Product Privacy Policy

This Product Privacy Policy ("Privacy Policy") applies to products and services of CentralReach, LLC and its affiliates, including, without limitation, avail® by CentralReach, CR Essentials® by CentralReach, CR Assessments® by CentralReach, Thread Learning® by CentralReach, PrecisionX® by CentralReach, and LiftEd™ by CentralReach (“CentralReach,” “we,” “us,” and “our”).

 

We respect your privacy rights and value your trust. This Privacy Policy describes how we collect, receive, use, store, share, transfer, and process your personal information, as well as your rights in determining what we do with the information that we collect or hold about you.

 

This Privacy Policy describes how CentralReach collects and uses the personal information our customer organizations (“Customers”) provide in connection with our products and services (collectively “Products”). The use of information collected through our Products shall be limited to the purpose of providing the service for which our Customers have engaged CentralReach. We maintain a separate privacy policy with respect to our website. To view our Website Privacy Policy, click here.

 

Unless otherwise specified, this Privacy Policy applies in the same manner to you and your personal information.

 

This Privacy Policy does not apply to information collected by us offline or through any other means, including on any other website operated by CentralReach or any third party, or information collected by any third party through any application or content (including advertising) that may link to or be accessible from the Website (for further information, see below, “Do we link to other websites?”).

 

Please read this Privacy Policy carefully to understand our practices regarding your information and how we will treat it. If you do not agree with our policies and practices, then please do not use our products and services. By using our products and services, you agree to the terms of this Privacy Policy. This Privacy Policy may change from time to time (see below, “Changes”). Your continued use of our products and services after we make changes is deemed to be acceptance of those changes, so please check the Privacy Policy periodically for updates.

 

This Privacy Policy should be read in conjunction with the Terms of Service into which this Privacy Policy is incorporated by reference.

 

EU-U.S. Data Privacy Framework with UK Extension, and Swiss-U.S. Data Privacy Framework
CentralReach participates in and has certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. CentralReach has certified to the U.S Department of Commerce that it adheres to the EU-US Data Privacy Framework principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S DPF and from the United Kingdom (and Gibraltar) under the UK Extension to the EU-U.S DPF. CentralReach has certified to the U.S Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF), and to view our certification, visit https://www.dataprivacyframework.gov.

 

CentralReach is responsible for the processing of personal data it receives, under each Data Privacy Framework, and subsequently transfers to a third party acting as an agent on its behalf. CentralReach complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, the UK and Switzerland, including the onward transfer liability provisions.

 

The Federal Trade Commission has jurisdiction over CentralReach’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, CentralReach may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, CentralReach commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.

 

Under certain conditions, more fully described on the Data Privacy Framework website at https://www.dataprivacyframework.gov/s/article/How-to-Submit-a-Complaint-Relating-to-a-Participating-Organization-s-Compliance-with-the-DPF-Principles-dpf, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

 

What information do we collect?
Our Products collect information used by our Customers to provide medical and related services. CentralReach’s Customers input data and information into CentralReach’s Products, and CentralReach processes such information on behalf of our Customers. Accordingly, CentralReach has no direct relationship with the individuals whose personal data it processes on behalf of our Customers. If you are a client or employee of one of our Customers and would no longer like to be contacted by that Customer or have any questions or concerns about data or information that Customer may have entered into our Products, please contact that Customer directly. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements between us and our Customers, and between us and such third parties.

 

For purposes of this Privacy Policy, "personal information" refers to information that relates directly or indirectly to an identified or identifiable individual ("you"). The personal information that we collect about you is dependent on our Customers use of the Products and the data that they enter into our Products relating to you, and varies depending on the services you are receiving from our Customer.

 

Information Collected Through Our Products
Our Products collect information about you entered by our Customers. Our Customers will collect information about you that they determine to be necessary or advisable in connection with the service they are providing to you. If you desire to obtain a specific list of all data collected about you, you must contact the Customer directly. CentralReach does not control or possess the data entered into our Products by our Customers.

 

In addition, Customers may enter certain information regarding their employees into our Products. If you are an employee of one of our Customers and desire to obtain a specific list of all data collected about you, you must contact the Customer employing you directly. CentralReach does not control or possess the employee data entered into our Products by our Customers.

 

Customers are solely responsible for providing all requisite notices to control or possess your data entered into our Products. Information about you that may be collected by our Customers in our Products include:

Category Examples Collected
Identifiers. A real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name. YES
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. YES
Protected classification characteristics. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). YES
Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. NO
Sensitive Personal Information. Precise geolocation, Social Security number, driver’s license, state identification card, passport number, account log-in, financial account, debit card, credit card number with security, or access code or password, racial or ethnic origin, religious/philosophical beliefs, or union membership, contents of mail, email, and text messages, genetic data and processing of biometric information, health and sexual orientation. YES
Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. YES
Internet or other similar network activity. Browsing history, search history, information on a consumer's interaction with CentralReach’s website, application, or advertisement. YES
Geolocation data. Physical location or movements. YES
Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. NO
Professional or employment-related information. Current or past job history or performance evaluations. YES
Non-public education information. Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. YES
Inferences drawn from other Personal Information. Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. YES

Information We Collect Automatically
While you use our Products, certain information, including personal information, is collected about your use of our Products, as follows:

 

Device and Usage Information: Information about your hardware and software, IP address, browser type and version, operating system, browsing history and page views, length of visit, referral/exiting sources, device identifiers such as Apple IDFA or Google Advertising ID, cookie identifiers, other pseudonymous identifiers, and information about the timing, frequency, and patterns of your usage.

 

Location Information: We may collect information about your actual or non-precise physical location when you voluntarily tell us, or when you provide this information via sharing your device's IP address or mobile device's GPS, Wi-Fi, or cellular signal information. You may control, enable or disable the use of location-based services from within your device's settings or mobile application's permissions.

 

Server log files: We automatically gather server log file information when you use our Products. This includes IP address, browser type, referring and exit web pages, and your operating system.

 

What is the information used for?
The information collected through our Products is used by CentralReach to provide our Customers with practice management, clinical and related cloud-based software solutions, which, among other things:

 

We collect and use personal information solely with the objective of fulfilling those purposes specified above and for other compatible purposes, unless you provide your consent or as required by law.

 

Do we disclose your information?
We share your personal information according to this Privacy Policy, with your consent or as necessary to provide you the products or services you request, as well as to operate our business. The ways in which we share your personal information are set forth below.

 

Third Party Service Providers/Vendors: We share your information with contracted third parties who provide services on our behalf to help with our business activities. These companies are authorized to use your personal information only as necessary to provide these services to us, pursuant to written instructions. In such cases, these companies must abide by our data privacy and security requirements, and are not allowed to use personally identifiable information, including protected health information, they receive from us for any other purpose. Representative business processes that our service providers/vendors assist us with may include:

 

Legal Compliance: In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

 

Corporate Transactions: If CentralReach is involved in a merger, acquisition, dissolution, sale of all or a portion of its assets, or other fundamental corporate transaction, we reserve the right to sell or transfer your information as part of the transaction.

 

Artificial Intelligence: Some CentralReach products may provide you the opportunity to subscribe to artificial intelligence services (“AI Services”). If you choose to subscribe to AI Services, you grant CentralReach permission to use the data that you provide, including any Personal Information, in such AI Services in order to provide you the services that you have requested from CentralReach. You acknowledge and agree that it is your responsibility to obtain any required consents, and to comply with all applicable laws, with regard to providing data, including any Personal Information, to CentralReach for use in AI Services, and by subscribing to such AI Services you are representing and warranting to CentralReach that you have obtained all such consents and complied with all such laws. CentralReach’s AI Terms of Use Addendum applies to AI Services.

 

How can I exercise my choices?
Whenever possible and within its authority, CentralReach will offer you the opportunity to choose (opt-out) whether your personal information is to be used by CentralReach for a purpose other than the purpose for which it was originally collected or subsequently authorized by you. CentralReach will provide you with reasonable mechanisms to exercise your choices.

 

How can I access my account?
Our Customers access their accounts by password-protected logins as a part of their subscription to our Products and may enter and delete (subject to applicable law regarding medical records) information directly. An individual who seeks access, or who seeks to correct, amend, or delete data entered by one of our Customers should direct their inquiry directly to the Customer (the data controller). If requested by a Customer to remove data we will respond within a reasonable timeframe which will not exceed thirty (30) days or as otherwise required by law. If the process of removal will require in excess of thirty (30) days (or such other period as required by law) we will inform the Customer.

 

How long will my information be retained?
CentralReach will retain personal data we process on behalf of a Customer for as long as needed to provide services to such Customer. Our Customers are solely responsible for exporting all data stored in our Products prior to the termination of our services. CentralReach will retain all such data for a minimum of sixty (60) days after the termination of our services to a Customer as a safeguard in case the Customer requires more time to export its data. Customers will be responsible during this sixty (60) day period to make any requests for additional data. CentralReach reserves the right to retain such data beyond such sixty (60) day period to the extent CentralReach determines necessary to satisfy other reasonable business purposes, such as complying with legal obligations, resolving disputes, or enforcing our agreements.

 

Do our Products use web cookies, beacons, and widgets?
We may use cookies and similar tracking technologies, for example, to keep track of your session use within the Products. Cookies are also used to collect general usage and performance data, including volume statistical information that does not include personal information.

 

Most web browsers support cookies, and users can control the use of cookies at the individual browser level. Please note that if you choose to disable cookies, it may limit your use of certain features or functions on our Products.

 

We maintain a separate Cookie Policy. To learn more about cookies generally, including how to disable them, view our Website Cookie Policy.

 

International Transfer
To facilitate our operations, we may transfer, store and process your personal information in jurisdictions other than where you live, including in the United States. Laws in these countries may differ from the laws applicable to your country of residence. For instance, if you are a European Economic Area (EEA) data subject and your personal information is shared with our affiliates, partners, or third-party service providers acting on our behalf outside of the EEA, then it is done so pursuant to necessary means to ensure an adequate level of protection.

 

What rights do I have if I am a California consumer?
Pursuant to California Civil Code Section § 1798.83, we will not disclose or share your personal information with third parties for the purposes of third-party marketing to you without your prior consent.

 

Other than as disclosed in this Privacy Policy, our Products do not track users over time and across third-party websites to provide targeted advertising. Therefore, the Products do not operate any differently when they receive Do Not Track (“DNT”) signals from your internet web browser.

 

If you are a California consumer, as defined by the California Consumer Privacy Act of 2018 (“CCPA”), you may be afforded additional rights with respect to your “Personal Information” as that term is explicitly defined under California law. Any Personal Information we collect is collected for the commercial purpose of effectively providing our Products to you, as well as enabling you to learn more about, and benefit from, our Products. For purposes of our Products, Central Reach operates as a “service provider” under the CCPA. As such, and in line with other representations in this Privacy Policy, we may not have the authority to fulfill your requests under the CCPA and as provided in this section of this Privacy Policy. Rather, you may need to direct such request to our Customers as “businesses” as defined under the CCPA.

 

To the extent we have the authority to respond to your exercising of the rights below, you may do so subject to our verification of your identity. In the event you use a third party agent to make any such request of Central Reach under this section, we may require additional confirmation of your authorization of such a request before processing your request.

 

Access: You may email us at privacy@centralreach.com to request a copy of the Personal Information our Products databases currently contain.

 

Prohibit Data Sharing. When applicable, you may prohibit the sharing of your Personal Information by CentralReach submitting a request via email to privacy@centralreach.com. In your email, please explain how you wish us to prohibit the sharing of your personal data, and which categories of third parties you want to prohibit from receiving your Personal Information. When such prohibitions are not possible to provide our services to you, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy.

 

Portability. Upon request and when possible, we can provide you with copies of your Personal Information. You may submit a request via email to privacy@centralreach.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy.

 

Deletion. If you should wish to cease use of our Products and have your Personal Information deleted from our Products, then you may submit a request by emailing us at privacy@centralreach.com. Upon receipt of such a request for deletion, we will confirm receipt and if you are our Customer, we will confirm once your Personal Information has been deleted, and if you are a client of one our Customers, we will forward your request to such Customer controlling your data. Where applicable, we will ensure such changes are shared with trusted third parties.

 

We do not sell your Personal Information. If we ever decide to sell Personal Information, we will update you via this Privacy Policy and include a link entitled “Do Not Sell My Personal Information,” to provide you with an opportunity to opt out of sales of your Personal Information. In addition to the email address provided above, you may also submit requests at the following toll-free telephone number: 1-800-939-5414.

 

In addition, if a California resident exercises his or her rights under California law, including the CCPA, we shall not discriminate against that California resident by denying our goods or services, charging different prices or rates to similarly situated consumers, providing a different level or quality of our goods or services, or taking any other adverse action.

 

In accordance with and subject to then current requirements of the CCPA, requests from California residents relating to the type of data we collect or process, or requests to delete data will be responded to within 10 business days of our receipt of the request, and completion of requested action shall occur within 45 days (or within 90 days if we advise you that additional time is required due to reasonable restraints, limitations or conditions).

 

How do you secure my information?
We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. To report a security violation, please promptly call us at 1-800-939-5414 or email us at privacy@centralreach.com.

 

Changes
CentralReach may revise and update this Privacy Policy at any time, without notice to you. If we propose to make any material changes, we will notify you by means of a notice on this page prior to the change becoming effective. We encourage you to periodically reread this Privacy Policy, to see if there have been any changes to our policies that may affect you.

 

Contacting Us
If there are any questions regarding on our Privacy Policy please write to us at the below address or email us at: privacy@centralreach.com. We will respond to your concerns within 30 days of receipt or as otherwise required by applicable law.

 

CentralReach, LLC
ATTN: Privacy Officer
101 Crawfords Corner Road, Suite 2201
Holmdel, New Jersey 07733

 

Effective Date: January 17, 2024