Privacy Policy for Stored Credit Card Information

Effective Date: June 25, 2026

1. Introduction
We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how Sapience Therapy ("we", "us", or "our") collects, stores, uses, and discloses credit card information that you authorize us to retain on file. This Policy is designed to comply with applicable federal and state laws, including the Massachusetts Data Protection Act (201 CMR 17.00) and the Massachusetts Breach Notification Law (M.G.L. c. 93H and c. 66A), as well as industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).

2. Scope
This Policy applies to all credit card information collected in the course of providing goods or services, including information obtained in person, online, or via telephone, when you elect to have your credit card data stored on file for future transactions.

3. Information Collected
We collect the following information when you authorize us to store your credit card on file:

  • Cardholder name

  • Credit card number

  • Expiration date

  • Card verification value (CVV/CVC) when initially provided

4. Purpose of Storage
We retain your credit card information for the sole purpose of processing recurring or future transactions you have authorized, such as subscription payments or installment billing. We do not use stored credit card data for any other purpose without your express consent.

5. Data Security and Storage
We implement and maintain appropriate administrative, technical, and physical safeguards to protect credit card information from unauthorized access, disclosure, alteration, or destruction, consistent with 201 CMR 17.00 and PCI DSS requirements. Key measures include:

  • Stripe as Processor: All card data is processed and stored only through Stripe, a PCI DSS–certified service provider. Stripe encrypts data at rest and in transit using industry-standard AES-256 and TLS protocols.

  • Secure Network Architecture: The Stripe network is segmented to isolate cardholder data environments, with firewalls and intrusion detection systems configured according to best practices.

  • Access Controls: Only authorized Sapience Therapy personnel with a legitimate business need may access card data, and all access is logged and periodically reviewed.

  • Employee Training: Employees who handle payment information receive regular training on data security, privacy best practices, and Stripe’s handling procedures.

  • Regular Testing: Stripe conducts vulnerability assessments, penetration tests, and reviews of security controls at least annually, in coordination with Stripe’s own assessments.

6. PCI DSS Compliance
We maintain compliance with PCI DSS (Version 4.0) through our partnership with Stripe. Stripe’s PCI certification covers the storage, processing, and transmission of cardholder data.

7. Data Retention and Disposal

  • We retain stored credit card information only as long as needed to fulfill the purposes outlined in Section 4, or as required by law.

  • Upon request or when no longer needed, we securely delete or render unreadable all stored card data in our possession, following Stripe’s secure deletion processes and industry best practices.

8. Third-Party Service Providers
We engage Stripe as our primary payment processor. Stripe is contractually obligated to implement and maintain security measures at least as protective as those described in this Policy, including encryption, access controls, and routine security testing.

9. Disclosure of Information
We will not disclose your stored credit card information to any unaffiliated third parties, except:

  • To process authorized transactions via Stripe.

  • As required by law (e.g., subpoena or court order).

10. Breach Notification
In the event of a security breach compromising stored credit card information, we will follow Massachusetts breach notification requirements:

  • Notify affected individuals without undue delay, and in no case later than 90 days after discovery, providing information about the breach and steps to protect themselves.

  • Notify the Massachusetts Attorney General and Division of Data Protection pursuant to M.G.L. c. 93H and 201 CMR 17.00.

11. Your Rights
You have the right to:

  • Request access to or correction of your stored credit card information.

  • Request deletion of your stored credit card data (subject to our ability to satisfy outstanding authorized transactions).

  • Withdraw consent for storage of your credit card on file at any time.

To exercise these rights, please contact us as provided below.

12. Changes to This Policy
We may update this Policy from time to time. We will post the revised Policy on our website with a new "Effective Date." Your continued use of our services following any changes constitutes acceptance of the updated Policy.

13. Contact Information
Sapience Therapy
25 Bank Row St, Suite 3
Greenfield, MA 01301
Email: info@sapiencetherapy.com
Phone: (413) 825-9922