Privacy Policy
CIRCATHERA PRIVACY POLICY
Effective Date: January 15, 2026 | Last Updated: December 15, 2025
1. INTRODUCTION
CircaThera Corp. ("CircaThera," "Company," "we," "us," or "our") is committed to protecting the privacy and security of personal information. This Privacy Policy describes how we collect, use, disclose, store, and safeguard information in connection with our Circle of Care platform—a multidisciplinary, AI-powered clinical care ecosystem uniting therapists, educators, families, and learners in coordinated treatment and educational services.
Our Mission: To provide science-backed, compassionate technology that breaks down silos between Applied Behavior Analysis (ABA), Speech-Language Pathology (SLP), Occupational Therapy (OT), Physical Therapy (PT), behavioral health, mental health, and special education—creating a unified Circle of Care centered on every learner.
This Privacy Policy applies to:
- Our cloud-based platform and mobile applications
- AI-powered clinical and educational tools
- Revenue Cycle Management (RCM) services
- Website, marketing communications, and customer support
- All services where this Privacy Policy is referenced
BY ACCESSING OR USING CIRCATHERA'S SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY.
2. DEFINITIONS
"Personal Information" means any information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable individual.
"Protected Health Information" or "PHI" means individually identifiable health information as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.
"Education Records" means student records protected under the Family Educational Rights and Privacy Act ("FERPA").
"Services" means CircaThera's Circle of Care platform, including all applications, tools, integrations, and related services.
"Customer" means organizations (clinics, schools, agencies, practices) that subscribe to our Services.
"User" means individuals who access Services through a Customer, including therapists, educators, administrators, and families.
"Learner" means individuals receiving treatment, therapy, or educational services through the Services.
3. INFORMATION WE COLLECT
3.1 Information Provided Directly
Account Information: Name, email address, phone number, job title, professional credentials, licensure information, organization affiliation.
Learner Information: Name, date of birth, diagnosis, medical history, IEP/treatment goals, progress notes, assessment results, session documentation, behavioral data, family information. All Learner Information is provided to CircaThera solely by or on behalf of the Customer.
Clinical Documentation: Therapy session notes, progress reports, evaluation results, treatment plans, goal tracking data, behavior intervention plans, parent/guardian consents.
Billing Information: Insurance details, authorization codes, CPT codes, claim information (processed through secure third-party payment processors—we do not store complete payment card information).
Communications: Messages sent through our platform, support requests, feedback, survey responses.
3.2 Information Collected Automatically
Usage Data: Features accessed, time spent, actions taken, navigation patterns, session logs.
Device Information: IP address, browser type and version, operating system, device identifiers, mobile network information.
Log Data: Access times, pages viewed, errors encountered, referring URLs, clickstream data.
Cookies & Tracking Technologies: Session cookies, analytics cookies, preference cookies. See Section 10 for detailed information.
3.3 Information from Third Parties
- Single Sign-On (SSO) providers
- Electronic Health Record (EHR) and Student Information Systems (SIS)
- Insurance verification and eligibility services
- Professional credential verification services
4. HOW WE USE INFORMATION
4.1 To Provide and Improve Services
- Deliver clinical documentation, scheduling, billing, and reporting features
- Generate AI-powered insights and evidence-based treatment recommendations
- Enable multidisciplinary collaboration across therapists, educators, and families
- Process billing, insurance claims, and revenue cycle management
- Provide customer support and technical assistance
- Improve platform performance, security, and functionality
4.2 To Ensure Safety and Compliance
- Verify user identities and professional credentials
- Detect and prevent fraud, abuse, or security threats
- Comply with HIPAA, FERPA, state licensing laws, and other applicable regulations
- Respond to legal requests and enforce our Terms of Service
- Maintain audit logs for regulatory compliance and quality assurance
4.3 For Research and Development
We may use de-identified and aggregated data (data that cannot be linked back to individuals) to:
- Conduct clinical research and outcome studies
- Train and improve AI models for therapy and educational recommendations
- Develop new features and evidence-based interventions
- Publish research findings and industry benchmarks
Important: De-identified data is permanently stripped of identifiers and cannot be re-linked to individual Learners, patients, or Users.
CircaThera does not use identifiable Personal Information or PHI to train AI models.
4.4 For Communication and Marketing
- Send service announcements, updates, and security alerts
- Provide educational resources and clinical best practice guidance
- Send promotional materials (with opt-out option available)
- Conduct surveys and gather feedback to improve Services
5. HOW WE SHARE INFORMATION
WE DO NOT SELL PERSONAL INFORMATION. We share information only in the following limited circumstances:
5.1 With Consent or Direction
We share information when you explicitly authorize us to do so, such as sharing Learner data with family members or coordinating care with external providers.
5.2 Within the Circle of Care
Authorized Users within your organization (therapists, educators, administrators, families) may access Learner information necessary for providing coordinated, multidisciplinary care, subject to role-based access controls.
5.3 Service Providers and Subprocessors
We engage trusted third-party service providers who assist with:
- Cloud hosting and infrastructure (Amazon Web Services)
- Payment processing and billing services
- Analytics and platform monitoring
- Customer support tools and communication services
- Email delivery and marketing automation
All service providers are contractually required to protect information and use it only for specified purposes. HIPAA-covered service providers execute Business Associate Agreements.
5.4 Legal Obligations
We may disclose information when required by law, including:
- Responding to subpoenas, court orders, or legal processes
- Complying with government investigations or regulatory requests
- Protecting rights, property, or safety of CircaThera, Users, or the public
- Reporting suspected child abuse, neglect, or harm (as mandated by law)
5.5 Business Transfers
If CircaThera is involved in a merger, acquisition, reorganization, or sale of assets, Personal Information may be transferred. We will provide notice and ensure continued protection under this Privacy Policy or require the acquirer to do so.
6. DATA SECURITY
We implement industry-leading technical, administrative, and physical safeguards to protect your information:
6.1 Technical Safeguards
- Encryption: AES-256 encryption at rest; TLS 1.3+ encryption in transit
- Access Controls: Role-based access, multi-factor authentication (MFA), least-privilege principles
- Network Security: Firewalls, intrusion detection systems (IDS), DDoS protection
- Monitoring: 24/7 security monitoring, automated threat detection, comprehensive audit logging
- Infrastructure: AWS-powered cloud hosting with SOC 2 Type II, HIPAA, and ISO 27001 compliance
6.2 Administrative Safeguards
- Mandatory workforce training on security and privacy best practices
- Background checks for employees with access to sensitive data
- Incident response and breach notification procedures
- Regular security risk assessments and penetration testing
- Third-party security audits and ongoing compliance certifications
6.3 Physical Safeguards
Data is stored in secure, access-controlled AWS data centers with physical security measures including biometric access, 24/7 surveillance, and environmental controls.
Disclaimer: While we implement robust security measures, no system is completely secure. Users should protect their login credentials, enable MFA where available, and report suspicious activity immediately.
7. DATA RETENTION
7.1 Active Account Data
We retain Personal Information for as long as your account is active or as needed to provide Services, comply with legal obligations, resolve disputes, and enforce agreements.
7.2 Retention Periods
- Clinical/Education Records: At least 7 years, or longer if required by applicable law (per federal and state laws)
- Billing Records: 7 years (per IRS and healthcare regulations)
- Account Data: Retained during active subscription; archived for 3 years post-termination
- Audit Logs: 7 years (for security and compliance purposes)
- De-identified Data: Retained indefinitely for research and AI model training
7.3 Data Deletion
After retention periods expire, we securely delete or anonymize data using industry-standard methods including cryptographic erasure and secure overwriting. Customers may request early deletion subject to applicable legal requirements.
8. HIPAA COMPLIANCE
8.1 When HIPAA Applies
When Customers are HIPAA-covered entities (healthcare providers, health plans) or business associates, and they use CircaThera to create, receive, maintain, or transmit PHI, we act as a Business Associate under HIPAA.
8.2 Business Associate Agreement
Customers subject to HIPAA must execute a Business Associate Agreement (BAA) with CircaThera. The BAA governs permitted uses and disclosures of PHI, safeguards, breach notification, patient rights, subcontractor management, and data return procedures. Our BAA is available separately and incorporated by reference into our Terms of Service.
8.3 Patient Rights Under HIPAA
If you are a patient whose PHI is stored in CircaThera:
- Right to Access: Request a copy of your PHI
- Right to Amend: Request corrections to inaccurate PHI
- Right to Accounting: Request a list of PHI disclosures
- Right to Restrict: Request restrictions on certain uses/disclosures
- Right to Confidential Communications: Request PHI be sent to an alternative address
To exercise these rights, contact the covered entity providing your care (your doctor, clinic, therapy center). We will assist them as required under our BAA.
8.4 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected Customers (covered entities) without unreasonable delay and no later than 60 days after discovery, and cooperate fully with their breach notification obligations to patients and HHS.
9. FERPA COMPLIANCE
9.1 When FERPA Applies
When Customers are educational agencies or institutions subject to FERPA, and they use CircaThera to store or manage student Education Records, we comply with FERPA requirements as a "school official" with a "legitimate educational interest."
9.2 Student and Parent Rights
If you are a student or parent whose Education Records are in CircaThera:
- Right to Inspect: Request access to education records
- Right to Amend: Request correction of inaccurate or misleading records
- Right to Consent: Control disclosure of personally identifiable information
- Right to File Complaint: File complaints with the Family Policy Compliance Office (FPCO)
To exercise these rights, contact your school or educational institution directly.
10. COOKIES & TRACKING
10.1 Types of Cookies
- Essential Cookies (always active): Authentication, security, platform functionality
- Analytics Cookies (can be declined): Usage patterns, performance monitoring
- Marketing Cookies (can be declined): Campaign tracking, email engagement
10.2 Your Choices
You can manage cookies through browser settings or our cookie consent manager. Blocking essential cookies may affect platform functionality.
11. YOUR RIGHTS
- Access and Correction: Request access to or correction of Personal Information
- Data Portability: Request data in machine-readable format (CSV, JSON)
- Deletion: Request deletion (subject to legal retention requirements)
- Marketing Opt-Out: Unsubscribe from promotional emails
- State-Specific Rights: California, Virginia, Colorado residents have additional rights
12. INTERNATIONAL TRANSFERS
CircaThera is based in the United States. If you access Services from outside the U.S., your information will be transferred to, stored, and processed in the United States. We implement appropriate safeguards including Standard Contractual Clauses for EEA/UK transfers including applicable state student data privacy laws.
13. CHILDREN'S PRIVACY
CircaThera serves Learners of all ages, including children under 13. We comply with COPPA by collecting children's information only through COPPA-compliant Customers (schools, clinics) with proper parental consent mechanisms. Parents/guardians may request access, correction, or deletion by contacting the school/clinic or emailing privacy@circathera.com.
14. CHANGES TO THIS POLICY
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy with a new "Last Updated" date, sending email notifications, and displaying in-app notifications. Continued use after changes become effective constitutes acceptance.
15. CONTACT US
CircaThera Corp.
Privacy Team
Email: compliance@circathera.com
Phone: 1-888-725-4249
Mail: 400 Tenafly Road, 1092, Tenafly NJ, 07670
"Unified by Science. Driven by Compassion."