Healthcare Enterprise Privacy Policy

    Last Updated: March 2026

    Thank you for using the Cima Growth Solutions LLC platform, including our website, mobile applications, software, and related services (collectively, the "Services"). This Privacy Policy ("Policy") explains how Cima Growth Solutions LLC ("Cima," "Company," "we," "us," or "our") collects, uses, discloses, and safeguards information when providing a healthcare-focused SaaS platform.

    This Policy is designed to meet the expectations of healthcare organizations, enterprise buyers, and regulators.

    By accessing or using the Services, you acknowledge that you have read and understood this Policy.

    1. Scope of This Policy

    This Policy applies to information collected:

    • Through www.cimagrowth.com and related domains
    • Through Cima-branded mobile applications
    • Through email, SMS, voice, and in-app communications
    • Through forms, CRM workflows, AI-assisted tools, and integrations
    • Through the GrowthOS mobile application available on the Apple App Store and Google Play Store

    This Policy does not apply to third-party websites or services accessed through integrations or links. Their privacy practices are governed by their own policies.

    2. Healthcare Data, PHI, and HIPAA

    Cima is a technology platform provider and does not provide medical care or clinical services.

    Business Associate Role

    In certain configurations, the Services may process Protected Health Information (PHI) on behalf of healthcare providers ("Covered Entities") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). In those circumstances:

    • Cima acts solely as a Business Associate
    • Processing of PHI is governed by a separate Business Associate Agreement (BAA)
    • PHI is used only to provide contracted services and for no other purpose

    No BAA, No PHI

    If a BAA is not in place, users must not submit PHI into the Services. Cima is not responsible for PHI submitted outside an executed BAA.

    No PHI for Advertising or AI Training

    3. Information We Collect

    A. Information You Provide

    • Identifiers: Name, email, phone number, organization, job title, username
    • Account Data: Login credentials, preferences, permissions
    • Transaction Data: Billing details processed via PCI-compliant processors (e.g., Stripe)
    • User Content: Data submitted through forms, CRM records, messages, and uploads
    • Communications: Support requests, calls, emails, and chat records

    B. Information Collected Automatically

    • Device & Network Data: IP address, browser type, OS, device identifiers
    • Usage Data: Pages viewed, features used, timestamps, interaction logs
    • Cookies & Similar Technologies: Cookies, pixels, SDKs, local storage
    • Location Data: Approximate or precise location if enabled

    C. Information from Third Parties

    • Advertising and analytics platforms (e.g., Google, Meta)
    • Public or professional data sources
    • Authorized integrations (e.g., Zapier, Twilio, Mailgun)

    4. How We Use Information

    We use information to:

    • Provide, operate, and maintain the Services
    • Configure workflows and automations
    • Process payments and provide support
    • Communicate service-related and promotional messages
    • Perform analytics, security monitoring, and fraud prevention
    • Improve platform functionality

    AI and Automated Tools

    Certain features may use AI-assisted or automated processing to support messaging, workflow optimization, or analytics. These tools:

    • Do not provide medical advice, diagnoses, or treatment recommendations
    • Are configurable by the customer
    • Operate under strict data access controls

    5. Legal Bases for Processing (EEA/UK)

    Where applicable, we process data based on:

    • Consent
    • Contractual necessity
    • Legal obligations
    • Legitimate interests, including platform security and improvement

    6. Sharing and Disclosure

    We may share information with:

    • Service Providers & Subprocessors: Hosting, communications, payments, analytics
    • Affiliates: Under common ownership
    • Legal Authorities: As required by law
    • Business Transfers: Mergers, acquisitions, or asset sales
    • With Consent: As directed by the customer

    Cima does not sell PHI, phone numbers, or SMS opt-in consent.

    A current list of subprocessors is available upon request.

    7. Advertising & Tracking

    Cima may use standard analytics and advertising tools for its own marketing. Healthcare customer data and PHI are never used for advertising, retargeting, or audience modeling.

    Users may opt out of non-essential tracking via browser settings or industry opt-out tools.

    8. Your Rights and Choices

    Depending on jurisdiction, you may have rights to:

    • Access, correct, or delete personal data
    • Restrict or object to processing
    • Opt out of targeted advertising or profiling

    Requests may be submitted using the contact information below.

    Account Deletion

    You may request deletion of your account and associated personal data through any of the following methods:

    • Use the "Delete Account" option available in App Settings within the GrowthOS mobile application
    • Send an email to support@cimagrowth.com with the subject line "Account Deletion Request"
    • Call us at +1-484-480-9296

    Upon receiving a verified account deletion request, we will process the deletion within 30 calendar days. During this period, your account will be deactivated. Once deleted, your personal data will be permanently removed from our active systems.

    We may retain certain information beyond the 30-day deletion period only where required by legal or contractual obligations (e.g., tax records, regulatory compliance). Healthcare customers operating under an executed Business Associate Agreement (BAA) are subject to the data retention terms specified in that agreement, which may require longer retention of certain records to comply with HIPAA and applicable healthcare regulations.

    9. U.S. State Privacy Rights

    Cima honors applicable state privacy laws, including but not limited to:

    • California (CCPA/CPRA)
    • Virginia, Colorado, Connecticut, Utah
    • Other U.S. states as laws come into effect

    Sensitive Personal Information is handled in accordance with applicable law.

    10. Children's Privacy

    The Services are not intended for children under 13 (or under 16 where required by law). We do not knowingly collect children's data.

    11. Data Retention

    Data is retained only as long as necessary for:

    • Contractual obligations
    • Legal compliance
    • Security and dispute resolution

    When no longer required, data is securely deleted or anonymized.

    12. Data Security

    Cima maintains administrative, technical, and physical safeguards including encryption, access controls, and monitoring. No system is completely secure.

    13. International Transfers

    Data may be processed in the United States or other jurisdictions with appropriate safeguards.

    14. Terms of Use

    Use of the Services is subject to our Terms of Use.

    15. Mobile Application Privacy

    This section applies specifically to the GrowthOS mobile application available on the Apple App Store and Google Play Store.

    A. Data Collected by the App

    In addition to the data described elsewhere in this Policy, the GrowthOS mobile application may collect:

    • Device tokens for push notification delivery
    • Device information (model, operating system version, unique device identifiers)
    • Crash data and performance diagnostics
    • Push notification preferences and interaction data

    B. Push Notifications

    The GrowthOS app may send push notifications to keep you informed about:

    • New patient or client inquiries
    • Upcoming and updated appointments
    • Messages and internal communications
    • System updates and important alerts

    You can manage or disable push notifications at any time through your device Settings. Disabling push notifications does not affect other app functionality.

    C. App Tracking and Advertising

    The GrowthOS mobile application does not engage in advertising tracking. Specifically:

    • We do not use advertising tracking or interest-based advertising within the app
    • We do not perform cross-app tracking or cross-site tracking
    • We do not access or use the Apple Identifier for Advertisers (IDFA) or equivalent Android advertising identifiers
    • We do not share any user data with advertising networks or data brokers

    We may collect anonymized, aggregate analytics data solely to improve app performance and user experience. This data cannot be used to identify individual users.

    D. Third-Party SDKs and Services

    The GrowthOS mobile application integrates the following third-party services:

    Service                          | Purpose                                    | Data Accessed
    ---------------------------------|--------------------------------------------|-----------------------------------
    Supabase                         | Backend infrastructure and authentication  | Account credentials, user data
    OpenAI                           | AI-powered chatbot and workflow assistance | User messages (no PHI transmitted)
    Twilio                           | SMS and voice communications               | Phone numbers, message content
    Stripe                           | Payment processing (PCI DSS compliant)     | Payment information (tokenized)
    Apple Push Notification Service  | iOS push notifications                     | Device token only
    Firebase Cloud Messaging         | Android push notifications                 | Device token only

    E. Data Storage and Security

    The GrowthOS mobile application employs the following security measures:

    • All data transmitted between the app and our servers is encrypted using TLS 1.2 or higher
    • Sensitive credentials are stored using iOS Keychain (Apple devices) or Android Keystore (Android devices)
    • No Protected Health Information (PHI) is stored locally on the device
    • Biometric authentication (Face ID, Touch ID, fingerprint) is processed entirely on-device and is never transmitted to our servers

    F. Offline Access

    The GrowthOS app may provide limited offline access to certain non-sensitive, cached data. All locally cached data is encrypted and is automatically cleared when you sign out of the application. No PHI or sensitive personal data is available offline.

    16. Contact Information

    Cima Growth Solutions LLC
    3467 Trexler Blvd
    Allentown, PA 18104
    Phone: +1-484-480-9296
    Email: support@cimagrowth.com


    Business Associate Agreement (BAA)

    This Business Associate Agreement ("Agreement") is entered into by and between ("Business Associate") and the healthcare customer executing this Agreement ("Covered Entity"). This Agreement is effective as of the date it is executed by the parties.

    1. Purpose

    This Agreement is intended to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the Privacy Rule, Security Rule, and HITECH Act, and governs the use and disclosure of Protected Health Information ("PHI") by Business Associate.

    2. Definitions

    All capitalized terms not defined herein have the meanings set forth in HIPAA.

    3. Permitted Uses and Disclosures

    Business Associate may use or disclose PHI solely to:

    • Perform services for Covered Entity as defined in the applicable services agreement
    • Support platform functionality, troubleshooting, and security
    • Comply with legal obligations

    Business Associate shall not use PHI for advertising, marketing, or generalized AI training.

    4. Safeguards

    Business Associate shall:

    • Implement administrative, technical, and physical safeguards
    • Protect against unauthorized access, use, or disclosure
    • Ensure workforce compliance with HIPAA obligations

    5. Subcontractors

    Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI agrees in writing to equivalent HIPAA protections.

    6. Reporting

    Business Associate shall report to Covered Entity:

    • Any use or disclosure not permitted by this Agreement
    • Any Security Incident or Breach of Unsecured PHI without unreasonable delay

    7. Access and Amendment

    To the extent required by HIPAA, Business Associate shall:

    • Provide access to PHI
    • Amend PHI
    • Incorporate amendments as directed by Covered Entity

    8. Accounting of Disclosures

    Business Associate shall make information available as necessary to provide an accounting of disclosures.

    9. Term and Termination

    This Agreement remains in effect until terminated. Covered Entity may terminate for material breach if not cured within a reasonable time.

    Upon termination, Business Associate shall return or destroy PHI where feasible.

    10. Compliance with HIPAA

    Business Associate agrees to comply with applicable provisions of HIPAA and HITECH.

    11. Indemnification

    Each party shall be responsible for its own violations of HIPAA and applicable law.

    12. Survival

    The obligations relating to PHI survive termination of this Agreement.

    13. Miscellaneous

    This Agreement is governed by the laws specified in the underlying services agreement. This Agreement may be executed electronically.
