Privacy Policy

Effective Date: 9/1/2025

Part 1: Privacy Notice for Partner Clinics, Organizations, and Practitioners

How TouchpointPT Collects, Uses, and Protects Partner Information

This Part 1 describes how Genuine Intelligence, LLC d/b/a TouchpointPT ("TouchpointPT," "we," "us," or "our") collects, uses, stores, and protects information in connection with clinics, group practices, healthcare organizations, and individual licensed practitioners (each a "Partner") that use the TouchpointPT platform to deliver care to their patients. By registering as a Partner or using the platform, you acknowledge and agree to the practices described in this Part 1.

1. Roles Under This Policy

TouchpointPT acts as a technology platform provider and, with respect to any Protected Health Information (PHI) that flows through the platform, as a Business Associate and data custodian on behalf of the Partner. TouchpointPT does not own any patient data or PHI. All patient information and clinical records created, transmitted, or stored through the platform are owned by the Partner and/or the applicable patient. TouchpointPT holds such data solely in its capacity as a data custodian, at the direction of and on behalf of the Partner.

The Partner, as the Covered Entity (or as a Business Associate of another Covered Entity), is primarily responsible for the privacy and security of patient health information under HIPAA and applicable state law. TouchpointPT's obligations regarding PHI are governed by the Business Associate Agreement (BAA) executed between TouchpointPT and the Partner.

This Part 1 addresses information TouchpointPT collects about Partners themselves — including organizational, account, and platform usage information — and the safeguards TouchpointPT maintains for patient data processed through the platform on the Partner's behalf.

2. Information We Collect from Partners

When a Partner registers for and uses the TouchpointPT platform, we may collect the following types of information:

  • Organizational Information: Practice or organization name, business address, tax identification numbers, and entity type.
  • Practitioner Information: Names, professional license numbers, license states and types, NPI numbers, and contact details for licensed practitioners associated with the Partner account.
  • Account & Billing Information: Authorized administrator names, email addresses, and payment and billing details for platform subscription fees.
  • Usage Data: Log data, IP addresses, device and browser information, and records of platform interactions generated when Partners and their staff use the platform.
  • Content & Clinical Data: Care plan templates, exercise content, forms, and other materials Partners create or upload to the platform, as well as patient records and PHI created or transmitted through the platform on behalf of the Partner's patients.

3. How We Use Partner Information

We use the information collected from Partners to:

  • Provision, maintain, and improve the TouchpointPT platform and its features.
  • Verify Partner credentials and eligibility during registration and throughout the partnership.
  • Process platform subscription fees and manage billing.
  • Provide technical support and respond to Partner inquiries.
  • Communicate with Partners about platform updates, policy changes, and service-related notices.
  • Comply with legal, regulatory, and contractual obligations.
  • Detect, investigate, and prevent security incidents or misuse of the platform.

We do not use Partner information for marketing purposes beyond communicating about TouchpointPT's own services, and we do not sell Partner information to third parties.

4. Patient Data Processed on Partners' Behalf

When Partners use the platform to deliver care, patient health information and PHI may be created, transmitted, or stored through the platform. TouchpointPT processes this data solely as a Business Associate and data custodian acting on behalf of the Partner. TouchpointPT does not claim any proprietary interest in patient data or PHI. The Partner retains full ownership of all patient information at all times, including during and after the term of the subscription.

  • TouchpointPT will not use or disclose patient PHI except as permitted under the BAA and applicable law.
  • Partners are responsible for ensuring they have obtained all necessary patient consents and authorizations before transmitting PHI through the platform.
  • Partners are responsible for their own HIPAA compliance, including providing patients with a Notice of Privacy Practices and honoring patient rights with respect to their health information.
  • TouchpointPT will support Partners in fulfilling patient rights requests (e.g., access, amendment) to the extent required by the BAA.

5. How We Share Partner Information

We do not sell Partner information. We may share Partner information with the following categories of recipients as necessary to provide the platform and comply with applicable law:

  • Amazon Web Services (AWS): For secure cloud hosting, data storage, and infrastructure services. AWS is a HIPAA-eligible service provider.
  • Payment Processors: To facilitate billing and collection of platform subscription fees.
  • Professional Services Providers: Legal, accounting, and compliance advisors bound by confidentiality obligations.
  • Law Enforcement or Regulatory Authorities: When required by applicable law, court order, or to protect the rights, property, or safety of TouchpointPT, Partners, patients, or the public.
  • Successor Entities: In the event of a merger, acquisition, or sale of all or substantially all of our assets, subject to appropriate confidentiality protections.

All third-party vendors with access to PHI are required to execute a BAA with TouchpointPT and implement HIPAA-compliant safeguards.

6. Data Security

TouchpointPT implements administrative, technical, and physical safeguards designed to protect Partner information and patient PHI against unauthorized access, disclosure, alteration, or destruction. These safeguards include:

  • Encryption of data in transit and at rest.
  • Role-based access controls limiting platform access to authorized personnel.
  • Audit logging to monitor and detect unauthorized access or anomalous activity.
  • Regular security assessments and vulnerability management.
  • Use of HIPAA-eligible cloud infrastructure through AWS.

While we take all reasonable measures to protect data, no system is completely secure. Partners should implement their own appropriate security measures and promptly report any suspected security incidents to TouchpointPT at support@touchpointpt.com.

7. Data Retention & Post-Termination Obligations

We retain Partner account and organizational information for the duration of the partnership and for a reasonable period thereafter as necessary to fulfill legal, regulatory, and contractual obligations.

Patient PHI processed through the platform on behalf of Partners is retained in accordance with the applicable BAA and applicable law, including the HIPAA minimum retention requirement of seven (7) years. Because TouchpointPT acts solely as a data custodian — and not as the data owner — the Partner remains fully responsible for ensuring continued HIPAA-compliant retention of patient PHI for the entirety of any applicable retention period, including after termination of the subscription.

Upon termination or non-renewal of a Partner's subscription, the Partner must arrange for the ongoing storage of patient PHI through one of the options set forth in the Partner Agreement (long-term archival storage through TouchpointPT, transfer to a third-party HIPAA-compliant storage provider, a transferred account under the Partner's own billing, or self-managed download and retention). Partners who do not make a timely election will be contacted by TouchpointPT, and data may be permanently deleted if no arrangement is made within the period specified in the Partner Agreement. TouchpointPT bears no liability for regulatory penalties arising from a Partner's failure to arrange compliant post-termination data retention.

8. Breach Notification

In the event of a security incident involving Partner information or patient PHI processed through the platform, TouchpointPT will notify the affected Partner as required under the BAA and applicable HIPAA Breach Notification Rules.

Partners are responsible for notifying their patients and applicable regulatory authorities of any breach in accordance with HIPAA and applicable state law.

TouchpointPT will cooperate with Partners in any breach investigation and will implement remediation measures to prevent future incidents.

9. Cookies and Platform Analytics

We use cookies and similar tracking technologies within the platform portal to support authentication, maintain session state, and gather aggregate analytics about platform usage. Partners and their staff may adjust browser settings to limit cookies, though some platform features may not function properly without them.

We do not use cookies to track individuals across unaffiliated websites or to serve third-party advertising.

10. Changes to This Part

We may update this Part 1 from time to time. If we make material changes, we will notify Partners via email or in-platform notification at least thirty (30) days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. Partners who do not agree to material changes should discontinue use and notify TouchpointPT in writing.

11. Contact Us

For questions about this Part 1 or about how TouchpointPT handles your data as a Partner, contact us at: support@touchpointpt.com.

Part 2: Privacy Notice for Patients

How Your Information Is Handled When You Use the TouchpointPT Platform

This Part 2 describes how Genuine Intelligence, LLC d/b/a TouchpointPT ("TouchpointPT," "we," "us," or "our") handles information in connection with your use of the TouchpointPT platform as a patient. TouchpointPT is a technology platform. Your clinical care is provided by your Clinic (the licensed clinic, group practice, or individual practitioner who invited you to the platform), not by TouchpointPT. Your Clinic is primarily responsible for the privacy of your health information and should provide you with its own Notice of Privacy Practices. This Part 2 focuses on the data TouchpointPT itself collects in connection with platform access and the safeguards we maintain for health data processed through the platform.

1. Who Controls Your Health Information

Your Clinic is the Covered Entity under HIPAA and is the owner and primary custodian of your Protected Health Information (PHI). TouchpointPT acts only as a Business Associate and data custodian of your Clinic — we hold and process PHI solely on your Clinic's behalf, at their direction, and under the terms of our Business Associate Agreement with them. TouchpointPT does not own your health information and has no independent rights over it.

  • Questions about how your clinical records are used, shared, or stored should be directed to your Clinic.
  • Requests to access, amend, or restrict your health records should be made to your Clinic, who has primary responsibility for honoring HIPAA patient rights.
  • Your Clinic is required by law to provide you with a Notice of Privacy Practices explaining how they handle your PHI. If you haven't received one, contact your Clinic directly.
  • TouchpointPT will support your Clinic in responding to your rights requests as required under our Business Associate Agreement with your Clinic.

2. Information TouchpointPT Collects

TouchpointPT collects certain information in connection with providing you access to the platform:

  • Account Information: Name, email address, and login credentials when you register for a patient account.
  • Health and Clinical Information: Medical history, treatment plans, exercise programs, session notes, assessments, and other health information shared through the platform as part of your care from your Clinic.
  • Media: Recorded videos, images, and other media you share through the platform for purposes such as exercise demonstration and form review, as directed by your Clinic.
  • Technical Information: Device information, IP address, browser type, and platform usage data generated when you access the platform.

Health and clinical information is owned by your Clinic (and you, as applicable). TouchpointPT processes this information solely as a data custodian and Business Associate of your Clinic, to enable the platform's features. Account and technical information is collected by TouchpointPT to operate and maintain the platform.

3. Recorded Videos and Media

As part of the Services, your Clinic may ask you to share videos, images, or other media through the platform for clinical purposes such as exercise review, form correction, and progress tracking. These recordings are reviewed by your Provider and are part of your clinical record maintained by your Clinic.

All media is stored securely on encrypted servers hosted by Amazon Web Services (AWS). Access is restricted to your Provider and authorized clinical staff at your Clinic. TouchpointPT does not access your media except as necessary to maintain and support the platform.

If you wish to request deletion of specific recordings, contact your Clinic. Requests may be subject to applicable legal and professional record retention requirements.

4. How Your Information Is Used

TouchpointPT uses the information it collects to:

  • Provide you with access to the platform and its features as configured by your Clinic.
  • Facilitate secure communication and data exchange between you and your Clinic.
  • Support your Clinic in delivering care, including scheduling, messaging, exercise programming, and progress tracking.
  • Maintain and improve platform security, performance, and functionality.
  • Comply with legal and regulatory obligations.

TouchpointPT does not use your health information for advertising or marketing purposes, and does not sell your personal or health information to third parties.

5. How Information Is Shared

TouchpointPT does not sell your information. Your information may be shared in the following circumstances:

  • With Your Clinic and its authorized clinical staff: As necessary to facilitate your care through the platform.
  • With Amazon Web Services (AWS): For secure cloud hosting and data storage. AWS is a HIPAA-eligible provider.
  • With payment processors: If your Clinic has arranged for payment processing through the platform.
  • With professional service providers: Legal and compliance advisors bound by confidentiality obligations.
  • With law enforcement or regulatory authorities: When required by applicable law or court order, or to protect the safety of individuals.
  • With successor entities: In the event of a merger, acquisition, or sale of assets, subject to appropriate privacy protections.

All vendors who may access PHI are required to execute a Business Associate Agreement with TouchpointPT and implement HIPAA-compliant safeguards.

6. HIPAA Compliance and Safeguards

TouchpointPT is committed to maintaining HIPAA-compliant safeguards for all PHI processed through the platform. These safeguards include encryption in transit and at rest, role-based access controls, audit logging, and regular security assessments.

As a Business Associate and data custodian acting on behalf of your Clinic, TouchpointPT does not own your PHI and has no independent rights over it. TouchpointPT's use and disclosure of your PHI is strictly governed by its Business Associate Agreement with your Clinic and applicable HIPAA rules. TouchpointPT will not use or disclose your PHI in ways that are not permitted under that agreement or applicable law.

7. Communication Methods

TouchpointPT may send you platform-related communications, such as account notices and security alerts. Your Clinic may communicate with you through the platform using secure video, messaging, and other features.

Some communication methods, such as email, may not be fully encrypted end-to-end. By using the platform, you acknowledge and consent to these communication methods and their associated risks. If you have concerns about communication security, contact your Clinic or reach us at support@touchpointpt.com.

8. Data Storage and Security

Your data is stored on HIPAA-eligible infrastructure provided by Amazon Web Services (AWS), which implements industry-standard security measures including encryption in transit and at rest.

TouchpointPT implements administrative, technical, and physical safeguards to protect your information from unauthorized access, use, or disclosure. While we take all reasonable precautions, no system is completely secure, and we cannot guarantee absolute security.

9. Data Retention

TouchpointPT retains platform account and technical information for as long as necessary to provide the platform Services and comply with legal obligations.

Your clinical and health information is owned by your Clinic and is retained in accordance with your Clinic's policies and applicable legal and professional record retention requirements, including the HIPAA minimum seven (7) year retention period. TouchpointPT acts only as a data custodian for this information on behalf of your Clinic. If your Clinic ends its subscription with TouchpointPT, your Clinic is responsible for ensuring your records continue to be stored in a HIPAA-compliant manner for the remainder of any applicable retention period. For questions about the retention of your health records, contact your Clinic.

10. Breach Notification

In the event of a security breach involving your PHI or personal information, TouchpointPT will notify your Clinic as required under the applicable Business Associate Agreement and the HIPAA Breach Notification Rule.

Your Clinic, as the Covered Entity, is responsible for notifying you of breaches involving your PHI as required by HIPAA and applicable state law. TouchpointPT will cooperate fully with your Clinic in investigating and remediating any breach.

11. Your Privacy Rights

With respect to your clinical health records, your HIPAA rights — including the right to access, amend, restrict, or receive an accounting of disclosures — are exercised through your Clinic. Please contact your Clinic to make any such requests.

With respect to your platform account information held directly by TouchpointPT, you may:

  • Request access to your platform account information.
  • Request correction of inaccurate account information.
  • Request deletion of your platform account (subject to applicable legal and contractual limitations).

To exercise rights related to your TouchpointPT account information, contact us at support@touchpointpt.com.

12. Cookies and Tracking

We may use cookies and similar technologies to support platform authentication, session management, and aggregate usage analytics. You can adjust your browser settings to limit cookies, though some features may not function properly as a result.

We do not use cookies to track you across unaffiliated websites or for third-party advertising purposes.

13. Privacy of Minors

The platform is not directed to children under 13 (or under 16 in some jurisdictions). We do not knowingly collect information from patients under 18 without verifiable parental or guardian consent. If you believe a minor's information has been collected without appropriate consent, contact us at support@touchpointpt.com.

14. International Users

If you access the platform from outside the United States, your information may be processed and stored in the U.S., which may have different data protection laws than your jurisdiction. By using the platform, you consent to the transfer and processing of your information in the U.S.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the platform or by email at least fourteen (14) days before changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

16. Contact Us

For questions about this Privacy Policy or about your platform account information, contact us at: support@touchpointpt.com.

For questions about your clinical health records and HIPAA rights, please contact your Clinic directly.