Privacy Policy

1) Who We Are
Her Therapy Studio (“we,” “our,” or “us”) provides private-pay psychotherapy services in Arizona. This Privacy Policy explains how we collect, use, and protect information when you visit hertherapystudio.com or interact with our online content (the “Site”).
This policy does not replace our Notice of Privacy Practices, which explains how we handle Protected Health Information (PHI) under HIPAA for therapy services.

2) Scope: Website Data vs. PHI
  • Website Data: Things like IP address, pages visited, and contact form submissions.
  • Protected Health Information (PHI): Any information about your health or care that identifies you. PHI is governed by HIPAA and addressed in our NPP.

3) Information We Collect on This Site
  • You provide directly: Your name, email, phone, or message when you use our contact forms or request a consultation.
  • Automatically collected: IP address, browser type, referring page, and site usage data.
  • No therapy via the website: The Site is for general information and initial contact only, not for diagnosis, treatment, emergencies, or secure clinical communications.

If you are in crisis, call 911 or a local crisis hotline immediately.

4) Cookies & Online Tracking
We use limited, privacy-respecting analytics to understand how our site is used.
  • We do not use marketing pixels or tracking tools on pages where PHI could be collected or inferred.
  • Any analytics tools are configured to avoid collecting sensitive health information.
  • You can disable cookies in your browser settings.

5) How We Use Website Information
  • To respond to inquiries and scheduling requests.
  • To improve and secure our Site.
  • To comply with applicable laws and regulations.

6) How We Share Website Information
  • Vendors (“Business Associates”): We work with trusted companies like SimplePractice, Square, Gmail, and Flodesk to support scheduling, payments, email, and website functions. Each vendor that may access PHI has a Business Associate Agreement (BAA) in place requiring HIPAA-level safeguards.
  • Legal purposes: If required by law, court order, or government regulations.
  • We do not sell your information.

7) Email, Forms, and Security
  • Email is not always secure. Please avoid sharing sensitive clinical information through regular email or contact forms.
  • For PHI, we use SimplePractice and other HIPAA-secure tools.
  • While we maintain strong security measures, no system is 100% secure.

8) Data Retention
  • Website inquiries are kept as long as needed for communication or legal requirements.
  • Clinical records are maintained per state and federal guidelines (see NPP).

9) Your Choices
  • Adjust your cookie settings via your browser.
  • You may request that we update or delete non-clinical information when legally permissible.

10) Children’s Privacy
This Site is not intended for children under 13.

11) Links to Other Sites
Links to third-party tools or scheduling platforms are covered by their own privacy policies.

12) Arizona Breach Notification
If a data breach involving personal information occurs, we will notify affected Arizona residents as required by law, generally within 45 days of discovery unless law enforcement requests a delay.

13) Changes
We may update this policy from time to time. The revised policy will include an updated effective date.

14) Contact Us
Her Therapy Studio
 Email: kelly@hertherapystudio.com
 Phone: 480-797-1328

Her Therapy Studio – HIPAA Notice of Privacy Practices (NPP)
Effective Date: October 1, 2025

Your Rights
You have rights regarding your health information, including the right to:
  • Get a copy of your records (paper or electronic).
  • Request corrections to your records.
  • Request confidential communication methods (alternate address or phone).
  • Ask us to limit what we share (we may not be able to agree in every case).
  • Receive a list of disclosures we’ve made of your PHI.
  • Get a copy of this notice at any time.
  • File a complaint without fear of retaliation if you believe your privacy rights have been violated.

How We Use and Share Your PHI
We typically use or share your PHI to:
  • Provide treatment: Coordinate your care with other providers.
  • Process payments: Collect private-pay fees through Square or other HIPAA-compliant systems.
  • Run our practice: For quality improvement, auditing, and training purposes.

We may also disclose information:
  • To report suspected abuse or neglect.
  • For public health and safety purposes.
  • In response to legal proceedings, subpoenas, or law enforcement.
  • To comply with other legally required disclosures.

Any other use or disclosure, including most uses of psychotherapy notes, requires your written authorization.

Our Responsibilities
  • Maintain the privacy and security of your PHI.
  • Follow the terms of this notice.
  • Notify you promptly if a breach occurs.
  • Only share PHI as described here unless you authorize us to do so.

Business Associates
We work with trusted companies to provide services like scheduling, payments, email, and forms.
  • SimplePractice – secure scheduling, telehealth, and records.
  • Square – secure private-pay processing.
  • Gmail/Google Workspace – secure business email.
  • Flodesk – email marketing (non-PHI only).
  • Each vendor has a BAA with us to ensure HIPAA compliance.

Communication Preferences
You can request how we contact you (phone, voicemail, email).
  • If email is used, we’ll explain risks and offer secure alternatives where needed.

Filing a Complaint
If you believe your privacy rights have been violated:
To us:
 Her Therapy Studio Privacy Officer
 Email: kelly@hertherapystudio.com
 Phone: 480-797-1328

To the U.S. Department of Health and Human Services:
 You can file a complaint online at www.hhs.gov/ocr/privacy/hipaa/complaints.

We will not retaliate against you for filing a complaint.

Summary
  • This combined policy covers website visitors and therapy clients.
  • Vendors like SimplePractice, Square, Gmail, and Flodesk are fully integrated and HIPAA-aligned where applicable.
  • Arizona breach rules are included with a 45-day notification requirement.
  • No CA/CPRA or GDPR sections are included, as requested.

LAST UPDATED October 1, 2025