Last Updated: July, 2025
1. Introduction
This Privacy Policy explains how Basil Therapy, Inc. d.b.a TheraDriver ("TheraDriver," "we," "us," or "our") collects, uses, discloses, and safeguards your information, including Personal Information and Protected Health Information (PHI), when you use the TheraDriver Platform (the “Platform”) through TheraDriver’s website at https://www.theradriver.ai/ (the “Website”) or TheraDriver’s mobile application (the “App”). Basil Therapy, Inc. is a healthcare technology company that offers software solutions to support behavioral health providers. The Company provides a platform that facilitates treatment planning, patient engagement, and data-driven clinical workflows. Basil Therapy serves enterprise healthcare customers and integrates with third-party electronic health record (EHR) systems to streamline provider operations.
As a Business Associate, we are committed to maintaining the privacy and security of your personal information and PHI in accordance with all applicable legal requirements, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable U.S. federal and state laws, the Lei Geral de Proteção de Dados (LGPD) of Brazil, and the Personal Information Protection and Electronics Document Act of 2000 (PIPEDA) of Canada.
Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. By accessing or using our Website, App, and Platform, you agree to accept all the terms contained in this Privacy Policy and acknowledge and agree with the practices described herein. If you do not agree with the terms of this Privacy Policy, please do not access and use our Website, App, and Platform.
We will post any changes to this Privacy Policy in a notice of the change at the bottom of our web page with a hyperlink thereto. We will also send you an email describing such changes. Please regularly review this Privacy Policy. Notwithstanding, if you continue to use our services, you are bound by any changes that we make to this Privacy Policy.
2. Definitions
- "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including but not limited to the categories of information described in Section 3 below.
- "Sensitive Personal Information" means a subset of Personal Information that includes a consumer's social security number, driver's license number, financial account information, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail/email/text messages, genetic data, biometric information, health information, and sexual orientation.
- "Protected Health Information" or "PHI" means individually identifiable health information that is transmitted or maintained in any form or medium by a Covered Entity or Business Associate, including demographic information collected from an individual, that: (i) Relates to the past, present, or future physical or mental health or condition of an individual; (ii) Relates to the provision of health care to an individual; (iii) Relates to the past, present, or future payment for the provision of health care to an individual; and (iv) Identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. PHI includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.
- "Covered Entity" means a health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted standards.
- "Business Associate" means a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity.
- "Personal Data" (for EU/EEA residents) means any information that identifies you as an individual, such as name, address, email address, IP address, phone number, business address, business title, business email address, company, etc.
- "Personal Information" (for Canadian users) means any information about an identifiable individual, whatever may be the physical form or characteristics of a particular regime for "business contact information" (name, position, title, address, professional phone number, etc.).
3. What Information Do We Collect?
We collect the following categories of Personal Information, some of which may also be considered Sensitive Personal Information or PHI:
- Identifiers: Full name, maiden name, aliases, postal address, email address, telephone numbers, Social Security number, driver's license number, passport number, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, device identifiers, IP addresses, online identifiers, cookies, beacons, pixel tags, mobile ad identifiers.
- Personal Information Categories Listed in the California Customer Records Statute: Financial information (e.g., bank account numbers, credit card numbers, insurance information), medical information (e.g., diagnoses, treatment information, medication history), health insurance information (e.g., policy numbers, subscriber information), physical characteristics or description, signature. (Note: We currently do not collect or store any credit card or bank information, as we are using a third-party payment processor. We will update this Privacy Policy when we start using and storing such information.)
- Protected Classifications Under California or Federal Law: Age, race, color, ancestry, national origin, religion, creed, sex (including gender, gender identity, gender expression), medical condition, physical or mental disability, genetic information, marital status, sexual orientation, veteran or military status.
- Commercial Information: Products or services purchased, obtained, or considered, purchasing or consuming histories or tendencies, service utilization records.
- Biometric Information: Fingerprints, retina scans, facial recognition data, voice recordings and recognition data, health or exercise data.
- Internet or Other Electronic Network Activity Information: Browsing history, search history, information regarding a consumer's interaction with our website, application, or advertisement, access logs and usage data.
- Geolocation Data: Precise physical location or movements, travel history.
- Sensory Data: Audio, electronic, visual, thermal, olfactory, or similar information, photographs, and video recordings.
- Professional or Employment-Related Information: Current or past job history, performance evaluations, professional certifications, licenses.
- Education Information: Education records directly related to a student maintained by an educational institution, academic transcripts, degrees, certifications.
- Inferences Drawn from Other Personal Information: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes, health assessment information.
- Business Contact Information: Name, Business Address, Business Email Address, Business Telephone Number, IP Address, Business Title, Employer.
We collect this information through various sources, including:
- Direct interactions with you (e.g., when you register for our services, fill out forms, or communicate with us).
- Healthcare providers, insurance companies, and other entities involved in your healthcare.
- Automated technologies or interactions (e.g., cookies, server logs, web beacons), when you navigate through our Website, App, or Platform.
- Through mobile and desktop applications you download from our Website, App, or Platform, which provide dedicated non-browser-based interaction.
- When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include a link to this Privacy Policy.
- From you placing an order, which includes details of transactions you carry out on our Website, App, or Platform.
- When you subscribe to a newsletter.
- From your responses to a survey.
- From search queries on our Website, App, or Platform.
- When you post information to be published or displayed on our Website, App, or Platform.
- Third parties (e.g., business partners, subcontractors, service providers).
Our data mapping and inventory processes have identified these specific types of PHI and other personal information that we collect and handle, and we maintain a comprehensive record of data flows to ensure compliance with applicable laws.
4. How We Use Your Information
We use your Personal Information, including Sensitive Personal Information and PHI, for the following purposes:
4.1 Treatment, Payment, and Healthcare Operations
- Providing, coordinating, and managing your healthcare and related services.
- Obtaining payment for services provided to you.
- Conducting quality assessment and improvement activities.
- Reviewing the competence or qualifications of healthcare professionals.
- Conducting training programs for healthcare professionals.
- Conducting or arranging for medical review, legal services, and auditing functions.
- Business planning and development, business management, and general administrative activities.
4.2 Service Provision and Improvement
- Personalize your experience in using our Platform.
- Provide you with information, products, or services requested from us.
- Present our Website, App, and Platform and their contents to you.
- Providing, maintaining, and improving our products and services.
- Processing and fulfilling your requests, orders, and transactions.
- Developing new products, services, features, and functionality.
- Allow you to participate in interactive features on our Website, App, and Platform.
- Improve the Website, App, and Platform.
- Improve our customer service.
- Administer contests, promotions, and surveys or other Website, App, and Platform features.
- Anonymize data and aggregate data for statistics.
4.3 Communication
- Communicating with you about our products, services, and promotions.
- Providing you with notices about account and/or subscription, including expiration and renewal notices.
- Notifying you about changes to our Website, App, and Platform and any products or services.
- Responding to your inquiries, comments, and requests.
- Providing customer service and support.
- Sending administrative information, such as changes to our terms, conditions, and policies.
- Sending you periodic emails, in accordance with the CAN-SPAM Act of 2003 as detailed in Section 14, via the email address provided by you to (i) send information, respond to inquiries, and/or other requests or questions; (ii) process orders and send information and updates pertaining to such orders; (iii) send additional information related to your product and/or service; and (iv) market to our mailing list or continue to send email to you after the original transaction has occurred.
4.4 Security and Compliance
- Preventing and detecting security incidents.
- Protecting against malicious, deceptive, fraudulent, or illegal activity.
- Prosecuting those responsible for harmful activities.
- Debugging to identify and repair errors that impair existing functionality.
- Verifying your identity and preventing fraud.
- Complying with our legal and regulatory obligations, including HIPAA, GDPR, and CCPA/CPRA requirements.
- Carry out obligations and enforce rights arising from contracts entered into between you and us, including billing and collection.
4.5 Research and Analytics
- Undertaking internal research for technological development and demonstration.
- Creating aggregated, de-identified or anonymized data for analytics purposes.
- Measuring the effectiveness of our services and marketing efforts.
4.6 Other Purposes
- Contact you for other purposes with your consent.
- Contact you about our products and services that may be of interest.
- Contact you about third parties’ goods and services.
- Enable the display of advertisements to our advertisers’ target audiences, although personal information is not shared with advertisers without your consent.
- Other purposes as described to you at the time of collection.
- Purposes compatible with the context in which the Personal Information was collected.
- Purposes for which we have obtained your consent.
5. Our Cookie Policy
Cookies are small pieces of text used to store information on web browsers. Cookies are used to store and receive identifiers and other information on computers, phones, and other devices. Other technologies, including data we store on your web browser or device, identifiers associated with your device, and other software, are used for similar purposes. In this Privacy Policy, we refer to all of these technologies as “Cookies.”
We use Cookies on our Website and App to (a) help remember and process items in the shopping cart, (b) understand and save your preferences for future visits, (c) keep track of advertisements, (d) compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future, and (e) allow trusted third-party services that track this information on our behalf.
You can set your browser to refuse all or some browser Cookies, but it may affect your user experience. We honor Do Not Track signals and, if one is in place, we will not track, plant cookies, or use advertising.
We allow third party behavioral tracking and links to third-party web pages. Occasionally, at our discretion, we may include or offer third-party products or services on our Website, App, or Platform. These third-party sites have separate and independent privacy policies. We, therefore, have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our Website, App, or Platform and welcome any feedback about these sites.
Google AdSense and Google Analytics
Google, as a third-party vendor, uses Cookies to serve advertisements to Users on our Website, App, and Platform. Google uses first-party Cookies, such as Google Analytics Cookies, to compile data regarding User interactions with ad impressions and other ad service functions as they relate to our Platform. We currently use Google Analytics to collect and process certain Website and App usage data. To learn more about Google Analytics and how to opt out, please visit https://policies.google.com/privacy/google-partners.
We have implemented advertising features on our Website, App, and Platform including: (a) remarketing with Google AdSense; (b) Google Display Network Impression Reporting; (c) Google Demographics and Interests Reporting; and (d) Google’s DoubleClick platform integration.
We use these Cookies to compile data regarding User interactions with ad impressions and other ad service functions as they relate to our Website or App.
6. How We Protect Information We Collect & Data Security Measures
As a [HIPAA Covered Entity/Business Associate], we implement comprehensive administrative, technical, and physical safeguards to protect your Personal Information, including PHI, from unauthorized access, use, or disclosure.
6.1 Administrative Safeguards
- Designation of a Privacy Officer and Security Officer responsible for the development and implementation of our privacy and security policies and procedures.
- Regular risk assessments and management programs.
- Workforce security clearance procedures, training, and management.
- Information access management.
- Security incident procedures.
- Contingency planning.
- Regular evaluations of our security program.
6.2 Physical Safeguards
- Facility access controls.
- Workstation use and security policies.
- Device and media controls, including disposal procedures.
- Physical security measures such as locked doors, security cameras, and visitor management.
6.3 Technical Safeguards
- Access controls, including unique user identification, automatic logoff, and encryption.
- Audit controls to record and examine activity.
- Integrity controls to prevent improper alteration or destruction of PHI.
- Transmission security measures, including encryption of data in transit.
- Authentication protocols to verify that the person seeking access is authorized.
- Intrusion detection and prevention systems.
- Regular security updates and patches.
- Vulnerability scanning and penetration testing.
Our Website and App are regularly scanned to meet or exceed PCI Compliance and receive regular security scans, penetration tests, and malware scans. In addition, our Website and App use an SSL certificate as an added security measure. We require usernames and passwords for our employees who can access your personal information that we store and/or process on our Platform and servers. In addition, we actively prevent third parties from getting access to your personal information that we store and/or process on our Platform and servers.
We accept payment by credit card through a third-party credit card processor acting on our behalf. We will implement reasonable security measures every time you (a) place an order, (b) enter, submit, or access your information, (c) register, or (d) access our Platform, on our Website and App.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, App, or Platform, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website, App, or Platform. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on our Website, App, or Platform.
In the event of a personal data breach, we will notify you within fifteen (15) days via (i) email and/or (ii) our Platform notification system on our Website and/or App. We agree to the individual redress principle, which requires that individuals have a right to pursue legally enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or a government agency to investigate and/or prosecute non-compliance by data processors.
7. Disclosure of Personal Information
We do not sell your personal information, nor do we intend to do so. We do not give access to your personal information to third parties except to subprocessors to assist us in the provision of our services to you. We do not sell, trade, rent, or otherwise transfer personal information to others, unless we provide you with advance notice. This does not include our hosting partners and other parties who assist us in operating our Website, App, or Platform, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We do not provide non-personally identifiable visitor information for marketing purposes.
There are times when we may share Personal Information that you have shared with us to enable us to provide you our Services, including contractors, service providers, and third parties (“Partners”). We will ensure that our Partners protect your Personal Information.
We may disclose your Personal Information, including Sensitive Personal Information and PHI, to the following categories of third parties:
7.1 Healthcare Providers and Partners
- Healthcare providers directly involved in your care.
- Health plans and insurance companies for payment purposes.
- Healthcare clearinghouses that process healthcare transactions.
- Other covered entities for treatment, payment, or healthcare operations purposes.
7.2 Service Providers and Business Associates
- IT and system maintenance providers.
- Data analytics providers.
- Payment processors and financial institutions.
- Customer service and support providers.
- Professional advisers, including lawyers, auditors, and insurers.
For all service providers who handle PHI on our behalf, we have entered into HIPAA-compliant Business Associate Agreements (BAAs) that:
- Establish the permitted and required uses and disclosures of PHI.
- Prohibit the Business Associate from using or disclosing PHI other than as permitted or required by the BAA or as required by law.
- Require appropriate safeguards to prevent unauthorized use or disclosure of PHI.
- Require reporting of any unauthorized use or disclosure, security incident, or breach of PHI.
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions.
- Make PHI available for access, amendment, and accounting of disclosures as required by HIPAA.
- Return or destroy all PHI at the termination of the agreement when feasible.
We maintain an inventory of all BAAs and conduct regular audits to ensure our Business Associates comply with their obligations under these agreements.
We may disclose aggregated, de-personalized information about you that does not identify any individual to other parties without restriction, such as for marketing, advertising, or other uses. We may disclose personal information to our subsidiaries and affiliates. We may disclose personal information to contractors, service providers, and other third parties. We require all contractors, service providers, and other third parties to whom we disclose your personal information to be under contractual obligations to keep personal information confidential and to use it only for the purposes for which we disclose it.
7.3 Legal and Regulatory Authorities
- Law enforcement agencies when required by applicable law.
- Regulatory bodies and government agencies for compliance purposes.
- Courts and other legal authorities in response to lawful requests.
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- To enforce or apply our Terms of Use or Terms of Service and other agreements, including for billing and collection purposes.
- If we believe it is necessary or appropriate to protect the rights, property, or safety of TheraDriver, our customers, or others; this includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
7.4 Corporate Transactions
- Actual or potential buyers (and their agents and advisers) in connection with any actual or proposed purchase, merger, or acquisition of any part of our business.
- Other third parties as part of a corporate transaction, such as a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock.
7.5 Other Third Parties
- With your consent or at your direction.
- To protect our rights, privacy, safety, or property, or that of our customers or others.
- To enforce our terms and conditions.
- To investigate and address fraud or illegal activity.
- To market their products and services to you if you have either consented or not opted out of these disclosures.
- We require all other Partners, to whom we disclose your personal information, to enter into contracts with us to keep personal information confidential and use it only for the purposes for which we disclose it to such Partners.
- To fulfill the purpose for which you have provided it, for instance, if you gave us an email address to use the “email a friend” feature of the Platform.
- For any other purpose for which you have provided it.
- As described in this Privacy Policy or your consent.
We maintain detailed records of all disclosures of PHI as required by HIPAA, including the date of disclosure, the name of the entity or person who received the PHI, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure.
Choices Users Have About How TheraDriver Uses and Discloses Information
- Tracking Technologies and Advertising: You can set your browser to refuse some or all browser cookies, but if you disable or refuse cookies, some parts of our Website may not be accessible or function properly.
- Disclosure of Users’ Information for Third-Party Advertising: Users can opt-out by (i) checking the relevant form when we collect the data; (ii) logging into the Website, App, or Platform and adjusting their preferences in their account profile by checking or unchecking the relevant boxes, or (iii) emailing us their opt-out request at privacy@theradriver.com. Users receiving promotional email can opt-out by sending a return email requesting to be omitted from future promotional email distributions. This opt-out will not apply to information provided by TheraDriver for product purchases, warranty registration, or other transactions.
- Disclosure of User’s Information for Targeted Advertising: Users can opt-out by (i) checking the relevant form when we collect the data, (ii) logging into the Website, App, or Platform and adjusting their preferences in their account profile by checking or unchecking the relevant boxes, or (iii) emailing us their opt-out request at privacy@theradriver.com.
8. Your Privacy Rights
You have the following rights with respect to your Personal Information, including your PHI:
8.1 HIPAA Rights
- Right to Access: You have the right to inspect and obtain a copy of your PHI that we maintain in designated record sets, subject to certain exceptions.
- Right to Amendment: You have the right to request that we amend your PHI if you believe it is incorrect or incomplete.
- Right to an Accounting of Disclosures: You have the right to request an accounting of certain disclosures of your PHI that we have made.
- Right to Request Restrictions: You have the right to request restrictions on certain uses and disclosures of your PHI, including disclosures to family members or others involved in your care.
- Right to Request Confidential Communications: You have the right to request that we communicate with you about medical matters in a certain way or at a certain location.
- Right to Receive Notice of a Breach: You have the right to be notified if we or one of our Business Associates discovers a breach of unsecured PHI.
- Right to a Paper Copy of the Notice of Privacy Practices: You have the right to receive a paper copy of our Notice of Privacy Practices upon request.
8.2 CCPA/CPRA Rights (California Residents)
- Right to Know: Upon request, we will provide you with (i) a list of all Personal Information that we have collected on you, (ii) from whom we obtained such Personal Information, (iii) the reason why we collected such Personal Information, and (iv) with whom (if any) we have shared such Personal Information. If we sell your Personal Information or disclose your Personal Information to third parties, upon request, we will provide you with (i) a list of the Personal Information that we have collected on you, (ii) a list of the Personal Information that we sell or disclose to others on you, and (iii) to whom we have sold or disclosed your Personal Information. A consumer can make such a request only twice in a 12-month period.
- Right to Delete: You have the right to request that we delete Personal Information that we have collected from you, subject to certain exceptions. If we delete your Personal Information as requested, we will no longer be able to provide our services to you and we may need to keep such Personal Information for a while during the shutting down and billing process.
- Right to Correct: You have the right to request that we correct inaccurate Personal Information that we maintain about you.
- Right to Opt-Out of Sale or Sharing: You have the right to opt-out of the sale or sharing of your Personal Information. Upon your request, we will stop selling your Personal Information (sometimes called your Opt Out Right). You may send the request to Opt Out (i) to privacy@theradriver.com, (ii) by phone at our toll-free number [TOLL-FREE NUMBER], or (iii) by writing to us at Privacy Officer, 1 Bluxome Street Apt 411 San Francisco, CA 94107. We will not sell your Personal Information if you are under the age of 16 unless we have the consent of your parent or your guardian nor will we sell it if you ask us not to do so.
- Right to Limit Use and Disclosure of Sensitive Personal Information: You have the right to limit the use and disclosure of your Sensitive Personal Information to certain permitted purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. Unless permitted by the CCPA, we will not: Deny you goods or services; Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; Provide you a different level or quality of goods or services; Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services. However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.
8.3 GDPR Rights (EU/EEA Residents)
- Right to Access: You have the right to obtain confirmation as to whether we process your Personal Information and, if so, access to that Personal Information. You can request more information about the Personal Information we hold about you. You can also request a copy of the Personal Information.
- Right to Rectification: You have the right to have inaccurate Personal Information corrected and incomplete Personal Information completed. If you believe that any Personal Information we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. Please contact us as soon as possible upon noticing any such inaccuracy or incompleteness.
- Right to Erasure: You have the right to have your Personal Information erased in certain circumstances. You can request that we erase some or all of your Personal Information from our systems.
- Right to Restriction of Processing: You have the right to restrict the processing of your Personal Information in certain circumstances. You can ask us to restrict further processing of your Personal Information.
- Right to Data Portability: You have the right to receive your Personal Information in a structured, commonly used, and machine-readable format and to transmit that data to another controller. You can also request that we transmit the data to another entity where technically feasible.
- Right to Object: You have the right to object to the collection or use of your Personal Information for certain purposes. You have the right to object to the processing of your Personal Information in certain circumstances.
- Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.
- Right to Withdraw Consent: If we are processing your Personal Information based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, it may limit your ability to use some or all of our Services or Platform, and you may then have to provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Information, if such use or disclosure is necessary to enable you to utilize some or all of our Services and Platform.
- Right to File Complaint: You have the right to lodge a complaint about our practices with respect to your Personal Information with the supervisory authority of your country or EU Member State. Please go to https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm to locate your Data Protection Authority in the EU. You may contact the UK’s Information Commissioner at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.
8.4 Canadian Users' Rights
- Right to Access Personal Information: You can request access to the personal information we hold about you. We will first confirm whether you have requested such information, explain how we have used your information, provide a list of the names with whom your information has been shared, and provide a copy of your information in an accessible format, making alternative formats available if requested.
- Right to Correction/Limited Right to Deletion: You can request us to correct or delete your information IF you demonstrate that the personal information we hold on you is inaccurate. We will delete or correct your information within thirty (30) calendar days. When we delete/correct your personal information we will inform the third parties with whom we have shared your information.
- Right to be Forgotten: Your information will be kept with us for as long as it is required for the fulfillment of the purposes of the TheraDriver Platform. Unless we otherwise give you notice, we will retain your Information on the TheraDriver Platform on your behalf until such time as you or we terminate your User Account.
9. How to Exercise Your Rights
To exercise your privacy rights, including your rights related to your PHI, you can:
9.1 HIPAA Rights
To exercise your HIPAA rights, please submit a written request to our Privacy Officer at:
TheraDriver
Attn: Privacy Officer
1 Bluxome Street Apt 411 San Francisco, CA 94107
[COMPANY PHONE NUMBER]
privacy@theradriver.com
Your request should include your full name, contact information, and a clear description of the right you wish to exercise. We may ask you to provide additional information to verify your identity before processing your request. We will respond to your request within the timeframes required by HIPAA, generally within 30 days of receipt. If we need additional time to respond, we will notify you in writing of the reason for the delay and the date by which we will respond.
9.2 CCPA/CPRA Rights
To exercise your CCPA/CPRA rights, you can:
- Submit a request via our online privacy portal at [PRIVACY PORTAL URL].
- Call our toll-free number at [TOLL-FREE NUMBER].
- Email us at privacy@theradriver.com.
- Complete and submit the form available at [FORM URL].
To verify your identity, we may ask you to provide information such as your full name, date of birth, address, email address, phone number, and/or a copy of a government-issued ID. We will only use this information to verify your identity and process your request. We will respond to your request within 45 days of receipt. If we need more time (up to an additional 45 days), we will inform you of the reason and extension period in writing.
9.3 GDPR Rights
To exercise your GDPR rights, you can:
- Submit a request via our online privacy portal at [PRIVACY PORTAL URL].
- Email our Data Protection Officer at privacy@theradriver.com.
- Write to us at TheraDriver, Attn: Data Protection Officer, 1 Bluxome Street Apt 411 San Francisco, CA 94107.
We will respond to your request without undue delay and at the latest within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay.
9.4 Brazilian Users' Rights
To make any requests regarding your rights under the LGPD, please contact our Brazilian Privacy and Data Protection Officer, Raj Semlawat, at privacy@theradriver.com. We will respond within thirty (30) days of the receipt.
9.5 Canadian Users' Rights
You may contact our Canadian Privacy and Data Protection Officer, Raj Semlawat, at privacy@theradriver.com or by writing to us at Privacy Officer, at 1 Bluxome Street Apt 411 San Francisco, CA 94107 to (i) make a Personal Information Request, (ii) correct or delete your personal information, or (iii) discuss our Privacy Policy and/or anything that has to do with it. We will respond within thirty (30) calendar days of receiving such a request or query. Additionally, in order for us to respond to your request or query, we will need to collect information from the requesting party to verify their identity.
10. Data Retention and Deletion
10.1 Data Retention Periods
We retain your Personal Information, including PHI, for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. Specifically:
- PHI in Designated Record Sets: We retain PHI in accordance with HIPAA's record retention requirements, which generally require retention for at least six years from the date of creation or the date when it was last in effect, whichever is later. For certain types of records, such as medical records, state laws may require longer retention periods.
- Personal Information Subject to CCPA/CPRA: We retain this information for as long as necessary to fulfill the purposes for which it was collected, and in accordance with our data retention schedule, which considers factors such as the nature of the information, legal and regulatory requirements, and operational needs.
- Personal Information Subject to GDPR: We retain this information for no longer than is necessary for the purposes for which it is processed, taking into account legal and regulatory requirements, the amount, nature, and sensitivity of the data, and the potential risk of harm from unauthorized use or disclosure.
10.2 Data Deletion Procedures
When Personal Information, including PHI, is no longer needed, we will securely delete or destroy it in accordance with our data retention and destruction policies. Our deletion procedures include:
- Physical Records: Shredding, pulping, or incineration of paper records containing Personal Information or PHI.
- Electronic Records: Secure deletion using methods that render the data unrecoverable, such as overwriting, degaussing, or physical destruction of storage media.
- Backup Data: Regular rotation and secure destruction of backup media according to our backup retention schedule.
- Third-Party Systems: Ensuring that our service providers and Business Associates delete Personal Information and PHI in accordance with our instructions and applicable laws.
10.3 Data Minimization
We implement data minimization principles to limit the collection, use, and retention of Personal Information, including PHI, to what is necessary for the intended purposes. This includes:
- Regularly reviewing our data collection practices to ensure we only collect what is needed.
- Implementing technical measures to automatically delete or anonymize data when it is no longer needed.
- Conducting periodic data inventories and purging unnecessary data.
- Training our workforce on data minimization principles and practices.
11. International Data Transfers
11.1 Cross-Border Data Transfers
We may transfer your Personal Information, including PHI, to countries outside the jurisdiction in which you are located. When we transfer Personal Information internationally, we implement appropriate safeguards to ensure that your information receives an adequate level of protection, including:
- Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses for data transfers from the EU/EEA to third countries. On June 4, 2021, the EU promulgated a new set of SCCs (the “New SCCs”), which replaced the old SCCs which had been in place for over a decade. We now comply with the New SCCs with respect to the transfer of Personal Data from the EU to the US and other countries for Processing. If there is any conflict between the terms and conditions in this Privacy Policy and your rights under the New SCCs, the terms and conditions in the new SCCs will govern. As of now, we and our customers are using the New SCCs to transport Personal Data from the EU to other countries including the US for processing by us.
- Binding Corporate Rules: Where applicable, we rely on Binding Corporate Rules approved by relevant data protection authorities.
- Adequacy Decisions: We transfer data to countries that have been deemed to provide an adequate level of protection by relevant authorities.
- Derogations: In limited circumstances, we may rely on specific derogations provided under applicable law, such as your explicit consent or the necessity of the transfer for the performance of a contract.
Your Personal Information, which you give to us during registration or use of our Website, App or Platform, may be accessed by or transferred to us in the United States. If you are visiting our Website or registering for our Services from outside the United States, be aware that your Personal Information may be transferred to, stored, and processed in the United States. Our servers or our third-party hosting services partners are located in the United States. By using our site, you consent to any transfer of your Personal Information out of Europe, the UK, or Switzerland for processing in the US or other countries.
11.2 GDPR Compliance for International Transfers
For transfers of Personal Information from the EU/EEA, we ensure that:
- The recipient country provides an adequate level of protection as determined by the European Commission, or
- Appropriate safeguards are in place, such as Standard Contractual Clauses, Binding Corporate Rules, or approved certification mechanisms, or
- A specific derogation applies under Article 49 of the GDPR.
You are the Controller, as defined in the GDPR, and the Exporter, as defined in the New SCCs, of the Personal Data and we are a processor, as defined in the GDPR, and the Importer of such Personal Data. You agree to comply with the GDPR rules that apply to Controllers and the New SCCs rules that apply to Data Exporters. We agree to comply with the GDPR rules that apply to Processors and the New SCCs rules that apply to Data Importers.
We agree to fully comply with the letter and the spirit of the GDPR and the New SCCs with respect to the transfer of your Personal Data for Processing outside the EU. We hereby notify you that we will be processing the Personal Data of your Authorized Users (i.e., those individuals whom you have authorized to access our Platform and to use our Services) in the US, Canada, and Turkey for us to be able to provide the Services to you that we have agreed to do in our definitive service agreement between you and us.
Upon request, we will provide you with a list of your Personal Data that we will process and a copy of the New SCCs under which we will transport your Personal Data for processing. We hereby warrant that, at the time of agreeing to the SCCs for the transport of your Personal Data, we have no reason to believe that the laws and practices applicable to us as a data processor and a data importer, including those of the US, Canada, and Turkey, are not in line with the requirements of the New SCCs. If we cannot satisfy any request or dispute to your satisfaction, we will agree to arbitrate or litigate the dispute in the EU jurisdiction in which you reside.
Your Personal Data will be transferred and stored in encrypted form. Only our employees who need to access your Personal Data to enable us to meet our contractual and legal obligations to you will be given access to your Personal Data. Such employees will be given a User Name and Password to access your Personal Data. We will keep an automated record of all persons who have accessed your Personal Data.
11.3 HIPAA Compliance for International Transfers
For transfers of PHI outside the United States, we ensure that:
- All HIPAA requirements continue to apply to the PHI regardless of its location.
- Business Associate Agreements are in place with any overseas recipients who handle PHI on our behalf.
- Additional security measures are implemented to address any increased risks associated with international data transfers.
12. Children's Privacy (COPPA Compliance)
The Children’s Online Privacy Protection Act (“COPPA”) is federal legislation that applies to entities that collect and store “Personal Information,” as the term is defined under COPPA, from children under the age of 13. We are committed to ensuring compliance with COPPA. Our Website, App, and Platform are not meant for use by children under the age of 13. Our Website, App, and Platform do not target children under the age of 13, but we do not age-screen or otherwise prevent the collection, use, and disclosure of personal information of persons identified as under 13.
We do not knowingly collect Personal Information from children under the age of 13 (or the relevant age of consent in your jurisdiction) without parental consent. If we learn that we have collected Personal Information from a child without parental consent, we will take steps to delete that information as soon as possible. If you are a parent or guardian and believe that your child has provided us with Personal Information without your consent, please contact us using the information provided in the "Contact Us" section below.
13. CAN-SPAM Act of 2003
The CAN-SPAM Act establishes requirements for commercial messages, gives recipients the right to have businesses stop emailing them, and spells out penalties for violations.
Per the CAN-SPAM Act, we will:
- Not use false or misleading subjects or email addresses.
- Identify the email message as an advertisement in some reasonable way.
- Include the physical address of TheraDriver, which is 1 Bluxome Street Apt 411 San Francisco, CA 94107.
- Monitor third-party email marketing services for compliance, if one is used.
- Honor opt-out/unsubscribe requests quickly.
- Give an “opt-out” or “unsubscribe” option.
If you wish to opt out of email marketing, follow the instructions at the bottom of each email or contact us at privacy@theradriver.com and we will promptly remove you from all future marketing correspondences.
14. Modifications to Our Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, and other factors. When we make material changes to this Privacy Policy, we will:
- Post the updated Privacy Policy on our website.
- Update the "Effective Date" at the top of this Privacy Policy.
- Provide notice through our services or by other means as required by applicable law.
- For material changes regarding PHI, provide notice as required by the HIPAA Privacy Rule.
We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices. Your continued use of our services after the revised Privacy Policy has become effective indicates that you have read, understood, and agreed to the current version of this Privacy Policy.
15. List of Third-Party Service Providers
TheraDriver uses the following third-party service providers for the provision of services as detailed under the Terms of Use or Terms of Service, as applicable:
| Name of Third-Party Service Provider | Contact Information |
| --- | --- |
| Amazon Web Services Inc. (North Virginia, US) | Website: https://aws.amazon.com/premiumsupport/knowledge-center/aws-phone-support/ ; Address: 410 Terry Avenue North, Seattle, WA 98109-5210 |
| Stripe, Inc. | Email: info@stripe.com ; Address: 510 Townsend St, San Francisco, CA 94103 |
| Google Cloud | Website: www.support@google.com ; Telephone: (855) 817-0841 |
| Microsoft Azure | Website: https://support.microsoft.com/en-us/contactus/ ; Address: 1 Microsoft Way, Redmond, WA 98052-6399 |
| PayPal | Website: https://www.paypal.com/us/smarthelp/contact-us ; Address: 2211 North First Street, San Jose, CA 95131 |
| DigitalOcean, LLC | Website: https://www.digitalocean.com/company/contact/ ; Address: 101 6th Avenue, New York, NY 10013 |
| Heroku, Inc. | Website: https://www.heroku.com/contact ; Address: 50 Fremont St, Suite 300, San Francisco, California 94105 |
| AWeber Systems, Inc. | Website: https://www.aweber.com/contact.htm ; Address: 1100 Manor Drive, Chalfont, Pennsylvania 18914 |
| Mailchimp operated by The Rocket Science Group LLC | Website: https://mailchimp.com/contact/ ; Address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308 |
Additionally, if you have any questions or concerns about our third-party service providers, please email us at privacy@theradriver.com.
16. Copyright Infringement/DMCA Notice
If you believe that any content on our Website, App, or Platform violates your copyright, and you wish to have the allegedly infringing material removed, the following information in the form of a written notification (pursuant to the Digital Millennium Copyright Act of 1998 (“DMCA Takedown Notice”)) must be provided to our designated Copyright Agent:
- Your physical or electronic signature.
- Identification of the copyrighted work(s) that you claim to have been infringed.
- Identification of the material on our Website, App, or Platform that you claim is infringing and that you request us to remove.
- Sufficient information to permit us to locate such material.
- Your address, telephone number, and email address.
- A statement that you have a good faith belief that use of the objectionable material is not authorized by the copyright owner, its agent, or under the law.
- A statement that the information in the notification is accurate, and under penalty of perjury, that you are either the owner of the copyright that has allegedly been infringed or that you are authorized to act on behalf of the copyright owner.
TheraDriver’s Copyright Agent to receive DMCA Takedown Notices is Raj Semlawat, at privacy@theradriver.com and at TheraDriver, Attn: DMCA Notice, 1 Bluxome Street Apt 411 San Francisco, CA 94107. You acknowledge that for us to be authorized to take down any content, your DMCA Takedown Notice must comply with all the requirements of this Section. Please note that, pursuant to 17 U.S.C. § 512(f), any misrepresentation of material fact (falsities) in a written notification automatically subjects the complaining party to liability for any damages, costs and attorney’s fees incurred by TheraDriver in connection with the written notification and allegation of copyright infringement.
17. Anti-Bribery Compliance
TheraDriver represents and warrants that it is fully aware of and will comply with, and in the performance of its obligations hereunder will not take any action or omit to take any action that would cause it or its customers to be in violation of, (i) U.S. Foreign Corrupt Practices Act, (ii) U.K. Anti-Bribery Act, (iii) India Prevention of Corruption Act of 1988, or (iv) any other applicable anti-bribery statutes and regulations, and (v) any regulations promulgated under any such laws.
TheraDriver represents and warrants that neither it nor any of its employees, officers, or directors is an official or employee of any government (or any department, agency or instrumentality of any government), political party, state owned enterprise or a public international organization such as the United Nations, or a representative or any such person (each, an “Official”).
TheraDriver further represents and warrants that, to its knowledge, neither it nor any of the Supplier Personnel has offered, promised, made or authorized to be made, or provided any contribution, thing of value or gift, or any other type of payment to, or for the private use of, directly or indirectly, any Official for the purpose of influencing or inducing any act or decision of the Official to secure an improper advantage in connection with, or in any way relating to, (A) any government authorization or approval involving TheraDriver, or (B) the obtaining or retention of business by TheraDriver.
Supplier further represents and warrants that it will not in the future offer, promise, make or otherwise allow to be made or provide any payment and that it will take all lawful and necessary actions to ensure that no payment is promised, made or provided in the future by any of the Supplier Personnel.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Privacy Officer
TheraDriver
1 Bluxome Street Apt 411 San Francisco, CA 94107
[COMPANY PHONE NUMBER]
Email: privacy@theradriver.com
For matters specifically related to your PHI or HIPAA rights, please contact our Privacy Officer at the address above.
For matters related to GDPR compliance, you can contact our Data Protection Officer at:
TheraDriver
Attn: Data Protection Officer
1 Bluxome Street Apt 411 San Francisco, CA 94107
privacy@theradriver.com
[DPO PHONE NUMBER]
If you are not satisfied with our response to your concern, you may have the right to lodge a complaint with a supervisory authority in the EU/EEA (for GDPR-related matters) or with the Office for Civil Rights of the U.S. Department of Health and Human Services (for HIPAA-related matters).
PLEASE NOTE: IF YOU USE OUR WEBSITE, APP, OR PLATFORM, YOU HAVE AGREED TO AND ACCEPTED THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY AND THE TERMS AND CONDITIONS SET FORTH IN OUR TERMS OF USE OR OUR TERMS OF SERVICE, AS APPLICABLE. IF YOU DO NOT AGREE WITH THE TERMS OF THIS PRIVACY POLICY OR OUR TERMS OF SERVICE, PLEASE DO NOT USE OUR WEBSITE, APP, OR PLATFORM.