PRIVACY POLICY

HYPMTHR®

Effective Date: April 28, 2026

Last Updated: April 28, 2026

This Privacy Policy explains how Hypmthr ("we," "us," or "our") collects, uses, shares, and protects personal information when you visit our website at hypmthr.com (the "Site"), when you book or receive grief counseling, thanatology education, bereavement support, training, or related services (together, the "Services"), and when you otherwise interact with us.

We take your privacy seriously. Much of the information you share with us is sensitive, including information about loss, bereavement, grief, and personal health. We have built our practices to protect that information with care.

A Note on HIPAA and Similar Laws

We are not a covered entity or business associate under the federal Health Insurance Portability and Accountability Act (HIPAA). The Services we provide are non-clinical in nature and we do not bill insurance. We have nonetheless chosen to adopt information-handling practices designed to meet or approximate HIPAA-comparable safeguards where practical, including administrative, physical, and technical measures to protect sensitive information.

Depending on where you live, additional laws apply to information we collect about you, including the Washington My Health My Data Act, the California Consumer Privacy Act (as amended by the California Privacy Rights Act), the Colorado Privacy Act, the New Jersey Data Privacy Act, the UK and EU General Data Protection Regulations, and other state or international laws. See the section titled "Your Rights and Choices" below.

1. Information We Collect

We collect information in three ways: directly from you, automatically when you use the Site, and from third parties who help us deliver the Services.

Information You Provide

  • Contact and account information, such as your name, email address, phone number, mailing address, date of birth, and emergency contact.

  • Intake information, such as information about your loss, bereavement, relationships, family history, caregiving situation, and reasons for seeking support.

  • Health-related information you choose to share with us, including information about your physical and mental health, medications, substance use history, prior or current treatment providers, and diagnoses.

  • Session content, including notes we take during or after sessions, written communications you send us, intake forms, and any materials you share with us.

  • Payment information, such as credit or debit card data, billing address, and transaction records. Card data is processed by our payment processor and is not stored on our systems.

  • Content you submit, including testimonials, feedback, survey responses, and messages sent through the Site or to our email address.

Information Collected Automatically

  • Device and usage information, such as IP address, device type, operating system, browser type, referring URLs, pages viewed, and dates and times of visits.

  • Cookies and similar technologies, as described in Section 13.

Information From Third Parties

  • Scheduling, telehealth, payment, email, and practice management platforms we use to operate the Services.

  • Referrals from other professionals, family members, or caregivers, where you have authorized the referral or the referral is otherwise permitted by law.

  • Publicly available sources, where relevant.

2. Consumer Health Data

This section describes our practices with respect to "consumer health data," a category of information defined under the Washington My Health My Data Act and similar laws. Consumer health data includes personal information that identifies your past, present, or future physical or mental health status, and includes information related to bereavement, grief, mental health, medications, treatments, and health-related conditions or diagnoses.

Categories of Consumer Health Data We Collect

  • Information about bereavement, loss, grief, and the circumstances of a death or anticipated death.

  • Information about mental health, mood, behavior, sleep, trauma history, and related conditions.

  • Information about physical health conditions, medications, treatments, and treating providers.

  • Substance use history, where you disclose it to us.

  • Session notes and intake responses containing any of the above.

Sources

We collect consumer health data directly from you through intake forms, sessions, and written communications. We do not collect consumer health data from third parties except where you have authorized it, such as when you request a consultation with a prior provider or a referral.

Purposes

We use consumer health data to provide the Services, maintain records of your engagement, arrange scheduling, process payment, and comply with legal obligations. We do not use consumer health data for advertising, marketing to you, or training artificial intelligence or machine learning models.

Sharing

We share consumer health data only: (a) with service providers who need it to support the Services and who are bound by contractual confidentiality obligations; (b) with your written consent or authorization; (c) where required by law or legal process; or (d) as needed to protect you or others from imminent serious harm, consistent with our Informed Consent.

We do not "sell" consumer health data, as that term is defined under applicable law, and we do not share consumer health data for cross-context behavioral advertising.

Your Rights Over Consumer Health Data

You have the right to confirm whether we are collecting, sharing, or selling your consumer health data; to access your consumer health data; to withdraw your consent to the collection or sharing of your consumer health data; and to request deletion of your consumer health data. See Section 9 for how to exercise these rights.

3. How We Use Information

We use the information we collect to:

  • Provide, schedule, and deliver the Services.

  • Communicate with you about appointments, billing, and our Services.

  • Maintain records in accordance with professional and ethical standards.

  • Process payments and prevent fraud.

  • Operate, maintain, improve, and secure the Site.

  • Comply with legal, regulatory, and professional obligations.

  • Respond to requests, feedback, and inquiries.

  • With your consent, send newsletters or educational content.

  • Exercise and defend our legal rights.

We do not use your information for cross-context behavioral advertising, do not sell your information, and do not use your information to train artificial intelligence or machine learning models.

4. Legal Bases (EU/UK Users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on the following legal bases under the UK and EU General Data Protection Regulations:

  • Performance of a contract, where processing is needed to deliver the Services you have requested.

  • Consent, where you have given explicit consent for processing, including consent to process special category data about your health. You may withdraw consent at any time.

  • Legal obligation, where we must process information to comply with law.

  • Vital interests, in rare circumstances where processing is necessary to protect life.

  • Legitimate interests, where we have a legitimate business interest that is not overridden by your rights, such as securing our Site, preventing fraud, and improving the Services.

5. How We Share Information

We share personal information only as described below and in our Informed Consent.

Service Providers

We share information with vendors who help us operate the Services, including scheduling, video conferencing, secure messaging, payment processing, email, practice management, cloud storage, and technology support. These vendors are contractually required to handle your information consistently with this Policy and to use reasonable safeguards.

Legal Requirements and Safety

We may disclose information when we believe in good faith that disclosure is required or permitted by law, including to comply with a subpoena or court order, respond to lawful requests from public authorities, enforce our agreements, or protect the rights, property, or safety of you, us, or others. See our Informed Consent for details about mandatory reporting and duty to warn circumstances.

With Your Consent or Direction

We share information with other providers, family members, caregivers, or third parties when you direct or authorize us to do so in writing.

Business Transfers

If we are involved in a merger, acquisition, reorganization, or sale of assets, information may be transferred as part of that transaction. We will notify you consistent with applicable law if your information becomes subject to a materially different privacy policy as a result.

Aggregated or De-identified Information

We may create and share aggregated or de-identified information that cannot reasonably be used to identify you, for statistical analysis, professional education, internal quality improvement, and similar purposes. Aggregated information means data combined across multiple individuals such that no single person can be identified. We use de-identification methods designed to meet or approximate HIPAA Safe Harbor or Expert Determination standards.

Individual case studies, even anonymized ones, are not covered by this Section. Use of your individual experience in published research, conference presentations, books, articles, or similar individual-level case material requires your separate written consent through our intake research consent form.

6. No Sale of Personal Information; No Targeted Advertising

We do not "sell" personal information or consumer health data, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act, the Washington My Health My Data Act, or similar laws. We do not use third-party advertising cookies or trackers on pages where you provide intake, session, or payment information.

7. Data Retention

We retain personal information for as long as needed to provide the Services, maintain records consistent with professional and ethical obligations, comply with legal requirements, resolve disputes, and enforce our agreements. Clinical and session records may be retained for a period consistent with applicable state guidance for counseling records, typically seven years from the last date of service, or longer where law requires.

When we no longer need information, we will delete, de-identify, or securely destroy it.

8. Security and HIPAA-Adjacent Safeguards

We use reasonable administrative, physical, and technical safeguards to protect personal information, including access controls, encryption in transit, encryption at rest where practical, secure storage systems, vendor due diligence, confidentiality obligations for our staff and contractors, and routine review of our practices. Where practical, we have selected vendors whose platforms are designed to support HIPAA-comparable safeguards, even though we are not a HIPAA-covered entity.

No system is completely secure. While we work hard to protect your information, we cannot guarantee that it will never be accessed, disclosed, altered, or destroyed by a breach of our safeguards. If a breach affects your information, we will notify you consistent with applicable law.

9. Your Rights and Choices

Depending on your location, you may have rights described below. We will honor rights required by the law that applies to you, and we voluntarily extend some rights to all users where feasible.

All Users

  • Access. You may request a copy of the personal information we hold about you.

  • Correction. You may ask us to correct inaccurate information.

  • Deletion. You may ask us to delete personal information, subject to our record retention and legal obligations (see Section 7).

  • Opt out of marketing. You may unsubscribe from marketing emails at any time.

California Residents

Under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), you may have the right to: (a) know what personal information we collect, use, disclose, and sell or share; (b) access your personal information; (c) correct inaccurate personal information; (d) delete personal information; (e) opt out of the sale or sharing of your personal information (we do not sell or share); (f) limit the use and disclosure of sensitive personal information; and (g) not be discriminated against for exercising these rights.

We process certain categories of "sensitive personal information" (such as information about health). We use sensitive personal information only to perform the Services you request, comply with law, and for the purposes permitted by the CCPA.

Washington Residents

Under the Washington My Health My Data Act, you have the rights described in Section 2 above, including the right to confirm, access, withdraw consent, and delete consumer health data. You also have the right to appeal a denial of your request (see "How to Exercise Your Rights").

Colorado Residents

Under the Colorado Privacy Act, you may have the right to: access, correct, and delete personal data; obtain a portable copy of personal data; and opt out of targeted advertising, the sale of personal data, and certain profiling. We do not engage in targeted advertising, sell personal data, or engage in profiling that produces legal or similarly significant effects.

New Jersey Residents

Under the New Jersey Data Privacy Act, you may have the right to: confirm whether we process your personal information; access a copy; correct inaccuracies; delete personal information; obtain a portable copy; and opt out of targeted advertising, the sale of personal information, and certain profiling. We do not engage in targeted advertising, sell personal information, or engage in such profiling.

Other U.S. States

Residents of other states with comprehensive privacy laws (including Connecticut, Virginia, Utah, Oregon, Texas, Montana, and others, as applicable) may have similar rights. We will honor rights required by the law that applies to you.

EU, UK, and EEA Residents

Under the UK and EU General Data Protection Regulations, you may have the right to: access your personal information; request correction or erasure; restrict or object to processing; data portability; withdraw consent where processing is based on consent; and lodge a complaint with your local data protection authority. You will not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

10. How to Exercise Your Rights

To submit a request, email us at breonna@hypmthr.com or write to us at the address below. Please describe your request and the personal information you believe we hold. We will verify your identity before responding, which may require that you confirm details we already have on file.

You may designate an authorized agent to make a request on your behalf. We will require reasonable proof of the agent's authority.

We will respond within the time periods required by applicable law. If we decline a request in whole or in part, we will explain why and, where required by law, tell you how to appeal. To appeal a decision, reply to our response email with the subject line "Privacy Request Appeal"; we will review and respond consistent with applicable law.

We will not discriminate against you for exercising your privacy rights.

11. International Data Transfers

We are based in the United States. If you access the Site or receive Services from outside the United States, your information will be transferred to, stored, and processed in the United States. U.S. data protection laws may differ from those of your home country. Where required by applicable law, we use appropriate safeguards for international data transfers, such as Standard Contractual Clauses.

12. Children's Privacy

The Site and the Services are intended for adults age 18 and older. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us and we will take appropriate steps to delete it.

13. Cookies and Similar Technologies

The Site uses cookies and similar technologies for basic site functionality, performance, and analytics. We do not use third-party advertising cookies on pages where you provide intake, session, or payment information. You can control cookies through your browser settings. Disabling cookies may limit certain features of the Site.

If we introduce any additional analytics or other cookies in the future, we will update this Policy and, where required, seek your consent before those cookies are set.

14. Third-Party Links

The Site may link to third-party websites, services, or platforms. We are not responsible for their privacy practices. Please review the privacy policies of any third-party sites you visit.

15. Changes to This Policy

We may update this Policy from time to time. When we do, we will update the "Last Updated" date above. Material changes will be communicated by email or by a notice on the Site. Your continued use of the Site or the Services after changes take effect constitutes acceptance of the revised Policy. Where required by law, we will obtain your consent before applying material changes retroactively to previously collected consumer health data.

16. Accessibility

We want this Policy to be accessible to everyone. If you need this Policy in an alternative format, please contact us using the contact information below.

17. Contact Us

If you have questions, concerns, or requests about this Policy or our privacy practices, please contact:

Hypmthr

Attn: Privacy

Email: breonna@hypmthr.com

If you are an EU, UK, or EEA resident and are not satisfied with our response, you may lodge a complaint with your local data protection authority. Residents of other jurisdictions may have similar rights to contact their state attorney general or data protection regulator.