Privacy Policy
Effective Date: February 1, 2026 | Last Updated: February 1, 2026
At ZipHealthy, we are committed to protecting your privacy and maintaining the confidentiality of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services. This Privacy Policy applies to information collected through our website (ziphealthy.com) and in the course of providing clinical services.
1. Information We Collect
We collect information that you provide directly to us, including:
- Personal Information: Name, email address, phone number, mailing address, date of birth
- Insurance Information: Insurance provider, policy number, group number, subscriber information
- Health Information: Mental health history, symptoms, treatment goals, diagnoses, and other clinical information shared during intake and sessions
- Payment Information: Credit card details, billing address (processed through secure third-party payment processors — we do not store full credit card numbers on our systems)
- Communication Records: Emails, messages, and other correspondence with our practice
- Website Usage Data: Information automatically collected when you visit our website, including IP address, browser type, pages viewed, and referring URL (see Section 6 below)
2. How We Use Your Information
We use the information we collect for the following purposes:
- Treatment: To provide mental health therapy, coaching, and related services
- Scheduling: To manage appointments and send reminders
- Billing: To process payments and submit insurance claims on your behalf
- Communication: To respond to your inquiries and provide important service updates
- Quality Improvement: To improve our services and client experience
- Legal Compliance: To comply with applicable laws and regulations
3. HIPAA Compliance
ZipHealthy is a HIPAA-covered entity committed to complying with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. Your Protected Health Information (PHI) is handled with the utmost care and in accordance with HIPAA regulations.
- We maintain administrative, technical, and physical safeguards to protect your PHI
- Our staff receives regular HIPAA training
- We use HIPAA-compliant technology platforms for telehealth and electronic records
- Our complete HIPAA Notice of Privacy Practices, which describes in detail how we may use and disclose your PHI and your rights under HIPAA, is available at our Telehealth Consent & HIPAA Notice page. You may also request a paper copy at any time by contacting our office.
4. Information Sharing
We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:
- With Your Consent: When you provide written authorization for us to share information with specific individuals or organizations
- Treatment, Payment, and Operations: To coordinate your care, submit claims to your insurance company, and conduct healthcare operations as described in our HIPAA Notice of Privacy Practices
- Legal Requirements: When required by law, court order, or to comply with legal processes
- Safety Concerns: When necessary to prevent serious and imminent harm to yourself or others, as required or permitted by law
- Public Health and Safety: As required for public health reporting, abuse or neglect reporting, and other disclosures mandated by federal or state law
- Business Associates: With trusted service providers who assist in our operations (e.g., electronic health records systems, billing services), under HIPAA-compliant Business Associate Agreements that require them to safeguard your information
5. Data Security
We implement robust security measures to protect your information:
- All data transmitted through our website is encrypted using SSL/TLS technology
- Electronic health records are stored in secure, HIPAA-compliant systems with access controls and audit logging
- Physical records are stored in locked, secure locations
- Access to client information is restricted to authorized personnel on a need-to-know basis
- We conduct regular security assessments and updates
Breach Notification
In the event of a breach of unsecured Protected Health Information, ZipHealthy will notify affected individuals without unreasonable delay and no later than sixty (60) days after discovery of the breach, consistent with the requirements of the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). We will also notify the U.S. Department of Health and Human Services and, if required, prominent media outlets as specified by law.
6. Cookies, Tracking Technologies, and Data Processors
Our website uses cookies and similar technologies to enhance your browsing experience and understand how visitors interact with our site. The following list identifies each category, the specific vendor involved, and what data they process:
- Essential Cookies: Required for basic website functionality (e.g., cookie consent preferences). These operate automatically.
- Server-Side Tag Management (Stape): We route our analytics and advertising tags through a server-side Google Tag Manager container hosted by Stape.io at our subdomain sst.ziphealthy.com. Server-side tagging means your browser sends one request to our own subdomain; our server then forwards only the minimum necessary data to downstream vendors (Google, Meta, Microsoft). This architecture gives us more control over what data leaves your device, reduces third-party cookies, and does not change the underlying purpose of the downstream tools. Stape acts as a processor under our instructions and has signed a Data Processing Agreement.
- Analytics (Google Analytics 4): We use Google Analytics 4 to understand aggregate website traffic patterns such as pages visited, time on site, device type, and referring sources. Data is collected in anonymized or pseudonymized form. IP anonymization is enabled. Cross-domain linking is configured for our own subdomains (ziphealthy.com, www.ziphealthy.com, shop.ziphealthy.com, usvi.ziphealthy.com, sst.ziphealthy.com). Analytics data is processed by Google in accordance with Google's Privacy Policy.
- Analytics Data Warehouse (Google BigQuery): A daily export of our Google Analytics 4 data is sent to Google BigQuery in our own Google Cloud project, where we run aggregate reports (e.g., weekly traffic trends, landing page performance, funnel analysis). The BigQuery dataset contains the same analytics data described above — no Protected Health Information, no form contents, and no identifiers beyond the anonymized or pseudonymized ones already in GA4. Data is retained per our Data Retention section below.
- User Experience Analytics (Microsoft Clarity): We use Microsoft Clarity, a user experience analytics tool that provides heatmaps and anonymized session replay data to help us understand how visitors navigate our website. Clarity does not capture any text you type into forms, Protected Health Information, passwords, or other sensitive personal data; form fields and text inputs are masked by default. Session replay does not record any content from clinical sessions or patient portals. Clarity processes data in accordance with Microsoft's Privacy Statement.
- Advertising (Google Ads): We use Google Ads conversion tracking and remarketing to measure the effectiveness of our advertising campaigns and to show relevant information to people who have previously visited our website. Google Ads may set cookies (subject to your consent) to attribute website actions — such as scheduling a consultation — to specific ad interactions. No Protected Health Information is shared with Google Ads.
- Advertising (Meta/Facebook Pixel and Conversions API): We use the Meta Pixel on the client and Meta's Conversions API (CAPI) server-side via our Stape sGTM container, to measure, optimize, and build audiences for our advertising campaigns on Facebook and Instagram. Events may record page visits and button clicks (subject to your consent) to help us understand which content is most helpful to visitors. No Protected Health Information, clinical details, or form submissions are transmitted to Meta. Meta processes this data in accordance with Meta's Data Policy.
- Performance and Security (Cloudflare): Our website is served through Cloudflare's content delivery network and Web Application Firewall. Cloudflare processes your IP address and HTTP request metadata to deliver the site quickly, mitigate bot and denial-of-service attacks, and enforce our security rules. Cloudflare acts as a processor under our instructions and is HIPAA-compliant under a signed Business Associate Addendum for applicable workloads. Details: Cloudflare's Privacy Policy.
- Booking and Payments (Square): Appointment scheduling and card payments are handled by Square (Block, Inc.). When you book an appointment or pay a bill, Square collects the information needed to process your booking or transaction (name, email, phone, card data). We receive the booking confirmation and a transaction reference — not your full card number. Square's practices are described in Square's Privacy Notice.
- Online Store (Shopify): Digital products (e.g., printable workbooks, toolkits) are sold through our Shopify store at shop.ziphealthy.com. Shopify collects the information needed to fulfill your order and processes data per Shopify's Privacy Policy. No clinical information is collected through the store.
AI and Automated Analysis
We use artificial intelligence tools in two narrow, clearly bounded ways:
- Website analytics review: We use AI-assisted tools to summarize and interpret the aggregate, anonymized analytics data described above (for example, "which landing pages convert best," "what devices visitors use"). These tools do not have access to Protected Health Information, client records, or individually identifying website activity.
- Content drafting: Educational articles and marketing copy on this website may be drafted with AI writing assistance and then reviewed, edited, and signed off by licensed clinicians before publication. No client data, session content, or clinical records are ever used as input to these tools.
We do not use AI to make clinical decisions, generate clinical documentation for individual clients on this website, or profile individual visitors. Clinical AI use within our practice (e.g., documentation assistants used in session) is governed by separate Business Associate Agreements, occurs inside our HIPAA-compliant electronic health record system, and is never connected to this public website.
AI and Search-Engine Web Crawlers
Automated crawlers operated by AI companies and search engines may access public pages of this website to train language models or to index content for answer engines. Our robots.txt file identifies which crawlers we allow and which we disallow. Because these crawlers access only public pages, they do not and cannot access any client portal, booking information, or Protected Health Information.
No Sale of Data
We do not sell your personal information to third parties for advertising or any other purpose. We do not participate in "targeted advertising" of sensitive categories. Optional analytics and advertising cookies only run with your consent via our cookie banner.
Do Not Track and Global Privacy Control
Our website does not currently respond to Do Not Track (DNT) browser signals, which lack a consistent industry standard. We do honor the Global Privacy Control (GPC) signal where applicable. You may also manage your cookie preferences at any time using the cookie banner on our site or by clicking the "Manage cookies" link at the bottom of any page.
7. Your Rights
You have the following rights regarding your personal information:
- Access: Request a copy of the information we hold about you, including your clinical records
- Amendment: Request corrections to inaccurate or incomplete information in your health record. We may deny an amendment request in certain circumstances as permitted by HIPAA, and you have the right to submit a statement of disagreement.
- Restriction: Request that we limit how we use or disclose your information. We are required to agree to restrictions on disclosures to your health plan for services you pay for in full out of pocket.
- Confidential Communications: Request that we communicate with you in a specific manner or at a specific location (e.g., only by mail to a particular address)
- Accounting of Disclosures: Request an accounting of certain disclosures of your PHI made in the six (6) years prior to the request
- Deletion of Non-Clinical Data: Request deletion of your personal information that is not part of your designated health record. Please note: under HIPAA, we are required to maintain your clinical records for the minimum period required by applicable law and may deny requests to delete PHI from your designated record set.
To exercise any of these rights, please contact us using the information provided below. We will respond to your request within thirty (30) days, as required by law.
You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated. Complaints may be filed online at hhs.gov/hipaa/filing-a-complaint or by calling (800) 368-1019. You may also contact your state or territorial Attorney General's office. We will not retaliate against you for filing a complaint.
8. Data Retention
We retain your information as follows:
- Clinical Records (Adults): Maintained for a minimum of seven (7) years after the last date of service, or longer as required by applicable law or professional licensing standards
- Clinical Records (Minors): Maintained until the patient reaches the age of twenty-one (21) or for seven (7) years after the last date of service, whichever is later
- Billing and Financial Records: Retained in accordance with applicable tax, insurance, and regulatory requirements
- Website Analytics Data: Retained per the default retention settings configured in our analytics platforms (typically 14–26 months for Google Analytics)
After the applicable retention period, records are securely destroyed in accordance with HIPAA requirements.
9. Children's Privacy
We provide services to minors only with parental or guardian consent. For children under 13 years of age, a parent or legal guardian must provide consent before we collect any personal information, consistent with the Children's Online Privacy Protection Act (COPPA). Parents and guardians have the right to review, request deletion of, and refuse further collection of their child's information. For minors aged 13 and older, certain confidentiality protections may apply under the laws of the jurisdiction in which services are provided regarding mental health treatment records.
10. Third-Party Links
Our website may contain links to third-party websites or resources (such as insurance verification portals, crisis hotlines, or educational materials). We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party sites you visit. Inclusion of a link does not imply our endorsement of the linked site.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy on this page with a new "Last Updated" date. For material changes that reduce your rights or expand our use of your information, we will provide advance notice via email (to the email address associated with your account) at least thirty (30) days before the changes take effect, where required by law. We encourage you to review this policy periodically.
12. Contact Information
If you have questions about this Privacy Policy, wish to exercise your rights, or need to file a complaint, please contact us:
ZipHealthy PLLC
Attn: Privacy Officer
240 S Main St, Suite #270
Bentonville, AR 72712
Email: [email protected]
Phone: (479) 259-1390
Your Privacy Matters
We take the protection of your personal information seriously.