Privacy Policy

Effective Date

This Privacy Policy is effective as of April 30, 2026. It applies to all information collected by CareVixis Medical Practice Back-Office Solutions ("CareVixis," "we," "us," or "our") through the website located at www.carevixis.com, through our contact and intake forms, through our chat widget, and through SMS and telephone communications associated with our services.

By using this website or submitting any form on this website, you agree to the terms of this Privacy Policy. If you do not agree with this policy, please do not use this website or submit any personal information through it.

CareVixis is a full-service medical practice back-office provider serving medical practices across the United States. We provide medical billing and revenue cycle management, claims processing, denial management, accounts receivable recovery, patient billing, coding optimization, credentialing, prior authorization management, website design and digital marketing, business telecommunications, SMS appointment and payment reminders, full EMR/EHR systems, practice-branded telemedicine, and transcription and clinical note-taking services.

Information We Collect

CareVixis collects information from visitors and practice partners through several channels on this website. Below is a complete description of what we collect and how it is gathered.

Contact and Inquiry Information

When you submit a contact form, a consultation request form, or any other intake form on this website, we collect the information you provide directly. This includes:

• Your full name
• Your email address
• Your phone number
• Your practice or organization name
• Your specialty or practice type (if provided)
• Any message, question, or description you include in the form

All form submissions are processed and stored directly on CareVixis servers. We do not use any third-party form processing services (such as Formspree, Typeform, HubSpot forms, or similar platforms). Your information goes directly from our website to our own infrastructure and remains under our control at all times.

Chat Widget Communications

This website includes a live chat widget that connects you directly to Jeff Norton, founder of CareVixis. It is not a chatbot. When you use the chat widget, we collect and store the messages you send, the time and date of the conversation, and any contact information you voluntarily provide during the chat. Chat conversations are stored on CareVixis servers exclusively.

Technical and Usage Data

When you visit this website, our web server automatically records certain technical information as a standard part of internet operation. This includes:

• Your IP address
• The type of browser and operating system you are using
• The pages you visit on this website and the order in which you visit them
• The date and time of your visit
• The amount of time spent on individual pages
• The referring URL (the website or search engine that sent you here, if applicable)
• Error messages encountered during your visit

This technical data is used solely for website operation, security monitoring, and performance improvement. It is not used to identify you personally unless combined with information you have voluntarily provided.

Cookies and Similar Technologies

CareVixis uses cookies and similar browser-based technologies to maintain website functionality and improve user experience. See the dedicated "Cookies and Tracking" section below for a complete description of what cookies are used, their purpose, and how to control them.

How We Use Your Information

CareVixis uses the information we collect for the following specific purposes. We do not use your information for any purpose not listed here without obtaining your explicit consent first.

Responding to Inquiries

When you submit a contact form or initiate a chat conversation, we use your contact information to respond to your inquiry. Responses are delivered via the method you used to contact us (email, phone, or chat) or by the method you indicate is preferred. We aim to respond to all inquiries within one business day.

Providing and Delivering Services

If you become a practice partner of CareVixis, we use the information you provide during onboarding and throughout the relationship to deliver the services you have contracted for. This includes billing and revenue cycle management, credentialing, communications, and all other back-office services included in your agreement.

Billing and Account Communications

We use your contact information to send billing statements, account status updates, and service-related notifications. These communications are considered transactional and informational, not promotional.

Appointment and Payment Reminders (with Consent)

On behalf of our practice partners, CareVixis may send appointment reminders, payment reminders, and billing notifications to patients of those practices via SMS, voice, or email. These communications are sent only with the prior express written consent of the recipient, in compliance with TCPA and 10DLC requirements. See the "10DLC and SMS/Text Messaging Compliance" section for complete details.

Website Improvement and Analytics

We use technical and usage data to understand how visitors navigate the website, identify pages or sections that may be confusing or underperforming, and make improvements to content, structure, and functionality. This analysis is conducted internally using our own server logs and does not involve sharing your data with any analytics platform.

Legal and Regulatory Compliance

We may use or disclose information when required to comply with applicable law, respond to a lawful subpoena or court order, cooperate with a government investigation, or protect the legal rights of CareVixis, its practice partners, employees, or the public.

Security and Fraud Prevention

We use IP addresses and technical data to detect and prevent unauthorized access, spam submissions, and potential security threats to our website and infrastructure.

Information We Do NOT Collect Through This Website

It is important to be explicit about what this website does not collect, particularly regarding health information.

No Protected Health Information on This Website

This website does not collect, process, or transmit Protected Health Information (PHI) as defined by HIPAA. PHI includes patient names, dates of service, diagnosis codes, procedure codes, insurance information, social security numbers, and any other individually identifiable health information.

This website is a marketing and intake site only. It is not a patient portal, claims submission portal, or clinical interface of any kind. No patient medical records, clinical notes, insurance claim data, or any other form of PHI passes through this website or any form on it.

How PHI Is Handled

PHI is handled exclusively through secure, dedicated, HIPAA-compliant systems that are entirely separate from this public-facing website. Access to these systems is restricted to authorized CareVixis staff only. Every practice partner relationship is governed by a fully executed Business Associate Agreement (BAA) prior to any exchange of PHI. CareVixis's handling of PHI is described in detail in the "HIPAA Compliance" section below.

No Social Security Numbers or Financial Account Data

This website does not collect social security numbers, bank account information, credit card numbers, or any other sensitive financial data. Any financial information required for billing or payment processing between CareVixis and its practice partners is handled through secure, encrypted channels entirely separate from this website.

Data Storage and Security

CareVixis takes data security seriously at every level of our infrastructure. The following describes our security practices in full.

US-Only Data Centers

All data collected or processed by CareVixis - including form submissions, chat logs, service data, PHI, and technical logs - is stored exclusively in data centers located within the United States. CareVixis does not use offshore, foreign, or cloud providers with data residency outside the US. We own and control our data infrastructure without outsourcing storage or processing to any foreign entity.

Encryption

All data stored by CareVixis is encrypted at rest using AES-256 encryption. All data transmitted between your browser and our servers is encrypted in transit using TLS 1.2 or higher. These are the same encryption standards used by financial institutions and healthcare systems. No unencrypted transmission of personal information is permitted.

Access Controls

Access to stored data is controlled using a role-based access control (RBAC) system. Employees and contractors are granted access only to the specific data required to perform their assigned job functions. No employee has blanket access to all data. Access privileges are reviewed quarterly and revoked immediately upon termination or role change.

Multi-Factor Authentication

All internal systems containing personal or protected data require multi-factor authentication (MFA) for login. Single-factor (password-only) access is not permitted for any system containing personal information. MFA is enforced at the infrastructure level, not left to individual user discretion.

Daily Compliance Audits

CareVixis conducts daily automated compliance audits of its systems. These audits check for unauthorized access attempts, configuration drift, unusual data access patterns, and other indicators of potential security incidents. Alerts are reviewed by staff on every business day and addressed within a defined incident response timeline.

Zero Outsourcing / Zero Offshore Access

CareVixis is 100% US-based. We do not outsource any billing, coding, data entry, customer service, or technical operations to offshore or foreign entities. Every person who touches your data is located in the United States and is subject to US law, HIPAA requirements, and our internal security policies. This is a non-negotiable operational standard, not a marketing claim.

No Third-Party Form Services

As noted above, CareVixis does not route form submissions through third-party services such as Formspree, Mailchimp, HubSpot, Salesforce, Typeform, or similar platforms. When you submit a form on this website, the data travels directly from your browser to our server via an encrypted HTTPS connection and is stored on our infrastructure. It does not pass through any intermediary.

Physical Security

Our data center facilities maintain physical access controls including keycard access, video surveillance, and restricted entry policies. Physical access logs are maintained and reviewed regularly. Unauthorized physical access to server hardware is not possible without detection.

Incident Response

In the event of a confirmed or suspected security incident involving personal information, CareVixis has a documented incident response plan. This plan includes immediate containment, investigation, remediation, and - where required by law - notification to affected individuals and regulatory authorities within applicable timeframes.

HIPAA Compliance

CareVixis is a covered business associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. Our operations are designed from the ground up to meet and exceed HIPAA's Privacy Rule and Security Rule requirements.

Business Associate Agreements

Before any exchange of Protected Health Information (PHI) with a practice partner, CareVixis executes a fully compliant Business Associate Agreement (BAA). This BAA is a binding legal document that defines the permitted uses and disclosures of PHI, establishes each party's obligations to safeguard PHI, and specifies the consequences of non-compliance. No practice partner relationship involving PHI is initiated without a signed BAA in place.

Minimum Necessary Standard

CareVixis applies the HIPAA minimum necessary standard to all PHI access and use. This means that employees access only the PHI required to perform their specific job function - no more. Access to PHI is not granted by default and must be justified by a specific operational need. This standard is enforced through our role-based access control system and is audited regularly.

Workforce Training

All CareVixis employees and contractors who may encounter PHI receive mandatory HIPAA training before beginning any work involving health information. This training covers the Privacy Rule, the Security Rule, workforce sanctions for violations, and the specific policies and procedures of CareVixis. Training is refreshed annually and whenever material regulatory changes occur.

Breach Notification Procedures

CareVixis maintains documented breach notification procedures that comply with HIPAA's Breach Notification Rule. In the event of a breach of unsecured PHI, CareVixis will notify affected practice partners without unreasonable delay and no later than 60 days of discovering the breach. Notifications include the nature of the breach, the types of PHI involved, the steps individuals should take to protect themselves, and a description of CareVixis's remediation efforts. Where required, notifications to the Department of Health and Human Services (HHS) and affected individuals will also be completed within the required timeframes.

Administrative Safeguards

CareVixis maintains the following administrative safeguards as required by the HIPAA Security Rule:

• Documented security management process including risk analysis and risk management programs
• Assigned security responsibility to a designated security official
• Workforce security procedures including authorization, supervision, and termination
• Information access management with documented policies for granting and revoking access
• Security awareness and training programs for all workforce members
• Security incident response and reporting procedures
• Contingency planning including data backup, disaster recovery, and emergency mode operations
• Evaluation procedures for periodic review of security policies and technical controls
• Business associate contracts with all entities that handle PHI on our behalf

Physical Safeguards

CareVixis maintains the following physical safeguards for systems that store or process PHI:

• Facility access controls limiting physical access to data systems to authorized personnel only
• Workstation use policies specifying appropriate functions and restrictions for devices that access PHI
• Workstation security measures including screen locks, secure positioning, and clean desk policies
• Device and media controls governing the receipt, removal, and disposal of hardware and electronic media containing PHI

Technical Safeguards

CareVixis maintains the following technical safeguards for PHI systems:

• Access controls including unique user identification, emergency access procedures, automatic logoff, and encryption and decryption
• Audit controls to record and examine activity in information systems that contain PHI
• Integrity controls to protect PHI from improper alteration or destruction
• Transmission security including encryption of all PHI transmitted over electronic communications networks

All PHI Stored in HIPAA-Compliant US Data Centers

Every system that contains PHI - including billing systems, EMR/EHR platforms, credentialing records, and any other operational system - is hosted in US-based data centers that meet HIPAA physical and environmental safeguard requirements. PHI does not transit through, or reside in, any system outside the United States.

10DLC and SMS/Text Messaging Compliance

CareVixis operates a fully compliant 10-digit long code (10DLC) SMS messaging program. This section describes our 10DLC registration, consent practices, message types, opt-out procedures, and compliance framework in complete detail.

10DLC Registration with The Campaign Registry

CareVixis is fully registered as a brand with The Campaign Registry (TCR), the industry-standard registry for 10DLC messaging in the United States. Our brand registration is verified and active. All SMS campaigns operated by CareVixis - including campaigns for appointment reminders, payment reminders, billing notifications, and account information - are individually registered as separate campaigns within TCR with the appropriate use-case designations assigned to each.

Campaign registration includes submission of campaign descriptions, sample message content, and consent disclosures for review by TCR and carrier partners. All campaigns have received carrier approval and operate within verified throughput limits set by the major US wireless carriers. CareVixis does not operate any unregistered or grey-route messaging.

Prior Written Consent Required

CareVixis does not send any SMS message - of any type - to any recipient without obtaining prior express written consent from that recipient before the first message is sent. This applies without exception to every message sent through every campaign we operate.

Consent is obtained through a formal signed Consent for Electronic Communications document presented to each patient during intake or onboarding. This consent form is generated based on the specific communication preferences selected for each of the patient's phone numbers - each communication channel (text messages, phone calls, health alerts, voicemail, billing communications) is authorized individually by the patient. No blanket consent is assumed, and simply providing a phone number does not constitute consent.

The signed consent document is uploaded into the patient's electronic medical record and retained as part of their medical record number (MRN) until the patient requests removal. The full consent document language is published on our Compliance page.

The consent disclosure presented to each recipient before they opt in includes all of the following information:

• The name and identity of the sender (CareVixis and/or the specific practice partner on whose behalf messages will be sent)
• The types of messages that will be sent (appointment reminders, payment reminders, billing notifications, account information)
• The estimated frequency of messages
• The fact that message and data rates may apply depending on the recipient's wireless plan
• Clear instructions for opting out at any time by replying STOP
• A reference to where the full privacy policy can be reviewed

Types of Messages We Send

CareVixis sends only transactional and informational SMS messages. We do not send promotional, marketing, or solicitation messages via SMS. The categories of messages we send are:

• Appointment Reminders: Reminders sent to patients of our practice partners about upcoming scheduled appointments, including date, time, provider name, and any pre-visit instructions. These messages help reduce no-show rates and improve practice efficiency.
• Payment Reminders: Reminders sent to patients regarding outstanding balances, upcoming payment due dates, or available payment options. These messages always include contact information for billing questions.
• Billing Notifications: Notifications regarding statements, insurance processing updates, explanation of benefits status, or other billing account activity. These are informational updates about the patient's account status.
• Account Information: Messages conveying specific account information requested by the patient or practice, such as confirmation of a payment received, a change in appointment status, or a response to a patient inquiry.

CareVixis never sends messages that contain marketing language, promotional offers, discount codes, product advertisements, or any content designed to solicit a purchase or referral. All messages are directly related to the recipient's existing relationship with the practice partner.

Sender Identification and Opt-Out Language

Every SMS message sent by CareVixis includes clear identification of the sender and opt-out instructions. At minimum, all messages include:

• The name of the practice or entity on whose behalf the message is sent
• Opt-out instructions in the form of "Reply STOP to opt out" or equivalent language
• A reference to help resources (typically "Reply HELP for help" or a phone number)

Initial welcome messages sent at the time of consent confirmation include the full disclosure: sender identity, message type, frequency estimate, message and data rates disclosure, STOP opt-out instruction, and HELP instruction.

STOP Opt-Out Honored Immediately

When any recipient replies STOP (or any standard opt-out keyword including CANCEL, END, QUIT, UNSUBSCRIBE, or STOPALL) to any message sent by CareVixis, that recipient is immediately removed from all active messaging campaigns. Opt-outs are processed in real time. No additional messages are sent to an opted-out number under any circumstances after the opt-out is received. We do not re-add opted-out numbers to messaging campaigns without a new, separate, explicit consent collection from the same number.

Recipients may also opt out by contacting us directly at (352) 897-8598 or jeff@carevixis.com and requesting removal from SMS communications. These opt-out requests are processed within one business day.

Consent Records

CareVixis maintains comprehensive records of all consent collected for SMS messaging. Each consent record contains:

• The phone number for which consent was collected
• The date and time consent was provided
• The method by which consent was collected (written form, digital form, verbal with documentation, etc.)
• The specific channels and message types the recipient consented to receive
• The exact consent language that was presented to the recipient at the time of opt-in
• The identity of the practice partner on whose behalf the consent was collected

Consent records are retained for a minimum of five years and are available to practice partners upon request for audit or regulatory purposes.

No Sharing or Selling of Phone Numbers

Phone numbers collected for SMS consent purposes are not shared with, sold to, or transferred to any third party for messaging purposes. Numbers are used exclusively for the purpose disclosed at the time of consent and for the specific practice partner relationship for which consent was granted. A patient's consent to receive messages from Practice A does not authorize messages from Practice B, even if both are CareVixis partners.

TCPA Compliance

All CareVixis SMS and voice communications comply with the Telephone Consumer Protection Act (TCPA) and Federal Communications Commission (FCC) regulations. Our TCPA compliance program includes:

• Express Written Consent: Prior express written consent is obtained before any automated or pre-recorded message or SMS is sent to any recipient. Consent records are maintained as described above.
• Permitted Calling Hours: SMS messages and automated voice calls are only sent or initiated during permitted hours: 8:00 AM to 9:00 PM in the recipient's local time zone. Messages are never sent outside these hours.
• Do-Not-Call Registry Compliance: CareVixis scrubs phone number lists against the National Do-Not-Call (DNC) Registry on a regular basis. Numbers registered on the DNC are not contacted for any purpose other than transactional communications with an established business relationship.
• Accurate Caller ID: All voice calls made by or on behalf of CareVixis use accurate, non-spoofed caller ID information that reflects the actual originating number. Practice-branded calls display the practice's registered phone number.
• Established Business Relationship: All communications are made only to individuals with an established business relationship with CareVixis or the relevant practice partner, and only for purposes related to that relationship.

SMS / Text Message Data

This section describes how CareVixis handles phone numbers and consent records related to SMS/text messaging on behalf of its practice partners.

Phone Number Collection and Use

Patient phone numbers are collected during in-person patient intake at the healthcare practice and entered into the practice's EMR/EHR system. Phone numbers collected during patient intake are used exclusively for authorized communications as specified in the patient's signed consent form -- including appointment reminders, prescription notifications, test result notifications, billing reminders, and general health information. Phone numbers are not used for any purpose beyond what the patient has explicitly authorized in writing.

SMS Consent Records

SMS consent is collected via a physical consent form that is printed at the practice, reviewed with the patient, signed by the patient, and uploaded to the patient's electronic medical record. These signed consent forms are retained as part of the patient record and serve as the documented proof of prior express written consent required by the TCPA. Consent records include the patient's signature, the date of consent, and the specific communication channels and message types authorized.

No Sharing or Selling of Mobile Information

No mobile information -- including phone numbers, SMS consent records, and messaging opt-in/opt-out status -- is shared with or sold to third parties for marketing or promotional purposes. Phone numbers collected for SMS messaging are used solely for the healthcare communication purposes described in the patient's consent form and are not transferred to any external marketing platform, data broker, lead aggregator, or advertising network.

Opting Out of SMS

Patients may opt out of SMS messages at any time by replying STOP to any message, or by contacting us at (352) 897-8598 or jeff@carevixis.com. Opting out of SMS does not affect the patient's ability to receive medical care, treatment, or any other services from the practice. The patient's care relationship with the practice continues without interruption regardless of SMS communication preferences.

Cookies and Tracking

CareVixis uses a limited set of cookies on this website. We do not use advertising cookies, behavioral tracking cookies, or any third-party analytics cookies.

Types of Cookies We Use

Essential Cookies: These cookies are required for the website to function. They enable core features such as navigation, form security tokens, and session management. You cannot disable essential cookies and continue to use the website, as they are technically necessary for it to operate. Examples include cookies that maintain your session while you fill out a form and security tokens that protect against cross-site request forgery.

Functional Cookies: These cookies remember your preferences to improve your experience on repeat visits. For example, a functional cookie may remember that you dismissed a notification or that you prefer a specific display setting. These cookies do not track your activity across other websites and do not collect personally identifiable information beyond what is required to maintain your preferences on this website.

What We Do NOT Use

CareVixis does not use:

• Third-party advertising cookies (such as Google Ads, Facebook Pixel, or similar tracking pixels)
• Cross-site behavioral tracking cookies
• Google Analytics or similar third-party analytics platforms
• Social media tracking pixels or share buttons with embedded trackers
• Fingerprinting scripts or any non-cookie tracking technology

Our analytics are based entirely on our own server-side logs, which we control and which do not involve any third party receiving your data.

How to Manage Cookies

You can manage and delete cookies using your web browser's built-in settings. All major browsers allow you to view stored cookies, block cookies from specific sites, block all cookies, or delete cookies on demand. Instructions for managing cookies vary by browser:

• Google Chrome: Settings > Privacy and security > Cookies and other site data
• Mozilla Firefox: Settings > Privacy and Security > Cookies and Site Data
• Apple Safari: Preferences > Privacy > Manage Website Data
• Microsoft Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data

Note that disabling essential cookies may prevent some features of this website from functioning correctly, including form submission and secure navigation.

Third-Party Services and Information Sharing

CareVixis does not sell, rent, trade, or transfer your personal information to any third party for their own use. This is an absolute policy with no exceptions for commercial purposes.

Limited Circumstances for Disclosure

We may disclose personal information only in the following specific and limited circumstances:

• Required by Law: When we receive a valid subpoena, court order, or other legally enforceable demand from a government authority with jurisdiction, we may be required to disclose information to comply with that legal obligation. Where legally permitted, we will notify affected individuals of such disclosures before they occur.
• Protection of Rights and Safety: We may disclose information when we have a good-faith belief that such disclosure is necessary to protect the rights, property, or safety of CareVixis, its practice partners, employees, or the public from imminent harm, fraud, or illegal activity.
• Explicit Consent: We may disclose information to a third party if you have given us explicit, specific, written consent to do so. Consent for one type of disclosure does not imply consent for any other type.

SIPLYPhone.com

SIPLYPhone.com is a sister company of CareVixis, not an independent third party. SIPLYPhone.com provides business telecommunications infrastructure used by CareVixis in delivering services to practice partners. Data shared between CareVixis and SIPLYPhone.com is governed by the same security and privacy standards described in this policy and does not constitute a third-party data transfer.

No Data Brokers

CareVixis does not engage with data brokers, lead aggregators, marketing data platforms, or any other entity whose business model involves the collection, packaging, or resale of personal information. We do not purchase data about you from any such sources, and we do not supply data to them.

No Third-Party Advertising Networks

CareVixis does not participate in behavioral advertising networks, retargeting programs, or audience segmentation platforms. No data about your visit to this website is shared with any advertising network for the purpose of showing you targeted advertisements on other websites.

Data Retention

CareVixis retains personal information for the period necessary to fulfill the purposes for which it was collected, subject to longer retention periods required by law or regulation.

Inquiry and Contact Data

Information submitted through contact forms, chat conversations, and general inquiries is retained for a period of three years from the date of submission. This retention period allows us to maintain a record of our communications, respond to any follow-up questions, and comply with any applicable legal requirements related to business communications.

Practice Partner Service Data

Data related to active practice partner relationships - including service records, communications, and account information - is retained for the duration of the practice partner agreement and for a period of seven years following the termination of the agreement. This retention period is required to comply with federal and state healthcare regulations, tax requirements, and potential audit obligations.

PHI Retention

Protected Health Information (PHI) handled by CareVixis on behalf of practice partners is retained in accordance with HIPAA requirements and any applicable state law. HIPAA generally requires that records be retained for at least six years from the date of creation or the date the record was last in effect, whichever is later. State laws may require longer retention periods, and CareVixis complies with the more stringent of the two requirements.

SMS Consent Records

Records of SMS consent - including the date, time, method, and content of each consent collection - are retained for a minimum of five years from the date consent was collected, or for two years after the last message was sent to a given number, whichever is longer. This retention supports TCPA compliance and provides documentation in the event of a regulatory inquiry.

Technical Logs

Web server logs containing technical data such as IP addresses, page visit records, and error logs are retained for a period of 90 days and then purged on a rolling basis. These logs are used for security monitoring and performance diagnostics and are not used for long-term analysis or profiling.

Deletion Upon Request

Subject to our legal and regulatory retention obligations, you may request deletion of your personal information at any time. See the "Your Rights" section below for how to submit a deletion request. We will confirm receipt of deletion requests within five business days and complete deletion within 30 days of confirmation, except where retention is required by law.

Your Rights

Regardless of your location, CareVixis respects your rights with respect to your personal information. The following rights apply to information collected through this website and through our service operations.

Right to Access

You have the right to request a copy of the personal information CareVixis holds about you. Upon a verified request, we will provide you with a complete description of the categories of data we hold, the specific data points within each category, the purposes for which that data is used, and any third parties with whom the data has been shared (none, in virtually all cases).

Right to Correct

You have the right to request correction of any personal information we hold that is inaccurate or incomplete. If you believe we have incorrect information about you - such as a wrong email address, phone number, or practice name - you can request that we update our records. We will verify your identity before making any corrections and will confirm the change once completed.

Right to Delete

You have the right to request deletion of your personal information from our systems. We will delete your information upon a verified request, subject to our legal and regulatory obligations that require retention of certain data. Where we are required to retain data and cannot fulfill a deletion request in full, we will inform you of what data must be retained and why.

Right to Opt Out of Communications

You have the right to opt out of any communications from CareVixis at any time, including:

• Email communications - by following the unsubscribe link in any email or by contacting us directly
• SMS communications - by replying STOP to any text message or by contacting us directly
• Phone calls - by contacting us and requesting to be added to our internal do-not-call list

Opting out of communications does not affect any legal rights or obligations between you and CareVixis and does not terminate any active service agreement.

How to Exercise Your Rights

To exercise any of the rights described above, contact us using the information in the "Contact Information" section at the end of this policy. Please include:

• Your full name
• Your email address and/or phone number on file with us
• A clear description of the right you are requesting to exercise and any specifics about the data involved

We will verify your identity before processing any access, correction, or deletion request to ensure that we do not disclose or modify data based on an unauthorized request. We aim to respond to all rights requests within 10 business days and to complete the requested action within 30 days.

We will never charge a fee for exercising your rights, deny services based on the exercise of privacy rights, or retaliate in any way against individuals who exercise the rights described in this policy.

Children's Privacy

This website is intended for use by medical professionals, practice administrators, and others involved in healthcare practice management. It is not directed at children under the age of 13.

CareVixis does not knowingly collect personal information from any individual under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will delete that information from our systems promptly upon discovery.

If you are a parent or guardian and believe that your child under the age of 13 has submitted personal information to this website, please contact us immediately using the information in the "Contact Information" section below and we will take immediate action to locate and delete that information.

Note that the pediatric patient data handled by CareVixis on behalf of practice partners as part of our billing and back-office services is a separate matter governed by our HIPAA compliance program and the terms of our Business Associate Agreements, not by this website privacy policy.

Changes to This Policy

CareVixis may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or regulatory guidance. When we make material changes to this policy, we will take the following steps to ensure you are informed:

• We will update the "Effective Date" at the top of this page to reflect the date the revised policy takes effect
• For material changes that significantly affect how we handle personal information, we will post a prominent notice on our homepage for a period of at least 30 days following the change
• If you are an active practice partner and the change affects how we handle data related to your practice, we will notify you directly by email at the address on file for your account

Your continued use of this website after the effective date of a revised policy constitutes your acceptance of the revised terms. If you do not agree with the revised policy, please discontinue use of this website and contact us to discuss any concerns.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. The current version of this policy is always available at https://www.carevixis.com/privacy-policy.html.

Previous versions of this policy are available upon request. Contact us at the information below and we will provide the version in effect on any specific date you request.

Contact Information

If you have any questions, concerns, or requests related to this Privacy Policy - including requests to access, correct, or delete your personal information, or to opt out of any communications - please contact us using any of the following methods:

Jeff Norton - Founder, CareVixis

Jeff Norton is the founder of CareVixis and the direct point of contact for all privacy-related matters. Nothing is off the table. If you have a concern, Jeff will address it personally.

• Phone: (352) 897-8598
• Email: jeff@carevixis.com
• Website: www.carevixis.com
• Mailing Address: CareVixis Medical Practice Back-Office Solutions, United States

Phone lines are answered during normal business hours, Monday through Friday. Email inquiries are responded to within one business day. For urgent privacy or security concerns, call directly - do not rely solely on email.

If you are reaching out regarding a potential HIPAA-related concern or a suspected breach, please call (352) 897-8598 directly and identify the nature of your concern so that it can be escalated to our compliance and security personnel immediately.