Data Protection Policy
WisePractice.io
Effective Date: 3/11/2025
Last Updated: 3/17/2025
1. Introduction
WisePractice.io (“we,” “us,” “our”) is committed to ensuring the security and protection of the personal data that we process and to providing a compliant and consistent approach to data protection. This policy outlines our compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA) where applicable.
2. Scope
This policy applies to all individuals who interact with WisePractice.io, including customers, clients, employees, contractors, and partners. It governs how we collect, store, process, transfer, and dispose of personal and sensitive data.
3. Principles of Data Protection
We adhere to the following key data protection principles:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and transparently.
- Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data Minimization: We collect only the personal data necessary for the intended purposes.
- Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
- Storage Limitation: We retain personal data only for as long as necessary to fulfill its purpose.
- Integrity and Confidentiality: We implement appropriate security measures to protect personal data against unauthorized access, loss, destruction, or damage.
4. Data Collection & Processing
WisePractice.io collects and processes personal data in compliance with legal and regulatory requirements. Personal data collected may include, but is not limited to:
- User Identifiers: Name, email, phone number, and address
- Account Information: Login credentials, account activity logs
- Financial Data: Payment information, billing details
- Health Data (where applicable): For services related to therapy and healthcare professionals
We collect data directly from users or through automated means (e.g., cookies, analytics, and tracking technologies).
5. Legal Basis for Processing
We process personal data based on at least one of the following legal grounds:
- Consent: Users provide explicit consent for data processing.
- Contractual Necessity: Data is processed to fulfill a contract.
- Legal Obligation: Processing is necessary to comply with a legal obligation.
- Legitimate Interests: Data is processed for our legitimate business interests, provided these do not override individual rights.
6. Data Sharing & Third Parties
We do not sell personal data. We may share data with:
- Service Providers: Third-party vendors assisting in operations (e.g., hosting, payments, customer support).
- Legal Authorities: Where required by law, we disclose data to law enforcement or regulatory bodies.
- Affiliated Businesses: With prior user consent, for business transactions or partnerships.
All third-party service providers processing personal data on our behalf are contractually obligated to ensure data security and compliance with this policy.
7. International Data Transfers
If we transfer data outside the European Economic Area (EEA) or other jurisdictions, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Adequacy decisions under applicable law
8. Data Security Measures
We implement robust security measures, including:
- Encryption of sensitive data
- Multi-factor authentication for system access
- Regular security audits and penetration testing
- Role-based access controls
- Data breach response protocols
9. Data Retention & Disposal
We retain personal data only for the necessary duration required by law or business needs. Upon expiration, data is securely deleted or anonymized.
10. Data Subject Rights
Individuals have the following rights under GDPR, CCPA, and other relevant laws:
- Right to Access: Request a copy of personal data we hold.
- Right to Rectification: Request corrections to inaccurate or incomplete data.
- Right to Erasure (“Right to be Forgotten”): Request deletion of personal data, subject to legal limitations.
- Right to Restriction of Processing: Limit processing under specific circumstances.
- Right to Data Portability: Receive data in a portable format.
- Right to Object: Object to processing for direct marketing purposes.
- Rights Related to Automated Decision-Making: Challenge automated decisions affecting them.
To exercise these rights, users may contact us at [Insert Contact Email]. We respond within legally mandated timelines.
11. Compliance with HIPAA (If Applicable)
Where WisePractice.io processes Protected Health Information (PHI) in relation to healthcare providers, we comply with HIPAA regulations, including:
- Implementing Administrative, Technical, and Physical Safeguards
- Ensuring Business Associate Agreements (BAAs) with vendors handling PHI
- Conducting HIPAA-compliant data processing and access controls
12. Data Breach Response
In case of a data breach, WisePractice.io follows a strict incident response plan, including:
- Identifying and containing the breach
- Assessing the impact and mitigating further risks
- Notifying affected individuals and regulatory authorities as required
- Implementing corrective actions to prevent recurrence
13. Changes to This Policy
WisePractice.io reserves the right to update this policy periodically. Users will be notified of significant changes via email or website announcements.
14. Contact Information
For any questions regarding this Data Protection Policy or to exercise rights, please contact:
WisePractice.io Data Protection Officer (DPO)
JJ Steelman
support@wisepractice.io