Leela Mental Health

Website Privacy Policy

Effective Date: April 2, 2026 · Supersedes all prior versions

Leela Mental Health, Family Therapy Corporation, doing business as Leela Mental Health

CALIFORNIA NOTICE AT COLLECTION — CCPA/CPRA §1798.100(a)
This policy governs information collected through leelamentalhealth.com only. It is not a HIPAA Notice of Privacy Practices. Your clinical health information (Protected Health Information) is governed separately by our HIPAA Notice of Privacy Practices.
We do not sell or share your personal information with third parties for their commercial purposes.

1. Notice at Collection — What We Collect & Why

Information You Provide Directly

When you complete a contact form, consultation inquiry, or appointment request on this Website, we may collect:

  • Identifiers (CCPA Category A): Name, email address, phone number
  • Internet / Network Activity (CCPA Category F): Pages visited, session duration, IP address
  • Communication preferences: Your preferred method and timing of contact

We collect only what you choose to provide. Please do not submit detailed clinical history, diagnoses, or sensitive personal information through our website contact forms. Use the Simple Practice client portal for secure clinical communication.

Information Collected Automatically
When you visit this Website, the following data is collected automatically:

  • Internet / Network Activity (CCPA Category F): Pages visited, time on page, referring URL, session duration
  • Device and Technical Data (CCPA Category A/F): IP address, browser type, device type, operating system
  • Approximate Geolocation (CCPA Category G): Derived from IP address only — not precise GPS location. You have the right to limit our use of this data to purposes reasonably necessary to provide the services you request.

This data does not identify you by name and is used solely to maintain website security, measure performance, and improve content.

Scheduling and Intake Platforms

If you book an appointment or complete intake documents through our client portal (Simple Practice), that platform’s privacy practices apply. Simple Practice operates under a HIPAA Business Associate Agreement. Data entered there is clinical information governed by our HIPAA NPP, not this policy.

2. How We Use Your Information

We use website-collected information to:

  • Respond to your inquiry or consultation request
  • Schedule and confirm appointments
  • Send service-related communications (reminders, policy updates)
  • Analyze and improve website performance and content
  • Comply with legal and regulatory obligations

We do not use website inquiry data to make automated clinical decisions, and we do not combine it with your clinical records without your explicit consent.

3. When and With Whom We Share

We will never sell, rent, or lease your personal information to any third party.
We may share limited information with service providers under written contracts that restrict them to using your data only for services they provide to us:

  • Website hosting provider (Hostinger)
  • Scheduling and EHR platform (Simple Practice — HIPAA BAA in place)
  • Google Workspace — email, calendar, document management (HIPAA BAA in place)
  • Web analytics services (see Section 4)

We may disclose information as required by applicable law, court order, or to protect the safety of any individual.

BUSINESS TRANSFERS
In the unlikely event of a practice acquisition, merger, or sale of assets, website data may transfer to a successor entity. Any transfer of clinical PHI will remain subject to HIPAA requirements and our Notice of Privacy Practices at all times.

4. Tracking Technologies, Analytics & The Pixel Problem

What We Use
This Website uses cookies and may use Google Analytics or similar web analytics tools to understand how visitors use the site. These tools collect anonymized usage data: page views, session duration, device type, and approximate location. We do not use advertising pixels (such as Meta Pixel or Pinterest Pixel) on this Website.
Healthcare Tracking — Applicable Guidance and Our Position
HEALTHCARE TRACKING DISCLOSURE — HHS OCR GUIDANCE & COURT UPDATE
HHS OCR issued guidance in March 2024 addressing the use of tracking technologies on healthcare provider websites. A federal court subsequently vacated part of that guidance to the extent it characterized IP addresses on unauthenticated website pages as Protected Health Information (PHI). HIPAA’s full protections continue to apply to authenticated pages (such as patient portals).

Regardless of minimum legal requirements, our position is that the combination of a user’s IP address and their health-seeking behavior on this Website deserves careful handling. Our specific commitments:

  • We do not use advertising or retargeting pixels that transmit user identifiers to social media platforms
  • We configure analytics tools to anonymize IP addresses where that feature is available
  • We do not share page-level analytics (which service pages were visited) with any third party for commercial or advertising purposes
  • We do not use behavioral data collected on this Website to target advertising to you on other platforms

To prevent analytics collection: use a browser privacy extension, enable built-in tracking protection, or opt out of Google Analytics at: tools.google.com/dlpage/gaoptout

Cookies
Our Website uses cookies for basic functionality and analytics. You may configure your browser to refuse or delete cookies; some site features may not function if you do so. We do not use third-party advertising cookies or cross-site tracking cookies.

5. Google Voice, SMS & Unencrypted Communications

We use Google Voice as our primary phone system for incoming call routing and administrative communications. All appointment reminders are sent through our secure Simple Practice client portal. We will communicate with you by standard SMS only when you have initiated contact via SMS and have consented to receiving responses by that channel.
Security Disclosure — Unencrypted Communication Risk

Standard SMS/text messaging is not encrypted in transit and does not meet HIPAA’s technical security standards for transmitting Protected Health Information. Messages sent via standard text may theoretically be intercepted or accessed by unauthorized third parties.

Google Voice provides an administrative layer for call management but does not encrypt SMS messages end-to-end.

We will not send clinical content, session notes, diagnoses, or sensitive health information via text message. If you request to receive administrative communications from us via text, your acknowledgment of this risk and your consent to this channel will be documented in your intake paperwork through Simple Practice. If you prefer encrypted communication only, please notify us in writing — we will arrange secure messaging through the Simple Practice client portal instead.

Email

We use Google Workspace (Gmail) under a HIPAA Business Associate Agreement for email communication. Standard email is not end-to-end encrypted. We do not send sensitive clinical content by email without your prior written consent. For secure clinical communication, please use the Simple Practice client portal.

6. Retention

We collect only name, phone number, and email address through this Website. That contact information is retained for a maximum of 24 months from the date of submission, or until a clinical relationship is established, whichever comes first. If a clinical relationship is established, your contact information becomes part of your clinical record and is governed by the clinical retention policy below. Contact records that do not result in a client relationship are securely deleted after 24 months.

Analytics data (session data, anonymized IP) is retained for 2 months as configured in Google Analytics.

Clinical records are retained in accordance with California BPC §4980.49 (LMFT) and §4999.75 (LPCC): minimum 7 years from date of termination for adult clients; minimum 7 years from the date the client reaches age 18 for minor clients (at least until age 25 if therapy ended before age 18).

7. Security

This Website is secured using SSL/TLS encryption. We implement reasonable technical and organizational safeguards to protect information from unauthorized access, disclosure, or loss. No internet transmission is 100% secure; you transmit data to us at your own risk and we recommend using a secure, private network.

8. Children and Minors

This Website is not directed to children under 13, and we do not knowingly collect personal information from children under 13 through the Website. If you believe a child under 13 has submitted information through this Website, please contact us immediately at information@leelamentalhealth.com so we may delete it.

Minors who have the legal right to consent to their own mental health care under California Health & Safety Code §124260 may contact us directly. Please refer to the AB 1184 Confidential Communications section in our HIPAA Notice of Privacy Practices for information about how we protect the privacy of minors and individuals on another person’s insurance policy.

9. California Residents — Your Privacy Rights

California residents have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The table below reflects our Notice at Collection as required by Cal. Civ. Code §1798.100(a).

Categories of Personal Information Collected (Past 12 Months)

| Category | Examples (Website Only) | Purpose | Collected | Retention |
| --- | --- | --- | --- | --- |
| A. Identifiers | Name, email, phone, IP address | Respond to inquiries; analytics | Yes | 24 months |
| B. CA Customer Records | Name, contact information | Scheduling, communication | Yes | 24 months |
| C. Protected Classification | Age, gender (if submitted) | N/A — not actively collected | No | _ |
| D. Commercial Information | Purchase or transaction history | N/A | No | _ |
| E. Biometric Information | Fingerprints, facial recognition | N/A | No | _ |
| F. Internet / Network Activity | Pages visited, session duration, IP | Website analytics; security | Yes | 2 months |
| G. Geolocation Data | Approximate location via IP only | Analytics (anonymized) | Approx. only | 2 months |
| H. Sensory / Audio / Visual | Recordings, photographs | N/A | No | _ |
| I. Professional / Employment | Job title, employer | N/A | No | _ |
| J. Education Information | Student records | N/A | No | _ |
| K. Inferences | Profiles or behavioral characteristics | N/A — not created | No | _ |
| L. Sensitive Personal Information | Health data (clinical records not collected via website). Note: 2026 CPRA also classifies "neural data" as SPI; not collected by this Website. | N/A — website only | No | _ |

We have not sold or shared personal information with any third party for commercial purposes in the past 12 months, and we do not intend to do so.

Your Rights Under California Law
Right to Know (Cal. Civ. Code §1798.110)
Request disclosure of the categories and specific pieces of personal information we hold about you, the purposes for collection, and any third parties with whom it has been shared. Under the CPRA, your right to know extends to personal information collected on or after January 1, 2022.
Right to Delete
Request deletion of personal information we hold, subject to exceptions required by law (including HIPAA-mandated clinical record retention).
Right to Correct
Request correction of inaccurate personal information we maintain.
Right to Opt Out of Sale or Sharing (Cal. Civ. Code §1798.120)
We do not sell or share personal information. No opt-out action is needed, but you may contact us at any time to confirm this in writing.
Right to Limit Use of Sensitive Information
We do not collect sensitive personal information (as defined by CPRA) through this Website beyond approximate geolocation data derived from IP address. You have the right to limit our use of geolocation data to purposes reasonably necessary to provide the services you request. Clinical PHI is governed by our HIPAA NPP.
Right to Non-Discrimination
We will not discriminate against you in any way for exercising your privacy rights under California law.
Authorized Agent
You may designate an authorized agent to submit a CPRA request on your behalf (Cal. Civ. Code §1798.130(a)(2)(B)). We may require proof of your agent’s authorization before processing the request.
No Financial Incentive Programs
We do not offer any financial incentive, discount, or service benefit tied to the collection or sale of your personal information (CPRA §1798.125).
Shine the Light — California Civil Code §1798.83
We do not disclose personal information to third parties for their own direct marketing purposes. California residents may request confirmation of this once per year by contacting us using the information in Section 12.
Minors — California Business and Professions Code §22581
California residents under 18 who have submitted information through this Website may request its removal by contacting us with their name and a description of the content. We will make reasonable efforts to remove the information, though we cannot guarantee removal from all third-party caches or archives.
Global Privacy Control (GPC)
The California Privacy Protection Agency’s regulations require businesses to honor browser-based opt-out preference signals, including the Global Privacy Control (GPC). If your browser transmits a GPC signal, we treat it as a request to opt out of the sale or sharing of your personal information. We honor this signal. Because we do not sell or share personal information, no data practices change when the signal is received — but the signal is recognized, logged, and confirmed as honored in accordance with California Privacy Protection Agency regulations (CPPA Reg. §7025–7026, effective January 1, 2026).
How to Submit a Request

To exercise any California privacy right, contact us by email or postal mail (see Section 12). We will verify your identity before processing your request and will respond within 45 days, with one possible extension of up to an additional 45 days where reasonably necessary. We will not charge a fee for a first request in any 12-month period.

To file a complaint with the California Privacy Protection Agency: cppa.ca.gov

10. Do Not Track

No uniform legal standard currently requires websites to respond to browser Do Not Track (DNT) signals. We do not currently alter data collection in response to DNT signals. For the Global Privacy Control (GPC), see Section 9 above. You may reduce analytics tracking by using a browser privacy extension or opting out of Google Analytics (see Section 4).

11. Updates to This Policy

We may update this Policy periodically. Material changes will be indicated by a new “Last Updated” date at the top of this page. Material changes to how previously collected personal information is used will not apply retroactively without your affirmative consent. Continued use of the Website after non-material updates constitutes acceptance of the revised Policy.

12. Contact Us

For privacy-related questions, requests, or complaints about this Website Privacy Policy:

Practice            Leela Mental Health, Family Therapy Corporation, dba Leela Mental Health
Attn                Privacy Officer — Moitreyee Chowdhury, LMFT #121934 | LPCC #9238
Location            220 California Ave, Suite 105, Palo Alto, CA 94306
Email               information@leelamentalhealth.com
Secure messaging    Simple Practice client portal

For clinical health information questions, refer to our HIPAA Notice of Privacy Practices.