Privacy Policy
Last updated: June 17, 2026
NextChair (“we”, “us”) provides waitlist and intake software to therapists and clinics (“Practices”). This policy explains how we handle personal information for two groups: the Practices who use NextChair, and the prospective patients who submit intake forms.
1. Our role
For patient health information submitted through a Practice’s intake link, the Practice is the data controller (in the U.S., the “covered entity”) and NextChair acts as its service provider — a Business Associate under HIPAA, and an agent / information manager under Ontario’s PHIPA. We process patient information only on the Practice’s instructions and under a signed agreement.
2. Information we collect
- From patients, via intake forms: name, date of birth, contact details, insurance, guardian details for minors, care preferences, and the consents you provide.
- From Practices: account and profile details, and basic billing metadata (the count of active waitlist patients). Patient health information is never sent to our payment processor.
- Automatically: limited security and audit logs (timestamps, IP addresses, actions taken).
3. How we use it
To operate the waitlist and intake workflow, coordinate openings and referrals at the Practice’s direction, secure the service, meet legal obligations, and bill Practices for usage. We do not sell personal information, and we do not use patient health information for advertising.
4. How we protect it
- Encryption in transit (TLS) and at rest.
- Tenant isolation so one Practice can never access another’s patients.
- Role-based access controls and append-only audit logging.
- Data minimization — we collect only what the workflow needs, and notifications are kept light on health detail.
5. Sharing
We share patient information only as the Practice directs (for example, an approved referral to a colleague), with infrastructure sub-processors bound by equivalent confidentiality and BAA terms, or where required by law.
6. Your rights
Patients can exercise access, correction, and deletion rights through the Practice that collected their information. Depending on your jurisdiction (HIPAA, PHIPA, PIPEDA, GDPR), additional rights may apply. Contact the Practice, or us at privacy@nextchair.co, and we will assist the Practice in responding.
7. Retention
We retain patient information for as long as the Practice maintains its account and as required by applicable law, then delete or de-identify it.
8. Minors
Intakes for minors are completed by a parent or legal guardian, who provides consent on the minor's behalf. We comply with COPPA and, in Canada, applicable provincial requirements. We do not knowingly collect information directly from children, and guardians may review or request deletion of a minor's information through the Practice.
9. Cookies & analytics
We use only essential cookies needed to keep you signed in and to secure the service. We do not use advertising cookies or sell data to advertisers. Any product analytics are limited and never include patient health information.
10. International data transfers
Patient data is stored in the region appropriate to the Practice's jurisdiction (U.S. or Canada). Where data is processed outside your country, we rely on appropriate safeguards (such as standard contractual clauses) and our agreements with sub-processors.
11. Your privacy rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or port your information, and to object to or restrict certain processing — including under HIPAA, PHIPA, PIPEDA, the GDPR, and U.S. state laws such as the CCPA/CPRA. Patients exercise these rights through the Practice that collected their information; we assist the Practice in responding. We do not discriminate against you for exercising your rights.
12. Breach notification
We maintain an incident-response process and will notify the affected Practice without undue delay of any breach of unsecured patient information, supporting the Practice's own notification obligations under HIPAA, PHIPA, and applicable state and provincial law.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to account owners, and the “last updated” date above will be revised.
14. Contact
Questions or requests: privacy@nextchair.co. For data handled on behalf of a Practice, please also contact that Practice as the controller of your information.