Product Privacy Policy
This Product Privacy Policy ("Privacy Policy") applies to products and services of CentralReach, LLC and its affiliates, including, without limitation, avail® by CentralReach, CR Essentials® by CentralReach, CR Assessments® by CentralReach, Thread Learning® by CentralReach, PrecisionX® by CentralReach, and LiftEd™ by CentralReach (“CentralReach,” “we,” “us,” and “our”).
We respect your privacy rights and value your trust. This Privacy Policy describes how we collect, receive, use, store, share, transfer, and process your personal information, as well as your rights in determining what we do with the information that we collect or hold about you.
This Privacy Policy describes how CentralReach collects and uses the personal information our customer organizations (“Customers”) provide in connection with our products and services (collectively “Products”). The use of information collected through our Products shall be limited to the purpose of providing the service for which our Customers have engaged CentralReach. We maintain a separate privacy policy with respect to our website. To view our Website Privacy Policy, click here.
Unless otherwise specified, this Privacy Policy applies in the same manner to you and your personal information.
This Privacy Policy does not apply to information collected by us offline or through any other means, including on any other website operated by CentralReach or any third party, or information collected by any third party through any application or content (including advertising) that may link to or be accessible from the Website (for further information, see below, “Do we link to other websites?”).
Please read this Privacy Policy carefully to understand our practices regarding your information and how we will treat it. If you do not agree with our policies and practices, then please do not use our products and services. By using our products and services, you agree to the terms of this Privacy Policy. This Privacy Policy may change from time to time (see below, “Changes”). Your continued use of our products and services after we make changes is deemed to be acceptance of those changes, so please check the Privacy Policy periodically for updates.
This Privacy Policy should be read in conjunction with the Terms of Service into which this Privacy Policy is incorporated by reference.
EU-U.S. Data Privacy Framework with UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework
CentralReach, LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CentralReach, LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. CentralReach, LLC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
In the context of onward transfers, CentralReach, LLC is accountable for the processing of personal data it receives, under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. CentralReach, LLC remains liable under the EU-U.S. DPF Principles, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles if the CentralReach, LLC’s agent processes personal information in a manner inconsistent with the EU-U.S. DPF Principles, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles, unless CentralReach, LLC proves that it is not responsible for the event giving rise to damage.
The Federal Trade Commission has jurisdiction over CentralReach’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, CentralReach may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, CentralReach, LLC commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact CentralReach, LLC at: privacy@centralreach.com.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, CentralReach, LLC commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.trustarc.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.
For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.
What information do we collect?
Our Products collect information used by our Customers to provide medical and related services. CentralReach’s Customers input data and information into CentralReach’s Products, and CentralReach processes such information on behalf of our Customers. Accordingly, CentralReach has no direct relationship with the individuals whose personal data it processes on behalf of our Customers. If you are a client or employee of one of our Customers and would no longer like to be contacted by that Customer or have any questions or concerns about data or information that Customer may have entered into our Products, please contact that Customer directly. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements between us and our Customers, and between us and such third parties.
For purposes of this Privacy Policy, "personal information" refers to information that relates directly or indirectly to an identified or identifiable individual ("you"). The personal information that we collect about you is dependent on our Customers use of the Products and the data that they enter into our Products relating to you, and varies depending on the services you are receiving from our Customer.
Information Collected Through Our Products
Our Products collect information about you entered by our Customers. Our Customers will collect information about you that they determine to be necessary or advisable in connection with the service they are providing to you. If you desire to obtain a specific list of all data collected about you, you must contact the Customer directly. CentralReach does not control or possess the data entered into our Products by our Customers.
In addition, Customers may enter certain information regarding their employees into our Products. If you are an employee of one of our Customers and desire to obtain a specific list of all data collected about you, you must contact the Customer employing you directly. CentralReach does not control or possess the employee data entered into our Products by our Customers.
Customers are solely responsible for providing all requisite notices to control or possess your data entered into our Products. Information about you that may be collected by our Customers in our Products are identified below.
| Category | Examples | Collected |
|---|---|---|
| Identifiers. | A real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name. | YES |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | YES |
| Protected classification characteristics. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO |
| Sensitive Personal Information. | Precise geolocation, Social Security number, driver’s license, state identification card, passport number, account log-in, financial account, debit card, credit card number with security, or access code or password, racial or ethnic origin, religious/philosophical beliefs, or union membership, contents of mail, email, and text messages, genetic data and processing of biometric information, health and sexual orientation. | YES |
| Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | YES |
| Internet or other similar network activity. | Browsing history, search history, information on a consumer's interaction with CentralReach’s website, application, or advertisement. | YES |
| Geolocation data. | Physical location or movements. | YES |
| Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| Professional or employment-related information. | Current or past job history or performance evaluations. | YES |
| Non-public education information. | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | YES |
| Inferences drawn from other Personal Information. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | YES |
Duration. The length of time we intend to retain each category of Personal Information, including sensitive Personal Information, if any, is for as long as reasonably necessary to carry out CentralReach’s intended business purpose for such information.
Information We Collect Automatically
While you use our Products, certain information, including personal information, is collected about your use of our Products, as follows:
Device and Usage Information: Information about your hardware and software, IP address, browser type and version, operating system, browsing history and page views, length of visit, referral/exiting sources, device identifiers such as Apple IDFA or Google Advertising ID, cookie identifiers, other pseudonymous identifiers, and information about the timing, frequency, and patterns of your usage.
Location Information: We may collect information about your actual or non-precise physical location when you voluntarily tell us, or when you provide this information via sharing your device's IP address or mobile device's GPS, Wi-Fi, or cellular signal information. You may control, enable or disable the use of location-based services from within your device's settings or mobile application's permissions.
Server log files: We automatically gather server log file information when you use our Products. This includes IP address, browser type, referring and exit web pages, and your operating system.
What is the information used for?
The information collected through our Products is used by CentralReach to provide our Customers with practice management, clinical and related cloud-based software solutions, which, among other things:
- Improves customer service
- Helps us administer your account
- Enables us to respond to your questions and concerns
- Facilitates customer relationships
- Allows us to render billing and invoicing services
- Obtains payment for health care services
- Provides health care operations
- Manages medical and/or health records
- Monitors treatment adherence
- Facilitates our Customers in rendering medical services
- Manages employment relationships
We collect and use personal information solely with the objective of fulfilling those purposes specified above and for other compatible purposes, unless you provide your consent or as required by law.
Do we disclose your information?
We share your personal information according to this Privacy Policy, with your consent or as necessary to provide you the products or services you request, as well as to operate our business. The ways in which we share your personal information are set forth below.
Third Party Service Providers/Vendors: We share your information with contracted third parties who provide services on our behalf to help with our business activities. These companies are authorized to use your personal information only as necessary to provide these services to us, pursuant to written instructions. In such cases, these companies must abide by our data privacy and security requirements, and are not allowed to use personally identifiable information, including protected health information, they receive from us for any other purpose. Representative business processes that our service providers/vendors assist us with may include:
- Promotional, marketing and sales efforts
- Network or cybersecurity monitoring and intrusion detection
- Web or application development/management
- Payment processing
- Insurance and payor invoicing
- Providing customer service
- Providing cloud computing infrastructure/storage/processing, etc.
- Technical administration, such as hosting, managing and maintaining our sites, services, applications, networks, etc.
- Analytics for research and development purposes, including products usage data, and benchmarking research and services on an de-identified basis.
- Educational development relating to training, certification, course development and related activities
Legal Compliance: In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Corporate Transactions: If CentralReach is involved in a merger, acquisition, dissolution, sale of all or a portion of its assets, or other fundamental corporate transaction, we reserve the right to sell or transfer your information as part of the transaction.
Artificial Intelligence: Some CentralReach products may provide you the opportunity to subscribe to artificial intelligence services (“AI Services”). If you choose to subscribe to AI Services, you grant CentralReach permission to use the data that you provide, including any Personal Information, in such AI Services in order to provide you the services that you have requested from CentralReach. You acknowledge and agree that it is your responsibility to obtain any required consents, and to comply with all applicable laws, with regard to providing data, including any Personal Information, to CentralReach for use in AI Services, and by subscribing to such AI Services you are representing and warranting to CentralReach that you have obtained all such consents and complied with all such laws. CentralReach’s AI Terms of Use Addendum applies to AI Services.
How can I exercise my choices?
Whenever possible and within its authority, CentralReach will offer you the opportunity to choose (opt-out) whether your personal information is to be used by CentralReach for a purpose other than the purpose for which it was originally collected or subsequently authorized by you. CentralReach will provide you with reasonable mechanisms to exercise your choices.
How can I access my account?
Our Customers access their accounts by password-protected logins as a part of their subscription to our Products and may enter and delete (subject to applicable law regarding medical records) information directly. An individual who seeks access, or who seeks to correct, amend, or delete data entered by one of our Customers should direct their inquiry directly to the Customer (the data controller). If requested by a Customer to remove data we will respond within a reasonable timeframe which will not exceed thirty (30) days or as otherwise required by law. If the process of removal will require in excess of thirty (30) days (or such other period as required by law) we will inform the Customer.
How long will my information be retained?
CentralReach will retain personal data we process on behalf of a Customer for as long as needed to provide services to such Customer. Our Customers are solely responsible for exporting all data stored in our Products prior to the termination of our services. CentralReach will retain all such data for a minimum of sixty (60) days after the termination of our services to a Customer as a safeguard in case the Customer requires more time to export its data. Customers will be responsible during this sixty (60) day period to make any requests for additional data. CentralReach reserves the right to retain such data beyond such sixty (60) day period to the extent CentralReach determines necessary to satisfy other reasonable business purposes, such as complying with legal obligations, resolving disputes, or enforcing our agreements.
Do our Products use web cookies, beacons, and widgets?
We may use cookies and similar tracking technologies, for example, to keep track of your session use within the Products. Cookies are also used to collect general usage and performance data, including volume statistical information that does not include personal information.
Most web browsers support cookies, and users can control the use of cookies at the individual browser level. Please note that if you choose to disable cookies, it may limit your use of certain features or functions on our Products.
We maintain a separate Cookie Policy. To learn more about cookies generally, including how to disable them, view our Website Cookie Policy.
International Transfer
To facilitate our operations, we may transfer, store and process your personal information in jurisdictions other than where you live, including in the United States. Laws in these countries may differ from the laws applicable to your country of residence. For instance, if you are a European Economic Area (EEA) data subject and your personal information is shared with our affiliates, partners, or third-party service providers acting on our behalf outside of the EEA, then it is done so pursuant to necessary means to ensure an adequate level of protection.
What rights do I have if I am a California consumer?
Pursuant to California Civil Code Section § 1798.83, we will not disclose or share your personal information with third parties for the purposes of third-party marketing to you without your prior consent.
Other than as disclosed in this Privacy Policy, our Products do not track users over time and across third-party websites to provide targeted advertising. Therefore, the Products do not operate any differently when they receive Do Not Track (“DNT”) signals from your internet web browser.
If you are a California consumer, as defined by the California Consumer Privacy Act of 2018 (“CCPA”), you may be afforded additional rights with respect to your “Personal Information” as that term is explicitly defined under California law. Any Personal Information we collect is collected for the commercial purpose of effectively providing our Products to you, as well as enabling you to learn more about, and benefit from, our Products. For purposes of our Products, CentralReach operates as a “service provider” under the CCPA. As such, and in line with other representations in this Privacy Policy, we may not have the authority to fulfill your requests under the CCPA and as provided in the below section of this Privacy Policy. Rather, you may need to direct such request to our Customers as “businesses” as defined under the CCPA.
What rights do I have if I am a European Union (“EU”), United Kingdom (“U.K”) or Swiss consumer?
Under the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, or “GDPR”, Swiss Federal Act of 25 September 202 on Data Protection (“FADP”), and the GDPR, as it forms part of the law of England and Wales, Scotland and Northern Ireland (“UK GDPR”) as provided in the U.K. Data Protection Act of 2018 (“DPA”), individuals in the EU, U.K. and Switzerland are afforded specific rights with respect to their Personal Information, or “personal data” as defined under the GDPR, FADP, UK GDPR and DPA. For the purposes of this Privacy Policy, the Company operates as a data processor. Any personal data provided to the Company is processed in the United States and under the terms of this Privacy Policy.
Any Personal Information we collect is collected for the commercial purpose of effectively providing our Products to you, as well as enabling you to learn more about, and benefit from, our Products. For purposes of our Products, CentralReach operates as a “data processor”. As such, and in line with other representations in this Privacy Policy, we may not have the authority to fulfill your requests under the GDPR, FADP, UK GDPR and DPA, and as provided in the below section of this Privacy Policy. Rather, you may need to direct such request to our Customers as “data controllers”.
U.S. State Privacy (e.g., California), EU, Swiss and U.K. Consumer Rights.
To the extent we have the authority to respond to your exercising of the rights below, you may do so subject to our verification of your identity. In the event you use a third party agent to make any such request of Central Reach under this section, we may require additional confirmation of your authorization of such a request before processing your request.
Access. You may email us at privacy@centralreach.com to request a copy of the Personal Information our Products databases currently contain.
Correction or Rectification. You can correct what Personal Information our Products databases currently contains by accessing your account linked to your Product directly, or by emailing us at privacy@centralreach.com to request that we correct or rectify any Personal Information that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause information to be incorrect. Where applicable, we will ensure such changes are shared with trusted third parties.
Automated Processing and Decision-Making. When applicable and to the extent our Products use automated processing and decision making, you may email us at privacy@centralreach.com to request that we stop using your Personal Information for automated processing, such as profiling. In your email, please explain how you wish us to restrict automated processing of your Personal Information. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent to the processing of your Personal Information.
Prohibit Data Sharing/Opt-out of Processing. When applicable, you may prohibit the sharing of your Personal Information by CentralReach submitting a request via email to privacy@centralreach.com. In your email, please explain how you wish us to prohibit the sharing of your personal data, and which categories of third parties you want to prohibit from receiving your Personal Information. When such prohibitions are not possible to provide our services to you, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy.
Portability. Upon request and when possible, we can provide you with copies of your Personal Information. You may submit a request via email to privacy@centralreach.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy.
Object to Processing. When applicable, you have the right to object to the processing of your Personal Information by submitting a request via email to privacy@centralreach.com. When such objections are not possible, (for example, such objection would make the use of our Products impossible), we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy, to include withdrawing your consent to the processing of your Personal Information. Where applicable, we will ensure such changes are shared with trusted third parties.
Deletion. If you should wish to cease use of our Products and have your Personal Information deleted from our Products, then you may submit a request by emailing us at privacy@centralreach.com. Upon receipt of such a request for deletion, we will confirm receipt and if you are our Customer, we will confirm once your Personal Information has been deleted, and if you are a client of one our Customers, we will forward your request to such Customer controlling your data. Where applicable, we will ensure such changes are shared with trusted third parties.
Withdrawing Consent. At any time, you may withdraw your consent to our processing of your Personal Information through our Products by notifying us via email at privacy@centralreach.com. Using the same email address associated with your Website account linked to the Products, simply type the words “WITHDRAW CONSENT” in the subject line of your email. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your Personal Information. Where applicable, we will ensure such changes are shared with trusted third parties.
We do not sell your Personal Information. If we ever decide to sell Personal Information, we will update you via this Privacy Policy and include a link entitled “Do Not Sell My Personal Information,” to provide you with an opportunity to opt out of sales of your Personal Information. In addition to the email address provided above, you may also submit requests at the following toll-free telephone number: 1-800-939-5414.
In addition, if a California, EU, U.K. or Swiss resident exercises their rights under applicable law, including the CCPA, GDPR, FADP, UK GDPR or DPA, we shall not discriminate against said resident by denying our goods or services, charging different prices or rates to similarly situated consumers, providing a different level or quality of our goods or services, or taking any other adverse action.
In accordance with and subject to then current requirements of the applicable laws, requests relating to the type of data we collect or process, or requests to delete data will be responded to within 10 business days of our receipt of the request, and completion of requested action shall occur within 45 days (or within 90 days if we advise you that additional time is required due to reasonable restraints, limitations or conditions).
How do you secure my information?
We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. To report a security violation, please promptly call us at 1-800-939-5414 or email us at privacy@centralreach.com.
Changes
CentralReach may revise and update this Privacy Policy at any time, without notice to you. If we propose to make any material changes, we will notify you by means of a notice on this page prior to the change becoming effective. We encourage you to periodically reread this Privacy Policy, to see if there have been any changes to our policies that may affect you.
Contacting Us
If there are any questions regarding on our Privacy Policy please write to us at the below address or email us at: privacy@centralreach.com. We will respond to your concerns within 30 days of receipt or as otherwise required by applicable law.
CentralReach, LLC
ATTN: Privacy Officer
101 Crawfords Corner Road, Suite 2201
Holmdel, New Jersey 07733
Effective Date: February 21, 2025