Privacy and Data Protection Policy
What are the data protection laws in the United States?
Unlike Brazil's LGPD or the European Union's GDPR, the United States does not have a single, comprehensive federal data protection law. Instead, data protection is governed by a patchwork of federal and state laws, each addressing specific sectors, types of data, or categories of individuals. This fragmented approach means that the rules that apply to your data depend on where you live, what type of data is involved, and who is processing it.
At the federal level, key statutes include the Health Insurance Portability and Accountability Act (HIPAA), which protects health information held by covered entities and their business associates; the Children's Online Privacy Protection Act (COPPA), which requires verifiable parental consent before collecting data from children under 13; and Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive trade practices — including failing to honor the promises made in a privacy policy.
At the state level, a growing number of states have enacted comprehensive privacy legislation. California leads with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), which grants consumers rights to access, delete, correct, and opt out of the sale or sharing of their personal information. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and several other states have enacted similar laws, each with its own definitions, thresholds, and enforcement mechanisms.
Who enforces data protection in the United States?
There is no single federal data protection authority equivalent to Brazil's ANPD or the EU's national supervisory authorities. Enforcement is distributed across multiple agencies:
Federal Trade Commission (FTC): the primary federal enforcer of consumer privacy. The FTC brings enforcement actions under Section 5 of the FTC Act against companies that engage in deceptive or unfair data practices, including those that fail to comply with their own privacy policies. The FTC has also issued numerous guidelines on data security, children's privacy, and health data.
Department of Health and Human Services (HHS) — Office for Civil Rights (OCR): enforces HIPAA and investigates complaints related to the privacy and security of protected health information (PHI).
State Attorneys General: each state's attorney general has authority to enforce state privacy laws and, in many cases, federal laws as well. California's Attorney General and the California Privacy Protection Agency (CPPA) jointly enforce the CCPA/CPRA.
California Privacy Protection Agency (CPPA): established by the CPRA in 2020 and fully operational since 2024, the CPPA is the first dedicated state-level privacy enforcement agency in the United States, with rulemaking and enforcement authority over the CCPA/CPRA.
What principles guide U.S. data protection?
Although there is no unified set of federal data protection principles, several recurring themes emerge across federal and state laws, FTC enforcement actions, and industry best practices:
Notice and transparency: organizations must clearly disclose their data collection and processing practices before or at the time of collection.
Purpose limitation: personal information should be collected and used only for the purposes disclosed to the consumer. Using data for materially different purposes requires additional notice or consent.
Data minimization: collect only the personal information reasonably necessary for the disclosed purpose. Both the CCPA/CPRA and the FTC emphasize this principle.
Consumer rights: state privacy laws grant consumers rights including access, deletion, correction, portability, and the right to opt out of the sale or sharing of their personal information.
Security: organizations must implement reasonable administrative, technical, and physical safeguards to protect personal information from unauthorized access, use, or disclosure.
Accountability: organizations should be able to demonstrate compliance with applicable laws and their own published privacy commitments.
Non-discrimination: consumers who exercise their privacy rights may not be discriminated against through denial of service, different pricing, or degraded quality — unless the difference is reasonably related to the value provided by the consumer's data.
These principles, while not codified in a single statute, effectively function as the standards against which the FTC and state regulators evaluate an organization's data practices.
What is sensitive personal information under U.S. law?
The concept of "sensitive" personal information varies by statute, but the general trend is toward heightened protection for certain categories of data:
HIPAA: defines "Protected Health Information" (PHI) as individually identifiable health information created or maintained by a covered entity or business associate. PHI includes medical records, diagnoses, treatment information, lab results, and billing data linked to an individual.
CCPA/CPRA: defines "sensitive personal information" to include government-issued identifiers (Social Security number, driver's license), financial account information with access credentials, precise geolocation, racial or ethnic origin, religious beliefs, contents of communications, genetic data, biometric data, and health information.
COPPA: treats all personal information collected from children under 13 as requiring parental consent, effectively treating it as sensitive regardless of category.
SERENITAS does not store medical records, diagnoses, treatments, or prescription information. However, the fact that a user schedules an appointment with a healthcare professional of a particular specialty may indirectly suggest health-related interests. SERENITAS treats this scheduling data with heightened care, consistent with the sensitivity principles outlined above.
Additionally, SERENITAS has evaluated its relationship to HIPAA and has determined that it does not function as a "covered entity" or "business associate" under HIPAA, as it does not create, receive, maintain, or transmit Protected Health Information on behalf of covered entities. The platform serves as a scheduling and connection intermediary; all clinical data remains under the sole control of the healthcare professional.
What are your rights as a consumer?
Your specific rights depend on your state of residence. The following table summarizes the key rights available under the most widely applicable state privacy laws:
| Right | CCPA/CPRA (California) | VCDPA (Virginia) | CPA (Colorado) | CTDPA (Connecticut) |
|---|---|---|---|---|
| Right to know / access | Yes | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes | Yes |
| Right to correct | Yes | Yes | Yes | Yes |
| Right to portability | Yes | Yes | Yes | Yes |
| Right to opt out of sale | Yes | Yes | Yes | Yes |
| Right to opt out of profiling | Yes (CPRA) | Yes | Yes | Yes |
| Right to non-discrimination | Yes | Yes | Yes | Yes |
| Right to appeal a denied request | — | Yes | Yes | Yes |
Even if you reside in a state without comprehensive privacy legislation, the FTC Act provides baseline protections against deceptive data practices, meaning that the commitments SERENITAS makes in its Privacy Policy are enforceable as a matter of federal law.
What are the penalties for non-compliance?
Penalties for data protection violations in the United States come from multiple sources:
FTC enforcement: the FTC can obtain consent decrees requiring companies to implement comprehensive privacy and security programs, submit to independent audits for up to 20 years, and pay civil penalties of up to $50,120 per violation per day for order violations (adjusted for inflation).
CCPA/CPRA (California): the CPPA and the Attorney General can impose administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors. Consumers also have a private right of action for data breaches involving certain categories of unencrypted personal information, with statutory damages of $100 to $750 per consumer per incident.
HIPAA: civil monetary penalties range from $100 to $50,000 per violation, with an annual maximum of $1,500,000 per violation category. Criminal violations can result in fines up to $250,000 and imprisonment up to 10 years.
State Attorneys General: can bring enforcement actions under state consumer protection laws and state-specific privacy legislation, with penalties varying by state.
Other state laws: Virginia, Colorado, Connecticut, and other states provide for civil penalties typically in the range of $7,500 to $20,000 per violation, generally enforced by the state attorney general.
How does SERENITAS handle your data?
SERENITAS operates as the controller (the entity that determines the purposes and means of processing) for the personal information collected directly from patients and healthcare professionals who use the Platform. All data is processed in accordance with applicable federal and state laws, and in keeping with the commitments made in our Privacy Policy.
The data collected by the Platform may include account information (name, email, phone number), usage and navigation data, approximate geographic location for finding healthcare professionals, and, when applicable, scheduling information voluntarily provided by the user. SERENITAS does not collect, store, or process medical records, diagnoses, treatment plans, or clinical notes.
Payment transactions are processed by Stripe, Inc. SERENITAS does not store credit card numbers, bank account details, or other complete payment credentials. We retain only transaction identifiers, amounts, dates, and payment status for record-keeping purposes.
SERENITAS implements technical and administrative security safeguards, including encryption of data in transit and at rest, role-based access controls, audit logging of sensitive operations, and periodic privacy risk assessments. The Platform uses only strictly necessary cookies for authentication, security, and user preferences.
How can you exercise your rights with SERENITAS?
Any user may exercise the rights available under applicable law in a simple and free manner. The available channels on the SERENITAS Platform are:
"My Account" section: access your privacy settings to view, correct, or request the deletion of your personal data.
Email: for requests that cannot be handled directly through the Platform, contact us at [CONTACT_EMAIL].
State regulators: if your request is not satisfactorily addressed, you may file a complaint with your state's attorney general, the FTC, or, for California residents, the California Privacy Protection Agency (CPPA).
Response times for data subject requests:
CCPA/CPRA: 45 days from receipt of a verifiable consumer request, extendable by an additional 45 days with notice.
VCDPA, CPA, CTDPA: 45 days from receipt, extendable by an additional 45 days.
General: SERENITAS commits to responding to all verifiable requests within 45 days.
Data deletion and the right to erasure
When you request the deletion of your personal data on SERENITAS, we will initiate the removal process within the applicable timeframe. However, it is important to note that not all data can be immediately and completely deleted.
Data tied to financial transactions — such as payment records, invoices, and receipts — is subject to legal retention obligations under federal and state tax law. These records must be retained for a minimum of seven years from the date of the transaction, in accordance with IRS record-keeping guidelines and applicable state requirements.
During this mandatory retention period, SERENITAS will anonymize the retained data. In practice, this means that financial records will continue to be stored for legal compliance purposes, but will be stripped of any element that could directly or indirectly identify you. Your name, email, phone number, and any other personal identifiers will be removed or replaced with irreversible codes.
At the end of the legal retention period, the anonymized records will be permanently deleted from our systems. You will be notified by email when your deletion request has been processed, with clear information about which data has been removed and which has been anonymized for legal compliance.
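The retention and anonymization rule described above, as an added illustration that is not SERENITAS code: the financial fields the policy says are retained (transaction identifier, amount, date, status) are kept, the personal identifiers are dropped, each record receives a fresh random code with no stored mapping back to the user, and records whose seven-year period has already ended are marked for permanent deletion. Field names, the `TransactionRecord` type and the sample data are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

RETENTION_YEARS = 7  # minimum retention stated in the policy, counted from the transaction date

@dataclass(frozen=True)
class TransactionRecord:
    transaction_id: str            # fields the policy says are retained for record-keeping
    amount_cents: int
    transaction_date: date
    status: str
    name: Optional[str] = None     # personal identifiers that must not survive anonymization
    email: Optional[str] = None
    phone: Optional[str] = None
    subject_code: Optional[str] = None  # irreversible code that replaces the identifiers

def anonymize(record: TransactionRecord) -> TransactionRecord:
    """Remove the identifiers and attach a fresh random code.

    No mapping from code to user is kept, so the code cannot be reversed. A keyed
    hash of the email would only be pseudonymous: whoever holds the key could
    re-link the record, which is weaker than what "anonymize" promises."""
    return replace(record, name=None, email=None, phone=None,
                   subject_code=secrets.token_hex(16))

def retention_expiry(record: TransactionRecord) -> date:
    """Date on which the retention obligation ends (handles Feb 29 source dates)."""
    d = record.transaction_date
    try:
        return d.replace(year=d.year + RETENTION_YEARS)
    except ValueError:  # Feb 29 with no Feb 29 in the target year
        return d.replace(year=d.year + RETENTION_YEARS, day=28)

def process_deletion_request(records, today: date):
    """Anonymize records still under retention; permanently delete the rest.
    Returns (anonymized records to keep, ids of records to delete)."""
    kept, deleted = [], []
    for r in records:
        if today >= retention_expiry(r):
            deleted.append(r.transaction_id)
        else:
            kept.append(anonymize(r))
    return kept, deleted

if __name__ == "__main__":
    # Constructed sample data, not real transactions.
    sample = [
        TransactionRecord("tx_1", 12000, date(2015, 1, 10), "paid", "A. Example", "a@example.com", "+1 555 0100"),
        TransactionRecord("tx_2", 8500, date(2023, 3, 5), "refunded", "A. Example", "a@example.com", "+1 555 0100"),
    ]
    kept, deleted = process_deletion_request(sample, date(2024, 6, 1))
    print(deleted, [(k.transaction_id, k.amount_cents, k.subject_code) for k in kept])
```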
References
Federal Trade Commission. FTC Act, Section 5 — Unfair or Deceptive Acts or Practices. 15 U.S.C. § 45.
U.S. Department of Health and Human Services. Health Insurance Portability and Accountability Act (HIPAA). Public Law 104-191, 1996.
California Legislature. California Consumer Privacy Act (CCPA). Cal. Civ. Code §§ 1798.100–1798.199.100, as amended by the California Privacy Rights Act (CPRA), 2020.
Virginia General Assembly. Virginia Consumer Data Protection Act (VCDPA). Va. Code §§ 59.1-575 through 59.1-585, 2021.
Colorado General Assembly. Colorado Privacy Act (CPA). C.R.S. §§ 6-1-1301 through 6-1-1313, 2021.
Connecticut General Assembly. Connecticut Data Privacy Act (CTDPA). Conn. Gen. Stat. §§ 42-515 through 42-525, 2022.
U.S. Congress. Children's Online Privacy Protection Act (COPPA). 15 U.S.C. §§ 6501–6506, 1998.