Your privacy matters to us
Effective date: March 2, 2026
1. INTRODUCTION AND SCOPE
Welcome to Practice with Joy. We are committed to protecting the privacy of all individuals who interact with our services. This Privacy Policy describes how Practice with Joy, Inc. (“Practice with Joy,” “we,” “our,” or “us”) collects, uses, discloses, and safeguards information when you visit our website, use our technology platform, or interact with our services.
1.1 Who This Policy Applies To
Practice Clients: Medical practices, healthcare provider organizations, and other professional entities that contract with Practice with Joy for consulting, marketing, or healthcare platform services. Practice Clients’ use of the Services is governed by a Master Services Agreement (“MSA”), Business Associate Agreement (“BAA”), and related agreements, which may contain additional or superseding provisions regarding data handling, security, and privacy. In the event of a conflict between this Privacy Policy and the MSA or BAA, the MSA or BAA shall control.
Patient Users: Individuals who interact with the Practice with Joy platform in connection with receiving or seeking healthcare services from a Practice Client, including through the patient portal, Practice Client websites, or any other patient-facing feature of the Platform.
Website Visitors: Individuals who visit the Practice with Joy corporate website (practicewithjoy.com) without necessarily being a Practice Client or Patient User.
1.2 Relationship Between This Policy and HIPAA
Some of the information processed through our Healthcare Platform and certain patient-facing Marketing Platform features constitutes Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act (“HIPAA”). The handling of PHI is governed by HIPAA, our Business Associate Agreements with Practice Clients, and the applicable Practice Client’s Notice of Privacy Practices. Where HIPAA applies, it takes precedence over this Privacy Policy with respect to PHI. This Privacy Policy governs our handling of personal information that is not PHI.
2. INFORMATION WE COLLECT
2.1 Information from Practice Clients
We collect information that Practice Clients provide in connection with their use of our Services, including: contact and business information (names, email addresses, phone numbers, business addresses, and professional credentials); account and login credentials; practice configuration and platform settings; and any other information provided during onboarding or ongoing use of the Services.
Payment Information. We use Stripe to process payments. When you provide payment information, it is transmitted directly to and stored by Stripe in accordance with their security standards. We do not store credit card numbers or full payment card details on our servers. We may retain transaction records, billing history, and related metadata as necessary for account management and legal compliance.
2.2 Information from Patient Users
2.2.1 Protected Health Information (PHI)
The Healthcare Platform supports the full lifecycle of patient care, including self-scheduling and appointment booking. In the course of providing the Platform to Practice Clients, we may create, receive, maintain, or transmit PHI on their behalf. This includes any individually identifiable health information that relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare, as processed through the Healthcare Platform or patient-facing features of the Marketing Platform (such as contact forms on Practice Client websites).
PHI is processed by Practice with Joy solely as a Business Associate on behalf of the Practice Client (the Covered Entity). The Practice Client’s Notice of Privacy Practices governs Patient Users’ rights with respect to their PHI.
2.2.2 Website Contact Forms
Information submitted by prospective or current patients through contact forms on Practice Client websites is treated as PHI under HIPAA. When an individual submits a contact form on a Practice Client’s website, the information provided relates to the individual’s request for healthcare services and is therefore protected under HIPAA. This data is subject to the same safeguards and BAA obligations that apply to all PHI processed through the Healthcare Platform.
2.2.3 Non-PHI Patient Information
We may also collect information from Patient Users that does not constitute PHI, including: browser type, device type, and IP address when accessing the Platform; cookies and similar tracking technologies (see Section 5); and general usage data and analytics.
2.3 Information from Website Visitors
When you visit the Practice with Joy corporate website (practicewithjoy.com), we may automatically collect non-personal information such as: IP address; browser type and version; device type and operating system; pages visited, time spent, and browsing behavior; referring URL; and geolocation data (if enabled). This information is collected through cookies and similar technologies and is used to improve our website and user experience.
Note: This section applies to visitors of the Practice with Joy corporate website. Visitors to Practice Client websites who submit contact forms are treated as Patient Users, and their submissions are treated as PHI as described in Section 2.2.2.
3. HOW WE USE INFORMATION
3.1 Use of PHI
We use PHI only as permitted by HIPAA and the applicable Business Associate Agreement. Permitted uses include: providing, maintaining, and supporting the Healthcare Platform on behalf of Practice Clients; facilitating clinical and administrative workflows, including scheduling, patient communications, and telehealth; processing contact form inquiries submitted through Practice Client websites; processing Visit Experience Surveys; and as otherwise required by law.
We do not use PHI for marketing, advertising, or any purpose unrelated to the provision of the Services. We do not sell PHI to third parties.
3.2 Use of Non-PHI Personal Information
We may use non-PHI personal information for the following purposes: to provide, manage, and improve the Consulting Services, Marketing Platform, and Healthcare Platform; to respond to inquiries and provide customer support; to process payments for Services; to send promotional communications with consent (Practice Clients and Website Visitors may opt out at any time); to analyze website and platform usage and improve functionality; and to comply with legal obligations or resolve disputes.
4. HOW WE SHARE INFORMATION
4.1 Sharing of PHI
We share PHI only as permitted by HIPAA and the applicable Business Associate Agreement. PHI may be shared with: the Practice Client (Covered Entity) and its authorized workforce members; subcontractors who have executed Business Associate Agreements with Practice with Joy (see Section 10); and governmental authorities as required by law. We do not sell, rent, or trade PHI.
4.2 Sharing of Non-PHI Personal Information
We do not sell, trade, or otherwise transfer your personal information to outside parties for their own marketing purposes. We may share non-PHI personal information with trusted third-party service providers who assist us in operating our platform and conducting our business, provided they agree to maintain confidentiality. These may include: website hosting and cloud infrastructure providers; marketing service providers; payment processors (Stripe); analytics platforms; and legal and regulatory bodies as required by law.
5. COOKIES AND TRACKING TECHNOLOGIES
Our website and Platform use cookies and similar technologies to enhance your experience. Cookies are small files stored on your device by your web browser that help us remember preferences, improve functionality, and analyze site traffic.
You can manage cookie preferences through your browser settings. Disabling cookies may affect your ability to use certain features, such as staying logged in or saving preferences.
We do not use cookies or tracking technologies to collect or process PHI.
6. DATA SECURITY
6.1 General Security Measures
We implement industry-standard security measures to protect personal information from unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, role-based access controls, network firewalls and intrusion detection, regular security assessments and vulnerability testing, and employee security training and access management.
6.2 HIPAA Security Safeguards
For PHI processed through the Platform, we maintain administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), including: access controls and authentication mechanisms; audit logging and monitoring; encryption of electronic PHI at rest and in transit; workforce training on HIPAA obligations; and incident response and breach notification procedures.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
7. DATA RETENTION
7.1 PHI and Clinical Data
PHI processed through the Healthcare Platform — including all clinical, administrative, and patient-submitted data — is retained in accordance with the Practice Client’s configuration settings, the applicable MSA and BAA, and federal and state medical records retention requirements. Practice Clients are responsible for configuring retention settings consistent with applicable law.
7.2 Visit Experience Survey Data
Individual survey responses are retained for up to one (1) year from the date of collection, after which they are deleted. Aggregated, de-identified survey data may be retained indefinitely for quality improvement and operational analytics purposes.
7.3 Practice Client Account Data
Practice Client account and business information is retained for the duration of the service relationship as defined in the applicable MSA and for a reasonable period thereafter to comply with legal, contractual, and regulatory obligations.
7.4 Website Visitor Data
Non-personal browsing data and analytics are retained for up to twenty-four (24) months. Personal information provided through the Practice with Joy corporate website is retained for as long as necessary to respond to the inquiry and for a reasonable period thereafter.
7.5 Payment Records
Payment transaction records are retained as required by applicable tax and financial regulations.
8. GOOGLE USER DATA ACCESS
If a Practice Client connects their Google Workspace account to the Practice with Joy platform, we access certain Gmail data via Google APIs, specifically: reading incoming Gmail messages for the purpose of ingesting them into the EMR system; and sending email responses from within the EMR interface on behalf of the Practice Client.
This integration does not access Google Contacts, Google Calendar, Google Drive, or any other Google services unless separately disclosed and authorized.
This data is used solely to provide the above functionality and is not shared with any third parties, used for advertising, or used for analytics unrelated to the EMR functionality.
Compliance with Google’s Limited Use Requirements: We comply with the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we do not transfer Gmail data to third parties except as necessary to provide the EMR integration; we do not use Gmail data for advertising, profiling, or purposes unrelated to the EMR; we ensure user-controlled access and deletion; and we employ strong security and access controls.
Gmail message metadata and content ingested into the EMR is retained according to the Practice Client’s EMR settings and compliance requirements. We do not store raw Gmail data separately from the EMR system.
9. VISIT EXPERIENCE SURVEYS
9.1 Data We Collect
Visit Experience Surveys collect satisfaction ratings and any comments voluntarily provided by the Patient User, along with identifiers necessary to associate the response with the relevant visit and provider. Surveys may be sent following visits. Because survey responses are linked to the Patient User’s visit and provider, individually identifiable survey data is treated as PHI under HIPAA.
9.2 How We Use Survey Data
Survey responses are used for internal quality improvement, provider performance evaluation, and operational analytics. Individual responses may be shared with the Practice Client associated with the Patient User’s visit in accordance with HIPAA’s permitted uses for health care operations. We do not sell survey responses to third parties.
9.3 Consent
Consent to the collection and use of Visit Experience Survey data is obtained through the consent forms provided during the Practice Client’s intake process. Completion of any individual survey remains voluntary, and declining will not affect care or services.
9.4 Communications and Opt-Out
Survey requests may be delivered via SMS and/or email. By providing a mobile phone number and email during intake, Patient Users consent to receiving survey-related text messages. Message and data rates may apply. Message frequency varies. Opt out of SMS at any time by replying STOP. Opt out of email by clicking the “Unsubscribe” link in any survey email. Opting out will not affect care or services.
9.5 Google Reviews
After completing a Visit Experience Survey, Patient Users may be invited to leave a review on Google. Google Reviews are entirely voluntary and are governed by Google’s Terms of Service and Privacy Policy. Reviews posted on Google are public and visible to anyone on the internet. Practice with Joy does not control the content, visibility, or retention of Google Reviews once posted.
We strongly recommend that Patient Users do not include any PHI, medical details, or other sensitive information in a Google Review. Practice with Joy is not responsible for any personal information disclosed through third-party platforms.
10. THIRD-PARTY SUBPROCESSORS
We engage trusted third-party service providers (“subprocessors”) to assist in delivering our Services, including cloud hosting, data storage, analytics, email and SMS delivery, payment processing, and telehealth infrastructure. All subprocessors are contractually obligated to safeguard personal data and, where applicable, PHI in accordance with HIPAA and applicable data protection laws.
A current list of subprocessors is available at practicewithjoy.com/legal/subprocessors. Practice with Joy will provide Practice Clients with at least thirty (30) days’ prior notice before engaging a new subprocessor that will process PHI, allowing Practice Clients the opportunity to raise objections.
11. YOUR RIGHTS
11.1 Rights Regarding PHI
Patient Users’ rights regarding their PHI — including the right to access, amend, request restrictions, and receive an accounting of disclosures — are governed by HIPAA and are described in the applicable Practice Client’s Notice of Privacy Practices. Requests to exercise these rights should be directed to the Practice Client (your healthcare provider).
11.2 Rights Regarding Non-PHI Personal Information
For personal information that is not PHI, you have the right to: access the personal information we hold about you; request corrections to inaccurate or incomplete data; request deletion of your personal information, subject to legal exceptions; and opt out of receiving promotional emails or other marketing communications by following the unsubscribe instructions in those communications.
To exercise these rights, please contact us at info@practicewithjoy.com.
12. CHILDREN’S PRIVACY
Our Services are not directed to children under the age of 13. We do not knowingly collect personal information directly from children under 13 without parental consent. However, because our Healthcare Platform is used by medical practices that may treat minor patients, PHI of minors may be processed through the Platform on behalf of Practice Clients. Such processing is conducted under the direction and authorization of the Practice Client, which is responsible for obtaining appropriate parental or guardian consent as required by applicable law, including COPPA. If we become aware that we have collected personal information from a child under 13 without appropriate consent, we will take steps to delete such information promptly.
14. INTERNATIONAL DATA TRANSFERS
Practice with Joy is based in the United States and our Services are primarily directed to U.S.-based medical practices and their patients. Personal information collected through our Services is stored and processed in the United States. If you access our Services from outside the United States, you understand and consent to the transfer of your information to the United States, where data protection laws may differ from those of your jurisdiction.
15. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. Any changes will be posted on this page with the updated date at the top. For material changes that affect the handling of PHI or that significantly alter our data practices, we will provide Practice Clients with at least thirty (30) days’ prior written notice. Changes to this Privacy Policy do not modify the terms of any executed MSA or BAA. We encourage you to review this Privacy Policy periodically. Your continued use of our website and Services after any changes constitutes acceptance of those changes.
16. CONTACT US
If you have any questions or concerns about this Privacy Policy, please contact us at:
Email: info@practicewithjoy.com
