Privacy Policy
Your privacy is important to us. Please review our privacy practices.
Last Updated: January 2025
By accessing or using our Services, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Services.
We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the "Last Updated" date of this Privacy Policy. You are encouraged to periodically review this Privacy Policy to stay informed of updates.
We may collect personal information that you voluntarily provide to us when you register for an account, express interest in obtaining information about us or our Services, participate in activities on the Services, or otherwise contact us. The personal information we collect may include:
• Name and contact information (email address, phone number, mailing address)
• Practice/business information (practice name, specialty, size, location)
• Login credentials (username and password)
• Payment and billing information
• Communications with us (including support tickets and feedback)
Patient Information
In connection with the referral services, you may provide us with patient information. We treat all patient information as Protected Health Information (PHI) under HIPAA. This may include:
• Patient names and contact information
• Referral history and status
• Appointment information
• Healthcare service information related to referrals
Automatically Collected Information
When you access our Services, we may automatically collect certain information, including:
• Device and browser information
• IP address and location data
• Usage data and analytics
• Cookies and similar tracking technologies
Service Delivery
• To provide, maintain, and improve our Services
• To process transactions and send related information
• To manage your account and provide customer support
• To send you technical notices, updates, and administrative messages
Communication
• To respond to your inquiries and fulfill your requests
• To send promotional communications (with your consent)
• To notify you about changes to our Services or policies
Analytics and Improvement
• To analyze usage patterns and trends
• To develop new products, services, and features
• To improve user experience and service quality
Legal and Security
• To comply with legal obligations
• To protect against fraudulent, unauthorized, or illegal activity
• To enforce our terms, conditions, and policies
Safeguarding PHI
• Implement administrative, physical, and technical safeguards to protect PHI
• Maintain encryption for data at rest and in transit
• Conduct regular security assessments and audits
• Train our workforce on HIPAA requirements
Business Associate Agreements
• Enter into Business Associate Agreements (BAAs) with covered entities
• Ensure our subcontractors comply with HIPAA requirements
• Report any breaches in accordance with HIPAA regulations
Patient Rights
• Support your patients' rights to access their information
• Assist with requests for amendments to PHI
• Maintain audit trails of PHI access and disclosures
Minimum Necessary Standard
• Limit access to PHI to authorized personnel only
• Use and disclose only the minimum necessary information
• Implement role-based access controls
With Your Consent
We may disclose your personal information for any purpose with your consent.
Service Providers
We may share your information with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf, such as:
• Payment processors
• Cloud hosting providers
• Email service providers
• Analytics providers
All service providers are required to maintain the confidentiality of your information and are prohibited from using it for any purpose other than providing services to us.
Legal Requirements
We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, judicial proceedings, court orders, or legal process.
Business Transfers
We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
We Do Not Sell Your Data
We do not sell, rent, or lease your personal information to third parties for their marketing purposes.
Technical Safeguards
• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Secure authentication mechanisms
• Regular security testing and vulnerability assessments
• Intrusion detection and prevention systems
Administrative Safeguards
• Access controls based on job responsibilities
• Employee background checks and security training
• Incident response procedures
• Regular policy reviews and updates
Physical Safeguards
• Secure data center facilities (SOC 2 compliant)
• Environmental controls and monitoring
• Access logging and surveillance
However, no security system is impenetrable, and we cannot guarantee that our systems are 100% secure. In the event of a security breach, we will notify you and any applicable regulator when required by law.
Retention Periods
• Account information: Duration of account plus 7 years
• PHI/Patient information: As required by HIPAA (minimum 6 years)
• Transaction records: 7 years for tax and audit purposes
• Usage logs: 2 years for analytics and security purposes
Account Termination
When you request deletion of your account:
• We will delete or anonymize your personal information within 30 days
• PHI will be retained as required by law and our BAAs
• Backup copies will be deleted according to our backup retention schedule
Access and Portability
You have the right to request access to your personal information and receive a copy in a portable format.
Correction
You have the right to request correction of inaccurate or incomplete personal information.
Deletion
You have the right to request deletion of your personal information, subject to certain exceptions (such as legal retention requirements).
Opt-Out
You may opt out of promotional communications by following the unsubscribe instructions in our emails or contacting us directly.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, and the right to non-discrimination for exercising your privacy rights.
Exercising Your Rights
To exercise any of these rights, please contact us at privacy@refershark.com. We may require verification of your identity before processing your request.
Types of Cookies We Use
• Essential Cookies: Required for the operation of our Services
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how visitors interact with our Services
• Marketing Cookies: Used to deliver relevant advertisements (only with consent)
Managing Cookies
Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all or some cookies, or to alert you when cookies are being sent. However, if you disable or refuse cookies, some parts of our Services may become inaccessible or not function properly.
Do Not Track
Some browsers include a "Do Not Track" feature that signals to websites that you do not want to have your online activity tracked. We honor Do Not Track signals where technically feasible.
If you are a resident of the European Economic Area (EEA), we will take appropriate measures to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it, including through the use of Standard Contractual Clauses approved by the European Commission.
ReferShark LLC
Email: privacy@refershark.com
General Support: support@refershark.com
Phone: (253) 400-2151
Mailing Address:
ReferShark LLC
Attn: Privacy Officer
[Address on file]
For HIPAA-related inquiries or to report a potential breach, please contact our Privacy Officer directly at privacy@refershark.com.