Privacy Policy
How we collect, use, and protect your information
Last updated: January 1, 2025
1. Introduction and Scope
Elite Performance Institute San Diego ("Company," "we," "us," or "our") is committed to protecting the privacy and security of all individuals who interact with our website located at episandiego.com (the "Site") and our clinical services. This Privacy Policy governs our collection, processing, use, disclosure, and retention of personal information in accordance with applicable law, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA).
This Policy applies to all users of the Site and individuals who contact us through any channel. By accessing or using the Site, you acknowledge that you have read, understood, and agree to the practices described herein. If you do not agree, please discontinue use of the Site immediately.
Our registered business address is: 444 West C St STE 190, San Diego, CA 92101, United States. For privacy inquiries, contact us at EPI@SANDIEGO.COM or +1 (619) 232-4030.
2. Information We Collect
We collect various categories of information depending on how you interact with us:
2.1 Information You Provide Directly
- Identity data: first name, last name, date of birth, gender
- Contact data: email address, telephone number, mailing address
- Health and medical information: symptoms, medical history, injury details, insurance information, treatment records
- Communications: messages submitted through our contact form, emails, and telephone call records
- Financial data: payment information (processed securely through third-party processors; we do not store card numbers)
2.2 Automatically Collected Information
- Technical data: IP address, browser type and version, operating system, device identifiers, referral URLs
- Usage data: pages viewed, time spent on pages, links clicked, scroll depth, session recordings
- Cookie and tracking data: as described in our Cookie Policy
2.3 Information from Third Parties
- Referral data from attorneys, physicians, and healthcare professionals who refer patients to our clinic
- Publicly available information for verification purposes
- Analytics and advertising partners (in de-identified or aggregated form only)
2.4 Special Categories of Sensitive Data
Health and medical information is classified as a special category of personal data requiring enhanced protection. We process such data only with your explicit consent or where necessary for the provision of medical care, in strict compliance with HIPAA and applicable state laws.
3. How We Use Your Information
We process your personal information for the following lawful purposes:
Clinical and Administrative Purposes
- Scheduling, confirming, and managing appointments
- Providing chiropractic care, sports medicine, and rehabilitation services
- Communicating with referring attorneys, insurers, and other healthcare providers involved in your care
- Processing insurance claims and billing
Legal and Regulatory Compliance
- Maintaining medical records as required by California law (minimum 7 years for adults; 10 years from the age of majority for minors)
- Responding to legal holds, subpoenas, court orders, and regulatory inquiries
- Preparing expert testimony and legal documentation for personal injury cases
Business Operations
- Responding to inquiries and contact form submissions
- Sending appointment reminders and follow-up communications
- Improving clinical outcomes through quality assurance reviews
- Internal reporting, analytics, and business planning
Marketing and Communications (with consent)
- Sending newsletters, health tips, and promotional communications where you have opted in
- You may opt out at any time by contacting us or clicking the unsubscribe link in any email
We will not use your personal information for purposes incompatible with the purpose for which it was collected without providing prior notice and, where required, obtaining your consent.
4. Disclosure of Your Information
We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:
Healthcare Operations
- With other treating physicians, specialists, and healthcare providers involved in your direct care (subject to HIPAA)
- With insurance companies and third-party payers to process claims on your behalf
- With personal injury attorneys who have retained us on your case, with your written authorization
Service Providers (Data Processors)
- Technology vendors who host our website infrastructure (Vercel, Inc.)
- Email delivery services (Resend, Inc.) for transactional communications
- Analytics providers (Vercel Analytics) operating under data processing agreements
- Payment processors operating under PCI-DSS compliance
Legal Requirements
- When required by law, court order, or government authority
- When necessary to protect the rights, property, or safety of EPI, our patients, or the public
- In connection with legal proceedings or regulatory investigations
Business Transfers
- In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred, subject to the same privacy protections described herein.
All third-party processors are bound by contractual obligations to protect your data and are prohibited from using it for their own independent purposes.
5. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, subject to the following minimum retention periods:
- Medical records: 7 years from last date of service (adults); until the patient reaches age 28 (minors)
- Business communications and contact form submissions: 3 years
- Financial and billing records: 7 years (tax and legal compliance)
- Website analytics data: 13 months (aggregated; individual sessions purged sooner)
- Marketing communications and opt-out records: until you withdraw consent plus 3 years
Upon expiration of the applicable retention period, we will securely delete or anonymize your personal information in accordance with our data destruction policies.
6. Your Rights and Choices
Depending on your location and applicable law, you may have the following rights:
California Residents (CCPA)
- Right to Know: request disclosure of personal information collected, used, disclosed, or sold about you
- Right to Delete: request deletion of personal information, subject to legal exceptions (e.g., medical record retention)
- Right to Opt-Out: we do not sell personal information, so no opt-out mechanism is required
- Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights
- Right to Correct: request correction of inaccurate personal information
European Residents (GDPR)
- Right of Access, Rectification, and Erasure
- Right to Restrict or Object to Processing
- Right to Data Portability
- Right to Withdraw Consent (where processing is based on consent)
- Right to Lodge a Complaint with a supervisory authority
HIPAA Rights (All Patients)
- Right to access and obtain a copy of your Protected Health Information (PHI)
- Right to request amendments to your PHI
- Right to an accounting of disclosures
- Right to request restrictions on use or disclosure
- Right to receive communications by confidential means
- Right to a paper copy of our Notice of Privacy Practices
To exercise any of these rights, please contact us in writing at EPI@SANDIEGO.COM or by mail at 444 West C St STE 190, San Diego, CA 92101. We will respond within 30 days (45 days for complex requests under CCPA; 30 days under GDPR).
7. Security Measures
We implement appropriate technical and organizational safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security practices include:
- Transport Layer Security (TLS/SSL) encryption for all data transmitted between your browser and our servers
- Access controls and authentication requirements for staff accessing patient data
- Regular security assessments and vulnerability scanning
- Staff training on HIPAA and data privacy requirements
- Data minimization and pseudonymization where technically feasible
- Business Associate Agreements with all vendors who handle Protected Health Information
- Incident response procedures and breach notification protocols in compliance with HIPAA and California law
No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable security measures, we cannot guarantee absolute security. In the event of a data breach that affects your rights and freedoms, we will notify you as required by applicable law.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and improve our website. Please review our Cookie Policy at episandiego.com/cookies for full details, including how to manage your cookie preferences.
In summary, we use:
- Strictly necessary cookies required for the website to function
- Analytics cookies to understand how visitors interact with the Site (Vercel Analytics)
- No third-party advertising or cross-site tracking cookies
You may disable non-essential cookies through your browser settings or our cookie preference center without affecting your ability to use the core functionality of the Site.
9. Third-Party Links and Services
Our Site may contain links to third-party websites, including Google Maps, YouTube, Facebook, and Instagram. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party services you access through links on our Site.
Embedded YouTube videos are loaded only on user interaction to minimize third-party data collection. By clicking to play a video, you consent to YouTube/Google's data collection as described in Google's Privacy Policy.
10. Children's Privacy
Our website is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at EPI@SANDIEGO.COM and we will take steps to delete such information promptly.
For patients between 13 and 18, a parent or legal guardian must provide consent for clinical services and may request access to minor health records in accordance with California law.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will post the revised Policy on this page with an updated "Last updated" date. For material changes, we will provide additional notice, which may include a prominent notice on the Site or an email notification to registered users.
Your continued use of the Site after the effective date of a revised Policy constitutes your acceptance of the updated terms.
12. Contact Information
For privacy-related inquiries, to exercise your rights, or to report a privacy concern, please contact us:
Elite Performance Institute San Diego
Privacy Officer
444 West C St STE 190
San Diego, CA 92101
United States
Email: EPI@SANDIEGO.COM
Phone: +1 (619) 232-4030
For HIPAA-specific complaints, you also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr/privacy.