Privacy Policy

HavenWise Advocates ("HavenWise," "we," "us," or "our") provides phone-first concierge advocacy services for older adults. This Privacy Policy describes how we collect, use, disclose, and protect Personal Information about visitors to havenwiseadvocates.com (the "Site") and people who contact us, fill out our booking form, or become our clients (collectively, "you").

This Policy applies to the Site, our booking form (delivered through Formspree), our authenticated client portal at portal.havenwiseadvocates.com (when launched), and email or phone correspondence with our team. By using the Site or submitting information to us, you confirm you have read this Policy.

1. Definitions

"Personal Information" means information that identifies, relates to, describes, references, or is reasonably capable of being associated with a particular individual or household.

"Sensitive Personal Information" means a subset of Personal Information that includes government-issued identification numbers (Social Security, driver's license, passport), financial account information, account login credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail/email/text messages, genetic data, biometric information used to uniquely identify an individual, health or medical information, and information about sex life or sexual orientation.

"Process" means any operation performed on Personal Information — collection, use, storage, disclosure, deletion, etc.

"Service Provider" means a third-party business that processes Personal Information on our behalf under a written contract that restricts their use of that information to the services they provide to us.

"Sell" and "Share" have the meanings given in the California Consumer Privacy Act ("CCPA") and similar state laws — generally, exchanging Personal Information for monetary or other valuable consideration, or disclosing it for cross-context behavioral advertising. We do neither.

2. Categories of Personal Information we collect

We collect the following categories of Personal Information, using the categories defined in the CCPA. For each, we describe the source and the purpose of collection.

A. Identifiers

Your first and last name; email address; phone number; your parent's first and last name (optional); your parent's city and state (derived from the ZIP code you provide). Source: you, through the booking form. Purpose: to contact you, schedule and prepare for the call, and identify you in our records.

D. Commercial information

Description of the services you've inquired about and your preferred time to talk. Source: you, through the booking form. Purpose: to determine fit and prepare for the call.

F. Internet or other electronic network activity

Aggregate website analytics — page views, browser type, country/region, referrer URL, load times. No individual tracking; no cookies; no IP addresses retained. Source: Cloudflare edge analytics. Purpose: site security and aggregate traffic insight.

G. Geolocation data

Approximate location at the country/region level from Site visits (Cloudflare). ZIP-code- level location for your parent, only if you submit the booking form. Source: Cloudflare; you. Purpose: aggregate analytics; identifying time zone and local services for your parent.

Categories we do NOT collect

We do not collect the following CCPA categories: B (California Customer Records Act information such as financial account info), C (protected classifications including race, religion, sexual orientation), E (biometric information), H (audio, electronic, visual, thermal, olfactory, or similar information), I (professional or employment information), J (education information), or K (inferences drawn to create profiles).

3. Sensitive Personal Information

We do not collect Sensitive Personal Information through the Site. The Site does not request and we do not knowingly receive:

• Social Security numbers
• Driver's license, passport, or other government-issued identification numbers
• Medicare, Medicaid, or insurance ID numbers
• Bank account, payment card, or other financial account information
• Account login credentials
• Precise geolocation (latitude / longitude)
• Racial or ethnic origin, religious or philosophical beliefs, union membership
• Health or medical information (beyond the general description you choose to share in the booking form)
• Biometric information
• Information about sex life or sexual orientation

If you become a client, our future authenticated portal may collect a limited subset of these categories under a separate, more secure intake process with its own notice at collection. The current Site does not.

4. How we use Personal Information

We process Personal Information for the following purposes, under the legal bases noted:

• To respond to your booking request and schedule a call. Legal basis: your request to take pre-contractual steps; legitimate interest.
• To prepare for the call and deliver our concierge services. Legal basis: performance of a contract (if you become a client); legitimate interest in pre-client conversations.
• To coordinate services on your family's behalf with third parties you authorize. Legal basis: your consent; performance of contract.
• To operate, secure, and analyze the Site in aggregate. Legal basis: legitimate interest in running a functional, secure website.
• To comply with applicable laws and respond to legal process. Legal basis: legal obligation; legitimate interest in protecting our rights and the safety of others.

We do not use your Personal Information for:

• Selling or "sharing" for cross-context behavioral advertising
• Marketing or promotional communications
• Building profiles, scoring you, or making automated decisions about you
• Any purpose not disclosed in this Policy

5. How we share Personal Information

We disclose Personal Information only as follows:

With our team. A small group of named HavenWise advocates and staff who need the information to do their job. Access is logged and limited.

With Service Providers bound by written contract to use the information only for the services they provide to us:

• Cloudflare — hosting, DNS, content delivery, edge analytics (privacy policy)
• Formspree — booking form delivery (privacy policy)
• Microsoft 365 — email and business productivity (privacy statement)
• Amazon Web Services (AWS) — cloud infrastructure for our authenticated client portal when launched (privacy notice)

With third parties you specifically authorize us to contact on your behalf (your parent's healthcare provider, pharmacy, insurance representative, etc.).

With law enforcement or in response to legal process when we are compelled by a valid subpoena, court order, or other legally enforceable demand, or when we believe in good faith that disclosure is necessary to protect our rights or the safety of others.

In connection with a business transaction. If HavenWise is acquired, merged, or sells substantially all of its assets, Personal Information may be transferred as part of that transaction. We will require any acquirer to honor this Policy, or to provide notice and an opportunity to object before applying materially different terms.

We do not disclose Personal Information to advertising networks, marketing companies, data brokers, social media platforms, or any party not listed above.

6. How long we keep Personal Information

• Booking form submissions from non-clients — retained 12 months from submission, then deleted, unless you convert to a client during that period.
• Client records — retained for the term of the engagement plus three (3) years afterward for record-keeping and any follow-up needs, then deleted.
• Email correspondence — retained three (3) years from the last interaction, then deleted.
• Aggregate analytics with no personal identifiers — retained indefinitely.

We may retain information longer when required by law (e.g., tax records, response to valid legal hold) or when reasonably necessary to defend an ongoing or anticipated legal claim.

7. Data security

We implement administrative, technical, and physical safeguards that are reasonably designed to protect Personal Information from unauthorized access, disclosure, alteration, or destruction. Current safeguards include:

• HTTPS / TLS encryption for all data in transit
• Access controls limiting employee access to information needed for their role
• Encrypted storage for sensitive data (AWS RDS Postgres with KMS encryption for the portal; cookie-based session tokens issued by AWS Cognito)
• Multi-factor authentication for staff accounts
• Periodic review of access logs
• Security and privacy assessments before engaging new Service Providers

No security measure is perfect. We cannot guarantee absolute security and are not responsible for unauthorized access that occurs despite reasonable efforts. We will notify affected individuals and applicable regulators of a security incident involving Personal Information as required by applicable law.

8. International data transfers

HavenWise is based in the United States and primarily processes Personal Information within the United States. Some of our Service Providers (Cloudflare, AWS, Microsoft) operate global networks and may process information in other countries. When information is transferred outside your country, we rely on the legal mechanisms those Service Providers maintain for cross-border transfers (such as Standard Contractual Clauses).

9. Cookies and similar technologies

The marketing site (havenwiseadvocates.com) does not set any cookies. No analytics cookies, no preference cookies, no advertising cookies, no session cookies. Cloudflare's edge analytics operate at the CDN level without setting any cookie on your device.

When our authenticated client portal launches at portal.havenwiseadvocates.com, it will set a single secure session cookie issued by AWS Cognito so signed-in users remain authenticated. The cookie is technically necessary for the portal to function, contains an opaque session token (no personal information readable by third parties), is marked HttpOnly and Secure, and is not used for advertising, analytics, or cross-site tracking.

Do Not Track and Global Privacy Control. We do not respond to Do Not Track ("DNT") browser signals because we don't engage in cross-site tracking. We honor Global Privacy Control ("GPC") signals where applicable and treat them as a valid opt-out for any sale or sharing of Personal Information (though we conduct neither).

10. Your privacy rights

Depending on your state or country of residence, you have one or more of the following rights. Where state law gives different residents different rights, the broader right applies for that resident.

• Right to know / access. Request the categories and specific pieces of Personal Information we hold about you, the sources, the purposes, and the categories of third parties with whom we share it.
• Right to delete. Request deletion of Personal Information we hold about you, subject to certain exceptions (legal obligations, ongoing services, security, completion of a transaction you initiated).
• Right to correct. Request correction of inaccurate Personal Information.
• Right to data portability. Request a copy of your information in a structured, commonly used, machine-readable format.
• Right to opt out of sale or sharing. Because we do not sell or share Personal Information for cross-context behavioral advertising, this right has no current operational effect — but the right exists.
• Right to limit use of Sensitive Personal Information. We do not collect Sensitive Personal Information through the Site, so this right is similarly inapplicable here.
• Right to non-discrimination. We will not deny services, charge different prices, or provide lower-quality services because you exercised a privacy right.
• Right to withdraw consent (where processing is based on your consent). Withdrawal does not affect the lawfulness of processing before withdrawal.

California, Colorado, Virginia, Connecticut, Tennessee, Utah, and other state residents: the rights above apply to you regardless of your state, and any state-specific rights are honored. Colorado, Virginia, and Connecticut residents additionally have a right to appeal — see Section 11.

EU / UK residents: to the extent the EU or UK General Data Protection Regulation ("GDPR") applies, you also have the right to data portability, the right to object to processing based on legitimate interest, and the right to lodge a complaint with your local supervisory authority.

11. How to exercise your privacy rights

Submitting a request. Email [email protected] with the subject line "Privacy Request" and describe what you want. If you've previously been in touch by phone, you may also leave a voicemail noting you're making a privacy request.

Verification. To protect your information against fraudulent requests, we'll need to verify your identity before substantively responding. For most requests this means matching the email address you used when you originally contacted us. For deletion or correction of sensitive information we may ask for additional verification.

Authorized agents. You may designate an authorized agent to make requests on your behalf. The agent must provide written proof of authorization, and we may contact you to confirm.

Response time. We acknowledge your request within 10 business days and substantively respond within 45 days. We may extend the response window by up to an additional 45 days when reasonably necessary, in which case we'll notify you of the extension and the reason.

Appeals (Colorado, Virginia, Connecticut residents). If we decline a request, you may appeal by replying to our response or sending a new email with subject line "Privacy Appeal." We respond to appeals within 60 days. If we decline the appeal, you may contact your state Attorney General to file a complaint.

No fee. We do not charge a fee for responding to verifiable privacy requests, except where the request is manifestly unfounded, excessive, or repetitive — in which case we may charge a reasonable fee or decline the request and explain why.

12. Children's privacy

The Site and our services are intended for adults working with their aging parents. We do not direct the Site to children and do not knowingly collect Personal Information from anyone under 18 years of age. Consistent with the Children's Online Privacy Protection Act ("COPPA"), we do not knowingly collect information from children under 13.

If you believe we have collected Personal Information from a minor, contact us at [email protected] and we will delete it.

13. About HIPAA

HavenWise Advocates is not a "covered entity" or "business associate" under the federal Health Insurance Portability and Accountability Act ("HIPAA"). We do not provide medical care, do not file insurance claims on your behalf, and do not maintain medical records. HIPAA therefore does not apply to us as a regulatory matter.

We treat health-adjacent information you choose to share with us as confidential and use it only to coordinate the services you've asked us to coordinate. Our administrative and technical safeguards are aligned with HIPAA's standards even where not legally required.

14. Third-party links

The Site may include links to third-party websites, services, or applications (including the privacy-policy links for our Service Providers above). We are not responsible for the privacy practices, content, or security of those third parties. Review their own privacy notices before submitting information to them.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, services, or applicable law. The "Last updated" date at the top reflects the most recent revision.

We will notify active clients by email before material changes take effect. For non-material changes (clarifications, typo fixes, link updates), the updated date is the only notice we provide. If you do not agree with a change, your remedy is to stop using the Site and contact us to request deletion of your information.

16. Governing law and disputes

This Policy is governed by the laws of the State of Tennessee, without regard to its conflict-of-laws principles. Any dispute relating to this Policy or our handling of your Personal Information will be subject to the exclusive jurisdiction of the state and federal courts located in Davidson County, Tennessee, except where applicable consumer- protection law gives you the right to pursue claims elsewhere.

Nothing in this Policy waives or limits any non-waivable rights you have under applicable state, federal, or international privacy law.

17. Contact us

For any privacy question, request, or complaint, contact us at:

Email (preferred): [email protected]
Subject line for rights requests: "Privacy Request"
Subject line for appeals: "Privacy Appeal"

Mailing address:
HavenWise Advocates
Nashville, Tennessee
(Full street address to be added; request a confirmation by email and we'll respond from our official business email.)

This Policy is the entire agreement between you and HavenWise Advocates regarding the handling of your Personal Information by us. If any part of this Policy is held unenforceable, the remainder remains in full force and effect.