Privacy Policy
Last updated: June 17, 2026
Who We Are
Highbar Physical Therapy is the data controller responsible for the personal data described in this Privacy Policy.
Email: hello@highbarhealth.com
Address: 4 Richmond Square Suite 400
Providence, RI 02906
What Data We Collect
We collect the following types of personal data when you use our website and services to register and pay for continuing education courses, apply for jobs, and request appointments through our online appointment request system:
Cookie consent preferences (your choices about cookies and similar technologies, recorded through our consent management system).
Device and connection information (such as IP address, browser type, device type, and similar technical information needed to load and protect the website).
Course registration and account information (such as your name, email address, login credentials, and information you provide when registering for continuing education courses).
Payment and billing information (such as billing details and payment-related information needed to process your purchase; payment card details are handled by payment processors).
Appointment request information (such as your contact details and the information you submit through the online appointment request system).
Job application information (such as your contact details and the information you submit as part of an application, including resume/CV and related materials you choose to provide).
Marketing email information (such as your email address and your marketing communication preferences, where you choose to receive marketing emails).
Usage data via analytics (information about how you interact with the website, collected through analytics technologies that require your consent).
Social media data (information associated with social media features on our website, such as interactions with embedded content or social media tools, where those features are used).
Sources of data:
We collect data directly from you when you create an account, register for courses, submit payment, apply for a job, request an appointment, or contact us.
We collect some data automatically when you access the website (such as device and connection information).
We collect data from cookies and similar technologies; non-essential cookies are used only after you make your choices in our cookie consent tool.
If you do not provide certain information, we may not be able to create your account, process your course registration and payment, process your job application, or handle your appointment request. Marketing emails, analytics, and advertising-related data are optional and depend on your choices.
How We Use Your Data
We use your personal data for the purposes below, and we rely on the following legal bases depending on the purpose:
To provide our services, including creating and managing your account, registering you for continuing education courses, and connecting you to our online appointment request system (contract).
To process purchases and payments for continuing education courses and to manage related transaction administration (contract).
To receive, review, and communicate with you about job applications you submit through our website (contract).
To send marketing emails where you choose to receive them (consent). You can unsubscribe at any time using the link in the email or by contacting us.
To collect analytics data about website usage using cookies or similar technologies (consent).
To display personalized advertising and measure advertising performance using advertising technologies (consent).
To protect our website and users, including monitoring for security threats, abuse, and fraud, and maintaining the reliability of our services (legitimate interest).
To produce aggregated statistics that help us understand overall website performance without using cookies or other technologies that require consent (legitimate interest).
Who We Share Your Data With
We share personal data with the following recipients to operate and protect our website and to provide our services. These recipients process personal data under their own privacy policies and, where applicable, under contractual terms with us.
WordPress / WooCommerce: We use WordPress and WooCommerce to operate our website and course registration functionality. This may involve processing account, order, and technical information needed to provide the site and related services.
WooCommerce / Jetpack: We use Jetpack features associated with our WordPress/WooCommerce setup to support site functionality, performance, and security. This may involve processing device and connection information and other technical data needed to operate and protect the site.
Stripe: We use Stripe to handle payments for continuing education courses. Stripe processes payment and billing information to complete transactions and help prevent fraud.
Klaviyo: We use Klaviyo to send service-related messages and, where you have consented, marketing emails. This involves processing contact details and marketing preference information and may include tracking of email interactions using pseudonymous identifiers where enabled and permitted by your choices.
Mixpanel: If you consent, we use Mixpanel to understand how visitors use our website and to improve it. This involves processing usage data and online identifiers (including pseudonymous identifiers) collected through cookies or similar technologies.
Google Analytics: If you consent, we use Google Analytics to understand how visitors use our website and to improve it. This involves processing usage data and online identifiers (including pseudonymous identifiers) collected through cookies or similar technologies.
Hotjar: If you consent, we use Hotjar to understand how visitors use our website (for example, through usage analytics and feedback tools). This may involve processing usage data and online identifiers (including pseudonymous identifiers) collected through cookies or similar technologies.
Crazy Egg: If you consent, we use Crazy Egg to understand how visitors use our website (for example, through heatmaps and related analytics). This may involve processing usage data and online identifiers (including pseudonymous identifiers) collected through cookies or similar technologies.
Google Ads / Google: If you consent, we may use Google technologies (including Google Ads) for advertising and measurement. These technologies may process online identifiers (including pseudonymous identifiers) and usage data to support personalized advertising and measure advertising performance.
Facebook (Meta): If you consent, we may use Meta technologies (such as the Meta Pixel) and social media features that may allow Meta to receive information when you interact with embedded content or social tools on our website. This may involve online identifiers (including pseudonymous identifiers) and usage data for advertising measurement and cross-context behavioral advertising.
Microsoft: If you consent, we may use Microsoft technologies for advertising and measurement. These technologies may process online identifiers (including pseudonymous identifiers) and usage data to support personalized advertising and measure advertising performance.
Neustar: If you consent, we may use Neustar services in connection with advertising and measurement. This may involve processing online identifiers (including pseudonymous identifiers) and related usage data to support advertising measurement and related functions.
YouTube / Google: If you view pages where YouTube videos are embedded, YouTube (a Google service) may receive device and connection information and information about your interaction with the embedded content. Depending on configuration and your choices, YouTube may also use cookies or similar technologies and process online identifiers (including pseudonymous identifiers) for playback, security, and measurement purposes.
CookieYes: We may use CookieYes in connection with cookie management and compliance features. Where used, it may process information about your cookie choices and related technical data needed to present and store those choices.
We use our own consent management system (Trustwards) to record and manage your cookie preferences. This data is processed internally and not shared with third parties.
International Data Transfers
Some of our service providers are located outside the EU/EEA, specifically in the United States. When personal data is transferred internationally, we use appropriate safeguards required by applicable data protection laws.
Google (including Google Analytics, Google Ads, and YouTube): Google LLC participates in the EU-U.S. Data Privacy Framework (DPF).
Facebook (Meta): Meta Platforms, Inc. participates in the EU-U.S. Data Privacy Framework (DPF).
Microsoft: Microsoft Corporation participates in the EU-U.S. Data Privacy Framework (DPF).
Stripe: Stripe, Inc. participates in the EU-U.S. Data Privacy Framework (DPF).
Neustar: Neustar, Inc. participates in the EU-U.S. Data Privacy Framework (DPF).
Mixpanel: Mixpanel, Inc. is located in the United States. Where Mixpanel processes personal data transferred from the EU/EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, additional measures based on the transfer and risk assessment.
Hotjar: Hotjar Ltd. is located outside the EU/EEA. Where Hotjar processes personal data transferred from the EU/EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, additional measures based on the transfer and risk assessment.
Crazy Egg: Crazy Egg, Inc. is located in the United States. Where Crazy Egg processes personal data transferred from the EU/EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, additional measures based on the transfer and risk assessment.
CookieYes: CookieYes may process data outside the EU/EEA depending on configuration and hosting. Where personal data is transferred internationally in connection with CookieYes, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, additional measures based on the transfer and risk assessment.
For other providers that may process data outside the EU/EEA (for example, email and website service providers), we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, additional measures based on the transfer and risk assessment.
Our consent management system (Trustwards) is based in Spain (EU), so consent data is not transferred internationally.
How Long We Keep Your Data
We keep personal data for the periods listed below. Each retention period is independent and applies only to the data type described on that line.
Account data: until the account is deleted
Cookie consent records: 10 years (to demonstrate compliance and address potential claims within legal limitation periods)
Security logs and technical records: 12 months
Tax and accounting records: 10 years (legal requirement)
Analytics data: until consent is withdrawn or according to the analytics tool retention settings
Advertising/marketing tracking data: until consent is withdrawn
Marketing email data: until consent is withdrawn or user unsubscribes
Social media integration data: until consent is withdrawn
Your Rights
Depending on where you live and which laws apply, you may have the following rights regarding your personal data:
Access: request access to the personal data we hold about you.
Correction: request that we correct inaccurate or incomplete personal data.
Deletion: request that we delete your personal data in certain circumstances.
Restriction: request that we limit how we use your personal data in certain circumstances.
Data portability: request a copy of certain personal data in a portable format and, where applicable, ask that it be transferred to another provider.
Objection: object to certain processing, including processing based on legitimate interests, and object to certain direct marketing.
Withdraw consent: where we rely on consent, you can withdraw it at any time (this will not affect processing that occurred before you withdrew consent).
Automated decision-making: the right not to be subject to automated decision-making or profiling that produces legal effects or similarly significantly affects you.
Additional rights for California consumers include the right to opt-out of the sale or sharing of personal information and the right to limit the use and disclosure of sensitive personal information (where applicable).
How to exercise your rights: Please contact us at hello@highbarhealth.com. We may need to verify your identity before completing your request.
Response timing: We respond within one month for GDPR and LGPD requests, within 45 days for CCPA/CPRA requests (with the possibility of an additional 45 days where permitted and with notice), and within 30 days for PIPEDA requests, as applicable.
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
Children's Privacy
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
Data Security
We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. No method of transmission over the Internet or method of electronic storage is 100% secure, so we cannot guarantee absolute security.
Data Breach Notification
We maintain procedures to detect, report, and investigate security incidents. If a personal data breach occurs that poses a high risk to your rights and freedoms, we will notify you without undue delay and provide information about the nature of the breach, the likely consequences, and the measures taken or proposed to address it. If you suspect a security issue, please contact us at hello@highbarhealth.com.
How to Lodge a Complaint
We encourage you to contact us first so we can try to resolve your concern. You also have the right to lodge a complaint with the relevant authority depending on your location.
For EU/EEA/UK/Switzerland users: you may contact the competent authority in your jurisdiction.
For California consumers: you may contact the California Privacy Protection Agency (CPPA) at https://cppa.ca.gov/ and/or the California Attorney General.
For Brazilian data subjects: you may contact the ANPD (Autoridade Nacional de Proteção de Dados) at https://www.gov.br/anpd/.
For Canadian data subjects: you may contact the Office of the Privacy Commissioner of Canada (OPC) at https://www.priv.gc.ca/.
Updates to This Policy
We review and update this Privacy Policy periodically. The “Last updated” date at the top of this policy shows when it was last changed. If we make significant changes, we will provide notice by posting an update on our website and/or by email where appropriate. Changes take effect from the date indicated at the top of this policy. Where processing is based on consent, we will request new consent when required.
Contact Us
Email: hello@highbarhealth.com
Address: 4 Richmond Square Suite 400
Providence, RI 02906
Data Controller: Highbar Physical Therapy
California Privacy Rights (CCPA/CPRA)
This section applies to California consumers and describes our Notice at Collection and your rights under the CCPA/CPRA.
Categories of personal information collected in the last 12 months:
Identifiers (such as name, email address, IP address, and online identifiers).
Internet or other electronic network activity information (such as interactions with our website, where collected through analytics and advertising technologies based on your choices).
Commercial information (such as records of course purchases and payment-related transaction details).
Professional or employment-related information (such as information you submit in a job application).
Inferences (such as inferences used to support personalized advertising, where you consent to advertising technologies).
Business and commercial purposes for collecting personal information:
To provide and operate our services, including course registration, payment processing, job application handling, and appointment requests.
To communicate with you, including sending service messages and, where you consent, marketing emails.
To secure and protect our website and users.
To understand and improve website performance and user experience (where you consent to analytics).
To support personalized advertising and measure advertising performance (where you consent).
Sale of personal information: We do not sell personal information.
Sharing for cross-context behavioral advertising: We share personal information for cross-context behavioral advertising.
Categories of personal information shared for cross-context behavioral advertising: We share identifiers and internet or other electronic network activity information for this purpose.
Your CCPA/CPRA rights include:
Right to know what personal information is collected, used, shared, or sold.
Right to delete personal information, subject to exceptions.
Right to correct inaccurate personal information.
Right to opt-out of the sale or sharing of personal information (“Do Not Sell or Share My Personal Information”). You can submit an opt-out request by contacting us at hello@highbarhealth.com and by using our cookie and advertising preference controls where available. We also honor Global Privacy Control (GPC) signals as valid opt-out requests for sharing for cross-context behavioral advertising.
Right to limit the use and disclosure of sensitive personal information. We do not use sensitive personal information for purposes that require offering a “Limit the Use of My Sensitive Personal Information” link; if this changes, we will update this policy and provide the required choices.
Right to non-discrimination for exercising your rights.
How to submit requests: Email us at hello@highbarhealth.com.
Verification: We will take reasonable steps to verify your identity based on the nature of the request and the sensitivity of the information involved. This may include verifying access to the email address associated with your account or requesting additional information needed to confirm your identity. If you use an authorized agent, we may request proof of authorization and may still need to verify your identity directly.
Response timing: We respond within 45 days, and we may extend by an additional 45 days when permitted, with notice.
Brazilian Data Protection (LGPD)
This section applies to Brazilian data subjects.
Legal bases: We process personal data under LGPD legal bases that include consent (for example, marketing emails, analytics, personalized advertising, and social media integrations based on your choices), contract (to provide our services such as course registration and payment processing, job application handling, and appointment requests), and legitimate interest (to protect our website and users and to maintain service security and reliability).
Your LGPD rights include: confirmation of processing and access; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data; portability; deletion of personal data processed with consent; information about sharing; and withdrawal of consent.
To exercise your rights, contact us at hello@highbarhealth.com. You also have the right to petition the ANPD (Autoridade Nacional de Proteção de Dados).
Data Protection Officer contact: hello@highbarhealth.com.
Canadian Privacy Rights (PIPEDA)
This section applies to Canadian data subjects.
Accountability: We are responsible for personal information under our control and we use appropriate safeguards and practices to protect it.
Meaningful consent: We seek meaningful consent for the collection, use, and disclosure of personal information, including through clear notices and choices. For non-essential cookies and similar technologies used for analytics and advertising, we provide choices through our cookie consent tool.
Access and accuracy: You have the right to request access to your personal information and to challenge the accuracy and completeness of the information, and have it amended as appropriate.
Withdrawing consent: You can withdraw consent, subject to legal or contractual restrictions, by contacting us at hello@highbarhealth.com, using unsubscribe links in marketing emails, and adjusting cookie preferences through our consent tool.
Complaints: You may contact us to raise concerns, and you also have the right to complain to the Office of the Privacy Commissioner of Canada (OPC) at https://www.priv.gc.ca/.
Privacy Notice
Last updated: June 17, 2026
Notice at Collection
This Notice at Collection is for California consumers and explains the categories of personal information Highbar Physical Therapy collects and the business or commercial purposes for which we collect and use it.
Categories of Personal Information We Collect
We collect the following categories of personal information:
Identifiers (such as name, email, address, phone number).
Commercial information (such as purchase history and records of products or services).
Internet or other electronic network activity information (such as browsing history, search history, and interactions).
Geolocation data.
Professional or employment-related information.
How We Use Your Information
We collect and use personal information for the following business or commercial purposes: to process transactions, provide customer support, improve our services, and for marketing purposes.
Sale and Sharing of Personal Information
We do not sell personal information.
We share personal information for cross-context behavioral advertising. The categories of personal information we share for this purpose are: identifiers, internet or other electronic network activity information, and geolocation data. Based on our website scan, this sharing may occur through third-party advertising, analytics, and embedded content technologies and partners such as Facebook, Google (including Google Ads and Google Analytics), Microsoft, Neustar, Mixpanel, Hotjar, Crazy Egg, Klaviyo, and YouTube. We may also disclose personal information to service providers that help us operate our website and process transactions, such as Stripe, WooCommerce (including WooCommerce / Jetpack), WordPress, and CookieYes. Trustwards is our own consent management platform and is not a third party.
You have the right to opt out of the sharing of your personal information for cross-context behavioral advertising at any time. You may submit a request to opt out by contacting us at hello@highbarhealth.com and stating that you are making a “Do Not Sell or Share My Personal Information” request.
Retention
We retain personal information for as long as necessary to fulfill the purposes described in this notice, to comply with legal obligations, and to resolve disputes.
Your California Privacy Rights
Subject to certain exceptions, California consumers have the following rights under the CCPA/CPRA:
Right to know/access: You can request information about the personal information we collected about you, including the categories of personal information, the purposes for collecting it, and the categories of personal information shared for cross-context behavioral advertising.
Right to delete: You can request that we delete personal information we collected from you.
Right to correct: You can request that we correct inaccurate personal information we maintain about you.
Right to opt out of sale/sharing: You can opt out of the sale or sharing of your personal information. We do not sell personal information, but we do share certain personal information for cross-context behavioral advertising as described above.
Right to limit use of sensitive personal information: You can request that we limit the use and disclosure of sensitive personal information to certain permitted purposes.
Right to non-discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.
How to submit a request: Email us at hello@highbarhealth.com. We will respond within 45 days, unless an extension is permitted by law.
Global Privacy Control (GPC): We honor opt-out preference signals sent through the Global Privacy Control where required by the CCPA/CPRA.
Contact Us
Highbar Physical Therapy
hello@highbarhealth.com