Privacy Policy

Last Updated: March 18, 2026

PracticeRunner LLC (“PracticeRunner,” “we,” “us,” or “our”) operates the PracticeRunner website, mobile applications, and software platform (collectively, the “Service”). This Privacy Policy explains in detail how we collect, use, store, and disclose personal information when you access or interact with the Service, including information submitted directly by you, collected automatically through your use of the Service, or received from third-party sources.

This Privacy Policy applies only to personal information that is not governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Any Protected Health Information (“PHI”) created, received, maintained, or transmitted through the Service on behalf of healthcare providers is governed exclusively by our Business Associate Agreement (“BAA”). This Privacy Policy does not alter, replace, or limit any obligations under the BAA, and the handling of PHI under the BAA remains subject to HIPAA and related regulations.

PracticeRunner makes this Privacy Policy available through the Service and related signup, onboarding, and purchase flows as a notice describing our data practices. Where the Service asks you to acknowledge this Privacy Policy, such acknowledgment confirms that you have been presented with and reviewed this notice. No separate signature block or countersignature by PracticeRunner is required for this Privacy Policy to be effective as a notice.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described in this Privacy Policy, you should not use or access the Service.

1. SCOPE

This Privacy Policy governs the collection, use, storage, and disclosure of personal information by PracticeRunner LLC in connection with the use of our website, software platform, and related services (collectively, the “Service”). It applies to all individuals who interact with the Service, including visitors to our website who browse or access publicly available information, individuals who create accounts to use the Service, organizations that subscribe to or purchase access to the Service, and users who are authorized by subscribing organizations to access and use the Service on their behalf. Additionally, this Privacy Policy applies to prospective customers or other parties who communicate with us directly, whether for inquiries, demonstrations, or support purposes.

This Privacy Policy applies solely to information that does not constitute Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations. This includes information collected through PracticeRunner’s website, marketing activities, and certain administrative or account-level data that is not subject to HIPAA.

PracticeRunner may create, receive, maintain, or transmit PHI on behalf of healthcare providers, clinics, and other covered entities (each, an “Organization”) in connection with the provision of the Service. In such cases, PracticeRunner acts solely as a “Business Associate” (or similar service provider role under applicable law) and processes PHI exclusively on behalf of and at the direction of the Organization pursuant to one or more Business Associate Agreements (“BAAs”).

All PHI is governed exclusively by the applicable BAA and not by this Privacy Policy. This Privacy Policy does not apply to PHI, does not govern the use or disclosure of PHI, and does not create any rights or obligations with respect to PHI. The Organization, and not PracticeRunner, determines the purposes and means of processing PHI, including any clinical, treatment, payment, or healthcare operations-related uses.

In the event of any conflict or inconsistency between this Privacy Policy and a BAA, the terms of the BAA shall control with respect to all PHI-related matters. Individuals seeking to exercise rights relating to their PHI, including rights of access, amendment, or restriction, should direct such requests to their healthcare provider, whose Notice of Privacy Practices governs the handling of PHI. Nothing in this Privacy Policy shall be interpreted to expand PracticeRunner’s obligations or liability with respect to PHI beyond those expressly set forth in the applicable BAA or required under applicable law.

2. ORGANIZATION STRUCTURE

Within the Service, an “Organization” is defined as a single legal entity, which may include a therapy practice, clinic, nonprofit, healthcare provider, or any other entity that subscribes to or utilizes the Service. Each Organization is treated as a distinct account holder within the Service, and all user access, data management, and administrative functions are associated with that specific Organization. In cases where an Organization qualifies as a HIPAA Covered Entity, PracticeRunner acts exclusively as a Business Associate, and any Protected Health Information (“PHI”) processed through the Service is handled solely on behalf of that Organization under the terms of a Business Associate Agreement (“BAA”).

The Service implements role-based permissions to govern internal user access within each Organization. These permissions allow Organizations to assign varying levels of access and administrative rights to users based on their responsibilities, ensuring that sensitive information is only accessible to authorized personnel. However, it is important to note that role-based access does not create separate legal entities, and all actions within the Service remain under the legal and operational control of the subscribing Organization. This structure ensures that Organizations retain full responsibility for their data while allowing for secure and flexible internal management of user access and permissions.

3. INFORMATION WE COLLECT

When an Organization registers to use the Service, we collect information necessary to create and maintain the account, facilitate communication, and process billing. This includes the name of the account holder, the legal name of the Organization or practice, email address, mailing address, and billing information such as credit card or payment details. Payment processing is handled securely by third-party payment processors, and full payment credentials are not stored on our systems. This information enables us to manage account access, provide customer support, send important updates, and ensure accurate billing and subscription management.

In addition to account information, we may collect technical and usage-related information automatically when you access or interact with the Service. This may include IP addresses, device identifiers, browser type, operating system, and other device-related information. We may also collect log files, timestamps of access, and detailed records of usage activity within the Service (including pages visited, features accessed, and session duration), as well as error logs and performance diagnostics. The collection of this information allows us to maintain system reliability, detect and prevent fraud, optimize system performance, and protect the Service and its users against security threats.

When you contact us for support, make inquiries, provide feedback, or engage in other forms of communication, we may retain records of these interactions. This includes the content of your messages, your email address, phone number, and any other relevant contact information. Retaining this information helps us respond to requests effectively, track support issues, analyze trends, and continuously improve the Service. All communications are treated with appropriate confidentiality and are not shared outside the scope necessary to address your requests or as otherwise described in this Privacy Policy.

4. CATEGORIES OF DATA COLLECTED

PracticeRunner collects information in different contexts, and the type of data collected depends on how you interact with us:

  • Website and Marketing Data: Information collected when individuals visit the PracticeRunner website, submit inquiries, subscribe to newsletters or communications, or otherwise interact with PracticeRunner outside of the platform. This may include contact details (e.g., name, email), device identifiers and browser information, cookies or other tracking technologies, and usage analytics that inform website performance, user engagement, and preferences.

  • Platform Data (Non-PHI): Information collected from Organizations and their Authorized Users when accessing and using the PracticeRunner platform. This includes account registration information, user credentials, configuration settings, role-based permissions, operational and administrative data, feature usage metrics, and technical information required to provide, maintain, and improve the Service. This data supports functionality and security but does not include clinical or patient health information.

  • Protected Health Information (PHI): Any PHI created, received, maintained, or transmitted through the platform is processed exclusively on behalf of the healthcare Organization under applicable Business Associate Agreements (BAAs) and HIPAA requirements. PHI is governed solely by the BAA, is not covered by this Privacy Policy, and is not used by PracticeRunner for marketing, analytics unrelated to the Service, or any other purposes outside the scope of the BAA. Questions regarding PHI should be directed to the healthcare provider, whose privacy notices govern the collection, use, and disclosure of medical information.

  • California CMIA/State Privacy Compliance (Optional Addition): PracticeRunner acts solely as a service provider to the healthcare Organization and processes patient information on behalf of the provider. The Organization determines the purposes and means of processing patient data, and PracticeRunner cooperates with the Organization in responding to any unauthorized access or disclosure of medical information, consistent with California’s Confidentiality of Medical Information Act (CMIA).

5. PROTECTED HEALTH INFORMATION (PHI)

If you are a HIPAA Covered Entity and use the Service to create, receive, maintain, or transmit Protected Health Information (“PHI”), PracticeRunner acts solely as a Business Associate and processes PHI exclusively on behalf of the subscribing Organization in accordance with the terms of a Business Associate Agreement (“BAA”). Our handling of PHI is strictly governed by the BAA and applicable HIPAA regulations, and this Privacy Policy does not modify, replace, or limit any obligations imposed by the BAA.

PHI is collected, used, and disclosed only as necessary to provide, operate, maintain, secure, and support the Service, and in accordance with the requirements of applicable law and the BAA. PracticeRunner does not use PHI for advertising purposes, nor does it sell PHI to any third parties under any circumstances. Additionally, PHI is never used to train, fine-tune, or improve generalized machine learning models that are unrelated to providing the Service for the Organization. Any access, processing, or storage of PHI is performed with strict administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability.

This approach ensures that all PHI remains under the control and responsibility of the subscribing Organization, while PracticeRunner supports the secure delivery of the Service in full compliance with HIPAA and related privacy standards.

6. HOW WE USE NON-PHI INFORMATION

PracticeRunner uses non-PHI personal information collected through the Service to provide, maintain, and continuously improve the functionality, performance, and user experience of our platform. This includes processing billing and subscription information, managing administrative functions, and ensuring accurate account management. Non-PHI information is also used to provide customer support, respond to inquiries, and communicate important updates regarding the Service, such as feature enhancements, policy changes, or promotional information, when applicable.

In addition, non-PHI data is utilized to monitor system performance, detect and prevent fraudulent or unauthorized activity, and implement security measures to protect the integrity of the Service. PracticeRunner may also use non-PHI personal information to comply with applicable legal obligations, enforce our Terms of Service, and protect our legal rights or those of our users.

Where appropriate, we may aggregate or de-identify collected information so that it no longer identifies individual users. Aggregated or de-identified data may be used for analytics, research, benchmarking, service improvement, and other operational purposes. This ensures that insights can be derived to improve the Service while protecting individual privacy and maintaining compliance with privacy laws and best practices.

7. ROLE OF PRACTICERUNNER AND PATIENT DATA

When PracticeRunner processes information on behalf of healthcare providers, including information relating to patients, clients, or other end users (“Patients”), PracticeRunner acts solely as a technology service provider and data processor to the applicable healthcare provider or organization (the “Organization”). PracticeRunner does not act as a healthcare provider, covered entity, or controller of Patient data and does not determine the purposes or means of processing such information.

The Organization retains full control over and responsibility for all Patient data made available through the PracticeRunner platform, including determining what information is collected, created, accessed, transmitted, or disclosed, and for what purposes such information is used, including any clinical, medical, or treatment-related purposes. PracticeRunner processes such information only on behalf of and at the direction of the Organization, in accordance with applicable agreements, including any Business Associate Agreement (“BAA”), and does not independently use Patient data for its own purposes except as necessary to provide and maintain the Service.

PracticeRunner does not establish a direct relationship with Patients and does not provide medical advice, diagnosis, or treatment. All medical decisions, patient care, and compliance with applicable healthcare laws and regulations—including, without limitation, HIPAA and the California Confidentiality of Medical Information Act (CMIA)—are the sole responsibility of the Organization.

Patients and other end users must direct any questions, requests, or concerns regarding their medical information, including requests for access, correction, amendment, deletion, or restrictions on use, to their healthcare provider. The Organization’s Notice of Privacy Practices, privacy policy, and applicable consent forms govern the collection, use, and disclosure of Patient data, and will control in the event of any conflict with this Privacy Policy with respect to medical or health-related information.

PracticeRunner will reasonably cooperate with the Organization, as required under applicable law and contractual obligations, in responding to verified requests, inquiries, or incidents involving Patient data, including suspected or confirmed unauthorized access, use, or disclosure.

8. SERVICE PROVIDERS AND INFRASTRUCTURE

PracticeRunner may engage third-party service providers, contractors, or vendors (collectively, “Service Providers”) to assist with the operation, delivery, security, performance, and maintenance of the Service and related systems. Such Service Providers may include, but are not limited to, cloud hosting and infrastructure providers, data storage and backup vendors, payment processors, analytics and monitoring platforms, logging and diagnostic tools, customer support and communication platforms, and specialized security services.

These Service Providers are authorized to access or process information only to the extent necessary to provide their contracted services to PracticeRunner, and their access is strictly limited by confidentiality, privacy, and security obligations outlined in binding contractual agreements. All Service Providers are required to implement safeguards consistent with industry standards to protect the confidentiality, integrity, and availability of data, including non-PHI information collected by the platform and any PHI processed under applicable Business Associate Agreements.

PracticeRunner retains responsibility for the selection, oversight, and management of its Service Providers but does not guarantee or control the performance, reliability, or security of third-party systems beyond what is contractually required. PracticeRunner does not sell, share, or otherwise provide personal information or PHI to Service Providers except as necessary to provide the Service. Users should be aware that the security, privacy, or regulatory compliance of integrated third-party services may vary, and PracticeRunner is not liable for any unauthorized access, loss, or disclosure resulting from the actions or failures of these Service Providers.

9. AUTOMATED AND ASSISTIVE FEATURES

The Service may include optional automated or AI-assisted tools designed to support documentation, organization, workflow management, or customer support. These features are intended to function solely as assistive tools to enhance efficiency and provide guidance, and they are not a substitute for professional judgment or decision-making by authorized users of the Service. When deployed in environments that handle Protected Health Information (“PHI”), these features operate within HIPAA-eligible frameworks and are fully subject to the terms of the applicable Business Associate Agreement (“BAA”).

PracticeRunner does not use PHI to train or improve generalized machine learning models that are unrelated to the provision of the Service for the subscribing Organization. Any content, suggestions, or outputs generated by these automated or AI-assisted features are intended for review and approval by the Organization before clinical or operational use. Users should exercise their professional discretion when interpreting or relying on automated outputs. While these tools are designed to assist with efficiency and accuracy, PracticeRunner does not guarantee the completeness, correctness, or suitability of the results generated by automated or AI-assisted processes, and responsibility for any clinical or operational decisions rests with the Organization and its authorized users.

10. SHARING OF INFORMATION

PracticeRunner does not sell personal information to third parties. However, in order to provide, maintain, and improve the Service, we may share personal information with trusted third-party service providers that support critical aspects of our operations. These service providers may include companies that provide hosting, infrastructure, analytics, technical support, billing, or other operational services necessary for the functioning of the Service. Payment information is shared only with authorized payment processors to facilitate secure transaction processing, and full payment credentials are not stored on our systems.

We may also disclose personal information when required by applicable law, regulation, legal process, or governmental authority, including to respond to subpoenas, court orders, or other legal requests. Additionally, personal information may be shared in connection with a merger, acquisition, corporate reorganization, or sale of assets, but any such transfer will be subject to confidentiality obligations and limitations on use consistent with this Privacy Policy.

When service providers access or process Protected Health Information (“PHI”), they are bound by written agreements that require appropriate administrative, technical, and physical safeguards, as well as strict confidentiality obligations, in accordance with HIPAA and the terms of our Business Associate Agreement (“BAA”). These measures ensure that PHI is only used as necessary to support the Service and is protected against unauthorized access, disclosure, or misuse.

11. DATA SECURITY

PracticeRunner implements a comprehensive set of administrative, physical, and technical safeguards designed to protect personal information and Protected Health Information (“PHI”) from unauthorized access, disclosure, alteration, or destruction. All data transmitted through the Service is encrypted using industry-standard protocols, and sensitive information stored at rest is also encrypted in accordance with current best practices and HIPAA guidance. These measures help ensure the confidentiality, integrity, and availability of the data we process.

Access to the Service and sensitive information is governed by role-based controls, which restrict system access to authorized personnel based on their responsibilities and organizational role. In addition, we maintain detailed logging, continuous monitoring, and auditing of system activity to detect potential security incidents, anomalies, or unauthorized attempts to access data. Our hosting environments are secured with firewalls, intrusion detection systems, and other safeguards designed to prevent breaches and protect against external and internal threats.

While no method of data storage or transmission can be guaranteed to be completely secure, PracticeRunner takes all reasonable and appropriate measures consistent with the sensitivity of the information, industry standards, and regulatory requirements to protect the personal information and PHI processed through the Service.

12. DATA RETENTION

PracticeRunner retains personal information for as long as necessary to provide and maintain the Service, fulfill contractual obligations, comply with applicable legal and regulatory requirements, and resolve disputes or enforce agreements. The specific retention period may vary depending on the type of information, the purpose for which it was collected, and any applicable legal obligations that require longer retention.

For organizations that use the Service to process Protected Health Information (“PHI”), retention and deletion of PHI are governed exclusively by the terms of the Business Associate Agreement (“BAA”). Upon termination of an account, subscribing Organizations are provided a period of thirty (30) days to export or retrieve their data. After this period, PracticeRunner may permanently delete the data from active systems, subject to any backup retention policies and applicable legal or regulatory obligations. These retention policies are designed to balance operational needs, legal compliance, and data privacy, while ensuring that personal information and PHI are not maintained longer than necessary.

13. STATE-SPECIFIC PRIVACY RIGHTS

Depending on your state or other applicable jurisdiction, you may be entitled to specific privacy rights under state or local laws, including, without limitation, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and other similar privacy statutes that may apply to individuals within those states. These rights may include, but are not limited to, the right to request access to personal information collected by PracticeRunner, the right to request correction or deletion of such information, the right to obtain information regarding the categories of data collected and the purposes for which it is used, and the right to opt out of the sale or sharing of personal information, if applicable. PracticeRunner will honor and facilitate these rights in accordance with applicable law and within the statutory timeframes provided. This section may be updated or expanded over time as new state-specific privacy laws are enacted, amended, or interpreted, and as PracticeRunner onboards new organizations or offers services in additional jurisdictions. Individuals are encouraged to review this section periodically and may submit requests or inquiries regarding their privacy rights through the contact methods provided in the PracticeRunner Privacy Policy.

14. CALIFORNIA PRIVACY RIGHTS (CPRA NOTICE AT COLLECTION)

If you are a resident of California, PracticeRunner collects certain categories of personal information, including identifiers such as your name, email address, and IP address; commercial information such as billing, subscription, and payment records; internet or network activity information reflecting your use of the Service; and professional or employment-related information, including practice or organizational details. This information is collected and used to provide, maintain, and improve the Service, to manage account and subscription activities, and to ensure a secure and reliable user experience.

PracticeRunner does not sell or share personal information for cross-context behavioral advertising or similar purposes. Under the California Privacy Rights Act (“CPRA”), California residents have the right to request access to the personal information we collect, request correction of inaccurate information, and request deletion of personal information, subject to certain exceptions as permitted by law. Requests are verified and processed in accordance with applicable legal requirements. It is important to note that Protected Health Information (“PHI”) collected or processed under HIPAA and the applicable Business Associate Agreement (“BAA”) is excluded from certain CPRA rights to the extent permitted by law, and any such requests for PHI must be directed to the healthcare provider responsible for the PHI.

These rights are part of our commitment to transparency and control over personal information for California residents, and PracticeRunner has implemented procedures to ensure that requests can be fulfilled in compliance with state law.

15. CHILDREN’S PRIVACY

The Service is designed and intended for use exclusively by licensed professionals, authorized staff, and subscribing organizations. It is not directed to children under the age of 18, and PracticeRunner does not knowingly collect, maintain, or use personal information from children. If we become aware that personal information has been inadvertently collected from a child under 18, we take steps to delete such information as quickly as possible.

Parents or guardians who believe that their child has provided personal information to the Service should contact us immediately so that we can take appropriate action to remove the information. By restricting access and functionality to professionals and authorized users, we help ensure that minors do not interact with the Service in a manner that would result in the collection of their personal information. These safeguards reflect our commitment to compliance with applicable privacy laws concerning children and to the protection of sensitive personal information.

16. INTERNATIONAL USERS

If you access or use the Service from outside the United States, please be aware that your personal information and any data you provide may be transferred to, stored, and processed in the United States, where data protection and privacy laws may differ from those of your country of residence. By using the Service, you acknowledge and consent to such transfers and understand that your information may be subject to U.S. laws, including applicable regulations related to data privacy, security, and law enforcement access.

PracticeRunner takes reasonable measures to protect the privacy and security of information transferred internationally, including implementing technical, administrative, and physical safeguards consistent with industry standards. However, users located outside the United States assume responsibility for ensuring that such transfers comply with the legal requirements of their jurisdiction. Where applicable, we may provide additional information or contractual safeguards to meet international data transfer requirements, such as standard contractual clauses or other compliance mechanisms under relevant privacy laws.

17. THIRD-PARTY LINKS AND INTEGRATIONS

The Service may include links to third-party websites, applications, or online services, and may also integrate with certain third-party tools or platforms to enhance functionality. PracticeRunner does not control these third-party services and is not responsible for the privacy practices, security measures, or content of any such websites or services. The collection, use, or disclosure of personal information by these third parties is governed solely by their own privacy policies and terms of use, which may differ from those of PracticeRunner.

Users are strongly encouraged to review the privacy policies and terms of service of any third-party websites, applications, or services they access or integrate with through the Service. By interacting with third-party content or services, users acknowledge that PracticeRunner has no liability for any actions, data practices, or communications conducted by these third parties. This section is intended to help users make informed decisions and maintain control over their personal information when engaging with services outside of PracticeRunner’s direct control.

18. COOKIES AND TRACKING TECHNOLOGIES

PracticeRunner may use cookies, web beacons, pixel tags, and other similar tracking technologies to enhance the user experience, analyze usage patterns, and measure the effectiveness of our communications and Service features. These technologies help us understand how users interact with the Service, optimize performance, and deliver content that is relevant and useful. They may also be used for security purposes, such as detecting and preventing unauthorized access or fraudulent activity.

Users have the ability to manage or disable cookies and other tracking technologies through their browser or device settings. However, please note that some features or functionality of the Service may rely on cookies or similar technologies, and disabling them may limit your ability to access certain tools, maintain session information, or fully utilize the Service. By continuing to use the Service without adjusting your settings, you consent to our use of cookies and similar technologies as described in this Privacy Policy.

19. YOUR RIGHTS AND CHOICES

Subject to applicable laws and regulations, users may have certain rights regarding the personal information that PracticeRunner collects and processes. These rights may include the ability to access the personal information we hold about you, request corrections to inaccurate or incomplete data, or request deletion of personal information, to the extent permitted by law. Additionally, users may choose to opt out of marketing or promotional communications at any time, and, where applicable, may have the right to limit certain processing of their personal information.

Requests to exercise these rights can be submitted through the contact information provided below. Upon receiving a request, PracticeRunner will take reasonable steps to verify your identity and process the request in accordance with applicable legal requirements. Certain requests may be subject to exceptions under the law, for example, if retention or processing is required to comply with legal obligations, resolve disputes, enforce agreements, or protect the security and integrity of the Service. We are committed to respecting your privacy choices and ensuring that users have meaningful control over their personal information.

20. CHANGES TO THIS POLICY

PracticeRunner may update this Privacy Policy from time to time to reflect changes in our practices, regulatory requirements, technological developments, or the features of the Service. When material changes are made, we will provide notice to users through the Service, via email, or through other reasonable means to ensure that you are informed of the updates.

The revised Privacy Policy will become effective on the date indicated in the “Last Updated” header or as otherwise specified in the notice. Where the Service asks you to acknowledge an updated Privacy Policy, your electronic acknowledgment through the applicable flow will confirm that you have been presented with the revised notice. Otherwise, continued use of the Service after the effective date of any changes constitutes your acknowledgment of the revised Privacy Policy to the extent permitted by applicable law. We encourage users to periodically review this Privacy Policy to stay informed about how we collect, use, share, and protect personal information. Any material changes affecting the rights or obligations of users will be communicated clearly to allow users to make informed decisions about their continued use of the Service.

21. CONTACT INFORMATION

If you have any questions, concerns, or requests regarding this Privacy Policy or the way PracticeRunner collects, uses, or protects personal information, you may contact our designated Privacy Officer. Our Privacy Officer is responsible for overseeing our data protection practices, responding to inquiries, and assisting users in exercising their privacy rights. You can reach us by mail at PracticeRunner LLC, Attn: Privacy Officer, PO Box 401101, San Francisco, CA 94140, or by email at [email protected].

When submitting a request, please provide sufficient information to allow us to verify your identity and respond appropriately. We strive to respond to all inquiries and privacy-related requests in a timely and reasonable manner, consistent with applicable legal requirements. Whether your concern involves access, correction, deletion, or general questions about the Service’s privacy practices, our Privacy Officer will work with you to provide guidance and ensure that your rights and preferences are respected.

By using the Service, you acknowledge that you have read and understood this Privacy Policy, including how PracticeRunner collects, uses, shares, and protects personal information.

This Privacy Policy operates as a notice of PracticeRunner’s data practices and does not require a separate signature block or countersignature.