Privacy Policy

Privacy Policy — Samadhi Healing Collective

Last updated: November 18, 2025

Samadhi Healing Collective (“Samadhi,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our websites, schedule care, use our telehealth services, complete intake forms, or otherwise interact with us online or offline (collectively, the “Services”).

Important HIPAA Note: Certain information we collect in connection with providing health care services may be Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). When we handle PHI, our uses and disclosures are governed by our HIPAA Notice of Privacy Practices (the “HIPAA Notice”), not this Privacy Policy. Where there is a conflict between this Policy and the HIPAA Notice with respect to PHI, the HIPAA Notice controls. A copy of our HIPAA Notice is available at: [link to your HIPAA Notice PDF or page].

1) Information We Collect

A. Information You Provide

  • Account & contact details: name, email, phone number, mailing address.
  • Patient intake & scheduling: date of birth, medical history, screening/intake responses, emergency contact, insurance information (if applicable).
  • Communications: messages you send to us (email, SMS, forms, chat), feedback, survey responses.
  • Payment details: payment method, billing address, limited payment card details processed via our payment processor [e.g., Stripe/Square/Authorize.Net] (we do not store full card numbers).
  • Telehealth: audio/video interactions, files you upload (e.g., photos, IDs), and data generated when you use our telehealth platform [e.g., Doxy.me/Zoom for Healthcare/Osmind/Klara].

B. Information Collected Automatically

  • Usage & device data: IP address, browser type, device identifiers, pages viewed, referring/exit pages, timestamps.
  • Cookies & similar technologies: We and our partners may use cookies, pixels, web beacons, and SDKs to enable site functionality, remember preferences, measure performance, and (if enabled) support limited marketing. See Section 8 (Cookies) for choices.

C. Information from Third Parties

  • Vendors & platforms: EHR/telehealth platforms, scheduling tools, payment processors, analytics providers, and communication tools may provide us with information about your interactions with them.
  • Referrals/coordination of care: With your consent or as permitted by law, we may receive records from referring or treating providers involved in your care. (How we share information for care coordination is described in Section 3.)

2) How We Use Information

We use information to:

  • Provide, secure, and improve the Services and our clinical operations.
  • Verify identity, schedule appointments, and deliver telehealth and in-clinic care.
  • Communicate with you (confirmations, updates, educational content, billing).
  • Process payments and prevent fraud or misuse.
  • Comply with legal, regulatory, and audit requirements.
  • De-identify and/or aggregate data for analytics and quality improvement.
  • With your consent, send marketing communications; you can opt out at any time.

PHI Use/Disclosure: Uses/disclosures of PHI are described in our HIPAA Notice and include treatment, payment, and health care operations.

3) How We Share Information

We may share information with:

  • Service providers / business associates: vendors that help us run our Services (hosting, EHR/telehealth, messaging, analytics, billing, e-signature, forms). Where required, we have Business Associate Agreements (BAAs) in place for PHI.
  • Other health care providers or pharmacies: for treatment, care coordination, or referrals (as allowed by HIPAA and applicable law).
  • Insurance/payors: for eligibility, prior authorization, claims, and payment processing (if applicable).
  • Legal & safety: to comply with law, court orders, or to protect rights, safety, and security (including responding to lawful requests from authorities).
  • Business transfers: as part of a merger, acquisition, financing, or asset sale, subject to confidentiality obligations.
  • With your direction or consent: for example, if you ask us to share records or communicate with a family member or other representative.

We do not sell your personal information, and we do not sell or share PHI for advertising purposes.

4) Special Protections & Sensitive Data

  • Psychotherapy notes: If our clinicians maintain psychotherapy notes, they are subject to special protections under HIPAA and are not used or disclosed without your written authorization except as permitted by law.
  • Substance use disorder records (42 C.F.R. Part 2): If we operate a federally assisted SUD program or otherwise maintain Part 2 records, those records are subject to additional confidentiality protections and disclosures require your written consent unless an exception applies.
  • Minors: We follow applicable state and federal laws regarding the privacy of minors’ health information and consent for treatment.

5) Your Choices & Rights

Depending on your location and the data in question, you may have the following rights:

  • HIPAA rights regarding PHI: access, amendments, accounting of disclosures, restrictions, confidential communications, and receiving a copy of our HIPAA Notice. See the HIPAA Notice for how to exercise these.
  • Email/SMS preferences: You can opt out of non-transactional emails and SMS by using the unsubscribe link or replying STOP to SMS. (Service/appointment messages may still be sent.)
  • Browser or device controls: Manage cookies and tracking at the browser/device level; see Section 8.
  • U.S. state privacy rights (e.g., CA/CO/CT/VA/UT): You may request access, correction, deletion, portability, or to limit certain uses or disclosures of personal information not governed by HIPAA. Submit requests using the contact details in Section 13. We will not discriminate against you for exercising your rights.
  • Global Privacy Control (GPC) / Do Not Track: Where applicable law recognizes a browser or device opt-out preference signal such as GPC as a valid request to opt out (for example, under the California, Colorado, and Connecticut privacy laws), we honor that signal. Do Not Track (DNT) signals are not legally required to be honored and are not treated as opt-out requests under this Policy.

6) Data Retention

We retain information for as long as needed to provide Services, for legitimate business purposes, and to comply with legal/recordkeeping requirements (including medical record retention rules under state law). When no longer needed, we will de-identify or securely delete information consistent with our retention schedules and applicable law.

7) Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption of data in transit, access controls, staff training, and security due diligence on vendors. No method of electronic transmission or storage is completely secure, so we cannot guarantee absolute security. If we learn of a security incident affecting your information, including a breach of unsecured PHI, we will notify you (and, where applicable, regulators) as required by law, including the HIPAA Breach Notification Rule and state breach notification laws.

8) Cookies, Analytics, and Online Tracking

We may use:

  • Strictly necessary cookies for core site functions (cannot be disabled).
  • Functional & performance cookies to remember preferences and analyze site usage (e.g., [Google Analytics 4] with IP-masking features).
  • Limited marketing/retargeting (if enabled): only for non-PHI website behavior; we do not use PHI for advertising.

Your choices:
You can set your browser to refuse or delete cookies. Some features may not function without cookies. For Google Analytics, you can use Google’s opt-out add-on. If we operate a cookie banner/manager, you can update your preferences there at any time.

9) Telehealth & Communications

  • Telehealth platforms: We deliver remote care through [Platform Name] using secure, HIPAA-appropriate configurations where applicable. Please use a private space and a secure internet connection.
  • Email & SMS: Standard email and SMS are not end-to-end encrypted and may be viewed by third parties in transit or by anyone with access to your device or account. We limit sensitive details in unencrypted channels and may route PHI through our EHR or secure messaging portal instead. By providing your phone number or email address, you consent to receive communications related to your care and our operations. Message and data rates may apply.

10) Third-Party Links and Tools

Our site may link to third-party websites or embed third-party tools. We are not responsible for the privacy practices of those parties. Review their policies before providing information.

11) Children’s Privacy

Our website is not directed to children under 13. We do not knowingly collect personal information online from children under 13 without verifiable parental consent. If you believe a child has provided personal information to us, contact us and we will delete it as required by law.

12) International Visitors (GDPR/UK GDPR)

Our Services are intended for users in the United States. If you access them from the EEA or UK, we process your personal data as a controller on the following legal bases: our legitimate interests, performance of a contract with you, compliance with legal obligations, or your consent where required. You may have the rights to access, correct, or delete your data, to restrict or object to its processing, and to data portability. You may also lodge a complaint with your local supervisory authority.

13) How to Contact Us & Exercise Rights

Samadhi Healing Collective
Address: 1275 Delaware Avenue, Suite B100, Buffalo, NY 14209
Email: seaghan.samadhi@proton.me
Phone: (716) 427-3194
HIPAA Privacy Officer: [Name / Title / Contact]

For rights requests (state privacy or GDPR) or HIPAA requests (regarding PHI), please specify the type of request and the information at issue so we can route it appropriately.

14) Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date indicates the latest revision. Material changes will be posted on this page and, where required, we will provide additional notice.

15) State-Specific Disclosures (California & Others)

If you are a California resident (and to the extent information is not PHI under HIPAA):

  • Categories collected: Identifiers (e.g., name, email, IP), commercial information (payments), internet activity (usage data), geolocation (coarse), inferences (to improve Services), and professional or employment information if you provide it (e.g., in forms).
  • Sources: You, your devices, service providers, and integrated platforms.
  • Purposes: As described in Sections 2–3.
  • Sharing/Selling: We do not sell personal information. We do not share personal information for cross-context behavioral advertising involving PHI. If we use analytics or limited advertising cookies, you can opt out through our cookie banner or a “Do Not Sell or Share My Personal Information” preference center, where one is available on our site.
  • Sensitive personal information: We use sensitive information only for permitted purposes (e.g., providing services, security, short-term transient use) and do not use it to infer characteristics.
  • Your rights: Access, deletion, correction, portability, opt-out of sharing (if applicable), and limit use of sensitive information. Submit requests via the contact details above. If you use an authorized agent, we may require proof of authorization and identity.

Other state residents (CO, CT, VA, UT, etc.) may have similar rights; contact us to exercise them.

16) Accessibility

We are committed to making our privacy disclosures accessible to everyone. If you need this Policy in an alternative format, please contact seaghan.samadhi@proton.me or call (716) 427-3194.