Effective Date: February 1, 2026
Last Updated: February 1, 2026
1. Introduction and Scope
This Privacy Policy describes how [Company Name] (“we,” “us,” or “our”) collects, uses, and discloses information through our website and services. As a premier provider, we adhere to the highest standards of data integrity, including the Health Insurance Portability and Accountability Act (HIPAA) and 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records), as well as the California Privacy Rights Act (CPRA).
2. Information We Collect
We collect information that identifies, relates to, or could reasonably be linked to you (“Personal Information”).
A. Categories of Information Collected
- Identifiers: Name, alias, postal address, unique personal identifier, IP address, email address, and Social Security number.
- Sensitive Personal Information: Healthcare data, including Substance Use Disorder (SUD) information, genetic data, and Neural Data (as defined by 2026 California regulations).
- Commercial Information: Services purchased or considered.
- Internet/Network Activity: Browsing history, search history, and interactions with our website.
3. Substance Use Disorder (SUD) Records (42 CFR Part 2)
Pursuant to the February 16, 2026 compliance deadline, we provide the following specific protections for SUD records:
- Heightened Confidentiality: SUD records are subject to stricter protections than standard PHI. We will not disclose your status as a patient or any identifying SUD information without your written consent, except in cases of medical emergency, audit/evaluation, or a specific court order.
- Legal Proceedings: In no event will we use or disclose your Part 2 records (or testimony describing them) in any civil, criminal, administrative, or legislative proceedings against you without your express written consent or a qualifying court order.
- Single Consent: We may request a single, general consent for all future disclosures for treatment, payment, and healthcare operations (TPO). You have the right to revoke this consent at any time.
4. How We Use Your Information
We do not sell your personal information. We use your data to:
- Provide Services: Facilitate referrals, care coordination, and treatment placement.
- Security: Detect and prevent fraudulent or illegal activity.
- Compliance: Fulfill legal obligations under state and federal law.
- ADMT Transparency: If we use Automated Decision-Making Technology (ADMT) to assist in care recommendations, we provide you the right to opt out of such automated processing and to request information on the logic involved.
5. Your Rights and Choices
As a user of a high-tier platform, you are afforded the following rights:
- Right to Access: Request a copy of the specific pieces of personal information we have collected about you since January 1, 2022 (no 12-month limit).
- Right to Correct: Request that we rectify inaccurate information.
- Right to Delete: Request deletion of your data, subject to medical record retention laws.
- Global Privacy Control (GPC): Our site recognizes and honors GPC signals. If your browser sends a GPC signal, we will automatically opt you out of any “sharing” of data for cross-contextual behavioral advertising.
6. Disclosure of Personal Information
We only share information with Business Associates (BAs) who have signed rigorous Business Associate Agreements (BAAs). These partners are contractually obligated to provide the same level of privacy protection as required by HIPAA and 42 CFR Part 2.
7. Data Security
We implement “Medical-Grade” security, including:
- AES-256 Encryption for data at rest.
- TLS 1.3 for data in transit.
- Multi-Factor Authentication (MFA) for all internal access to sensitive databases.
8. Contact Information
To exercise your rights or file a complaint regarding your privacy, contact our Privacy Officer:
Attn: Privacy Office
Email: privacy@couplesrehab.com
Phone: (888) 500-2110
Crucial Implementation Note for a $15M Asset
A privacy policy is only “super compliant” if the site architecture matches the prose. To protect a high-value asset, ensure you have:
- A Consent Management Platform (CMP): One that displays “Accept” and “Reject” buttons with equal visual prominence (to avoid “Dark Pattern” violations).
- Server-Side Tracking: Move your Meta/Google pixels to a server-side container to strip PII before it reaches third-party servers.
- Opt-Out Confirmation: In 2026, you must provide a visible confirmation message (e.g., a toast notification) whenever a user opts out or sends a GPC signal.
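As an added example (not code from this site or from any vendor), the code below shows a server-side container step that honors the `Sec-GPC: 1` request header, drops the identifier categories listed in section 2.A, and redacts emails and SSN-shaped strings left in free-text values before an event is forwarded to a third party. The field names, event shape and confirmation text are assumptions.

```javascript
// Added example: key names and event shape are hypothetical, not a vendor API.
// Identifier categories from section 2.A, mapped to assumed field names.
const PII_KEYS = new Set(['name', 'alias', 'postal_address', 'user_id', 'ip', 'email', 'ssn']);
const EMAIL_RE = /[^\s@/?&=]+@[^\s@/?&=]+\.[a-z]{2,}/gi;
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;

// "Sec-GPC: 1" is the request header a browser sends when Global Privacy Control is on.
function hasGpc(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Redact PII that leaks through free-text values, such as URLs with query strings.
function scrubValue(value) {
  if (typeof value !== 'string') return value;
  return value.replace(EMAIL_RE, '[redacted]').replace(SSN_RE, '[redacted]');
}

// Recursively drop PII-named keys and scrub the remaining string values.
function stripPii(obj) {
  if (Array.isArray(obj)) return obj.map(stripPii);
  if (obj === null || typeof obj !== 'object') return scrubValue(obj);
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    if (!PII_KEYS.has(k.toLowerCase())) out[k] = stripPii(v);
  }
  return out;
}

// Decide what, if anything, leaves the server-side container for a third party.
// On opt-out or GPC nothing is forwarded, and the caller shows the confirmation.
function prepareOutbound(headers, event, userOptedOut = false) {
  if (userOptedOut || hasGpc(headers)) {
    return { forward: false, payload: null, confirmation: 'Opt-out applied: your data will not be shared.' };
  }
  return { forward: true, payload: stripPii(event), confirmation: null };
}

// Constructed sample input (not real data).
const sampleEvent = {
  event: 'page_view',
  email: 'jane@example.com',
  ip: '203.0.113.7',
  page: { url: 'https://example.com/intake?email=jane@example.com', title: 'Intake' },
};
console.log(prepareOutbound({}, sampleEvent));
console.log(prepareOutbound({ 'Sec-GPC': '1' }, sampleEvent));
```

The nested `page.url` case is the one that key-based filtering alone misses: the `email` field is dropped, but the same address in the query string is only caught by the value scrub.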

