Privacy Policy

Effective Date:

Introduction

At Harmonise, we believe that privacy is not a compliance checkbox — it is a foundation of trust. The nature of our work means you may share deeply personal information with us, and we take the responsibility of protecting that information with the utmost seriousness.

This Privacy Policy explains what information we collect, how we use it, who we may share it with, and the rights you have over your data. It applies to our website at harmonise.co, our client portal, our mobile application, and all services offered by Harmonise Wellness LLC ("Harmonise," "we," "our," or "us").

Please read this policy carefully. By using our services, you acknowledge that you have read and understood it. If you have any questions, our Privacy Team is reachable at privacy@harmonise.co.

1. Who We Are

Harmonise Wellness LLC is a therapy and wellness practice based in Portland, Oregon, providing individual therapy, couples therapy, mindfulness-based stress reduction, and group wellness programmes — delivered both in-person and virtually.

As a healthcare provider, Harmonise is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. Your protected health information (PHI) is governed by both this Privacy Policy and our separate HIPAA Notice of Privacy Practices, which is provided to all clients at the commencement of care.

Data Controller:
Harmonise Wellness LLC
248 Pine Street, Portland, OR 97201
hello@harmonise.co
(503) 555-0194

2. Information We Collect

We collect two broad categories of information: information you provide to us directly, and information collected automatically when you interact with our digital platforms.

2.1 Information You Provide

Enquiry and Intake Information: When you complete a contact form, enquiry, or intake questionnaire, we collect your name, email address, phone number, general location, and the nature of your enquiry. We also collect any health-related information you choose to share as part of the intake process, including presenting concerns, relevant history, and insurance details.

Account and Booking Information: When you create a client account or book a session, we collect login credentials, billing address, and payment method information. Payment card data is processed exclusively by Stripe and is never stored on Harmonise systems.

Protected Health Information (PHI): Once you become a client of Harmonise, we collect and maintain clinical records as part of your treatment. This includes session notes, treatment plans, assessments, progress records, and any communications with your therapist. This information is subject to HIPAA and our Notice of Privacy Practices.

Communications: If you contact us by email, telephone, or through our secure messaging portal, we retain a record of that correspondence. If you contact our crisis line, we record the date, time, and nature of the contact for continuity of care and safety purposes.

Voluntary Submissions: If you participate in a testimonial, survey, or our Journal newsletter, we collect the content you submit and, where provided, your name and image.

2.2 Information Collected Automatically

Usage Data: When you visit our website or use our client portal, we automatically collect information about your device and interaction, including your IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and clickstream data.

Cookies and Tracking Technologies: We use cookies, pixel tags, and similar technologies as described in Section 7 of this policy.

Telehealth Session Data: For virtual sessions, our HIPAA-compliant video platform collects connection metadata (duration, device type, network quality). Sessions are never recorded without your explicit written consent.

3. How We Use Your Information

We use the information we collect for the following purposes:

Providing and Improving Care: To schedule and conduct therapy sessions, maintain clinical records, coordinate care among members of your treatment team (with your authorisation), send appointment reminders, and process payments.

Communications: To respond to your enquiries, send you administrative notices, notify you of changes to our services or policies, and — where you have opted in — send you our Journal newsletter and wellness resources.

Safety: To identify, investigate, and address safety concerns, including compliance with our mandatory reporting obligations under applicable law.

Legal and Regulatory Compliance: To comply with HIPAA, state licensing requirements, applicable tax law, and any lawful requests from regulatory or law enforcement bodies.

Research and Service Improvement: We may use de-identified or aggregated data (data from which all personal identifiers have been removed) to understand how our services are used and to improve our clinical offerings. This data cannot be used to identify you.

Security: To detect, prevent, and investigate fraudulent or unauthorised use of our systems.

We do not use your personal or health information to train artificial intelligence or machine learning models. We do not sell your data. Ever.

4. Legal Bases for Processing

Where the General Data Protection Regulation (GDPR) or UK GDPR applies (for example, if you are located in the European Economic Area or the United Kingdom), our legal bases for processing your personal data are as follows:

  • Performance of a contract — to deliver the services you have engaged us for, including scheduling and billing.

  • Legal obligation — to comply with HIPAA, mandatory reporting laws, and other applicable legal requirements.

  • Legitimate interests — for website analytics, fraud prevention, and improving our services, where those interests are not overridden by your rights and interests.

  • Consent — for marketing communications and any processing not covered by the above. You may withdraw consent at any time without affecting the lawfulness of prior processing.

For the processing of special category data (health information), we rely on the provision of healthcare and treatment, and where applicable, your explicit consent.

5. Sharing Your Information

We do not sell, rent, or trade your personal information. We share information only as described below.

5.1 Service Providers

We engage carefully selected third-party vendors who process data on our behalf under written data processing agreements. These include:

  • Stripe: Payment processing. Data shared: billing details, transaction data.

  • SimplePractice: Electronic health records and scheduling. Data shared: PHI, appointment data.

  • Twilio: Secure messaging and SMS reminders. Data shared: phone number, message content.

  • Mailchimp: Newsletter distribution. Data shared: name, email (newsletter subscribers only).

  • Google Workspace: Internal communications. Data shared: staff email only.

  • Amazon Web Services: Cloud infrastructure and storage. Data shared: encrypted clinical records.

All vendors who handle PHI are bound by a HIPAA Business Associate Agreement (BAA).

5.2 Treatment Team

With your written authorisation, we may share your health information with other healthcare providers involved in your care (for example, a referring psychiatrist or your primary care physician).

5.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or subpoena; to protect the rights or safety of Harmonise, our staff, or others; or to comply with our mandatory reporting obligations (for example, in cases of suspected child abuse or imminent risk of harm).

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the successor entity. We will notify you by email and/or prominent notice on our website at least 30 days before any such transfer, and any successor will be required to uphold the terms of this policy.

5.5 With Your Consent

We will share your information with any other party only with your explicit prior consent.

6. Data Retention

We retain different categories of data for different periods, in accordance with legal requirements and our clinical obligations.

Clinical records (PHI): Retained for a minimum of seven (7) years from the date of last service, or seven years from a minor client's 18th birthday, whichever is later — in accordance with Oregon state law.

Billing and financial records: Retained for seven (7) years in accordance with tax and accounting regulations.

Website usage data and cookies: Retained for up to 13 months from collection.

Newsletter and marketing data: Retained until you unsubscribe, plus one (1) year for suppression list purposes.

Enquiry and pre-intake communications: Retained for two (2) years if you do not become a client.

When data reaches the end of its retention period, it is securely deleted or anonymised. Clinical records are destroyed in accordance with HIPAA standards (shredding for physical records; secure digital erasure for electronic records).

7. Cookies and Tracking

Our website uses the following categories of cookies:

Strictly Necessary Cookies: Required for the website to function and cannot be switched off. They are set in response to actions you take such as logging in or completing a form. These do not require your consent.

Analytics Cookies: We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies, does not collect personal data, and is fully GDPR-compliant. Aggregate, anonymised traffic data helps us understand which pages are most useful.

Preference Cookies: These remember your settings and preferences (for example, accessibility settings) to improve your experience.

Marketing Cookies: We do not currently use marketing or advertising cookies. If we introduce these in future, we will update this policy and seek your consent beforehand.

You can manage your cookie preferences at any time using the Cookie Settings link in the footer of our website.

8. Security

We take the security of your information seriously and implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data we hold.

Our security measures include:

  • AES-256 encryption for all data at rest and TLS 1.3 encryption for all data in transit

  • HIPAA-compliant telehealth video infrastructure (end-to-end encrypted)

  • Multi-factor authentication required for all staff accessing clinical systems

  • Role-based access controls ensuring staff access only the data necessary for their role

  • Annual third-party security audits and penetration testing

  • Staff HIPAA training conducted annually and upon onboarding

  • Incident response plan reviewed quarterly

In the event of a data breach that affects your information, we will notify you and the relevant regulatory authorities as required by HIPAA and applicable law, within the required timeframes.

No system is completely secure. If you believe your account has been compromised, please contact us immediately at security@harmonise.co.

9. Your Rights

Depending on your location, you have the following rights over your personal information:

9.1 Rights Under HIPAA (All US Clients)

As a client of Harmonise, you have the right to:

  • Access your medical records and receive a copy (we will respond within 30 days)

  • Request an amendment to your records if you believe they are inaccurate or incomplete

  • Request restrictions on how we use or disclose your PHI (we will consider all requests, though we may not be able to agree to all restrictions)

  • Receive an accounting of disclosures of your PHI for the six years prior to your request

  • Request confidential communications (for example, to be contacted only by email rather than phone)

  • Receive a paper copy of our HIPAA Notice of Privacy Practices upon request

9.2 Rights Under GDPR / UK GDPR (EEA and UK Residents)

If you are located in the European Economic Area or the United Kingdom, you also have the right to:

  • Access the personal data we hold about you

  • Rectification of inaccurate or incomplete data

  • Erasure ("right to be forgotten") — subject to our legal and clinical retention obligations

  • Restriction of processing in certain circumstances

  • Data portability — receive your data in a structured, machine-readable format

  • Object to processing based on legitimate interests

  • Withdraw consent at any time, where processing is based on consent

  • Lodge a complaint with your local supervisory authority (in the UK, the ICO; in the EU, your national data protection authority)

9.3 Rights Under the California Consumer Privacy Act (California Residents)

California residents have additional rights, including the right to know what categories of personal information we collect and share, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights.

To exercise any of your rights, please contact us at privacy@harmonise.co or by post at the address in Section 1. We will respond within 30 days (or as required by applicable law) and will not charge a fee for reasonable requests.

We may ask you to verify your identity before processing your request.

10. Children's Privacy

Our services are intended for adults aged 18 and over. We do provide therapy services to minors with the involvement and consent of a parent or legal guardian, in accordance with applicable law and our clinical and ethical obligations. In those cases, the parent or guardian provides consent for the processing of the minor's health information.

We do not knowingly collect personal information from children under 13 through our website without verifiable parental consent. If you believe a child under 13 has provided us with personal information without parental consent, please contact us at privacy@harmonise.co and we will promptly delete it.

11. International Data Transfers

Our primary operations are based in the United States. If you access our services from outside the United States, your information may be transferred to and processed in the US, which may have different data protection laws than your country of residence.

Where we transfer data from the EEA or UK to the US or other third countries, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, and the UK's International Data Transfer Agreement (IDTA) where applicable.

12. Third-Party Links

Our website may contain links to third-party websites, such as mental health resources, professional associations, or insurance portals. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal information.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will notify you by email (to the address associated with your account) and by posting a prominent notice on our website at least 14 days before the changes take effect. The "Last Updated" date at the top of this policy will always reflect the date of the most recent revision.

We encourage you to review this policy periodically. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Team, Harmonise Wellness LLC
248 Pine Street, Portland, OR 97201
privacy@harmonise.co
(503) 555-0194

For HIPAA-related enquiries specifically, you may also contact our HIPAA Privacy Officer at hipaa@harmonise.co.

If you are not satisfied with our response, you have the right to file a complaint with the US Department of Health and Human Services (HHS) Office for Civil Rights at hhs.gov/ocr, or with your local data protection authority.
