top of page
theraq_logo_resized.png

TheraQ's Privacy Policy


Effective Date:  October 2025
Who we are: TheraQ Inc. is a nonprofit healthcare organization based in California. We operate this website at [https://TheraQ.org] (the “Site”). This Privacy Policy explains how we handle information collected through the Site and related online services.
 
Important: If you receive care or participate in our health services, some information we handle may be Protected Health Information (PHI). For PHI, our uses and disclosures are governed by the HIPAA Privacy Rule (45 C.F.R. Part 160 & Subparts A and E of Part 164) and California’s Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code §§ 56–56.37). Where applicable, please also review our HIPAA Notice of Privacy Practices (NPP): [link or attach TheraQ NPP]. If this Site collects PHI (e.g., via a patient portal or intake forms), the NPP controls to the extent of any conflict.

1) Scope & Applicability

This Policy covers personal information we collect online through the Site, emails, forms, donations pages, event registrations, and newsletters. It does not cover job applicant data (see our Careers Privacy Notice, if applicable), offline program files, or PHI handled under HIPAA/CMIA (see our NPP).
Nonprofit note (CCPA/CPRA): The California Consumer Privacy Act (as amended by the CPRA) generally applies to for‑profit entities. TheraQ Inc. is a nonprofit, so CCPA/CPRA may not directly apply to us unless we are controlled by, share common branding with, or act as a service provider/contractor to a covered business. Regardless, we voluntarily extend many CCPA/CPRA-style disclosures and rights below to California residents.

2) The Information We Collect
A. Information you provide directly

  • Contact details (name, email, phone, postal address)

  • Account credentials if you create an account (username, password)

  • Donation details (amount, date, designation). Payment cards are processed by our PCI‑compliant processor; we do not store full card numbers.

  • Program and event registrations, surveys, or messages you send us

  • Health-related information only if you voluntarily provide it via forms or services on the Site (e.g., screening questionnaires). Where such data constitutes PHI or “medical information” under CMIA, our HIPAA/CMIA rules and NPP apply.
     

B. Information collected automatically
When you use the Site, we and our service providers may collect:

  • Device and usage data (IP address, browser, device identifiers, pages viewed, time on page, referring/exit pages)

  • General geolocation from IP

  • Cookies, pixels, and similar technologies (see Cookies & Tracking)
     

C. Information from third parties

  • Donation, email delivery, analytics, fraud prevention, and security partners

  • Social media platforms when you interact with our pages or plugins

We do not knowingly collect personal information from children under 13.

3) How We Use Information

We use information to:

  • Provide, secure, and improve the Site and our services

  • Communicate with you (including responding to inquiries and sending service, program, and fundraising messages)

  • Process donations and send tax receipts/acknowledgments

  • Perform analytics, research, and reporting (using aggregated or de‑identified data where possible)

  • Comply with laws, regulations, and enforce our terms; prevent, detect, and investigate security incidents and fraud

We do not sell personal information and we do not use sensitive health information for marketing without your written authorization.

4) Our Legal Bases (for international visitors)

Where required (e.g., EU/UK), we rely on: consent; performance of a contract; legitimate interests (e.g., Site security, donor relations); vital interests; compliance with legal obligations; and, for health data, explicit consent or public interest in public health where applicable.

5) Sharing & Disclosures

We may disclose information to:

  • Service providers/contractors performing services for us (e.g., hosting, analytics, payment processing, email delivery, CRM, fraud prevention). They must use the data only as instructed, protect it, and not sell it.

  • Program partners and collaborators with your consent or as de‑identified/aggregated information.

  • Legal and safety: to comply with law, court orders, or to protect rights, safety, or property.

  • PHI/CMIA data: only as permitted by HIPAA/CMIA and our NPP (e.g., for treatment, payment, healthcare operations, and other permitted uses). We do not disclose medical information without authorization except as allowed by law.
     

We do not disclose personal information to third parties for their direct marketing without offering you a choice consistent with California’s “Shine the Light” law.

6) Cookies, Tracking, and “Do Not Track”

We use cookies and similar technologies to run the Site, remember preferences, measure performance, and understand usage.

  • Choices: You can control cookies via your browser and device settings and by using our cookie preferences tool (if implemented).

  • Do Not Track: California law requires us to disclose how we respond to DNT signals. At this time, our Site does not respond to DNT browser signals.

  • Global Privacy Control (GPC): If we ever engage in activities considered a “sale” or “share” of personal information under California law, we will honor user-enabled GPC signals as an opt‑out/limit request.
     

7) Your Privacy Rights

Depending on your jurisdiction and our relationship with you, you may have rights to:

  • Access/Know the categories and specific pieces of personal information we hold

  • Correct/Update inaccurate information

  • Delete information (subject to legal exceptions)

  • Opt out of marketing communications

  • Limit the use/disclosure of sensitive personal information (where applicable)

  • Data portability

  • Non‑discrimination for exercising rights
     

How to make a request: Email us at info@TheraQ.org or write to TheraQ Privacy, 20409 Yorba Linda Blvd Ste 237, Yorba Linda, CA 92886. We may need to verify your identity and, where allowed, accept authorized agent requests.
For PHI/CMIA data, see our HIPAA NPP for additional rights (e.g., request restrictions, confidential communications, accounting of disclosures, and how to file a HIPAA complaint without retaliation).

8) Security

We use administrative, technical, and physical safeguards designed to protect information (e.g., encryption in transit, access controls, MFA, vendor diligence, secure development practices). No system is 100% secure. If a security incident involves your information, we will notify you consistent with applicable laws.
California Breach Notice: If your personal information is involved in a breach, we will provide a “Notice of Data Breach” in plain language with the headings required by California Civil Code §1798.82 (e.g., “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information”).

9) Data Retention

We retain information for as long as needed for the purposes described (e.g., to operate programs, maintain donor records for tax and audit, resolve disputes, and meet legal obligations). When no longer needed, we will delete or de‑identify data consistent with our retention schedule and applicable law.

10) International Data Transfers

If you are outside the United States, your data may be processed in the U.S. and other countries with different data protection laws. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) for cross‑border transfers.

11) Third‑Party Links & Tools

The Site may include links or embedded tools from third parties (e.g., maps, videos, social media). Their privacy practices are governed by their policies. We encourage you to review them before interacting.

12) California Disclosures
 

  • CalOPPA (Cal. Bus. & Prof. Code §22575): This Policy lists the categories of personally identifiable information we collect, the categories of third parties with whom we may share it, our effective date, how we notify of changes, and how we handle Do Not Track signals.
     

  • “Shine the Light” (Cal. Civ. Code §1798.83): California residents with an established relationship may request details about disclosures of personal information to third parties for their direct marketing. To submit a request, contact info@TheraQ.org with the subject “California Privacy Rights.”
     

  • CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.): Although nonprofits are generally outside the statute’s scope, if and when CCPA/CPRA applies to TheraQ Inc. (e.g., due to relationships with covered businesses), we will provide the required notices and honor rights to know, delete, correct, opt out of sale/share, limit the use of sensitive information, and recognize GPC signals.
     

  • CMIA/HIPAA: For “medical information” and PHI, we follow CMIA/HIPAA; see our NPP for permitted uses/disclosures and your health privacy rights.
     

13) Children’s Privacy

We do not knowingly collect personal information from children under 13 online. If we learn we have collected such information, we will delete it. Parents or guardians who believe a child has provided us information may contact info@TheraQ.org.

14) Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new Effective Date and, if changes are material, provide additional notice as required.

15) Contact Us

TheraQ Inc.
20409 Yorba Linda Blvd Ste 237
Yorba Linda, CA 92886
Email: info@TheraQ.org
Phone: (714) 922‑0720

bottom of page