Privacy Policy

2.1 Protected Health Information (PHI)

When you use our Services as a healthcare provider, we process PHI on your behalf as your Business Associate. PHI includes any individually identifiable health information, including but not limited to: patient names, dates of birth, addresses, Social Security Numbers or Social Insurance Numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses when linked to an individual, biometric identifiers, full-face photographs, and any other unique identifying number or code. PHI is processed strictly in accordance with our Business Associate Agreement and applicable law, and is never used for any purpose beyond providing the contracted Services.

2.2 Account and Practice Information

When a healthcare practice subscribes to our Services, we collect information about the practice and its authorized users, including: practice name, address, phone number, tax identification number (EIN or BN), National Provider Identifier (NPI), professional license numbers, billing information, names and contact details of authorized staff members, and login credentials.

2.3 Website and Usage Data

When you visit our website or use our platform, we automatically collect certain technical information, including: IP address, browser type and version, operating system, referring URLs, pages viewed, time spent on pages, click patterns, session identifiers, and device identifiers. This information is collected through cookies, web beacons, and similar tracking technologies as described in Section 9 of this Policy.

2.4 Communications Data

We collect information you provide when you contact us for support, complete intake forms, respond to surveys, or communicate with us by email, phone, or live chat, including the content of those communications and any attachments.

2.5 Payment Information

Billing and payment information is collected and processed by our PCI-DSS compliant payment processor. We do not store full credit card numbers on our servers. We retain only the last four digits of payment card numbers, expiration dates, and billing addresses for account management purposes.

3.1 Providing and Improving the Services

We use the information we collect to: operate, maintain, and improve our EHR and practice management platform; process transactions and send related information; provide customer support and respond to inquiries; send technical notices, updates, security alerts, and administrative messages; and develop new features and functionality.

3.2 Processing PHI as a Business Associate

As a Business Associate, we process PHI solely as directed by and on behalf of our Covered Entity clients, for the purposes of: treatment, payment, and healthcare operations as permitted under HIPAA; performing functions and activities specified in the Business Associate Agreement; and as otherwise required by law. We do not use PHI for our own marketing, research, or commercial purposes without explicit authorization.

3.3 Legal Compliance and Safety

We may use or disclose information as necessary to: comply with applicable laws, regulations, legal processes, or governmental requests; enforce our Terms of Service and other agreements; protect the rights, property, or safety of Pryme Practice, our clients, patients, or the public; and detect, prevent, or address fraud, security, or technical issues.

3.4 Analytics and Business Operations

We use aggregated, de-identified data — which cannot reasonably be used to identify any individual — for internal analytics, product development, benchmarking, and business reporting. De-identification is performed in accordance with the HIPAA Expert Determination or Safe Harbor methods, as applicable.

3.5 Marketing Communications

We may send marketing communications to healthcare providers and practice administrators who have expressed interest in our Services or who are existing clients, subject to applicable opt-out rights. We do not send marketing communications to patients. You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any email or contacting us at [email protected].

4.1 Service Providers and Subcontractors

We engage third-party service providers ("Subcontractors") to assist in operating our platform and delivering our Services. These include cloud infrastructure providers, payment processors, email delivery services, customer support platforms, and analytics tools. All Subcontractors who may access PHI are required to execute Business Associate Agreements and are contractually obligated to maintain the same level of privacy and security protections as Pryme Practice. A current list of our Subcontractors is available upon request.

4.2 Covered Entity Clients

We disclose information to our Covered Entity clients as necessary to provide the Services. Healthcare practices retain ownership and control of all PHI entered into the platform and may request export or deletion of their data at any time in accordance with our data retention policies.

4.3 Legal Requirements

We may disclose information when required by law, including in response to valid subpoenas, court orders, government investigations, or other legal processes. Where permitted by law, we will notify affected parties before disclosing their information in response to such requests.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, information held by us may be transferred to the successor entity. We will provide notice of any such transfer and the choices available to you, and any successor entity will be required to honor the commitments made in this Policy.

4.5 Consent

We may share information with third parties when you have given us explicit consent to do so.

4.6 What We Do Not Do

We do not sell, rent, or trade personal information or PHI to third parties for their own marketing or commercial purposes. We do not use PHI to market non-healthcare products or services. We do not share PHI with employers, life insurers, or any entity for purposes unrelated to healthcare treatment, payment, or operations without explicit written authorization.

5.1 Business Associate Obligations

Pryme Practice is a Business Associate under HIPAA. We have implemented administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect the confidentiality, integrity, and availability of electronic PHI ("ePHI"). Our safeguards include: risk analysis and risk management programs; workforce training and access controls; audit controls and activity logging; encryption of ePHI at rest and in transit; contingency planning and disaster recovery; and regular security assessments.

5.2 Notice of Privacy Practices

Healthcare providers using our platform are responsible for providing their patients with a Notice of Privacy Practices as required by the HIPAA Privacy Rule. Pryme Practice provides template notices and tools to assist Covered Entities in meeting this obligation.

5.3 Patient Rights Under HIPAA

Patients have the following rights regarding their PHI, which must be exercised through the healthcare provider (Covered Entity) that maintains their records: the right to access and receive a copy of their PHI; the right to request amendment of inaccurate or incomplete PHI; the right to an accounting of disclosures; the right to request restrictions on certain uses and disclosures; the right to request confidential communications; and the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

5.4 Breach Notification

In the event of a breach of unsecured PHI, Pryme Practice will notify affected Covered Entities without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HITECH Breach Notification Rule (45 CFR Part 164, Subpart D). Covered Entities are responsible for notifying affected individuals and, where required, the Secretary of HHS and the media.

6.1 PIPEDA Compliance

For Canadian clients and individuals, Pryme Practice complies with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation. We collect, use, and disclose personal information only with knowledge and consent, except where otherwise permitted or required by law. We collect only the minimum information necessary for the identified purposes, and we retain personal information only as long as necessary to fulfill those purposes.

6.2 Provincial Health Privacy Legislation

We comply with applicable provincial health privacy legislation, including: Alberta's Health Information Act ("HIA"); Ontario's Personal Health Information Protection Act ("PHIPA"); British Columbia's Personal Information Protection Act ("PIPA"); and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64). Where provincial legislation provides greater protection than PIPEDA, we apply the higher standard.

6.3 Cross-Border Data Transfers

Some personal information processed by Pryme Practice may be stored or processed in the United States. We take appropriate contractual and technical measures to ensure that personal information transferred across borders receives equivalent protection to that required under Canadian law, including executing data processing agreements and implementing standard contractual clauses where applicable.

6.4 Rights of Canadian Individuals

Individuals in Canada have the right to: access their personal information held by us; challenge the accuracy and completeness of their information and have it amended; withdraw consent to the collection, use, or disclosure of their personal information (subject to legal or contractual restrictions); and file a complaint with the Office of the Privacy Commissioner of Canada or the applicable provincial privacy commissioner.

6.5 Privacy Officer

Pryme Practice has designated a Privacy Officer responsible for overseeing compliance with Canadian privacy legislation. Our Privacy Officer can be contacted at [email protected].

7.1 Applicability

This section applies to California residents whose personal information is collected by Pryme Practice in a non-PHI context (e.g., website visitors, practice administrators, and sales contacts). PHI processed under HIPAA is exempt from the CCPA.

7.2 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information from California residents: identifiers (name, email address, IP address); commercial information (subscription and billing records); internet or other electronic network activity information (browsing history on our website); professional or employment-related information (job title, practice affiliation); and inferences drawn from the above to create a profile about preferences and characteristics.

7.3 California Consumer Rights

California residents have the right to: know what personal information we collect, use, disclose, and sell; request deletion of their personal information; opt out of the sale or sharing of their personal information (we do not sell personal information); correct inaccurate personal information; and not be discriminated against for exercising their privacy rights. To exercise these rights, submit a verifiable consumer request to [email protected] or call us at the number listed in Section 12.

7.4 Shine the Light

California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes under California Civil Code Section 1798.83. We do not disclose personal information to third parties for their direct marketing purposes.

9.1 Types of Cookies We Use

Our website uses the following types of cookies and similar tracking technologies:

9.2 Cookie Management

You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a cookie is set. Please note that disabling certain cookies may affect the functionality of our website. For more information about managing cookies, visit www.allaboutcookies.org.

9.3 Do Not Track

Some browsers transmit "Do Not Track" signals to websites. We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place.

United States — HIPAA Complaints:

U.S. Department of Health and Human Services, Office for Civil Rights 200 Independence Avenue, S.W., Washington, D.C. 20201 Website: www.hhs.gov/ocr Phone: 1-800-368-1019

Canada — Federal:

Office of the Privacy Commissioner of Canada 30 Victoria Street, Gatineau, Quebec K1A 1H3 Website: www.priv.gc.ca Phone: 1-800-282-1376

Alberta:

Office of the Information and Privacy Commissioner of Alberta Website: www.oipc.ab.ca

Ontario:

Information and Privacy Commissioner of Ontario Website: www.ipc.on.ca

British Columbia:

Office of the Information and Privacy Commissioner for British Columbia Website: www.oipc.bc.ca

California:

California Privacy Protection Agency Website: cppa.ca.gov

Pryme Practice Inc.

Privacy Officer Email: [email protected] Website: www.prymepractice.com