Effective Date: March 5, 2026 — Version: 2026-03-10-alpha
Harborlight is a provider-to-provider directory platform designed exclusively for licensed mental health professionals. It enables clinicians to create professional profiles, search for colleagues, send referrals, exchange direct messages, and participate in a community feedback board. By creating an account or using any part of this platform, you acknowledge that you have read, understood, and agree to be bound by these Terms of Service in their entirety.
Harborlight is currently in alpha. This means the platform is under active development, features may be added, modified, or removed without prior notice, and stored data — including profile information, referral records, and messages — may be reset at any time during this phase. You should not rely on the platform for any purpose that requires guaranteed data persistence or uninterrupted availability.
These Terms apply to all users of the platform. If you are accessing Harborlight on behalf of an organization or practice, you represent that you have the authority to bind that organization to these Terms. If you do not agree to these Terms, you must not use the platform. Continued use of the platform after any posted update to these Terms constitutes acceptance of the revised Terms.
Harborlight is not a clinical tool, electronic health record system, telehealth platform, or patient-facing service of any kind. It is a professional networking and referral coordination resource for licensed providers. Nothing on this platform constitutes clinical advice, a clinical recommendation, or a standard of care.
You are responsible for maintaining the confidentiality of your account credentials. Your account is personal and non-transferable. You must not share your password with any other person or allow any other individual to access the platform using your credentials. Harborlight uses authenticated session tokens managed through Supabase Auth to recognize your account. You are solely responsible for all activity that occurs under your account.
You agree to provide accurate, current, and complete information when creating and maintaining your profile. Your profile may include your name, email address, professional credentials, license numbers, specialties, accepted insurances, and practice information. You are solely responsible for the accuracy of this information and for keeping it up to date. Inaccurate or misleading profile information is a violation of these Terms.
Harborlight does not verify, validate, or confirm the accuracy of any credential, license, specialty, or other information provided by any user. The presence of a profile on this platform is not an endorsement, credentialing decision, or confirmation that any provider is licensed, qualified, or in good standing in any jurisdiction. You are responsible for independently verifying the credentials and suitability of any provider before making a referral or engaging in a professional relationship.
You must be a licensed mental health professional to create an account. By registering, you represent and warrant that you hold a valid professional license in at least one jurisdiction and that your license is not currently suspended, revoked, or subject to any disciplinary order that would prohibit you from practicing. Harborlight reserves the right to suspend or terminate any account that it has reason to believe was created under false pretenses, though it has no obligation to actively audit or investigate user credentials.
Harborlight collects the information you voluntarily provide during registration and profile creation, including your name, email address, professional credentials, license details, specialties, accepted insurances, and practice information. This information is stored in a PostgreSQL database hosted through Supabase. Passwords are handled through Supabase Auth and are not stored in Harborlight's application database in plain text.
Direct messages sent through the platform are stored in the database and are subject to soft deletion — meaning that when a message is deleted by a user, it is marked as deleted and hidden from the interface but the underlying data is retained in the database. Messages are not encrypted at rest. You should be aware of this when deciding what to include in direct messages on this platform.
Harborlight does not sell your personal information to third parties. Harborlight does not use your data for advertising or marketing purposes, and does not share your information with third parties except where required by applicable law, a valid legal process, or to protect the safety and integrity of the platform. Aggregate, de-identified usage data may be used internally to improve the platform.
The handling of Protected Health Information (PHI) is governed separately by the PHI Prohibition Agreement, which all users must acknowledge. Please review that document carefully. These Terms of Service do not supersede or replace the PHI Prohibition Agreement.
The directory search feature allows providers to search for other providers based on profile attributes such as specialty, location, insurance, and credentials. Search results reflect only the information that providers have self-reported in their profiles. Harborlight makes no representation that search results are complete, accurate, or current, and does not guarantee that any listed provider is currently accepting referrals or new clients.
The referral feature allows you to send a referral to another provider. Referrals include a free-text field called Clinical Context, which is intended for brief notes relevant to the referral. You must understand that the contents of the Clinical Context field are visible to all providers on the platform who view that referral record, not only the intended recipient. You are solely responsible for what you enter in this field. Do not include patient names, dates of birth, contact information, insurance identifiers, diagnosis codes, or any other information that could identify an individual. The use of this field is subject to the PHI Prohibition Agreement.
The direct messaging feature allows providers to communicate with one another within the platform. These messages are not end-to-end encrypted and are not encrypted at rest. They should not be used to transmit sensitive clinical information, PHI, or confidential patient data of any kind. Harborlight is not a HIPAA-compliant communication platform.
The community feedback board allows providers to post comments and discuss platform features and professional topics. Content on the feedback board is visible to all registered providers. You are responsible for anything you post. Harborlight may remove posts that violate these Terms but has no obligation to monitor the board or to act on any particular post within any given timeframe.
Because the platform is in alpha, any feature may be unavailable, broken, changed, or removed at any time. Harborlight makes no commitment to maintain any particular feature, interface, or data structure during the alpha period.
THE PLATFORM IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. HARBORLIGHT EXPRESSLY DISCLAIMS ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, TITLE, AND NON-INFRINGEMENT. HARBORLIGHT DOES NOT WARRANT THAT THE PLATFORM WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
HARBORLIGHT DOES NOT VERIFY USER CREDENTIALS, LICENSES, OR QUALIFICATIONS. ANY RELIANCE YOU PLACE ON INFORMATION IN ANOTHER PROVIDER'S PROFILE IS ENTIRELY AT YOUR OWN RISK. HARBORLIGHT IS NOT RESPONSIBLE FOR ANY CLINICAL DECISION, REFERRAL OUTCOME, OR PATIENT HARM THAT ARISES FROM USE OF OR RELIANCE ON THE PLATFORM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HARBORLIGHT AND ITS AFFILIATES, OFFICERS, EMPLOYEES, AND CONTRACTORS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF DATA, LOSS OF REVENUE, LOSS OF PROFESSIONAL STANDING, OR HARM TO PATIENTS, ARISING OUT OF OR RELATED TO YOUR USE OF OR INABILITY TO USE THE PLATFORM, EVEN IF HARBORLIGHT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO EVENT SHALL HARBORLIGHT'S TOTAL CUMULATIVE LIABILITY TO YOU FOR ANY CLAIMS ARISING OUT OF OR RELATED TO THESE TERMS OR THE PLATFORM EXCEED ONE HUNDRED DOLLARS ($100.00). THIS LIMITATION APPLIES REGARDLESS OF THE THEORY OF LIABILITY, INCLUDING CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE.
You agree to indemnify, defend, and hold harmless Harborlight and its affiliates, officers, employees, and contractors from and against any claims, liabilities, damages, losses, and expenses — including reasonable attorneys' fees — arising out of or in any way connected with your access to or use of the platform, your profile content, your referral submissions including any Clinical Context you enter, your messages, your posts on the community feedback board, your violation of these Terms, or your violation of any applicable law or third-party right.
You agree not to use the platform to transmit, post, or otherwise make available any content that is false, misleading, defamatory, harassing, threatening, obscene, discriminatory, or otherwise objectionable. You agree not to impersonate any person or entity or misrepresent your professional credentials, licensure status, or affiliations.
You agree not to use the platform in any way that could damage, disable, overburden, or impair the platform or its underlying infrastructure. You agree not to attempt to gain unauthorized access to any part of the platform, other user accounts, or any system or network connected to the platform. Automated scraping, crawling, or bulk data extraction is prohibited without express written permission.
As described in the PHI Prohibition Agreement, you must not enter patient-identifying information anywhere on the platform — including but not limited to profile fields, referral Clinical Context fields, direct messages, and community board posts. Violation of this prohibition is a material breach of these Terms and may result in immediate account termination.
Harborlight reserves the right, but not the obligation, to review, remove, or restrict access to any content or account that it reasonably believes violates these Terms. Harborlight is not liable for any failure to act on violating content.
Harborlight reserves the right to modify these Terms at any time. When changes are made, the version identifier at the top of this document will be updated and the revised Terms will be posted within the platform. Your continued use of the platform after the revised Terms are posted constitutes your acceptance of those changes. If you do not agree to a revised version of the Terms, you must stop using the platform and may request deletion of your account.
Because the platform is in alpha, significant changes to Terms, features, data structures, or policies may occur with limited notice. Harborlight will make reasonable efforts to notify registered users of material changes to these Terms via email or in-platform notification, but cannot guarantee advance notice in all cases.
You may close your account at any time by contacting Harborlight. Upon account closure, your profile will be removed from the public directory. However, data retained for platform integrity purposes — including soft-deleted messages and referral records — may be retained in the database consistent with these Terms and applicable law.
Harborlight may suspend or terminate your account at any time, with or without notice, for any reason, including but not limited to: breach of these Terms, credential misrepresentation, violation of the PHI Prohibition Agreement, conduct that Harborlight reasonably believes is harmful to the platform or its users, or any decision by Harborlight to discontinue the platform entirely. Termination of your account does not limit any other remedies Harborlight may have at law or in equity.
These Terms are governed by the laws of the applicable jurisdiction without regard to conflict of law principles. Any disputes arising out of or related to these Terms or your use of the platform shall be resolved through binding arbitration or in a court of competent jurisdiction, as determined by Harborlight in its discretion. These Terms constitute the entire agreement between you and Harborlight with respect to your use of the platform and supersede all prior agreements or understandings on that subject, except that the PHI Prohibition Agreement remains in full force and is incorporated herein by reference.
Version: 2026-03-05-alpha
Protected Health Information (PHI) is defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 C.F.R. Parts 160 and 164) as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. For the purposes of this agreement, you must apply a broad, conservative interpretation of what qualifies as PHI. If you are uncertain whether a piece of information constitutes PHI, you must treat it as PHI and refrain from entering it on this platform.
PHI includes, but is not limited to, the following categories of information when they relate to a client's past, present, or future physical or mental health condition, the provision of care to that client, or payment for such care: (1) client names, including first name, last name, initials, or any combination thereof; (2) dates of birth, admission dates, discharge dates, or any dates directly associated with an individual; (3) geographic identifiers smaller than a state, including street addresses, city or town names, county or precinct designations, and ZIP codes; (4) telephone numbers, fax numbers, and voicemail contact information; (5) email addresses; (6) Social Security numbers; (7) medical record numbers and health plan beneficiary numbers; (8) insurance member IDs, subscriber IDs, and group plan identifiers; (9) account numbers tied to billing or payment for clinical services; (10) certificate and license numbers uniquely tied to a specific client file; (11) vehicle identifiers and serial numbers, including license plate numbers; (12) device identifiers and serial numbers; (13) web URLs and internet protocol (IP) addresses associated with a client; (14) biometric identifiers, including finger and voice prints; (15) full-face photographs and any comparable photographic or video images; and (16) any other unique identifying number, characteristic, or code that could be used alone or in combination with other information to identify a specific individual.
Beyond the HIPAA enumerated identifiers, PHI on this platform also includes: diagnoses, diagnostic impressions, DSM or ICD codes, or clinical presentations tied to an identifiable individual; treatment plans, progress notes, session summaries, or clinical recommendations associated with a specific client; medication names, dosages, or prescription histories tied to an individual; insurance coverage details, explanation of benefits, or claim information associated with a specific client; intake forms, consent documents, or release-of-information authorizations; billing codes (CPT, HCPCS) tied to a specific client episode; case descriptions that include two or more identifying details that, in combination, could reasonably identify a specific individual even if no single detail is a direct identifier; and any information a reasonable clinician would recognize as identifying or potentially identifying a specific person under their care.
The HIPAA Safe Harbor de-identification standard (45 C.F.R. § 164.514(b)) requires the removal of all 18 enumerated identifiers listed in the regulation, plus any residual information that, alone or in combination, the covered entity has actual knowledge could be used to identify the individual. Satisfying the Safe Harbor standard is the minimum baseline for content you share on this platform. Satisfying the Expert Determination method (45 C.F.R. § 164.514(b)(1)) is a higher standard that you may also elect to apply. Meeting either standard does not transfer liability to Harborlight — you remain solely responsible for the accuracy of your de-identification determination.
Harborlight is designed for provider-to-provider professional communication and referral coordination. The platform does permit limited clinical context to be shared for the purpose of facilitating appropriate referrals and professional discourse, provided that all such content is fully de-identified in accordance with the standards described in this agreement. The following categories of content are permitted when properly de-identified.
De-identified referral demographics are permitted in the referral Clinical Context field and in direct messages. This includes general age ranges (e.g., 'adolescent,' 'adult aged 30–40,' 'older adult'), broad geographic descriptors (e.g., state name or general region, not street address or specific ZIP code), general care preferences (e.g., 'prefers telehealth,' 'seeking female-identifying provider,' 'needs sliding-scale availability'), and broad insurance categories (e.g., 'Medicaid-insured' or 'self-pay') without any accompanying member ID, claim number, or other identifier.
General clinical context that does not identify any individual is permitted. Examples of permissible general clinical context include: 'seeking trauma-informed care for an adolescent client,' 'looking for a provider experienced in OCD with ERP,' 'client has expressed preference for a provider with lived experience,' or 'seeking someone accepting Medicaid for an adult with a mood disorder history.' These descriptions characterize a type of clinical need without anchoring that need to any identifiable person.
Professional discussions about treatment modalities, clinical frameworks, evidence-based approaches, and general practice topics are permitted anywhere on the platform, including the community feedback board and direct messages, provided they are conducted at a general or population level and do not reference any identifiable individual's case.
Anonymized case discussions are permitted only where no identifying details are present — meaning not just that direct identifiers have been removed, but that no combination of disclosed details could reasonably be used to identify the individual. Before sharing any case-based content, you must make an independent professional judgment that the content is genuinely de-identified and could not identify your client even to someone with knowledge of your practice or geographic area. The burden of that determination rests entirely with you. Harborlight does not review content prior to submission and cannot make that determination on your behalf.
The following actions are strictly prohibited on Harborlight. Violation of any prohibition in this section constitutes a material breach of this agreement and may result in immediate account suspension or permanent termination without prior notice, in addition to any other remedies available to Harborlight or any affected party.
You must not include PHI of any kind in the referral Clinical Context field. This prohibition is absolute. The Clinical Context field is not a private or secure channel — its contents are visible to all authenticated providers on the platform, not only the provider to whom you are sending the referral. Entering a client's name, date of birth, diagnosis, insurance ID, contact information, or any other PHI in this field exposes that information to every provider currently registered on Harborlight. There is no technical control that limits the audience of this field. You bear full responsibility for every character you type into it.
You must not include PHI in any direct message sent through the platform. Direct messages on Harborlight are stored in a server-side database, are not end-to-end encrypted, and are not encrypted at rest. Messages that are deleted by users are soft-deleted, meaning the underlying data is retained in the database even after it is hidden from the interface. There is no guarantee that a deleted message containing PHI has been permanently destroyed. Treat direct messages as non-secure, non-HIPAA-compliant communications at all times.
You must not include PHI in any post, comment, or submission on the community feedback board. Feedback posts are visible to all registered providers and may be exported in CSV format. Any PHI entered into the feedback board is potentially exposed to the full registered user base and may be retained in exported records held by other users.
You must not include PHI in any other platform feature, field, input form, or communication mechanism, including but not limited to: your provider profile fields; search filters or search query strings; referral subject lines or referral titles; any file or attachment uploaded to the platform; and any future feature introduced during or after the alpha period unless a separate, specific authorization is provided in writing.
You must not upload, attach, or transmit clinical records, intake forms, consent documents, treatment documentation, progress notes, session summaries, authorization forms, or any document that contains PHI, regardless of the format (PDF, image, Word document, spreadsheet, or otherwise).
You must not share client contact information — including phone numbers, email addresses, mailing addresses, or any other means of reaching a specific individual — through any platform feature. The referral process on this platform is intended to facilitate provider-to-provider coordination, not to transmit client-identifiable data.
By using Harborlight, you accept full personal and professional liability for any PHI you enter, transmit, upload, or otherwise introduce into the platform. Harborlight assumes zero responsibility for any PHI submitted by users. The platform provides no content review, no automated PHI detection, and no pre-submission filtering. You are the sole responsible party for every piece of content associated with your account.
Harborlight is not a HIPAA-covered entity as defined under 45 C.F.R. § 160.103. Harborlight is not acting as a Business Associate with respect to any covered entity using this platform. Harborlight does not execute Business Associate Agreements (BAAs) with users or their practices. If your use of Harborlight implicates HIPAA — including if you are a covered entity or business associate considering entering PHI on the platform — you are on notice that no BAA is available and that entering PHI would constitute a violation of this agreement as well as your own HIPAA obligations.
You are independently bound by HIPAA and all applicable state privacy and confidentiality laws, including but not limited to state mental health confidentiality statutes, psychotherapist-patient privilege protections, and any consent-based disclosure limitations imposed by your licensing jurisdiction. Your obligations under those laws exist entirely independently of this platform and are not altered, satisfied, or waived by your use of Harborlight. The fact that a platform feature technically accepts text input does not constitute authorization to enter PHI into that field.
If you violate this agreement by entering PHI on the platform, Harborlight may suspend or permanently terminate your account immediately and without prior notice. Account termination may be communicated after the fact or may not be communicated at all, at Harborlight's discretion. Harborlight is not required to give you an opportunity to cure a PHI violation before taking action. Termination does not relieve you of any liability arising from the violation.
You acknowledge that a PHI violation on this platform may expose you to significant consequences entirely independent of any action taken by Harborlight. These include, without limitation: investigation and enforcement action by the U.S. Department of Health and Human Services Office for Civil Rights; civil monetary penalties under HIPAA (up to $1,993,200 per calendar year per violation category as of current regulatory caps); state attorney general enforcement actions; professional licensing board complaints, disciplinary proceedings, and sanctions including license suspension or revocation; civil litigation by or on behalf of affected clients; and reputational harm within your professional community. Harborlight has no obligation to notify you in advance of, or to protect you from, any of these consequences.
You agree to indemnify, defend, and hold harmless Harborlight and its affiliates, officers, employees, and contractors from and against any and all claims, demands, investigations, penalties, fines, regulatory actions, liabilities, damages, losses, judgments, and expenses — including reasonable attorneys' fees and costs — arising out of or in any way related to PHI you have entered, uploaded, transmitted, or caused to appear on the platform, your violation of HIPAA or any applicable state privacy law, or any third-party claim resulting from your disclosure of PHI through this platform.
If you discover content on the platform that you believe constitutes PHI posted in violation of this agreement, you are strongly encouraged to report it to Harborlight immediately. You can submit a report by contacting Harborlight through the platform's designated support channel or email address. Your report should identify, to the extent possible without yourself further propagating the PHI: the location of the content (e.g., the specific feature, the approximate time of posting), the nature of the violation, and why you believe the content constitutes PHI. Do not reproduce the PHI in your report beyond what is minimally necessary to identify the content.
Upon receiving a report, Harborlight will take reasonable steps to review the flagged content and, where a violation is confirmed, to remove or suppress the content from the platform interface promptly. Harborlight does not commit to a specific response time for PHI removal requests, though it treats such reports as high-priority. The complexity of database operations required to fully purge soft-deleted or referenced content may affect how quickly removal can be accomplished.
Harborlight may investigate the account responsible for the reported violation and may take action against that account, including suspension or permanent termination, based on its own assessment of the violation. Harborlight is not obligated to share the outcome of any investigation with the reporting party. Reporting a violation does not make the reporting party a party to any enforcement or disciplinary action taken by Harborlight.
Reporting a PHI violation to Harborlight does not constitute a report to any regulatory authority, does not satisfy any HIPAA breach notification obligation you may independently have, and does not guarantee that the PHI will be removed before it has been viewed, copied, exported, or otherwise accessed by other users. If PHI has been posted on the platform, exposure may have already occurred. Reporting to Harborlight is a necessary step in containing further exposure, but it does not undo prior exposure and does not shift liability for the original violation from the party who posted the PHI to Harborlight.