Privacy Policy

Think Beyond Practice LLC | Last Updated: June 1, 2026

1. Introduction

This Privacy Policy describes how Think Beyond Practice, LLC ("Think Beyond Practice," "we," "us," or "our") collects, uses, shares, discloses, and retains (cumulatively “Process” or “Processes”) Personal Information (as defined below) about you when visiting our Website (www.thinkbeyondpractice.com) or using the services provided through our Think Beyond Practice Platform, comprised of the Practice Hub, the Credentialing Hub and the Community and Education (C&E) Hub, as well as all tools, features and services provided through those Hubs (collectively, the "Platform"), and our practices for protecting that Personal Information.

"Personal Information" is information that identifies, relates to, or describes, directly or indirectly, you as an individual, such as your name, email address, telephone number, home address, or payment information (for example, credit card number), and any other identifier we may use to identify you or contact you. Health information Processed through the Platform is Protected Health Information (PHI) that we Process solely on behalf of clinician Members pursuant to a Business Associate Agreement, as described in Sections 2.2 and 4. We do not collect consumer health data (i.e., health information falling outside HIPAA and governed by state consumer health privacy laws).

This Privacy Policy applies to Personal Information we collect:

This Policy does not apply to Personal Information or other information:

Collected by us offline or through any other means (other than those specified in this Policy), including on any other website operated by us or any third party that does not link to this Policy;

That we process from employees, job applicants, and other individuals that we interact with in an employment context; or

Collected from third parties, including through any application or content (including advertising), that may link to or be accessible from or through the Platform.

This Privacy Policy should be read together with our Terms of Service, and is in addition to any state-specific privacy policies that may supplement this Policy - to include our California Privacy Statement [HYPERLINK TO CCPA PRIVACY NOTICE] - as well as, where applicable, the Business Associate Agreement executed between licensed healthcare professionals (“Members”) and Think Beyond Practice LLC.

By using our website or the Platform, you consent to the practices described in this Privacy Policy.

We may provide additional or different privacy policies that are specific to certain features, services, or activities, when applicable.

2. Information We Collect

2.1 Categories of Information You Provide Directly

When you visit our website or use the Platform, access content, [view/engage in] demonstrations, communicate with us, create an account, [subscribe], we collect information you provide, which may include:

If you are a California resident, to access our supplemental California privacy statement, visit [HYPERLINK TO CCPA PRIVACY NOTICE FOR CALIFORNIA RESIDENTS].

Some Personal Information, such as may be considered “Sensitive Personal Information” under certain laws. If required under applicable law, we will collect and process Sensitive Personal Information only with your consent. If you choose not to provide or allow us to collect some information, we may not be able to provide you with requested features, services, or information.

For users of the Credentialing Hub specifically, additional information may include credentialing-specific data such as malpractice insurance details, work history, references, hospital affiliations, sanctions and disciplinary history (where you provide it), and payer-specific application data.

2.2 Protected Health Information (PHI) About Patients (Limited and Time-Bound)

The Practice Hub require Members to input Protected Health Information (“PHI”) about their patients solely for the purpose of generating outputs (such as letters, assessments, treatment plans, chart note content, or reference materials). PHI that may be Processed includes:

Important: The Platform is designed to minimize PHI persistence, but some PHI is retained for a limited, defined period. Most patient-facing features (such as letters, chart note content, and treatment plans) Process PHI transiently and auto-delete it after delivery to the Member. Certain features, however, retain PHI for a defined period in order to function, as follows:

Assessments. Where a Member sends a patient a validated self-report questionnaire, the secure link expires fourteen (14) days after it is sent and may be used only once. Completed patient responses are retained for up to thirty (30) days following completion so that the Member can retrieve and review the result, and are then automatically deleted. A Member may delete results sooner. After deletion, only de-identified summary metadata (such as scores and dates, without patient identifiers) is retained, which is used to display the patient's progress trend over time to that Member.

Recurring (scheduled) assessments. A Member may schedule questionnaires to be sent to a patient automatically on a recurring basis (weekly, monthly, or quarterly). Delivery is by email only. Where a Member creates such a schedule, the patient's email address and the schedule are retained for as long as the schedule remains active, so that the Platform can send the scheduled questionnaires without further input from the Member. The Member may pause or end a schedule at any time, and the patient may opt out from any message they receive. The Member is responsible for obtaining the patient's consent to receive health information by email before scheduling recurring sends.

PHI retained by these features is retained solely to provide the feature the Member has requested, is accessible only to the Member who created the record, and remains subject to the BAA between the Member and Think Beyond Practice. PHI is not stored at rest in user-accessible databases beyond the periods described above.

To the extent the Platform processes Protected Health Information (PHI) on behalf of a Member who is a Covered Entity under HIPAA, this processing is governed by the BAA executed between the Member and Think Beyond Practice, LLC.

2.3 Categories of Information Collected Automatically

When you use the Platform, we automatically collect certain information, including:

We do not use this information to identify individual patients of Members. Where this information is associated with a Member's account, it may be used to improve the Platform and inform feature development.

Statistics or aggregated information. Statistical or aggregated data does not directly identify a specific person, but we may derive non-personal statistical or aggregated data from Personal Information. For example, we may aggregate Personal Information to calculate the percentage of users accessing a specific Platform feature.

If we combine or connect non-personal statistical or technical data with Personal Information so that it directly or indirectly identifies an individual, we Process the combined information as Personal Information.

2.4 Information We May Receive from Third Parties

We may receive Personal Information about you from other sources. For example, we may obtain information about you from service providers that we engage to perform services on our behalf, such as

We do not control these third parties, nor the data that they collect/retain. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider(s) directly.

3. How We Use Personal Information

We use the Personal information we collect to:

3.1 Provide and Operate the Platform

3.2 Improve the Platform

3.3 Communicate With You

3.4 Maintain Security and Compliance

3.5 Specific to PHI

PHI Processed through the Platform is solely for the purpose of providing the specific tool/feature the Member has requested (such as generating an assessment summary, drafting a letter, or producing a treatment plan), and is Processed pursuant to an agreement between the Platform and the Member - known as a Business Associate Agreement - in which we agree to Process and safeguard that Information in accordance with HIPAA. PHI is not used for advertising, sold to third parties, or used to train AI models, and is not retained beyond the periods described in Sections 2.2 and 6.2.

4. AI Features and PHI

The Platform includes AI-assisted features, to include:

We do not use PHI to train Think Beyond Practice's own AI features. Where AI training occurs, it uses de-identified data (de-identified in accordance with HIPAA) or synthetic data (data that is generated and does not derive from any real patient), or content explicitly contributed by Members under the user-generated content provisions of our Terms of Service.

5. How We Share Information

WE DO NOT SELL PERSONAL INFORMATION.

We may Share Personal Information that we collect or you provide to us, with our ] trusted contractors, service providers, sub-processors and other third parties we use to support our organization, and for operating and maintaining the Platform [, each of whom are bound by contractual obligations to keep Personal Information confidential and use it only for the purposes for which we disclose it to them.] These third parties include:

A current list of subprocessors that may Process information on our behalf is available at https://thinkbeyondpractice.com/subprocessors. Where these providers Process PHI on our behalf, we maintain BAAs with them, as required by HIPAA.

5.2 The Categories of Personal Information we may Share with Third Parties include:

5.3 Members Forum and Community Features

Information you choose to share through the Community and Education Hub (such as your name, professional credentials, posts, and comments) is visible to other Members and, where applicable, to the public in general. As such, please do not share information through our Community and Education Hub that you do not want to be visible to others.

5.4 Sharing For Legal and Safety Purposes

We may Share Personal Information when we believe in good faith that disclosure is necessary to:

5.5 Sharing in the Case of Business Transfers

Sharing of Personal Information may occur if Think Beyond Practice, LLC is involved in a merger, acquisition, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information is among the assets transferred. We will provide notice before your Personal Information becomes subject to a different privacy policy.

5.6 Sharing With Your Consent

We may share information for any other purpose with your explicit consent.

6. Data Retention

We keep the categories of Personal Information described in this Policy for as long as reasonably necessary to fulfill the purposes described, or as otherwise legally permitted or required, to include for:

•Maintaining and providing the Platform and offering services

•operating our company

•complying with our legal, regulatory or court-ordered obligations

•processing payment

•tax purposes

•resolving disputes

•enforcing agreements, and

•for safety, security, and fraud prevention.

We retain different categories of information for different periods:

6.1 Member Account Information Retained for as long as your account is active. After account closure, we retain account information for a reasonable period to comply with tax, accounting, and legal obligations (typically up to seven years for financial records). Some information may be retained longer if required by law, legal hold, dispute resolution, or regulatory compliance.

6.2 PHI provided by Members Most PHI is auto-deleted after delivery of the requested output to the Member. Where a feature requires retention in order to function, the following periods apply: assessment links expire fourteen (14) days after being sent; completed patient assessment responses (which are PHI) are retained for up to thirty (30) days following completion and are then automatically deleted (a Member may delete them sooner); de-identified summary metadata (scores and dates, without patient identifiers) is retained after that deletion in order to display a progress trend to the Member; and where a Member has created a recurring assessment schedule, the patient's email address and the schedule are retained for as long as that schedule remains active, and are deleted when the Member ends the schedule. Some non-identifying metadata (such as timestamps of feature use) may be retained for usage analytics.

6.3 Forum Content Forum posts, comments, and contributed content remain on the Platform after your account closure unless you specifically request deletion. Anonymized or aggregated forum content may be retained for community continuity.

6.4 Communications With Us Support emails, feedback, and other communications are typically retained for two years after the conversation ends, unless retained longer for legal or operational reasons.

6.5 Backups Information in encrypted backups may persist for a limited period after deletion from production systems - generally no more than thirty (30) days - before being overwritten through our normal backup rotation.

At the end of the retention period, Personal Information will be [deleted or de-identified.

As noted above, we do not control third parties’ processing of Personal Information, and thus retention of that information will be in accordance with those third parties’ retention policies.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect information, including your Personal Information, from accidental or unauthorized access, use, alteration, and destruction, including:

No security measures are perfect. While we work to protect your Personal Information, we cannot guarantee absolute security. Likewise, email, texts, and other communications may not be secure, so you should carefully decide what information you send to us via such communications channels. Any transmission of Personal Information is at your own risk.

You are responsible for maintaining the confidentiality of your account credentials and notifying us promptly of any suspected compromise at privacy@thinkbeyondpractice.com.

8. Cookies and Tracking Technologies

The Platform uses automated technologies - subject to visitor/Member consent -to:

The automated technologies we may use for this include:

Most browsers allow you to refuse or accept cookies. Please note that, by default, the only cookies we place are strictly necessary cookies (those required for security, authentication, session management, and core site functionality). All other categories - including analytics, performance, and advertising cookies - are denied by default and are only set if you affirmatively opt in through our cookie banner. We implement this through Google Consent Mode v2, under which analytics storage, ad storage, ad user data, and ad personalization all default to denied. We also honor the Global Privacy Control (GPC): where a browser transmits a GPC signal, we continue to treat non-essential categories as denied. Declining non-essential cookies does not affect your ability to use the Platform or its tools, which do not depend on analytics or advertising cookies to function. .

Authenticated Platform pages versus public pages. We handle these differently. Analytics and advertising technologies (including Google Analytics and the Meta Pixel) are used only on our public, non-authenticated pages - our marketing website and our continuing-education site - and only where a visitor has affirmatively opted in, as described above. We do not place analytics or advertising cookies, pixels, or beacons on authenticated Platform pages (the pages Members use after logging in, including the Practice Hub tools, the Credentialing Hub, and the Community and Education Hub), nor on our publicly accessible demonstration pages. Cookies used on authenticated Platform pages are limited to those strictly necessary to authenticate you, maintain your session, and operate the tools you have requested.

We honor "Do Not Track" (DNT) signals where technically feasible, though there is no industry consensus on how DNT signals should be handled.

Some browsers and browser extensions support the Global Privacy Control (“GPC”), which sends a signal to opt you out from certain types of data processing, including 3rd party Sharing, as defined under certain laws. When we detect such a signal, we will make reasonable efforts to respect your choices - indicated by the GPC setting - as required by applicable law.

9. Your Privacy Rights

We extend the same privacy rights to all Members and visitors regardless of state of residence. We extend these rights as a matter of practice, drawing on the standards set by the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) and other state privacy laws, regardless of whether a given law applies to us.

9.1 Your Rights

You have the right to:

If you believe we have not handled your request appropriately, or disagree with an Appeal finding, you may:

9.2 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@thinkbeyondpractice.com with:

You may also submit requests by mail to the address listed in Section 15.

9.3 Verification and Response Timeframes

We will respond to your request within forty-five (45) days. We may extend the response period by an additional forty-five (45) days where reasonably necessary, in which case we will notify you of the extension and the reason.

To protect your privacy, we will verify your identity before responding to requests. The verification process may require you to provide Personal Information that matches information we already have on file. For sensitive requests, we may require additional verification steps.

9.4 Limitations and Exceptions

We may decline to fulfill a request, or fulfill it only partially, where:

If we decline a request in whole or in part, we will explain the reason and describe any rights you have to appeal.

9.5 Patient Rights Under HIPAA

Patients of Members seeking to exercise rights under HIPAA (including access to records, amendment requests, accounting of disclosures, etc.) should direct those requests to their healthcare provider, not to Think Beyond Practice. As a Business Associate, we will support Members in responding to patient requests as required by our BAA with Members.

10. Payments

We use third-party service provider Stripe for payment processing. Stripe may collect Personal Information including via cookies and similar technologies. The Personal Information Stripe collects may include transactional data and identifying information about devices that connect to its services.

We do not store your payment card details. That information is provided directly by you to Stripe whose use of your Personal Information is governed by their privacy policy. Personal Information collected by Stripe may include name, email address, billing address, and payment information (e.g., credit card number and associated data) and/or payment account ID, as applicable. The Platform will generally have access to certain anonymized, limited and/or truncated versions of payment/transaction information, such as customer name and email, the amount of the transaction, the last four digits of the card used, the card brand, and the date.

Stripe uses this information to operate and improve the services it provides to us, including for fraud prevention and detection, authentication, analytics related to the performance of its services, and to enhance and customize the user experience.

Stripe adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express, and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

For more information about the privacy practices of Stripe, please visit their privacy policy: https://stripe.com/us/privacy.]

11. Children's Privacy

Our website and the Platform are intended for use by adult Members and visitors that are 18 years of age or older . We do not knowingly collect information directly from children under eighteen. If you believe a child under eighteen has provided information to us directly, please contact privacy@thinkbeyondpractice.com so we can take appropriate action.

To the extent Members provide information about minor patients through use of the Platform, processing is governed by the Member's HIPAA obligations, their Notice of Privacy Practices and the BAA which they have signed with the Platform.

12. Where Our Services Are Available

Our services are available only to users located in the United States, and are designed for and directed to U.S. residents. We do not knowingly target or market to individuals outside the United States, or to individuals temporarily visiting or residing in the U.S. from other countries. [To help us maintain this geographic limitation, we use technology such as IP address detection to identify where visitors are accessing our Services from. If our systems detect that you're trying to access our Services from outside the U.S., we may restrict your access.]

13. Third-Party Links and Services

The Platform may contain links to third-party websites or services that we do not control. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices or content of third-party services. Review the privacy policies of any third-party services you use.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Continued use of the Platform after the effective date of the updated Privacy Policy constitutes acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the Platform.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your information, contact us at:

Think Beyond Practice, LLC: 9631 N Nevada St, Suite 209 Spokane, WA 99218

Privacy and Security: privacy@thinkbeyondpractice.com General Support: support@thinkbeyondpractice.com Legal Notices: legal@thinkbeyondpractice.com

For HIPAA-related concerns where you believe your protected health information has been mishandled, contact privacy@thinkbeyondpractice.com. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at https://www.hhs.gov/hipaa/filing-a-complaint/.