Privacy Policy

Privacy Policy

Effective Date: August 12, 2025
Last Reviewed: August 12, 2025

ReNewNM Therapy, LLC (“ReNewNM Therapy,” “we,” “our,” or “us“) respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit renewnmtherapy.com (the “Site”), schedule or receive our services, or otherwise interact with us.

HIPAA Notice

If you are a client or prospective client, the confidentiality of your health‑related information is also protected under the Health Insurance Portability and Accountability Act (HIPAA). Our separate Notice of Privacy Practices describes, in detail, our legal duties and your rights with respect to your Protected Health Information (PHI). This website Privacy Policy supplements—but does not replace—those HIPAA obligations.

1. Scope & Application

This Policy applies to the personal information of all website visitors, registered users, prospective or current clients, job applicants, and other individuals whose data we process. It covers information collected online, by phone, in‑person, or via third‑party platforms (e.g., telehealth portals, appointment‑scheduling tools, or electronic health‑records vendors).

We use UserCentrics as our consent‑management platform. When you first arrive on the Site, you will see a banner that lets you accept, decline, or customize cookies and similar technologies, including exercising global opt‑out signals such as Global Privacy Control (GPC).

2. Information We Collect

2.1 Information You Provide Voluntarily

• Contact information (name, postal address, email, phone)
• Account credentials (username, password) if you create an online account
• Appointment & billing information (insurance details, payment card data)
• Communications you send to us (emails, phone calls, form submissions)
• Feedback & survey responses

2.2 Health & Therapy‑Related Information (PHI)

If you inquire about or receive counseling or therapy services, we may collect PHI such as treatment history, clinical notes, or demographic data. PHI is handled in accordance with HIPAA and applicable state law.

2.3 Information Collected Automatically

When you browse the Site or open our emails, we and our service providers automatically collect:

• Log and usage data (IP address, browser type, referring URL, pages visited, date/time stamps)
• Device data (device IDs, operating system, mobile network information)
• Cookies & tracking technologies (see Section 8)

2.4 Information from Third Parties

We may obtain information about you from insurance companies, referral partners, analytics providers, scheduling platforms, or payment processors, consistent with your privacy settings and their policies.

3. How We Use Your Information

We process personal information for the following purposes and legal bases:

Purpose	Legal Basis (GDPR)
Provide, schedule, and manage therapy services; process payments & insurance claims	Contract performance; legal obligation
Operate, secure, and improve the Site; debug & monitor usage	Legitimate interests
Communicate with you about appointments, resources, newsletters (marketing messages are sent only with your consent)	Consent; legitimate interests
Personalize content and measure marketing effectiveness	Consent; legitimate interests
Conduct analytics & performance tracking	Legitimate interests
Protect rights, security, health, or property of clients and the public	Legal obligation; vital interests
Comply with HIPAA, tax, and other regulations	Legal obligation
Detect, prevent, and respond to fraud or security incidents	Legitimate interests; legal obligation
Automated decision‑making & profiling (e.g., to suppress remarketing ads for minors or sensitive conditions)	Legitimate interests; consent where required

We do not use fully automated decisions that produce legal or similarly significant effects without human review.

4. How We Share Information

We do not sell personal information. We share data only as outlined below and under data‑processing agreements that restrict further use:

Recipient	Purpose
Service Providers / “Contractors” (cloud hosting, appointment scheduling, UserCentrics CMP, email & SMS delivery, analytics, marketing tools, payment processors)	Operate Site & services on our behalf
Professional Advisors (auditors, attorneys, accountants)	Business operations, compliance
Authorities & Law Enforcement	Respond to legal requests, protect rights & safety
Business Transfers	Corporate transactions (merger, acquisition, asset sale) subject to confidentiality

We enter into Data Processing Agreements (DPAs) with all processors that access personal information.

5. Data Storage & Protection

• Hosting Locations: U.S.‑based, HIPAA compliant secure servers. International transfers (e.g., to EU‑based subcontractors) occur under Standard Contractual Clauses (SCCs) or other lawful mechanisms.
• Encryption: TLS for data in transit and industry‑standard encryption for data at rest where feasible.
• Access Controls: Role‑based access, MFA, and least‑privilege principles.
• Monitoring & Audits: Continuous security monitoring, vulnerability scanning, annual penetration tests.
• Retention: We keep data only as long as necessary to fulfill the purposes described above and to meet legal or regulatory record‑keeping requirements (e.g., psychotherapy notes retention under New Mexico law).

6. Data Breach Notification

We maintain an Incident Response Plan that complies with the HIPAA Breach Notification Rule, GDPR Articles 33‑34, and applicable U.S. state breach‑notification statutes. If a breach poses a significant risk to your rights and freedoms, we will notify affected individuals and relevant regulators without undue delay, but no later than the timelines required by law.

7. International Transfers

If you access the Site from outside the United States, understand that your information will be transferred to—and processed in—the United States, which may have different data‑protection standards than your home jurisdiction. We rely on SCCs, adequacy decisions, or your explicit consent for such transfers when required by law.

8. Cookies & Tracking Technologies

We use first‑party and third‑party cookies, pixels, and scripts for site functionality, analytics, personalization, and advertising.
UserCentrics CMP enables you to:

1. Accept All cookies
2. Reject Non‑Essential cookies
3. Customize Preferences by cookie category

We honor the Global Privacy Control (GPC) browser signal as an opt‑out of the sale or sharing of personal information and out of targeted advertising, in jurisdictions where such recognition is mandated.

For details, view our full Cookie Policy at renewnmtherapy.com/cookies.

9. Your Privacy Rights

9.1 HIPAA Rights

See our Notice of Privacy Practices.

9.2 GDPR / UK GDPR Rights

• Right of access, rectification, erasure, restriction, data portability, objection, and withdraw consent.
• Right to lodge a complaint with a supervisory authority.
  EU data subjects may contact our EU representative at euprivacy@renewnmtherapy.com.

9.3 U.S. State Privacy Rights

We provide the following additional disclosures and rights for residents of California, Colorado, Connecticut, Utah, Virginia, Texas, and Florida:

Right	Description	How to Exercise
Know / Access	Request the categories and specific pieces of personal information collected, sources, purposes, and categories disclosed.	Email or call (see Section 12).
Delete	Request deletion of personal information, subject to legal exceptions.	Same as above
Correct	Request correction of inaccurate personal information.	Same as above
Opt‑Out of Sale / Sharing / Targeted Ads	We do not sell personal information. If we ever do, or if we share data for cross‑context behavioral advertising, you may opt out via “Do Not Sell or Share My Personal Information” link or via the GPC signal.	CMP banner, footer links, or contact us
Limit Use of Sensitive PI	Limit processing of SPI to permitted purposes.	Same as above
No Discrimination	Receive equal service and price even if you exercise privacy rights.	—

9.3.1 CPRA/CPPA Sensitive Personal Information (SPI) We Collect

Therapy & mental‑health data, biometric identifiers (if collected for telehealth identity verification), precise geolocation (only if you enable it), race/ethnicity (optional), and payment information. We do not use SPI for purposes beyond those allowed by law without your consent.

A complete table describing Categories of PI Collected → Sources → Business/Commercial Purposes → Categories Disclosed in the past 12 months is provided in Appendix A.

10. Children’s Privacy

The Site is not directed to children under 18. We do not knowingly collect personal information from minors without verifiable parental consent. If we learn that we have inadvertently done so, we will delete such data promptly. Parents may contact us to review, correct, or delete a child’s information.

11. Accessibility

We strive to make this Privacy Policy accessible to individuals with disabilities. Alternative formats are available upon request by contacting us.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, or if you wish to exercise your rights, please contact us:

• Email: staff@renewnmtherapy.com
• Phone: +1 (505) 207‑8580
• Mail: ReNewNM Therapy, LLC
  6330 Riverside Plaza Lane, Suite 210
  Albuquerque, NM 87109 USA

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, or our practices. We will post the revised Policy on this page with a new “Last Reviewed” date, and will notify you of material changes via email or a Site banner when required.

By continuing to use our Site or services after such changes take effect, you acknowledge the revised Privacy Policy.

Appendix A – California Personal Information Chart (Last 12 Months)

Category of PI (Cal. Civ. Code §1798.140)	Examples	Collected	Sources	Business / Commercial Purpose	Disclosed for Business Purpose	Sold / Shared
A. Identifiers	Real name, postal address, email, IP address	✔	Directly from you; cookies	Account creation; service delivery; billing	Service providers	❌
B. Customer records	Name, address, phone, insurance, payment card	✔	Directly from you	Billing; claims; support	Billing & insurance partners	❌
C. Protected classifications	Gender, age, race (optional)	⚠ (if provided)	Directly from you	Service personalization; required reporting	Service providers	❌
D. Commercial information	Transaction details, appointment history	✔	Directly from you; portal	Service delivery; analytics	Service providers	❌
E. Biometric information	Audio/video recordings for telehealth	⚠ (if used)	Directly from you	Identity verification; treatment	Telehealth vendor	❌
F. Internet & network activity	Browsing history, interactions with Site	✔	Cookies	Analytics; security	Analytics vendors	❌
G. Geolocation	Approximate location via IP; precise (opt‑in)	✔ / ⚠	Cookies; your device	Content personalization; fraud‑detection	Service providers	❌
H. Sensory data	Voicemails, call recordings (support)	✔	Phone system	Quality assurance	Service providers	❌
I. Professional or employment info	Occupation (if provided during intake)	⚠	Directly from you	Treatment planning	—	❌
J. Education info	Education history (if provided)	⚠	Directly from you	Treatment planning	—	❌
K. Inferences	Profile preferences derived from other PI	✔	Analytics tools	Personalization	Service providers	❌

⚠ = collected only if voluntarily provided or necessary for a particular service.