Privacy Policy

Effective Date: 9/1/2025

Privacy Notice for Partner Clinics, Organizations, and Practitioners

How TouchpointPT Collects, Uses, and Protects Partner Information

This agreement describes how Genuine Intelligence, LLC ("TouchpointPT," "we," "us," or "our") collects, uses, stores, and protects information in connection with clinics, group practices, healthcare organizations, and individual licensed practitioners (each a "Partner") that use the TouchpointPT platform to deliver care to their patients. By registering as a Partner or using the platform, you acknowledge and agree to the practices described in this agreement.

1. Roles Under This Policy

TouchpointPT acts as a technology platform provider and, with respect to any Protected Health Information (PHI) that flows through the platform, as a Business Associate and data custodian on behalf of the Partner. TouchpointPT does not own any patient data or PHI. All patient information and clinical records created, transmitted, or stored through the platform are owned by the Partner and/or the applicable patient. TouchpointPT holds such data solely in its capacity as a data custodian, at the direction of and on behalf of the Partner.

TouchpointPT's obligations regarding PHI are governed by the Business Associate Agreement (BAA) executed between TouchpointPT and the Partner.

This agreement addresses information TouchpointPT collects about Partners themselves - including organizational, account, and platform usage information - and the safeguards TouchpointPT maintains for patient data processed through the platform on the Partner's behalf.

2. Information We Collect from Partners

When a Partner registers for and uses the TouchpointPT platform, we may collect the following types of information:

  • Organizational Information: Practice or organization name, business address, tax identification numbers, and entity type.
  • Practitioner Information: Names, professional license numbers, license states and types, NPI numbers, and contact details for licensed practitioners associated with the Partner account.
  • Account & Billing Information: Authorized administrator names, email addresses, payment and billing details for platform subscription fees.
  • Usage Data: Log data, IP addresses, device and browser information, and records of platform interactions generated when Partners and their staff use the platform.
  • Content & Clinical Data: Care plan templates, exercise content, forms, and other materials Partners create or upload to the platform, as well as patient records and PHI created or transmitted through the platform on behalf of the Partner's patients.

3. How We Use Partner Information

We use the information collected from Partners to:

  • Provision, maintain, and improve the TouchpointPT platform and its features.
  • Verify Partner credentials and eligibility during registration and throughout the partnership.
  • Process platform subscription fees and manage billing.
  • Provide technical support and respond to Partner inquiries.
  • Communicate with Partners about platform updates, policy changes, and service-related notices.
  • Comply with legal, regulatory, and contractual obligations.
  • Detect, investigate, and prevent security incidents or misuse of the platform.

We do not use Partner information for marketing purposes beyond communicating about TouchpointPT's own services, and we do not sell Partner information to third parties.

4. Patient Data Processed on Partners' Behalf

When Partners use the platform to deliver care, patient health information and PHI may be created, transmitted, or stored through the platform. TouchpointPT processes this data solely as a Business Associate and data custodian acting on behalf of the Partner. TouchpointPT does not claim any proprietary interest in patient data or PHI. The Partner retains full ownership of all patient information at all times, including during and after the term of the subscription.

  • TouchpointPT will not use or disclose patient PHI except as permitted under the BAA and applicable law.
  • TouchpointPT will support Partners in fulfilling patient rights requests (e.g., access, amendment) to the extent required by the BAA.

5. How We Share Partner Information

We do not sell Partner information. We may share Partner information with the following categories of recipients as necessary to provide the platform and comply with applicable law:

  • Amazon Web Services (AWS): For secure cloud hosting, data storage, and infrastructure services. AWS is a HIPAA-eligible service provider.
  • Payment Processors: To facilitate billing and collection of platform subscription fees. TouchpointPT uses Stripe, Inc. as its payment processor for platform subscription fees. Stripe may collect and process billing and payment information in accordance with its own Privacy Policy, available at stripe.com/privacy.
  • Professional Services Providers: Legal, accounting, and compliance advisors bound by confidentiality obligations.
  • Law Enforcement or Regulatory Authorities: When required by applicable law, court order, or to protect the rights, property, or safety of TouchpointPT, Partners, patients, or the public.
  • Successor Entities: In the event of a merger, acquisition, or sale of all or substantially all of our assets, subject to appropriate confidentiality protections.

All third-party vendors with access to PHI are required to execute a BAA with TouchpointPT and implement HIPAA-compliant safeguards.

6. Data Security

TouchpointPT implements administrative, technical, and physical safeguards designed to protect Partner information and patient PHI against unauthorized access, disclosure, alteration, or destruction. These safeguards include:

  • Encryption of data in transit and at rest.
  • Role-based access controls limiting platform access to authorized personnel.
  • Audit logging to monitor and detect unauthorized access or anomalous activity.
  • Regular security assessments and vulnerability management.
  • Use of HIPAA-eligible cloud infrastructure through AWS.

To report any suspected security incidents, contact us at support@touchpointpt.com.

7. Data Retention & Post-Termination Obligations

We retain Partner account and organizational information for the duration of the partnership and for a reasonable period thereafter as necessary to fulfill legal, regulatory, and contractual obligations.

Patient PHI processed through the platform on behalf of Partners is retained in accordance with the applicable BAA and applicable law, including the HIPAA minimum retention requirements. TouchpointPT retains data for a minimum of seven (7) years to satisfy both HIPAA and any applicable state laws that may require longer retention periods.

Upon termination or non-renewal of a Partner's subscription, TouchpointPT will communicate data disposition options in accordance with the applicable Partner Agreement and BAA, including long-term archival storage, transfer to a HIPAA-compliant third-party provider, account continuation under separate billing, or export for self-managed retention.

8. Payment Processing & Stripe

Partners who use the TouchpointPT platform to collect payments from patients are required to connect a Stripe Standard account. In connection with the payment integration, TouchpointPT may share certain Partner account and transaction-related information with Stripe, Inc. as necessary to facilitate the processing of patient payments.

  • Stripe acts as an independent data controller for information it collects directly from Partners in connection with the Stripe onboarding and account verification process, including business identity, banking, and tax identification information. This information is collected and governed by Stripe's Privacy Policy (available at stripe.com/privacy) and Stripe's Connected Account Agreement.
  • TouchpointPT does not store Partner banking, routing, or payout account details. This information is held directly by Stripe and is subject to Stripe's security and privacy practices.
  • Transaction records (e.g., charge amounts, timestamps, and reference identifiers) generated through the platform's Stripe integration may be retained by TouchpointPT as necessary to support dispute resolution, platform operations, and compliance with applicable law.
  • TouchpointPT does not have access to patients' full payment card numbers, bank account numbers, or other sensitive financial instruments. Such data is collected and handled solely by Stripe.

For questions about how Stripe handles data collected through the payment integration, Partners and patients should refer to Stripe's Privacy Policy at stripe.com/privacy.

9. Breach Notification

In the event of a security incident involving Partner information or patient PHI processed through the platform, TouchpointPT will notify the affected Partner as required under the BAA and applicable HIPAA Breach Notification Rules.

TouchpointPT will cooperate with Partners in any breach investigation and will implement remediation measures to prevent future incidents.

10. Cookies and Platform Analytics

We use cookies and similar tracking technologies within the platform portal to support authentication, maintain session state, and gather aggregate analytics about platform usage. Partners and their staff may adjust browser settings to limit cookies, though some platform features may not function properly without them.

We do not use cookies to track individuals across unaffiliated websites or to serve third-party advertising.

11. Changes to This Part

We may update this agreement from time to time. If we make material changes, we will notify Partners via email or in-platform notification at least thirty (30) days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. Partners who do not agree to material changes should discontinue use and notify TouchpointPT in writing.

12. Contact Us

For questions about this agreement or about how TouchpointPT handles your data as a Partner, contact us at: support@touchpointpt.com.

TouchpointPT has designated a Privacy and Security Officer responsible for overseeing compliance with HIPAA and this Privacy Policy. For privacy-related questions, concerns, or to report a suspected privacy or security incident, contact the Privacy Officer at: support@touchpointpt.com.