Leela Mental Health

Website Privacy Policy

Effective Date: April 2, 2026 · Supersedes all prior versions

Leela Mental Health, Family Therapy Corporation, doing business as Leela Mental Health

1. Notice at Collection — What We Collect & Why

Information You Provide Directly

When you complete a contact form, consultation inquiry, or appointment request on this Website, we may collect:

  • Identifiers (CCPA Category A): Name, email address, phone number
  • Internet / Network Activity (CCPA Category F): Pages visited, session duration, IP address
  • Communication preferences: Your preferred method and timing of contact

We collect only what you choose to provide. Please do not submit detailed clinical history, diagnoses, or sensitive personal information through our website contact forms. Use the Simple Practice client portal for secure clinical communication.

Information Collected Automatically
When you visit this Website, the following data is collected automatically:

  • Internet / Network Activity (CCPA Category F): Pages visited, time on page, referring URL, session duration
  • Device and Technical Data (CCPA Category A/F): IP address, browser type, device type, operating system
  • Approximate Geolocation (CCPA Category G): Derived from IP address only — not precise GPS location. You have the right to limit our use of this data to purposes reasonably necessary to provide the services you request.

This data does not identify you by name and is used solely to maintain website security, measure performance, and improve content.

Scheduling and Intake Platforms

If you book an appointment or complete intake documents through our client portal (Simple Practice), that platform’s privacy practices apply. Simple Practice operates under a HIPAA Business Associate Agreement. Data entered there is clinical information governed by our HIPAA NPP, not this policy.

2. How We Use Your Information

We use website-collected information to:

  • Respond to your inquiry or consultation request
  • Schedule and confirm appointments
  • Send service-related communications (reminders, policy updates)
  • Analyze and improve website performance and content
  • Comply with legal and regulatory obligations

We do not use website inquiry data to make automated clinical decisions, and we do not combine it with your clinical records without your explicit consent.

3. When and With Whom We Share

We may share limited information with service providers under written contracts that restrict them to using your data only for services they provide to us:

  • Website hosting provider (Hostinger)
  • Scheduling and EHR platform (Simple Practice — HIPAA BAA in place)
  • Google Workspace — email, calendar, document management (HIPAA BAA in place)
  • Web analytics services (see Section 4)
  • Cookie consent management (Complianz) — stores visitor consent records for CCPA/CPRA compliance documentation.

We may disclose information as required by applicable law, court order, or to protect the safety of any individual.

Contact information submitted through this Website may be subject to the California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code §56 et seq.) to the extent it reveals health-seeking behavior. We treat all contact form submissions with the same confidentiality protections applied to clinical information and do not disclose them to third parties for any commercial purpose.

 

BUSINESS TRANSFERS
In the unlikely event of a practice acquisition, merger, or sale of assets, website data may transfer to a successor entity. Any transfer of clinical PHI will remain subject to HIPAA requirements and our Notice of Privacy Practices at all times.

4. Tracking Technologies, Analytics & The Pixel Problem

What We Use

This Website uses Google Analytics 4 to understand how visitors use the site. Google Analytics 4 collects anonymized usage data — page views, session duration, device type, and approximate location derived from IP address. It does not collect your name or contact information.

Our Google Analytics 4 property is configured as follows:

  • Google Signals is disabled. We do not link visitor sessions to Google account profiles or enable cross-device advertising audiences.
  • Data retention is set to 2 months. Raw event and user data is automatically deleted after 2 months.
  • IP anonymization is enabled. Full IP addresses are not stored.
  • Data sharing with Google is restricted. Google does not use data collected through this Website to improve its own products or serve advertising.
  • Google Analytics 4 is integrated with our cookie consent system. Visitors who decline analytics cookies are not tracked. GA4 receives and respects the consent signal from our cookie banner before collecting any data.

We do not use advertising pixels of any kind — including Meta Pixel, Pinterest Pixel, TikTok Pixel, or Google Ads remarketing tags — on this Website. We do not use behavioral data collected here to target advertising to you on other platforms.

Healthcare Tracking — Applicable Guidance and Our Position
HEALTHCARE TRACKING DISCLOSURE — HHS OCR GUIDANCE & COURT UPDATE
HHS OCR issued guidance in March 2024 addressing the use of tracking technologies on healthcare provider websites. A federal court subsequently vacated part of that guidance to the extent it characterized IP addresses on unauthenticated website pages as Protected Health Information (PHI). HIPAA’s full protections continue to apply to authenticated pages (such as patient portals).

Regardless of minimum legal requirements, our position is that the combination of a user’s IP address and their health-seeking behavior on this Website deserves careful handling. Our specific commitments:

  • We do not use advertising or retargeting pixels that transmit user identifiers to social media platforms
  • We configure analytics tools to anonymize IP addresses where that feature is available
  • We do not share page-level analytics (which service pages were visited) with any third party for commercial or advertising purposes
  • We do not use behavioral data collected on this Website to target advertising to you on other platforms

To prevent analytics collection: use a browser privacy extension, enable built-in tracking protection, or opt out of Google Analytics at: tools.google.com/dlpage/gaoptout

Cookies
Our Website uses cookies for basic functionality and analytics. You may configure your browser to refuse or delete cookies; some site features may not function if you do so. We do not use third-party advertising cookies or cross-site tracking cookies.

5. Google Voice, SMS & Unencrypted Communications

We use Google Voice as our primary phone system for incoming call routing and administrative communications. All appointment reminders are sent through our secure Simple Practice client portal. We will communicate with you by standard SMS only when you have initiated contact via SMS and have consented to receiving responses by that channel.
Security Disclosure — Unencrypted Communication Risk

Standard SMS/text messaging is not encrypted in transit and does not meet HIPAA’s technical security standards for transmitting Protected Health Information. Messages sent via standard text may theoretically be intercepted or accessed by unauthorized third parties.

Google Voice provides an administrative layer for call management but does not encrypt SMS messages end-to-end.

We will not send clinical content, session notes, diagnoses, or sensitive health information via text message. If you request to receive administrative communications from us via text, your acknowledgment of this risk and your consent to this channel will be documented in your intake paperwork through Simple Practice. If you prefer encrypted communication only, please notify us in writing — we will arrange secure messaging through the Simple Practice client portal instead.

Email

We use Google Workspace (Gmail) under a HIPAA Business Associate Agreement for email communication. Standard email is not end-to-end encrypted. We do not send sensitive clinical content by email without your prior written consent. For secure clinical communication, please use the Simple Practice client portal.

6. Data Retention

6.1 Contact and Inquiry Data (Name, email address, phone number — submitted through contact forms or direct email)

Retained for a maximum of 24 months from the date of submission, or until a clinical relationship is established, whichever occurs first.

  • If a clinical relationship is established: your contact information becomes part of your clinical record and is governed by Section 6.3 below.
  • If no clinical relationship is established: contact records are securely deleted after 24 months. Deletion applies across all systems where that information is stored, including our website database, email platform (Google Workspace), and administrative records.

The 24-month period reflects the time reasonably necessary to respond to inquiries, complete intake consultations, and determine whether a clinical relationship will be established — consistent with the purpose for which this information was collected.


6.2 Automatically Collected Technical Data (IP address, session duration, referring URL, browser type, device type, operating system — collected automatically as described in Section 1)

This data is processed across three separate systems, each with its own retention schedule:

System | Data | Retention
Hostinger (website infrastructure) | Clicks, visits, traffic activity | Maximum 7 days — Hostinger’s platform retains short-term traffic data only and does not maintain long-term traffic history
Google Analytics 4 | Anonymized session data, approximate geolocation | 2 months — automatically deleted per our GA4 account data retention settings
Complianz (cookie consent records) | Consent choice, timestamp, consent version | 3 years — retained solely to document regulatory compliance; not used for any other purpose

Note on Complianz consent records: When you interact with our cookie consent banner, a record of your choice is created. This record is retained for 3 years so that we can demonstrate, if audited by the California Privacy Protection Agency, that consent was properly obtained. This is a legal documentation requirement, not a marketing or analytics function.

Note on Google Analytics: GA4 is configured with restricted data processing and IP anonymization. We do not enable Google Signals. Data is not shared with Google for advertising purposes.


6.3 Clinical Records (Protected Health Information — governed by HIPAA and California law, not this Website Privacy Policy)

Clinical records — including intake documents, session notes, treatment plans, progress notes, and billing records — are maintained in SimplePractice, our HIPAA-compliant electronic health record platform.

Adult clients: Minimum 7 years from the date therapy is terminated.

Minor clients: Minimum 7 years from the date the client turns 18 — meaning records are retained at least until age 25 if therapy concluded before the client’s 18th birthday. Where therapy continued into adulthood, the 7-year period runs from the date of last service.

Authority: California Business and Professions Code §4980.49 (LMFT) and §4999.75 (LPCC).

Records may be retained beyond these minimum periods where required by law — including pending litigation, a regulatory investigation, or a mandatory reporting obligation.

Your right to deletion under California law (Section 9) does not override clinically mandated retention. We cannot delete records we are legally required to keep. For questions about your clinical records, refer to our HIPAA Notice of Privacy Practices or contact our Privacy Officer.


6.4 Secure Deletion

When information reaches the end of its applicable retention period, we use reasonable technical measures to render it unrecoverable — including deletion from active databases and removal from backup systems within our standard backup rotation cycle.

7. Security

This Website is secured using SSL/TLS encryption. We implement reasonable technical and organizational safeguards to protect information from unauthorized access, disclosure, or loss. No internet transmission is 100% secure; you transmit data to us at your own risk and we recommend using a secure, private network.

In the event of a breach of your personal information (as defined by California Civil Code §1798.82), we will notify affected individuals without unreasonable delay as required by California law. For breaches involving your clinical health information (PHI), separate notification obligations under HIPAA apply — see our Notice of Privacy Practices.

8. Children and Minors

This Website is not directed to children under 13, and we do not knowingly collect personal information from children under 13 through the Website. If you believe a child under 13 has submitted information through this Website, please contact us immediately at information@leelamentalhealth.com so we may delete it.

Minors who have the legal right to consent to their own mental health care under California Health & Safety Code §124260 may contact us directly. Please refer to the AB 1184 Confidential Communications section in our HIPAA Notice of Privacy Practices for information about how we protect the privacy of minors and individuals on another person’s insurance policy.

9. California Residents — Your Privacy Rights

California residents have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The table below reflects our Notice at Collection as required by Cal. Civ. Code §1798.100(a).

Categories of Personal Information Collected (Past 12 Months)

Category | Examples (Website Only) | Purpose | Collected | Retention
A. Identifiers | Name, email, phone, IP address | Respond to inquiries; analytics | Yes | 24 months
B. CA Customer Records | Name, contact information | Scheduling, communication | Yes | 24 months
C. Protected Classification | Age, gender (if submitted) | N/A — not actively collected | No | _
D. Commercial Information | Purchase or transaction history | N/A | No | _
E. Biometric Information | Fingerprints, facial recognition | N/A | No | _
F. Internet / Network Activity | Pages visited, session duration, IP | Website analytics; security | Yes | 2 months
G. Geolocation Data | Approximate location via IP only | Analytics (anonymized) | Approx. only | 2 months
H. Sensory / Audio / Visual | Recordings, photographs | N/A | No | _
I. Professional / Employment | Job title, employer | N/A | No | _
J. Education Information | Student records | N/A | No | _
K. Inferences | Profiles or behavioral characteristics | N/A — not created | No | _
L. Sensitive Personal Information | Health data (clinical records not collected via website). Note: 2026 CPRA also classifies "neural data" as SPI; not collected by this Website. | N/A — website only | No | _

We have not sold or shared personal information with any third party for commercial purposes in the past 12 months, and we do not intend to do so.

Your Rights Under California Law
Right to Know (Cal. Civ. Code §1798.110)
Request disclosure of the categories and specific pieces of personal information we hold about you, the purposes for collection, and any third parties with whom it has been shared. Under the CPRA, your right to know extends to personal information collected on or after January 1, 2022.
Right to Delete
Request deletion of personal information we hold, subject to exceptions required by law (including HIPAA-mandated clinical record retention).
Right to Correct
Request correction of inaccurate personal information we maintain.
Right to Opt Out of Sale or Sharing (Cal. Civ. Code §1798.120)
We do not sell or share personal information. No opt-out action is needed, but you may contact us at any time to confirm this in writing.
Right to Limit Use of Sensitive Information
We do not collect sensitive personal information (as defined by CPRA) through this Website beyond approximate geolocation data derived from IP address. You have the right to limit our use of geolocation data to purposes reasonably necessary to provide the services you request. Clinical PHI is governed by our HIPAA NPP.
Right to Non-Discrimination
We will not discriminate against you in any way for exercising your privacy rights under California law.
Authorized Agent
You may designate an authorized agent to submit a CPRA request on your behalf (Cal. Civ. Code §1798.130(a)(2)(B)). We may require proof of your agent’s authorization before processing the request.
No Financial Incentive Programs
We do not offer any financial incentive, discount, or service benefit tied to the collection or sale of your personal information (CPRA §1798.125).
Shine the Light — California Civil Code §1798.83
We do not disclose personal information to third parties for their own direct marketing purposes. California residents may request confirmation of this once per year by contacting us using the information in Section 12.
Minors — California Business and Professions Code §22581
California residents under 18 who have submitted information through this Website may request its removal by contacting us with their name and a description of the content. We will make reasonable efforts to remove the information, though we cannot guarantee removal from all third-party caches or archives.
Global Privacy Control (GPC)
The California Privacy Protection Agency’s regulations require businesses to honor browser-based opt-out preference signals, including the Global Privacy Control (GPC). If your browser transmits a GPC signal, we treat it as a request to opt out of the sale or sharing of your personal information. We honor this signal. Because we do not sell or share personal information, no data practices change when the signal is received — but the signal is recognized, logged, and confirmed as honored in accordance with California Privacy Protection Agency regulations (CPPA Reg. §7025–7026, effective January 1, 2026).
How to Submit a Request

To exercise any California privacy right, contact us by email or postal mail (see Section 12). We will verify your identity before processing your request and will respond within 45 days, with one possible extension of up to an additional 45 days where reasonably necessary. We will not charge a fee for a first request in any 12-month period. For website privacy requests (non-clinical), we verify identity by confirming the email address and/or phone number associated with the original inquiry. We will not require additional documentation unless the request involves sensitive information or the identity cannot be confirmed by the information provided.

To file a complaint with the California Privacy Protection Agency: cppa.ca.gov

10. Do Not Track

No uniform legal standard currently requires websites to respond to browser Do Not Track (DNT) signals. We do not currently alter data collection in response to DNT signals. For the Global Privacy Control (GPC), see Section 9 above. You may reduce analytics tracking by using a browser privacy extension or opting out of Google Analytics (see Section 4).

11. Updates to This Policy

We may update this Policy periodically. Material changes will be indicated by a new “Last Updated” date at the top of this page. Material changes to how previously collected personal information is used will not apply retroactively without your affirmative consent. Continued use of the Website after non-material updates constitutes acceptance of the revised Policy.

12. Contact Us

For privacy-related questions, requests, or complaints about this Website Privacy Policy:

Practice           Leela Mental Health, Family Therapy Corporation, dba Leela Mental Health
Attn               Privacy Officer — Moitreyee Chowdhury, LMFT #121934 | LPCC #9238
Location           220 California Ave, Suite 105, Palo Alto, CA 94306
Email              information@leelamentalhealth.com
Secure messaging   Simple Practice client portal

For clinical health information questions, refer to our HIPAA Notice of Privacy Practices.