Privacy Policy
Sessionably Platform
Effective Date: January 20, 2025
Last Updated: January 20, 2025
1. Introduction
Sessionably ("we," "our," or "us") is committed to protecting your privacy and the privacy of your patients' Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Electronic Health Record (EHR) platform located at https://sessionably.com (the "Service").
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide to us when you:
- Register for an account: Name, email address, username, password, professional credentials
- Use the Service: Patient records, clinical notes, appointment information, billing data, documents, and other Protected Health Information (PHI)
- Contact us: Name, email address, phone number, and any other information you choose to provide
- Payment information: Billing address, payment card information (processed securely through Stripe)
2.2 Information Automatically Collected
When you use our Service, we automatically collect certain information:
- Usage data: Pages visited, features used, time spent on the Service
- Device information: IP address, browser type, operating system, device type
- Log data: Access times, dates, and pages viewed
- Cookies and tracking technologies: Session data, preferences, authentication tokens
2.3 Protected Health Information (PHI)
As a healthcare platform, we handle Protected Health Information as defined by HIPAA, including:
- Patient names, dates of birth, addresses, phone numbers, email addresses
- Medical records, clinical notes, treatment plans
- Appointment information
- Billing and insurance information
- Any other information that could identify a patient or their health status
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Provision
- To provide, maintain, and improve our EHR platform
- To process transactions and send related information
- To manage your account and authenticate users
- To store and manage patient records and clinical data
- To enable communication between clinicians and patients
3.2 Communication
- To send you service-related notifications (appointments, invoices, document signatures)
- To respond to your inquiries and provide customer support
- To send you important updates about our Service
- To send SMS notifications via Twilio (with patient consent)
3.3 Legal and Compliance
- To comply with legal obligations, including HIPAA requirements
- To respond to legal requests and prevent fraud
- To enforce our Terms of Service
- To maintain audit logs as required by law
3.4 Business Operations
- To analyze usage patterns and improve our Service
- To conduct research and analytics (using de-identified data only)
- To detect and prevent security threats
- To maintain system security and integrity
4. How We Share Your Information
4.1 Service Providers (Business Associates)
We share information with third-party service providers who perform services on our behalf and who have signed Business Associate Agreements (BAAs):
- Backblaze B2: Cloud storage for patient documents and records
- Twilio: SMS notifications for appointments and reminders
- Stripe: Payment processing for invoices
- Vercel: Application hosting and serverless functions
4.2 Legal Requirements
We may disclose information if required by law or in response to:
- Court orders, subpoenas, or legal process
- Government requests
- Law enforcement investigations
- Protection of our rights, property, or safety
- Protection of patient safety or public health
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.
4.4 With Your Consent
We may share information with your explicit consent or at your direction.
5. Your Rights and Choices
5.1 Access and Correction
You have the right to:
- Access your personal information and patient records
- Request corrections to inaccurate information
- Request deletion of your information (subject to legal retention requirements)
- Export your data in a portable format
5.2 Account Settings
You can:
- Update your account information through your profile settings
- Change your password at any time
- Manage your communication preferences
- Request account deletion
5.3 HIPAA Patient Rights
Patients have additional rights under HIPAA, including:
- Right to access their PHI
- Right to request amendments to their PHI
- Right to receive an accounting of disclosures
- Right to request restrictions on use and disclosure
- Right to confidential communications
- Right to file complaints
See our HIPAA Notice of Privacy Practices for detailed information about patient rights.
5.4 Opt-Out Options
You can opt out of:
- Marketing emails (by clicking "unsubscribe" in any marketing email)
- SMS notifications (by replying STOP to any SMS)
- Non-essential cookies (through your browser settings)
Note: You cannot opt out of service-related communications necessary for the operation of the Service.
6. Data Security
We implement industry-standard security measures to protect your information:
6.1 Technical Safeguards
- Encryption in transit: TLS 1.2+ encryption for all data transmission
- Encryption at rest: AES-256 encryption for stored data
- Access controls: Role-based access control and authentication
- Audit logging: Comprehensive logging of all PHI access
- Regular security assessments: Ongoing monitoring and testing
6.2 Administrative Safeguards
- HIPAA compliance: Full compliance with HIPAA Security and Privacy Rules
- Business Associate Agreements: All service providers sign BAAs
- Staff training: Regular HIPAA and security training
- Incident response plan: Procedures for security incidents
6.3 Physical Safeguards
- Cloud infrastructure: Secure data centers with physical access controls
- No local storage: All data stored in secure cloud environments
Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
7.1 Retention Periods
We retain information for the following periods:
- Active accounts: For the duration of your account
- Inactive accounts: 6 years after account closure (HIPAA requirement)
- Audit logs: 6 years (HIPAA requirement)
- Patient records: 6 years after last patient contact or as required by state law
- Billing records: 7 years (tax and accounting requirements)
7.2 Deletion
You can request deletion of your account and data. However, we may retain certain information:
- As required by law (HIPAA, tax, accounting)
- To resolve disputes and enforce agreements
- To prevent fraud or abuse
- In anonymized or aggregated form for analytics
8. International Data Transfers
Our Service is hosted in the United States. If you access our Service from outside the United States, your information may be transferred to, stored, and processed in the United States. By using our Service, you consent to such transfers.
9. Children's Privacy
Our Service is not intended for children under the age of 18. We do not knowingly collect information from children under 18. If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending you an email notification (for significant changes)
Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Sessionably
Email: support@sessionably.com
Phone: 720-808-2150
Address: 75 Manhattan Dr., Ste. 206, Boulder, CO 80303
HIPAA Compliance Officer: Steady Hand LLC
Email: support@sessionably.com
For HIPAA-related inquiries: support@sessionably.com
12. Complaints
If you believe we have violated your privacy rights, you may file a complaint with:
U.S. Department of Health and Human Services (HHS)
Office for Civil Rights
Website: https://www.hhs.gov/hipaa/filing-a-complaint
Phone: 1-877-696-6775
This Privacy Policy is effective as of January 20, 2025.