
Privacy Policy

Last updated: 11/1/2025

Amy Calmann is dedicated to protecting the privacy of your personal information. 

This website privacy policy (“policy”) explains how Amy Calmann LCSW Psychotherapy (the “practice,” “I,” “we,” “us,” or “our”) collects, uses, stores, and protects personal information obtained through the public website located at https://www.amytherapynyc.com (the “site”).

​

Scope
This Policy applies solely to non-clinical personal information gathered through the website such as contact details or analytics data. It does not apply to Protected Health Information (“PHI”) created or received in connection with psychotherapy or Telehealth services. PHI is governed by our Notice of Privacy Practices (NPP) in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related federal and state privacy laws.

 

Acceptance
By using the Site, you consent to the collection and use of information as described in this Policy. If you do not agree, please discontinue use of the Site.

 

Regulatory Context
This Policy is drafted in accordance with applicable federal and state privacy statutes, including HIPAA (for context), the New York SHIELD Act (General Business Law §§ 899-aa, 899-bb), and comparable New Jersey and Connecticut privacy provisions.

 

 

 

Practice Identity and Contact Information

​

Operator
The Site is owned and operated by:

Amy Calmann LCSW Psychotherapy
1140 Broadway Suite 204
New York, NY 10001
Email: amy@amytherapynyc.com
Phone: 347-948-4702 

​

Privacy Officer
For questions, concerns, or requests under this Policy, contact the Practice’s Privacy Officer at the above address or by email at amy@amytherapynyc.com.

 

Licensure
Amy Calmann is a licensed clinical social worker (LCSW) in the state of New York (License No. 086211), a licensed clinical social worker (LCSW) in the state of New Jersey (License No. 44SC06583500), and a licensed clinical social worker in the state of Connecticut (License No. 15483).

​

​

 

Relationship to the Notice of Privacy Practices (HIPAA)

​

Separate Frameworks
The Practice maintains a legally required Notice of Privacy Practices (NPP) describing how PHI is used and disclosed for treatment, payment, and healthcare operations. The NPP governs all client-specific or clinical information.

​

Website Data vs. Clinical Data
Information submitted through public pages of the Site, such as name, email, or phone number in a general inquiry form, is treated as non-PHI. Do not submit clinical details, diagnoses, or therapy notes through such forms.

 

HIPAA-Compliant Systems
PHI may be exchanged only through the Practice’s secure, HIPAA-compliant Portal or Telehealth platform. Messages transmitted outside those systems (for example, via unencrypted email) are not considered PHI until formally incorporated into a patient record.

​

Conflict of Policies
If a provision of this Policy conflicts with the NPP as it relates to PHI, the NPP terms take precedence.

​​

​

​

Information We Collect through the Site (Non-PHI)

​

We collect and process the following categories of non-clinical data:

 

Information You Provide Voluntarily
When you complete a contact form, join an email list, or otherwise correspond with the Practice, you may provide identifying details such as your name, email address, or phone number.

​

Technical and Usage Data
When you browse the Site, standard server logs automatically capture information such as your IP address, browser type, device type, operating system, referring URLs, and pages viewed.

​

Cookies and Analytics
The Site may employ essential cookies for session management and limited analytics tools to evaluate aggregate usage. These do not collect PHI or personally identify clients.

​

Sensitive Information
The Site is not designed to collect social security numbers, credit-card details, medical histories, or other sensitive data. Please refrain from submitting such information through public forms.

​

​

​

How We Use the Information We Collect

 

Operational Uses
We use non-PHI data to operate, maintain, and improve the Site, monitor its performance, and ensure security and functionality.

​

Response to Inquiries
Contact details you provide are used solely to respond to your inquiry or request and are not added to marketing lists or shared externally without consent.

​

Analytics and Improvement
Aggregate analytics may be used to evaluate which pages are most visited, improve user experience, and maintain technical performance.

​

Legal and Security Compliance
We may use information to detect or prevent security incidents, comply with legal obligations, enforce our Terms and Conditions, and fulfill record-keeping duties under applicable law.

​

No Sale of Information
The Practice does not sell, rent, or trade personal information for marketing or any other commercial purpose.

​

​

​

Legal Bases and Permitted Disclosures

​

Service Providers
We share limited non-PHI data with vendors that host, secure, or analyze the Site, subject to contractual confidentiality obligations. Vendors that handle PHI are Business Associates under HIPAA and are covered by separate Business Associate Agreements (BAAs).

​

Legal Requirements
We may disclose information if required by law, subpoena, court order, or governmental request, or when necessary to protect our rights, safety, or compliance obligations.

​

Business Transfers
In the unlikely event of a professional succession (e.g., sale or transfer of the Practice), non-PHI website data may be transferred as part of that transition, subject to equivalent privacy safeguards.

​

Aggregate Data
We may disclose non-identifiable, aggregate statistics about website usage for legitimate reporting or improvement purposes.

​

​

​

Cookies, Tracking Technologies, and Analytics

 

Essential Cookies
The Site may use minimal cookies necessary to operate basic features such as navigation, session management, or security. These cookies do not identify individual users.

 

Analytics Tools
If analytic tools (such as Google Analytics 4) are employed, they are configured to avoid capturing PHI, precise geolocation, or data that could identify individual clients. Data collected are used solely for aggregated statistical analysis.

​

Cookie Control
You can adjust browser settings to refuse or delete cookies. Disabling cookies may affect certain Site features but will not block access to core content.

​

No Behavioral Advertising
The Practice does not use cookies or pixels for behavioral advertising, retargeting, or tracking across unaffiliated sites.

 

Tracking Disclosures
At this time, the Site does not respond to “Do Not Track” browser signals. Should standards change, the Policy will be updated accordingly.

​

Compliance Reminder
For avoidance of doubt, any tracking or analytics vendors used for the Site are contractually prohibited from receiving or processing PHI.

​

​

​

Data Security and Safeguards

​

Administrative, Technical, and Physical Protections
The Practice employs administrative, technical, and physical safeguards designed to protect information collected through the Site against loss, misuse, unauthorized access, disclosure, alteration, or destruction. Measures include encrypted website hosting, limited administrative access, device security controls, and secure server configurations maintained by professional vendors.

​

Vendor Obligations
Vendors that process website data on our behalf are selected for their security competence and must agree in writing to maintain confidentiality, integrity, and availability of information consistent with New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and applicable privacy standards.

​

Data Transmission Risks
While the Practice uses industry-standard security methods, no electronic transmission or storage system is perfectly secure. The transmission of information via the Internet is at your own risk, and the Practice cannot guarantee absolute protection against unauthorized access or breaches beyond its reasonable control.

 

Breach Notification
If a data incident occurs involving personal information collected through the Site that creates a material risk of harm, the Practice will comply with applicable notification obligations under the SHIELD Act, HIPAA (if PHI is affected), and other relevant state and federal laws.

​

 

 

Data Retention and Disposal

​

Retention Principle
The Practice retains website-related information only as long as reasonably necessary to fulfill the purposes for which it was collected, to meet operational requirements, or to comply with legal and ethical obligations.

​

Illustrative Durations
(a) General website inquiries are typically retained up to 24 months from last correspondence.
(b) Server and security logs are typically retained up to 12 months for system integrity and troubleshooting.
(c) Aggregated analytics data are stored up to 26 months for trend analysis.

​

Secure Disposal
When data are no longer needed, they are securely destroyed, anonymized, or deleted from systems in a manner consistent with professional data-disposal standards and HIPAA retention principles (for PHI systems).

​

Clinical Records
Client treatment records and PHI are retained under separate legal and ethical obligations applicable to licensed mental-health professionals and are outside the scope of this Policy.

​

​

​

Your Rights and Choices

​

Access and Correction (Website Data)
You may request a copy of non-clinical information you have submitted through the Site, or request correction of factual inaccuracies. The Practice will confirm receipt and comply where feasible, subject to legitimate verification of identity and applicable exceptions.

 

Deletion (Right to Erasure)
You may request deletion of non-PHI data held by the Practice that was obtained through the Site. The Practice will honor such requests except where retention is required by law, necessary for legitimate business purposes, or in compliance with professional recordkeeping duties.

​

Cookies and Analytics
You can manage cookies through browser settings. Where optional analytics or cookies are introduced in future, you will be offered clear notice and choice.

 

Email and Contact Preferences
By initiating email or form contact, you consent to receive a reply through the same channel. You may opt out of future non-clinical communications at any time by written notice; this will not affect legitimate administrative correspondence.

​

Verification
Before fulfilling any request concerning personal data, the Practice may verify identity through reasonable means to protect against unauthorized access or deletion.

 

Limitations
These rights apply only to non-PHI website data. Requests relating to psychotherapy records or PHI must be directed through the HIPAA Notice of Privacy Practices.

​

​

​

State-Specific Privacy Disclosures

​

New York SHIELD Act Compliance
As a New York-based healthcare practice, we comply with the SHIELD Act (General Business Law §§ 899-aa, 899-bb). The Act requires reasonable data-security safeguards and prompt notification in the event of unauthorized acquisition of “private information.”

 

Connecticut Data Privacy Law
The Practice follows the spirit of the Connecticut Data Privacy Act (CTDPA) for non-PHI data processed from Connecticut residents. While the Practice’s small size may exempt it from formal applicability thresholds, we voluntarily adhere to its transparency and access principles.

​

California and Other States
Although the Practice does not meet the volume thresholds for the California Consumer Privacy Act (CCPA) or similar laws, it does not sell, share, or use data for cross-context behavioral advertising. Residents of states with applicable privacy statutes may contact us to exercise access or deletion rights concerning non-PHI data.

 

New Jersey
Upon issuance of a New Jersey license, this Policy will extend to users accessing the Site from New Jersey, subject to the New Jersey Identity Theft Prevention Act and comparable privacy provisions.

 

​

​

International Visitors and Data Transfers

 

U.S. Operation
This Site is operated in and governed by the laws of the United States. By using the Site from outside the U.S., you understand that your data may be transferred to, processed in, and stored within the United States.

 

Cross-Border Safeguards
Vendors handling international transfers are contractually required to maintain appropriate safeguards, such as standard contractual clauses (SCCs) approved by the European Commission, to protect personal information.

 

Legal Bases (EU/UK Visitors)
If the EU General Data Protection Regulation (“GDPR”) or UK Data Protection Act applies, we rely on legitimate interests to operate the Site and respond to inquiries, and on consent where required (for non-essential cookies or analytics).

 

Data Subject Requests
International visitors may request access, correction, or deletion of non-PHI website data by contacting the Privacy Officer. Such requests will be addressed consistent with applicable law and practical feasibility.

 

 

 

Children’s Privacy

​

No Intentional Collection from Children
The Site is not directed to children under the age of thirteen (13). The Practice does not knowingly collect personal information from children under 13, nor permit such individuals to use interactive features.

 

Parental Involvement
If you are a parent or guardian and believe your child has submitted personal information through the Site, please contact us. Upon verification, we will delete such information as required by the Children’s Online Privacy Protection Act (COPPA).

​

Minors in Treatment
Therapy services for minors are governed by parental consent and confidentiality rules established under state law and are addressed within the Notice of Privacy Practices and treatment consents, not this Policy.

 

 

 

Testimonials, Reviews, and External Listings

 

Testimonials
Testimonials displayed on the Site are published only with written authorization consistent with HIPAA requirements (45 C.F.R. § 164.508). They reflect personal experiences of individual clients and may not represent typical results.

 

Third-Party Reviews
Reviews appearing on third-party platforms (e.g., Google, Healthgrades, Psychology Today) are subject to those platforms’ privacy policies and data-collection practices. The Practice does not control or moderate content hosted externally.

​

Editing and Consent
Testimonials may be lightly edited for clarity, grammar, or length but never for substance. Clients may revoke testimonial consent at any time in writing, upon which the testimonial will be promptly removed from the Site.

 

Media Mentions
References to professional listings or media features (“as seen in TV, film, or print”) are informational only and do not constitute endorsement by those outlets.

​

​

​

Third-Party Links and Embedded Tools

​

Linked Sites
The Site may include links to external websites or embedded services (such as maps, scheduling widgets, or payment processors). These services are operated independently, and their privacy practices are not governed by this Policy.

 

No Responsibility for External Practices
The Practice is not responsible for the privacy, security, or content of third-party sites. Users should review the privacy policies of any external websites they visit through the Site.

 

HIPAA-Related Vendors
For integrations that handle PHI (e.g., secure telehealth platforms or patient portals), the Practice ensures those vendors are under active Business Associate Agreements (BAAs) in compliance with HIPAA.

​

​

​

Do Not Track and Automated Decision-Making

​

Do Not Track
At present, the Site does not respond to browser “Do Not Track” (DNT) signals due to lack of consensus on the technical standard. Should regulatory guidance evolve, this Policy will be updated to reflect any adopted response mechanism.

​

No Automated Decision-Making
The Practice does not use automated tools or profiling algorithms that produce legal or significant effects on individuals. All clinical and administrative decisions are made by licensed professionals or authorized personnel.

 

 

 

Data Breach Response

 

Detection and Containment
In the event of a suspected data incident involving non-PHI website information, the Practice will promptly investigate, contain, and evaluate the scope and cause of the event.

​

Notification Procedures
If a breach of private information as defined under New York or Connecticut law is confirmed, the Practice will provide timely notice to affected individuals and relevant authorities in accordance with applicable state and federal statutes.

 

Remediation and Review
Following a breach, the Practice will take corrective actions to mitigate harm, strengthen security controls, and prevent recurrence. Documentation of remediation steps will be retained as part of compliance records.

 

Policy Updates and Versioning

 

Effective Date and Revisions
The Effective Date of this Policy is shown at the top. Updates take effect upon posting a revised version with a new “Last Updated” date.

​

Material Changes
If substantive changes affect how personal data are handled, the Practice will post a clear notice on the Site and may communicate directly if contact information has been previously collected.

 

Historical Versions
Previous versions of this Policy may be archived for reference and compliance documentation.

 

Continued Use
Continued use of the Site after publication of an updated Policy constitutes your acknowledgment and acceptance of the revised terms.

​

​

​

Governing Law and Enforcement

 

Jurisdiction
This Policy and any disputes arising out of or relating to it are governed by the laws of the State of New York, without regard to conflict-of-laws principles.

 

Venue
The exclusive venue for any dispute relating to this Policy or the Site shall be the state or federal courts located in New York County, New York.

​

No Waiver of Rights
Failure of the Practice to enforce any provision of this Policy shall not constitute a waiver of that or any other provision.

 

Severability
If any provision of this Policy is held unlawful or unenforceable, the remaining provisions shall remain in full force and effect.

​

Contact Information

Privacy Officer Contact
For questions, requests, or concerns about this Website Privacy Policy or the handling of your information, please contact:

​

Amy Calmann LCSW Psychotherapy
Attn: Privacy Officer
1140 Broadway Suite 204
New York, NY 10001
Email: amy@amytherapynyc.com
Telephone: 347-948-4702 

 

 

 

Complaints
If you believe your privacy rights have been violated or that we have not addressed your concerns adequately, you may contact the Office for Civil Rights, U.S. Department of Health and Human Services, or the appropriate state privacy authority.

 

Acknowledgment
By using this Site, you acknowledge that you have read, understood, and accepted this Privacy Policy as it applies to website data.
