Product Privacy Policy
Effective Date: February 20, 2026
This Platform Privacy & Data Processing Policy (“Policy”) applies to ABA Matrix’s software products and services, including the ABA Matrix platform and related applications and services (collectively, the “Platform”).
This Policy describes how ABA Matrix (“ABA Matrix,” “we,” “us,” “our”) collects, receives, uses, stores, shares, transfers, and processes information in connection with the Platform, and the rights that may apply.
ABA Matrix maintains a separate privacy policy for our public website. Website activity is governed by our ABA Matrix Website Privacy Policy.
1. Our Role and Relationship to Individuals
ABA Matrix provides software used by organizations (“Customers”) such as ABA agencies and healthcare providers to manage clinical and operational workflows.
- Data Controller / Covered Entity: Our Customers determine what information is entered into the Platform and how it is used for their operations and patient care.
- Processor / Service Provider / Business Associate: ABA Matrix processes information on behalf of Customers to provide the Platform.
ABA Matrix generally has no direct relationship with patients/clients whose information is entered into the Platform by a Customer. If you are a patient/client and have questions about your data, please contact your provider organization directly.
2. PHI and HIPAA
The Platform may process information that qualifies as Protected Health Information (“PHI”) under HIPAA when Customers use the Platform for healthcare operations.
When ABA Matrix processes PHI on behalf of a Customer, ABA Matrix does so under applicable agreements (including a Business Associate Agreement (“BAA”) where required) and applicable law. ABA Matrix uses and discloses PHI only as permitted by the BAA and applicable law.
3. Information Processed Through the Platform
The categories of information processed depend on Customer configurations and use. Customers may enter or generate:
- Patient/client identifiers and demographics
- Clinical records, notes, treatment plans, outcomes and progress data
- Scheduling and service delivery information
- Billing/claims and insurance-related information
- Communications and uploaded files (as configured by Customers)
- Customer workforce/employee data (user accounts, roles, activity)
Platform Usage and Technical Data (Automatically Collected)
We may collect:
- Log data (IP address, timestamps, login events, device/browser metadata)
- Security and audit logs
- Performance and diagnostic data
- Session identifiers (cookies or similar technologies required for Platform function)
4. How We Use Platform Information
We use Platform information to:
- Provide, maintain, and secure the Platform
- Authenticate users and manage access
- Provide customer support and troubleshoot issues
- Monitor performance, reliability, and feature usage
- Detect, prevent, and respond to security incidents, fraud, or abuse
- Meet legal, compliance, and contractual obligations
We do not sell Platform data.
We do not use PHI for advertising or marketing.
5. Sharing and Disclosure
We may share Platform information as follows:
A. Subprocessors / Service Providers
We may engage vetted third-party service providers (e.g., cloud hosting, infrastructure, monitoring, and support tools) to assist in operating and securing the Platform. These providers are contractually required to safeguard information and use it only in accordance with our instructions and applicable agreements.
A current list of significant subprocessors and infrastructure providers is available through the ABA Matrix Trust Center. Customers may review this information for transparency regarding our service provider ecosystem.
Where PHI is involved, required HIPAA assurances (including BAAs, as applicable) are maintained.
B. Legal and Safety
We may disclose information if required to comply with law or legal process, or to protect rights, safety, and security, consistent with applicable requirements.
C. Corporate Transactions
If ABA Matrix is involved in a merger, acquisition, reorganization, or sale, information may be transferred as part of that transaction, subject to appropriate safeguards.
6. Data Retention and Customer Data Return/Deletion
ABA Matrix retains Customer Platform data:
- For the duration of the Customer relationship, and
- As needed for legal, compliance, dispute resolution, audit, and security purposes.
Upon contract termination, Customers are responsible for exporting their data. ABA Matrix will retain Customer data for up to 60 days after termination to support export and account closure, unless:
- A longer period is required by law, legal hold, or regulatory obligation, or
- A longer period is agreed in writing, or
- Secure deletion is required sooner per contract.
After the retention window (and absent legal requirements), ABA Matrix will delete or de-identify Customer data in accordance with contractual and legal obligations.
7. Individual Rights Requests
Patients/clients and end users should direct requests to access, correct, amend, or delete information to the applicable Customer organization (the data controller / covered entity).
Where applicable state privacy laws (such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act) apply, ABA Matrix will assist Customers in responding to verified requests in accordance with applicable law and contractual obligations.
If ABA Matrix receives a request directly, we may route the request to the relevant Customer and assist as required by contract and law.
8. Security Safeguards
ABA Matrix maintains administrative, technical, and physical safeguards designed to protect Platform data, consistent with industry practices and applicable HIPAA Security Rule requirements. Safeguards may include:
- Encryption in transit (e.g., TLS)
- Encryption at rest (where applicable)
- Role-based access controls and least privilege
- Audit logging and monitoring
- Vulnerability and patch management processes
- Incident response procedures
- Vendor risk management controls
No system can be guaranteed 100% secure.
9. Cookies and Similar Technologies in the Platform
The Platform uses cookies or similar technologies necessary for authentication, session management, and Platform functionality. These are not used to sell PHI or for third-party advertising within the authenticated Platform environment.
10. Artificial Intelligence
If ABA Matrix offers AI-enabled features, those features will be governed by applicable contract terms and documentation. ABA Matrix will not use Customer PHI to train public or generalized AI models unless explicitly authorized by the Customer in writing and permitted by applicable law.
11. International Data Transfers
ABA Matrix primarily operates in the United States. If information is processed outside the U.S., we apply appropriate safeguards consistent with contractual and legal requirements.
12. Changes to This Policy
We may update this Policy from time to time. Updates will be posted with a revised effective date.
13. Contact Us
- Privacy questions: privacy@abamatrix.com
- Customer support: customer@abamatrix.com
- Security inquiries: security@abamatrix.com
- Phone: +1 (888) 383-4630