Privacy Policy

We collect the following categories of information:

Information you provide directly. When you complete a contact form, consultation request, insurance verification form, newsletter subscription, or other interactive feature on the Site, we collect the information you submit. This typically includes your name, email address, telephone number, and the content of your inquiry. Insurance verification submissions may include insurance carrier name, member ID, group number, and a brief description of your treatment interest. We ask that you do not include detailed medical history, diagnoses, or other sensitive health information in general website forms.

Information collected automatically. When you visit the Site, our servers and analytics tools automatically collect technical information including your IP address (hashed before storage where feasible), browser type and version, device type, operating system, referring URL, pages visited, date and time of visit, and approximate geographic location derived from IP address.

Cookies and similar technologies. We use first-party cookies necessary for Site functionality (for example, CSRF protection on forms) and may use analytics cookies to measure Site performance. You can disable cookies through your browser settings, though some Site functions may not work correctly if you do.

We use the information described above to:

• Respond to your inquiries, schedule consultations, and provide the information you have requested;
• Verify insurance benefits and coordinate authorization for services you are exploring;
• Operate, maintain, secure, and improve the Site;
• Send transactional communications (appointment confirmations, replies to inquiries);
• Send marketing or educational communications only where you have opted in, and only until you opt out;
• Detect, prevent, and respond to fraud, abuse, security incidents, and unlawful activity;
• Comply with applicable legal obligations and respond to lawful requests from public authorities.

We do not use information collected through the Site to make automated decisions that produce legal or similarly significant effects concerning you.

We share information only as described below:

Service providers. We share information with vendors that perform services on our behalf — for example, website hosting, analytics, email delivery, CRM and lead management, and insurance verification support. These providers are contractually limited to using your information for the purposes for which we engaged them.

Legal and safety. We may disclose information when required by law, subpoena, court order, or other legal process, or where we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of Healing TMS Clinic, our patients, our staff, or the public.

Business transfers. In the event of a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to the receiving party's commitment to honor this Privacy Policy.

With your consent. We share information for any other purpose disclosed to you at the time we collect it or with your express consent.

We do not sell personal information as the term "sell" is defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"). We do not share personal information for cross-context behavioral advertising.

We maintain administrative, technical, and physical safeguards designed to protect information against loss, misuse, unauthorized access, disclosure, alteration, and destruction. These include encryption in transit (TLS), restricted access on a need-to-know basis, security headers on the Site, rate limiting on submission endpoints, and ongoing monitoring. No method of transmission over the internet or method of electronic storage is, however, 100% secure.

We retain information collected through the Site only as long as reasonably necessary for the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements. Inquiry records are typically retained for the duration of the inquiry plus a reasonable follow-up period; analytics data is retained according to the configured retention windows of our analytics provider. PHI collected in the course of treatment is retained according to the longer of the period required by California law and the period described in our HIPAA Notice of Privacy Practices.

If you are a California resident, you have the following rights with respect to personal information we have collected about you:

• Right to know the categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we have shared the information.
• Right to delete personal information we have collected from you, subject to applicable exceptions (for example, when retention is required to complete a transaction, comply with a legal obligation, or detect security incidents).
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. (As stated above, we do not sell or share personal information for cross-context behavioral advertising.)
• Right to limit the use of sensitive personal information, where such use exceeds what is reasonably necessary to provide the goods or services you have requested.
• Right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact us using the information in Section 10. We will verify your request using information sufficient to confirm you are the person to whom the personal information relates. You may designate an authorized agent to make a request on your behalf in accordance with applicable law.

The Site is intended for adults. We do not knowingly collect personal information from children under 13. Clinical care for adolescent patients is provided through our clinical intake processes and is governed by HIPAA and applicable law, not by this Site Privacy Policy.

The Site may contain links to third-party websites and services we do not control. This Privacy Policy does not apply to those third-party properties. We encourage you to review the privacy practices of any third party before providing information.

We may update this Privacy Policy from time to time. Material changes will be reflected by an updated "Effective Date" and "Last Updated" date at the top of this page, and where appropriate by a more prominent notice on the Site. Your continued use of the Site after an update constitutes acceptance of the revised Privacy Policy.

If you have questions about this Privacy Policy or want to exercise a privacy right described above, contact our Privacy Officer:

Healing TMS Clinic — Privacy Officer Nestor C., Practice Manager 5475 East La Palma Avenue, Suite 204 Anaheim, CA 92807 Email: nestor@htmsclinic.com Telephone: (657) 656-5611

For matters concerning Protected Health Information specifically, please refer to the HIPAA Notice of Privacy Practices, which describes how PHI is handled and how to file a HIPAA-specific complaint.