Client Portal Privacy Policy

Last Updated: September 2, 2022

This Privacy Policy describes how SimplePractice LLC (“SimplePractice,” “we,” “us,” or “our”) collects, uses and discloses the Personal Information (as defined below) of our Customer’s patients and clients (“Clients,” “you,” or “your”) when using the client web portal and client mobile application (including telehealth services) controlled by their healthcare or wellness Provider (our “Customer” or your “Provider”) (collectively, the “Client Portal” or the “Services”).

Certain SimplePractice Services may use a different privacy policy to provide notice to you about how we use and disclose the Personal Information we collect in the context of that Service. To the extent that we post or reference a different privacy policy, that different privacy policy, not this Privacy Policy, will apply to your Personal Information collected in the context of that Service.

1. Note to SimplePractice Customers and their Clients

Our treatment of Client Personal Information is governed by our agreements with our Customers, including our SimplePractice Terms of Service and HIPAA Business Associate Agreement, as applicable (our “Agreement”). If any provision in our Agreement with our Customers conflicts with any provision in this Privacy Policy, the provision in the Agreement will control to the extent of such conflict.

We will also direct Clients to their Providers, the controller of their personal information. Please see the “California Privacy Statement” and “Additional State Privacy Laws” sections of this privacy policy for more details.

If you are a Client of one of our Customers, we may retain your Personal Information on behalf of that Customer. If you have questions about how we process your Personal Information, we encourage you to reach out to the appropriate Customer or visit our Help Center.

2. Personal Information We Collect

“Personal Information” is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household, such as your name, email address, IP address, telephone number, and broader categories of information such as your professional, educational or health information, commercial information and internet activity. In the course of you using the Client Portal, we may collect Personal Information directly from you or indirectly from you, such as through your Provider. The categories of Personal Information we collect about you depend upon your interactions with us and how you utilize the Client Portal. For example, we may collect:

  • Identifiers and contact information, such as your name, email address, mailing address, phone numbers, and IP addresses. We collect this information directly from you or indirectly from your Provider when your Provider creates or edits your Client Profile, for allowing your Provider to communicate with you and provide their services to you, to enable you to access the Client Portal, and to enable your electronic signature on certain documents or agreements.
  • Billing information, such as your insurance information, invoices, name, email address, mailing address, phone number, Provider information, date of services, and services received. We store this information on behalf of you and your Provider so that your Provider may process your payments to them, and so that you may view and manage your billing information in the Client Portal.
  • Audio, electronic and visual information, such as your photographs or images, your voice and other similar information. We process this information to enable you and your Provider to use our Telehealth service, if applicable, and to allow you to create file attachments in the Client Portal.
  • Internet, device, and other electronic network activity information, such as your browsing history, search history, device and connectivity data, and your navigation and interactions within and with our Services. We collect this information in an anonymized format, in which your identity is not verifiable. We collect this information through a third-party source or through our cookies and other tracking technologies in order to conduct business analytics or to improve our business functionality and the Services. The appropriate contracts are in place with third-party sources to ensure they do not use this information beyond the purpose of providing services to us. Please review the “Data Collection Technologies and Cookies” section below to learn more about our use of cookies and data collection technologies.
  • Profile information and inferences, such as information about your preferences and characteristics. We collect profile information by drawing inferences from the above categories of Personal Information, in an anonymized format, in order to understand Client patterns and preferences, and to enable us to tailor and update our Services and communications.
  • Appointment Information, such as date, time and location of your appointments with your Provider. We store this information on behalf of your Provider so that you and your Provider can view and manage your appointments.
  • Sensitive personal information, collected on behalf of your Provider in the course of providing their services to you, such as your race or ethnic origin, sexual orientation, credit or debit card number, health status, driver’s license or subsequent form of identification, or secure messages exchanged between you and your Provider. We may store this information on behalf of your Provider to ensure they can manage your Client Profile, provide their services and/or care to you, verify your identity and insurance information, and to allow them to process payments from you. We also store this information so that you may manage your payments to your Provider and so that you may securely communicate with your Provider in the Client Portal. This information is not accessed or used outside of what is described in this privacy policy and is in accordance with HIPAA privacy law. Please contact your Provider for questions regarding how they handle your sensitive personal information.

  • Information we receive from authentication services you connect to our Services. Some parts of our Services may allow you to login through a third-party social network or authentication service such as Google. These services will authenticate your identity and provide you the option to share certain personal information with us, which may include your name, email address, or other information. The data we receive is dependent on that third party’s policies and your privacy settings on that third-party site. We will treat Personal Information collected from third party sources in accordance with this Privacy Policy, but we are not responsible for the accuracy of information provided by third parties or for their policies or practices. If you choose to connect a Google or Gmail account to our Services, we will ask you to grant us application permissions to access your Gmail account. These permissions are necessary to sustain the functionality of our Services. We will store your authentication token and account email address. This data will be securely stored to be used by us to provide you with the Services (including, but not limited to, allowing you to access the Client Portal). This data will not be voluntarily shared with any third parties, but we may provide this information to legal authorities upon their lawful request. You may choose to disconnect your Gmail account at any time. We do not use data obtained from Clients (from their Google accounts) for advertising purposes. We may need access to the user data to resolve a support issue, provide advice on service usage or provide any other help requested by the Client, or as such access may be necessary for a security investigation or to comply with applicable laws. We use this information to operate, maintain, and provide to you the features and functionality of the Services. We may also send you service-related emails or messages (e.g. Client support, changes, or updates to features of the Services, or technical and security notices).

3. How We Use Personal Information

In addition to the purposes for collection described above, we also collect your Personal Information for the following general purposes:

  • To maintain your Client Profile, to send you requested product and Client Portal information, and to send you product and Client Portal updates;
  • To respond to your support or help center requests and address your questions and concerns;
  • To process billing information and transactions within the Client Portal;
  • To authenticate your identity and allow you to view, fill out, and sign documents in the Client Portal;
  • To administer, measure, and improve our Services and Client Portal experience, including measuring the effectiveness and functionality of the Services, aggregating statistical information on site usage, diagnosing problems with our servers, and analyzing traffic;
  • To detect security incidents, to protect against malicious, deceptive, fraudulent or illegal activity, and to comply with our policies and procedures;
  • To comply with our legal, regulatory and risk management obligations, including establishing, exercising and/or defending legal claims, responding to law enforcement requests and as required by applicable law, court order, or governmental regulations, and to comply with applicable state and federal laws, including, but not limited to laws related to protecting Client and public health and safety;
  • Any other purpose with your consent.

4. How We Share and Disclose Your Personal Information

We may share your Personal Information in the following circumstances:

  • To your Providers/our Customers: We share your Personal Information with your Providers/our Customers in order to provide you with the Services and facilitate our agreements with our Customers.
  • To Service Providers: We may share your Personal Information with companies that provide services to us, such as for hosting, marketing and communication services, analytics services, and payment processing (“Service Providers”). Our policy is to authorize these Service Providers to use your Personal Information only as necessary to provide services for us, and we require that the appropriate contracts are in place to ensure they do not use or disclose your Personal Information for any other purpose.
  • To parties outside of SimplePractice:
    • We may share your Personal Information with our parent and affiliate companies in order for them to provide analytics across the entire corporate family and for other internal business purposes.
    • From time to time, we may be required to provide Personal Information to a third party in order to comply with a subpoena, court order, government investigation, or similar legal process.
    • We may also share your Personal Information with third parties, such as law enforcement agencies, when we, in good faith, believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
    • To any other third party for whom you have given your consent for us to share your Personal Information.
  • In a corporate transaction: If SimplePractice is involved in a corporate transaction, such as a bankruptcy, merger, acquisition, reorganization, or sale of all or a portion of its assets, we may share or transfer your Personal Information as part of any such transaction.

5. Access and Choice

Client Portal Contents: If your Personal Information changes, it can be modified by contacting your Provider and requesting that they update your Personal Information. Only certain information, such as your billing information, can be modified by you in the Client Portal.

Push Notification Preferences: We may send you emails or banners in the Client Portal relative to your relationship with your Provider, with us, and your transactions. This may include, but is not limited to alerts, push notifications, appointment reminders and updates, and updates to our products, services, and policies. You can edit your push notification preferences in the “Notification Settings” section of the Client Portal.

Client Profile Deletion: We provide our Customers a software service with which they can manage their Clients’ information. We control a limited amount of your data. If you wish to have your information within the Client Portal deleted, please contact your Provider. Please note that this may affect your Provider’s ability to provide you with their services and that this data may be subject to certain data privacy laws and regulations. If you wish to delete other information that SimplePractice collects about you as outlined in this privacy policy, please refer to our “California Privacy Statement” and “Additional State Privacy Laws” sections in this privacy policy.

Please understand that we will not be able to provide you Services if you are not a Client of a SimplePractice Customer.

6. Data Collection Technologies and Cookies

As is true of many digital properties, we and our third-party partners may automatically collect certain information from or in connection with your device when visiting or interacting with our Services, such as:

  • Log Data, including internet protocol (IP) address, operating system, device type and version, browser type and version, browser id, the URL entered and the referring page/campaign, date/time of visit, other user agent string data, the time spent on our Services, and any errors that may occur during the visit to our Services. Log data may overlap with the other categories of data below.
  • Analytics Data, including the electronic path you take to our Services, through our Services and when exiting our Services, UTM source, as well as your usage and activity on our Services, such as the time zone, activity information (first and last active date and time), usage history (emails opened, total log-ins) as well as the pages and links you view, click or otherwise interact with.
  • Location Data, such as general geographic location which can be inferred based on your IP address.

We and our third-party Service Providers may use (i) cookies or small data files that are sent to your browser from a web server and stored on your computer’s hard drive and (ii) other, related technologies, such as web beacons, pixels, SDKs, embedded scripts, and logging technologies (“cookies”) to automatically collect this information. We may use this information to monitor and analyze how you use and interact with our Services.

We use information gathered from these technologies so that we can analyze trends, administer the Services, and track users’ movements around the Services.

If you would prefer not to accept cookies, most browsers will allow you to change the setting of cookies by adjusting the settings on your browser to: (i) notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Be aware that disabling cookies may negatively affect the functionality of this and many other websites that you visit. Disabling cookies may result in also disabling certain functionalities and features of the Services.

Depending on your device and operating system, you may not be able to delete or block all cookies. In addition, if you want to reject cookies across all your browsers and devices, you will need to do so on each browser on each device you actively use. You may also set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our email and performed certain functions with it.

Do Not Track: Please note that the Services are not presently configured to respond to DNT or “do not track” signals from web browsers or mobile devices. As such, we do not recognize or respond to Do Not Track requests.

7. Retention and Security

We will retain your Personal Information and sensitive Personal Information for as long as your information resides in our Customer’s Clients and Contacts list, as needed to provide you Services, and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once we receive it. For example, when you enter sensitive information (such as when you submit your intake forms), we encrypt the transmission of that information using secure socket layer technology (SSL). However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.

8. California Privacy Statement

California residents have certain rights under the California Shine the Light law, the California Consumer Privacy Act (“CCPA”), and the California Privacy Rights Act (“CPRA”). The CPRA provided amendments and updates to the CCPA.

CCPA and CPRA Disclosures: In general, within the preceding 12 months:

  • We have collected the categories of Personal Information listed in Section 2 above.
  • We have collected these categories of Personal Information directly from you, indirectly from your Provider or our Customer, and when you use the Client Portal and our Services, for the purposes described in Section 3 above.
  • We have disclosed the following categories of Personal Information for business purposes: Billing and transactional information; internet, device, and network activity information; and profile information and inferences.
  • We have not sold your Personal Information.

CPRA and CCPA Privacy Rights: Certain California residents are entitled to privacy rights under the CPRA and CCPA. Clients who wish to exercise these rights should send an email to privacy@simplepractice.com or fill out this form, and also direct their requests to the Customer who controls their Personal Information.

  • The right to know. You have the right to request to know (i) the specific pieces of Personal Information we have about you; (ii) the categories of Personal Information we have collected about you in the last 12 months; (iii) the categories of sources from which that Personal Information was collected; (iv) the categories of your Personal Information that we sold or disclosed in the last 12 months; (v) the categories of third parties to whom your Personal Information was sold or disclosed in the last 12 months; and (vi) the purpose for collecting and selling your Personal Information.
  • The right to deletion. You have the right to request that we delete the Personal Information that we, including our third-party Service Providers, have collected or maintain about you. We may deny your request under certain circumstances, such as if we need to comply with our legal obligations or complete a transaction for which your Personal Information was collected. If we deny your request for deletion, we will let you know the reason why.
  • The right to correct. You have the right to request correction of any inaccurate Personal Information we have about you.
  • The right to opt-in and opt-out of sharing and selling of your Personal Information. We do not sell your Personal Information. We only share your Personal Information as outlined in this privacy policy to provide our Services to you.
  • The right to limit use and disclosure of sensitive personal information. You have the right to restrict the ways in which we use and disclose your sensitive personal information. We do not use, share, or disclose your sensitive personal information in any way, except as outlined in this privacy policy for the purposes of providing our Services to you. We do not exchange this information for cross-contextual behavioral advertising nor for any commercial or monetary purposes.
  • The right to equal service. If you choose to exercise any of these rights, we will not discriminate or retaliate against you in any way. If you exercise certain rights, understand that you may be unable to use or access certain features of our Services.

You may exercise your right to know and your right to deletion twice a year free of charge. Currently, there is no limitation on your right to correct, although this is forthcoming. The remainder of your privacy rights are not subject to limitations. To exercise your privacy rights please contact us at privacy@simplepractice.com or fill out this form.

We will take steps to verify your identity before processing your privacy rights requests. We will not fulfill your request unless you have provided sufficient information for us to verify you are the individual about whom we collected Personal Information. If you have a Client Profile and use our Services, we will use our existing authentication practices to verify your identity. If you do not have a Client Profile, we may request additional information about you to verify your identity. We will only use the Personal Information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose.

You may use an authorized agent to submit a privacy rights request. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request on your behalf. To protect your Personal Information, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.

Shine the Light: Our California Clients are also entitled to request and obtain from SimplePractice once per calendar year information about any of your Personal Information shared with third parties for their own direct marketing purposes, including the categories of information and the names and addresses of those businesses with which we have shared such information. However, we do not share your information with third parties for their own direct marketing purposes.

9. Additional State Privacy Laws

SimplePractice takes our Customers’ and Clients’ privacy and data protection very seriously, and we work vigorously to ensure we remain compliant with applicable federal and state privacy laws.

Under the Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, Virginia residents have additional privacy rights. Clients who wish to exercise these rights should send an email to privacy@simplepractice.com and also direct their requests to the Customer who controls their Personal Information.

  • The right to know, access and confirm personal data. You have the right to know whether or not we are processing your personal data and to access such personal data.
  • The right to deletion. You have the right to request that we delete the Personal Information that we, including our third-party service Providers, have collected or maintain about you. We may deny your request under certain circumstances, such as if we need to comply with our legal obligations or complete a transaction for which your Personal Information was collected. If we deny your request for deletion, we will let you know the reason why.
  • The right to correct. You have the right to request correction of any inaccurate Personal Information we have about you.
  • The right to data portability. You have the right to easy and portable access to all pieces of Personal Information that we have collected or maintain about you.
  • The right to opt-out of the processing of personal data for targeted advertising purposes. We do not use your Personal Information for targeted advertising. We may use your Personal Information, however, to provide updates to you about our product and Services and other necessary communications in the course of providing our services to you and your Provider.
  • The right to opt-out of the sale of personal data. We do not sell your Personal Information. We only share your Personal Information as outlined in this privacy policy to provide our Services to you.
  • The right to opt-out of profiling based upon personal data. You have the right to opt-out of any processing of personal data for the purposes of profiling for decisions that produce legal effects or similarly significant effects on you. We do not use your Personal Information for this purpose.
  • The right to equal service. If you choose to exercise any of these rights, we will not discriminate or retaliate against you in any way. If you exercise certain rights, understand that you may be unable to use or access certain features of our Services.

Per the VCDPA, information provided in response to your requests shall be provided by us, free of charge, up to twice annually per Client. We will update this privacy policy periodically and as necessary to maintain compliance with the evolving privacy landscape.

10. Additional Information

Information for Visitors and Users from Outside of the United States: We are committed to complying with this Privacy Policy and the data protection laws that apply to our collection and use of your Personal Information. We are located in the United States, where the laws may be different and, in some cases, less protective than the laws of other countries. By providing us with your Personal Information and using the Services, you acknowledge that your Personal Information will be transferred to and processed in the United States and other countries where we and our vendors operate.

Links to Other Sites: The Services may contain links to other sites that are not owned or controlled by SimplePractice. This may include, but is not limited to, links to add appointments to your calendar or links for directions to your Provider’s office. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave our site and to read the privacy statements of each and every website that collects Personal Information. This Privacy Policy applies only to information collected or stored in or by our Services.

Children’s Privacy: Our Services are not directed towards, nor do we knowingly collect any Personal Information from children under 13, unless they are a Client of our Customer. Please contact your Provider for information on how they collect and handle information from a Client who is under the age of 13.

Changes to This Policy: We may update this Privacy Policy to reflect changes to our information practices. If we make any material changes, we will notify you by email (sent to the email address specified in your Client Profile) or by means of a notice in our applications or on our websites prior to or upon the change becoming effective. We encourage you to review this page periodically for the latest information on our privacy practices.

11. Contact Us

If you have any questions in connection with this Privacy Policy or other privacy-related matters, please visit our Help Center.

Rev. Sept. 2022/ © 2022 SimplePractice, LLC All rights reserved.