Privacy Policy

Think Beyond Practice LLC | Effective Date: June 1, 2026

1. Introduction

This Privacy Policy describes how Think Beyond Practice LLC ("Think Beyond Practice," "we," "us," or "our") collects, uses, stores, shares, and protects information through our Platform, including the Think Beyond Practice Forum, Practice Lab, Practice Manager, Credentialing Hub, Ask the Archive, and other current or future services (collectively, the "Platform").

This Privacy Policy applies to:

Healthcare professionals who use the Platform ("Members")

Visitors to our website who do not have an account

Patients of Members whose information is briefly processed through specific Platform features (governed primarily by your clinician's privacy practices and applicable Business Associate Agreements)

This Privacy Policy should be read together with our Terms of Service and, where applicable, the Business Associate Agreement executed between you and Think Beyond Practice LLC.

By using the Platform, you consent to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Information Members Provide Directly

When you create an account, subscribe, use Platform features, or contact us, we collect information you provide, which may include:

Identity information (name, professional title, credentials such as PMHNP, MD, NP, LCSW, LMHC, or other clinical license types)

Contact information (email address, mailing address, phone number)

Professional information (NPI, state license numbers, education and training history, board certifications, specialty areas, practice setting)

Account credentials (username, password)

Payment information (billing address, payment method details, processed through our payment processor — full payment card numbers are not stored on our servers)

Tax information where required for payment processing

Communications you send to us (support requests, feedback, forum posts, comments)

Profile information you choose to share within the Member community

For users of the Credentialing Hub specifically, additional information may include credentialing-specific data such as malpractice insurance details, work history, references, hospital affiliations, sanctions and disciplinary history (where you provide it), and payer-specific application data.

2.2 Information About Patients (Limited and Transient)

Certain Platform features require Members to input patient information solely for the purpose of generating outputs (such as letters, assessments, treatment plans, chart note content, or reference materials). Patient information that may be processed transiently includes:

Names or initials

Contact information (email or phone number, when sending tokenized assessment links or similar)

Demographic information (age, sex, dates of birth where relevant to clinical content)

Diagnostic information

Medication lists

Clinical history and presentation details

Assessment responses

Important: The Platform is designed to minimize patient data persistence. Patient data submitted through Platform features is processed for the purpose of generating the requested output and is not retained for ongoing use beyond what is necessary to deliver that output. Patient data is not stored in databases that are accessible to other Members or to Think Beyond Practice for purposes other than service delivery, troubleshooting, security, or legal compliance.

As with any cloud-based system, patient data may transiently exist in application memory, processing queues, system logs, error reports, and encrypted backups during normal operation. We work to minimize such persistence and to delete patient data from operational systems in accordance with our data retention practices described in Section 6. Despite these practices, no system can guarantee instantaneous and complete data removal across all infrastructure layers.

To the extent the Platform processes Protected Health Information (PHI) on behalf of a Member who is a Covered Entity under HIPAA, this processing is governed by the Business Associate Agreement (BAA) executed between the Member and Think Beyond Practice LLC.

2.3 Information Collected Automatically

When you use the Platform, we automatically collect certain information, including:

Device information (device type, operating system, browser type and version)

Log information (IP address, access times, pages viewed, features used, referring URL)

Usage analytics (which Platform features you use, how often, performance metrics)

Cookies and similar tracking technologies (see Section 8)

We do not use this automatically collected information to identify individual patients of Members. Where this information is associated with a Member's account, it may be used to improve the Platform and inform feature development.

2.4 Information from Third Parties

We may receive information about you from third parties, including:

Payment processors (transaction confirmations and payment status)

Authentication providers (if you sign in via a third-party identity provider)

Public sources (publicly available professional licensure databases, NPI registries, where used to verify your professional credentials)

Marketing or referral partners (if you were referred to the Platform through a partner program)

3. How We Use Information

We use the information we collect to:

3.1 Provide and Operate the Platform

Authenticate your identity and maintain your account

Process subscription payments and manage billing

Deliver the features you request (assessments, letters, treatment plans, credentialing tools, forum access, etc.)

Generate AI Outputs as part of Platform features

Provide customer support and respond to your inquiries

3.2 Improve the Platform

Analyze usage patterns to identify popular features, bugs, and areas for improvement

Develop new features and tools

Train and improve AI features (using de-identified data, Member-submitted Feedback, and Member-contributed content as permitted under the Terms of Service)

Conduct internal research and analytics

3.3 Communicate With You

Send transactional emails (account confirmations, billing notices, security alerts, important Platform updates)

Send Platform announcements and educational content (you can opt out of non-essential communications)

Notify you of changes to the Platform, these policies, or our terms

3.4 Maintain Security and Compliance

Detect, prevent, and respond to fraud, unauthorized access, abuse, and security incidents

Comply with legal obligations, including HIPAA, tax laws, and regulatory requirements

Enforce our Terms of Service

Defend against legal claims

3.5 Specific to Patient Information

Patient information processed through the Platform is used solely to provide the specific feature the Member has requested (such as generating an assessment summary, drafting a letter, or producing a treatment plan). Patient information is not used for advertising, sold to third parties, used to train AI models, or retained beyond the period required to deliver the requested output to the Member.

4. AI Features and Patient Data

The Platform includes AI-assisted features. The following describes how patient data flows through AI features:

When patient data is processed through AI-assisted features, that data is sent to AI service providers selected and configured by Think Beyond Practice. We use AI service providers that have executed Business Associate Agreements with Think Beyond Practice for any feature processing PHI. Our Business Associate Agreements with AI providers contractually prohibit the use of Member-submitted patient data for AI model training, restrict retention to what is necessary to process the request, and prohibit use of the data for purposes other than service delivery to Think Beyond Practice.

AI Outputs are returned to the Member and are subject to the data retention practices described in Section 6.

Think Beyond Practice does not use Member-submitted patient data to train AI models. To the extent we develop or refine AI features, we may use de-identified or aggregated data, synthetic data, content explicitly contributed by Members under the user-generated content provisions of our Terms of Service, or other data sources that do not contain PHI. If our practices in this area change, we will update this Privacy Policy and notify Members in accordance with Section 13.

5. How We Share Information

We do not sell personal information. We share information only as described below.

5.1 Service Providers and Subprocessors

We share information with third-party service providers who help us operate the Platform, including:

Payment processors (for subscription billing)

Cloud infrastructure providers (for hosting and storage)

AI service providers (for AI-assisted Platform features)

Email and messaging providers (for transactional communications and assessment delivery)

Analytics providers (for understanding Platform usage)

Authentication providers (for account security)

Customer support tools (for responding to your inquiries)

We maintain Business Associate Agreements with all subprocessors that process PHI on our behalf. We perform reasonable diligence on subprocessors before engaging them and review their security and compliance posture periodically. The current list of subprocessors at https://thinkbeyondpractice.com/subprocessors will be updated when subprocessors are added or removed; we will provide reasonable notice of material changes. If you have questions about a specific subprocessor, contact privacy@thinkbeyondpractice.com.

5.2 Other Members (Forum and Community Features)

Information you choose to share in the Forum, comments, or other community features (such as your name, professional credentials, posts, and comments) is visible to other Members and, where applicable, to visitors of public forum content. Do not share information in community features that you do not want to be visible to others.

5.3 Legal and Safety

We may share information when we believe in good faith that disclosure is necessary to:

Comply with applicable law, legal process, or government requests (including subpoenas, court orders, or regulatory inquiries)

Enforce our Terms of Service

Detect, prevent, or address fraud, security, or technical issues

Protect the rights, property, or safety of Think Beyond Practice, our Members, or the public

Respond to a HIPAA-required disclosure (such as for HHS Office for Civil Rights inquiries)

5.4 Business Transfers

If Think Beyond Practice LLC is involved in a merger, acquisition, sale of assets, financing, or similar business transaction, information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

5.5 With Your Consent

We may share information for any other purpose with your explicit consent.

5.6 Email and Messaging

Some Platform features deliver outputs to Members via email or messaging channels (for example, assessment summaries sent to the Member's email address, or notification emails about Member account activity). To the extent that PHI is included in these communications, it flows through our email service provider under our Business Associate Agreement with that provider. Members are responsible for ensuring that the email address associated with their account is appropriate to receive Platform communications and that they apply appropriate security to their own email environment.

6. Data Retention

We retain different categories of information for different periods:

6.1 Member Account Information Retained for as long as your account is active. After account closure, we retain account information for a reasonable period to comply with tax, accounting, and legal obligations (typically up to seven years for financial records). Some information may be retained longer if required for legal hold, dispute resolution, or regulatory compliance.

6.2 Patient Information Patient data submitted through Platform features is deleted from operational systems following delivery of the requested output to the Member, in accordance with the Platform's data retention practices. The deletion process targets removal within the timeframes specified in Platform documentation, which may vary by feature. Some operational metadata that does not identify individual patients (such as timestamps of feature use, error rates, and aggregated usage statistics) may be retained for usage analytics, debugging, security monitoring, and Platform improvement. Patient data may persist transiently in encrypted backups during normal backup rotation as described in Section 6.5.

6.3 Forum Content Forum posts, comments, and contributed content remain on the Platform after your account closure unless you specifically request deletion. Anonymized or aggregated forum content may be retained for community continuity.

6.4 Communications With Us Support emails, feedback, and other communications are typically retained for two years after the conversation ends, unless retained longer for legal or operational reasons.

6.5 Backups Information in encrypted backups may persist for up to ninety (90) days after deletion from production systems before being permanently destroyed through our normal backup rotation.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect information from unauthorized access, use, alteration, and destruction, including:

Encryption of data in transit (TLS 1.2 or higher) and at rest (where applicable)

Access controls limiting employee and contractor access to information on a need-to-know basis

Authentication and authorization controls for Member accounts (including support for multi-factor authentication)

Audit logging of administrative access to systems containing sensitive information

Regular security reviews and vulnerability management

Incident response and breach notification procedures

Vendor security assessments for subprocessors

No security measures are perfect. While we work to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and notifying us promptly of any suspected compromise at privacy@thinkbeyondpractice.com.

8. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies to:

Authenticate logged-in Members and maintain session state

Remember Member preferences

Analyze Platform usage and performance

Deliver Platform functionality

Most browsers allow you to refuse or accept cookies. If you disable cookies, some Platform features may not function correctly. We do not use third-party advertising cookies on the Platform.

We honor "Do Not Track" signals where technically feasible, though there is no industry consensus on how DNT signals should be handled.

9. Your Privacy Rights

We extend the same privacy rights to all Members and users regardless of state of residence. These rights meet or exceed the standards set by the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and similar comprehensive state privacy laws.

9.1 Your Rights

You have the right to:

Know. Request information about the categories of personal information we collect, the sources of that information, the purposes for which we use it, and the categories of third parties with whom we share it.

Access. Request a copy of the specific personal information we hold about you.

Correct. Request correction of inaccurate personal information.

Delete. Request deletion of personal information we have collected from you, subject to certain exceptions described in Section 9.4.

Opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising, but if our practices change, you will have the right to opt out.

Limit use of sensitive information. Request that we limit the use of sensitive personal information to what is necessary to provide the requested services.

Non-discrimination. Exercise these rights without facing discrimination, including denial of services, different pricing, or reduced quality of service.

Authorized agent. Designate an authorized agent to make requests on your behalf, subject to verification.

Appeal. If we deny a request, you may appeal that decision by contacting privacy@thinkbeyondpractice.com with the word "Appeal" in the subject line.

9.2 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@thinkbeyondpractice.com with:

A clear description of the right you are exercising

Sufficient information to verify your identity

The email address associated with your Platform account, if applicable

You may also submit requests by mail to the address listed in Section 14.

9.3 Verification and Response Timeframes

We will acknowledge receipt of your request within ten (10) business days and respond substantively within forty-five (45) days. We may extend the response period by an additional forty-five (45) days where reasonably necessary, in which case we will notify you of the extension and the reason.

To protect your privacy, we will verify your identity before responding to requests for access, correction, or deletion. The verification process may require you to provide information that matches information we already have on file. For sensitive requests, we may require additional verification steps.

9.4 Limitations and Exceptions

We may decline to fulfill a request, or fulfill it only partially, where:

We cannot verify your identity to a reasonable degree of certainty

The request would conflict with federal or state law, including HIPAA, where Member-controlled patient information is involved

The information is necessary for us to comply with legal obligations, defend legal claims, or detect and prevent fraud or security incidents

The information must be retained for tax, accounting, or audit purposes

The information has been de-identified or aggregated and can no longer be associated with you

An exception under applicable privacy law applies

If we decline a request in whole or in part, we will explain the reason and describe any rights you have to appeal.

9.5 Patient Rights Under HIPAA

Patients of Platform users seeking to exercise rights under HIPAA (including access to records, amendment requests, accounting of disclosures, and restrictions) should direct those requests to their healthcare provider, not to Think Beyond Practice. As a Business Associate, we will support Members in responding to patient requests as required by the BAA.

9.6 Reporting Concerns

If you believe we have not handled your request appropriately, you may:

Appeal directly to us at privacy@thinkbeyondpractice.com

File a complaint with your state attorney general's office

File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights for HIPAA-related concerns at https://www.hhs.gov/hipaa/filing-a-complaint/

File a complaint with the California Privacy Protection Agency (cppa.ca.gov) if you are a California resident

10. Children's Privacy

The Platform is intended for use by licensed healthcare professionals. We do not knowingly collect information directly from children under thirteen. If you believe a child under thirteen has provided information to us directly, please contact privacy@thinkbeyondpractice.com so we can take appropriate action.

Members may, in the course of clinical care, process information about minor patients through Platform features. Such processing is governed by the Member's HIPAA obligations and the BAA, not by direct collection from minors.

11. International Users

The Platform is operated from and intended for use within the United States. If you access the Platform from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country.

We do not currently target or actively market the Platform to residents of the European Union, United Kingdom, or other jurisdictions with cross-border data transfer requirements. If you are located in one of these jurisdictions, please be aware that the Platform may not provide all rights afforded under your local law.

12. Third-Party Links and Services

The Platform may contain links to third-party websites or services that we do not control. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices or content of third-party services. Review the privacy policies of any third-party services you use.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last Updated" date at the top of this Privacy Policy

Post a prominent notice on the Platform

Send notice to the email address associated with your account, where the change materially affects your rights

Continued use of the Platform after the effective date of the updated Privacy Policy constitutes acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the Platform.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your information, contact us at:

Think Beyond Practice LLC 9631 N Nevada St, Suite 209 Spokane, WA 99218

Privacy and Security: privacy@thinkbeyondpractice.com General Support: support@thinkbeyondpractice.com Legal Notices: legal@thinkbeyondpractice.com

For HIPAA-related concerns where you believe your protected health information has been mishandled, contact privacy@thinkbeyondpractice.com. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at https://www.hhs.gov/hipaa/filing-a-complaint/.