Privacy Policy

1. Who we are.

ABA Health LLC DBA CareThread360 ("CareThread360," "we," "us," or "our") is a medical records retrieval platform headquartered in Los Angeles, California. This Privacy Policy describes how we collect, use, disclose, and protect information when you access our website at carethread360.com (the "Site") or use our retrieval platform (the "Services").

2. Information we collect.

Information you provide directly. When you complete the Tailored Analysis form, request a walkthrough, or correspond with us, we collect your name, work email address, phone number, job title, organization name, and any operational figures or notes you submit voluntarily.

Information collected automatically. We collect standard server log data including IP addresses, browser type, referring URLs, and pages visited. We use this data solely for security monitoring and aggregate analytics. We do not sell or license this data.

Protected Health Information (PHI). CareThread360 processes PHI on behalf of its customers under the terms of a signed Business Associate Agreement (BAA). PHI processed through the Services is governed by HIPAA / HITECH requirements and by the contractual terms between CareThread360 and each covered entity or business associate customer. CareThread360 does not access medical records without valid patient authorization and does not use PHI for any purpose other than providing the Services. All record requests are processed in compliance with HIPAA authorization requirements and provider release procedures.

3. How we use your information.

• To respond to inquiries and schedule walkthroughs requested by you.
• To deliver, maintain, and improve the Services.
• To fulfill legal and compliance obligations, including HIPAA requirements.
• To communicate service updates and relevant operational notices.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. How we share your information.

Service providers. We engage a limited set of vetted subprocessors (listed at carethread360.com/subprocessors) to operate the Services. All subprocessors are bound by data processing agreements consistent with applicable law.

Legal requirements. We may disclose information where required by law, court order, or governmental authority, or where we believe disclosure is necessary to protect our rights or the safety of others.

Business transfers. In the event of a merger, acquisition, or sale of substantially all assets, user information may be transferred as part of that transaction, subject to the protections described in this Policy.

5. Mobile Messaging & SMS.

When you opt in to receive text messages from CareThread360, we collect your mobile phone number to send one-time login verification codes. We use this number solely to verify your identity and secure your account.

We do not sell, rent, or share mobile phone numbers or SMS opt-in/consent data with third parties or affiliates for their marketing or promotional purposes. SMS consent is not shared with any third party except as needed to deliver the messages you requested (e.g., our messaging service provider).

You can opt out of text messages at any time by replying STOP. For help, reply HELP or contact hello@carethread360.com. Message frequency varies and message and data rates may apply. See our SMS Terms for full details.

6. Data retention.

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, and to resolve disputes. PHI is retained and disposed of in accordance with the applicable BAA and HIPAA requirements.

7. Security.

CareThread360 implements administrative, technical, and physical safeguards appropriate to the sensitivity of the information we process, including AES-256 encryption at rest, TLS 1.3 in transit, immutable audit logging, and access controls. No system is perfectly secure; we encourage customers to use strong credentials and to report suspected security issues to security@carethread360.com.

8. Your rights.

Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict the processing of your personal information. To exercise these rights, contact us at privacy@carethread360.com. We will respond within 30 days. Note that certain information may be subject to legal hold or regulatory retention requirements that limit our ability to delete it.

9. Changes to this policy.

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. Continued use of the Services after a change constitutes acceptance of the revised Policy.

10. Contact.

Questions about this Policy or our privacy practices may be directed to privacy@carethread360.com or by mail to ABA Health LLC DBA CareThread360, Attention: Privacy, 486 Arnaz Dr, Los Angeles, CA 90048.