Privacy Policy

Last Updated: November 10, 2025

Introduction

Uplift Path, Inc. ("Uplift Path," "we," "us," or "our") is committed to protecting the privacy and security of visitors to our website. This Website Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website at upliftpathwellness.com (the "Website").

IMPORTANT: This Website Privacy Policy covers general website browsing and general inquiries. When you submit service request or intake forms containing health information, that information becomes Protected Health Information (PHI) governed by our separate Notice of Privacy Practices under the Health Insurance Portability and Accountability Act (HIPAA). See the Notice of Privacy Practices section below for important information about this distinction.

Please read this policy carefully. By accessing or using our Website, you acknowledge that you have read, understood, and agree to be bound by the terms of this Website Privacy Policy.

information we collect

Information You Provide Voluntarily — General Inquiries

We may collect personal information that you voluntarily provide when you: submit general contact forms or inquiries through the Website; request general information about our services; subscribe to newsletters or email updates; apply for employment or contractor opportunities; or communicate with us via email or phone through contact information on the Website. This information may include, but is not limited to: name, email address, phone number, message content, employment information (if applying), and any other information you choose to provide.

Information You Provide Through Service Request Forms (Protected Health Information)

If you complete an intake, referral, or service request form through our Website to become a client, you will provide Protected Health Information (PHI) as defined by HIPAA. This information is collected through secure, HIPAA-compliant forms (for example, JotForm under a Business Associate Agreement). PHI collected may include, but is not limited to: full name, date of birth, contact information, Medicaid identification number, health conditions, symptoms and diagnoses, medication information, treatment history and current providers, insurance information, emergency contact information, mental health concerns and treatment goals, and any other health-related information requested on intake forms.

IMPORTANT: Once you submit a service request form containing health information, that information is immediately governed by our Notice of Privacy Practices under HIPAA, not this Website Privacy Policy. See the Notice of Privacy Practices section below for complete information about how we protect your Protected Health Information.

Information Collected Automatically

When you visit our Website, we may automatically collect certain information about your device and browsing activity, including, but is not limited to: IP address, browser type and version, operating system, pages visited and time spent on pages, referring website addresses, date and time of access, and device identifiers. This information is collected through cookies, web beacons, and similar tracking technologies as described below. This automatically collected information is not PHI.

How We Use Your Information

General Website Information (Non-PHI)

We use non-health information collected through our Website to: respond to inquiries and provide requested information; communicate about employment/contractor opportunities; process newsletter subscriptions; understand how visitors use our Website and improve functionality, content and user experience; diagnose technical problems and maintain Website security; send communications you requested (e.g., newsletters); and comply with legal obligations and enforce our terms of use.

Protected Health Information (PHI) — Governed by HIPAA

Information collected through service request and intake forms is used for treatment, payment, and healthcare operations as described in our Notice of Privacy Practices. This use is governed by HIPAA regulations and state law, not this Website Privacy Policy. See the Notice of Privacy Practices section and our separate Notice of Privacy Practices document for complete information about how we use and protect your health information.

Data Minimization

We collect and retain only the personal information and PHI that is reasonably necessary to fulfill the purposes described above. Access is limited to personnel and vendors who require it to perform their duties.

Cookies and Tracking technologies

What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They help websites function properly and provide information to website owners.

Types of Cookies We Use

• Essential Cookies: Necessary for the Website to function and cannot be disabled by our systems. They are set in response to actions you take, such as navigating pages or filling out forms.
• Analytics Cookies: Help us understand how visitors interact with our Website by collecting and reporting information anonymously. We may use third-party analytics services with IP anonymization enabled where available.
• Functionality Cookies: Enable enhanced functionality and personalization, such as remembering your preferences.
• Advertising Cookies: Where used, these may enable third-party advertising platforms to deliver relevant advertisements (we do not use PHI for advertising or targeting).

Cookie Consent and Managing Cookies

We display a cookie banner on first visit that describes cookie categories (Essential, Analytics, Functionality, Advertising) and allows you to accept or decline non-essential cookies. You may change cookie preferences at any time through the cookie banner or by adjusting your browser settings. You can also block or delete cookies using your browser settings; however, disabling cookies may affect Website functionality and user experience.

To learn more about cookies and how to manage them, visit: aboutcookies.org and allaboutcookies.org.

Analytics & Tracking Privacy

We may use third-party analytics services (such as Google Analytics, Microsoft Clarity, or similar tools) with IP anonymization enabled where available to collect non-personally identifying site usage data. Each analytics provider's use and sharing of information is governed by their respective terms of service and privacy policies.

Opt-Out Options:

• Google Analytics: Install the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout)
• Other analytics tools: Manage preferences through the cookie banner or adjust your browser settings as described above

No PHI to Analytics or Advertising Vendors: We do not provide Protected Health Information (PHI) to analytics providers, advertising platforms, or other marketing vendors. Any analytics or advertising data we share with third parties is limited to non-PHI usage data and is anonymized or pseudonymized where feasible. Form submissions or other flows that include PHI are not routed to analytics or ad platforms.

Note on Advertising: We may use third-party advertising platforms (such as Google Ads, Meta Ads, LinkedIn Ads, or similar services) to promote our services. We do not include PHI in ad targeting, audience creation, or advertising creatives, and we strictly follow rules prohibiting the use of PHI in advertising and marketing activities.

how we share your information

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

Service Providers & Business Associate Agreements (BAAs)

We may share information with trusted third-party service providers who assist us in operating our Website or providing services. Examples include website hosting providers, email service providers, analytics providers (such as Google Analytics), and form management providers (such as JotForm). These service providers are contractually obligated to maintain confidentiality and security and may use the data only for the purposes we authorize.

Business Associate Agreements for PHI Vendors: Any vendor that will handle PHI must execute a Business Associate Agreement (BAA) prior to receiving PHI. The Chief Risk Officer (CRO) maintains the BAA Register, validates BAAs prior to PHI exchange, and conducts quarterly vendor risk reviews and audits of vendor access as required.

Legal Requirements

We may disclose your information when required by law or in response to valid legal processes, such as court orders, subpoenas, government or law enforcement requests, or to comply with applicable laws and regulations.

Protection of Rights & Safety

We may disclose information to protect the rights, property, or safety of Uplift Path, our personnel, or others; to enforce our Website terms of use or other agreements; prevent fraud or illegal activity; or respond to emergencies involving danger to persons.

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on our Website of any such change in ownership or control of your personal information.

data security & incidents

We implement reasonable administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, alteration, or disclosure. These measures include SSL/TLS encryption for transmissions, HIPAA-compliant secure forms for health information (e.g., JotForm with an executed BAA), restricted access controls, logging and monitoring, periodic security assessments, and personnel training on information security and HIPAA compliance.

Incident Response & Breach Notification

We maintain an Incident Response Plan (SOP) and testing program. If we become aware of an unauthorized access, use, or disclosure of PHI, we will promptly investigate, follow our Incident Response Plan, contain and remediate the incident, and notify affected individuals without unreasonable delay in accordance with applicable law. We will also provide required notifications to regulatory authorities (including federal or state agencies) as required by law. For workforce access issues, we initiate timely access revocation and document the action.

PHI Breach Notifications: If there is an unauthorized access, use, or disclosure of unsecured PHI, we will notify affected individuals without unreasonable delay and no later than 60 calendar days, and will provide required notifications to regulatory authorities in accordance with applicable law.

Business Continuity & Recovery Testing

We maintain and test business continuity and disaster recovery procedures. We perform quarterly BC/DR tests (tabletop or focused tests) and an annual full-scale exercise. Results of full-scale exercises are reviewed by leadership within 30 days and corrective actions are documented.

Personnel Training

All personnel with access to organizational systems or PHI complete initial privacy and security training within 30 days of hire and annual refresher training thereafter. Training completion records and signed acknowledgements are retained together in the Personnel Technology Training Log and are available for audit.

Access Provisioning and Revocation

We follow documented procedures to create, modify, and remove user accounts and system access. New accounts and permissions are set up within one business day of authorization. When someone leaves the organization or no longer requires access, their accounts are disabled immediately, and in all cases within 24 hours. All access changes are logged and reviewed quarterly.

Access Reviews

We perform periodic access reviews of role-based permissions and system access at least quarterly; remediation of any inappropriate access is completed and documented promptly.

Encryption

PHI and sensitive organizational data are encrypted in transit (TLS/SSL) and at rest, in accordance with HIPAA and our security standards.

Limitations

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Audit Evidence

The organization maintains a central evidence index (BAA Register, incident logs, BC/DR test reports, access review records, training logs, asset inventory, network diagram, integration test artifacts). These artifacts are maintained in the organization's central repository and are available for regulatory or audit review on request.

Data Retention

We retain personal information collected through our Website only as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

Protected Health Information (PHI): We retain PHI in accordance with federal and state requirements and our Notice of Privacy Practices (for example, a minimum of seven years where required). When records are no longer needed, we securely delete or anonymize them in accordance with our retention schedule and secure disposal procedures.

Third-party websites

Our Website may contain links to third-party websites that are not operated by us. This Website Privacy Policy does not apply to those third-party websites. We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any third-party websites you visit.

children's privacy

Our Website is not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18 through our general Website. Our clinical services are provided to adults aged 18 and older. If you are under 18, please do not provide any information on this Website. If we learn that we have collected personal information from a child under 18 through our Website, we will delete that information promptly.

your privacy rights

Depending on your location, you may have certain rights regarding your personal information.

Access and Correction

You may request access to the personal information we hold about you and request corrections if the information is inaccurate or incomplete.

How to Make a Request (Access, Amendment, Deletion, and Other Rights)

Identity Verification: To protect privacy, we verify requester identity before fulfilling access, amendment, or deletion requests (for example, by requesting a government-issued photo ID). We will acknowledge receipt of a verified request within 5 business days and respond within the timeframes stated in this policy.
‍
To exercise any rights, submit a written request to privacy@upliftpathinc.com

or through our online contact form at upliftpathwellness.com/contact with:

1. Your full name and contact information
2. The right you are exercising
3. Specific details to help us locate the information
4. A copy of a government-issued photo ID for verification (we redact and securely dispose of the ID after verification)

Response Timeframes:

• For HIPAA requests regarding PHI, we will respond within 30 calendar days. If necessary, we may extend one time by up to 30 calendar days with written notice to you.
• For consumer privacy requests under applicable state laws (for example, CCPA/CPRA), we will respond within 45 calendar days. We may request additional information to verify your identity or authority to act on behalf of another person.
• Where law permits, we may deny requests that conflict with legal obligations; we will explain the reason for any denial and the procedures to appeal.

Deletion

You may request that we delete your personal information, subject to certain legal limitations and record retention obligations. Requests for deletion of PHI will be processed under HIPAA rules and may be denied in limited circumstances (for example, if retained for treatment or legal obligations).

Opt-Out of Communications

You may opt out of marketing or promotional emails by following the unsubscribe instructions in those emails or by contacting us through our online contact form at upliftpathwellness.com/contact. We will continue to send non-promotional messages related to your inquiries or, if you are a client, communications related to your care.

Do Not Track & Opt-Outs

Our Website does not currently respond to Do Not Track browser signals. To opt out of tracking and analytics, manage cookie preferences via the cookie banner or your browser settings as described in the Cookies and Tracking Technologies section above.

california & other State privacy rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and related laws. These include the right to know, the right to delete, the right to opt out of sale (we do not sell personal information), and the right to non-discrimination for exercising privacy rights.

To exercise your state privacy rights, contact us at privacy@upliftpathinc.com

or through our online contact form at upliftpathwellness.com/contact. We will verify your identity before processing requests and respond within the statutory timeframes.

international visitors, controller & processor

Our Website and services are operated from the United States. If you are visiting from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using our Website, you consent to such transfers. We take reasonable administrative, technical, and organizational measures to protect data transferred across borders.

Controller and Processors: Uplift Path, Inc. is the controller of the data collected through the Website. Our service providers act as processors and process data only under our instructions and contractual terms, including BAAs where PHI is involved.

contact information & Accessibility

If you have questions, concerns, or requests regarding this Website Privacy Policy or our privacy practices, contact:

Uplift Path, Inc.
Chief Risk Officer (CRO) — Privacy & Compliance Contact

Contact Methods:

• Email : privacy@upliftpathinc.com
• Phone : (513) 299-4553
• Online Contact form : upliftpathwellness.com/contact

Ohio Business Office:
Uplift Path Inc.
20 E Broad St, 2nd & 3rd Floor
Columbus, Ohio 43215
United States of America

Accessibility & Language Support: If you need this policy or other materials in an alternative format (large print, audio, or translated version) or require an accommodation, contact the Chief Risk Officer at privacy@upliftpathinc.com

and we will make reasonable efforts to provide the material in the format needed.

Notice of privact practices (HIPAA) — important distinction

Website Inquiries vs. Service Requests

This Website Privacy Policy covers: general website browsing and automatically collected data (cookies, analytics); general inquiries submitted through contact forms; newsletter signups and general communications; employment applications; and any non-health information provided through the Website.

Our HIPAA Notice of Privacy Practices covers: service request and intake forms submitted through the Website and all PHI collected for treatment purposes, including: how we use and disclose your health information; your rights regarding health information under HIPAA; and how to exercise those rights. Once you submit a service request or intake form with health information (for example, Medicaid ID, health conditions, treatment needs, or other health-related information), your information is protected under HIPAA and governed by our Notice of Privacy Practices.

How to Access Our Notice of Privacy Practices

Request a copy from your service provider during your first contact, download a copy from our secure client portal, or contact the CRO at privacy@upliftpathinc.com

Complaints

If you believe your privacy rights have been violated, contact the Chief Risk Officer at privacy@upliftpathinc.com. For HIPAA matters, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) (hhs.gov/ocr).

changes to this privacy policy

We may update this Website Privacy Policy at any time. When we make material changes, we will update the "Last Updated" date at the top of the policy, post the revised policy on our Website, and notify you of material changes via email (if we have your email) or through a prominent notice on our Website. We encourage you to review this Website Privacy Policy periodically. Your continued use of the Website after changes are posted constitutes your acceptance of the revised policy.

acceptance Of This policy

By using our Website, you signify your acceptance of this Website Privacy Policy. If you do not agree to this policy, please do not use our Website. Your continued use of the Website following the posting of changes will be deemed your acceptance of those changes.

Uplift Path, Inc. — All Rights Reserved