Privacy Policy

Last updated: March 29, 2024

Kipu Health LLC and its group companies and affiliates (each a “Kipu Group Entity” and collectively “Kipu”, “we”, “our”, “us”) respect your right to privacy. This Privacy Notice applies to Kipu Health LLC; Kipu Systems LLC; and Avea Practice Solutions, LLC d/b/a Avea Solutions, and explains who we are, how we collect, share and use personal information about you, and how you can exercise your privacy rights. This Privacy Notice applies to personal information that we process about:

• visitors to our websites at https://www.kipuhealth.com and https://www.aveasolutions.com/ (“Websites”) which are directed to our business contacts;
• our suppliers, vendors and business advisors;
• our existing, prospective and past customers;
• visitors to our offices; and
• authors of publicly available research material.

If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Notice.

Kipu offers electronic health record (EHR) and related technologies as part of a portfolio of SaaS solutions. Kipu has been delivering services since 2003 and our customers include substance abuse and mental health treatment providers. We are headquartered in the United States.

For more information about Kipu, please see the About Us section of our Website.

Note that in general, we will use the personal information we collect from you only for the purposes described in this Privacy Notice or for purposes that we explain to you at the time we collect your personal information. However, we may also use your personal information for other purposes that are not incompatible with the purposes we have disclosed to you if and where this is permitted by applicable data protection laws.

During the course of our relationship with you, we may collect other information than that detailed in this Privacy Notice. If we ask you to provide information voluntarily, then the personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information. If we obtain the information from other sources, then we will only do so where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.

If you are a visitor to our Websites, we may collect certain information automatically from your device. In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws. Specifically, the information we collect automatically may include information like your IP (Internet Protocol) address, associated device type, unique device identification numbers, browser-type, operating system, broad geographic location (e.g., country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Website, including the pages accessed and links clicked, when those pages were accessed, and how long they were viewed.

Collecting this information enables us to better understand the visitors who come to our Websites, where they come from, and what content on our Websites is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our Websites to our visitors.
Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading Cookies and similar tracking technology.

If you are a prospective customer (who may also use our Websites), the personal information that we may collect about you falls broadly into the following categories:

Information that you provide voluntarily. Certain parts of our Websites may ask you to provide personal information voluntarily: for example, to submit an inquiry about our products and services, or to request a quote; to subscribe to marketing communications from us and/or to submit inquiries to us. We will use this information to communicate with your organization about our Websites, products and services, to send you offers, for our other legitimate interests or those of a third party, or to comply with a legal obligation to which we are subject, for example to investigate and help prevent unlawful or potentially unlawful activity. We may also gather information from our prospective clients through offline communications, such as in-person meetings and phone calls, or corporate/industry events.

Calls with Kipu’s sales, client service and other Kipu departments may be recorded to gather information to improve our customer service. However, if you would prefer that your call was not recorded, you can opt out by stating this, or by hanging up.

In general, the personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point that we ask you to provide your personal information; however, it may include: your full name, company, work email address, work phone number, country; and in relation to your employer your industry, revenue, number of employees and purchasing timeframe.

Information that we collect automatically. If you use our Websites to inquire about our products and services, or otherwise interact with us via a digital device, we may collect that information described more clearly in the “Website Visitors” section, above. We use this information to help us analyze how you use our Website and services and to better match your experience with our Websites and services to your organization’s interests.

In addition, we may also collect information about your viewing of our emails (for example, information about whether or not you have opened the email), so we can understand the success of our email campaigns and improve our marketing.

Information that we obtain from third party sources. From time to time, we may receive personal information about you from third party sources (including third party websites, data brokers or credit reference agencies), but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.

The types of information we collect from third parties include biographical information about you and your job role or marketing information; and we use the information we receive from these third parties to help us market our products and services to you, or otherwise develop and improve our products and services.

If your organization is a current client (who may also use our Websites), we may already have collected information about you when your organization was a prospective client and we will continue to use this information in accordance with our data retention policies.

In addition, where your organization is a current client, the further types of personal information that we may collect about you falls broadly into the following categories:

Once your organization has entered into an agreement with Kipu, we will collect and maintain information about that agreement, including your organization’s payment information and information about its transactions. We also collect information to enable us to manage and deliver our services, support, and training. For example:

• We will collect your username and password for your organization’s account when you register to use our services (including via our online portal);
• We may also collect additional personal information relating to you or your organization, including your name, address, email address, telephone number and/or payment details during the registration/payment process;
• We will collect information relating to your (and your organization’s) use of our services, including IP addresses, phone numbers, email addresses, service set-up information, service configurations and settings, recorded calls, messages, and meetings, voicemails, incoming and outgoing faxes, user-saved or stored content shared among users, email and text communications, Call Records Data, and contact center client information you provide to us;
• Other information you choose to provide to us. For example, the purpose of your visit if you visit one of our site locations or any feedback you provide to us in relation to your use of our Websites or services.
• If you register as a partner, we may also collect personal data relating to you in the context of our partner program including your name, address, email address, and telephone number.

We will use this information to process your organization’s payments and to provide your organization with the information, products, or services that it has requested from us (including controlling access to those services, for example enabling your organization to join meetings or to log into our portal); to respond to your inquiries and requests; to enable your organization to register on our Websites; to administer records about your organization’s account; quality control of and to improve our Websites and services; to provide you and your organization with marketing and other communications about our products and services (where permitted by law); and for the purpose of general business or contract relationship management within Kipu, including auditing the use of our services and establishing, exercising or defending any legal claims against us.

We may also use your personal information for our other legitimate business interests, including providing training and support; to manage any queries, complaints or claims relating to the services that Kipu provides to your organization; for entertainment purposes (e.g. to invite you to events) and to facilitate ongoing relationships; and for investigating and helping to prevent unlawful or potentially unlawful activity that threatens either Kipu, any company affiliated with Kipu, or any of our respective customers.

Calls with Kipu’s sales, customer service and other Kipu departments may be recorded to gather information to improve our customer service. However, we will let you know if your call is being recorded before we do so if you would prefer that your call was not recorded, you can opt out by stating this, or by hanging up.

We may use your personal information in combination with information we receive about other individuals for the purposes set out in this Privacy Notice.

If you are an employee of a supplier or partner, we may process the following personal information about you.

• Identification data – such as your name, date of birth.
• Contact details – such as business address, telephone/business email address;
• Professional details – such as job title/position, affiliated organization, office location;
• Financial characteristics – such as your or your organization’s account number and bank details.
• National identifiers – such as tax ID number (EIN) of your organization.
• Information relating to your transactional history with us.
• Other information you choose to provide to us, for example the purpose of your visit if you visit one of our site locations.

We may collect and use personal information about you for the following purposes:

• For the purpose of general business relationship management within Kipu;
• To manage our daily business activities, such as executing payments and obtaining the goods, advice or services that we have purchased from your organization;
• For entertainment purposes (e.g. to invite you to events) and to facilitate ongoing relationships with your organization;
• To manage any queries, complaints or claims relating to the services your organization provides to Kipu;
• For product development purposes, to allow us to improve our products and services or develop new products and services;
• Where necessary to comply with laws and regulations, under judicial authorization, or to exercise or defend the legal rights of Kipu;
• To help us conduct our business more effectively and efficiently or check and improve the quality of our products and/or services;
• To carry out research and development with various Kipu Health Group entities;
• To investigate violations of law or breaches of other Kipu policies.
• We may also collect personal information from you when you use our Websites. For further information about how we use personal information that we collect when you visit our Websites, please click on following link to see the Website Visitors.

When you visit one of our offices, you will be asked to provide your name and company to us. We collect this information for our legitimate business interests, including administrative, notification and housekeeping purposes.

Kipu carries out research for our legitimate business interests, more specifically to improve our business and technology. In order to do this, we sometimes use publicly available research material. If you are the author of this material, then we will collect and process information about you related to your research material such as your name, title, organization, and relevant qualifications.

We may disclose your personal information to the following categories of recipients:

• To our group companies, third party services providers and partners who provide data processing services to us, for example (i) to support the delivery of, provide functionality on, or help to enhance the security of our Websites or services, (ii) for quality control and assurance, or (iii) improving our services and developing new services. We may also share personal information with such third parties where we consider that such disclosure is necessary to protect the safety or legitimate business interests of those third parties, including to investigate suspected fraud or to trace debtors.
• To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
• To an actual or potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice;
• To any other person with your consent to the disclosure.

This section applies to European Economic Area visitors only. If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will normally collect personal information from you only (i) where the processing is in our legitimate interests and not overridden by your rights, (ii) where the processing is a contractual necessity, or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.

If we ask you to provide personal information to comply with a legal requirement or to enter into a contact with your organization, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate our Websites or services and to communicate with you as necessary to provide our services to your organization; as well as for our legitimate commercial interests, for instance, when responding to your queries, improving our Website or services, undertaking marketing, or for the purposes of detecting or preventing illegal activities. We may have other legitimate interests and, if appropriate, we will make clear to you at the relevant time what those legitimate interests are.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided below in the Sales & Support section of the website.

We use cookies and similar tracking technology (collectively, “Cookies”) to collect and use personal information about you. For further information about the types of Cookies we use, why, and how you can control Cookies, please see our Cookie Notice.

We use appropriate technical and organizational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. Specific measures we use include SSL encryption technology for protection of sensitive information such as payments when in transit. We have industry-standard administrative, technical and physical safeguards in place to protect the confidentiality, integrity and availability of your personal information.

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Specifically, our Website servers are located in various locations within the United States, and our group companies and third party service providers and partners operate around the world. This means that when we collect your personal information, we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice.

Kipu also requires such third parties to protect personal information they process from the European Economic Area (“EEA”) in accordance with European Union data protection law. Further details can be provided upon request.

Kipu publicly commits to comply with the EU-U.S. Data Privacy Framework (“DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (collectively “Data Privacy Framework”) through self-certification. The certification can be found here. In the event of any conflict between the terms in this Privacy Notice and the Principles in the Data Privacy Framework, the Data Privacy Framework Principles shall govern.

Kipu’s Data Processing Roles, the Types of Personal Data Kipu Receives and the Purposes for which it Processes Personal Data from the EEA:

Kipu has two separate roles when processing personal data transferred from the EEA:

First, as a “data controller” Kipu determines the purposes for which and the manner in which it collects, stores and processes the relevant personal data.

Kipu, as a data controller, collects and processes personal data relating to its clients, vendors, partners and associates. Personal data collected from clients, vendors and partners and processed by Kipu is limited to what is necessary in the business relationship, e.g. name, contact details, payment records, contracts and business correspondence.

In addition, Kipu’s goal is to provide its global clients, partners and associates with a personalized Internet experience and an Internet-based online information and communication service that delivers the information, resources and services that are most relevant and helpful to its users. In order to achieve these goals, Kipu collects and processes personal data from users during visits to its Web sites and, in particular, during a user’s visits to kipuhealth.com. As a consequence, Kipu may process personal data from clients, partners and associates also within the EEA while providing website services such as an Internet based communication platform for professionals to connect to each other. Kipu’s collection and use of personal data varies based on the website services requested by the users and the users’ choice of privacy options within the relevant website services. For EEA users of Kipu’s website, the principles are set out in this Privacy Notice.

Second, as a “data processor” Kipu processes personal data for its clients who are data controllers. In this capacity, Kipu does not own or determine the purposes for which it processes the personal data. Kipu’s clients, as data controllers, collect the data and determine the purpose for which it is processed. Kipu receives and processes personal data for and at the instruction of its client, and in such circumstances Kipu has no direct relationship with the individuals to whom such personal data relates. As a data processor acting on behalf of a Kipu client who is the data controller, Kipu is required to perform its services in accordance with the Data Privacy Framework Principles and its contract with the client together with any data privacy protections incorporated therein. Kipu, however, is otherwise dependent upon its client, the data controller, to comply with applicable EEA data protection laws at the time that the personal data is originally collected or received by the client.

As a manufacturer of clinical and management information systems, Kipu assists its clients worldwide in the implementation and support of Kipu solutions in their healthcare institution(s). Since Kipu provides implementation and support for different healthcare institutions, Kipu may receive, hold, and process personal data from clients within the EEA, including client employee name, work role, email, telephone number, work address, etc. and any patient data provided by clients for the purpose of troubleshooting specific computer system hardware and software problems and issues in accordance with business and/or service agreements. Kipu also provides managed services such as remote hosting, remote system monitoring, disaster recovery, data warehousing and application management services, in which it may act as the custodian of patient health information for certain clients. With these offerings, Kipu not only has access to provider-based personal health information, but also performs many of a provider’s custodial duties as well.

This Privacy Notice is to be read subject to this distinction.

If you are a Covered Individual covered by the Data Privacy Framework and this Privacy Notice and believe that Kipu maintains your Personal Data in one of the services within the scope of our Privacy Shield certification, you may submit any privacy or data use concerns concerning such data by email to legal@kipuhealth.com or by mail to:

Kipu Health LLC
255 Alhambra Circle, Suite 900
Coral Gables, FL 33134, USA
Attention: Privacy Officer

Kipu will respond within 45 days of receiving the communication. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, Kipu has further committed to refer unresolved privacy complaints under the Data Privacy Framework Principles to JAMS, at no cost to the individual. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Kipu, please visit the JAMS web site at www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint.

If neither Kipu nor our U.S.-based third party dispute resolution provider resolves your complaint, you may have the possibility to engage in binding arbitration as provided under the Data Privacy Framework Program (See Privacy Framework website).

Kipu may disclose Personal Data to its affiliates, as well as to a limited number of third-party business partners, service providers, vendors, suppliers and other contractors (collectively, “Service Providers”) for the purpose of assisting us in providing, managing, deploying, enhancing, or improving our services. Kipu maintains contracts with these Kipu affiliates and Service Providers restricting their access, use and disclosure of Personal Data in compliance with our Data Privacy Framework obligations, and Kipu may be liable if such parties fail to meet those obligations and we are responsible for the event giving rise to the damage. We also may share or disclose Personal Data to the extent that the customer or other data controller has obtained the relevant Covered Individual’s consent.

Covered Individuals have rights to access their stored Personal Data and to limit its use and disclosure. With our Data Privacy Framework certification, Kipu has committed to respect those rights. Because Kipu personnel have limited ability to access data that our customers or other data controllers transmit, receive, or store through our services, if you are a Covered Individual covered by the Data Privacy Framework and this Privacy Notice, and you wish to request access to or to limit use or disclosure of your Personal Data, please provide the name of the Kipu client or other data controller who transmitted, received, or stored your Personal Data through our services. We will refer your request to that client or other data controller and will support that business as needed in responding to your request.

Kipu’s commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission or the applicable United States authorized statutory body.

Kipu may be required to disclose Personal Data in response to lawful requests by public authorities, or administrative or judicial process, including to meet national security or law enforcement requirements.

Children are not eligible to use Kipu’s website and services, and we ask that minors (under age eighteen) not submit personal information to us. If we become aware that we have inadvertently received personal information from an individual under the age of eighteen, we will delete this information from our records.

If you provide us with information about another person, you confirm that you have obtained their consent to the processing of their personal data by us (or are otherwise legally entitled to provide us with that information) and that you have informed them of our identity, the purposes for which their personal data will be processed and their rights (as set out in this Privacy Notice), as well as where they can obtain a copy of this Privacy Notice.

We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

If you are a resident of the EEA, you have the following data protection rights:

• If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided below. You may also be able to access and update certain information via your online account.
• In addition, if you are a resident of the EEA, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided below.
• You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided below.
• Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
• You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries (including the US and Canada) are available here.)

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

As noted above, this Privacy Notice applies to personal information that we process about visitors to our Websites, which are directed to our business contacts; our suppliers, vendors and business advisors; our existing, prospective and past customers; visitors to our offices; and authors of publicly available research material.

This section contains disclosures required by the California Consumer Privacy Act (“CCPA”) and applies only to “personal information” that is subject to the CCPA. For opt-out information, please visit our page located at https://kipuhealth.com/do-not-sell-or-share-my-personal-information/. Consumers with disabilities may access this notice through the use of standard screen readers or by emailing legal@kipuhealth.com to obtain a copy in an alternative format.

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.

You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

If you have any questions or concerns about our use of your personal information, please contact our data protection officer using the following details:

legal@kipuhealth.com
Kipu Health LLC
255 Alhambra Circle, Suite 900
Coral Gables, FL 33134
United States

In the EU:

Kipu has appointed DPR Group as its Data Protection Representative for the purposes of GDPR.

Kipu, which processes the personal data of individuals in the European Union in either the role of “data controller” or “data processor,” has appointed DataRep as its Data Protection Representative for the purposes of GDPR.

If Kipu has processed or is processing your personal data, you may be entitled to exercise your rights under GDPR in respect of that personal data. For more details on the rights you have in respect of your personal data, please refer to the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en) or the national Data Protection Authority in your country.

Kipu takes its clients’ (and the customers of their clients) data protection seriously, and has appointed DataRep as their Data Protection Representative in the European Union so that you can contact them directly in your home country. DataRep has locations in each of the 27 EU countries and the UK, so that Kipu’s customers can always raise the questions they want with them.

If you want to raise a question to Kipu or otherwise exercise your rights in respect of your personal data, you may do so by:

• sending an email to DataRep at datarequest@datarep.com quoting <Kipu Health LLC> in the subject line,
• contacting us on our online webform at www.datarep.com/data-request, or
• mailing your inquiry to Data Rep at the most convenient of the addresses here.

PLEASE NOTE: when mailing inquiries. it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘Kipu,’ or your inquiry may not reach us. Please refer clearly to Kipu Health LLC in your correspondence. On receiving your correspondence, Kipu is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.