Privacy Policy
About Marula Rehab and its Partners
“We,” “us,” or “our” refers to Marula Rehab and its Partners, headquartered in Pleasant Grove, Utah, United States. We are a virtual behavioral healthcare provider for Substance Use Disorder, Alcohol Dependency and other similar conditions, offering outpatient, intensive outpatient (IOP), non-hospitalization treatment (NHT), and non-residential treatment (NRT) “virtual services.” Marula Rehab and its Partners are strictly Non-Face-to-Face (NFTF) telehealth service providers with secure client portal access, chatbot communication, and SMS messaging support.
1. Scope of This Policy
This Privacy Policy explains how we collect, use, share, and protect your personal information when you engage with our services, including through our websites, mobile applications, telehealth platform, client portal, chatbot, SMS messaging, and other non-in-person programs. It also outlines your privacy rights under U.S. law, the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR), where applicable.
By accessing or using our services, you agree to the practices described in this Privacy Policy.
2. Information We Collect
We collect personal data directly from you and automatically through your use of our services. The type of data collected depends on your interaction with Marula Rehab and its Partners and the services you access.
1. Information You Provide to Us
Contact Information: Name, email address, mailing address, phone number.
Health and Clinical Information: Intake forms, telehealth session data, treatment history, progress notes, and other protected health information (PHI).
Account Credentials: Username, password, and other identifiers for secure login to the client portal.
Payment Information: Credit or debit card number, billing address (processed by secure third-party payment processors).
Chatbot Submissions: Any information you choose to enter into our on-site chatbot (though PHI should not be submitted through this channel).
Communication Records: Emails, SMS messages, intake responses, and survey answers.
2. Information We Collect Automatically
Device and Technical Data: IP address, browser type, operating system, device identifiers, access times, and referring URLs.
Usage Data: Pages viewed, time spent, features used, chatbot engagement, and actions taken on our websites or apps.
Cookies and Tracking Technologies: Data collected through cookies and third-party scripts for analytics, security, and personalization. See “Cookies and Analytics” below for details.
3. Information from Third Parties
Service providers, referrers, or partners who may supply clinical or administrative data with your authorization.
Third-party payment processors or scheduling platforms that forward necessary billing or appointment data.
We only collect and use sensitive personal data, including health-related data, in accordance with applicable legal bases such as your explicit consent, performance of a contract, or legal obligation under HIPAA or GDPR.
4. Cookies and Analytics
We use cookies and similar tracking technologies to provide a better user experience, analyze site traffic, and support functionality across our platforms. This section explains how and why we use cookies and how you can manage them.
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They allow websites to remember your preferences, improve performance, and provide analytics or personalized content.
Types of Cookies We Use
Essential Cookies: Required for core site functionality (e.g. security, session management, login authentication).
Performance and Analytics Cookies: Help us understand how visitors interact with our site, including pages visited, links clicked, and time spent. We use tools like Google Analytics to gather anonymized data.
Functional Cookies: Remember choices you’ve made, such as language or display preferences.
Marketing Cookies: Only used with consent. May be placed by third-party services to deliver relevant messages.
Third-Party Services
We may use tools such as Google Analytics or chatbot providers that set their own cookies. These services collect anonymized usage data and are subject to their own privacy policies. We do not permit third-party advertising cookies. We use additional third-party tools such as Facebook Pixel, Instagram analytics, and Microsoft Bing Ads UET to help personalize advertising content and improve the effectiveness of our campaigns. These services may place their own cookies or tracking technologies, and are subject to their respective privacy policies. We obtain consent where required and provide opt-out mechanisms via our Cookie Policy or browser settings.
Managing Your Cookie Preferences
When you first visit our site, you may see a cookie banner asking for your consent. You can accept or reject non-essential cookies at any time. You may also manage cookies through your browser settings or use tools like opt-out pages for specific trackers.
Please note: Disabling certain cookies may limit website functionality.
5. How We Use Your Information
We use your personal data for the following purposes, depending on how you interact with our services and in accordance with applicable legal bases under HIPAA, GDPR, and U.S. privacy law:
To deliver healthcare services: Including outpatient, intensive outpatient (IOP), non-hospitalization treatment (NHT), non-residential treatment (NRT), and telehealth care. This includes using clinical information to assess, treat, and support your health needs.
To manage your account and provide customer service: Including scheduling appointments, sending confirmations, handling billing, and providing access to the secure client portal.
To communicate with you: We may send important updates, appointment reminders, or service-related notifications via email, SMS, or secure portal. Marketing messages are only sent with your consent.
To operate and improve our digital services: Including our website, chatbot, and mobile experience — by monitoring usage trends, page performance, and technical issues using cookies and analytics tools.
To collect feedback and conduct surveys: We may ask for your opinions to help us improve services or satisfaction. Participation is always voluntary.
To fulfill our legal obligations: Including data retention, medical documentation, HIPAA compliance, and safeguarding your privacy rights under GDPR where applicable.
To ensure safety and prevent misuse: We use data to protect the security of our systems, detect fraud or abuse, and respond to inappropriate conduct or breaches of our terms of service.
Respond to your inquiries and provide support services, including via chatbot or SMS.
Send service-related and administrative messages, such as appointment reminders or account updates.
Send marketing communications (with your consent), including information about programs, services, events, or surveys.
Conduct internal research and quality improvement efforts.
Analyze site traffic and improve website functionality using third-party analytics tools (e.g., Google Analytics, Microsoft Advertising).
Deliver personalized advertising on third-party platforms: such as Google, Bing, Facebook, and Instagram using tracking tools like the Meta Pixel, UET tag, and similar technologies.
We do not use your personal or health information to make automated decisions that produce legal or similarly significant effects. All uses of personal data are consistent with the purposes described in this policy and applicable law.
6. Legal Basis for Processing Personal Data (GDPR)
The Services are provided solely for therapeutic and recovery purposes within the State of Utah. Marula Rehab is licensed to operate only in Utah and does not provide services outside the State of Utah or outside the United States. These Services are not a substitute for Hospitalization Treatment (HT) or Residential Treatment (RT) when a higher level of care is clinically indicated or when treatment needs exceed Assessment or Intensive Outpatient Program (IOP) services. If you are experiencing severe substance‑use withdrawal, believe you may be in medical danger, or are having thoughts of suicide, please call 911 immediately.
Marula Rehab and its affiliated partners do not provide 24‑hour emergency or crisis services.
Consent: For marketing communications, cookies, tracking technologies, SMS messaging, and chatbot use where required by law.
Contractual Necessity: To provide our treatment programs, telehealth services, and client portal functions as requested by you.
Legal Obligation: To comply with applicable laws and regulatory requirements, such as documentation for medical services.
Legitimate Interest: To ensure the proper administration, security, and functionality of our website and services, and to engage in limited, non-intrusive analytics or remarketing efforts.
Performance of a contract: We process your data when it is necessary to provide the services you have requested or agreed to, such as participating in a treatment program or accessing your client portal.
Vital interests: In rare cases, we may process personal data to protect your life or the life of another individual (e.g. in emergencies).
You have the right to withdraw your consent at any time, where consent is the basis for processing. To do so, please contact us via our Contact Page.
7. Your Marketing & Communication Preferences
We may send you marketing communications about our services, events, promotions, and updates, but only with your explicit consent. You can manage these preferences as follows:
Email Marketing
If you sign up for our newsletter or other marketing emails, you will receive messages from us regarding our services, news, and special offers. You may unsubscribe at any time by clicking the “unsubscribe” link in the email or by contacting us.
SMS/Text Messaging
If you opt in to receive SMS messages, you will get text communications related to appointment reminders, service updates, or promotional offers. Your consent is not a condition of purchase, and you can opt out at any time by replying with “STOP” or by contacting us.
Other Communications
You can also update your communication preferences by logging into our secure client portal or contacting our support team directly. We respect your privacy and preferences, and we will only send you communications that you have agreed to receive. We may also use third-party platforms such as Facebook, Instagram, Google, and Microsoft Bing to deliver personalized advertising content. These communications are based on user consent or legitimate interest, and you may manage your preferences or opt out through the provided channels, including ad settings on those platforms.
8. How We Share Your Information
We do not sell your personal information. However, we may share your information with trusted third parties under specific circumstances, as outlined below:
1. With Service Providers
We may share your personal data with vendors and contractors who help us operate our services — including IT support, telehealth platforms, billing providers, email/SMS communication systems, and data analytics tools. These parties only access data necessary to perform their services and are bound by confidentiality agreements.
2. With Healthcare Professionals
If you are receiving treatment from Marula Rehab and its Partners, your information may be shared with licensed clinicians, care teams, or support staff involved in your care, in accordance with HIPAA and relevant state laws.
9. How Long We Keep Your Information
We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, including to provide services, comply with legal and clinical obligations, resolve disputes, and enforce agreements.
1. Healthcare and Clinical Records
As a behavioral healthcare provider, we are required by HIPAA and state medical laws to retain clinical records — including Protected Health Information (PHI) — for a minimum number of years (typically 6–10 years, depending on jurisdiction and age of the client).
2. Communication and Account Data
We retain contact information, account activity, and communications (e.g., messages, intake records, scheduling history) as long as you maintain an active relationship with us and for a reasonable period thereafter, unless you request deletion.
3. Marketing and Analytics Data
We retain data collected via cookies or analytics tools for as long as necessary to analyze trends and improve services. This data is anonymized where possible and stored in compliance with applicable data retention policies.
4. Your Right to Deletion
In accordance with GDPR and other privacy laws, you may request that we delete your personal information when:
The data is no longer needed for its original purpose
You withdraw your consent (where consent was the legal basis)
You object to processing and there are no overriding legitimate grounds
We are legally obligated to erase it
Some information may be retained if necessary for legal compliance, legitimate business purposes, or to defend against legal claims. To request data deletion, please contact us.
5. With Your Consent
We may share your information with third parties when you have explicitly given us permission — such as coordinating care with an external provider or disclosing your information to a referring clinician.
6. For Legal or Regulatory Purposes
We may disclose your information if required to do so by law, subpoena, court order, or regulatory obligation (e.g., HIPAA, GDPR). This includes cooperating with authorities for fraud prevention, safeguarding public health, or responding to a data breach as required by the HIPAA Breach Notification Rule.
7. Business Transfers
If we are involved in a merger, acquisition, financing, or asset sale, your information may be transferred as part of that transaction — with notice provided and continued protection of your data ensured.
8. With De-Identification
We may share aggregate or de-identified data that does not reasonably identify you, for the purposes of research, program evaluation, or service improvement.
10. International Data Transfers
Marula Rehab and its Partners is based in the United States, and your personal information may be stored and processed in the U.S. only where our service providers also operate. By using our services, you acknowledge that your information may be transferred to — and maintained on — servers located in the US only.
If you have relocated outside the US after receiving treatment in the US, or specifically to the European Union (EU), European Economic Area (EEA), or another region, your data may only be transferred into the hands of a licensed medical provider. We ensure that appropriate safeguards are in place when transferring your data internationally. These may include:
Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements (DPAs) with our vendors and partners
Certification under recognized frameworks (where applicable)
We take all necessary steps to ensure that your data is treated securely and in accordance with this Privacy Policy and applicable laws wherever it is processed.
11. Your Privacy Rights (Under GDPR)
You have important rights regarding your personal information. These rights vary depending on your location and the legal framework that applies (such as HIPAA or GDPR). We are committed to upholding these rights and making it easy for you to exercise them.
1. Right to Access
You may request a copy of the personal information we hold about you, including any Protected Health Information (PHI) and service-related data. We will provide this information within a reasonable timeframe, in accordance with applicable laws.
2. Right to Rectification (Correction)
You have the right to request correction of inaccurate or incomplete personal data. Clinical records may only be amended in accordance with professional standards and applicable laws.
3. Right to Erasure (“Right to Be Forgotten”)
In certain cases, such as where data is no longer needed or you withdraw your consent, you may request that we delete your personal data. Legal, medical, or contractual obligations may limit this right in some cases.
4. Right to Restrict or Object to Processing
You may ask us to restrict the use of your data or object to processing, including for direct marketing purposes where we rely on legitimate interest or perform profiling. We will evaluate your request and respond in accordance with the applicable legal framework.
5. Right to Data Portability
Where processing is based on consent or contract, and carried out by automated means, you may request a copy of your personal data in a structured, machine-readable format for transfer to another provider.
6. Right to Withdraw Consent
If you previously gave consent for data processing (e.g., for marketing communications), you may withdraw it at any time without affecting prior lawful processing.
7. Right to not be subject to automated decision-making
The right not to be subject to automated decision-making that significantly affects you.
8. Right to File a Complaint
If you believe your data rights have been violated, you may file a complaint with your local data protection authority or contact the U.S. Department of Health and Human Services (HHS) for HIPAA-related concerns. You may also contact us directly at any time.
12. How We Protect Your Information
We take the security of your personal data seriously and implement a range of technical, administrative, and physical safeguards to protect it from unauthorized access, use, alteration, or disclosure.
Technical Safeguards
Encryption: All sensitive data — including health information and payment data — is encrypted both in transit and at rest using industry-standard protocols (e.g., SSL/TLS).
Access Controls: Access to systems and data is limited to authorized personnel only, using unique credentials and, where applicable, two-factor authentication (2FA).
Firewalls and Intrusion Detection: Our systems are monitored for suspicious activity and protected by modern security infrastructure.
Organizational Safeguards
Staff Training: All employees receive ongoing training in data protection, privacy regulations (e.g., HIPAA, GDPR), and cybersecurity awareness.
Data Minimization: We collect only the data necessary for each purpose, and we limit access to data based on job function.
Vendor Contracts: All service providers who process data on our behalf are required to comply with strict data protection and confidentiality obligations.
Incident Response
In the event of a data breach, we will promptly investigate and notify affected individuals and applicable authorities in accordance with the HIPAA Breach Notification Rule and GDPR Article 33/34. While no method of transmission or storage is 100% secure, we are committed to continually reviewing and improving our security practices to meet evolving threats and standards.
13. Children’s Privacy
Marula Rehab and its Partners does not knowingly collect personal information from children under the age of 13 without verifiable parental or guardian consent, as required by the Children’s Online Privacy Protection Act (COPPA) and applicable healthcare and data protection laws. If a child under 13 submits personal data to us through our website, chatbot, telehealth platform, or any other channel without proper consent, we will take reasonable steps to delete the information as quickly as possible and notify the parent or guardian if known. Parents or legal guardians who believe their child has submitted personal information to Marula Rehab and its Partners without consent may contact us to request access to or deletion of that data. For minors receiving treatment through Marula Rehab and its Partners programs, personal health data will be collected and managed in accordance with HIPAA, state law, and our clinical protocols, which may require parental involvement or authorization depending on the jurisdiction and age of the minor.
13.A: Marula Rehab and its Partners do not provide Treatment Services to any person under 18 years of age.
14. Data Security and Breach Procedures
We are committed to protecting your personal information, but in the event of a data breach, we follow strict procedures to minimize risk and comply with applicable laws.
1. Internal Detection and Response
We maintain an internal breach response protocol that includes real-time monitoring, system audits, and logging to detect unauthorized access, misuse, or loss of data. Once a potential breach is identified, we initiate an immediate investigation.
2. Notification to Affected Individuals
If a breach involves your personal data or protected health information (PHI), we will notify you as required by applicable law. Under the HIPAA Breach Notification Rule, we will inform you without unreasonable delay and no later than 60 calendar days from discovery. Notification may include:
The nature of the breach and what data was involved
Steps you can take to protect yourself
What we are doing to investigate and prevent future breaches
How to contact us for more information
3. Regulatory and Public Notifications
Depending on the severity of the breach and applicable jurisdiction, we may also notify the U.S. Department of Health and Human Services (HHS), the media (if 500+ individuals are affected), and relevant EU supervisory authorities under GDPR Article 33.
4. Ongoing Improvements
Following a breach, we review our policies, staff access levels, and system protections to prevent recurrence. All incidents are documented and used to enhance our overall security posture.
15. Contact Information
If you have questions, concerns, or requests related to this Privacy Policy or your personal data, we encourage you to reach out. We’re here to help and committed to protecting your privacy.
You may contact us through our Contact Us page or by using the details below:
Marula Rehab and its Partners
2728 N. Canyon Road
Pleasant Grove, Utah 84062
United States
We will respond to inquiries in a timely manner and in accordance with applicable privacy regulations such as HIPAA and GDPR.
Marula Rehab Telehealth Substance Use Disorder and Alcohol Dependency Treatment
TERMS OF SERVICE
Welcome to Marula Rehab - Marula LLC - Utah Outpatient - (“we,” “our,” or “us”). These Terms of Service (“Terms”) govern your access to and use of our services, including our website at marularehab.com, telehealth platform(s), client portal, chatbot, SMS communications, and any other services we provide (collectively, the “Services”). By using our Services, you agree to these Terms.
1. Eligibility and Participation
Our services are intended for individuals seeking support through outpatient, intensive outpatient (IOP), non-hospitalization (NHT), and Non-residential treatment (NRT) programs. Participation requires full compliance with all terms, policies, clinical rules, and intake procedures. Consent for treatment is required prior to participation in any program.
2. Medical and Therapeutic Disclaimer
The Services are offered solely for therapeutic and recovery‑focused purposes. They are not a substitute for Hospitalization Treatment (HT) or Residential Treatment (RT) when a higher level of care is clinically appropriate or when treatment needs exceed Assessment or Intensive Outpatient Program (IOP) services. If you are experiencing severe substance‑use withdrawal, believe you may be in medical danger, or are having thoughts of suicide, please call 911 immediately. Marula Rehab and its affiliated partners do not provide 24‑hour emergency or crisis services.
3. User Responsibilities
You agree to use our Services lawfully and respectfully. You are responsible for maintaining the confidentiality of your login information and for any activity that occurs under your account. You agree not to misuse the site or share misleading, offensive, or harmful content.
4. Communications and Messaging
By providing your phone number or email, you agree to receive messages related to scheduling, treatment, program updates, and support. You may also receive SMS text messages and chatbot responses. You can opt out of marketing messages at any time by following unsubscribe instructions or by contacting us.
5. Use of Third-Party Tools
We use third-party platforms including Google Analytics, Microsoft Advertising (Bing Ads), Meta Ads (Facebook and Instagram), and a chatbot to enhance your experience and improve service delivery. These platforms may collect or process limited user data. Your use of our website constitutes your agreement to these integrations. Refer to our Privacy Policy for details.
6. Privacy and Data Handling
All data collected through our Services is handled in accordance with our Privacy Policy. As a behavioral health entity, we are committed to HIPAA and GDPR compliance and the confidentiality of all personal and health information.
7. Modifications to Services
We reserve the right to change or discontinue any part of the Services at any time. We will make reasonable efforts to notify users of major changes.
8. Intellectual Property
All content on our site — including text, graphics, logos, and videos — is the property of Marula Rehab and its partners or its content providers and is protected by copyright and intellectual property laws. You may not use or reproduce content without prior written permission.
9. Limitation of Liability
We are not liable for any indirect, incidental, special, or consequential damages arising from your use of the Services. While we take data and safety seriously, we do not guarantee uninterrupted or error-free service.
10. Termination
We may suspend or terminate your access to our Services at our discretion if we believe there has been a violation of these Terms or any applicable laws or policies.
11. Governing Law
These Terms are governed by the laws of the State of Utah, without regard to conflict of law provisions. All disputes will be resolved in the applicable state or federal courts located in Utah.
12. Contact Us
If you have questions about these Terms, please contact us.