Privacy policy.

How we handle your personal and health information. Written plainly, with concrete answers to the questions a careful patient would ask.

Explain what we collect, why, who else sees it, and what you can do about it.

NorCal ADHD is a private medical practice serving California adults. This policy describes how we collect, use, store, and share personal and health information when you book an appointment, become a patient, or interact with the practice site at norcaladhd.com.

This is a plain-English policy. Where the law uses specific language (HIPAA, CMIA, CCPA), we name it so you can look it up. This document is not legal advice; it is how the practice operates.

Different categories. Different reasons. Different protections.

When you book an appointment, we collect contact information, service-area ZIP, scheduling details, fit confirmations, required booking agreements, optional SMS-reminder consent, and the $50 deposit. After the appointment is held, we collect your residential address and arbitration signature so the before-call record is complete.

Clinical history, current concerns, medications, prior treatment, labs, pharmacy details, and care messages are collected through Spruce and the practice's clinical systems after booking. This is Protected Health Information (PHI) under HIPAA and Medical Information under California's CMIA.

When you visit norcaladhd.com, we receive standard server-side request data (IP address, user agent, referrer, page URL). The site is served via Cloudflare Pages. The site also uses Google Analytics to measure, in aggregate, which pages are reached and whether booking works. Analytics is configured with advertising personalization turned off, and analytics events never include your name, contact details, health information, or exact appointment times.

Card details are entered into secure Square fields. Square vaults the card; Maxio handles the deposit and ongoing billing records. NorCal ADHD does not store full card numbers directly.

Care, not commerce.

Booking information is collected to schedule and confirm appointments and to process the $50 deposit. We do not use booking information for marketing without your separate consent.

Clinical information is collected to provide care: evaluation, treatment decisions, follow-up, pharmacy coordination, and authorization paperwork when needed. This is the core of the practice and is the core of what is protected by HIPAA and CMIA.

Site request data and analytics are used for routine site operation: serving pages, preventing abuse, and aggregate measurement of which pages are reached, where booking steps stall, and whether the practice's advertising brings people who book. We do not build behavioral profiles, and advertising personalization is turned off in our analytics configuration.

Payment information is collected and processed to charge for care. We do not use payment identifiers for marketing.

A short list. Each has a specific role.

Spruce Health is the HIPAA-compliant secure messaging platform used for all care between visits. Spruce is a HIPAA Business Associate of NorCal ADHD. Their privacy policy applies in addition to this one.

Acuity Scheduling stores appointment times created by the practice after deposit payment. Acuity (a Squarespace company) operates as a Business Associate where PHI is involved. Their privacy policy applies in addition to this one.

Maxio handles the initial deposit and ongoing care charges. Maxio receives billing contact information, subscription state, and Square vault references. Maxio is a Business Associate where PHI is involved.

Square provides the secure card fields and card vault used for the deposit path. Square receives payment contact details needed to create the card vault and is a Business Associate where PHI is involved.

AWS stores durable consent and arbitration records in DynamoDB and S3 Object Lock. AWS is used for records that must not live in Cloudflare storage and is covered by a Business Associate Agreement.

Google Workspace is the practice's BAA-covered email and document workspace for individual operational correspondence from @norcaladhd.com accounts. It is not used for marketing automation. Separately, Google Analytics measures site usage and advertising effectiveness in aggregate, with advertising personalization turned off; analytics events never include names, contact details, health information, or exact appointment times. Acuity reports its own scheduling activity to the same analytics property.

The practice site is served via Cloudflare Pages and Functions. Cloudflare carries requests in transit and stores only coded, non-PHI booking state; names, address, signatures, and clinical history are not stored in Cloudflare KV.

This list is current as of the effective date. We update it when processors change.

Plain about the lines we do not cross.

We do not sell or rent your information. Not patient information, not contact information, not site visitor data.

We do not run ad retargeting or build cross-site behavioral profiles. Site analytics measures pages and booking steps in aggregate, with advertising personalization turned off — never who you are or why you came.

We do not text or email patient information to anyone you have not explicitly authorized. Secure messaging runs through Spruce.

We do not share clinical records with employers, insurers (beyond payment necessity), or marketers without your authorization.

HIPAA and California law give you specific rights. We honor them.

Access. You can request a copy of the personal and health information NorCal ADHD holds about you.

Amendment. You can request corrections to information you believe is inaccurate.

Restriction. You can request that we limit how we use or share certain information (subject to legal and clinical requirements).

Accounting of disclosures. You can request a list of certain disclosures of your information.

Communication preferences. You can request that we contact you through specific channels or at specific times.

California-specific rights. California residents have additional rights under CMIA and the CCPA, including the right to know what categories of personal information are collected and to whom they are disclosed, and the right to request deletion of certain personal information (subject to medical-record retention requirements).

To exercise any of these rights, message the practice through Spruce (current patients) or use the booking contact for non-patients.

Medical records are kept per California requirements. Other information is held only as long as needed.

Medical records are retained per California's medical-record retention requirements (a minimum of seven years for adult patients from the date of last contact, with longer retention where law requires). Durable consent, cancellation, and arbitration records may be retained for about 10 years or longer where the law, record-locking policy, or dispute needs require it.

Booking information for appointments that did not result in care is retained for routine business purposes and then purged.

Site request data is retained briefly for operational and security purposes and then aggregated or purged.

Secure messaging through Spruce. Encryption in transit and at rest. Limited team access.

Clinical messaging runs through Spruce, which provides HIPAA-compliant encryption and authentication. The practice site does not collect clinical history, medication lists, symptom narratives, or ID images.

Access to clinical records is limited to Dr. D and the practice team members who need access for care delivery. Access is logged.

No system is perfectly secure. If a security incident affects patient information, we notify affected patients per HIPAA breach-notification rules and California law.

Plain about the limits of a written policy.

This is not legal advice and not a contract; it describes how the practice operates. It is not a HIPAA Notice of Privacy Practices, which current patients receive separately upon becoming a patient. Policy updates as practice evolves and law changes; the effective date at the top reflects the current version.

One inbox. Real responses.

Current patients: message the practice through Spruce. Mark messages "privacy" so the team routes them appropriately.

Non-patients with privacy questions: use the contact path on the booking page until a dedicated privacy contact is published.

For emergencies, call 911. This page is not for emergencies.