Privacy Policy

AtReef Therapy Privacy Policy

AtReef Therapy PLLC ("AtReef Therapy," "the Practice," "I," "me," or "my") is committed to protecting your privacy. This Privacy Policy describes how I collect, use, share, and safeguard information when you visit https://www.atreef.com, communicate with the Practice, or engage in clinical, consultation, or educational services. It also describes your rights, the legal framework that applies, and how this Policy interacts with the separate Notice of Privacy Practices (NPP) that governs Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

About the Practice

AtReef Therapy PLLC is a solo private psychotherapy practice based in Cambridge, Massachusetts, operated by Dr. Ehsan Adib Shabahang (NCC, LPC, LCMHC, LMHC). Services are provided primarily by telehealth to clients in jurisdictions where Dr. Ehsan is licensed or registered to practice.

What This Policy Covers

This Policy covers personal data collected through:

• The Website and online forms

• Email and text communication

• Practice management systems (such as SimplePractice)

• Telehealth platforms (such as SimplePractice Telehealth)

• HIPAA-compliant documentation tools (such as SimplePractice AI and Heidi Health)

• Newsletter and marketing systems (such as Squarespace and Mailchimp)

• Any other interactions related to clinical, consultation, or administrative services

Information Collected

Information may be collected:

• Directly from you, through forms, intake materials, scheduling, contact, or service registration

• Automatically, through cookies, server logs, and analytics tools

Examples include:

• Identifiers: name, email, phone, mailing address

• Demographics: age, gender (if you choose to share it), emergency contact

• Clinical information: presenting concerns, diagnosis, treatment goals, progress notes

• Billing information: payment method, invoices, balance history

• Technical data: IP address, browser and device type, session activity

• Communication history: emails, secure messages, and form submissions

How Information Is Used

Information may be used to:

• Provide, coordinate, and document psychotherapy and related services

• Schedule appointments and send appointment reminders

• Communicate about care, billing, or scheduling

• Process payments securely

• Send opt-in newsletters or educational materials (you can unsubscribe at any time)

• Improve Website performance and user experience

• Comply with applicable legal, regulatory, and ethical obligations

Legal Bases for Processing (GDPR)

When the European Union General Data Protection Regulation (GDPR) applies, information may be processed on the following legal bases: your consent, contractual necessity, legal obligation, vital interests, or legitimate interest.

Sharing of Information

The Practice does not sell personal information. Information may be shared, only when necessary, with:

• HIPAA-compliant service providers (for example, SimplePractice for practice management, Stripe for payment processing, SimplePractice AI and Heidi Health for documentation support)

• Insurance billing partners when applicable (for example, Alma, Headway, Mentaya), only to the extent needed for billing and reimbursement

• Legal or regulatory authorities, when required by law

• Supervisors, consultants, or specialist trainers (for example, Gottman Method consultants), only when you have provided written authorization

• Emergency services, when there is an imminent risk to life or safety

A complete description of how PHI may be used and disclosed is provided in the Notice of Privacy Practices given to clients at intake.

Documentation Tools and Session Recordings

To support accurate documentation and allow Dr. Ehsan to remain present during sessions, the Practice may use HIPAA-compliant documentation tools, including SimplePractice AI and Heidi Health. These tools may temporarily record audio for the purpose of generating a transcript and a progress note. Audio recordings are deleted shortly after transcription, and transcripts are managed according to vendor policy and HIPAA requirements.

These tools are used only with your separate written consent. You may decline AI-assisted documentation and still receive services. For more detail, see the Use of AI-Assisted Tools page.

Your Rights

Depending on your jurisdiction, you may have rights under HIPAA, GDPR, the California Consumer Privacy Act (CCPA), or other applicable law. These may include:

• Accessing, correcting, or requesting a copy of your information

• Requesting deletion of certain information (subject to legal and clinical retention requirements)

• Restricting or objecting to certain processing

• Withdrawing consent for non-essential communications

• Filing a complaint with a regulatory authority

For PHI specifically, the rights described in the Notice of Privacy Practices apply.

Cookies and Analytics

This Website uses cookies and third-party analytics (such as Google Analytics) to understand site usage and improve performance. Cookies can be disabled through your browser settings. The Practice does not use third-party behavioral advertising or retargeting services on the Website.

Browser Tracking and Do Not Track Signals

There is currently no universal standard for how websites must respond to Do Not Track (DNT) browser signals. This Website does not respond to DNT settings. You may limit tracking by adjusting your browser settings, blocking cookies, or using browser plugins. You may opt out of Google Analytics at https://tools.google.com/dlpage/gaoptout.

Communications and Newsletters

You may receive email or SMS communication related to:

• Scheduling and appointment reminders

• Newsletters, educational content, or practice announcements (only when you have opted in)

These communications are not clinical care and do not replace psychotherapy. You can unsubscribe from non-essential communications at any time.

Data Retention

Clinical records are retained for a minimum of seven (7) years after the end of treatment, or longer if required by law or professional standards. Non-clinical data is retained only as long as needed for business or legal purposes.

Safeguards and Security

The Practice uses reasonable administrative, technical, and physical safeguards to protect information, including HIPAA-compliant encryption and storage, secure telehealth and messaging platforms, and access controls. Despite these safeguards, no method of electronic transmission or storage is fully secure. You are encouraged to take reasonable steps to protect your own information, such as using strong passwords and private internet connections.

Third-Party Links

This Website may link to third-party platforms or resources. The Practice is not responsible for the privacy practices of third parties. You are encouraged to review their privacy policies before sharing personal information.

Children's Privacy

This Website is not directed to individuals under the age of 13, and the Practice does not knowingly collect data from children under 13 without verified parental consent.

Changes to This Policy

This Privacy Policy may be updated periodically. The most recent version will always be available on this page, with the effective date at the top. Material changes may be communicated directly when appropriate.