PRIVACY POLICY

Effective Date: 10/01/2025
Provider: Darr Family Chiropractic (“we,” “us,” “our”)

1. Purpose of This Policy

This Privacy Policy explains how we collect, use, protect, and disclose personal and health information submitted through our online intake, scheduling, and pre-screening systems. This policy applies exclusively to information submitted before becoming an in-office patient and does not replace the full Notice of Privacy Practices provided at the time of treatment.

2. Types of Information Collected

We collect only the information necessary to schedule an appointment and determine whether you may be a candidate for evaluation or treatment. This may include:

Contact information (name, phone, email)

Health and symptom information voluntarily entered into the form

Diagnostic or imaging status (e.g., MRI completed)

Optional prepaid appointment reservation information (if submitted)

We do not collect unnecessary data, and we do not sell or share information for advertising purposes.

3. Purpose and Lawful Basis for Collection

Information submitted through the online form is used exclusively for:

Appointment scheduling

Preliminary medical suitability review

Secure transfer into our HIPAA-compliant Electronic Health Record (EHR)

Appointment and clinical follow-up communications

By submitting the form, you provide consent for this limited medical use. No information submitted is used for audience targeting, advertising, remarketing, or data resale.

4. Data Handling and Storage

Form submissions are processed on a HIPAA-compliant version of GoHighLevel

Data is encrypted in transit and at rest

PHI is transferred into the clinic’s EHR system

The landing page and web host do not retain PHI after transfer

Only authorized clinical staff may access submitted information

No PHI is stored by advertising platforms (Meta, Google, etc.)

5. HIPAA Compliance

For U.S. patients, all collected health information is handled in accordance with the HIPAA Privacy Rule. Patients are entitled to all privacy rights under HIPAA, including access, correction, restriction, and complaint rights.

6. Canadian Compliance (PIPEDA and Provincial Law)

For Canadian users, collection and handling of personal information complies with PIPEDA and any applicable provincial health privacy laws. Data may be transferred to the United States for treatment purposes only and is subject to the same level of protection applied to U.S. patient records.

7. Data Retention

PHI submitted through the form is not stored on this website after transfer to the EHR

If an individual does not become a patient, intake data is not kept or reused

No intake data is retained for marketing or sales purposes

8. Disclosure Restrictions

We do not sell or share personal or health information with third parties for commercial purposes. Disclosure may occur only as permitted by law, including:

To authorized medical staff

To HIPAA-compliant service providers under Business Associate Agreements

To process an approved payment

When legally required (e.g., subpoena, court order)

9. Cookies and Analytics

Website-level analytics may track anonymous, non-medical browsing activity. No cookie, pixel, or tracking tool is permitted to collect or transmit PHI.

9A. Use of Advertising and Analytics Platforms (Meta, Google, or Similar)

We may use advertising or analytics tools to measure the performance of our online advertising campaigns. These tools may collect limited technical information such as IP address, device type, browser type, and timestamp of page visit for attribution and conversion-tracking purposes only.

No personal health information (PHI), medical intake responses, diagnostic details, treatment history, symptoms, or form submission data are transmitted to Meta, Google, or any other advertising platform.

All tracking tools are configured to prevent the transmission of PHI or any data that could be used to infer a health condition, diagnosis, or treatment status about a specific individual. Pixel-based tracking is disabled on pages where medical intake forms are submitted or viewed, and no form fields or health data are mapped to ad platforms.

We do not use retargeting or remarketing audiences based on medical form submissions, health status, or appointment scheduling actions.

9B. Meta (Facebook/Instagram) Tracking Limitation Notice

When Meta tracking is used, the only data transmitted is non-medical event metadata such as:

IP address

Timestamp of page visit or action

Generic page URL (not containing health references)

Non-identifying conversion event data

No medical history, symptoms, diagnostic information, or intake responses are shared with Meta. Meta does not receive, store, or process any personal health information submitted through this website.

Meta is not a Business Associate under HIPAA, and therefore no PHI is sent to Meta under any circumstances.

9C. Google Tracking Limitation Notice

Any Google Analytics or Google Ads tracking is configured in “restricted data mode” and does not collect or transmit PHI. No medical form responses, health condition identifiers, or intake data are linked to Google services.

If attribution tracking is used, it is limited to anonymous, aggregate, non-medical traffic data. Google does not receive, store, or process PHI from this website.

9D. No PHI Shared With Any Advertising Platform

For clarity:

We do not send PHI to Meta, Google, or any third-party advertiser

We do not allow ad platforms to collect health-related fields or form data

We do not build advertising audiences using health data or appointment activity

We do not share or sell patient data for any marketing or profiling purpose

We do not authorize any platform to re-identify website visitors based on medical information

All PHI remains within our HIPAA-compliant intake system and clinical EHR only.

9E. Canadian Compliance Statement

For users located in Canada, no personal health information is disclosed to Meta, Google, or other advertising platforms. Any metadata shared is anonymized and processed in compliance with PIPEDA and applicable provincial health privacy laws.


10. PCI Compliance for Payment Processing

If you choose to prepay to secure your appointment:

Payment is processed through a PCI-DSS compliant payment processor

We do not store credit card data on this website or in our systems

Payment information is not linked to medical records

Cardholder data is encrypted and accessible only to the payment processor

11. HIPAA Consent for Online Intake

Submission of the medical intake form constitutes consent for the use of the information solely for evaluation, scheduling, and transfer into the EHR. A separate formal consent for treatment is provided in-office.

12. Patient Rights

To request access, correction, restriction, or deletion of your information, contact:

Shonda Darr
Darr Family Chiropractic

Requests will be completed in accordance with HIPAA, federal law, state law, and (where applicable) Canadian law.

13. Changes to This Policy

We reserve the right to make changes to this Privacy Policy. Updates will be posted with a revised effective date.

14. How to File a Complaint

United States:
Office for Civil Rights, U.S. Department of Health & Human Services

Canada:
Office of the Privacy Commissioner of Canada

You will not be penalized for filing a privacy complaint.

15. Acknowledgment

By submitting information through this website, you acknowledge that:

You are providing health information voluntarily

The information will be used only for medical review and scheduling

No PHI is used for advertising, retargeting, or profiling

You may withdraw consent as permitted by law.