Privacy Policy

1. Introduction

Welcome to Bliik. We are committed to protecting your privacy and being transparent about how we collect, use, and share your personal information.

Who We Are:
Bliik ("we," "us," or "our") is a digital platform that connects families seeking Applied Behavior Analysis (ABA) therapy for individuals with autism, with qualified ABA therapists and clinical supervisors. We operate three interconnected systems:

• Bliik.Families - For parents and caregivers seeking therapy services
• Bliik.Therapists - For ABA therapists (BCBAs and RBTs) seeking clients
• Bliik.Supervisors - For clinical supervisors providing oversight

What This Policy Covers:
This Privacy Policy applies to all information collected through our website at www.bliik.com and our Families, Therapists, and Supervisors portals.

2. Information We Collect

A. Information You Provide Directly

For Families:

When you create a family account or request therapy services, we collect:

• Contact Information: Your name, email address, phone number, home address, and zip code
• Child Information: Your child's first name, age, date of birth, and autism diagnosis information
• Health Information: Diagnosis details, assessment results (such as ADOS or CARS scores), current behaviors, therapy goals, and treatment history
• Insurance Information: Insurance provider, policy number, group number, subscriber name, and authorization details
• Emergency Contacts: Names and phone numbers of emergency contacts
• Preferences: Preferred therapist characteristics (such as gender preference), availability, location preferences, and communication preferences
• Payment Information: Credit card or bank account information (processed securely through our payment processor)

For Therapists:

When you create a therapist account, we collect:

• Personal Information: Full name, email address, phone number, home address
• Professional Information: Credentials (BCBA, BCaBA, RBT), license numbers, certifications, work history, and professional references
• Background Check Information: Information required for criminal background checks and credential verification (we do not store Social Security Numbers)
• Professional Liability Insurance: Insurance provider and policy details
• Banking Information: Bank account details for payment deposits
• Availability: Work schedule preferences, service areas, and client preferences

For Supervisors:

When you create a supervisor account, we collect:

• Professional Credentials: BCBA certification, state licenses, specializations
• Clinical Expertise: Assessment tool certifications (ADOS-2, CARS-2, Vineland-3, ADI-R), areas of clinical focus
• Contact Information: Name, email, phone number, professional address
• Banking Information: For payment processing

B. Information Collected Automatically

When you visit our website or use our platform, we automatically collect:

• Device Information: Device type, operating system, browser type and version
• Usage Information: Pages visited, time spent on pages, links clicked, features used
• IP Address and Location: Your IP address and approximate geographic location (city and state level, via ipapi.co)
• Language Preference: Browser language settings
• Cookies and Tracking Technologies: Information collected through cookies, web beacons, and similar technologies (see Section 9 for details)

Within the Platform:

• Session Logs: Date, time, duration, and location of therapy sessions
• Communication Logs: Messages exchanged between families, therapists, and supervisors through our platform
• Progress Notes: Clinical documentation entered by therapists and supervisors
• System Access Logs: Login times, IP addresses, and actions taken within the platform

C. Information from Third Parties

We may receive information about you from third-party sources, including:

• Insurance Verification Services: Coverage details, benefit information, and authorization status
• Background Check Providers: Criminal history results and professional credential verification (for therapists only)
• Professional Licensing Boards: License status and disciplinary action information (for therapists and supervisors)
• Payment Processors: Transaction confirmation and payment status

3. How We Use Your Information

We use the information we collect for the following purposes:

A. To Provide and Improve Our Services

• Matching: Connect families with qualified therapists based on location, availability, insurance, and clinical needs
• Scheduling: Coordinate therapy sessions between families and therapists
• Clinical Services: Enable therapists to document sessions, track progress, and create treatment plans
• Supervision: Allow supervisors to review treatment plans, provide clinical oversight, and sign off on documentation
• Communication: Facilitate secure messaging between families, therapists, and supervisors
• Platform Improvement: Analyze usage patterns to improve our matching algorithms and user experience

B. To Process Payments and Insurance Claims

• Verify insurance coverage and benefits
• Obtain prior authorizations for therapy services
• Submit insurance claims on behalf of therapists
• Process payments between families, therapists, and Bliik
• Generate invoices and receipts
• Comply with tax reporting requirements

C. To Ensure Safety and Quality

• Conduct background checks on therapists
• Verify professional credentials and licenses
• Monitor platform usage for fraud and abuse
• Investigate complaints and safety concerns
• Ensure compliance with ABA ethical standards (BACB Ethics Code)

D. To Communicate with You

• Send appointment reminders and service notifications
• Provide customer support via live chat, email, or phone
• Send important updates about your account or our services
• Send marketing communications (only with your consent, and you can unsubscribe at any time)
• Conduct user satisfaction surveys

E. To Comply with Legal Obligations

• Respond to legal requests, court orders, and subpoenas
• Comply with healthcare record retention requirements
• Report to state licensing boards when required
• Maintain records for tax and financial audits
• Protect the rights, property, and safety of Bliik, our users, and the public

Legal Bases for Processing (GDPR/LGPD)

For users in jurisdictions requiring specific legal bases for data processing (such as the EU, Brazil, and certain US states), we process your information based on:

• Consent: When you give us explicit permission (e.g., marketing emails, optional analytics)
• Contractual Necessity: To provide the services you've requested (e.g., matching, scheduling, payments)
• Legal Obligation: To comply with applicable laws (e.g., record retention, tax reporting)
• Legitimate Interests: For fraud prevention, security, and platform improvement (where not outweighed by your privacy rights)
• Vital Interests: In emergency situations affecting health or safety
• Healthcare Provision: For providing health services and clinical care coordination

4. How We Share Your Information

We do NOT sell your personal information to anyone.

We share your information only in the following circumstances:

A. Within the Bliik Platform (Between User Types)

Families ↔ Therapists:

• Therapists can see: Your child's first name, age, general diagnosis information (autism spectrum disorder), therapy goals, location (city/neighborhood), insurance information (for billing purposes), and session scheduling details
• Families can see: Therapist's full name, credentials (BCBA, RBT, etc.), professional photo, experience level, bio, availability, location (general area), and rates (if self-pay)
• Why this is necessary: To match families with appropriate therapists and facilitate therapy services

Supervisors ↔ Therapists & Families:

• Supervisors can see: All clinical information necessary for supervision, including assessment results, treatment plans, session notes, and progress data
• Why this is necessary: ABA therapy requires clinical supervision by a BCBA. Supervisors need access to clinical data to ensure quality care and meet insurance requirements

B. With Third-Party Service Providers

We share information with trusted third-party companies that help us operate our platform. These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

Current Service Providers:

• Google Analytics - Website analytics and usage statistics
• Tawk.to - Live chat customer support
• ipapi.co - IP-based geolocation for language detection (city/state level only)
• Cloud Hosting Provider (Azure) - Secure data storage and platform hosting

Future Service Providers (when implemented):

• Payment Processor - Credit card and ACH payment processing
• Insurance Verification Service - Coverage checks and prior authorization
• Background Check Provider - Criminal background and credential verification for therapists
• Email Service Provider - Transactional and marketing emails

C. For Legal Reasons

We may disclose your information if required by law or if we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations, court orders, subpoenas, or government requests
• Enforce our Terms of Service or other agreements
• Protect the rights, property, or safety of Bliik, our users, or the public
• Investigate fraud, security breaches, or violations of our policies
• Respond to emergency situations involving health or safety risks

D. In Connection with Business Transfers

If Bliik is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred to the new entity. We will notify you via email and/or a prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

E. With Your Consent

We may share your information for any other purpose with your explicit consent.

5. Data Security

We take the security of your personal and health information seriously. We implement industry-standard technical and organizational measures to protect your data from unauthorized access, disclosure, alteration, or destruction.

Technical Safeguards:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using SSL/TLS (HTTPS) protocols
• Encryption at Rest: Sensitive data stored in our databases is encrypted
• Access Controls: Role-based access controls ensure users can only access information necessary for their role
• Authentication: Password-protected accounts with option for multi-factor authentication (MFA)
• Secure Infrastructure: Platform hosted on secure cloud servers with regular security updates
• Audit Logging: We maintain logs of all access to health information for security monitoring

Organizational Safeguards:

• Employee Training: All employees receive training on data protection and privacy
• Confidentiality Agreements: Employees and contractors sign confidentiality agreements
• Limited Access: Access to personal information is limited to employees who need it
• Incident Response Plan: We have procedures in place to respond to security incidents
• Regular Security Assessments: We conduct periodic security audits and vulnerability assessments

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods:

Active Accounts:

• Account Information: Retained for the duration of your account plus 30 days after account deletion
• Therapy Session Data: Retained for the duration of treatment plus the period required by healthcare record laws (varies by state, typically 5-7 years, longer for minors)
• Communication Logs: Retained for the duration of your account
• Payment Records: Retained for 7 years to comply with IRS and tax regulations

After Account Deletion:

• Immediate Deletion: Most personal information is deleted within 30 days
• Legal Retention: Some information must be retained longer (healthcare records, financial records, legal disputes)
• De-Identified Data: We may retain de-identified or aggregated data indefinitely for research
• Backup Systems: Deleted data may persist in backup systems for up to 90 days

7. Your Privacy Rights

Depending on where you live, you may have certain rights regarding your personal information.

Rights Available to All Users:

• Right to Access: Request a copy of the personal information we have about you
• Right to Correction: Request that we correct inaccurate or incomplete information
• Right to Deletion: Request that we delete your personal information (subject to legal retention requirements)
• Right to Opt-Out of Marketing: Unsubscribe from marketing emails at any time
• Right to Data Portability: Receive your personal information in a machine-readable format

How to Exercise Your Rights:

• Email: privacy@bliik.com
• Online Form: [Link to privacy request form - to be created]
• Mail: Bliik Privacy Team, [Physical Address - to be added]

Response Time:

• US Residents: We will respond within 45 days (may be extended by an additional 45 days for complex requests)
• Brazilian Residents: We will respond within a reasonable time, typically within 15 days

No Discrimination: We will not discriminate against you for exercising your privacy rights. You will receive the same quality of service whether or not you exercise your rights.

8. Children's Privacy

Protecting children's privacy is extremely important to us. We comply with the Children's Online Privacy Protection Act (COPPA) and similar laws worldwide.

Our Commitment:

• No Direct Collection from Children: Bliik does not knowingly collect personal information directly from children under 13 without verifiable parental consent
• Parent-Controlled Accounts: All accounts are created and controlled by parents or legal guardians
• Limited Child Information: We only collect information about children necessary to provide therapy services

Parental Control and Rights:

As a parent or legal guardian, you have the right to:

• Review: Access all information we have collected about your child
• Correct: Request corrections to your child's information
• Delete: Request deletion of your child's information (subject to legal record retention)
• Refuse Collection: Refuse to allow further collection or use of your child's information
• Control Communications: All notifications are sent to the parent/guardian, not the child

Therapist Interaction with Children:

• Therapists interact with children as part of providing clinical ABA therapy services
• All therapy session data is controlled by parents/guardians and clinical supervisors
• Therapists are bound by professional ethics codes (BACB Ethics Code)

If We Learn of Improper Collection: If we learn that we have collected personal information from a child under 13 without proper parental consent, we will delete that information as quickly as possible. If you believe we have collected information from your child without consent, please contact us immediately at privacy@bliik.com.

9. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to improve your experience on our website and platform.

What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and improve your experience.

Types of Cookies We Use:

1. Essential Cookies (Cannot Be Disabled):

• Session Management: Keep you logged in as you navigate the platform
• Security: Protect against cross-site request forgery (CSRF) attacks
• Load Balancing: Ensure the platform runs smoothly

2. Analytics Cookies (Optional):

• Google Analytics: Understand how visitors use our website
• Analytics ID: G-TEY0Q6RLD8
• What we learn: Which pages are popular, how long visitors stay, where visitors come from

3. Functional Cookies (Optional):

• bliik_lang: Remembers your language preference (expires after 1 year)
• User Preferences: Remembers your settings and preferences

4. Third-Party Cookies:

• Tawk.to (Live Chat): Enables the live chat widget

How to Control Cookies:

• Browser Settings: Block all cookies or block third-party cookies
• Opt-Out of Google Analytics: Install the Google Analytics Opt-Out Browser Add-on
• Do Not Track (DNT): We do not currently respond to DNT signals

10. International Data Transfers

Bliik is based in the United States. If you access our platform from outside the US, your information will be transferred to, stored, and processed in the United States.

Safeguards for International Transfers:

• Encryption: All data is encrypted during transfer (SSL/TLS) and at rest
• Access Controls: Strict limits on who can access your data
• Contractual Protections: Data Processing Agreements (DPAs) with all service providers
• Security Audits: Regular security assessments and vulnerability testing

For Brazilian Users (LGPD Compliance):

If you are a user in Brazil, we comply with LGPD requirements for international data transfers:

• Legal Mechanism: We use Standard Contractual Clauses (SCCs) to ensure adequate protection for your data
• Your Rights: You have the right to obtain information about the safeguards we use for international transfers

11. Third-Party Links

Our website and platform may contain links to third-party websites, including insurance provider portals, professional licensing boards, and social media platforms.

We are not responsible for the privacy practices of these third-party websites. When you click on a third-party link, you leave our platform and are subject to that website's privacy policy and terms of service.

We encourage you to read the privacy policies of any third-party websites you visit.

12. Marketing Communications

Opt-In Required For:

We will only send you marketing communications if you have given us permission:

• Marketing Emails: Newsletters, promotions, and product updates
• SMS/Text Messages: Promotional texts (we currently do not send marketing SMS)

Always Allowed (Transactional Communications):

We may send you important service-related communications without your consent:

• Appointment reminders and confirmations
• Service updates and changes to our Terms or Privacy Policy
• Security alerts and account notifications
• Billing and payment notifications

How to Unsubscribe:

• Email: Click the "Unsubscribe" link at the bottom of any marketing email
• Account Settings: Manage your email preferences in your account settings
• Email Us: Send a request to privacy@bliik.com

We will process your unsubscribe request within 10 business days. You may still receive transactional emails related to your account and services.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Will Notify You:

• Email Notification: We will send an email to all registered users at least 30 days before material changes take effect
• Website Notice: We will display a prominent banner on our website announcing the policy update
• "Last Updated" Date: The date at the top of this policy will reflect when changes were made

Your Options:

• Accept Changes: Continue using our services (constitutes acceptance of the new policy)
• Reject Changes: If you disagree with the changes, you may delete your account before the new policy takes effect

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA).

Your California Privacy Rights:

1. Right to Know:

You have the right to request:

• Categories of personal information we collect about you
• Specific pieces of personal information we have collected
• Categories of sources from which we collect personal information
• Our business or commercial purposes for collecting personal information
• Categories of third parties with whom we share personal information

2. Right to Delete:

You have the right to request deletion of your personal information, subject to certain exceptions (such as legal obligations to retain healthcare records).

3. Right to Opt-Out of Sale or Sharing:

We do NOT sell your personal information. We do not share your personal information for cross-context behavioral advertising.

4. Right to Non-Discrimination:

We will not discriminate against you for exercising your CCPA rights. You will receive the same service quality whether or not you exercise your rights.

Categories of Personal Information We Collect (Last 12 Months):

• Identifiers: Name, email, phone, address, IP address
• Protected Classifications: Autism diagnosis, disability status (for therapy purposes)
• Commercial Information: Insurance details, payment information, transaction history
• Internet/Network Activity: Website usage, pages visited
• Geolocation Data: City/state level location for therapist matching
• Professional Information: Therapist credentials, licenses, work history
• Sensitive Personal Information: Health data (autism diagnosis, therapy records)

How to Exercise Your California Rights:

• Email: privacy@bliik.com
• Online Form: [Link to California privacy request form]

We will verify your identity before fulfilling your request and will respond within 45 days.

15. For Brazilian Users (LGPD)

If you are a resident of Brazil, your personal data is protected by the Lei Geral de Proteção de Dados (LGPD).

Legal Bases for Processing (LGPD Article 7):

• Consent: When you give us explicit permission for marketing communications or optional features
• Contractual Performance: To provide the therapy services you requested
• Legal/Regulatory Obligation: To comply with Brazilian laws
• Protection of Life or Physical Safety: In emergency medical situations
• Health Protection: To provide healthcare services and clinical care coordination
• Legitimate Interest: For fraud prevention and security

Sensitive Personal Data (Article 11):

We process sensitive personal data, including:

• Health Data: Autism diagnosis, therapy records, treatment plans
• Children's Data: Information about children receiving therapy services

This sensitive data is processed based on explicit consent from parents/legal guardians and for healthcare provision by qualified professionals.

Your Rights Under LGPD (Articles 17-22):

As a Brazilian data subject, you have the right to:

1. Confirmation of Processing: Confirm whether we process your personal data
2. Access: Access your personal data
3. Correction: Correct incomplete, inaccurate, or outdated data
4. Anonymization, Blocking, or Deletion: Request deletion of unnecessary or unlawfully processed data
5. Data Portability: Receive your data in a structured, machine-readable format
6. Information on Sharing: Know which entities received your data
7. Refusal: Refuse to give consent
8. Revoke Consent: Withdraw consent at any time
9. Oppose Processing: Object to processing done without your consent
10. Petition to ANPD: File a complaint with the Brazilian Data Protection Authority

How to Exercise Your LGPD Rights:

• Email DPO: dpo@bliik.com
• General Privacy Email: privacy@bliik.com
• Response Time: Within a reasonable time, typically within 15 days

Data Protection Officer (DPO):

Our Data Protection Officer is responsible for overseeing compliance with data protection laws.

DPO Contact: dpo@bliik.com

Contact ANPD (Brazilian Data Protection Authority):

If you have concerns about how we process your data, you may contact ANPD:

• Website: https://www.gov.br/anpd/

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email:

• General Privacy Inquiries: privacy@bliik.com
• Data Protection Officer (DPO): dpo@bliik.com

Phone:

Privacy Hotline: [Phone Number - To Be Added]

Mail:

Bliik Privacy Team
[Company Legal Name]
[Street Address]
[City, State, ZIP]
United States

Online Privacy Request Form:

[Link to privacy request form - To Be Created]

Supervisory Authorities:

You also have the right to lodge a complaint with a supervisory authority:

For Brazilian Residents:

ANPD (Autoridade Nacional de Proteção de Dados)
Website: https://www.gov.br/anpd/

For California Residents:

California Attorney General - Privacy Complaints
Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

17. Definitions

For clarity, here are definitions of key terms used in this Privacy Policy:

ABA (Applied Behavior Analysis)

A scientific, evidence-based therapy approach used to help individuals with autism develop communication, social, and daily living skills.

ANPD

Autoridade Nacional de Proteção de Dados - Brazil's National Data Protection Authority responsible for enforcing LGPD.

BACB

Behavior Analyst Certification Board - The organization that certifies behavior analysts (BCBAs) and Registered Behavior Technicians (RBTs).

BCBA

Board Certified Behavior Analyst - A graduate-level professional who designs and supervises ABA therapy programs.

CCPA

California Consumer Privacy Act - California's privacy law that grants consumers rights over their personal information.

COPPA

Children's Online Privacy Protection Act - US federal law protecting the privacy of children under 13.

Cookies

Small text files stored on your device by websites to remember your preferences and track usage.

Data Controller

The entity that determines the purposes and means of processing personal data (Bliik for most platform data).

Data Processor

An entity that processes personal data on behalf of a data controller.

De-Identified Data

Data that has been modified to remove personally identifiable information.

DPO (Data Protection Officer)

A person designated to oversee data protection strategy and LGPD/GDPR compliance.

LGPD

Lei Geral de Proteção de Dados - Brazil's General Data Protection Law, similar to GDPR.

Personal Information / Personal Data

Any information that identifies, relates to, or could reasonably be linked to you or your household.

RBT

Registered Behavior Technician - A paraprofessional who implements ABA therapy under BCBA supervision.

Sensitive Personal Information

Personal information that reveals health data, precise geolocation, racial/ethnic origin, or children's data - subject to heightened protection.

Standard Contractual Clauses (SCCs)

Pre-approved contract terms that provide safeguards for international data transfers under LGPD/GDPR.