Information We Collect
We collect information that you provide directly, information generated through your use of our platform, and information from third parties. The categories below describe what we collect and why.
Personal Information
When you create an account or use our services, we collect identifying information such as your name, email address, phone number, professional license number, credentials, organization name, and billing information. For patients, we also collect contact details, emergency contact information, and insurance data as provided by your therapy provider.
Health and Clinical Information
As a healthcare platform, we process protected health information (PHI) on behalf of our covered entity customers. This includes clinical notes, SOAP documentation, treatment plans, outcome measures, progress reports, voice recordings from sessions, patient-reported outcomes, imaging or exercise attachments, and care coordination communications. We do not use PHI for our own purposes. We only process it as directed by our customers under applicable Business Associate Agreements.
Usage and Technical Data
We automatically collect information about how you interact with HaloPT, including pages visited, features used, session duration, device type, operating system, browser information, IP address, and diagnostic data. We also collect performance metrics and error logs to maintain platform reliability and security.
How We Use Information
We use the information we collect for the following purposes:
Service Delivery
Providing, maintaining, and improving our platform. Processing clinical documentation. Enabling secure messaging between therapists, patients, and referring physicians. Generating AI-assisted SOAP drafts from voice recordings.
Communication
Sending service updates, appointment reminders, care coordination notifications, and support responses. We do not send marketing communications to patient users without explicit consent.
Platform Improvement
Analyzing usage patterns to improve user experience, training our AI models for more accurate clinical documentation (using only de-identified data), and developing new features based on therapist and patient needs.
Security and Compliance
Monitoring for unauthorized access, enforcing our terms of service, maintaining audit trails, and complying with legal obligations including HIPAA and state privacy laws.
Billing and Operations
Processing payments, managing subscriptions, generating practice analytics for our customers, and supporting our business operations.
Information Sharing
We are transparent about who we share information with and under what circumstances.
We Do Not Sell Your Information
HaloPT does not sell, rent, or trade your personal information or protected health information to any third party for monetary or other consideration. This is a firm commitment, not a conditional policy.
Service Providers
We work with trusted third-party service providers who help us operate our platform, including cloud infrastructure providers, payment processors, email delivery services, and customer support tools. Each provider is bound by contractual obligations that require them to protect your information and use it only for the specific services they provide to us. All service providers who handle PHI sign Business Associate Agreements.
Legal Requirements
We may disclose information when required by law, regulation, legal process, or enforceable governmental request. This includes responding to court orders, subpoenas, or regulatory investigations. We may also disclose information to protect the rights, property, or safety of HaloPT, our users, or the public when we believe disclosure is appropriate in good faith.
With Your Consent
We may share information with your explicit consent for purposes not described in this policy. You may withdraw consent at any time by contacting us directly.
Data Security
We implement industry-standard security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security framework includes:
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Voice recordings and clinical documents receive additional encryption layers.
Access Controls
Role-based access control (RBAC) ensures users can only access information necessary for their role. Multi-factor authentication is required for all therapist and administrator accounts.
Audit Logging
Every access to protected health information is logged with immutable audit trails. We record who accessed what, when, and from where. These logs are retained in accordance with HIPAA requirements and are available to our customers for their own compliance activities.
Infrastructure Security
Our infrastructure is hosted on AWS with SOC 2 Type II certified data centers. We conduct regular penetration testing, vulnerability assessments, and security audits.
Incident Response
We maintain a documented incident response plan and will notify affected customers within 24 hours of any confirmed security incident involving their data.
HIPAA Compliance
HaloPT is designed and operated to support our customers' compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Business Associate Agreements
When our customers are covered entities under HIPAA, we execute a Business Associate Agreement (BAA) that defines our responsibilities as a business associate. The BAA is included automatically for all Professional and Enterprise plans. Customers on the Essential plan may request a BAA by contacting our compliance team.
Protection of PHI
We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule. Our platform supports our customers in meeting the HIPAA Privacy Rule requirements, including minimum necessary access, patient authorization management, and accounting of disclosures.
Patient Rights
Our platform enables covered entity customers to fulfill patient rights under HIPAA, including the right to access their health information, request amendments, receive an accounting of disclosures, and request restrictions on uses and disclosures. While HaloPT provides the tools to support these rights, the covered entity customer remains responsible for responding to patient requests within the timelines required by law.
Breach Notification
In the event of a breach of unsecured PHI, we will notify affected customers without unreasonable delay and no later than 24 hours after discovery, in accordance with the HIPAA Breach Notification Rule. We will provide all information necessary for our customers to meet their own notification obligations.
Your Rights
Depending on your jurisdiction and role within our platform, you may have the following rights regarding your personal information:
Right to Access
You may request a copy of the personal information we hold about you. We will respond within 30 days. For PHI, requests should be directed through your covered entity provider.
Right to Correction
If you believe the information we hold about you is inaccurate or incomplete, you may request correction. We will review and respond within 30 days.
Right to Deletion
You may request deletion of your personal information. We will comply unless the information is needed for legal obligations, dispute resolution, or enforcement of our agreements. Clinical records are retained according to applicable medical record retention laws.
Right to Portability
You may request a portable, machine-readable copy of your data in a commonly used format such as CSV or JSON. This applies to your account data and, for patients, your health records through your therapy provider.
Right to Opt Out
You may opt out of marketing communications at any time using the unsubscribe link in our emails. You may also restrict certain cookies through your browser settings.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. Your access to our services will not be affected.
To exercise any of these rights, contact us at privacy@halopt.com. We will verify your identity before processing your request.
Children's Privacy
HaloPT is not directed to children under the age of 18. We do not knowingly collect personal information from children under 18 without verifiable parental consent.
In cases where a healthcare provider collects health information for a minor patient through our platform, the provider (as the covered entity) is responsible for obtaining appropriate parental or guardian consent in accordance with HIPAA and applicable state laws. Our platform supports configurable consent workflows for our customers.
If we learn that we have collected personal information from a child under 18 without proper consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@halopt.com.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy.
- Notify our active users via email or in-app notification at least 30 days before material changes take effect.
- Post the updated policy on our website with a clear summary of material changes.
Your continued use of HaloPT after the effective date of an updated policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.
Contact Us
If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your rights, please contact us:
HaloPT, Inc.
Privacy Team
Email: privacy@halopt.com
Address: HaloPT, Inc., Attn: Privacy Officer
We aim to respond to all privacy-related inquiries within 5 business days.