How Vochella stays compliant — everywhere you practice
Privacy law differs by state and province. Vochella automatically applies the right consent rules, data retention schedules, and user rights based on where your clinic is located — with no manual setup required.
This page is generated from Vochella's live compliance rule engine — the same code that runs in the app.
How it works
Compliance is automatic. Here is what Vochella does under the hood so you don't have to think about it.
We detect your clinic's location
When an SLP sets up their clinic profile with a country and state or province, Vochella automatically resolves which privacy laws apply — no manual configuration required.
Rules are applied at every layer
Data-handling rules, consent requirements, session recording notices, biometric opt-ins, and data retention schedules are all enforced at the database and API level — not just the UI.
Clients see the right consent forms
Before recording, using AI features, or starting home practice, clients are shown consent modals tailored to their jurisdiction. Quebec clients see French or English based on their preference.
Everything is logged and auditable
Every consent event is stored with the full text shown, version number, and timestamp. SLPs can see consent history. Withdrawals trigger a cleanup job. Breach procedures are documented.
Jurisdiction coverage
50 US states · 4 Canadian provinces — states with specific laws shown as cards, federal-baseline states grouped below
| Jurisdiction | Code | Retention | Breach window | Age of majority |
| --- | --- | --- | --- | --- |
| California | CA | 7 yr | 60 days | 18 |
| Colorado | CO | 7 yr | 60 days | 18 |
| Connecticut | CT | 7 yr | 60 days | 18 |
| Delaware | DE | 7 yr | 60 days | 18 |
| Florida | FL | 7 yr | 60 days | 18 |
| Illinois | IL | 7 yr | 60 days | 18 |
| Indiana | IN | 7 yr | 60 days | 18 |
| Iowa | IA | 7 yr | 60 days | 18 |
| Maryland | MD | 7 yr | 60 days | 18 |
| Massachusetts | MA | 7 yr | 60 days | 18 |
| Minnesota | MN | 7 yr | 60 days | 18 |
| Montana | MT | 7 yr | 60 days | 18 |
| Nebraska | NE | 7 yr | 60 days | 19 |
| Nevada | NV | 7 yr | 60 days | 18 |
| New Hampshire | NH | 7 yr | 60 days | 18 |
| New Jersey | NJ | 7 yr | 60 days | 18 |
| New York | NY | 7 yr | 30 days | 18 |
| Oregon | OR | 7 yr | 60 days | 18 |
| Rhode Island | RI | 7 yr | 60 days | 18 |
| Tennessee | TN | 7 yr | 60 days | 18 |
| Texas | TX | 7 yr | 60 days | 18 |
| Utah | UT | 7 yr | 60 days | 18 |
| Virginia | VA | 7 yr | 60 days | 18 |
| Washington | WA | 7 yr | 60 days | 18 |
| Alberta | CA-AB | 10 yr | 72h | 18 |
| British Columbia | CA-BC | 10 yr | 72h | 19 |
| Ontario | CA-ON | 10 yr | 72h | 18 |
| Quebec | CA-QC FR | 10 yr | 72h | 18 |
26 states — HIPAA + COPPA federal baseline
These states have no additional state-specific privacy laws beyond federal requirements. One-party recording consent applies (except where highlighted below).
Data sourced from lib/domain/jurisdictionRules.ts in the Vochella app codebase. Adding a new jurisdiction requires one code change in that file.
What we serve — and how it is covered
Every feature Vochella offers maps to a specific compliance layer. Here is what each service does and the protection behind it.
SLP practice management
Client records, scheduling, goals, SOAP notes
All PHI stored with row-level security. SLPs only access their own clients. HIPAA / PHIPA minimum-necessary enforced.
Voice & video recording
Home practice audio, in-session video submissions
Recording consent collected before first use. All-party notice shown in 13 two-party US states. Signed URLs expire in 1 hour. Biometric consent for IL / WA / QC.
AI session prep & analysis
AI-generated SOAP drafts, speech analysis, daily briefings
AI consent obtained separately from recording consent. Client names stripped before AI transmission where feasible. Processed through BAA-covered OpenAI edge functions only.
Children's services (COPPA)
Clients under 13, minor clients, parental accounts
Verifiable Parental Consent (VPC) email sent to guardian before onboarding under-13 clients. QC age-14 self-consent rule applied. Capable-minor toggle for ON / BC clinics.
Billing & payments
Invoices, Stripe Connect, receipts, subscriptions
Stripe descriptions use generic terms ('Treatment Session') — no diagnosis in transaction metadata. Receipt access is logged in audit tables before data is returned.
Data export & deletion
Self-serve export, account deletion requests
Clients can export profile + consent records from the app. Deletion requests are timestamped and processed within 30 days subject to medical retention requirements (HIPAA: 7 yr).
- 54 specific jurisdictions covered
- 32 privacy frameworks tracked
- 7+ consent types with versioned text
- 72h fastest breach notification window
Shared responsibilities
Vochella handles the technical compliance layer. A few obligations remain with your practice.
Vochella handles
- Row-level security on every database table
- Jurisdiction-aware consent modals
- Biometric & recording consent gates
- Signed URLs that expire in 1 hour
- AI data processed via BAA-covered edge functions
- Consent audit log with full text + version
- Breach notification infrastructure
- Self-serve export & deletion
Your practice handles
- Signing + filing the BAA (included with every paid plan)
- Completing a HIPAA risk analysis
- Training staff on your internal HIPAA policies
- Verifying client identity & guardian status
- School / district BAAs when accessing IEP records (FERPA)
- Province-specific IM agreements in Alberta (HIA)
- Quebec PIA (Privacy Impact Assessment) filing with CAI
- Retaining a Privacy Officer
Always consult counsel for
- BIPA public retention schedule (Illinois)
- Quebec CAI filings & French legal pages
- Regulatory filings in any new jurisdiction
- Children's Privacy Notice on marketing site
- SOC 2 Type II audit planning
- CASL commercial messaging compliance
- Any new framework not yet in our rule engine
Ready to run a compliant SLP practice?
Every paid plan includes a BAA covering HIPAA, PHIPA, and PIPEDA. Questions about a specific jurisdiction? Our team can help.
This page is for informational purposes only and does not constitute legal advice. Vochella is not a law firm. Engage qualified counsel for regulatory filings, BAA execution, and jurisdiction-specific obligations. Compliance data last updated: April 2026.