TheraNest Privacy Policy

This Policy was last updated on July 24, 2018.

Introduction

We are committed to protecting the privacy and security of the personal information we receive or collect from you.  We also believe in transparency and are committed to informing you about how we treat your personal information.

TheraNest (also referred to as “we,” “us,” and “our”) has established this Privacy Policy, together with our Terms of Service (https://www.theranest.com/terms) and any documents referenced therein, to provide you with clear and concise information regarding the nature of the information collected via (a) the public portions of www.theranest.com and www.therapadapp.com (the “Websites”); (b) our cloud-based electronic health record and practice management software, accessible via the password-protected portions of the Websites and the TheraNest and TheraPad mobile applications (together, the “Apps”); (c) our telehealth platform, which is accessible via the Websites (the “Telehealth Platform”); and (d) those portions of the Apps which may be accessed by patients at the direction of the health care providers who subscribe to TheraNest (the “Client Portal”) (the Websites, the Apps, the Telehealth Platform, and the Client Portal are collectively referred to herein as the “Services”), as well as the ways in which we use and share this information.  This Policy also describes certain rights and options that you have with regard to your personal information.

PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND HOW WE TREAT YOUR PERSONAL INFORMATION AND WHAT CHOICES AND RIGHTS YOU HAVE IN THIS REGARD.  IF YOU DO NOT AGREE WITH THE TERMS AND CONDITIONS OF THIS POLICY, YOU SHOULD NOT ACCESS OR USE THE SERVICES.

Who is Responsible for your Personal Information?

TheraNest and its customers are responsible for implementing the applicable data protection principles and for safeguarding the personal information provided to us through our Services. In general, with respect to the Apps, the Telehealth Platform, and the Client Portal, TheraNest provides services as a business associate, as that term is defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and as a data processor, as that term is defined under the EU General Data Protection Regulation, 2016/679 (the “GDPR”).

If you are a user in the European Union (the “EU”) or the European Economic Area (the “EEA”), for purposes of the GDPR, TheraNest also acts as the data controller for the personal information we collect from you via the public portions of our Websites.  However, as noted above, TheraNest acts as the data processor with respect to the personal information provided to us via the Apps and the Client Portal. TheraNest’s customers act as the data controllers with respect to the personal information provided to us via the Apps and the Client Portal.  Questions regarding the data controller’s practices should be directed to the data controller.  THE TELEHEALTH PLATFORM IS ONLY INTENDED FOR USERS LOCATED IN THE UNITED STATES, AND IS NOT INTENDED FOR USERS LOCATED IN OTHER JURISDICTIONS, INCLUDING THE EU AND THE EEA.  BY USING THE TELEHEALTH PLATFORM YOU ACKNOWLEDGE AND AGREE THAT YOU ARE USING THE TELEHEALTH PLATFORM FROM, AND ONLY FOR VIDEO AND AUDIO CHAT SESSIONS WITH PERSONS WITHIN, THE UNITED STATES.

If you are a patient of a TheraNest customer and would no longer like to be contacted by that customer, please directly contact the customer/data controller with whom you interact (your health care provider).  If you contact or exchange information in person or through a means other than our Services, such activity is not covered by this Policy.

What information do we collect?

We may collect and process the following personal information from you for the purposes set forth below:

Category

Types of Data and Purpose

Contact Information

When you visit our Websites or use our Telehealth Platform or the Apps, including a free trial, we may ask you for your name, address, telephone number, email address, or other contact details in order to respond to your request or inquiry or to verify your identity.

TheraNest processes the contact information of a patient via the Client Portal and the Telehealth Platform at the direction of the health care provider/data controller.  The health care provider/data controller may direct a patient to complete intake paperwork via the Client Portal. The health care provider/data controller may contact a patient via SMS messages via the Apps.  TheraNest’s customers act as the data controllers with respect to the personal information provided to us via the Apps, the Telehealth Platform, and the Client Portal.  Questions regarding the data controller’s practices will be directed to the data controller.

Business Information

When you seek services from us in the course of contractual or customer relationships between you and/or your organization and us, we collect business contact information and other personal information in order to provide you with the services you have requested.

Location Information

When you use our Websites, the Apps, the Telehealth Platform, and the Client Portal, we collect information about your use of our Websites, the Apps, the Telehealth Platform, and the Client Portal, including your interaction with advertising and analytics services on the Websites, the Apps, the Telehealth Platform, and the Client Portal, in order to (a) serve you the content and functionality you request, and (b) maintain the privacy and security of the Services.  Location information collected includes your Internet Protocol (IP) address or unique device identifier.

Cookies

When you visit our Websites and the Telehealth Platform, we may collect cookies and use similar technologies to, among other things, provide you with a more personal and interactive experience on our Websites and the Telehealth Platform, to improve our marketing efforts, and for usage analytics purposes (e.g., page response times, download errors, length of visit, webpages visited, etc.).  If you choose to disable cookies and similar technologies, some areas and features of the Websites and the Telehealth Platform may not work properly.  We do not use cookies or similar technologies in the Apps or the Client Portal.

Automated Information

When you visit our Websites, the Apps, the Telehealth Platform, and the Client Portal, we automatically collect information from your browser or your mobile device, which includes your Internet Protocol (IP) address or unique device identifier, as well as cookies and data about which pages you visit, in order to allow us to operate and provide the Websites, the Apps, the Telehealth Platform, and the Client Portal.  This information is used to understand how you interact with the Websites, the Apps, the Telehealth Platform, and the Client Portal and to provide you with advertising and a more personalized experience. We do not use cookies or similar technologies in the Apps or the Client Portal.

Email Interconnectivity

If you receive email communications from us, we may use certain tools to capture data related to if/when you open our message, click on any links or banners it contains, and make purchases.  Other information collected through this email tracking feature includes: your email address, the date and time of your “click” on the email, a message number, the name of the list from which the number was sent, a tracking URL number, and a destination page.  We use this information to enhance our marketing efforts.  We do not sell or distribute this information to third parties.

Feedback / Support / Inquiries

If you provide us with feedback or contact us for support or to ask us questions, we will collect your name, email address, other contact information, and other information needed to respond to your feedback, provide the requested support, or to answer your question.

Mailing List/Newsletter

When you sign up for one of our mailing lists, we collect your contact information, including your email address.

Sensitive Personal Information

Patients: At the direction of the data controller, TheraNest processes sensitive personal information regarding a data controller’s patients, which may include: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, financial information, sex life or sexual orientation.  TheraNest’s customers act as the data controllers with respect to the personal information provided to us via the Apps, the Telehealth Platform, and the Client Portal.  Questions regarding the data controller’s practices will be directed to the data controller.

Information Received as Business Associate

Some of our US-based customers (such as healthcare providers) may be subject to laws and regulations governing the use and disclosure of the health information they create or receive, including the Health Insurance Portability and Accountability Act and the regulations adopted thereunder (HIPAA).  TheraNest will only use or disclose such information as permitted by the controlling business associate agreement or as otherwise permitted by law.  TheraNest limits access to “protected health information” in accordance with HIPAA. TheraNest’s workforce members are trained on the privacy and security requirements applicable to protected health information, and TheraNest’s “business associates” are required, pursuant to the terms of their agreements with us, to implement required safeguards.

Telehealth Platform

TheraNest receives the name and email address of each individual who utilizes the Telehealth Platform in order to provide the services requested and to verify the identities of the participants.  The duration of each treatment session on the Telehealth Platform is also recorded for billing purposes.  The Telehealth Platform incorporates technology provided by TokBox, and TokBox’s privacy policy is available at: https://tokbox.com/support/privacy-policy.

Messaging Services

The Apps permit TheraNest’s customers to send appointment reminders to their patients via SMS and voice messages.  To provide the messaging services as a part of the Apps, TheraNest receives individuals’ telephone numbers and sends messages as directed by the health care provider (TheraNest’s customer).  The messaging service portion of the Apps incorporates technology from Twilio, and Twilio’s privacy policy is available at: https://www.twilio.com/legal/privacy.

THE MESSAGING SERVICE FUNCTIONALITY WITHIN THE APPS IS ONLY INTENDED FOR PERSONS LOCATED IN THE UNITED STATES, AND IS NOT INTENDED FOR PERSONS LOCATED IN OTHER JURISDICTIONS, INCLUDING THE EU AND THE EEA.  BY SUBSCRIBING TO AND USING THE MESSAGING SERVICE, YOU ACKNOWLEDGE AND AGREE THAT YOU ARE USING THE MESSAGING SERVICE FROM, AND ONLY FOR PROVIDING APPOINTMENT REMINDERS TO PERSONS WITHIN, THE UNITED STATES.

Employment

If you apply for a job, or become an employee, we collect personal information necessary to process your application or employment.  This may include, among other things, your contact information, your social security number, employment history, etc. Online applications are submitted via www.workable.com, whose privacy policy is available at: www.workable.com/privacy.

Financial and Payment Information

If you choose to purchase Services from us, you will need to give personal information and authorization for us to obtain information from various credit services. We may collect your bank account and other data necessary to process payments, including credit card numbers, security codes, expiration dates, and other related billing information.  For example, you may need to provide the following information:

· Name
· Mailing address
· Email address
· Credit card number
· Home and business phone number

Please note that credit card numbers and account information are not stored on our server in order to ensure your security.

By submitting your payment card information, you expressly consent to the sharing of your information with third-party payment processors and other third-party services (including but not limited to vendors who provide fraud detection services to us and other third parties).  We do not store your payment information.

What do we use your information for?

When TheraNest is acting as a data processor, TheraNest collects and uses the types of personal information listed above in accordance with the instructions provided by the data controller.

When TheraNest is acting as a data controller and where the GDPR does not apply, TheraNest collects and uses the types of personal information listed above in an effort to improve your experience on the Websites, the Apps, the Telehealth Platform, and the Client Portal and to provide the Services to you.  Additionally, we may use your personal information in the following ways:

When TheraNest is acting as a data controller and where the GDPR does not apply, we may process your personal information in connection with any of the purposes and uses set out in this Policy on one or more of the following legal grounds:

We do not use your personal information for making any automated decisions affecting or creating profiles other than as described above.

We rely on your express opt-in consent (1) to send marketing communications; (2) for third-party data-sharing relating to advertising; and (3) for the use of cookies and similar technologies.

Finally, our Services allow our health care provider customers (who are the data controllers under the GDPR) to store personal information and health information about their patients.  Our Services also permit those health care providers to share all or certain portions of their or their patients’ information with third parties, including the patient, other health care providers, and third-party payors. TheraNest processes information as instructed by the health care provider/data controller.  We are not responsible for the actions of the health care provider/data controller, and any information that is provided to a health care provider/data controller will be subject to the terms of the agreement with that health care provider/data controller and not this Policy.

Do we disclose any information to outside parties?

When TheraNest is acting as a data controller and where the GDPR does not apply, we may share your personal information in the following contexts. When TheraNest is acting as a data processor or a business associate, disclosures in the following contexts will be limited in accordance with the instructions from the data controller or the terms of the business associate agreement:

Category

Disclosure Contexts

Subsidiaries and Acquisitions

We may share your personal information with our corporate parents, subsidiaries, and affiliates.  In addition, we may disclose your personal information in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our company assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our website users is among the assets transferred.  For example, if another company acquires TheraNest, we will share your personal information with that company.

Disclosures With Your Consent

We may ask if you would like us to share your personal information with other unaffiliated third parties who are not described elsewhere in this Policy.  We will only disclose your personal information in this context with your consent.

Disclosures Without Your Consent

We may disclose your personal information in response to subpoenas, warrants, court orders or other legal process, or to comply with relevant laws.  We may also share your personal information in order to establish or exercise our legal rights, to defend against a legal claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property or a violation of our Terms of Service (https://www.theranest.com/terms).

Directories

You may consent through account registrations to having your contact information shared with other account holders.

Third Parties, including your health care providers

We may provide personal information about you to third parties that offer products and services specifically requested by you.

Service Providers

We may share your personal information with our service providers.  Among other things, service providers may help us to administer the Websites, the Apps, the Telehealth Platform, and the Client Portal and support our provision of the Services requested by you; provide technical support; send marketing, promotions, and communications to you about our services; provide payment processing; and assist with other legitimate purposes permitted by law.

Aggregated Data

We may disclose aggregated information about our users, and information that does not identify any specific individual, such as groupings of demographic data and customer preferences, for new product and marketing development. When permitted, aggregated data is only created in accordance with HIPAA and any controlling business associate agreement.


How long do we store your personal information?

TheraNest will retain personal information as needed to fulfill the purposes for which it was collected.  We will retain and use personal information as long as necessary to comply with our business requirements and legal obligations, to resolve disputes, to protect our assets, to provide our services, and to enforce our agreements. We will retain personal information we process on behalf of our customers for as long as needed to provide services to our customers.

When we no longer have a purpose to retain personal information, we will securely destroy the personal information in accordance with applicable law and our policies. We take reasonable steps to delete the personal information we collect if your registration to use our Services lapses and you opt out of receiving further communications from us, or if you ask us to delete information, unless we determine that doing so would violate our existing, legitimate legal, regulatory, dispute resolution, contractual, or similar obligations.  We may retain and use anonymous and aggregated information for performance reporting, benchmarking, and analytic purposes and for product and service improvement. When permitted, aggregated and de-identified data is only created in accordance with HIPAA and any controlling business associate agreement.

Choices

If you no longer wish to receive communications from us via email, you may opt out by contacting us at info@theranest.com and providing the name of the service for which information was provided, your full name, mailing address, phone number and email address so that we may identify you in the opt-out process. Once we receive your instruction, we will promptly take corrective action.

How do we protect information?

TheraNest has put in place reasonable and appropriate administrative, technical, and security measures to protect personal information from being accidentally lost, used or accessed in an unauthorized manner, altered, or disclosed.  While our security measures seek to protect the integrity, availability, and confidentiality of your personal information in our possession, no security system is perfect and TheraNest cannot promise that your personal information will remain absolutely secure in all circumstances.

The safety and security of your personal information also depends on you. Where you use a password for access to the Apps, the Telehealth Platform, and the Client Portal, you are responsible for keeping the password confidential.  Do not share your password with anyone.

If a security breach causes an unauthorized intrusion into our Websites, Apps, Client Portal, or systems that compromises your data, we will notify you and any applicable regulator when we are required to do so by applicable law.

Updating Your Personal Information

If any of the personal information provided to us changes, please let us know.  For instance, if your email changes, you wish to cancel any request you have made of us, or if you become aware of inaccurate personal information about you, use our Contact Us details provided at the end of this Policy to update your information.  You may also edit your account details if you have a user account through our Websites, the Apps, the Telehealth Platform, or the Client Portal.

Requests regarding any information provided to a health care provider, who is a TheraNest customer, should be sent directly to the health care provider.

We are not responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.

Your Rights To Access And Control Your Personal Information

Please use the Contact Us details at the end of this Policy to exercise your rights and choices under this Policy.  If you would like to manage, change, limit or delete your personal information or you no longer want to receive any email, postal mail, or telephone contact from us or our affiliates in the future, such requests may be submitted via the Contact Us details at the end of this Policy.  Requests regarding any information provided to a health care provider who is a TheraNest customer should be sent directly to the health care provider.

Right of Access.  If required by law (e.g., under the GDPR), upon request, we will grant reasonable access to the personal information that we hold about you. An individual who seeks access under the GDPR to their personal information provided to a health care provider who is a TheraNest customer should send their request directly to the health care provider (TheraNest’s customer), who is the data controller. An individual who seeks to access or amend their “protected health information” under HIPAA should direct such inquiries to his or her health care provider (TheraNest’s customer). 

Accuracy.  Our goal is to keep your personal information accurate, current and complete.  Please contact us if you believe your information is not accurate or changes.  Requests regarding any information provided to a health care provider who is a TheraNest customer should be sent directly to the health care provider.

Right to Object. In certain circumstances, as permitted under applicable law, you have the right to object to processing of your personal information and to ask us to erase or restrict our use of your personal information.  If you would like us to stop using your personal information, please contact us, and we will let you know if we are able to agree to your request. Requests regarding any information provided to a health care provider who is a TheraNest customer should be sent directly to the health care provider.

Right to Erasure and Deletion of Your Personal Information. You may have a legal right (for instance, if you are located in the EU or EEA under the GDPR) to request that we delete your personal information when it is no longer necessary for the purposes for which it was collected, or when, among other things, your personal information has been unlawfully processed.  All deletion requests made to TheraNest should be sent to the address noted in the Contact Us section of this Policy.  However, requests regarding any information provided to a health care provider who is a TheraNest customer should be sent directly to the health care provider.

We may decide to delete your personal information if we believe it is incomplete, inaccurate or that our continued storage of your personal information is contrary to our legal obligations or business objectives.  When we delete personal information, it will be removed from our active servers and databases and our Websites, the Apps, the Telehealth Platform, and the Client Portal, but it may remain in our archives when it is not practical or possible to delete it.  We may also retain your personal information as needed to comply with our legal obligations, resolve disputes, or enforce any agreements.

Right to Withdraw Consent.  If you have provided your consent to the collection, processing and transfer of your personal information, you have the right to fully or partially withdraw your consent.  To withdraw your consent, please notify us using the information in the Contact Us section of this Policy and you may follow opt-out links on any marketing communications sent to you.  However, requests regarding any information provided to a health care provider who is a TheraNest customer should be sent directly to the health care provider.

Once we have received notice that you have withdrawn your consent, in whole or in part, we will no longer process your information for the purpose(s) to which you originally consented and have since withdrawn unless there are compelling legitimate grounds for further processing that override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. 

Withdrawal of consent to receive marketing communications will not affect the processing of personal information for the provision of our services.

Right to Complain. If you believe that your rights relating to your personal information have been violated, you have a right to lodge a complaint with the applicable enforcement authority, or to seek a remedy through the courts.  You may also lodge a complaint with us by contacting us using the information provided in the Contact Us section of this Policy. You may also lodge a complaint directly with your health care provider regarding any information provided to the health care provider.

Online Tracking.  We do not currently recognize browser settings or signals of tracking preferences, which may include “Do Not Track” instructions.  “Do Not Track” is a web browser setting that seeks to disable the tracking of individual users’ browsing activities.  It is a standard that is currently under development. As it is not yet finalized, we adhere to the standards set out in this Policy and do not currently respond to “Do Not Track” signals on our Websites, the Telehealth Platform, the Apps, the Client Portal, or on third-party websites or online services where we may collect information.

California Residents. California residents may be entitled under California Civil Code Section 1798.83 to ask us for a notice describing what categories of personal information (if any) we share with third parties or affiliates for those parties to use for direct marketing.  If you are a California resident and would like a copy of such notice, please submit a written request to us using the information in the “Contact Us” section of this Policy. Because we value your privacy we have taken the necessary precautions to be in compliance with the California Online Privacy Protection Act. We therefore will not distribute your personal information to outside parties without your consent.  As part of the California Online Privacy Protection Act, customers may make any changes to their information at any time by logging into TheraNest and going to the 'Manage Profile' page.

European Union or European Economic Area Residents.  If you are located in the EU or EEA and believe we have not processed your personal information in accordance with applicable provisions of the EU GDPR, you may lodge a complaint with your local data protection or supervisory authority.

Cross Border Transfers of Personal Information

TheraNest is located and established in the United States and, therefore, your personal information may be transferred to, stored or processed in the United States.  While the data protection, privacy and other laws of the United States might not be as comprehensive as those in your country, we take necessary and appropriate steps to protect the privacy and security of your personal information.  By using our Websites, the Apps, and the Client Portal or by requesting other services from us, you understand and consent to the collection, storage, processing and transfer of your information to our facilities in the United States and those third parties with whom we share it as described in this Policy.

THE TELEHEALTH PLATFORM IS ONLY INTENDED FOR PERSONS LOCATED IN THE UNITED STATES, AND IS NOT INTENDED FOR PERSONS LOCATED IN OTHER JURISDICTIONS, INCLUDING THE EU AND THE EEA.  BY USING THE TELEHEALTH PLATFORM YOU ACKNOWLEDGE AND AGREE THAT YOU ARE USING THE TELEHEALTH PLATFORM FROM THE UNITED STATES.

Residents of the EU / EEA. When storing, hosting, or otherwise processing your information (including personal data), we may send such data outside of the European Union (EU) and the European Economic Area (EEA). When we transfer information to the United States or other countries, we do so for the purposes set forth in this Privacy Policy and in accordance with applicable law.  We rely on recognized legal bases to lawfully conduct cross-border/international transfers of personal information outside of the EU and EEA, such as your express informed consent to do so (as noted above), when transfer is necessary for us to deliver services pursuant to an agreement between us and you, or when the transfer is subject to safeguards that assure the protection of your personal information, such as the European Commission’s approved standard contractual clauses.

Links to Other Sites

The Websites may contain links to, and media and other content from, third party websites.  These links are to external websites and third parties with which we have no relationship.  Because of the dynamic media capabilities of the Websites, it may not be clear to you which links are to the Websites and which are to external, third party websites.  If you click on an embedded third-party link, you will be redirected away from the Websites to the external third-party website.  You can check the URL to confirm that you have left our Websites. 

TheraNest cannot and does not (i) guarantee the adequacy of the privacy and security practices employed by, or the content and media provided by, any third parties or their websites, (ii) control third parties’ independent collection or use of your personal information, or (iii) endorse any third party information, products, services, or websites that may be reached through embedded links on the Websites.

Any personal information provided by you or automatically collected from you by a third party will be governed by that party’s privacy policy and terms of use.  If you are unsure whether a website is controlled, affiliated, or managed by us, you should review the privacy policy and practices applicable to each linked website.

Children’s Online Privacy Protection Act Compliance

The Children's Online Privacy Protection Act (“COPPA”), as well as other data privacy regulations, restrict the collection, use, or disclosure of personal information from and about children on the internet.  Our Websites, the Apps, the Client Portal, and the services we provide are not directed to children aged 18 or younger, nor is information knowingly collected from children under the age of 18.  No one under the age of 18 may access, browse, or use the Websites, the Apps, or the Client Portal, or provide any information to or on the Websites, the Apps, or the Client Portal.  If you are under 18, please do not use or provide any information on the Websites, the Apps, or the Client Portal.  If we learn that we have collected or received personal information from a child under the age of 18 without a parent's or legal guardian's consent, we will take steps to stop collecting that information and delete it.

For more information about COPPA, please visit the Federal Trade Commission’s website at: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule.

Online Privacy Policy Only

This online privacy policy applies only to information collected through our Websites, the Apps, the Telehealth Platform, and the Client Portal and not to information collected offline.

Terms and Conditions

Please also visit our Terms and Conditions section establishing the use, disclaimers, and limitations of liability governing the use of our Websites, the Apps, the Telehealth Platform, and the Client Portal at https://www.theranest.com/terms.  

Changes to our Privacy Policy

We reserve the right to update and change this Policy from time to time in order to reflect any changes to the way in which we treat personal information or in response to changes in law.  Should the Privacy Policy change, we will post all changes we make to this Policy on this page.  If we make material changes to how we treat your personal information, we will also notify you through a notice posted prominently on the home page of our website for a reasonable period of time.  The date on which this Policy was last revised is identified at the top of this Policy.

Contacting Us

For more information, or if you (a) have questions or concerns regarding TheraNest’s Privacy Policy, (b) wish to access personal information we hold about you, (c) believe the personal information we have about you is incorrect, or (d) wish to lodge a complaint with us about how we have handled your personal information, you may email us at the address provided below or you can send correspondence to the following address, and we will do our best to assist you.

TheraNest

Attn: Privacy Officer

1500 1st Avenue North, Suite L135
Birmingham, AL 35203
Email: info@theranest.com

Questions regarding information provided to a health care provider who is a TheraNest customer should be sent directly to the health care provider.