Healthcare Enterprise Privacy Policy

Last Updated: January 2026

Thank you for using the Cima Growth Solutions LLC platform, including our website, mobile applications, software, and related services (collectively, the "Services"). This Privacy Policy ("Policy") explains how Cima Growth Solutions LLC ("Cima," "Company," "we," "us," or "our") collects, uses, discloses, and safeguards information when providing a healthcare-focused SaaS platform.

This Policy is designed to meet the expectations of healthcare organizations, enterprise buyers, and regulators.

By accessing or using the Services, you acknowledge that you have read and understood this Policy.

1. Scope of This Policy

This Policy applies to information collected:

  • Through www.cimagrowth.com and related domains
  • Through Cima-branded mobile applications
  • Through email, SMS, voice, and in-app communications
  • Through forms, CRM workflows, AI-assisted tools, and integrations

This Policy does not apply to third-party websites or services accessed through integrations or links. Their privacy practices are governed by their own policies.

2. Healthcare Data, PHI, and HIPAA

Cima is a technology platform provider and does not provide medical care or clinical services.

Business Associate Role

In certain configurations, the Services may process Protected Health Information (PHI) on behalf of healthcare providers ("Covered Entities") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). In those circumstances:

  • Cima acts solely as a Business Associate
  • Processing of PHI is governed by a separate Business Associate Agreement (BAA)
  • PHI is used only to provide contracted services and for no other purpose

No BAA, No PHI

If a BAA is not in place, users must not submit PHI into the Services. Cima is not responsible for PHI submitted outside an executed BAA.

No PHI for Advertising or AI Training

3. Information We Collect

A. Information You Provide

  • Identifiers: Name, email, phone number, organization, job title, username
  • Account Data: Login credentials, preferences, permissions
  • Transaction Data: Billing details processed via PCI-compliant processors (e.g., Stripe)
  • User Content: Data submitted through forms, CRM records, messages, and uploads
  • Communications: Support requests, calls, emails, and chat records

B. Information Collected Automatically

  • Device & Network Data: IP address, browser type, OS, device identifiers
  • Usage Data: Pages viewed, features used, timestamps, interaction logs
  • Cookies & Similar Technologies: Cookies, pixels, SDKs, local storage
  • Location Data: Approximate or precise location if enabled

C. Information from Third Parties

  • Advertising and analytics platforms (e.g., Google, Meta)
  • Public or professional data sources
  • Authorized integrations (e.g., Zapier, Twilio, Mailgun)

4. How We Use Information

We use information to:

  • Provide, operate, and maintain the Services
  • Configure workflows and automations
  • Process payments and provide support
  • Communicate service-related and promotional messages
  • Perform analytics, security monitoring, and fraud prevention
  • Improve platform functionality

AI and Automated Tools

Certain features may use AI-assisted or automated processing to support messaging, workflow optimization, or analytics. These tools:

  • Do not provide medical advice, diagnoses, or treatment recommendations
  • Are configurable by the customer
  • Operate under strict data access controls

5. Legal Bases for Processing (EEA/UK)

Where applicable, we process data based on:

  • Consent
  • Contractual necessity
  • Legal obligations
  • Legitimate interests, including platform security and improvement

6. Sharing and Disclosure

We may share information with:

  • Service Providers & Subprocessors: Hosting, communications, payments, analytics
  • Affiliates: Under common ownership
  • Legal Authorities: As required by law
  • Business Transfers: Mergers, acquisitions, or asset sales
  • With Consent: As directed by the customer

Cima does not sell PHI, phone numbers, or SMS opt-in consent.

A current list of subprocessors is available upon request.

7. Advertising & Tracking

Cima may use standard analytics and advertising tools for its own marketing. Healthcare customer data and PHI are never used for advertising, retargeting, or audience modeling.

Users may opt out of non-essential tracking via browser settings or industry opt-out tools.

8. Your Rights and Choices

Depending on jurisdiction, you may have rights to:

  • Access, correct, or delete personal data
  • Restrict or object to processing
  • Opt out of targeted advertising or profiling

Requests may be submitted using the contact information below.

9. U.S. State Privacy Rights

Cima honors applicable state privacy laws, including but not limited to:

  • California (CCPA/CPRA)
  • Virginia, Colorado, Connecticut, Utah
  • Other U.S. states as laws come into effect

Sensitive Personal Information is handled in accordance with applicable law.

10. Children's Privacy

The Services are not intended for children under 13 (or under 16 where required by law). We do not knowingly collect children's data.

11. Data Retention

Data is retained only as long as necessary for:

  • Contractual obligations
  • Legal compliance
  • Security and dispute resolution

When no longer required, data is securely deleted or anonymized.

12. Data Security

Cima maintains administrative, technical, and physical safeguards, including encryption, access controls, and monitoring. No system is completely secure.

13. International Transfers

Data may be processed in the United States or other jurisdictions with appropriate safeguards.

14. Terms of Use

Use of the Services is subject to our Terms of Use.

15. Contact Information

Cima Growth Solutions LLC
3467 Trexler Blvd
Allentown, PA 18104
Phone: +1-484-480-9296
Email: support@cimagrowth.com


Business Associate Agreement (BAA)

This Business Associate Agreement ("Agreement") is entered into by and between ("Business Associate") and the healthcare customer executing this Agreement ("Covered Entity"). This Agreement is effective as of the date it is executed by the parties.

1. Purpose

This Agreement is intended to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the Privacy Rule, Security Rule, and HITECH Act, and governs the use and disclosure of Protected Health Information ("PHI") by Business Associate.

2. Definitions

All capitalized terms not defined herein have the meanings set forth in HIPAA.

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI solely to:

  • Perform services for Covered Entity as defined in the applicable services agreement
  • Support platform functionality, troubleshooting, and security
  • Comply with legal obligations

Business Associate shall not use PHI for advertising, marketing, or generalized AI training.

4. Safeguards

Business Associate shall:

  • Implement administrative, technical, and physical safeguards
  • Protect against unauthorized access, use, or disclosure
  • Ensure workforce compliance with HIPAA obligations

5. Subcontractors

Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI agrees in writing to equivalent HIPAA protections.

6. Reporting

Business Associate shall report to Covered Entity:

  • Any use or disclosure not permitted by this Agreement
  • Any Security Incident or Breach of Unsecured PHI without unreasonable delay

7. Access and Amendment

To the extent required by HIPAA, Business Associate shall:

  • Provide access to PHI
  • Amend PHI
  • Incorporate amendments as directed by Covered Entity

8. Accounting of Disclosures

Business Associate shall make information available as necessary to provide an accounting of disclosures.

9. Term and Termination

This Agreement remains in effect until terminated. Covered Entity may terminate for material breach if not cured within a reasonable time.

Upon termination, Business Associate shall return or destroy PHI where feasible.

10. Compliance with HIPAA

Business Associate agrees to comply with applicable provisions of HIPAA and HITECH.

11. Indemnification

Each party shall be responsible for its own violations of HIPAA and applicable law.

12. Survival

The obligations relating to PHI survive termination of this Agreement.

13. Miscellaneous

This Agreement is governed by the laws specified in the underlying services agreement. This Agreement may be executed electronically.