Effective Date: March 12, 2026

At Treetop ABA Therapy ("Treetop," "we," "us," or "our"), your privacy is important to us. This Privacy Policy explains how we collect, use, disclose, and protect your personal information — including protected health information (PHI) — when you visit our website, submit forms, or receive our services. By using our website or providing your information, you agree to the practices described in this policy.

• Name, phone number, email address, and mailing address
• Child's name, date of birth, and diagnosis (when provided through intake forms)
• Insurance information and Medicaid/AHCCCS identifiers

• IP address, browser type, operating system, and device identifiers
• Pages visited, time spent on pages, referral URLs, and click behavior
• Geolocation data (city/state level, not precise location)

• Consent and opt-out status for phone, SMS, and email communications
• Records of correspondence between you and Treetop

• UTM parameters, campaign source identifiers, and ad click data (e.g., GCLID, FBCLID)
• Conversion and engagement data used to evaluate advertising performance

We use the information we collect for the following purposes:

• To respond to service inquiries, schedule consultations, and manage the intake process
• To coordinate ABA therapy services and communicate with caregivers
• To send appointment reminders, service updates, and administrative notices
• To share educational content and promotional material (only with your consent)
• To verify insurance eligibility and process authorizations
• To measure and improve the effectiveness of our website and advertising campaigns
• To comply with legal, regulatory, and contractual obligations

Important: When Treetop collects or creates health information as part of providing ABA therapy services, that information is classified as Protected Health Information (PHI) and is governed by the Health Insurance Portability and Accountability Act (HIPAA) and applicable state health privacy laws.

The use and disclosure of PHI — including diagnosis, treatment plans, session notes, and insurance claims data — is governed by our Notice of Privacy Practices, which is provided separately to clients at the start of services. Key points include:

• Treatment, Payment, and Operations: We may use and share PHI for treatment coordination, billing and payment processing, and internal quality assurance without additional authorization.
• Authorization Required: Uses of PHI beyond treatment, payment, and healthcare operations require your written authorization, which you may revoke at any time.
• Minimum Necessary Standard: We limit the PHI we use or disclose to the minimum amount necessary to accomplish the intended purpose.
• Business Associates: Third parties that handle PHI on our behalf (e.g., EHR systems, billing processors) are bound by Business Associate Agreements (BAAs) requiring HIPAA-compliant safeguards.
• Breach Notification: In the event of an unauthorized disclosure of PHI, we will notify affected individuals and relevant authorities as required by law.

This website privacy policy does not replace or override our HIPAA Notice of Privacy Practices. If there is a conflict between this policy and the Notice of Privacy Practices regarding the handling of PHI, the Notice of Privacy Practices will control.

Our website uses online intake and contact forms (powered by JotForm) to collect information from prospective and current families. When you submit a form on our website or landing pages, we collect the data you provide, which may include:

• Parent/guardian name, email address, and phone number
• Child's name, date of birth, and diagnosis
• Insurance provider and member ID
• Preferred location and service type (in-clinic or in-home)
• How you heard about us (referral source)

• Collection: Form submissions are processed by JotForm, a third-party form platform. JotForm maintains its own privacy and security practices, including data encryption in transit and at rest. You can review JotForm's Privacy Policy for details.
• Transfer: Submitted data is routed to our internal systems, including our CRM (Salesforce), for intake coordination and follow-up.
• Advertising Attribution: Forms may capture UTM parameters, click identifiers (GCLID, FBCLID), and landing page URLs to help us understand which advertising channels are effective. This data is used for campaign optimization and is not used to identify you personally in advertising platforms.
• Retention: Form submission data is retained in our systems for the duration of the client relationship and as required by law. Submissions from individuals who do not become clients are retained for up to 24 months and then deleted.

Note: Information submitted through our website forms prior to the start of clinical services is not considered Protected Health Information under HIPAA. Once a client relationship is established, your data is subject to the protections described in Section 3.

By providing your phone number through our website, forms, or in person, you expressly consent to receive:

• Text messages (SMS/MMS)
• Phone calls, including those using auto-dialed or prerecorded technology
• Voicemails, including messages using synthetic or prerecorded voices

These communications may include appointment reminders, service coordination, intake follow-ups, satisfaction surveys, and — with additional consent — marketing and promotional messages.

Consent is not a condition of receiving services. Standard message and data rates may apply. Message frequency varies.

• Text Messages: Reply STOP to any message to unsubscribe, or reply HELP for assistance.
• Phone Calls: Request removal during any call, or contact us directly.
• Email: Click the "unsubscribe" link in any email, or email us at [email protected].

We honor all opt-out requests promptly and will stop contacting you via the requested method.

We do not sell or rent your personal information. We may share information with the following categories of recipients:

• Healthcare Providers: Physicians, specialists, and other providers involved in your child's care coordination.
• Insurance Companies: For benefit verification, pre-authorization, and claims processing.
• Service Providers: Trusted vendors that assist with website hosting, analytics, email delivery, CRM operations, and advertising platforms — all bound by data protection agreements.
• Legal & Regulatory: Government agencies, courts, or law enforcement when required by law, subpoena, or to protect our legal rights.

Our website uses cookies and similar tracking technologies to analyze usage, improve your experience, and measure advertising effectiveness. These include:

• Google Analytics: Collects anonymized data about page views, session duration, and user behavior to help us improve our website.
• Google Ads (including GCLID tracking): Tracks conversions from Google advertising campaigns to measure and optimize ad performance.
• Meta Pixel (Facebook/Instagram): Tracks website activity from users who interact with our Meta advertising, enabling conversion tracking and audience optimization.
• Essential Cookies: Required for basic website functionality such as form submission and navigation.

You can manage your cookie preferences through your browser settings. Disabling cookies may affect certain website features. Most browsers allow you to block or delete cookies, and you can opt out of interest-based advertising through the Digital Advertising Alliance or Network Advertising Initiative.

Healthcare Advertising Note: We do not use tracking pixels or cookies to collect or transmit Protected Health Information to advertising platforms. Advertising data is limited to website engagement activity (page views, form submissions) and does not include clinical or diagnostic information.

We maintain administrative, technical, and physical safeguards designed to protect your information, including:

• Encryption of data in transit (TLS/SSL) and at rest where applicable
• Role-based access controls limiting who can view personal and health data
• Regular security reviews and employee training on data handling
• Secure, access-controlled physical locations for records

We retain personal information only for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, or resolve disputes. Health records are retained in accordance with applicable state and federal requirements.

Our website is intended for use by parents, guardians, and caregivers of children who may receive ABA therapy services. We do not knowingly collect personal information directly from children under the age of 13.

Information about minors receiving ABA services (such as name, date of birth, and diagnosis) is collected from parents or legal guardians during the intake process and is handled in accordance with HIPAA, the Children's Online Privacy Protection Act (COPPA), and applicable state laws.

If you believe we have inadvertently collected information from a child under 13 without proper parental consent, please contact us immediately so we can take appropriate action.

We respect browser "Do Not Track" (DNT) signals where technically feasible and comply with the National Do-Not-Call Registry and applicable state Do-Not-Call laws. If you ask us not to contact you, we will honor your request promptly.

Some third-party analytics and advertising platforms used on our site may not respond to DNT signals. You can manage your preferences through the opt-out tools described in Section 7.

Depending on your state of residence, you may have additional rights regarding your personal information:

Arizona residents have rights under state data breach notification law. If your personal information is involved in a security breach, we will notify you in accordance with A.R.S. § 18-552.

North Carolina residents are protected under the Identity Theft Protection Act (N.C.G.S. § 75-61 et seq.) and are entitled to notification in the event of a data breach involving their personal information.

Under the Utah Consumer Privacy Act (UCPA), Utah residents may have the right to access, delete, and obtain a copy of their personal data, as well as opt out of the sale of personal data or targeted advertising. To exercise these rights, contact us using the information below.

Under the Colorado Privacy Act (CPA), Colorado residents may have the right to access, correct, delete, and obtain a portable copy of their personal data. You may also opt out of the sale of personal data, targeted advertising, and certain profiling. To exercise these rights, contact us below.

Residents of states where we operate may have additional privacy rights under emerging state privacy legislation. We are committed to complying with applicable privacy laws in every state where we provide services. Contact us with any state-specific questions.

To exercise any state-specific privacy right, please contact us at [email protected] or by phone. We will respond to verified requests within the timeframe required by applicable law.

Regardless of where you live, you may:

• Access the personal information we hold about you
• Correct inaccurate personal information
• Request deletion of your personal data (subject to legal retention requirements)
• Withdraw consent for marketing communications at any time
• Opt out of targeted advertising by adjusting cookie settings or using the opt-out links in Section 7

For requests related to Protected Health Information, please refer to our Notice of Privacy Practices or contact our Privacy Officer.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will update the "Effective Date" at the top of this page. We encourage you to review this policy periodically.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

Treetop ABA Therapy — Privacy Inquiries

Email: [email protected]

Phone: (855) 800-9361

Mailing Address:
Treetop ABA Therapy
3048 East Baseline Road, STE 101
Mesa, Arizona 85204

© 2026 Treetop ABA Therapy. All rights reserved.