Privacy Policy

1. Information We Collect

Health Information

To provide speech therapy services, we collect:

• Your name, date of birth, contact information
• Insurance information (policy numbers, member ID)
• Medical history and clinical notes from your SLP
• Treatment records and session notes
• Diagnoses and treatment plans
• Communication with your SLP

Account Information

• Email address and password
• Payment information (credit card, processed securely by Stripe)
• Device information and IP address
• Usage data (pages visited, features used)

2. How We Use Your Information

For Your Care

• Connecting you with licensed speech-language pathologists
• Scheduling and managing your therapy sessions
• Facilitating video sessions and secure messaging
• Storing clinical documentation created by your SLP

For Billing & Insurance

• Verifying your insurance benefits
• Submitting claims to your insurance company
• Processing copays and payments
• Handling billing questions and disputes

Platform Operations

• Account management and customer support
• Security monitoring and fraud prevention
• Platform improvements (using de-identified data)
• Legal compliance and regulatory reporting

3. Who We Share Your Information With

Your Speech Therapist

We share your information with the licensed SLP providing your care. They are independent healthcare providers with their own HIPAA obligations.

Your Insurance Company

We submit claims to your health plan for payment, which includes diagnosis codes, treatment dates, and provider information.

HIPAA-Compliant Service Providers

We work with trusted vendors who have signed Business Associate Agreements to protect your data:

• Amazon Web Services: Secure cloud hosting with encryption
• Stripe: Payment processing (PCI-compliant)
• Daily.co: HIPAA-compliant video sessions
• Stedi: Insurance claim processing

4. How We Protect Your Information

Security Measures

• Encryption: All data is encrypted in storage and during transmission (AES-256 and TLS 1.3)
• Access controls: Only authorized personnel can access your information
• Audit logs: We track all access to your health records
• Regular security testing: We conduct security assessments and vulnerability testing
• Employee training: All staff complete HIPAA training annually

Breach Notification

If a data breach affects your health information, we will notify you within 60 days as required by HIPAA, along with steps you can take to protect yourself.

5. Your Privacy Rights

Access Your Records

You have the right to view and receive a copy of your medical records. We will provide them within 30 days of your request. The first copy per year is free.

Request Corrections

If you believe your records contain errors, you can request corrections. Clinical notes can only be amended by your treating SLP.

See Who Accessed Your Information

You can request a list of who we've shared your information with (outside of treatment, payment, and operations) for the past 6 years.

Request Restrictions

You can ask us to limit how we use or share your information. We'll consider all requests but aren't always required to agree.

File a Complaint

If you believe your privacy rights have been violated, you can file a complaint with us at privacy@onlark.com or with the U.S. Department of Health and Human Services at www.hhs.gov/ocr/privacy/hipaa/complaints/.

We will not retaliate against you for filing a complaint.

6. California Privacy Rights (CCPA)

Note: Most information is protected health information under HIPAA, which is exempt from CCPA. The following applies to non-health information.

California residents have additional rights:

• Right to know: What personal information we collect and how we use it
• Right to delete: Request deletion of your data (subject to legal retention requirements)
• Right to opt-out: We don't sell data, so no opt-out is needed
• Right to non-discrimination: We won't penalize you for exercising your rights

To exercise CCPA rights, email privacy@onlark.com with "CCPA Request" in the subject line.

7. Cookies and Tracking

We use cookies for:

• Essential functions: Keeping you logged in and platform security (required)
• Preferences: Remembering your settings and language (optional)
• Analytics: Understanding how people use our platform to make improvements (optional, de-identified)

We do NOT store health information in cookies. You can manage cookie preferences in your browser settings or account settings.

8. Data Retention

• Medical records: 7 years from last session (required by law)
• Billing records: 7 years for tax and compliance purposes
• Account data: Until you close your account, then 90 days for fraud prevention

You can close your account anytime by emailing support@onlark.com. We'll delete your account data but must retain medical records as required by healthcare regulations.

9. Children's Privacy

Our platform is for adults 18+. If you're creating an account for a child receiving speech therapy, you must be the parent or legal guardian and consent on their behalf. We collect health information about minor patients only as necessary for treatment, with parental/guardian consent.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be announced via email at least 30 days before taking effect. The "Last Updated" date will be revised accordingly.

11. Contact Us