Privacy Notice

1. Introduction

This Privacy Notice (“Notice”) describes how the Rethink Behavioral Health division of Rethink Autism, Inc. (“Rethink”, “Rethink BH”, “we”, “us”, “our”) collects, uses, discloses, secures, and eventually disposes of (collectively “processes”) your personal information. Personal information is any information that does, or could, identify you.

This Notice applies to personal information collected on our website (rethinkbehavioralhealth.com), mobile app (Rethink BH), and in the course of other interactions with you or your behavioral health practice (collectively the “services”). Our website has public and subscription-only sections. Our mobile app is part of our subscription-only services.

Our services may contain links to external websites. This Notice does not cover those sites.

In this Notice, “you” refers to anyone about whom we process personal information. You will usually be a behavioral health practitioner or other employee or contractor of a behavioral health practice; a parent or other caregiver of a child receiving treatment; or a visitor to our public website. For parents and legal guardians, “your personal information” includes your child’s personal information.

Rethink BH provides online tools, content, and related services to behavioral health practices. For personal information that is processed in our subscription-only services, these practices are the “controllers” of your information and Rethink is a “processor” (also called a “service provider”). As a processor, we handle your information only on the controller’s behalf and according to its instructions. In this situation, this Notice describes how we process your information on behalf of the controller. Further, this Notice does not cover the practice’s processing of your information outside our services.

This Notice will identify those situations where Rethink is the controller of your information. This applies, for example, to information collected on the public sections of our website.

Rethink BH is part of the Rethink group of businesses. This Privacy Notice applies only to Rethink BH.

2. Changes to this Notice

We will update this Notice from time to time and will communicate material changes to you through an appropriate channel (for example, via a notice in our services). The Notice was last updated on August 1st, 2020.

3. Personal information we collect

3.1 Categories collected

We collect the following categories of personal information:

  • Identifiers such as your name, e-mail address, username, and IP address.
  • Additional personal information defined by certain applicable US state laws: address, telephone number, payment card number, health insurance information.
  • Protected classification characteristics and EU “special categories of personal data”, such as gender and health information.
  • Commercial information, such as your purchases from us.
  • Internet activity/usage on our websites and applications.
  • Employment-related information, such as your job role at a behavioral health practice.
  • Geolocation data: physical location of parties at clinician appointment service sign-off.

3.2 Categories of sources

We collect the categories of personal information listed above from the following categories of sources:

  • Directly from you, for example when you complete a form on our website.
  • From other users of our subscription-only services, for example when your behavioral health practice enters information about you as an employee or patient.
  • From observing your activity on our services, for example via cookies and other standard online technologies.

3.3 Items of personal information collected

When we collect personal information directly from you, you will know the details of that information. It may include:

  • Name, contact information, company, and job title.
  • Payment card information.
  • Any details about yourself that you reveal as you use free-form features of the subscription-only services, for example you might mention your favorite activity with your child in treatment session notes that are shared in the services.
  • Information from training you take in the subscription-only services, for example your test score in an autism or Registered Behavior Technician (RBT) course.
  • Your schedule and appointments as they relate to your behavioral health practice.

Our subscription-only services facilitate the utilization of personal information for the purpose of assisting behavioral health practices (Rethink’s customers) to provide behavioral health solutions. When we collect personal information about you or your child from other users of the subscription-only services, we do so solely for this purpose. The data collected in our subscription-only services reflects the range of personal information typically collected by a behavioral health practice. Which users of our services can access the information of which other users is determined and configured by your practice. The personal information collected in this way may include:

Information provided by your practice about your child patient:

  • Name, address, date of birth, gender, unique client identifier.
  • Diagnoses, for example autistic or anxiety disorder.
  • Assessments, for example of skills and preferences.
  • Behaviors and associated learning strategies, targets, programs, and progress.
  • Any information contained in free-form documents or fields, for example clinician notes from a treatment session. Many free-form document types, including photographs and videos, may be uploaded by your practice to a child’s “File Cabinet”.

Information provided by your practice about you as a parent or caregiver:

  • Login credentials.
  • Contact information and relationship to child.
  • Health insurance information, including claims and payments.
  • Your geolocation when you sign off for services received from a clinician.
  • Your schedule and appointments as they relate to your behavioral health practice.
  • Any incidental information about you contained in free-form documents relating to your child or charge.

Information provided by your practice about you as its employee:

  • Login credentials, e-mail address.
  • Name, address, phone numbers.
  • Title, supervisor, work location, US National Provider Identifier, practitioner credentials.
  • Tasks assigned to you by your behavioral health practice and your billable hours.
  • Your schedule and appointments as they relate to your behavioral health practice.
  • Your geolocation at sign-off for services you provide.
  • Any incidental information about you contained in free-form documents.

We collect personal information from observing your activity on our services through the use of cookies and other standard online technologies in our public and subscription-only services. Cookies allow us to recognize your device. We use them to collect information about your device and how you use our services, for example which pages you visit and how long you stay on them. Cookies also facilitate, for example, logging into and navigating our services.

4. How we use your personal information

This section describes how Rethink BH uses your personal information. Remember that your behavioral health practice is the “controller” of the personal information processed in our subscription-only services. This Privacy Notice does not cover how the practice uses your information, which will be determined by its own legal obligations and policies.

Rethink BH will never sell your personal information.

When we receive your personal information as a data processor, we use it solely on the data controller’s behalf and according to its instructions. When your behavioral health practice is a Covered Entity under the US Health Insurance Portability and Accountability Act (HIPAA), our relationship with it is that of Business Associate.

Rethink BH may use your personal information for the following purposes:

  • As a data processor, to provide our subscription-only services, for example to manage log-ins and maintain the security and confidentiality of data contained in the services; to communicate essential service information to you; to provide customer support; and to monitor compliance with our Terms of Use.
  • As a data controller of personal information collected outside our subscription-only services:

    • Where permitted by applicable law, we may send you marketing messages for Rethink products that we think may interest you (see Section 9 for information about opting out of such messages).
    • To respond to your requests or questions, including through website forms and chat features.
    • To help us improve our services and user experience, for example by identifying which parts of our services you find useful or difficult to use. For this purpose, we use anonymized and aggregated information that does not identify you and from which you cannot reasonably be re-identified.

EU General Data Protection Regulation (GDPR) lawfulness of processing

When we process your personal information as a controller, the GDPR requires that we provide individuals in the European Union and European Economic Area with our legal bases for doing so. Our legal basis depends on the purpose of processing:

Purpose of processing | Legal basis
Market our services to you | GDPR Article 6,1(a) – your consent.
To respond to your requests or questions (on our public services) | GDPR Article 6,1(b) – in order to take steps at your request prior to entering into a contract.

5. Disclosure of your personal information

Who we disclose your personal information to depends on the specific items of information and the purposes we use them for. Your personal information may be disclosed to the following categories of recipients:

  • Other users of the subscription-only services: As described above, our subscription services facilitate the utilization of personal information for the purpose of assisting behavioral health practices to provide behavioral health solutions. As such, your information is disclosed to other authorized users of the service. Which users can access the personal information of which other users is determined and configured by behavioral health practice administrators.
  • Employees and contractors of Rethink: These personnel have roles that require access to your information (a “need to know”). They are bound by employment terms that cover their obligation to keep personal information confidential and secure and have been trained in US law governing confidentiality of personal health information.
  • Service providers (“processors”): We use service providers to perform certain tasks for us, for example hosting our services on a Cloud computing platform or operating our online user support chat feature. Service providers process your data on our behalf and according to our instructions. They are contractually bound to protect your data and are prohibited from using it for their own purposes.
  • Other third parties: We may disclose de-identified information to third parties, for example business partners or research organizations. “De-identified” information is information that has been stripped of attributes that tie it to a particular individual and that cannot reasonably be reconnected to that individual.

We have in the preceding 12 months disclosed the following categories of personal information to service providers:

  • Identifiers such as your name, email address, username, and IP address.
  • Additional personal information defined by certain applicable US state laws: address, telephone number, payment card number, health insurance information.
  • Internet activity/usage on our websites and applications.
  • Protected classification characteristics and EU “special categories of personal data”, such as gender and health information.

We will also disclose your personal information in the following exceptional circumstances:

  • Corporate event: Your data may be transferred to third parties as a result of a merger, acquisition, or similar corporate event involving Rethink.
  • Legal necessity: We will disclose your information to government agencies, law enforcement, courts, and other authorities and parties if required to by applicable law.
  • Individual’s vital interests: If we reasonably believe based on information posted on or provided in relation to our services that the safety or vital interests of an individual are at risk, we will disclose personal information to relevant parties as necessary to assist the individual.
  • Protection of Rethink’s interests: Where permitted by applicable law, we may disclose personal information to our professional advisors and other qualified parties when we reasonably believe it to be necessary to protect our essential business interests.

6. Information security

We employ technical, physical, and administrative security measures appropriate to the categories of personal information processed in our services. These measures include, for example: encryption at rest and in transit, role-based access, firewalls, and anti-virus software. For more details of our practices, please consult our Information Security Standards statement.

We protect information about patients’ diagnoses, treatments, and outcomes with particular care. Rethink is HITRUST CSF certified. HITRUST CSF is a security and privacy framework that covers, among others, HIPAA and National Institute of Standards and Technology (NIST) standards.

No matter how carefully we safeguard your information, it is unfortunately not possible to guarantee that it will never be accidentally or illegally breached.

7. Data retention

When we receive your personal information as a processor, we will retain it for the duration of the processing contract and then, according to the controller’s instructions, return it to them, delete it, or transfer it to another service provider.

When we collect your personal information as the data controller, we will retain it as long as necessary to fulfil the purposes for which it was collected, and to satisfy legal, accounting, and reporting obligations, or to resolve disputes or enforce our Terms of Use.

Section 9 of this Notice below describes your right to request deletion of your data outside of our normal data retention schedule.

8. International transfer

Rethink is based in the United States. Your personal information is stored on our systems in the US and is not transferred onward to other jurisdictions.

If you live in the European Union or European Economic Area, note that the European Commission has not issued an unlimited adequacy decision for the US. Privacy safeguards for EU/EEA-US data transfers are the responsibility of the data controller. Rethink BH collaborates with our EU/EEA customers to put in place GDPR-recognized safeguards for international transfer.

9. Your rights

US and international laws give you various rights over your personal information and that of your child. These may include the right to:

  • Access personal information held about you
  • Correct inaccurate or out-of-date personal information
  • Request deletion of your personal information
  • Restrict processing of your personal information
  • Data portability: Receive your personal information in a readily useable format

In most cases relating to our subscription-only services, you should contact your behavioral health practice (the controller) with any request to exercise privacy rights. This would include, for example, requesting access to your child’s information that the practice processes in our services. If necessary, however, please contact Rethink BH using the contact information in Section 10 of this Notice. We will endeavor to facilitate your request.

Rights requests concerning personal information that we collect as a data controller (for example, on our public website or in our marketing communications) should be addressed to Rethink BH using the contact information in Section 10 below.

If you believe that we have infringed your privacy rights, please contact us so that we can try to resolve the issue. However, if you are an EU/EEA resident, you have the right to lodge a complaint with your local supervisory authority.

9.1 Marketing

You can opt out of our marketing communications at any time using, for example, the “unsubscribe” in an e-mail message or similar functionality in other communication formats.

When required by local law, we will obtain your prior consent for marketing communications. You may withdraw that consent at any time using the “unsubscribe” or similar functionality in a marketing message. Alternatively, please contact us using the contact information in Section 10 below.

Please note that, if you are a user of our subscription-only services, you may continue to receive service communications even after you have opted out of marketing communications. “Service” communications contain important information about the service for which you are a current user.

10. Contact us

Data Protection Officer: privacy@rethinkfirst.com or +1 646 257 2919 ext. 800

Rethink Behavioral Health
49 West 27th Street, 8th Floor
New York, NY 10001
USA

EU Representative:

MyEDPO Ltd,
Unit 3d North Point House,
North Point Business Park,
New Mallow Road,
Cork, Ireland
info@myedpo.com or +44 203 870 3376.