Healthcare Enterprise Privacy Policy

    Last Updated: May 2026

    Thank you for using the Cima Growth Solutions LLC platform, including our website, mobile applications, software, and related services (collectively, the "Services"). This Privacy Policy ("Policy") explains how Cima Growth Solutions LLC ("Cima," "Company," "we," "us," or "our") collects, uses, discloses, and safeguards information when providing a healthcare-focused SaaS platform.

    This Policy is designed to meet the expectations of healthcare organizations, enterprise buyers, and regulators.

    By accessing or using the Services, you acknowledge that you have read and understood this Policy.

    1. Scope of This Policy

    This Policy applies to information collected:

    • Through www.cimagrowth.com and related domains
    • Through Cima-branded mobile applications
    • Through email, SMS, voice, and in-app communications
    • Through forms, CRM workflows, AI-assisted tools, and integrations
    • Through the GrowthOS mobile application available on the Apple App Store and Google Play Store

    This Policy does not apply to third-party websites or services accessed through integrations or links. Their privacy practices are governed by their own policies.

    2. Healthcare Data, PHI, and HIPAA

    Cima is a technology platform provider and does not provide medical care or clinical services.

    Business Associate Role

    In certain configurations, the Services may process Protected Health Information (PHI) on behalf of healthcare providers ("Covered Entities") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). In those circumstances:

    • Cima acts solely as a Business Associate
    • Processing of PHI is governed by a separate Business Associate Agreement (BAA)
    • PHI is used only to provide contracted services and for no other purpose

    No BAA, No PHI

    If a BAA is not in place, users must not submit PHI into the Services. Cima is not responsible for PHI submitted outside an executed BAA.

    No PHI for Advertising or AI Training

    3. Information We Collect

    A. Information You Provide

    • Identifiers: Name, email, phone number, organization, job title, username
    • Account Data: Login credentials, preferences, permissions
    • Transaction Data: Billing details processed via PCI-compliant processors (e.g., Stripe)
    • User Content: Data submitted through forms, CRM records, messages, and uploads
    • Communications: Support requests, calls, emails, and chat records

    B. Information Collected Automatically

    • Device & Network Data: IP address, browser type, OS, device identifiers
    • Usage Data: Pages viewed, features used, timestamps, interaction logs
    • Cookies & Similar Technologies: Cookies, pixels, SDKs, local storage
    • Location Data: Approximate or precise location if enabled

    C. Information from Third Parties

    • Advertising and analytics platforms (e.g., Google, Meta)
    • Public or professional data sources
    • Authorized integrations (e.g., Zapier, Twilio, Mailgun)

    4. How We Use Information

    We use information to:

    • Provide, operate, and maintain the Services
    • Configure workflows and automations
    • Process payments and provide support
    • Communicate service-related and promotional messages
    • Perform analytics, security monitoring, and fraud prevention
    • Improve platform functionality

    AI and Automated Tools

    Certain features may use AI-assisted or automated processing to support messaging, workflow optimization, or analytics. These tools:

    • Do not provide medical advice, diagnoses, or treatment recommendations
    • Are configurable by the customer
    • Operate under strict data access controls

    5. Legal Bases for Processing (EEA/UK)

    Where applicable, we process data based on:

    • Consent
    • Contractual necessity
    • Legal obligations
    • Legitimate interests, including platform security and improvement

    6. Sharing and Disclosure

    We may share information with:

    • Service Providers & Subprocessors: Hosting, communications, payments, analytics
    • Affiliates: Under common ownership
    • Legal Authorities: As required by law
    • Business Transfers: Mergers, acquisitions, or asset sales
    • With Consent: As directed by the customer

    Cima does not sell or share PHI, phone numbers, or SMS opt-in consent with third parties or affiliates for marketing or promotional purposes. See Section 21 for full SMS terms.

    A current list of subprocessors is available upon request.

    7. Advertising & Tracking

    Cima may use standard analytics and advertising tools for its own marketing. Healthcare customer data and PHI are never used for advertising, retargeting, or audience modeling.

    Users may opt out of non-essential tracking via browser settings or industry opt-out tools.

    8. Your Rights and Choices

    Depending on jurisdiction, you may have rights to:

    • Access, correct, or delete personal data
    • Restrict or object to processing
    • Opt out of targeted advertising or profiling

    Requests may be submitted using the contact information below.

    Account Deletion

    You may request deletion of your account and associated personal data through any of the following methods:

    • Use the "Delete Account" option available in App Settings within the GrowthOS mobile application
    • Send an email to support@cimagrowth.com with the subject line "Account Deletion Request"
    • Call us at +1-484-480-9296

    Upon receiving a verified account deletion request, we will process the deletion within 30 calendar days. During this period, your account will be deactivated. Once deleted, your personal data will be permanently removed from our active systems.

    We may retain certain information beyond the 30-day deletion period only where required by legal or contractual obligations (e.g., tax records, regulatory compliance). Healthcare customers operating under an executed Business Associate Agreement (BAA) are subject to the data retention terms specified in that agreement, which may require longer retention of certain records to comply with HIPAA and applicable healthcare regulations.

    9. U.S. State Privacy Rights

    Cima honors applicable state privacy laws, including but not limited to:

    • California (CCPA/CPRA)
    • Virginia, Colorado, Connecticut, Utah
    • Other U.S. states as laws come into effect

    Sensitive Personal Information is handled in accordance with applicable law.

    10. Children's Privacy

    The Services are not intended for children under 13 (or under 16 where required by law). We do not knowingly collect children's data.

    11. Data Retention

    Data is retained only as long as necessary for:

    • Contractual obligations
    • Legal compliance
    • Security and dispute resolution

    When no longer required, data is securely deleted or anonymized.

    12. Data Security

    Cima maintains administrative, technical, and physical safeguards including encryption, access controls, and monitoring. No system is completely secure.

    13. International Transfers

    Data may be processed in the United States or other jurisdictions with appropriate safeguards.

    14. Terms of Use

    Use of the Services is subject to our Terms of Use.

    15. Mobile Application Privacy

    This section applies specifically to the GrowthOS mobile application available on the Apple App Store and Google Play Store.

    A. Data Collected by the App

    In addition to the data described elsewhere in this Policy, the GrowthOS mobile application may collect:

    • Device tokens for push notification delivery
    • Device information (model, operating system version, unique device identifiers)
    • Crash data and performance diagnostics
    • Push notification preferences and interaction data

    B. Push Notifications

    The GrowthOS app may send push notifications to keep you informed about:

    • New patient or client inquiries
    • Upcoming and updated appointments
    • Messages and internal communications
    • System updates and important alerts

    You can manage or disable push notifications at any time through your device Settings. Disabling push notifications does not affect other app functionality.

    C. App Tracking and Advertising

    The GrowthOS mobile application does not engage in advertising tracking. Specifically:

    • We do not use advertising tracking or interest-based advertising within the app
    • We do not perform cross-app tracking or cross-site tracking
    • We do not access or use the Apple Identifier for Advertisers (IDFA) or equivalent Android advertising identifiers
    • We do not share any user data with advertising networks or data brokers

    We may collect anonymized, aggregate analytics data solely to improve app performance and user experience. This data cannot be used to identify individual users.

    D. Third-Party SDKs and Services

    The GrowthOS mobile application integrates the following third-party services:

    • Supabase: Backend infrastructure and authentication. Data accessed: Account credentials, user data
    • OpenAI: AI-powered chatbot and workflow assistance. Data accessed: User messages (no PHI transmitted)
    • Twilio: SMS and voice communications. Data accessed: Phone numbers, message content
    • Stripe: Payment processing (PCI DSS compliant). Data accessed: Payment information (tokenized)
    • Apple Push Notification Service: iOS push notifications. Data accessed: Device token only
    • Firebase Cloud Messaging: Android push notifications. Data accessed: Device token only

    E. Data Storage and Security

    The GrowthOS mobile application employs the following security measures:

    • All data transmitted between the app and our servers is encrypted using TLS 1.2 or higher
    • Sensitive credentials are stored using iOS Keychain (Apple devices) or Android Keystore (Android devices)
    • No Protected Health Information (PHI) is stored locally on the device
    • Biometric authentication (Face ID, Touch ID, fingerprint) is processed entirely on-device and is never transmitted to our servers

    F. Offline Access

    The GrowthOS app may provide limited offline access to certain non-sensitive, cached data. All locally cached data is encrypted and is automatically cleared when you sign out of the application. No PHI or sensitive personal data is available offline.

    16. Meta Platform (Facebook, Instagram, WhatsApp)

    When a clinic connects their Meta account to our Services for advertising purposes, we use Meta's Facebook Login for Business flow and request the following permissions. For each permission we describe what we access, why, and how long we retain it.

    • ads_management, ads_read — we create, manage, and read ad campaigns, ad sets, creatives, and performance insights for the ad account you select, so our platform can publish campaigns on your behalf and show you analytics. Retained while your connection is active.
    • business_management — we identify the Meta Business Manager assets you have access to so you can select the correct ad account and Facebook Page.
    • pages_show_list — we list the Facebook Pages you manage so you can choose which Page your ads will run from. Every Meta ad must reference a Page.
    • pages_read_engagement — we read Page engagement metrics to inform ad targeting and reporting.
    • instagram_basic — we identify the Instagram Business account, if any, linked to your Page so we can serve ads to Instagram placements.
    • whatsapp_business_management, whatsapp_business_messaging — used only for Click-to-WhatsApp advertising features when you explicitly enable them; we read WhatsApp Business Account metadata and phone number status to enable this ad format.

    We store the Facebook user ID of the person who authorized the connection, long-lived access tokens (encrypted at rest), the selected ad account ID, Facebook Page ID, and Instagram Business account ID (if applicable). We do not access, store, or process any Meta user's personal content (messages, posts, photos) beyond what is strictly necessary to operate the ad features you enable.

    17. Google Services

    When a customer connects their Google account to our Services for Gmail, Google Calendar, Google Ads, or Google Business Profile features, we request only the OAuth scopes necessary for the feature being used. This section describes our practices for Google user data in detail.

    Limited Use Disclosure

    Cima Growth Solutions' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

    Specifically, with respect to data obtained through Google APIs, Cima Growth Solutions:

    1. Will only use access to Gmail message bodies, attachments, metadata, headers, and settings, and to Google Calendar events, to provide or improve user-facing features that are prominent in the GrowthOS user interface — specifically inbound email reading for lead discovery and patient conversation surfacing, and consultation scheduling.
    2. Will not transfer Google user data to others except as necessary to provide or improve these user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to the affected user.
    3. Will not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
    4. Will not allow human personnel to read Google user data unless (a) the user has given explicit consent for specific messages, (b) it is necessary for security purposes (such as investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operational purposes.

    Google OAuth Scopes We Request

    We request the following OAuth scopes only when a customer explicitly connects the corresponding feature in GrowthOS. A customer may grant any subset of these scopes; declining one scope only disables the corresponding feature and does not affect other parts of the platform.

    • openid, userinfo.email, userinfo.profile (Basic tier). What we access: Your Google account email, name, and profile photo. Why we need it: To identify the connected Google account and display your name and photo within the application.
    • gmail.readonly (Restricted tier). What we access: Read-only access to your Gmail inbox messages and metadata. Why we need it: To surface inbound patient and prospective lead emails inside GrowthOS conversations (the "Lead Discovery" feature), so your team can respond from one place instead of switching between Gmail and GrowthOS. We do not send email through Gmail (outbound email is sent through SendGrid from your verified domain) and we do not modify, label, or delete any Gmail messages.
    • calendar.readonly (Sensitive tier). What we access: Read-only access to your calendar list and free/busy data. Why we need it: To detect when you are available for patient consultations and avoid scheduling conflicts.
    • calendar.events (Sensitive tier). What we access: Read and write access to events on your calendar. Why we need it: To create patient consultation appointments on your Google Calendar, update events when patients reschedule, and remove events when patients cancel.
    • adwords (Google Ads API) (Sensitive tier). What we access: Your Google Ads campaign, ad group, and performance data. Why we need it: To create and manage Google Ads campaigns on behalf of your clinic, when you enable the AI Ads feature.

    What We Do With Google User Data

    • Storage: OAuth refresh tokens are encrypted at rest in our database (Supabase, US region) using industry-standard encryption. Gmail message content accessed through the Gmail API is stored only insofar as it appears in a corresponding GrowthOS conversation thread (the same way a SendGrid-delivered email body is stored), so your team can read it inside our platform. Calendar event data is stored as a GrowthOS appointment record.
    • Processing: Limited to the user-facing features described above. Where AI classification is applied to inbound email (for example, to detect unsubscribe requests or auto-replies), the email content is sent to the Anthropic Claude API for classification and is not used by Anthropic to train its models under our enterprise API terms.
    • Retention: Google user data and OAuth tokens are retained for the duration of your active GrowthOS subscription plus 30 days after cancellation or disconnection, after which all tokens are revoked and associated data is deleted.
    • Sharing: We do not sell Google user data. We do not share Google user data with third parties except for the specific subprocessors required to deliver the user-facing feature (for example, Anthropic for classification, Supabase for storage), each of which is listed in Section 18 and bound by contractual confidentiality and security obligations.
    • AI / Machine Learning: Google user data is not used to train any AI or machine-learning models, whether by Cima Growth Solutions or by our subprocessors.

    How to Revoke Access or Request Deletion

    You can revoke our access to your Google account at any time:

    1. Visit https://myaccount.google.com/permissions
    2. Find "GrowthOS" in the list of connected applications
    3. Click "Remove access"

    When you revoke access, our systems will detect the revocation on next use and remove the corresponding tokens from our database. To request deletion of any associated data already processed, email privacy@cimagrowth.com and we will complete deletion within 30 days, subject to the legal and contractual retention exceptions described in Sections 8 and 11.

    18. Third-Party Service Providers

    We use the following third-party service providers (subprocessors) to operate the Services. A current list is available on request to privacy@cimagrowth.com and includes, at the time this Policy was last updated:

    • Supabase — database, authentication, storage, and serverless function hosting
    • Anthropic — Claude large-language-model API for AI features; inputs are not used to train Anthropic's models under our API terms
    • Google (Google Cloud, Vertex AI) — Gemini API for specific text-generation tasks
    • SendGrid — transactional and marketing email delivery
    • Twilio — SMS and voice messaging infrastructure
    • Whop, GoHighLevel, Stripe — billing and subscription management
    • Meta Platforms, Google — advertising delivery and measurement, when a customer connects those platforms

    We require each subprocessor to provide appropriate contractual protections and technical safeguards, including Business Associate Agreements where the subprocessor will handle protected health information.

    19. Data Deletion

    You can request deletion of your information at any time:

    1. For your Cima Growth Solutions account, email privacy@cimagrowth.com from the address on file. We will verify your identity and complete the deletion within 30 days.
    2. For Meta Platform data specifically, remove our application from Facebook Business Integrations, or use Facebook's data deletion option in your account settings. When you do, our systems will automatically receive a signed request from Meta, delete your Facebook user ID, access tokens, and selected account information, and return a confirmation code you can use to verify the status of your deletion.
    3. For information held by a clinic customer about you as a patient, contact the clinic directly. The clinic is the data controller of that information under HIPAA and applicable state laws.

    20. Cookies and Tracking Technologies

    We use strictly necessary cookies for login sessions and security; these cannot be disabled without breaking core functionality. We use analytics and marketing cookies only with your consent. On your first visit you will be asked to accept all, reject all, or customize your choices; you can change those preferences at any time by clicking Cookie Preferences in the site footer. We honor the Global Privacy Control (GPC) signal where legally required — when your browser sends GPC we automatically reject non-essential cookies without prompting.

    21. SMS and Text Messaging Communications

    This section describes how Cima Growth Solutions collects, uses, and protects phone numbers and SMS consent information.

    A. How We Collect SMS Consent

    Phone numbers are collected when a visitor submits a form on cimagrowth.com (including the contact form at cimagrowth.com/contact) and affirmatively checks an unchecked-by-default SMS consent checkbox. The checkbox is displayed separately from any email or newsletter opt-in. Consent is never a condition of purchase or service.

    B. How We Use Phone Numbers and SMS Consent

    We use phone numbers submitted through SMS opt-in solely to send:

    • Consultation scheduling confirmations
    • Follow-up communications after discovery calls
    • GrowthOS platform onboarding updates

    Message frequency is up to four messages per recipient per month. Message and data rates may apply.

    C. SMS Opt-Out

    Recipients may reply STOP to any message to immediately and permanently opt out of all SMS communications. Replying HELP returns customer support contact information. All opt-out requests are honored in real time and the phone number is added to an internal suppression list.

    D. Sharing of Phone Numbers and SMS Consent

    Phone numbers and SMS opt-in consent information are NOT shared with any third parties or affiliates for marketing or promotional purposes under any circumstances. This includes, without limitation, lead-generation partners, advertising networks, data brokers, and affiliate marketers.

    Phone numbers may be shared only with the subprocessors strictly required to deliver SMS messages (e.g., Twilio for SMS infrastructure), each of which is contractually bound to use the information only to deliver our messages and not for any other purpose.

    E. SMS Consent Records

    We maintain records of SMS consent including the date, time, IP address, opt-in source URL, and exact consent language presented at the time of opt-in, in accordance with TCPA and CTIA requirements.

    22. Contact Information

    Cima Growth Solutions LLC
    3467 Trexler Blvd
    Allentown, PA 18104
    Phone: +1-484-480-9296
    Email: support@cimagrowth.com


    Business Associate Agreement (BAA)

    This Business Associate Agreement ("Agreement") is entered into by and between ("Business Associate") and the healthcare customer executing this Agreement ("Covered Entity"). This Agreement is effective as of the date it is executed by the parties.

    1. Purpose

    This Agreement is intended to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the Privacy Rule, Security Rule, and HITECH Act, and governs the use and disclosure of Protected Health Information ("PHI") by Business Associate.

    2. Definitions

    All capitalized terms not defined herein have the meanings set forth in HIPAA.

    3. Permitted Uses and Disclosures

    Business Associate may use or disclose PHI solely to:

    • Perform services for Covered Entity as defined in the applicable services agreement
    • Support platform functionality, troubleshooting, and security
    • Comply with legal obligations

    Business Associate shall not use PHI for advertising, marketing, or generalized AI training.

    4. Safeguards

    Business Associate shall:

    • Implement administrative, technical, and physical safeguards
    • Protect against unauthorized access, use, or disclosure
    • Ensure workforce compliance with HIPAA obligations

    5. Subcontractors

    Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI agrees in writing to equivalent HIPAA protections.

    6. Reporting

    Business Associate shall report to Covered Entity:

    • Any use or disclosure not permitted by this Agreement
    • Any Security Incident or Breach of Unsecured PHI without unreasonable delay

    7. Access and Amendment

    To the extent required by HIPAA, Business Associate shall:

    • Provide access to PHI
    • Amend PHI
    • Incorporate amendments as directed by Covered Entity

    8. Accounting of Disclosures

    Business Associate shall make information available as necessary to provide an accounting of disclosures.

    9. Term and Termination

    This Agreement remains in effect until terminated. Covered Entity may terminate for material breach if not cured within a reasonable time.

    Upon termination, Business Associate shall return or destroy PHI where feasible.

    10. Compliance with HIPAA

    Business Associate agrees to comply with applicable provisions of HIPAA and HITECH.

    11. Indemnification

    Each party shall be responsible for its own violations of HIPAA and applicable law.

    12. Survival

    The obligations relating to PHI survive termination of this Agreement.

    13. Miscellaneous

    This Agreement is governed by the laws specified in the underlying services agreement. This Agreement may be executed electronically.
