NowPsych Privacy Policy

Last modified: May 8, 2026

1. About this Policy and Who We Are

This Privacy Policy explains how NowPsych, PLLC and Sean Paul, M.D., P.C., doing business as NowPsych (“NowPsych,” “we,” “us,” “our“), collects, uses, discloses, and protects personal information when you visit nowpsych.com and any subdomains we operate (collectively, the “Website“), and when you communicate with us by email, text, or other electronic means in connection with the Website.

This Policy applies to information collected through the Website. It does not apply to information you provide to us in the course of clinical care. Information you share with your provider during evaluation or treatment, or through clinical platforms we use such as DrChrono, AdvancedMD, Doxy.me, or Zoom for Healthcare, is governed by our separate Notice of Privacy Practices under the Health Insurance Portability and Accountability Act (“HIPAA“), which your provider will furnish to you and which is also available on request at the contact information in Section 17.

If you do not agree with this Policy, please do not use the Website.

2. Quick Summary

The following summary is provided for convenience; it does not replace the full text below.

We collect information you give us through forms (including appointment, contact, and intake requests), basic technical information about your device and visit, and limited analytics data. We use this information to operate the Website, respond to you, schedule care, comply with law, and improve the site. We do not sell personal information for money. We do not knowingly use advertising “pixels” that share information about visits to clinical service pages with third-party advertising networks. We honor the Global Privacy Control browser signal as an opt-out of any “sale” or “sharing” of personal information as those terms are defined under U.S. state privacy laws. Mental health information is sensitive, and we treat it accordingly.

3. Scope and Applicable Laws

We design our Website privacy practices to comply with the laws that apply to us, including:

• HIPAA, including the U.S. Department of Health and Human Services Office for Civil Rights guidance on use of online tracking technologies by HIPAA-regulated entities;
• The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA“);
• The Colorado Privacy Act (“CPA“) and its implementing regulations;
• The Washington My Health My Data Act (“MHMDA“) and comparable consumer health-data laws (including Nevada SB 370 and Connecticut’s expanded CTDPA health-data provisions);
• Other U.S. state comprehensive privacy laws as applicable, including those of Virginia, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, and Florida;
• The EU General Data Protection Regulation (“GDPR“) and the UK GDPR, where they apply to our processing of information about residents of the European Economic Area, the United Kingdom, or Switzerland;
• The Children’s Online Privacy Protection Act (“COPPA“); and
• Other federal and state laws applicable to our practice.

4. Children

The Website is intended for adults. We do not knowingly collect personal information through the Website from children under 13, and we do not direct the Website to children. If you are under 18 and seeking care, a parent or legal guardian must contact us, complete intake on your behalf, and consent to treatment as required by applicable law. If we learn that we have inadvertently collected personal information through the Website from a child in violation of COPPA, we will delete it. To report a concern, contact us at the address in Section 17.

5. Information We Collect

5.1 Information you provide to us

We collect information you submit through Website forms, email, text, or phone, including:

• Identifiers such as your name, email address, telephone number, mailing address, and date of birth;
• Information about the reason you are contacting us, which may include references to symptoms, diagnoses, medications, or other health-related details you choose to share;
• Insurance and billing information you provide to inquire about coverage;
• For prospective minors, information about a parent or legal guardian; and
• Any other information you choose to provide in free-text fields, attachments, or correspondence.

Please do not include detailed clinical information, medical record numbers, or sensitive identifiers (such as Social Security numbers) in Website forms or unencrypted email. Use only the minimum information needed to schedule or ask a question. After you become a patient, your provider will direct you to secure clinical channels.

5.2 Information collected automatically

When you visit the Website, we and our service providers automatically collect certain technical information, including:

• IP address and approximate location derived from it;
• Device, browser, and operating system information;
• Pages viewed, links clicked, time on page, and referring URL;
• Cookie and similar identifiers, where set; and
• General interaction data such as scroll depth and form interactions (not including the content you type into form fields, except where you submit it).

5.3 Sensitive information

Some information you provide or that is inferable from your visit (for example, viewing a page about a specific condition or treatment) may constitute “sensitive personal information,” “sensitive data,” or “consumer health data” under applicable law. We treat such information with heightened care as described in Section 8.

6. How We Use Information

We use the information described above to:

• Respond to inquiries, schedule appointments, and communicate with you;
• Operate, secure, maintain, and improve the Website;
• Detect, prevent, and respond to fraud, abuse, security incidents, and unlawful activity;
• Comply with legal obligations, respond to lawful requests from public authorities, and establish, exercise, or defend legal claims;
• Send you administrative messages and, with your consent where required, occasional informational emails about services you have asked about (you may unsubscribe at any time using the link in any such email or by emailing us); and
• Conduct limited analytics to understand aggregate Website usage.

We do not use Website information to make decisions that produce legal or similarly significant effects about you through automated processing alone, and we do not engage in profiling for such decisions.

7. Cookies, Analytics, and Tracking Technologies

7.1 What we use

The Website uses a limited set of cookies and similar technologies. We classify them as follows:

• Strictly necessary: required for the Website to function (for example, security, load balancing, and remembering form input within a session). These cannot be disabled.
• Analytics: used to understand aggregated, de-identified usage of the Website. Where we use Google Analytics or a comparable tool, we configure it to mask IP addresses, disable advertising features, and limit data retention. We do not knowingly enable Google Signals or cross-device advertising features on this Website.
• Functional: used to remember preferences such as language or display choices.
• Advertising: not used on pages of the Website that describe specific clinical services, conditions, or treatments. To the extent any advertising or remarketing tag is used elsewhere on the Website, it is loaded only after you grant consent through our cookie banner where required by law.

We do not deploy the Meta (Facebook) Pixel, TikTok Pixel, or comparable third-party advertising trackers on pages of the Website where the URL or content reveals an individual’s likely health condition, treatment, or care relationship.

7.2 Your choices

When you arrive on the Website from a jurisdiction that requires consent for non-essential cookies, you will see a cookie banner allowing you to accept, reject, or manage categories. You can change your choices at any time using the “Cookie Preferences” link in the Website footer.

You can also control cookies through your browser settings, and you can opt out of certain interest-based advertising through the Digital Advertising Alliance (aboutads.info), the Network Advertising Initiative (networkadvertising.org), and, in the EU, the European Interactive Digital Advertising Alliance (youronlinechoices.eu).

7.3 Global Privacy Control and Do Not Track

We honor the Global Privacy Control (“GPC”) browser signal as a valid opt-out of any “sale” or “sharing” of personal information, and as an opt-out of targeted advertising and processing of sensitive data for advertising, in jurisdictions that recognize it (including California, Colorado, and Connecticut).

There is no consensus standard for “Do Not Track” (DNT) signals, and most browsers no longer offer them; we do not separately respond to DNT signals, but the GPC signal accomplishes the same effect for purposes of applicable U.S. state laws.

8. HIPAA and Tracking Technologies

We are a HIPAA-covered entity. The Website is a marketing and informational site, not a patient portal. We are aware of the HHS Office for Civil Rights guidance regarding the use of online tracking technologies by HIPAA-regulated entities, including the position that combinations of an IP address with the URL of a page that addresses specific health conditions can constitute Protected Health Information (“PHI“) when transmitted to third parties.

Consistent with that guidance:

• We do not place third-party tracking technologies that disclose information to advertising networks on Website pages whose URL or content addresses specific clinical services, conditions, or treatments;
• We use a HIPAA-eligible analytics configuration, or a service provider with whom we have a Business Associate Agreement, where any tracking is used in connection with content that could be considered PHI; and
• We require service providers that may receive Website data to use that data only for the purposes for which we engage them.

If you become a patient, your treatment information is governed by our HIPAA Notice of Privacy Practices, which controls in any conflict between that Notice and this Policy with respect to PHI.

9. How We Disclose Information

We do not sell personal information for monetary consideration. We disclose personal information only as follows:

• Service providers who help us operate the Website and our practice (for example, web hosting, email, scheduling, analytics, and payment processing), under written contracts that limit their use of the information to the services they provide to us;
• Clinical platforms to which you are directed for care, such as DrChrono, Doxy.me, and Zoom for Healthcare, each of which has its own privacy policy and, where applicable, a Business Associate Agreement with us;
• Professional advisors, such as our attorneys, accountants, and insurers;
• Government and law-enforcement authorities where required by law, subpoena, court order, or other legal process, or to protect rights, safety, and property;
• In connection with a corporate transaction, such as a merger, acquisition, financing, or sale of all or part of our practice, with appropriate confidentiality protections; and
• With your consent or at your direction.

We do not disclose consumer health data to third parties for their independent marketing purposes. We require explicit, separate authorization (consistent with MHMDA and similar laws) before any such disclosure.

10. Your Rights

Depending on where you live, you may have some or all of the following rights with respect to personal information we hold about you:

• Access / Know: request a copy of the personal information we have about you, and information about how we process it;
• Correct: request correction of inaccurate information;
• Delete: request deletion of your information, subject to legal exceptions (including HIPAA recordkeeping requirements);
• Portability: receive your information in a portable format;
• Opt out of sale of personal information, sharing for cross-context behavioral advertising, targeted advertising, and certain profiling;
• Limit the use of sensitive personal information;
• Withdraw consent for processing based on consent, including consent to non-essential cookies;
• Appeal a decision we make about a privacy request; and
• Lodge a complaint with a supervisory authority — in the U.S., your state Attorney General; in the EU/EEA or UK, your national data protection authority; in California, the California Privacy Protection Agency.

To exercise these rights, contact us at the address in Section 17 or use the “Privacy Request” link in the Website footer. We will verify your identity to the extent required by law before responding. We do not discriminate against you for exercising your privacy rights.

Authorized agents. California, Colorado, and certain other state residents may submit a request through an authorized agent with appropriate written authorization.

11. Specific Disclosures for U.S. State Laws

11.1 California (CCPA/CPRA)

In the preceding 12 months, we have collected the categories of personal information described in Section 5 (identifiers, customer-records information, internet/network activity, geolocation derived from IP address, audio/electronic information from voicemails or recorded calls if applicable, professional or employment-related information for applicants, and inferences). The sources, purposes, and disclosures correspond to Sections 5, 6, and 9.

We have not “sold” personal information for monetary consideration in the preceding 12 months. We have not knowingly “shared” personal information for cross-context behavioral advertising in the preceding 12 months on pages described in Section 8. To the extent any limited “sharing” has occurred elsewhere on the Website through analytics or marketing tools, you may opt out using the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links in the Website footer, or by sending a GPC signal.

We do not knowingly sell or share personal information of consumers under 16.

11.2 Colorado (CPA)

We process personal data of Colorado residents as a “controller.” You have the rights listed in Section 10. We honor the GPC signal as a universal opt-out mechanism. We do not process sensitive data — including data revealing mental or physical health condition, racial or ethnic origin, religious beliefs, sex life or sexual orientation, citizenship status, or genetic or biometric data — without your consent.

11.3 Washington (My Health My Data Act) and Comparable Health-Data Laws

We treat information that identifies your past, present, or future physical or mental health status as consumer health data. Without your separate, valid authorization, we do not collect consumer health data beyond what is necessary to provide services you have requested, sell consumer health data, or use a “geofence” around any health facility. You may exercise your MHMDA rights by contacting us at the address in Section 17.

11.4 Other U.S. states

Residents of other U.S. states with comprehensive privacy laws have the rights listed in Section 10 to the extent those laws apply, on terms consistent with those laws.

12. EU/UK/Swiss Residents (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, this section applies in addition to the rest of this Policy.

Controller. NowPsych, PLLC is the controller of your personal data collected through the Website.

Legal bases. We process personal data on the following legal bases: your consent (for non-essential cookies and certain communications); the necessity of processing to take steps at your request prior to entering into a contract or to perform a contract; compliance with our legal obligations; and our legitimate interests in operating, securing, and improving the Website, where those interests are not overridden by your rights. Health-related information you submit is processed on the basis of your explicit consent, or as necessary for the provision of health care under Article 9(2)(h) GDPR with appropriate safeguards.

International transfers. We are based in the United States. Where we transfer personal data outside the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism. You may request a copy of the relevant safeguards by contacting us.

Retention. We retain personal data for as long as necessary for the purposes described in this Policy and to meet our legal, accounting, and reporting obligations. Clinical records are retained as required by applicable law and our HIPAA Notice of Privacy Practices.

Your rights. You have the rights listed in Section 10 plus the right to object to processing based on legitimate interests and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. You also have the right to lodge a complaint with your local supervisory authority.

13. Data Retention

We retain Website information only as long as necessary for the purposes for which it was collected, to comply with our legal obligations (including HIPAA), to resolve disputes, and to enforce our agreements. Inquiries that do not result in a clinical relationship are typically retained for a limited period and then deleted or de-identified. Clinical records are retained for the period required by federal and state law, which may exceed the periods that apply to general Website information.

14. Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, alteration, or disclosure, including encryption in transit, access controls, logging, and workforce training. No system is perfectly secure; transmissions over the Internet are at your own risk. If we become aware of a security incident affecting your information, we will notify you and applicable authorities to the extent required by law.

15. Third-Party Links and Embeds

The Website contains links to and embeds from third-party services (such as Google Maps, Psychology Today, and the PRATI directory). Those services have their own privacy practices, which we do not control. Please review their policies before interacting with them.

16. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will post the updated Policy on this page, update the “Last updated” date at the top, and, where required by law, provide additional notice (such as a banner on the Website or, for current patients, a direct notice). Your continued use of the Website after the effective date of an update constitutes acceptance of the updated Policy to the extent permitted by law.

17. Contact Us

For questions about this Policy or to exercise your privacy rights:

NowPsych, PLLC — Attn: Privacy Officer 15 Paradise Plaza #172, Sarasota, FL 34239  General contact: contact@nowpsych.com Phone: 941-405-3020

If you have a concern about our handling of PHI specifically, please refer to our HIPAA Notice of Privacy Practices for the complaint process, which includes the right to file a complaint with the HHS Office for Civil Rights at hhs.gov/ocr.