PRIVACY POLICY

But First, Heal Thyself

Website: https://butfirsthealthyself.com


Effective Date: February 17, 2026

Last Updated: February 17, 2026


============================================================


TABLE OF CONTENTS


1. Introduction

2. Information We Collect

3. How We Collect Your Information

4. Why We Collect Your Information

5. How We Use Your Information

6. Who We Share Your Information With

7. How Long We Keep Your Information

8. How We Protect Your Information

9. Your Rights as a Client

10. Notice of Privacy Practices (HIPAA)

11. Cookies and Tracking Technologies

12. Website Accessibility (UserWay)

13. Telehealth and Virtual Services

14. Social Media Policy

15. Data Breach Notification

16. Children's Privacy

17. Third-Party Links

18. Changes to This Privacy Policy

19. Contact Information


============================================================


1. INTRODUCTION


But First, Heal Thyself ("we," "us," "our," or "the Practice") is a psychotherapy and holistic wellness practice located in Virginia. We are committed to protecting the privacy and confidentiality of every person who visits our website, contacts our office, or receives our services.


This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you interact with us through our website (https://butfirsthealthyself.com), by phone, email, video call, or in person. It also outlines your rights regarding your personal data.


Our services include trauma-informed therapy, brainspotting, walk-and-talk therapy, trauma-informed yoga, clinical supervision, and Reiki healing. Regardless of which service you engage with, this policy applies to all personal information we collect.


We comply with applicable federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA), Virginia state privacy regulations, and other relevant data protection requirements.


By using our website or engaging our services, you acknowledge that you have read and understand this Privacy Policy.


============================================================


2. INFORMATION WE COLLECT


We may collect the following categories of personal information depending on your interaction with our Practice:


Identifying Information: Full name, date of birth, gender identity, pronouns, and other demographic details.


Contact Information: Email address, phone number, mailing address, and emergency contact details.


Health and Clinical Information: Mental health history, diagnoses, treatment plans, therapy session notes, progress notes, intake assessments, health questionnaires, and any information you share during the course of therapy, brainspotting, yoga, Reiki, or clinical supervision sessions.


Insurance and Billing Information: Health insurance details, policy numbers, billing address, and related financial information necessary for claims processing and payment.


Payment Information: Credit or debit card numbers, bank account information, and transaction records when processed through our secure payment systems.


Appointment Information: Dates, times, types of appointments, cancellation records, and scheduling preferences.


Communication Records: Emails, phone call logs, voicemails, text messages, and any written correspondence between you and the Practice.


Website Usage Data: IP address, browser type, operating system, device information, pages visited, time spent on pages, referring URLs, and general geographic location data collected through cookies and analytics tools.


Telehealth Data: Information transmitted during virtual therapy sessions, including audio and video data, as well as technical data related to your connection.


Employment or Background Information: If you are seeking clinical supervision services, we may collect information about your professional credentials, licensure status, employment history, and supervision goals.


============================================================


3. HOW WE COLLECT YOUR INFORMATION


We collect your information through the following methods:


Website Forms: When you complete intake forms, contact forms, appointment request forms, or any other forms on our website.


Direct Communication: When you communicate with us by phone, email, text message, video call, or in person during sessions.


Telehealth Platforms: Through secure, HIPAA-compliant telehealth platforms used for virtual therapy sessions.


Electronic Medical Records (EMR): Through our secure EMR system used to manage client records, scheduling, and clinical documentation.


Cookies and Analytics Tools: Through cookies, pixels, and analytics technologies embedded on our website that automatically collect certain usage data when you visit our site.


Third-Party Referrals: From other healthcare providers, insurance companies, or referral sources, with your consent or as permitted by law.


Payment Processing Systems: Through secure third-party payment processors when you make payments for services.


In-Person Sessions: During walk-and-talk therapy, trauma-informed yoga, Reiki, brainspotting, or traditional in-office therapy sessions.


============================================================


4. WHY WE COLLECT YOUR INFORMATION


We collect your personal information for the following purposes:


To Provide Clinical Services: To deliver therapy, brainspotting, walk-and-talk therapy, trauma-informed yoga, Reiki, and clinical supervision services tailored to your needs.


To Manage Appointments: To schedule, confirm, reschedule, or cancel appointments and send you appointment reminders.


To Communicate With You: To respond to your inquiries, provide information about our services, and maintain ongoing communication related to your care.


To Process Payments and Billing: To bill for services, process insurance claims, collect payments, and maintain accurate financial records.


To Comply With Legal Obligations: To meet our legal and regulatory obligations, including HIPAA compliance, Virginia state licensing requirements, mandatory reporting obligations, and court orders or subpoenas.


To Improve Our Services: To analyze website usage patterns, evaluate the effectiveness of our services, and improve the client experience.


To Maintain Safety: To protect the health and safety of our clients, staff, and the public as required or permitted by law.


To Provide Resources: To share relevant educational content, blog posts, and wellness resources available on our website.


============================================================


5. HOW WE USE YOUR INFORMATION


We use your personal information in the following ways:


Clinical Care: Your health and clinical information is used to assess your needs, develop treatment plans, provide therapy and holistic wellness services, track your progress, and coordinate care when appropriate.


Administrative Operations: Your contact and appointment information is used for scheduling, reminders, billing, insurance verification, and general office administration.


Website Operations: Website usage data is used to maintain and improve the functionality of our website, analyze visitor trends, and ensure a positive user experience.


Marketing and Outreach: With your consent, we may use your email address to send newsletters, updates about our services, or educational content. You may opt out of marketing communications at any time.


Legal and Regulatory Compliance: We may use your information as necessary to comply with applicable laws, respond to legal processes, and fulfill our professional and ethical obligations.


Quality Improvement: Aggregated or de-identified data may be used for internal quality improvement, training, and research purposes.


============================================================


6. WHO WE SHARE YOUR INFORMATION WITH


We take your privacy seriously and do not sell your personal information to anyone. We may share your information with the following parties only as described below:


EMR and Practice Management Software Providers: We use secure, HIPAA-compliant electronic medical records and practice management systems to store and manage your clinical and appointment data.


Payment Processors: We use secure, PCI-compliant third-party payment processors to handle credit card and electronic payment transactions. We do not store your full payment card details on our systems.


Telehealth Platform Providers: We use HIPAA-compliant telehealth platforms to conduct virtual therapy sessions. These providers may process certain technical data necessary to facilitate the video connection.


Website Analytics Providers: We use analytics tools (such as Google Analytics or similar services) to understand how visitors use our website. These tools may collect anonymized or aggregated data about your browsing behavior.


Insurance Companies: If you use insurance to pay for services, we share necessary clinical and billing information with your insurance provider to process claims.


Healthcare Collaborators: With your written consent, we may share relevant clinical information with other healthcare providers involved in your care, such as psychiatrists, primary care physicians, or other therapists.


Legal and Regulatory Authorities: We may disclose your information when required by law, such as in response to a court order, subpoena, or mandatory reporting obligation (e.g., suspected child abuse, elder abuse, or imminent threat of harm).


Professional Supervisors or Consultants: In the context of clinical supervision or professional consultation, limited and de-identified information may be discussed to support quality care. Your identity is protected in these circumstances whenever possible.


IT and Security Providers: We work with trusted IT service providers who help maintain the security and functionality of our systems. These providers are bound by confidentiality agreements.


All third-party vendors and partners with whom we share information are required to maintain the confidentiality and security of your data and are contractually obligated to use it only for the purposes specified.


============================================================


7. HOW LONG WE KEEP YOUR INFORMATION


We retain your personal and clinical information in accordance with applicable federal and state laws, professional licensing requirements, and best practices in the mental health field.


Clinical Records: Adult client records are retained for a minimum of seven (7) years following the date of the last clinical contact, or longer if required by Virginia state law or other applicable regulations. Records for minor clients are retained for a minimum of seven (7) years after the client reaches the age of eighteen (18), or longer if required by law.


Billing and Financial Records: Billing and payment records are retained for a minimum of seven (7) years for tax and audit purposes.


Website Data: Website analytics data and cookie data are retained according to the retention settings of the analytics tools in use, typically no longer than twenty-six (26) months.


Communication Records: Emails, phone logs, and other correspondence are retained as long as necessary to support ongoing client care and administrative needs, after which they are securely deleted.


When retention periods expire, your information is securely destroyed using methods appropriate to the format, including shredding of paper records and permanent deletion or overwriting of electronic records.


If you request deletion of your information, we will comply to the extent permitted by law. Please note that certain records may need to be retained to meet legal, regulatory, or professional obligations even after your request.


============================================================


8. HOW WE PROTECT YOUR INFORMATION


We implement a range of administrative, technical, and physical safeguards to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction.


Encryption: All electronic data transmissions, including those through our website and telehealth platforms, are encrypted using industry-standard SSL/TLS encryption protocols. Data stored in our EMR and other systems is encrypted at rest.


Access Controls: Access to your personal and clinical information is restricted to authorized personnel only. We use role-based access controls, unique user IDs, and strong password requirements.


Secure Storage: Paper records, if any, are stored in locked filing cabinets in secured areas. Electronic records are stored on secure, HIPAA-compliant servers with regular security updates.


Offsite and Cloud Backups: We maintain secure, encrypted backups of electronic records to protect against data loss.


Staff Training: All staff members and contractors receive regular training on privacy, confidentiality, HIPAA compliance, and information security best practices.


Business Associate Agreements: We maintain signed Business Associate Agreements (BAAs) with all third-party vendors who handle Protected Health Information (PHI) on our behalf, as required by HIPAA.


Device and Network Security: Our devices and networks are protected with firewalls, antivirus software, and intrusion detection systems. Devices used for telehealth or remote access are secured and monitored.


Regular Audits: We conduct periodic reviews and audits of our privacy and security practices to identify and address potential vulnerabilities.


While we strive to protect your personal information, no method of electronic transmission or storage is completely secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately using the information provided in Section 19.


============================================================


9. YOUR RIGHTS AS A CLIENT


As a client of our Practice, you have the following rights regarding your personal information:


Right to Access: You have the right to request a copy of your personal and clinical records. We will provide access within a reasonable timeframe, typically within thirty (30) days of your written request.


Right to Amend: You have the right to request corrections or amendments to your records if you believe they contain inaccurate or incomplete information. We will review your request and respond within a reasonable timeframe. Please note that we may deny certain amendment requests if the information is accurate and complete, was not created by our Practice, or is not part of the records you are permitted to access.


Right to Restrict: You have the right to request restrictions on how we use or disclose your health information. While we will consider your request, please be aware that we are not required to agree to all restriction requests. However, we are required to honor a request to restrict disclosure to a health plan if you have paid for the service in full out of pocket.


Right to Request Confidential Communications: You may request that we communicate with you through specific methods or at specific locations (for example, contacting you only by email rather than by phone).


Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we have made of your health information for purposes other than treatment, payment, or healthcare operations.


Right to Receive a Copy of This Policy: You have the right to request and receive a paper or electronic copy of this Privacy Policy at any time.


Right to Revoke Authorization: If you have given us written authorization to use or disclose your information for a specific purpose, you have the right to revoke that authorization in writing at any time. Revocation will not affect any actions we took in reliance on the authorization before it was revoked.


Right to File a Complaint: If you believe your privacy rights have been violated, you have the right to file a complaint with our Practice or with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.


Right to Data Deletion: You may request deletion of your personal data. We will honor your request to the extent permitted by law, noting that certain records must be retained to comply with legal, regulatory, and professional requirements.


To exercise any of these rights, please submit a written request to us using the contact information in Section 19. We may require verification of your identity before processing your request.


============================================================


10. NOTICE OF PRIVACY PRACTICES (HIPAA)


This section serves as our Notice of Privacy Practices in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.


As a healthcare provider, we are required by law to maintain the privacy of your Protected Health Information (PHI), provide you with notice of our legal duties and privacy practices, and abide by the terms of this notice currently in effect.


Uses and Disclosures of PHI


We may use and disclose your PHI without your written authorization for the following purposes:


Treatment: We may use your PHI to provide, coordinate, or manage your mental health treatment and related services.


Payment: We may use and disclose your PHI to obtain payment for services, including billing your insurance company or other third-party payer.


Healthcare Operations: We may use and disclose your PHI for our internal operations, including quality assessment, staff training, licensing, and compliance activities.


As Required by Law: We may disclose your PHI when required by federal, state, or local law.


To Avert a Serious Threat to Health or Safety: We may use and disclose your PHI when necessary to prevent a serious and imminent threat to your health or safety or the health or safety of others.


Mandatory Reporting: We are required by law to report suspected child abuse, elder abuse, or abuse of incapacitated persons to the appropriate authorities.


Judicial and Administrative Proceedings: We may disclose your PHI in response to a court order, subpoena, or other lawful process.


Uses and Disclosures Requiring Your Written Authorization


For uses and disclosures not described above, we will obtain your written authorization before using or disclosing your PHI. This includes, but is not limited to, psychotherapy notes (where applicable), marketing communications, and any sale of your PHI.


Virginia-Specific Provisions


As a practice licensed in the Commonwealth of Virginia, we comply with all applicable Virginia laws governing the confidentiality of mental health records, including but not limited to Virginia Code sections related to the privacy of health records and the duties of mental health professionals.


Virginia law may provide additional protections for certain types of information, including substance abuse treatment records and mental health records. Where Virginia law is more protective than HIPAA, we follow the stricter standard.


============================================================


11. COOKIES AND TRACKING TECHNOLOGIES


Our website (https://butfirsthealthyself.com) uses cookies and similar tracking technologies to improve your browsing experience and help us understand how our website is used.


What Are Cookies: Cookies are small text files placed on your device when you visit a website. They help the website remember your preferences and understand how you interact with the site.


Types of Cookies We Use:


Essential Cookies: These cookies are necessary for the basic functionality of our website, such as navigation and accessing secure areas. The website cannot function properly without these cookies.


Analytics Cookies: We may use analytics cookies (such as those provided by Google Analytics or similar tools) to collect anonymized information about how visitors use our website, including which pages are visited most often, how long visitors stay on the site, and how they arrived at the site. This information helps us improve the design and content of our website.


Functional Cookies: These cookies allow our website to remember choices you make (such as language preferences) and provide enhanced features.


Managing Cookies: Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all cookies, accept only certain cookies, or notify you when a cookie is being placed on your device. Please note that disabling cookies may affect the functionality of certain parts of our website.


Do Not Track: Our website currently does not respond to "Do Not Track" browser signals. However, you may manage your tracking preferences through your browser settings or through the cookie controls on our website.


Third-Party Tracking: We do not use cookies or tracking technologies for the purpose of targeted advertising. Any analytics data collected is used solely for website performance improvement and is not shared with advertisers.


============================================================


12. WEBSITE ACCESSIBILITY (USERWAY)


We are committed to ensuring that our website is accessible to all individuals, including those with disabilities.


Our website uses the Accessibility Widget by UserWay, a third-party accessibility tool designed to improve the digital accessibility of our website for people with disabilities.


What UserWay Provides:


UserWay offers a suite of accessibility features that may include, but are not limited to:


Screen reader compatibility and optimization to assist visually impaired users.


Keyboard navigation support for users who cannot use a mouse.


Adjustable text size, spacing, and font options for improved readability.


Contrast and color adjustments for users with visual impairments or color blindness.


Cursor and focus enhancements for easier navigation.


Animation and motion pausing for users sensitive to screen movement.


Content highlighting and reading guides.


Alt-text identification for images.


Link highlighting and identification.


Page structure and heading navigation.


ARIA landmark and attribute support.


How to Use the Accessibility Widget: The UserWay accessibility widget is available on every page of our website. You can activate it by clicking the accessibility icon, typically located in the corner of the page. Once activated, you can customize your experience using the available settings and features.


UserWay Privacy: UserWay may collect limited technical data to provide its accessibility services. This data is processed in accordance with UserWay's own privacy policy, which can be reviewed at https://www.userway.org/privacy. UserWay does not collect personal health information from our website visitors.


Accessibility Feedback: If you experience any difficulty accessing any part of our website or have suggestions for improving accessibility, please contact us using the information provided in Section 19. We welcome your feedback and are committed to making improvements.


Our website aims to conform to the Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level. We continue to monitor and improve our website's accessibility on an ongoing basis.


============================================================


13. TELEHEALTH AND VIRTUAL SERVICES


We offer telehealth services, including virtual therapy sessions, through secure, HIPAA-compliant platforms. When you participate in telehealth, the following additional considerations apply:


The telehealth platform may collect certain technical information (such as device type, connection quality, and session duration) necessary to facilitate the virtual session.


Audio and video transmissions during telehealth sessions are encrypted and are not recorded unless you provide explicit written consent.


You are responsible for ensuring that you are in a private, secure location during your telehealth session to protect your own confidentiality.


Telehealth services are subject to the same confidentiality protections as in-person services under HIPAA and Virginia state law.


We maintain Business Associate Agreements with our telehealth platform providers to ensure your information is protected.


============================================================


14. SOCIAL MEDIA POLICY


Our Practice may maintain a presence on social media platforms for the purpose of sharing educational content, wellness resources, and general information about our services.


Please be aware of the following:


We will never disclose your identity, clinical status, or any personal information on social media.


We advise clients not to contact us through social media platforms for scheduling, clinical questions, or any communication that may reveal your identity as a client.


Social media platforms have their own privacy policies and data practices that are outside our control. We encourage you to review the privacy policies of any social media platforms you use.


Any interaction you initiate with our social media profiles (such as liking, commenting, or following) is visible to others and is subject to the platform's privacy settings, not ours.


We do not use social media data for clinical purposes.


============================================================


15. DATA BREACH NOTIFICATION


In the unlikely event of a data breach involving your personal or health information, we will take the following steps:


Immediate Response: We will promptly investigate and contain the breach to prevent further unauthorized access or disclosure.


Assessment: We will assess the nature and scope of the breach, the types of information involved, and the potential impact on affected individuals.


Notification to Affected Individuals: If the breach involves unsecured Protected Health Information and poses a significant risk of harm, we will notify affected individuals without unreasonable delay and no later than sixty (60) days after discovery of the breach. Notification will include a description of the breach, the types of information involved, steps you can take to protect yourself, and what we are doing in response.


Notification to Authorities: As required by HIPAA and applicable law, we will notify the U.S. Department of Health and Human Services and, if the breach affects 500 or more individuals, prominent media outlets in the affected area.


Documentation: We will document the breach, our investigation, and the actions taken in response, and we will retain this documentation as required by law.


Corrective Action: We will implement appropriate measures to prevent future breaches, which may include additional staff training, updated security protocols, and enhanced technical safeguards.


============================================================


16. CHILDREN'S PRIVACY


Our website is not directed at children under the age of thirteen (13), and we do not knowingly collect personal information from children under thirteen through our website.


If we provide clinical services to a minor client, all clinical records and personal information related to that minor are handled in accordance with HIPAA, Virginia state law regarding minors' mental health records, and applicable parental consent requirements.


If you are a parent or guardian and believe that your child has provided personal information through our website without your consent, please contact us immediately using the information in Section 19, and we will take steps to remove that information.


============================================================


17. THIRD-PARTY LINKS


Our website may contain links to third-party websites, resources, or services that are not operated or controlled by our Practice. This includes links on our Resources page and blog posts.


We are not responsible for the privacy practices, content, or security of any third-party websites. We encourage you to review the privacy policies of any external sites you visit.


The inclusion of a link on our website does not imply endorsement of the linked site or its content.


============================================================


18. CHANGES TO THIS PRIVACY POLICY


We reserve the right to update or modify this Privacy Policy at any time. When we make changes, we will:


Update the "Last Updated" date at the top of this policy.


Post the revised policy on our website at https://butfirsthealthyself.com.


For significant changes that affect how we use or disclose your personal or health information, we will make reasonable efforts to notify you directly, such as by email or by posting a prominent notice on our website.


We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.


Your continued use of our website or services after any changes to this Privacy Policy constitutes your acceptance of the updated terms.


============================================================


19. CONTACT INFORMATION


If you have any questions, concerns, or requests regarding this Privacy Policy, your personal information, or your privacy rights, please contact us:


But First, Heal Thyself


Email: [Insert Email Address]

Phone: [Insert Phone Number]

Mailing Address: [Insert Physical Address]

Privacy Officer: [Insert Privacy Officer Name and Contact Information]

Website: https://butfirsthealthyself.com


To exercise any of your privacy rights described in this policy, please submit your request in writing via email or mail to the addresses listed above. We will respond to your request within a reasonable timeframe, typically within thirty (30) days.


If you believe your privacy rights have been violated, you may also file a complaint with:


U.S. Department of Health and Human Services

Office for Civil Rights

Website: https://www.hhs.gov/ocr

Phone: 1-800-368-1019


Filing a complaint will not affect your ability to receive services from our Practice.


============================================================


ACKNOWLEDGMENT


By using our website or engaging our services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy.


This Privacy Policy is effective as of February 17, 2026.


============================================================


Copyright 2026 But First, Heal Thyself. All rights reserved.