Privacy Policy

Privacy Policy for Stone & Stream

Last Updated: August 26, 2025

Introduction This Privacy Policy outlines the procedures of Stone & Stream regarding the collection, use, and disclosure of Your information when You use Our Service (the Website). It encompasses both general Personal Data and, where applicable, Protected Health Information (PHI). We aim to inform You about Your privacy rights and how the law protects You, particularly under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and relevant state privacy laws like the Medical Records Privacy Act.

Our Pledge Regarding Your Information Stone & Stream (referred to as "the Company," "We," "Us," or "Our") is committed to safeguarding Your privacy. We recognize that health information concerning You and Your care is highly personal. If our service involves providing mental health care, We maintain records of the care and services You receive to ensure quality care and fulfill legal obligations. This policy applies to all records of Your care generated by or through Stone & Stream. We are legally obligated to protect Your Protected Health Information (PHI), provide You with this notice detailing Our privacy practices, and adhere to the terms currently in effect. We reserve the right to modify this Notice, and such changes will be applicable to all information We hold about You.

Definitions For the purposes of this Privacy Policy:

• Account: A unique account established for You to access Our Service or specific parts of it.

• Affiliate: An entity that is controlled by, controls, or is under common control with the Company, where "control" means ownership of 50% or more of the shares, equity interest, or other voting securities.

• Company (Stone & Stream): Refers to Stone & Stream.

• Cookies: Small files placed on Your device (computer, mobile, etc.) by a website, used to store Your browsing history and other information.

• Country: Refers to Texas, United States.

• Device: Any electronic device capable of accessing the Service, such as a computer, cellphone, or digital tablet.

• Personal Data: Any information that pertains to an identified or identifiable individual. This broad term can include PHI.

• Protected Health Information (PHI): Individually identifiable health information created or received by a healthcare provider, health plan, or other covered entity, related to an individual's past, present, or future physical or mental health, provision of healthcare, or payment for healthcare, and that can identify the individual.

• Service: Refers to the Website.

• Service Provider: Any third-party individual or legal entity engaged by the Company to process data, facilitate the Service, provide services on Our behalf, or assist in analyzing Service usage.

• Usage Data: Data automatically collected, resulting from the use of the Service or its infrastructure (e.g., page visit duration).

• Website: Refers to Stone & Stream, accessible at http://stone-stream.org.

• You: The individual accessing or using the Service, or the legal entity on whose behalf such individual is accessing or using the Service.

Collection of Your Information We collect various types of information to deliver and enhance Our Service. This may include general Personal Data and, if You are a client engaging in mental health services, Protected Health Information (PHI).

• Information You Provide to Us: This includes data You submit when creating an Account, communicating with Us, or directly utilizing Our services.

• Usage Data: Automatically collected data generated during Your use of the Service. This may include Your Device’s IP address, browser type and version, pages visited, time of visit, time spent on pages, unique device identifiers, and other diagnostic data.

• Tracking Technologies and Cookies: We employ Cookies and similar tracking technologies to monitor activity on Our Service and store information. These include:

    ◦ Cookies Policy / Notice Acceptance Cookies: Persistent Cookies used to determine if users have accepted cookie usage on the Website.

    ◦ Functionality Cookies: Persistent Cookies that remember Your preferences (e.g., login details, language) to personalize Your experience.

Use and Disclosure of Your Information Your information may be used and disclosed for various purposes, contingent upon the type of information and Your interaction with Stone & Stream.

A. Uses and Disclosures of General Personal Data: The Company may use Personal Data for the following purposes:

• To provide and maintain Our Service: Including monitoring Service usage.

• To manage Your Account: To facilitate Your registration as a user and grant access to registered user functionalities.

• For other purposes: Such as data analysis, identifying usage trends, measuring the effectiveness of promotional campaigns, and improving Our Service, products, marketing, and Your overall experience.

We may share Your Personal Data in these scenarios:

• With Service Providers: For monitoring and analyzing Service usage, or for contacting You.

• For business transfers: In the context of mergers, acquisitions, asset sales, or financing negotiations involving Our business.

• With Affiliates: Your information may be shared with Our affiliates, who will be bound by this Privacy Policy.

• With business partners: To offer You specific products, services, or promotions.

• With other users: Information shared in public areas may be visible to all users and publicly distributed.

• With Your consent: We may disclose Your personal information for any other purpose with Your explicit consent.

B. Uses and Disclosures of Protected Health Information (PHI) (Applicable if Stone & Stream provides mental health care services): If Stone & Stream functions as a mental health care practice, the following uses and disclosures of PHI will adhere strictly to HIPAA regulations:

• For Treatment, Payment, or Health Care Operations: We may use or disclose Your PHI without Your written authorization to perform Our own treatment, payment, or health care operations, or for the treatment activities of other healthcare providers. For instance, if a clinician consults with another licensed healthcare provider about Your condition, Your PHI may be shared to aid in diagnosis and treatment.

• Psychotherapy Notes: If We maintain "psychotherapy notes", any use or disclosure requires Your specific Authorization unless it falls under these exceptions:

    ◦ For Our use in treating You.

    ◦ For Our use in training or supervising mental health practitioners.

    ◦ For Our use in legal defense against proceedings initiated by You.

    ◦ For investigation of Our HIPAA compliance by the Secretary of Health and Human Services.

    ◦ Required by law and limited to the scope of that law.

    ◦ Required by law for specific health oversight activities related to the notes' originator.

    ◦ Required by a coroner for authorized duties.

    ◦ Required to prevent a serious threat to the health or safety of others.

• Marketing and Sale of PHI: As a mental health care provider, We will not use or disclose Your PHI for marketing purposes nor sell Your PHI in the regular course of Our business, unless You provide explicit written authorization.

• When Disclosure is Required by Law: We may use and disclose Your PHI without Your Authorization when mandated by state or federal law, provided such use or disclosure is limited to the relevant legal requirements. This includes compliance with state laws such as those governing Licensed Professional Counselors in Texas (e.g., Texas Family Code Chapter 261 concerning child abuse/neglect, Texas Human Resources Code Chapter 48 concerning elder/disabled abuse, Texas Health and Safety Code Chapter 161 concerning healthcare facility conduct, and Texas Civil Practice and Remedies Code §81.006 concerning sexual exploitation by a mental health provider).

• Workers' Compensation: Your PHI may be provided to comply with workers' compensation laws, though Your Authorization is preferred.

• Lawsuits and Disputes: In the event of a lawsuit, We may disclose health information in response to a court or administrative order. Disclosure in response to subpoenas or discovery requests is made only after efforts to notify You or obtain a protective order have been made.

• Appointment Reminders and Health-Related Benefits/Services: We may use and disclose Your PHI to send appointment reminders or to inform You about treatment alternatives, or other health care services or benefits We offer.

Your Privacy Rights

A. Rights Regarding Your Personal Data (General Website Information):

• Right to Delete Your Personal Data: You have the right to request deletion or assistance in deleting the Personal Data We have collected about You.

B. Rights Regarding Your Protected Health Information (PHI) (Applicable if Stone & Stream provides mental health care services):

• Right to Request Restrictions: You have the right to request limitations on how We use and disclose Your PHI for treatment, payment, healthcare operations, or to individuals involved in Your care.

• Right to Request Restrictions for Out-of-Pocket Payments: You have the right to request that We restrict disclosures to Your health plan if You pay for a service or healthcare item in full and directly out-of-pocket.

• Right to Choose Communication Method: You have the right to request that We communicate with You about health matters through a specific method or at a particular location.

• Right to Access and Copy Your PHI: You have the right to inspect and receive an electronic or paper copy of Your medical record and other PHI We maintain, excluding psychotherapy notes. We will provide this within 30 days of Your written request and may charge a reasonable, cost-based fee.

• Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures We have made of Your PHI, excluding those for treatment, payment, healthcare operations, or where You provided authorization. We will respond within 60 days, covering disclosures made in the last six years (or a shorter period if requested) at no charge for the first request annually. Subsequent requests within the same year may incur a reasonable, cost-based fee.

• Right to Amend or Correct PHI: If You believe there is an error or omission in Your PHI, You have the right to request correction or addition of information. We may deny the request but will provide a written explanation within 60 days.

• Right to a Paper or Electronic Copy of this Notice: You are entitled to receive a paper copy of this Privacy Policy, even if You have previously agreed to receive it electronically.

Security of Your Information The security of Your Personal Data and PHI is of utmost importance to Us. While We employ commercially reasonable measures to protect Your information, no method of transmission over the Internet or electronic storage can be guaranteed 100% secure. If Stone & Stream offers telehealth services, We are committed to utilizing HIPAA compliant telehealth software and ensuring that Business Associate Agreements (BAAs) are in place with all third-party service providers who handle PHI. The absence of a signed BAA with a software vendor, even if the software advertises strong security, puts the practice at risk of non-compliance and legal liability.

Transfer of Your Personal Data Your information, including Personal Data, is processed at the Company's operational offices and other locations where involved parties are situated. This means data may be transferred to and stored on computers outside Your state, province, country, or jurisdiction, where data protection laws may differ. Your acceptance of this Privacy Policy and submission of information signifies Your agreement to such transfers. We will implement all reasonably necessary steps to ensure Your data is securely handled in accordance with this Privacy Policy, with robust controls for data security.

Disclosure of Your Personal Data (General & PHI)

• Business Transactions: In the event of a merger, acquisition, or asset sale, Your Personal Data may be transferred. We will provide prior notice before such transfer, after which Your data may become subject to a different Privacy Policy.

• Law Enforcement: We may be compelled to disclose Your Personal Data if required by law or in response to valid requests from public authorities (e.g., a court or government agency).

• Other Legal Requirements: We may disclose Your Personal Data in good faith if We believe it is necessary to comply with a legal obligation, protect Our rights or property, investigate potential wrongdoing related to the Service, ensure the personal safety of Users or the public, or defend against legal liability.

Links to Other Websites Our Service may include links to external websites that are not operated by Us. Clicking on a third-party link will redirect You to that site. We strongly advise You to review the Privacy Policy of every website You visit, as We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Changes to this Privacy Policy We may update this Privacy Policy periodically. We will notify You of any changes by posting the revised Privacy Policy on this page and will inform You via email and/or a prominent notice on Our Service before the changes take effect, updating the "Last updated" date at the top. We encourage You to review this Privacy Policy regularly for any modifications.

Contact Us For any questions about this Privacy Policy, You can reach Us:

• By email: admin@stone-stream.org

• By phone number: 512-867-6291

Acknowledgement of Receipt of Privacy Notice As per the Health Insurance Portability and Accountability Act of 1996 (HIPAA), You possess specific rights concerning the use and disclosure of Your Protected Health Information.