Privacy Policy

We take the privacy of your clinic's data seriously. Here's exactly what we collect, why, and how we protect it.

Last updated: April 8, 2026  ·  Effective: April 8, 2026

🔒 We Don't Sell Your Data
Your clinic and client data is never sold to third parties, advertisers, or data brokers.

🛡️ HIPAA Compliant
We operate as a HIPAA Business Associate and sign a BAA with every clinic subscriber.

✏️ You're In Control
You can access, correct, export, or delete your data at any time by contacting us.

1. Who We Are

Clinlytics LLC ("Clinlytics," "we," "us," or "our") is a Georgia-based software company providing authorization intelligence and revenue management tools for ABA therapy clinics. Our principal office is at 713 Landing Pointe, Stockbridge, GA 30281.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, website, or any related services. It applies to all users, including clinic administrators, BCBAs, billing specialists, and any other staff members with platform access.

2. What We Collect

Account & Business Information

When you register or use our Services, we collect:

  • Name, email address, phone number, and job title
  • Clinic name, address, and business information
  • Payment information (processed securely via Stripe — we do not store full card numbers)
  • Login credentials (passwords are hashed and never stored in plain text)

Platform Usage Data

We automatically collect information about how you use the Services:

  • Pages visited and features used within the platform
  • Session duration and frequency of use
  • Device type, browser, and operating system
  • IP address and approximate geographic location
  • Error logs and performance data

Client & Authorization Data (PHI)

When you use the platform for its core purpose, you may enter data about your ABA clients, including authorization details, CPT codes, insurance information, and session records. This data may constitute Protected Health Information (PHI) under HIPAA. See Section 5 for how we handle PHI.

Data Type          | Examples                       | Why Collected
Account Data       | Name, email, clinic info       | Account creation, billing, support
Authorization Data | CPT codes, unit counts, dates  | Core platform functionality
Usage Data         | Page views, feature clicks     | Platform improvement, support
Payment Data       | Billing address, last 4 digits | Subscription processing
Communications     | Support emails, tickets        | Customer support

3. How We Use Your Data

We use the information we collect to:

  • Provide, operate, and maintain the Clinlytics platform
  • Process transactions and manage your subscription
  • Send you transactional emails (account confirmations, billing receipts, alert notifications)
  • Respond to support requests and troubleshoot issues
  • Monitor and analyze platform usage to improve our services
  • Detect, prevent, and address fraud, security incidents, or technical issues
  • Comply with legal obligations, including HIPAA requirements
  • Send product updates or feature announcements (you may opt out at any time)

We do not use your client data or PHI for marketing, analytics sold to third parties, or any purpose outside of providing the Services you've subscribed to.

4. How We Share Data

Clinlytics does not sell, rent, or trade your personal information. We may share data in the following limited circumstances:

Service Providers (Sub-processors)

We work with trusted third-party vendors who help us deliver our Services. These vendors are contractually bound to use your data only as directed by us and to maintain appropriate security standards:

  • Stripe — Payment processing
  • Amazon Web Services (AWS) — Cloud infrastructure and data storage
  • EmailJS / SendGrid — Transactional email delivery

Legal Requirements

We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred to the acquiring entity. We will notify you of any such change via email or prominent notice on our website prior to the transfer.

5. HIPAA & Protected Health Information

Clinlytics operates as a HIPAA Business Associate when processing PHI on behalf of covered entities (ABA clinics). We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR Part 164).

Our Commitments Under HIPAA

  • We will not use or disclose PHI except as permitted by our Business Associate Agreement and applicable law
  • We implement appropriate safeguards to prevent unauthorized use or disclosure
  • We will report any breach of unsecured PHI to you within the timeframes required by law
  • We will make our internal practices available to the Secretary of HHS for compliance audits
  • We will return or destroy all PHI upon termination of the Business Associate Agreement

All clinic subscribers must execute a Business Associate Agreement (BAA) with Clinlytics before entering PHI into the platform. Contact legal@clinlytics.com to request or review the BAA.

6. Cookies & Tracking

We use essential cookies and similar technologies to operate the platform, including:

  • Session cookies — to maintain your login state during a session
  • Preference cookies — to remember your settings and configuration
  • Analytics cookies — to understand how the platform is used (aggregated, non-identifiable data)

We do not use third-party advertising cookies or tracking pixels for ad targeting. You can configure your browser to refuse cookies, though some features of the platform may not function properly without them.

7. Data Security

We implement industry-standard security measures designed to protect your information from unauthorized access, disclosure, alteration, or destruction:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls limiting staff access to only what their role requires
  • Regular security assessments and vulnerability scanning
  • Audit logging for all access to PHI and sensitive data
  • Secure, SOC 2-compliant cloud infrastructure (AWS)

While we take reasonable precautions, no security system is impenetrable. In the event of a security breach affecting your data, we will notify you promptly and in compliance with applicable law.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide you with the Services. Specifically:

  • Account data — retained for the duration of your subscription plus 90 days after cancellation
  • PHI and client authorization data — retained per your BAA terms; typically deleted within 30 days of a written deletion request following account termination
  • Billing records — retained for 7 years as required by financial regulations
  • Support communications — retained for 3 years
  • Usage and analytics data — retained for up to 24 months in aggregated form

You may request deletion of your account and associated data at any time by contacting privacy@clinlytics.com.

9. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request that we correct inaccurate or incomplete data
  • Deletion — Request deletion of your personal data (subject to legal retention obligations)
  • Export — Request your data in a portable, machine-readable format
  • Opt-out of marketing — Unsubscribe from non-essential communications at any time via the unsubscribe link in any email or by contacting us

To exercise any of these rights, contact us at privacy@clinlytics.com. We will respond within 30 days.

10. Children's Privacy

The Clinlytics platform is designed for use by healthcare professionals and clinic staff. It is not directed at individuals under the age of 18 and we do not knowingly collect personal information from minors. Note that ABA client data (which may include minors) entered by clinic staff is subject to the clinic's own HIPAA and privacy obligations, not this policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will notify you by email and by posting a prominent notice in the platform at least 14 days before the changes take effect.

Your continued use of the Services after the effective date of any updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this page periodically.

12. Contact Us

For questions, concerns, or to exercise your privacy rights, please contact us: