Banyan Health – Privacy Policy

Effective Date: 11/4/2025

Banyan Health ("Banyan Health," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our Site or use our telehealth Services.

1. Scope

This policy applies to all visitors, clients, and users of our Site and telehealth Services. It explains how we handle both general information and Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and California law.

Note: This Privacy Policy should be read in conjunction with our separate HIPAA Notice of Privacy Practices, which provides additional details about how we use and disclose your health information.

2. Information We Collect

We collect information in the following ways:

a. Information You Provide

When you complete an intake form, schedule an appointment, or communicate with us, we may collect:

  • Name, date of birth, contact details (email, phone, address)

  • Medical history, medications, current health concerns, and other health-related data shared during sessions

  • Payment and billing information

  • Communications or messages you send us

b. Automatically Collected Information

When you visit the Site, we may automatically collect limited data such as:

  • IP address and browser type

  • Device and operating system information

  • Date/time of visit and referring URLs

  • Cookie or analytics data (for site performance monitoring)

c. Third-Party Sources

We may receive information from scheduling or payment processors (such as Acuity Scheduling) to facilitate appointments and transactions.

3. How We Use Information

We use information to:

  • Provide and improve our telehealth and related Services

  • Schedule appointments and communicate with you about your care

  • Process payments and send confirmations or invoices

  • Maintain internal records and ensure quality of care

  • Comply with legal or regulatory obligations

  • Conduct de-identified or aggregated analytics for practice improvement

We do not sell or rent your personal or health information to any third party.

4. How We Share Information

We may share information only as necessary to:

  • Coordinate care between our licensed clinicians

  • Use trusted service providers (e.g., Acuity Scheduling, payment processors, HIPAA-compliant video platforms) who are contractually bound to protect your data through Business Associate Agreements (BAAs)

  • Comply with law, regulation, subpoena, or government request

  • Prevent or address suspected fraud, security, or safety concerns

  • Complete a business transfer such as a merger or acquisition (subject to confidentiality obligations)

We may also share de-identified data (information stripped of personal identifiers) for analytics or research.

Business Associate Agreements

All third-party vendors who handle Protected Health Information on our behalf have signed Business Associate Agreements (BAAs) as required by HIPAA, ensuring they maintain the same privacy and security standards we uphold.

5. Data Security

We implement administrative, technical, and physical safeguards consistent with HIPAA to protect your information from unauthorized access, disclosure, alteration, or destruction.

Security measures include:

  • Encrypted data transmission and storage

  • Secure, password-protected systems

  • Limited access to PHI on a need-to-know basis

  • Regular security assessments and updates

  • HIPAA-compliant telehealth platforms

Despite these measures, no system is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your login credentials and for accessing our Services from a secure location.

6. Breach Notification

In the unlikely event of a data breach involving your Protected Health Information, we will:

  • Notify you without unreasonable delay and no later than 60 days from discovery of the breach

  • Provide details about what information was involved

  • Describe steps we are taking to mitigate harm

  • Inform you of your rights and steps you can take to protect yourself

  • Notify appropriate regulatory authorities as required by law

7. Patient Rights Under HIPAA

You have the right to:

  • Access or obtain a copy of your health record

  • Request amendments or corrections to your record

  • Receive an accounting of certain disclosures

  • Request restrictions on how we use or disclose your information

  • Request confidential communications by alternative means (e.g., email only, specific phone number)

  • Receive a paper copy of this Privacy Policy or our Notice of Privacy Practices upon request

  • File a complaint if you believe your privacy rights have been violated

To exercise any of these rights, please contact us at info@banyan-health.com.

You will not be retaliated against for filing a complaint or exercising your privacy rights.

8. Communication Security

Email and Text Messaging

While we use secure systems when possible, standard email and text messaging are not completely secure. By providing your email address or phone number, you consent to receive appointment reminders, administrative communications, and other non-sensitive information via these methods.

For sensitive health information, we will:

  • Use secure patient portals when available

  • Minimize PHI in email/text communications

  • Only communicate via unencrypted methods with your express consent

You may opt out of email or text communications at any time by contacting us.

9. Cookies & Tracking Technologies

Our Site may use cookies or analytics tools (such as Google Analytics) to improve performance and user experience. These tools may collect:

  • Pages visited and time spent on the Site

  • Referring website or search terms

  • General location data (city/state level)

You can control cookies through your browser settings. Disabling cookies may affect certain features of the Site.

Do Not Track Signals

Our Site does not currently respond to "Do Not Track" signals from web browsers. You may disable tracking through your browser settings or third-party tools.

10. Third-Party Services

Acuity Scheduling

We use Acuity Scheduling for online appointment booking. Acuity is HIPAA-compliant when used on their Premium or Enterprise plans, and we have signed a Business Associate Agreement with them. When you use Acuity, your data is also processed under their privacy policy. We encourage you to review Acuity's privacy policy before submitting information through their system.

Payment Processors

Payment information may be processed through third-party payment processors. We do not store complete credit card information on our servers.

11. Data Storage and Retention

Domestic Storage

All patient data is stored on servers located within the United States. We do not transfer Protected Health Information internationally.

Retention Period

We retain your health information as required by California law (minimum 7 years from last date of service for adults) and as needed to provide ongoing care. When data is no longer required, we securely delete or de-identify it in compliance with HIPAA guidelines.

12. Children's Privacy

Our Services are intended for adults 18 and older. We do not knowingly collect information from individuals under 18. If we learn that a minor has submitted data, we will delete it promptly and notify the appropriate parties.

13. California Privacy Rights

California residents may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to:

  • Know what personal information is collected, used, shared, or sold

  • Access the specific pieces of personal information we have about you

  • Request deletion of personal information (subject to medical record retention laws and other exceptions)

  • Opt out of sale of personal information (we do not sell data)

  • Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at info@banyan-health.com. We will verify your identity before processing requests.

14. Updates to This Policy

We may revise this Privacy Policy periodically to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a new "Effective Date." Continued use of our Site or Services after updates means you accept the revised policy.

For material changes, we will provide notice through email or a prominent Site notification.

15. Severability

If any provision of this Privacy Policy is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary, and the remaining provisions will remain in full force and effect.

16. Contact Us

For privacy or data-related questions, or to exercise your patient rights:

Banyan Health
Attn: Privacy Officer
Email: info@banyan-health.com

To file a complaint about our privacy practices:

You will not be penalized or retaliated against for filing a complaint.