Privacy Policy

Effective Date: October 8, 2024

Aretetic LLC ("Aretetic," "we," "us," or "our") is committed to protecting the privacy of our customers, users, and employees. This Privacy Policy explains how we collect, use, and share personal information, as well as your rights under the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). This policy applies to all data collected by Aretetic and outlines how we ensure compliance with relevant privacy laws.

1. Data Collection

Aretetic collects personal information from various sources, including:

  • Data provided directly by individuals, such as protected health information (PHI), personally identifiable information (PII), and other sensitive data.
  • Data automatically collected through your use of our services, including logs, analytics data, and metadata.
  • Data from third-party services that are integrated into our platform.

Types of Data Collected:

  • Personally Identifiable Information (PII): Includes names, email addresses, telephone numbers, and other contact information.
  • Protected Health Information (PHI): Includes health history, medical conditions, and treatment details.
  • Financial Data: Includes payment information and transaction history.
  • Technical Data: Includes IP addresses, browser types, device identifiers, and logs related to your use of our services.

2. Purpose of Data Collection

We collect and process personal information to:

  • Provide and improve our services.
  • Comply with regulatory and legal obligations, including HIPAA and GDPR.
  • Protect the rights and privacy of individuals.
  • Facilitate healthcare outcomes, patient-reported outcomes, and data analytics within the bounds of consent.
  • Enhance user experience by offering customized services.
  • Maintain records for operational, legal, and auditing purposes.

3. Lawful Basis for Processing (GDPR)

Under GDPR, we process personal data based on the following lawful bases:

  • Consent: We collect and process personal data with the consent of the individual. Consent may be withdrawn at any time.
  • Contractual Necessity: We process data as part of providing services or fulfilling contractual obligations.
  • Legal Obligation: We process personal data to comply with legal obligations under HIPAA, GDPR, and other applicable laws.
  • Legitimate Interests: We process personal data for legitimate business purposes, such as improving service delivery, provided these interests do not override the individual’s fundamental rights and freedoms.

4. HIPAA Compliance

Aretetic complies with HIPAA regulations to safeguard protected health information (PHI). This includes:

  • Data Encryption: All PHI is encrypted at rest and in transit.
  • Access Controls: Access to PHI is restricted to authorized personnel and roles.
  • Confidentiality Agreements: Employees handling PHI sign confidentiality agreements and undergo regular training.
  • Breach Notification: In the event of a data breach involving PHI, we will notify affected individuals as required by law.

5. Data Classification

Aretetic classifies data into three categories to determine the appropriate level of protection:

  • Confidential Data: Includes PHI, PII, financial data, authentication credentials, source code, and other sensitive information.
  • Restricted Data: Includes internal business documents, policies, and communications. This data is protected but less sensitive than confidential data.
  • Public Data: Includes data that can be freely shared, such as marketing materials and product descriptions.

6. Data Handling and Storage

Aretetic enforces strict data handling and storage procedures based on data classification.

Confidential Data Handling:

  • Access is restricted to authorized personnel with explicit approval from data owners.
  • Data is encrypted at rest and in transit.
  • Confidential data is not stored on personal devices or removable media.
  • Hardcopy documents are avoided where possible and securely disposed of when no longer needed.

Restricted Data Handling:

  • Access is limited to those with a business need-to-know.
  • Data is securely stored and disposed of following company policies.

Public Data Handling:

  • Public data requires no special handling and can be freely distributed.

7. Data Retention

Aretetic retains personal data only for as long as necessary to fulfill the purposes for which it was collected or to meet regulatory or contractual obligations. Once data is no longer needed, it is securely deleted or archived in compliance with our Data Management Policy.

  • PII and PHI Retention: PII and PHI are deleted or de-identified when no longer necessary for business or legal purposes.
  • Retention Periods: Retention periods for various types of data are documented in our Data Retention Matrix.

8. Data Security

We implement security measures to protect personal data from unauthorized access, disclosure, alteration, and destruction:

  • Encryption: All sensitive data is encrypted at rest and in transit using industry-standard encryption protocols.
  • Access Controls: Role-based access control ensures that only authorized individuals can access certain data.
  • Monitoring: We regularly monitor systems for unauthorized access or vulnerabilities.
  • Incident Response: In case of a security incident, we follow our incident response plan to mitigate harm and notify affected individuals where required.

9. Third-Party Data Sharing

Aretetic shares personal data with third parties only when necessary to provide our services or comply with legal obligations. Third-party vendors are assessed for data security and compliance with our data disposal and protection standards.

We share data with:

  • Service Providers: For data storage, payment processing, and analytics.
  • Legal and Regulatory Authorities: As required to comply with legal obligations.
  • Business Partners: Where necessary, with explicit consent from individuals or as part of contractual agreements.
10. Data Subject Rights (GDPR)

Individuals in the European Economic Area (EEA) have specific rights under GDPR, including:

  • Right to Access: You have the right to request access to the personal data we hold about you.
  • Right to Rectification: You can request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data when it is no longer necessary for the purpose it was collected.
  • Right to Data Portability: You can request to receive your personal data in a structured, commonly used, machine-readable format, or to have it transmitted to another organization where technically feasible.
  • Right to Object: You can object to the processing of your personal data for direct marketing or legitimate interest purposes.
  • Right to Restriction of Processing: You can request limitation of how your personal data is processed.

To exercise these rights, please contact our Data Protection Officer at DataRights@Aretetic.com.

11. Data Disposal

When data is no longer needed, Aretetic securely disposes of it in accordance with our Data Management Policy. Disposal methods include:

  • Digital Data: Secure wiping of storage media, or cryptographic erasure (destruction of the encryption keys protecting encrypted drives and devices) where the data was encrypted at rest.
  • Physical Data: Shredding or secure disposal of paper records.

12. Breach Notification

In the event of a data breach that compromises personal data, Aretetic will notify affected individuals and regulatory authorities in accordance with HIPAA and GDPR requirements. Under the HIPAA Breach Notification Rule, affected individuals are notified without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI; under GDPR, the competent supervisory authority is notified within 72 hours of becoming aware of a breach where feasible, and affected data subjects are notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

13. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes via email or through our website.

14. Contact Information

If you have any questions or concerns about this Privacy Policy or your personal data, you can contact us at:

Aretetic Solutions, LLC
8680 Miralani Dr. Suite 120 San Diego, CA 92126
(858) 215-1822
Info@Aretetic.com