Privacy Policy
Last Updated: 16 April 2026
Effective Date: 19 July 2023
1. Who We Are
Chiropractic Outcomes OÜ ("Company," "we," "us," or "our") is a company incorporated in Estonia. We operate the Chiropractic Outcomes platform (chiropracticoutcomes.com), a software-as-a-service tool that enables chiropractic practitioners to collect, organize, and display patient outcomes data.
For the purposes of applicable data protection law, Chiropractic Outcomes OÜ acts as a data processor on behalf of our practitioner clients (who are the data controllers) when processing patient data. Where we collect data directly from you (e.g. account registration), we act as data controller in our own right.
Our registered address is: Tornimäe tn 3-7, 10145 Tallinn, Estonia
2. Purpose and Scope of This Policy
This Privacy Policy explains how Chiropractic Outcomes OÜ collects, uses, stores, shares, and protects your personal data when you use our platform. It applies to:
- Chiropractic practitioners and clinic staff who register accounts ("Practitioners");
- Patients whose outcome data is entered into the platform ("Patients"); and
- Visitors to our website (chiropracticoutcomes.com).
This Policy should be read alongside any separate agreements between your clinic and Chiropractic Outcomes OÜ (e.g. a Data Processing Agreement / Business Associate Agreement).
3. HIPAA Notice (U.S. Users)
Where our platform is used by U.S.-based healthcare practitioners covered by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Chiropractic Outcomes OÜ acts as a Business Associate as defined under HIPAA and its implementing regulations (45 C.F.R. Parts 160 and 164).
Practitioner clients who are HIPAA Covered Entities must execute a Business Associate Agreement ("BAA") with Chiropractic Outcomes OÜ before using the platform to process Protected Health Information ("PHI"). Please contact support@chiropracticoutcomes.com to request a BAA.
As a Business Associate, Chiropractic Outcomes OÜ agrees to:
- Use and disclose PHI only as permitted by the BAA and HIPAA;
- Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI) in accordance with the HIPAA Security Rule (45 C.F.R. § 164.312);
- Report any breach of unsecured PHI to the applicable Covered Entity without unreasonable delay and no later than 60 days after discovery, in accordance with the HIPAA Breach Notification Rule (45 C.F.R. § 164.410);
- Ensure that any subcontractors or sub-processors who handle PHI on our behalf also agree to HIPAA-equivalent obligations; and
- Make available records and policies to the U.S. Department of Health and Human Services (HHS) as required for compliance investigations.
Patients who believe their rights under HIPAA have been violated may file a complaint with the HHS Office for Civil Rights at: https://www.hhs.gov/ocr/privacy/hipaa/complaints/
4. What Personal Data We Collect
We collect the following categories of personal data, depending on your relationship with the platform:
4a. Data from Practitioners (Account Holders)
- Name, email address, and clinic/practice details;
- Account login credentials (passwords are stored in hashed form only);
- Billing information (processed via our payment provider — we do not store full card details);
- Usage data and platform activity logs.
4b. Data from or about Patients
- Name, contact details;
- Health outcomes data, symptom ratings, survey responses, and treatment progress metrics entered by the patient;
- This data constitutes Special Category data under GDPR (Article 9) and Protected Health Information (PHI) under HIPAA and is treated with the highest level of protection.
4c. Technical & Usage Data
- IP address, browser type, device identifiers;
- Cookies and similar tracking technologies (see Section 11 below);
- Platform interaction logs for security and performance monitoring.
We do not use patient health data for advertising, profiling, or any commercial purpose unrelated to delivering the platform.
5. Legal Basis for Processing (GDPR)
For users in the EEA and UK, we rely on the following legal bases under the UK/EU GDPR:
For Practitioner account data:
- Article 6(1)(b) — Performance of a contract (your subscription agreement with us);
- Article 6(1)(c) — Compliance with legal obligations (e.g. data retention laws, tax records);
- Article 6(1)(f) — Legitimate interests (platform security, fraud prevention, product improvement).
For Patient health data (Special Category — Article 9 GDPR):
- Article 9(2)(h) — Healthcare purposes: processing necessary for the provision of health or social care treatment, managed by a health professional subject to professional secrecy obligations;
- Article 9(2)(a) — Explicit consent (where required and obtained by the practitioner from their patient).
Where the practitioner is the data controller for patient data, it is the practitioner's responsibility to establish and document the appropriate legal basis for that processing.
For marketing communications:
- Article 6(1)(a) — Consent: you can withdraw consent at any time by clicking 'unsubscribe' in any email or contacting us.
6. How We Use Your Personal Data
We use personal data only for the purposes listed below:
- To provide, operate, and improve the Chiropractic Outcomes platform;
- To create and manage your account;
- To process subscription payments;
- To provide technical support and respond to queries;
- To communicate platform updates, maintenance windows, and service notices;
- To detect, prevent, and respond to security incidents, fraud, and abuse;
- To compile anonymized, aggregated analytics about platform usage (no individual can be identified from this data);
- To comply with legal obligations, including responding to lawful requests from regulators or law enforcement.
We will not use your data for automated decision-making or profiling that produces legal or similarly significant effects without your explicit consent.
7. Sharing Your Personal Data
We share personal data only as described below. We do not sell, rent, or trade personal data to any third party.
- With Practitioner clients: patient outcome data is accessible to the patient's treating practitioner and authorized clinic staff;
- With sub-processors: we use carefully vetted third-party service providers for cloud hosting, email delivery, payment processing, and analytics. A full list of sub-processors is available on request at support@chiropracticoutcomes.com;
- With third-party integrations: only those integrations expressly authorized by the practitioner client in their account settings;
- With regulators or law enforcement: where required by law, court order, or to protect our legal rights;
- In the event of a business transfer: if Chiropractic Outcomes OÜ is involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
8. International Data Transfers
Your personal data may be stored and processed in the United States and/or within the European Economic Area (EEA). Where data is transferred from the EEA or UK to a country that does not provide an equivalent level of data protection (such as the United States), we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (for EEA transfers);
- UK International Data Transfer Agreements (IDTAs) (for UK transfers);
- Transfer Impact Assessments (TIAs) where required.
You may request a copy of the applicable safeguards by contacting us at support@chiropracticoutcomes.com.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, or as required by applicable law. Our standard retention periods are:
- Practitioner account data: retained for the duration of the active subscription plus 3 years, unless a longer period is required by law;
- Patient health/outcome data: retained in accordance with the practitioner's instruction and applicable clinical records retention requirements (which vary by jurisdiction — typically 7–10 years);
- Billing records: 7 years from the date of the transaction (tax/accounting requirements);
- Security logs: 12 months;
- Marketing consent records: for the duration of the consent plus 3 years.
Upon expiry of the applicable retention period, data is securely deleted or anonymized in accordance with our Data Deletion Procedure. You may request early deletion subject to any overriding legal retention obligations (see Section 10).
Upon termination of services, practitioner clients may request the return or deletion of all patient data within a reasonable period, subject to any overriding legal or regulatory retention obligations.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any right, contact us at support@chiropracticoutcomes.com. We will respond within 30 days (extendable to 60 days for complex requests).
Rights under EU/UK GDPR:
- Right of access (Article 15) — obtain a copy of your data and information about how it is processed;
- Right to rectification (Article 16) — correct inaccurate or incomplete data;
- Right to erasure (Article 17) — request deletion of your data ('right to be forgotten'), subject to legal retention obligations;
- Right to restriction (Article 18) — request we limit processing while a dispute is resolved;
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format;
- Right to object (Article 21) — object to processing based on legitimate interests;
- Right to withdraw consent — at any time, without affecting prior lawful processing;
- Right to lodge a complaint — with your national Data Protection Authority (DPA). For Estonia: Andmekaitse Inspektsioon (www.aki.ee). For the UK: ICO (www.ico.org.uk).
Rights under California law (CCPA/CPRA):
- Right to know the categories and specific pieces of personal information collected;
- Right to delete personal information;
- Right to correct inaccurate personal information;
- Right to opt-out of sale/sharing (we do not sell or share personal information);
- Right to non-discrimination for exercising privacy rights.
Rights under Brazilian LGPD:
- Rights equivalent to those listed under GDPR above apply to Brazilian data subjects.
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website and platform. These include:
- Strictly necessary cookies: required for the platform to function (e.g. session authentication). These cannot be disabled.
- Analytics cookies: help us understand how the platform is used (e.g. Google Analytics).
- Marketing/advertising cookies: we currently do not use advertising cookies on the logged-in platform.
12. Data Security
We implement industry-standard technical and organizational security measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256);
- Role-based access controls limiting data access to authorized personnel only;
- Regular security assessments and penetration testing;
- Multi-factor authentication (MFA) options for practitioner accounts;
- Employee data protection training and confidentiality obligations.
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33) and notify affected individuals without undue delay where the breach is likely to result in a high risk (GDPR Article 34).
For U.S. users, HIPAA breach notification obligations are described in Section 3 above.
13. Children's Privacy
Our platform is not directed at children. Where a practitioner enters health data relating to a minor patient, the practitioner is responsible for ensuring appropriate consent from the minor's parent or legal guardian has been obtained under applicable law.
We do not knowingly collect personal data directly from children under 13 (US) or under 16 (EU/UK). If we become aware that we have inadvertently collected such data, we will delete it promptly. Contact us at support@chiropracticoutcomes.com if you believe we hold personal data of a minor without appropriate consent.
14. Changes to Processing Purposes
If we wish to use your personal data for a new purpose not described in this Policy, we will provide you with a new or updated notice prior to commencing that processing and, where required, seek your consent.
15. Updates to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by displaying a prominent notice on the platform at least 30 days before the changes take effect. The updated Policy will include a revised 'Last Updated' date at the top of the document. Your continued use of the platform after the effective date constitutes acceptance of the updated Policy.
16. Contact Us / Data Protection Queries
If you have questions, complaints, or requests regarding this Privacy Policy or how we handle your data, please contact:
Chiropractic Outcomes OÜ
Email: support@chiropracticoutcomes.com
Tornimäe tn 3-7
10145 Tallinn, Estonia
Data Protection Officer (DPO): We have determined that appointment of a DPO is not mandatory for our processing activities; however, all data protection queries should be directed to Brock McCurdy at the email contact above.
You have the right to lodge a complaint with your local supervisory authority at any time. We would, however, appreciate the opportunity to address your concerns before you approach a regulator.
