Privacy Policy

Effective Date: March 17, 2026

Last Updated: March 2026

Important: This privacy policy covers the Rocky Mountain Thrive public website (rockymountainthrive.com) only. The website itself does not store, process, or retain any user-submitted data. All form submissions are transmitted directly into HIPAA-compliant systems. When you become a client, you will receive our HIPAA Notice of Privacy Practices, which governs how your protected health information is used and disclosed.

Telehealth-Only Practice: Rocky Mountain Thrive PLLC is a telehealth-only mental health practice serving clients across Colorado. We do not maintain a physical office where clients are seen. All therapy sessions are conducted via secure, HIPAA-compliant video platforms.

1. Introduction & Scope

Rocky Mountain Thrive PLLC("we," "us," or "our") operates the website at rockymountainthrive.com(the "Website"). We are a telehealth-only mental health practice licensed in and serving clients throughout Colorado.

This Privacy Policy explains what information is collected through our Website, how it is used and protected, and your rights regarding that information. This policy applies only to information collected through this Website — it does not apply to information collected through our electronic health record (EHR) system, which is governed by our separate HIPAA Notice of Privacy Practices.

The Website itself does not independently store or retain user-submitted data. When you submit information through a contact or inquiry form, that data is transmitted directly into HIPAA-compliant systems operated by or on behalf of the practice (see Section 2 for details).

Definition of "Client":Throughout this policy, the term "client" refers to an individual who has established a provider-client relationship with Rocky Mountain Thrive by: (1) completing all required digital intake documentation in SimplePractice, (2) receiving written confirmation of acceptance by the practice, and (3) completing at least one billable clinical session with a licensed clinician of the practice. Individuals who have only submitted a website inquiry, contact form, or consultation request are not considered clients and are not entitled to the clinical record rights described in this policy.

By using our Website, you agree to the collection and use of information as described in this policy. If you do not agree with these practices, please do not use our Website.

2. Information We Collect

2.1 Information You Provide

When you interact with our Website, you may voluntarily provide us with the following information through contact and inquiry forms:

  • Contact form inquiries: Your name, email address, phone number, and the content of your message
  • Appointment inquiry information: Your name, contact information, insurance provider, and general reason for seeking services
  • Newsletter or email communications: Your email address and name if you subscribe to updates

How form data is handled:Contact and inquiry form submissions are transmitted directly into HIPAA-compliant systems at the point of submission — specifically, SimplePractice (our EHR platform, operating under a Business Associate Agreement) and/or the practice's internal HIPAA-compliant database infrastructure (also operating under appropriate HIPAA safeguards and BAA agreements). The Website itself has no independent data storage for form submissions. The specific system(s) receiving any given submission may vary based on inquiry type and current infrastructure configuration.

Note: We do not collect clinical or health information through this Website. If you include health details in a contact form message, that information is used solely to direct you to appropriate services and is not stored as a clinical record.

2.2 Information Collected Automatically

When you visit our Website, we may automatically collect:

  • Device and browser information: Browser type, operating system, screen resolution, and device type
  • Usage data: Pages visited, time spent on pages, referring website, and general navigation patterns
  • Location data: General geographic location based on IP address (city/state level only — we do not collect precise location)

3. How We Use Your Information

We use the information collected through our Website for the following specific purposes:

  • Responding to inquiries: To reply to your contact form submissions and appointment requests
  • Directing you to services: To connect you with the appropriate clinician or our secure client portal (SimplePractice) for intake
  • Website improvement: To understand how visitors use our site and improve content, navigation, and user experience
  • Communications: To send you information you have requested, such as newsletter updates or practice announcements (you may opt out at any time)
  • Legal compliance: To comply with applicable laws, regulations, or legal processes

We do not use your information for targeted advertising, and we do not build behavioral profiles based on your Website activity.

4. How We Share Your Information

We do not sell your personal information. We have never sold personal information, and we have no plans to do so.

We may share your information only in the following limited circumstances:

  • HIPAA-compliant systems:Form submissions are transmitted directly into SimplePractice (operating under a BAA) and/or the practice's internal HIPAA-compliant database infrastructure (also operating under appropriate BAA agreements). These systems handle all submitted data exclusively within HIPAA-compliant frameworks.
  • Service providers: We use trusted third-party services to operate our Website, including website hosting (Google Cloud Platform), email delivery, and analytics. These providers process data on our behalf and are contractually required to protect your information.
  • Legal requirements: We may disclose information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Clinical Records & EHR

Our Website is an informational and marketing site. It does not store clinical records, therapy notes, treatment plans, diagnoses, or any other protected health information (PHI). All data submitted through website forms flows directly into HIPAA-compliant systems at the point of submission.

Clinical records for established clients are maintained in SimplePractice and/or the practice's internal HIPAA-compliant database, per applicable BAA and HIPAA requirements. When you become a client, you will receive our HIPAA Notice of Privacy Practices as part of the onboarding process.

HIPAA applies to our clinical services provided through our HIPAA-compliant systems — not to this Website. For questions about how your clinical information is used and protected, please refer to the HIPAA Notice of Privacy Practices provided during your intake process, or contact us at contact@rockymountainthrive.com.

6. Cookies & Tracking

Our Website uses a minimal set of cookies and tracking technologies:

6.1 Essential Cookies

These are necessary for the Website to function properly, including session management and security features. They cannot be disabled.

6.2 Analytics

We use self-hosted, privacy-focused analytics to understand how visitors use our Website. Our analytics system collects anonymous page view and session data without tracking individual users across sessions or sites. We do not use Google Analytics, Meta Pixel, or any third-party advertising trackers.

6.3 How to Manage Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling essential cookies may affect Website functionality.

7. Data Retention

The Website itself does not independently store user-submitted data. Form submissions are transmitted directly into HIPAA-compliant systems and are governed by the retention policies of those systems. Operational data retention is as follows:

  • Operational email communications (Google Workspace): Operational emails, including intake inquiry responses, are automatically purged after 30 days pursuant to the practice's standing HIPAA-aligned data minimization policy.
  • Non-client inquiries (individuals who do not become clients): We do not retain records, documentation, or communications for individuals who did not complete intake and establish a lawful provider-client relationship. Operational emails are purged within 30 days.
  • Established client records: Once a provider-client relationship is established, records are retained in HIPAA-compliant systems per Colorado law (6 CCR 1011-1) and HIPAA requirements.
  • Analytics data: Anonymized usage data is retained for up to 12 months to understand long-term Website trends. This data does not identify individual users.
  • Email subscription data: Retained until you unsubscribe, at which point your email address is removed from our mailing list within 10 business days.

8. Telehealth Services Notice

Rocky Mountain Thrive PLLC is a telehealth-only practice. All therapy services are delivered remotely via secure, HIPAA-compliant video platforms. We do not maintain a physical office location where clients are seen for appointments.

Because our services are delivered through technology, we want you to understand:

  • Our telehealth platforms are separate from this Website and use their own HIPAA-compliant security measures
  • We use encryption and other security measures to protect all telehealth sessions
  • As a client, you will receive specific information about the telehealth platforms we use, including their privacy practices, before your first session
  • Our clinicians are licensed in Colorado and provide services only to individuals physically located in Colorado at the time of their session

8.1 SMS Text Messaging

Rocky Mountain Thrive PLLC uses SMS text messaging to communicate with established and prospective clients for appointment reminders, scheduling confirmations, schedule changes, intake follow-ups, and general patient communication with your therapist. Message frequency varies based on your appointment schedule and active communication.

Your mobile information will not be sold or shared with third parties for promotional or marketing purposes. Mobile phone numbers and SMS content are used solely to deliver the clinical care communications you have consented to receive. We do not engage in SMS marketing.

How to opt in: You provide consent by checking the SMS consent box on our web intake form, by verbally agreeing during an initial intake call, or by sending a text message to our practice number.

How to opt out: You may opt out of text messages at any time by replying STOP, UNSUBSCRIBE, QUIT, END, or CANCEL to any message we send. You will receive a confirmation message, and no further texts will be sent to your number. You may re-subscribe at any time by replying START or YES. For help, reply HELP or INFO to any message.

Message and data rates may apply based on your mobile carrier plan. Carrier support is not guaranteed in all areas.

Crisis resources: SMS is not a substitute for emergency care. If you are in crisis, please call or text 988(Suicide & Crisis Lifeline) or dial 911 immediately.

For complete SMS program terms including opt-in methods, opt-out instructions, message frequency, and data rates, see our SMS Terms & Conditions.

9. Colorado Privacy Rights

9.1 Colorado Privacy Act (CPA)

Under the Colorado Privacy Act (CRS §6-1-1301 et seq.), Colorado residents have specific rights regarding their personal data. While this Website does not independently collect or store personal data beyond standard analytics (all form submissions flow into HIPAA-compliant systems), we are committed to transparency:

  • Right to Access: You have the right to confirm whether we are processing your personal data and to access that data
  • Right to Correction: You have the right to correct inaccuracies in your personal data
  • Right to Deletion: You have the right to request deletion of your personal data
  • Right to Data Portability: You have the right to obtain your personal data in a portable and readily usable format
  • Right to Opt Out: You have the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of these activities.

We do not sell personal data, engage in targeted advertising, or profile consumers. If you include health-related information in a contact form submission, it is transmitted into HIPAA-compliant systems, used solely to direct you to appropriate services, and subject to the 30-day operational email purge policy.

9.2 Colorado Consumer Protection

Under the Colorado Consumer Protection Act (CRS §6-1-101 et seq.), you have the right to:

  • Know what personal information we collect about you
  • Request deletion of your personal information
  • Not be discriminated against for exercising your privacy rights

To exercise any of these rights, contact us at contact@rockymountainthrive.com. We will respond within 45 days as required by the Colorado Privacy Act. If we need additional time, we will notify you of the extension and the reason for it.

10. Your Privacy Rights

The Rocky Mountain Thrivepublic website does not independently store personal information. Any data submitted via website forms is transmitted directly into HIPAA-compliant systems (SimplePractice and/or the practice's internal HIPAA-compliant database) and is not retained by the website itself.

If you are an established client (as defined in Section 1) and wish to access, correct, or request deletion of your clinical records, please contact us at contact@rockymountainthrive.com. Client record requests are handled in accordance with HIPAA and Colorado law (6 CCR 1011-1).

Colorado residents may also exercise rights under the Colorado Privacy Act (CRS §6-1-1301 et seq.) by contacting us at contact@rockymountainthrive.com. We will respond within 45 days as required by the CPA.

To opt out of any marketing communications, use the unsubscribe link in any email or contact us at contact@rockymountainthrive.com.

10.1 CAN-SPAM Compliance

If you receive marketing emails from us, each email will include an unsubscribe link. We honor all unsubscribe requests within 10 business days. We do not use deceptive subject lines, and all emails clearly identify Rocky Mountain Thrive as the sender. For CAN-SPAM compliance purposes, our mailing address is: 215 S Wadsworth Blvd Unit 400, Denver, CO 80226.

11. Data Security

The Website itself does not store personal data submitted through forms. All form submissions are transmitted directly into HIPAA-compliant systems. The security of submitted data is governed by the HIPAA-compliant infrastructure of SimplePractice and/or the practice's internal systems, each operating under appropriate Business Associate Agreements (BAAs).

For the Website itself, we implement the following safeguards:

  • SSL/TLS encryption for all data transmitted between your browser and our Website
  • Hosting on Google Cloud Platform with enterprise-grade infrastructure security
  • Regular security audits and monitoring
  • Automatic session timeout on authenticated areas

While we implement these safeguards, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information using industry-standard practices.

12. Data Breach Notification

Rocky Mountain Thrivecomplies with Colorado's data breach notification law (CRS §6-1-716). In the event of a breach affecting personal information, we will notify affected Colorado residents within 30 days of determining that a security breach occurred.

For breaches affecting more than 500 Colorado residents, we will also notify the Colorado Attorney General as required by law. If the breach affects more than 1,000 Colorado residents, we will also notify all consumer reporting agencies.

13. Children's Privacy

Our Website is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 through our Website.

If we discover that we have inadvertently collected personal information from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at contact@rockymountainthrive.com.

Note: Rocky Mountain Thrive does provide therapy services to teens (ages 13+) with parental or guardian consent. Clinical intake for minors is handled through our secure EHR system, not through this Website.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes:

  • The "Last Updated" date at the top of this page will be revised
  • For material changes, we will provide notice through our Website
  • Your continued use of the Website after changes are posted constitutes acceptance of the updated policy

We encourage you to review this policy periodically.

16. Contact Us

If you have questions about this Privacy Policy, your privacy rights, or how we handle your information, please contact us:

We aim to respond to all privacy inquiries within 30 days.

Rocky Mountain Thrive PLLC is a Professional Limited Liability Company registered in the State of Colorado.