Privacy Policy

Ezi Practice Manager, LLC

Privacy Policy

Effective Date: March 14, 2026

This Privacy Policy describes how Ezi Practice Manager, LLC ("Company," "we," "our," "us"), a Georgia limited liability company located in Morrow, Georgia, collects, uses, stores, and protects information when you use the EziGoals platform. EziGoals is a clinical goal management platform for Applied Behavior Analysis (ABA) practitioners.

We are committed to protecting your privacy and the privacy of the clients whose information is entered into the platform. This policy applies to all users of EziGoals, including account owners, team members, and any individual who accesses the platform.

1. Information We Collect

Account Information: When you create an account, we collect your full name, email address, practice name, and professional role. This information is necessary to set up your account, assign permissions, and communicate with you about the service.

Client Data (Protected Health Information): Authorized users within your practice enter client information into the platform, including client names, dates of birth, diagnoses, autism support levels, assessment scores, treatment goals, program parameters, and treatment plan documentation. This information constitutes Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

Assessment Data: When users score assessments or upload scoring forms, the platform processes assessment results to generate goal recommendations. On the Enterprise tier, uploaded scoring form images are sent to an AI service (Anthropic) for automated score extraction. These images are processed in real time and are not retained by the AI provider after processing is complete.

Payment Information: Subscription payments are processed by Stripe, Inc. We do not collect, store, or have access to your full credit card number, CVV code, or banking details. Stripe handles all payment data as a PCI DSS Level 1 certified service provider. We receive only a confirmation of payment status and the last four digits of your card for display purposes.

Usage Data: We automatically collect technical and usage information when you use the platform, including pages visited, features used, browser type, device type, IP address, and timestamps. This data does not contain any client information or PHI and is used solely to monitor platform performance and improve the user experience.

Cookies: We use essential cookies for authentication and session management. These cookies are necessary for the platform to function and cannot be disabled. We do not use advertising cookies, marketing cookies, tracking pixels, or third-party analytics tools that create individual user profiles. No PHI is ever stored in cookies.

2. How We Use Your Information

We use the information we collect for the following purposes only:

Providing the Service: To operate the EziGoals platform, including generating goal recommendations, clinical pathways, program designs, teaching instructions, and treatment plan documentation based on the assessment data you enter.

Account Management: To create and manage your account, authenticate your identity, assign role-based access within your practice, and manage your subscription.

Communication: To send you essential service communications, including trial expiration notices, subscription confirmations, security alerts, and platform update notifications. We also send optional clinical notifications such as mastery milestone alerts and authorization period reminders, which you may receive based on your notification preferences.

Payment Processing: To process subscription payments through our payment processor (Stripe) and maintain billing records as required by law.

Platform Improvement: To analyze anonymized, aggregated usage patterns to identify and fix technical issues, improve platform performance, and develop new features. This analysis never involves individual client data or PHI.

Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.

3. How We Do NOT Use Your Information

We do not sell, rent, trade, license, or otherwise share your data or your clients' data with any third party for marketing, advertising, or commercial purposes.

We do not use your client data, assessment scores, treatment goals, or any Protected Health Information to train artificial intelligence models, machine learning algorithms, or develop products for other customers.

We do not share individual practice data with other practices, researchers, insurance companies, or any entity outside of your authorized team.

We do not display advertising within the platform. We do not use tracking technologies to build advertising profiles of our users.

4. HIPAA Compliance

EziGoals processes Protected Health Information on behalf of covered entities (ABA practices). As a Business Associate under HIPAA, we implement comprehensive safeguards to protect PHI:

Technical Safeguards: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS) version 1.2 or higher. All data stored in our database is encrypted at rest using AES-256 encryption. Row-level security (RLS) policies enforce tenant-level data isolation at the database layer. Role-based access controls ensure that users can only access data within their own practice and according to their assigned role. Authentication sessions expire automatically after periods of inactivity.

Multi-Tenant Data Isolation: EziGoals is a multi-tenant platform. Each practice's data is logically separated at the database level using tenant-scoped queries and row-level security policies enforced by the database engine. No practice can access, view, query, or modify another practice's data under any circumstance. This isolation is enforced by the database engine itself, not merely by application code.
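As an added illustration of the isolation model described above (example code, not the EziGoals schema or its actual policies), the following PostgreSQL script shows how row-level security is typically configured so that the database engine, rather than application code, restricts every query to one tenant. The table, column and role names, and the use of a transaction-scoped session setting to carry the tenant identifier, are assumptions for the example; Supabase exposes JWT claims through its own helper functions, which would take the place of the session setting there. The final query is the check a reviewer would run: any table it returns has policies that can be skipped.

```sql
-- Added example (hypothetical schema): tenant isolation with PostgreSQL
-- row-level security. Not the platform's own definitions.

CREATE TABLE clients (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    full_name   text NOT NULL,
    dob         date
);

-- 1. Turn RLS on. Without ENABLE the policies below are ignored; without
--    FORCE the table owner still bypasses them.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

-- 2. The application connects as a role that neither owns the table nor
--    has the BYPASSRLS attribute (superusers and BYPASSRLS roles skip RLS
--    entirely, so they must never serve end-user requests). Credentials
--    for this role are managed outside this example.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO app_user;
GRANT USAGE, SELECT ON SEQUENCE clients_id_seq TO app_user;

-- 3. One policy covering every command. USING filters the rows a session
--    may read or touch; WITH CHECK rejects writes that would land in
--    another tenant. current_setting(..., true) returns NULL when the
--    setting is absent, and NULL compared with a uuid is NULL, so a request
--    with no tenant context sees no rows and can write none: it fails closed.
CREATE POLICY tenant_isolation ON clients
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 4. Per request, the application (connected as app_user) sets the tenant
--    from its authenticated session, scoped to the transaction so it cannot
--    leak into a pooled connection. The value comes from the verified
--    identity, never from client-supplied input.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM clients;                 -- this tenant's rows only
INSERT INTO clients (tenant_id, full_name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'Other Tenant');
-- ERROR: new row violates row-level security policy for table "clients"
-- (the error aborts the transaction, so the COMMIT below rolls back)
COMMIT;

-- 5. Audit check: every ordinary table in the application schema must have
--    RLS both enabled and forced. Any row returned here is an isolation gap.
SELECT c.relname,
       c.relrowsecurity   AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND (NOT c.relrowsecurity OR NOT c.relforcerowsecurity);
```

Two points matter in practice: a policy protects only the tables it is attached to, so the audit query belongs in CI or a scheduled check rather than being run once; and a connection made with an owner, superuser or BYPASSRLS role ignores the policies regardless of how well they are written, so such credentials should be confined to migrations and operations, not the request path.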

Administrative Safeguards: Access to production database systems and infrastructure is restricted to authorized personnel. We maintain security incident response procedures. Platform access events are logged for auditing purposes.

Business Associate Agreement: Covered entities using EziGoals are required to execute a Business Associate Agreement (BAA) with Ezi Practice Manager, LLC prior to entering any Protected Health Information into the platform. To request a BAA, contact support@ezigoals.com.

Breach Notification: In the event of a confirmed data breach involving Protected Health Information, we will notify affected account owners without unreasonable delay and in no case later than 60 days after discovery, in accordance with the HIPAA Breach Notification Rule as it applies to business associates (45 CFR 164.410). Notification will include a description of the breach, the types of information involved, steps we are taking in response, and recommendations for affected individuals.

5. Data Storage and Infrastructure

Platform data is stored on Supabase infrastructure hosted in the United States. Supabase maintains SOC 2 Type II compliance for its hosting environment.

The EziGoals web application is hosted on Vercel, which provides global edge delivery and maintains SOC 2 compliance.

Database backups are performed automatically and encrypted. Backup data is subject to the same security controls as primary data.

We do not store data outside of the United States.

6. Third-Party Services

We use the following third-party services to operate the platform. Each service processes data only as necessary to fulfill its specific function:

Supabase (supabase.com): Database hosting, user authentication, and row-level security enforcement. Stores all platform data including client records and assessment scores. SOC 2 Type II compliant. Data hosted in the United States.

Vercel (vercel.com): Application hosting and content delivery. Serves the EziGoals web application. SOC 2 compliant. Does not store client data.

Stripe (stripe.com): Payment processing for subscription billing. Handles credit card and banking information. PCI DSS Level 1 certified. We do not receive or store full payment details.

Resend (resend.com): Transactional email delivery. Sends platform notifications such as trial expiration reminders, mastery milestone alerts, and authorization period warnings. Email content may include client first names in notification context. Resend does not store email content after delivery.

Anthropic (anthropic.com): AI-powered assessment score extraction from uploaded scoring form images. Available on the Enterprise subscription tier only. Uploaded images are processed in real time for score extraction and are not retained by Anthropic after processing is complete. This service is governed by Anthropic's data processing terms.

We do not share your data with any third-party services beyond those listed above. We evaluate the security practices of all third-party providers and select providers that maintain appropriate certifications and data protection standards.

7. Data Retention

Active Subscriptions: All account and client data is retained for the duration of your active subscription. Data remains accessible and fully functional as long as your subscription is current.

Canceled Subscriptions: Upon cancellation, your data is preserved in our systems for 90 days. During this period, you may reactivate your subscription and regain full access to all your data with no loss. After the 90-day preservation period, your data may be permanently deleted from our primary systems and backups.

Expired Trials: Trial account data is preserved for 90 days after the trial period ends, following the same retention policy as canceled subscriptions.

Notification Records: Internal records of notification delivery (email send confirmations, timestamps) are retained for 12 months for operational and troubleshooting purposes. These records do not contain client PHI.

Payment Records: Billing transaction records are retained as required by applicable federal and state tax and financial regulations.

Activity Logs: Records of goal additions, modifications, and status changes within the platform are retained for the duration of the active subscription plus the 90-day post-cancellation period.

8. Your Rights

Access: You may access all of your data at any time through the EziGoals platform. Client records, goals, assessments, and treatment plans are available on their respective pages within the application.

Data Export: You may export your data at any time using the Data Export feature located on the Settings page. Exports are available in JSON format (complete data including goals, assessments, and revision history) and CSV format (goal summary). There is no charge for data export.

Data Deletion: You may request deletion of your account and all associated data by contacting support@ezigoals.com. We will process deletion requests within 30 days, subject to any legal retention requirements. Upon deletion, all client records, goals, assessments, treatment plans, and account information will be permanently removed from our systems.

Data Correction: You may correct any inaccurate information in your account profile or client records directly within the platform at any time.

Breach Notification: You have the right to be notified of any confirmed data breach affecting your Protected Health Information within 60 days, as described in Section 4.

9. Children's Privacy

EziGoals is a professional clinical tool designed for use by Board Certified Behavior Analysts, behavior technicians, and other ABA practitioners. The platform is not directed at children under the age of 13 and is not intended to be used by minors.

Client data entered into the platform (which may include information about minor children receiving ABA services) is entered and managed exclusively by authorized healthcare professionals, not by the minor clients themselves. The collection and use of this information is governed by HIPAA, not the Children's Online Privacy Protection Act (COPPA), as it constitutes Protected Health Information managed within a healthcare provider relationship.

10. State-Specific Privacy Rights

Georgia Residents: Under Georgia law, you have the right to request access to personal information we maintain about you. To exercise this right, contact support@ezigoals.com.

California Residents: If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). However, HIPAA-covered health information is exempt from CCPA. For non-health personal information, you may request access to, deletion of, or information about the categories of personal information we collect. Contact support@ezigoals.com to exercise these rights.

We do not sell personal information as defined by the CCPA.

11. Security Incident Response

If we discover or are notified of a security incident that may affect the confidentiality, integrity, or availability of your data, we will:

Immediately investigate the scope and impact of the incident.

Take appropriate steps to contain and remediate the incident.

Notify affected account owners in accordance with HIPAA requirements and applicable state breach notification laws.

Document the incident, our response, and any corrective actions taken.

If you believe your account has been compromised or you become aware of any security concern, contact us immediately at support@ezigoals.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify account owners via email at least 30 days before the changes take effect. The updated Privacy Policy will be posted at ezigoals.com/privacy with the revised effective date.

Your continued use of the platform after the effective date of an updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the changes, you must stop using the platform and cancel your subscription before the effective date.

13. Contact Information

For questions about this Privacy Policy, data protection practices, HIPAA compliance, BAA requests, data export assistance, or data deletion requests:

Ezi Practice Manager, LLC
Morrow, Georgia 30260
United States

Email: support@ezigoals.com
Website: ezigoals.com