Pricing Security
Start 14-day free trial See plans
Legal

California Privacy Rights Addendum

Last updated: July 8, 2026

This California Privacy Rights Addendum (“Addendum”) supplements our Privacy Policy and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this Addendum to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, the “CCPA”). Any terms defined in the CCPA have the same meaning when used in this Addendum. In the event of a conflict between this Addendum and our Privacy Policy with respect to California consumers, this Addendum controls.

Information Exempt From This Addendum (HIPAA / Medical Information)

The CCPA does not apply to protected health information (“PHI”) collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), or to medical information governed by California's Confidentiality of Medical Information Act (“CMIA”).

Because we operate the Platform as a Business Associate to Health Care Providers, PHI and medical information we process on a Provider's behalf are exempt from the CCPA and are instead governed by HIPAA, the CMIA, and the applicable Business Associate Agreement. This Addendum therefore applies only to personal information that is not exempt — for example, account registration information, billing and subscription information, marketing preferences, and website/application usage data.

Information We Collect

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). Within the last twelve (12) months, we have collected the following categories of personal information (excluding HIPAA/CMIA-exempt information described above):

  • A. Identifiers — such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, or account name.
  • B. California Customer Records information — such as name, contact information, and payment/billing information.
  • C. Protected classification characteristics — we do not intentionally collect these for non-exempt purposes.
  • D. Commercial information — such as records of products or services purchased or subscriptions obtained.
  • E. Biometric information — not collected.
  • F. Internet or other network activity — such as browsing activity on our website and application interaction information.
  • G. Geolocation dataapproximate location (such as city and state) derived from IP address. We do not collect precise geolocation.
  • H. Sensory data — audio processed transiently to provide session and optional AI Notes features (to the extent not exempt as PHI).
  • I. Professional or employment-related information — such as a Provider's specialty, NPI, or practice information.
  • J. Non-public education information — not collected.
  • K. Inferences — limited inferences drawn to operate and improve the Platform.

We obtain these categories of personal information from you directly, automatically through your use of the Platform, and from service providers acting on our behalf.

Sensitive Personal Information

The CCPA defines certain information as “sensitive personal information” (“SPI”), such as precise geolocation, account log-in credentials, and the contents of certain communications. We collect account log-in credentials to authenticate you. We do not collect precise geolocation (our geolocation is approximate only), and we do not use or disclose SPI for the purpose of inferring characteristics about you. We use SPI only for the purposes permitted by the CCPA without a right to limit (such as providing the Platform you request and securing your account). PHI is exempt and is handled under HIPAA and the applicable BAA.

Use of Personal Information

We may use the personal information we collect to: create and manage your account; provide, support, and secure the Platform; process transactions and subscriptions; administer referral and promotional programs; communicate with you, including service and (with your consent where required) marketing messages; detect and prevent fraud and abuse; and comply with legal obligations and respond to lawful requests.

Sharing Personal Information

We may disclose personal information to service providers and contractors who process it on our behalf and for our business purposes, under written contracts that restrict their use of the information. The categories of personal information we have disclosed for a business purpose in the last twelve (12) months include Identifiers, California Customer Records information, Commercial information, Internet activity, and approximate Geolocation data.

No Sale or Sharing of Personal Information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. In the preceding twelve (12) months, we have not sold or shared the personal information of consumers, including the personal information of consumers we actually know are under 16 years of age.

Your California Privacy Rights

Subject to certain exceptions and to the HIPAA/CMIA exemption above, California consumers have the following rights:

  • Right to Know / Access. You may request that we disclose the categories and specific pieces of personal information we collected about you, the categories of sources, the business or commercial purpose for collecting it, and the categories of third parties to whom we disclosed it.
  • Right to Data Portability. You may request a copy of your personal information in a portable format.
  • Right to Delete. You may request that we delete personal information we collected from you, subject to exceptions (such as completing a transaction, detecting fraud, or complying with a legal obligation).
  • Right to Correct. You may request that we correct inaccurate personal information we maintain about you.
  • Right to Opt Out of Sale or Sharing. Because we do not sell or share personal information, there is nothing to opt out of; if this changes, we will update this Addendum and provide a “Do Not Sell or Share My Personal Information” mechanism.
  • Right to Limit Use of Sensitive Personal Information. Because we do not use or disclose SPI for purposes that trigger this right, no limitation mechanism is required; if this changes, we will provide a “Limit the Use of My Sensitive Personal Information” mechanism.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.

Global Privacy Control and Opt-Out Preference Signals

Where we engage in activity for which an opt-out is required, we will treat a recognized opt-out preference signal, such as the Global Privacy Control (GPC), as a valid request to opt out for that browser or device. Because we do not currently sell or share personal information, no opt-out is presently required.

Retention of Personal Information

We retain each category of personal information for as long as reasonably necessary for the purpose for which it was collected, to provide the Platform, and to comply with our legal obligations. For example, account and billing information is retained while your account is active and for a reasonable period afterward; website/log data is retained for a limited period for security and operations. Retention of PHI is governed by HIPAA and the applicable BAA. See the “Data Retention” section of our Privacy Policy for additional detail.

Exercising Your Rights to Know, Delete, or Correct

To exercise the rights described above, please submit a verifiable consumer request to us by either:

  • Email: request@hipaalink.net or contact@hipaalink.net
  • Mail: HIPAALINK.net, Inc., Attn: CA Privacy Dept., 744 South Street #1081, Philadelphia, PA 19147

Only you, or someone legally authorized to act on your behalf (an “authorized agent”), may make a verifiable consumer request related to your personal information. We must be able to verify your identity or authority to make the request before responding. We cannot respond to your request or provide personal information if we cannot verify your identity or authority and confirm that the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us.

Response Timing and Format

We will confirm receipt of your request within ten (10) business days. We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to a total of 90 days), we will inform you of the reason and extension period in writing. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights, including by denying you services, charging different prices or rates, or providing a different level or quality of services. We may offer certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels; any such incentive will be provided consistent with the CCPA, and you may withdraw from it at any time.

Changes to This Addendum

We reserve the right to amend this Addendum at our discretion and at any time. When we make changes, we will post the updated Addendum and revise the “Last updated” date.

Contact Information

If you have any questions or comments about this Addendum, our Privacy Policy, or our privacy practices, please contact us at request@hipaalink.net.