This document outlines the comprehensive Privacy Policy for Healing Hearts with Hooves (referred to herein as “HHWH,” “the Organization,” “we,” “us,” or “our”). This policy is designed to affirm our profound commitment to maintaining the absolute confidentiality, security, and integrity of all Personal Data, especially sensitive Therapeutic Data, entrusted to us by our clients, their families, our dedicated volunteers, and our community partners. Given our unique position as a therapeutic organization that utilizes animal-human interaction to facilitate deep emotional and mental healing, we recognize that the information we collect is inherently sensitive and demands the highest level of diligence and ethical protection, often exceeding standard industry requirements. We are committed to transparency in our data handling practices and want you to be fully informed about how we collect, use, safeguard, and, under very limited circumstances, disclose your information. This policy is intended to be comprehensive, detailed, and easily understood, serving as a pillar of the trust we strive to build with every individual who connects with our sanctuary.

1. Introduction and Scope of Policy

This Privacy Policy applies universally to all information collected by Healing Hearts with Hooves at our physical location (402 43RD STREET WEST, BRADENTON, FL 34209), through our official website, via electronic forms, during telephone or email correspondence, and directly through the process of providing animal-assisted therapeutic services, whether those services are rendered on an individual basis, as part of a family unit, or within a specialized group setting. Our unwavering commitment extends to safeguarding data collected from all individuals interacting with our organization, including: prospective and current clients (Participants), their essential family members and legal guardians, volunteers, donors, job applicants, and community partners. This policy strictly governs all forms of data, ranging from basic contact details used for scheduling to the deeply sensitive, confidential clinical notes generated during our therapeutic sessions. By engaging with our services, applying to volunteer, or donating to our cause, you acknowledge and accept the detailed practices described within this policy and fully consent to our meticulous processing of your data in accordance with its specific terms and applicable legal standards. We ensure that every staff member, certified specialist, and professional contractor working on behalf of HHWH receives mandatory, recurrent training on data protection protocols, confidentiality ethics, and the rigorous requirements of this Privacy Policy, establishing a collective, organizational culture that prioritizes the sanctity of your private information above all other operational considerations. Our administrative, technical, and physical safeguards are continuously reviewed, proactively tested, and intentionally updated to maintain the highest levels of security against the evolving landscape of digital and physical data threats, ensuring the integrity of the information that is critical to our shared mission of healing.

2. Definitions of Key Data Categories

To ensure absolute clarity and understanding throughout this document, it is essential to define the specific categories of data we manage and protect, as the level of security and access control we apply is directly dependent on the sensitivity of the information.

2.1. Personal Data (PD)

Personal Data encompasses any information, recorded in any format, that can be used directly or indirectly to identify, locate, or contact a specific, individual living person. This includes, but is not limited to: Contact Identifiers, such as full legal name, residential address, telephone numbers (home, mobile), and personal email addresses. Demographic Details, including date of birth, gender, marital or familial status, and emergency contact information. Technical Identifiers, such as Internet Protocol (IP) addresses, device identifiers, browser history, and unique identifiers generated through website use (like cookie IDs). Financial Details, including billing addresses, payment card information (though only securely processed and never stored by us), and payment history for services rendered or donations made to the Organization. Administrative Records, such as Client ID numbers, intake interview notes that pertain only to scheduling and logistics, and records of communication correspondence via email or documented phone calls.

2.2. Sensitive Therapeutic Data (STD)

Sensitive Therapeutic Data, which aligns with industry standards for Protected Health Information (PHI) in the mental health domain, represents the highest classification of sensitive data we manage. This category is subject to the most stringent confidentiality protocols, limited access controls, and enhanced security measures. This information is considered the core record of your therapeutic journey and is only accessible to the primary clinical treatment team and essential supervisory staff. It includes: Clinical Records, such as detailed, ongoing session notes, formal treatment plans, assessments of presenting symptoms, documented mental health diagnoses, psychological evaluations, and internal records of emotional or behavioral changes observed during therapeutic sessions with the animal partners. Medical History, including past and current medical conditions, prior mental health history, and any medication details or concurrent therapies that may directly influence the safe delivery and efficacy of our animal-assisted programs. Family/Social Context, which involves confidential information regarding family dynamics, personal background history, social interactions, educational performance records, or employment status details that are specifically shared to inform the therapeutic strategy and achieve established clinical goals. Progress Documentation, including measurable outcomes, final disposition reports, and highly confidential post-session reflections detailing the emotional responses and specific breakthroughs experienced by the Participant in the sanctuary environment.

2.3. Non-Personal Data (NPD)

Non-Personal Data refers to information that has been rigorously anonymized, aggregated, or de-identified to the extent that it cannot, by itself or in combination with other reasonably accessible information, be linked to a specific living individual. This data type is primarily utilized for internal operational improvement, statistical analysis, and general reporting. It includes: Aggregate Metrics, such as the total number of clients served by age bracket, anonymous donation amounts by geographic region, the aggregated average session completion rates, and the total volume of website traffic or page views. De-identified Research Data, which is therapeutic data that has been stripped of all direct identifiers (names, dates of birth, addresses) and other reasonably identifying elements, used strictly for internal program effectiveness studies, research publications, or grant application reporting to support the ongoing advancement and proven efficacy of animal-assisted therapeutic models. System Telemetry, including logs detailing server activity, error reports, and general performance data of our IT infrastructure.

3. The Methods of Data Collection

Our approach to data collection is grounded in the principle of data minimization, ensuring we only collect the information that is strictly necessary, directly relevant, and legally permissible for the specific purposes of providing effective therapeutic care, managing the organization, or fulfilling contractual obligations. Data is collected through several distinct channels, each with its own corresponding data type and security protocol.

3.1. Direct Collection via Client Intake and Therapeutic Sessions

The overwhelming majority of Sensitive Therapeutic Data (STD) and essential Personal Data (PD) is collected directly from the Participant, their legal guardian, or the referring professional during the initial intake process, through subsequent one-on-one sessions, and during formal clinical assessments. Intake Forms are comprehensive paper or digital forms utilized during the onboarding phase to collect necessary contact information, emergency contacts, medical history, and initial symptom presentations required to build the foundational client profile and ensure safety within the ranch environment. Session Documentation involves licensed therapists and certified equine specialists meticulously documenting session notes (Therapeutic Data) during or immediately following each engagement with the animal partners. These notes capture real-time observations, client verbalizations, behavioral responses, and the corresponding animal reactions, forming the clinical record. Consent and Contract Forms involve the collection of signatures and affirmations on required waivers, liability releases, consent to treat, and billing agreements.

3.2. Digital and Online Data Collection

As a modern organization, we utilize digital tools and our online presence for administrative and outreach purposes, leading to the collection of both Personal and Non-Personal Data. Website Analytics and Cookies are used by our website to collect Non-Personal Data about visitor interaction, page navigation flow, and device type, used purely for performance optimization and understanding user experience. Contact Forms and Email Inquiries submitted by an individual include their name, email address, and the content of the message collected as Personal Data for the explicit purpose of responding to the request and initiating the triage process. Online Donation Platforms are used to collect essential Financial Details (name, transaction amount, billing address) when donations are processed through our website. Crucially, credit card numbers are handled securely by PCI-compliant third-party payment processors and are never stored directly on HHWH servers.

3.3. Third-Party and Referral Data Acquisition

In alignment with our clinical and community mission, data may be received from external, trusted entities only with the explicit written consent of the Participant or their legal guardian, or as legally required. Referral Documentation is received from referring licensed clinicians, schools, social workers, or physicians, strictly necessary to ensure continuity of care and appropriate program planning. Background Checks are performed using certified third-party services for all prospective staff and dedicated volunteers, resulting in the collection of sensitive identification and background data.

4. The Specific Uses of Collected Information

Every piece of data collected by Healing Hearts with Hooves is utilized solely for legitimate, predefined purposes that directly align with our core mission of providing effective therapeutic services, ensuring the safety of our environment, and maintaining the financial viability of our non-profit operations. Our utilization of data is compartmentalized based on the sensitivity level of the information.

4.1. Primary Use: Provision of Therapeutic Services (Sensitive Data)

The most critical and primary use of all Sensitive Therapeutic Data (STD) is the direct delivery and continuous refinement of the Participant’s tailored treatment plan. This includes: Clinical Assessment and Diagnosis, where Therapeutic Data is analyzed by the clinical team to accurately understand the Participant’s presenting challenges and continuously track the efficacy of the animal-assisted interventions. Safety and Risk Management, as knowing a Participant’s medical history is paramount to ensuring their physical and emotional safety while interacting with the large, sensitive animal partners in the arena, allowing us to implement necessary modifications to the therapeutic activities. Continuity of Care, where session notes and progress summaries are used to brief the collaborative therapeutic team (licensed therapist and animal specialist) before each new session, ensuring a unified, consistent, and well-informed approach throughout the entire course of treatment.

4.2. Operational and Administrative Management (Personal Data)

Personal Data (PD) is utilized for all necessary administrative, communication, and financial functions that enable the smooth operation of the organization. This includes: Scheduling and Communication, where PD is used for the explicit, necessary functions of scheduling sessions, confirming appointments, and sending essential service-related communications. Financial and Billing Compliance, where PD and Financial Details are used to issue accurate invoices, process payment transactions securely, manage donor receipts, and comply with essential financial auditing and tax reporting requirements. Volunteer and Staff Management, where PD from applicants and active team members is used to manage personnel records, facilitate payroll, administer internal training and certification tracking, and ensure compliance with employment and volunteer service regulations.

4.3. Research, Program Development, and Quality Improvement (Non-Personal Data)

Non-Personal Data (NPD) and rigorously de-identified Therapeutic Data are used exclusively to enhance the quality, efficacy, and scope of our mission and programs, always protecting the identity of the original Participants. This includes: Program Efficacy Studies, where aggregated, anonymous data is analyzed to scientifically assess the measurable outcomes of our animal-assisted models across different populations. Grant Reporting and Fundraising, where NPD is used to accurately report our organizational impact and community reach to potential grant-awarding foundations and donors, securing the essential funding required to offer subsidized services. Website and Digital Optimization, where NPD is used to track and analyze website performance, identifying areas for improvement in navigation, content clarity, and outreach effectiveness.

5. Sharing and Disclosure of Information

Healing Hearts with Hooves maintains a strict policy of non-disclosure of all client data. We will never sell, rent, or trade any Personal Data or Sensitive Therapeutic Data to any external third party for marketing or commercial purposes. Data is only shared under extremely limited, specific, and legally defined circumstances, always prioritizing the Participant’s safety and well-being.

5.1. Sharing for Treatment and Healthcare Coordination

Confidential data is shared only with the explicit, written consent of the client or legal guardian, solely for the purpose of ensuring necessary continuity of care or coordination of parallel therapeutic services. Referring/Outside Professionals may receive clinical summaries to ensure all professionals involved in the client’s care are aligned on the treatment strategy, provided we have a current, signed, and specific Release of Information (ROI) form on file. Internal Treatment Team members—the licensed therapist, the certified animal specialist, and the Clinical Director—routinely and necessarily share Sensitive Therapeutic Data, operating under the same strict confidentiality agreements and professional ethical standards required for clinical supervision and optimal team communication.

5.2. Necessary Third-Party Service Providers

We engage select, highly vetted, and contractually bound third parties to perform essential operational functions on our behalf. These third parties are legally prohibited from using the data for any purpose other than the specific service they are contracted to provide and are required to maintain equal or superior security safeguards. Electronic Medical Records (EMR) System Provider utilizes a HIPAA-compliant, specialized, encrypted system to securely store all Therapeutic Data and clinical records digitally. Payment Processors handle financial transactions (donations, fee payments), and we only share the minimum necessary Financial Details for transaction completion. Cloud Hosting and IT Security Providers manage our secure data backups, server maintenance, and advanced network security to ensure protection against unauthorized intrusion and data loss.

5.3. Mandatory Legal and Safety Requirements (Exceptions to Confidentiality)

Disclosure will occur without the client’s consent only when legally or ethically mandated, as required to protect public safety, the client, or the well-being of our animals. Duty to Warn/Protect legally requires us to disclose Therapeutic Data to relevant authorities if the client expresses a clear, imminent, and credible threat of serious bodily harm to themselves or to an identifiable third party. Abuse and Neglect Reporting means we are mandated reporters for any suspected or confirmed instances of child abuse, elder abuse, or animal abuse/neglect observed or reported during sessions. Legal Process mandates disclosure only when required by a legally binding court order, valid subpoena, or government investigative demand that has been duly reviewed by our legal counsel.

6. Data Security and Data Retention Protocols

The protection of your data is paramount, especially the sensitive clinical information generated through our therapeutic services. Healing Hearts with Hooves employs a layered, comprehensive security strategy encompassing physical, technical, and administrative safeguards to protect data integrity and prevent unauthorized access or disclosure.

6.1. Technical and Digital Security Measures

Encryption is applied to all Sensitive Therapeutic Data stored in our EMR system, which is protected using industry-leading, asymmetric encryption algorithms. All electronic data transmitted is also encrypted using Transport Layer Security (TLS) protocols to prevent interception during transit. Access Control and Authentication govern our digital clinical records: access is strictly controlled on a need-to-know basis, requiring mandatory multi-factor authentication (MFA) and rigorous role-based access controls within the EMR system. Network Security utilizes advanced firewalls, intrusion detection systems, and real-time malware protection on all network endpoints and servers to continuously monitor and immediately counteract malicious activity.

This layered security approach is designed to withstand modern cyber threats.

6.2. Physical and Administrative Safeguards

Physical Security ensures that any minimal paper records are stored in locked, fire-resistant filing cabinets located in a physically secure, access-controlled office area at our Bradenton facility, accessible only by authorized personnel. Staff Training is mandatory and annual for all employees and volunteers with data access, covering data handling best practices, PHI confidentiality protocols, and the strict adherence requirements of this policy. Breach Response Plan ensures we maintain a formal, documented, and regularly tested security incident response plan designed to immediately contain, investigate, and mitigate the impact of any suspected or confirmed data breach.

6.3. Data Retention and Destruction

We retain Personal Data and Sensitive Therapeutic Data only for the period strictly necessary to fulfill the purposes outlined in this policy, satisfy legal, clinical record-keeping, and administrative requirements, or as dictated by the professional licensing board for therapeutic records in the State of Florida. Therapeutic Data is subject to retention periods mandated by professional ethics and state law (e.g., typically 7 to 10 years following the last date of service for adults, or longer for minors). Non-Clinical Data is typically retained for a shorter period (e.g., 2 years) unless required for financial auditing purposes. Secure Destruction is employed once the mandatory retention period expires, with all physical records destroyed via cross-shredding and all digital data purged, permanently erased, and rendered unrecoverable using industry-approved sanitization methods.

7. Your Rights and Choices Regarding Your Data

In alignment with modern data protection principles worldwide, you maintain significant rights and control over your Personal Data and Sensitive Therapeutic Data processed by Healing Hearts with Hooves. We are committed to honoring these rights upon verification of your identity and the legality of the request.

7.1. Right to Access and Correction

You have the fundamental right to request confirmation regarding whether we process your data and, if so, to request a copy of the specific Personal Data and Therapeutic Data we hold about you (Access). Access to sensitive clinical notes will be provided in consultation with the Clinical Director to ensure the information is presented in a manner that is clinically appropriate and safe for the Participant. If you believe any of the data we hold is inaccurate, incomplete, or outdated, you have the right to request that we immediately rectify or update the information in our records (Correction), and we will do so without undue delay.

7.2. Right to Deletion (Right to Erasure)

You maintain the right to request the complete deletion or erasure of your Personal Data when that data is no longer necessary for the purpose for which it was collected. Please note, however, that this right is subject to significant and essential clinical and legal constraints: Retention Conflicts mean we cannot delete Sensitive Therapeutic Data that we are legally mandated to retain for mandatory clinical record-keeping periods or data required for legal defense, financial auditing, or essential safety requirements. De-identification may be employed, where we opt to fully de-identify data rather than permanently delete it, thereby preserving the anonymous information for necessary research and program efficacy reporting while ensuring the data can no longer be linked back to you personally.

7.3. Right to Restrict Processing and Withdraw Consent

You have the right to request that we temporarily restrict or limit the processing of your Personal Data under certain circumstances (Restriction). You have the full right to withdraw your consent for any non-essential data processing at any time (Withdrawal), particularly for marketing or non-clinical research purposes. However, withdrawing consent for the essential processing of Sensitive Therapeutic Data may impact our ability to safely and effectively continue providing therapeutic services to you, and we will require a formal discussion with the Clinical Director about the potential ramifications of such a withdrawal before ceasing services.

7.4. Exercising Your Rights

To exercise any of these fundamental rights, you must submit a formal, verifiable request in writing to the contact email provided below. We are required to verify your identity to ensure that we are not releasing confidential information to an unauthorized party. We will respond to all valid, verifiable requests within 30 days of receipt, informing you of the action taken or the reasons why we are unable to comply (e.g., due to legal or clinical record retention obligations).

8. Children’s Privacy and Policy Updates

8.1. Commitment to Children’s Privacy

Healing Hearts with Hooves is deeply committed to the protection of the privacy of young Participants. We do not intentionally collect Personal Data from children under the age of 13 without the verifiable, explicit, and legally binding consent of a parent or legal guardian. The intake process for all minor clients (under age 18) requires the full participation and verifiable consent of a legal guardian, as mandated by state law and ethical clinical practice. All therapeutic sessions and the management of a minor’s Sensitive Therapeutic Data are conducted with the highest deference to the legal rights and responsibilities of the custodial parent or guardian.

8.2. Policy Updates and Review

This Privacy Policy may be updated periodically to reflect changes in our data processing practices, evolving technology, or changes in legal and regulatory requirements. We reserve the right to modify this policy at any time, effective immediately upon posting the revised version on our official website. We will always place the effective date at the beginning of the document to alert users to the most current version. For significant material changes that substantially alter how we use your Sensitive Therapeutic Data, we will provide a prominent notice on our website and may contact you directly via email to ensure you are fully informed and have the opportunity to acknowledge and consent to the updated terms of service and care.

9. Contact Information and Complaint Procedures

We take the responsibility of protecting your privacy with the utmost seriousness, and we welcome any questions, concerns, or feedback you may have regarding our data handling and privacy practices.

9.1. Designated Privacy Contact

All inquiries related to this Privacy Policy, requests to exercise your rights, or reports of suspected breaches must be directed to our designated Privacy Contact Officer, who manages all data governance and compliance for the organization:

Privacy Contact Officer
Healing Hearts with Hooves
402 43RD STREET WEST, BRADENTON, FL 34209
Email: info@hhwh.click (Please use the subject line: Privacy Policy Inquiry)

9.2. Complaint Resolution

If you believe that Healing Hearts with Hooves has not complied with the terms of this Privacy Policy or applicable data protection laws, we strongly encourage you to contact our Privacy Contact Officer first to allow us the opportunity to investigate the matter thoroughly and resolve your concern internally and respectfully. If you are not satisfied with our response or believe we are not handling your Personal Data in accordance with legal requirements, you have the right to file a complaint with the relevant data protection or health privacy supervisory authority in your jurisdiction.