Notice of Privacy Practices

Effective: May 13, 2026  ·  Last reviewed: May 13, 2026  ·  Version: 1.0 (draft)

1. Who we are

RehabLookup operates an online directory service that helps individuals and families locate licensed addiction-treatment facilities and related recovery resources across the United States. We are not a treatment provider and do not deliver medical care.

To the extent that information we collect on behalf of treatment-facility partners qualifies as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we act as a Business Associate of those facilities and maintain Business Associate Agreements (BAAs) with the partners and downstream vendors that handle PHI on our behalf.

2. Information we collect

Depending on how you use our service, we may collect:

• Contact information — name, email address, phone number, postal address or ZIP code.
• Treatment-seeking information — the substance or condition you indicate, the treatment level or program type you are interested in, your insurance carrier (if you provide it), and preferences such as gender-specific programs or location.
• Communications — messages you send through our intake forms, the concierge service, or email/SMS replies.
• Technical information — device type, browser, IP address, approximate geolocation, and how you navigate our site, collected through cookies and similar technologies.

You may use much of the site without providing any personally identifying information. We only collect treatment-seeking information when you submit it to us through a form or our concierge intake.

3. How we use your information

We use the information described above for the following purposes:

• Service delivery. Matching you with licensed treatment facilities, connecting you with our concierge advocates, and confirming insurance verification when you request it.
• Communications. Sending you the information you requested, follow-up messages about your inquiry, and account-related notifications (for providers using our platform).
• Operations and improvements. Understanding which features help people find care, diagnosing technical problems, preventing fraud and abuse, and improving the directory.
• Compliance. Meeting our legal, regulatory, and contractual obligations.

We do not sell personal information. We do not use treatment-seeking information for behavioral advertising.

4. When we share your information

We share information only in these limited circumstances:

• With treatment-facility partners you ask us to contact. When you submit an inquiry to a specific facility or request concierge placement, we share the information necessary for that facility to respond to you.
• With service providers under written contract. Including email delivery (Resend), database and hosting (Supabase), site hosting (Vercel), payment processing for facility subscriptions (Stripe), SMS delivery (Twilio), and analytics. These providers may only use your information to provide services to us and are bound by confidentiality, security, and (where required) Business Associate Agreements.
• When required by law. In response to a valid subpoena, court order, or other legal process; to comply with applicable law; or to protect the rights, safety, or property of RehabLookup, our users, or the public.
• In connection with a corporate transaction. Such as a merger, acquisition, or sale of assets — only if the recipient agrees to honor commitments made in this Notice.

Other disclosures, including any use of your treatment-seeking information for purposes not described in this Notice, require your written authorization. You may revoke any authorization you give us at any time, except to the extent we have already acted on it.

5. Your rights regarding your information

You have the following rights regarding information we hold about you. To exercise any of these rights, contact us using the details in section 9.

• Right to access. You may request a copy of the personal information and any PHI we hold about you. We will respond within thirty (30) days, with a possible thirty (30) day extension if needed.
• Right to amend. If you believe information we hold about you is inaccurate or incomplete, you may request that we amend it. We may deny the request in certain limited circumstances and will explain any denial in writing.
• Right to request restrictions. You may ask us to limit how we use or disclose information about you. We are not required to agree to every request, but we will consider each one.
• Right to confidential communications. You may ask us to contact you by alternative means or at an alternative address (for example, by email instead of phone, or at a work address instead of home). We will accommodate reasonable requests.
• Right to an accounting of disclosures. You may request a list of disclosures we have made of PHI about you in the six years prior to your request, other than disclosures for treatment, payment, healthcare operations, or those made with your authorization.
• Right to a paper copy of this Notice. Even if you have received this Notice electronically, you may request a paper copy at any time.

6. How we protect your information

We use a combination of technical, administrative, and physical safeguards to protect your information, including:

• Encryption in transit (HTTPS/TLS) for all traffic between your browser and our service.
• Encryption at rest for stored data, including encrypted database backups.
• Role-based access control, with access to PHI restricted to personnel whose duties require it.
• Audit logging of access to records containing PHI, with regular review.
• Multi-factor authentication for staff accounts that can access sensitive records.
• Written Business Associate Agreements with service providers that handle PHI on our behalf.

No method of transmission or storage is perfectly secure. If we discover a breach of unsecured PHI affecting you, we will notify you and, where required, the U.S. Department of Health & Human Services and the media, in accordance with the HIPAA Breach Notification Rule.

7. Children

Our service is intended for adults aged 18 and over. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

8. Our responsibilities

We are required by law to:

• Maintain the privacy and security of PHI we hold about you;
• Provide you with this Notice and follow the terms currently in effect; and
• Notify you in the event of a breach involving your unsecured PHI, as required by the HIPAA Breach Notification Rule.

We may change the terms of this Notice. Material changes will apply to all information we hold about you, including information collected before the change. We will post the revised Notice on this page and update the "Effective" date above. If you have a service account with us, we will also notify you by email.

9. Contact us / how to file a complaint

If you believe we have violated your privacy rights, you may file a complaint with us using the contact information above. You may also file a complaint with the U.S. Department of Health & Human Services Office for Civil Rights:

• By mail: 200 Independence Avenue SW, Washington, D.C. 20201
• By phone: 1-877-696-6775
• Online: hhs.gov/hipaa/filing-a-complaint

We will not retaliate against you for filing a complaint.

10. Changes to this Notice

This is version 1.0, dated May 13, 2026. A history of material changes will be maintained here once revisions are made. Any prior version may be requested by emailing the privacy contact above.

This Notice is provided as a working draft to comply with our public-facing posting obligations. The final version of this Notice will be reviewed by legal counsel before being finalized. If you spot something that looks wrong or unclear, please email privacy@rehablookup.com.

← Return to RehabLookup home  ·  Privacy Policy  ·  Terms of Service