Privacy Policy

Last updated (effective date): May 20, 2026

Information We Collect

We collect the following personal data:

For Practices/Providers:

  • Names
  • Email Addresses
  • Physical Addresses
  • Phone Numbers
  • Tax Identifiers
  • Payment Information
  • Provider License Information

For Clients/Patients:

  • Names
  • Email Addresses
  • Physical Addresses
  • Phone Numbers
  • Insurance Information
  • Payment Information
  • Health Information

For visitors browsing our public marketing websites, we also collect limited technical and usage information through cookies and similar technologies (as described below) and any information you voluntarily submit (for example, an email address on a waitlist or contact form).

How We Collect Data

We collect information through the TheraPrac product (web and mobile applications), through our business operations (such as billing and support), and through our public marketing websites. Information you enter into the platform is collected as needed to provide the service. When you browse our public sites, technical and usage data may be collected automatically as described in the “Cookies and Similar Technologies” section.

How We Use Your Data

Your data will be used for the following purposes:

  • Scheduling
  • Billing
  • Health records management
  • Processing insurance claims
  • Payment processing
  • Understanding how our public websites are used and improving our marketing materials (for example, through aggregated analytics)

HIPAA Compliance: Business Associate

From a HIPAA perspective, TheraPrac operates as a Business Associate to healthcare customers that qualify as Covered Entities. TheraPrac executes a Business Associate Agreement (BAA) with Covered Entity customers, which governs how Protected Health Information (PHI) is handled and the parties' respective HIPAA obligations. This Privacy Policy does not itself constitute a Business Associate Agreement.

Data Sharing

We may share your personal data with third parties only when necessary to provide our services:

  • Insurance Providers & Clearing Houses: To process insurance claims
  • Payment Processors: To process payments securely
  • Google (Google Tag Manager and Google Analytics): On our public marketing websites we use Google Tag Manager and Google Analytics (GA4) to measure traffic and engagement. Google processes information according to its terms. You can read Google’s privacy policy at policies.google.com/privacy.
  • Other service providers: We use vendors for hosting, security, communications, fonts, and other business operations (for example, Adobe Fonts/Typekit on marketing pages). We require service providers to use data only as directed and with appropriate safeguards.

We do not sell your personal information. We do not share personal information with third parties for cross-context behavioral advertising. If our practices change, we will update this policy.

Data Storage and Security

We implement the following measures to protect your data:

  • Encryption: Sensitive data, including PHI and payment details, is encrypted in transit and at rest using encryption protocols appropriate to the sensitivity of the data.
  • Secure Servers: Your data is stored on secure servers located in the United States, protected by firewalls and access control technologies.
  • Access Control: Only authorized personnel have access to your data, and they receive regular data protection and privacy training.
  • Backups and Recovery: TheraPrac uses backup mechanisms designed to support recovery in the event of operational incidents.
  • Internal Security Reviews: We conduct internal security reviews as part of normal operations, including code review on changes, automated dependency monitoring, and review of security findings from cloud-provider tooling.

Data Retention

TheraPrac retains personal data for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, accounting, or reporting obligations:

  • PHI: Retained in accordance with customer instructions, applicable law, and the terms of the applicable Business Associate Agreement (BAA).
  • Billing and Transaction Data: Retained for 7 years to comply with tax and accounting requirements.
  • Inactive Accounts: Data from inactive accounts is retained for so long as TheraPrac has a legitimate business or legal reason to do so, and may be deleted or anonymized at TheraPrac's discretion.
  • HIPAA Records: Where HIPAA requires retention of records relating to PHI (such as policies, accountings of disclosure, and BAA records), TheraPrac retains those records for at least six (6) years as required by 45 CFR §164.530(j).
  • User-Requested Deletion: Users can request data deletion, and we will comply with such requests in accordance with legal requirements.
  • Marketing site analytics (GA4): Retained according to retention options configured in our Google Analytics property (including event and user-level retention where applicable) and Google’s own policies.

User Rights

Users have the following rights regarding their data:

  • Access: Users can access their data via the application.
  • Correction: Users can correct their data through the application.
  • Deletion: Users can request data deletion, and we will comply where legally permitted, noting that some data may need to be retained for regulatory purposes.

If you are a resident of certain U.S. states, you may have additional rights under applicable privacy laws (such as rights to know, delete, or appeal certain decisions), subject to legal exceptions. To make a request, contact us at privacy@theraprac.com with enough detail for us to verify and process your request.

Data from Minors

We may collect health data from minors only with parental or guardian consent, as required by law.

Cookies and Similar Technologies (Public Websites)

Our public marketing sites use cookies, local storage, and similar technologies needed to operate the pages, deliver content, and measure how they are used. You may be able to control some of these technologies through your browser or device settings.

Analytics and tag management. We use Google Tag Manager (GTM) and Google Analytics (GA4) on our marketing site. These tools may set first-party cookies or use comparable storage to distinguish browsers and sessions. They collect information such as pages viewed, referral information, and interactions we configure for measurement (for example, certain button clicks). That data is typically pseudonymous (such as an analytics identifier tied to a browser) and is used in aggregate to improve our website and understand interest in our products. We configure marketing-site measurement to avoid collecting protected health information (PHI) or the contents of clinical records.

Fonts. We use Adobe Fonts (Typekit) to display typography; Adobe may process limited technical information needed to serve fonts, as described in Adobe’s privacy disclosures.

Advertising and remarketing. We do not run advertising or remarketing pixels (such as social or display ad tags) on our marketing site today. If we add them, we will update this policy and, where required, adjust consent or opt-out mechanisms.

Data Breach Notification

In the unlikely event of a data breach involving personal data, TheraPrac will provide notice as required by applicable law and contractual obligations. For incidents involving Protected Health Information (PHI) maintained on behalf of Covered Entity customers, breach and security incident notification obligations are governed by the applicable Business Associate Agreement (BAA).

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. When we make changes, we will notify you by updating the “Last updated (effective date)” at the top of this page and, where appropriate, by sending an email notification. Please review this policy periodically for updates.

Contact Us

If you have any questions or concerns about this Privacy Policy, or if you would like to exercise your rights regarding your data, please contact us at:

TheraPrac Privacy Officer
Email: privacy@theraprac.com