Kin Therapy Inc. Privacy Policy
Effective Date: May 2, 2025
Last updated: May 2, 2025
1. Who We Are
Kin Therapy Inc. (“Kin,” “we,” “us,” or “our”) provides a virtual Intensive Outpatient Program (“IOP”) and related digital products that help teens and young adults manage moderate-to-severe mental-health conditions, together with companion apps for parents, clinicians, and care teams. We are headquartered in the United States and operate as a Managed-Service Organization (MSO) above licensed Professional Corporations that deliver clinical care.
2. Scope of This Policy
This Privacy Policy explains how we collect, use, disclose, and safeguard information when you:
- visit kintherapy.com or any sub-domain;
- use the Kin mobile or web applications;
- engage with our services as a patient, parent/guardian, clinician, or website visitor; or
- communicate with us via email, phone, text, or social media.
Protected Health Information (“PHI”). When Kin acts as a Business Associate to a licensed clinical provider under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), we handle PHI pursuant to our Business Associate Agreement (“BAA”). In a conflict between this Policy and a BAA, the BAA controls for PHI.
3. Information We Collect
Category | Examples | How We Collect |
---|---|---|
Account data | Name, email address, phone number, date of birth, gender, parent/guardian details | You provide directly when creating an account or scheduling care |
Clinical & wellness data (PHI) | Diagnoses, treatment plans, session notes, outcome measures, crisis-plan details | Entered by you, your clinician, or imported from Electronic Health Records |
Device & usage data | IP address, browser type, mobile OS, timestamps, page views, crash logs | Collected automatically via cookies, SDKs, and server logs |
Engagement data | In-app messages, homework completion, AI-companion interactions | Generated while you use our products |
Payment & insurance data | Insurance member ID, claim history, payment card details | Provided by you or your payor; processed through PCI-compliant vendors |
Communications | Email, chat, SMS, phone recordings with support | When you interact with us |
Children under 13. Kin does not knowingly collect personal data from anyone under 13 without verified parental consent and compliance with the Children’s Online Privacy Protection Act (“COPPA”). If you believe we have collected data from a child under 13 in error, contact us at privacy@kin-therapy.com so we can delete it.
4. How We Use Your Information
We use personal information to:
- Deliver and improve clinical care – schedule sessions, manage care plans, personalize content, and monitor outcomes.
- Operate our platform – authenticate users, maintain security, debug, analyze usage, and develop new features (including AI-powered tools).
- Process payments & insurance claims.
- Communicate – send appointment reminders, program updates, crisis-management instructions, marketing (with opt-out), and survey requests.
- Comply with law – satisfy HIPAA, state medical-privacy laws, insurance audits, and court orders.
- Research & analytics – de-identified or aggregated data may be used to evaluate program effectiveness, publish academic findings, and improve mental-health interventions.
- Protect safety – detect and respond to self-harm or abuse signals, fraud, or security threats.
We do not sell or rent your personal information.
5. Legal Bases (GDPR / International Users)
Where the EU or UK General Data Protection Regulation applies, we rely on the following legal grounds:
- Contract performance – to provide the services you request.
- Legal obligation – to comply with healthcare-privacy, tax, and record-retention laws.
- Legitimate interests – to secure our platform and improve services (balanced against your rights).
- Consent – for marketing or where local law requires explicit consent for processing sensitive data. You may withdraw consent at any time.
6. How We Share Information
We share information only as necessary:
Recipient | Purpose | Safeguards |
---|---|---|
Licensed clinicians & care team | Deliver treatment, coordinate care, crisis response | HIPAA & professional-ethics obligations |
Service providers | Cloud hosting, EHR, claims clearinghouse, SMS gateway, analytics | Written contracts, HIPAA BAA where applicable |
Insurance companies / payors | Verify eligibility, submit claims, prior authorization | HIPAA transactions & state insurance laws |
Research partners | Program evaluation, academic studies | Data de-identified or subject to IRB approval |
Legal & regulatory authorities | Subpoenas, court orders, mandatory reporting of child abuse or imminent harm | Disclosed only as required |
Corporate transactions | Merger, acquisition, or asset sale | Information transferred subject to this Policy |
We do not allow advertising networks to track PHI-based behavior.
7. Cookies & Similar Technologies
We use first- and third-party cookies, log files, and SDKs for:
- essential site functionality;
- remembering preferences;
- analytics (e.g., Mixpanel, Google Analytics); and
- security (e.g., reCAPTCHA).
You can block or delete cookies in your browser; some features may not work afterwards.
8. Data Retention
- PHI – retained for at least 7 years (or longer where state law is stricter) after the last date of service.
- Other data – kept as long as needed for the purposes in Section 4, then securely deleted or de-identified.
9. Data Security
We employ administrative, technical, and physical safeguards:
- AES-256 encryption at rest, TLS 1.2+ in transit
- Role-based access controls and multi-factor authentication
- Annual HIPAA security-risk assessments
- Continuous monitoring, vulnerability scanning, and penetration testing
- Workforce HIPAA & privacy training
No internet transmission or storage system is 100% secure; we cannot guarantee absolute security.
10. Your Privacy Rights
Depending on where you live, you may have the right to:
Right | What it Means |
---|---|
Access | Receive a copy of the personal data we hold about you |
Correction | Request corrections to inaccurate or incomplete data |
Deletion | Ask us to delete certain data (subject to legal limits) |
Restriction / Objection | Limit or object to particular uses of your data |
Data portability | Receive your data in a structured, machine-readable format |
Opt-out of marketing | Unsubscribe at any time via email footer or account settings |
California / Virginia / Colorado | Additional rights to opt out of targeted advertising and profiling |
To exercise any right, email privacy@kin-therapy.com. We will verify your identity and respond within the timeframe required by law.
11. International Data Transfers
Kin hosts data primarily in the United States. If you access our services from outside the U.S., you understand your information may be transferred to, stored, and processed in the U.S. and other countries that may not offer the same level of data protection. Where required, we use Standard Contractual Clauses or equivalent safeguards.
12. Third-Party Links
Our platform may link to external sites or services we do not control. This Policy does not cover those sites; review their privacy statements.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will post the revised version with a new “Last updated” date and, if the changes are material, notify you via email or in-app message before they take effect. Continued use of the services after the effective date constitutes acceptance.
14. Contact Us
Questions, concerns, or complaints?
Kin Therapy Inc.
Email: privacy@kin-therapy.com
Phone: +1 (813) 212-5200
You may also lodge a complaint with your local data-protection authority, the U.S. Department of Health and Human Services Office for Civil Rights (for HIPAA), or other regulators, but we encourage you to contact us first so we can address your concerns quickly.