health intervention or diagnostic system. We have designed it accordingly, with appropriate safeguards for this context.

AI model and data processing

TherapyCoach uses OpenAI's GPT-4o model via the OpenAI API. Conversation content is sent to OpenAI for processing and is subject to OpenAI's API data usage policy, which states that API data is not used for model training. We do not use consumer-facing ChatGPT — the API provides enterprise-grade data handling with no training on user inputs.

All user data is stored in Supabase (hosted on AWS infrastructure in the Asia-Pacific region). Conversation transcripts, progress data, and account information are stored in a PostgreSQL database with row-level security, ensuring each user can only access their own data. For full details, see our Privacy Policy.

AI safety guardrails

Because TherapyCoach simulates clinical scenarios that may involve sensitive topics (e.g., suicidal ideation as part of a risk assessment training exercise), we have implemented safety measures appropriate to a training context. These include crisis language detection that surfaces immediate safety messaging and helpline information when crisis-related language is detected in user input, content filtering to maintain appropriate boundaries for a training tool, clear and persistent disclaimers that all scenarios are fictional, and rate limiting to prevent misuse. These guardrails reduce risk but are not infallible. Users are encouraged to report any content that appears inappropriate to support@therapycoach.app.

Relevant Australian frameworks

TherapyCoach has been designed with reference to the following Australian regulatory and ethical frameworks. These do not all apply directly to a training tool, but they inform the design decisions and safeguards we have put in place.

Australia's AI Ethics Principles

The Australian Government's voluntary AI Ethics Principles provide guidance on the responsible design and use of AI systems. TherapyCoach aligns with these principles through transparency about our AI model and its limitations, human oversight (users apply their own clinical judgement to all feedback), and accountability through clear terms and a complaints process.

View the AI Ethics Principles

Privacy Act 1988 — Australian Privacy Principles (APPs)

TherapyCoach collects and handles personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth). We collect only the information necessary to operate the service, store it securely, and provide users with access to and deletion of their data on request. Full details are set out in our Privacy Policy.

View the Australian Privacy Principles

Australian Consumer Law

Our Terms of Use are drafted in compliance with the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)). We do not exclude consumer guarantees that cannot be excluded by agreement, and we provide clear complaints and refund processes.

View the Australian Consumer Law

TGA — Software as a Medical Device

The Therapeutic Goods Administration (TGA) regulates software that meets the definition of a medical device, including clinical decision-support systems. TherapyCoach is not a clinical decision-support tool — it does not diagnose, treat, or provide guidance for real clinical situations. It is a training simulator for educational use. As such, it does not fall within the TGA's regulatory scope for software as a medical device. We maintain this boundary by design: all scenarios are explicitly fictional, no real client data is accepted, and all coaching feedback carries disclaimers about its AI-generated nature.

View TGA guidance on software-based medical devices

National Safety and Quality Digital Mental Health Standards

The Australian Commission on Safety and Quality in Health Care publishes standards for digital mental health services. While TherapyCoach is a training tool rather than a digital mental health service, we have drawn on these standards in designing our safety guardrails, particularly around content involving self-harm and suicidal ideation in simulated scenarios.

View the Digital Mental Health Standards

NHMRC — National Statement on Ethical Conduct in Human Research

TherapyCoach was developed by a researcher affiliated with an Australian university. The platform's design has been informed by the ethical principles in the National Statement, particularly regarding informed consent (users are clearly informed about what data is collected and how AI is used), voluntary participation (no coercion — users can delete their account and all data at any time), and transparency about risks and limitations.

View the National Statement

Notifiable Data Breaches Scheme

Under the Privacy Act 1988, organisations with an annual turnover of more than $3 million (or that handle health information) are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in the event of a data breach likely to result in serious harm. While TherapyCoach may not currently meet the turnover threshold, we operate as though the scheme applies — because it is good practice and because our users trust us with their learning data. We maintain security controls including encrypted connections (TLS), security headers, input sanitisation, and row-level database security.

View the Notifiable Data Breaches Scheme

Data sovereignty

User account data and session records are stored in Supabase infrastructure hosted on AWS in the Asia-Pacific region (ap-south-1, Mumbai). Conversation content is processed by OpenAI's API, which uses infrastructure primarily located in the United States. This means that conversation content transits through and is temporarily processed in the US, subject to OpenAI's data handling policies. We disclose this in our Privacy Policy so users can make informed decisions.

Clinical framework alignment

TherapyCoach's coaching feedback and assessment scoring are calibrated against established clinical fidelity instruments. For Motivational Interviewing, coaching feedback is informed by the Motivational Interviewing Treatment Integrity (MITI 4.2.1) coding manual. For Cognitive Behavioural Therapy, feedback is informed by the Revised Cognitive Therapy Scale (CTS-R). For Dialectical Behaviour Therapy, feedback is informed by the DBT Adherence Coding Scale. These instruments are used as reference frameworks for structuring feedback — TherapyCoach does not claim to produce validated MITI, CTS-R, or DBT adherence scores. AI-generated scores are approximations intended to support learning, not to replace formal competency assessment. See our Evidence page for the research base.

Continuous improvement

We use aggregated, de-identified engagement data (e.g., session counts, feature usage, modality distribution) to understand how the platform is performing and to prioritise improvements. We do not sell or share personal data with any third party. Individual conversation content is not reviewed by staff unless a user reports an issue or gives explicit consent. Our approach to product improvement is set out in our Privacy Policy.

Questions or concerns

If you have questions about how TherapyCoach handles AI, data, or compliance, or if you would like to discuss the platform's suitability for use in your organisation or training programme, contact us at support@therapycoach.app.

Last updated: May 2026