Aellē Digital
0%

Privacy Policy

AELLĒ DIGITAL

Privacy Policy

Effective date: May 23, 2026

1. Notice at Collection of Personal Information

This section is provided as a Notice at Collection under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), Cal. Civ. Code § 1798.100(a).

At or before the point of collection, Aellē LLC (“Aellē,” “we,” “us,” or “our”) collects the categories of Personal Information listed in Section 3 below, for the business and commercial purposes listed in Section 4. We retain Personal Information for the periods described in Section 12. We do not sell Personal Information. We share Personal Information with third parties for cross-context behavioral advertising as described in Section 7; you have the right to opt out of such sharing using the mechanisms described in Section 10.

We do not use or disclose Sensitive Personal Information for purposes other than those permitted under CCPA § 1798.121, and we do not infer characteristics from Sensitive Personal Information for advertising purposes.

2. Scope and Introduction

This Privacy Policy describes how Aellē LLC, a California limited liability company headquartered at 2121 Avenue of the Stars, Suite 800, Century City, CA 90067, collects, uses, discloses, and protects Personal Information when you visit aelle.io and our subdomains, communicate with us, engage our services, or interact with our advertising. This policy applies to information processed by Aellē as a Business — that is, as a controller of the data. Where Aellē processes information on behalf of a behavioral health Covered Entity client as a Business Associate or Service Provider, the client’s notices and our underlying agreement with that client govern.

Aellē provides marketing, patient acquisition, and acquisition-intelligence services to behavioral health programs, including residential, partial hospitalization, intensive outpatient, outpatient, and ABA programs. We operate the AellēX platform on behalf of those clients. Some of the data we process may include health-related information; please review Section 8 carefully.

3. Categories of Personal Information We Collect

In the twelve months preceding the effective date of this policy, we have collected the following categories of Personal Information as enumerated under CCPA § 1798.140(v):

3.1 Identifiers

Name, postal address, email address, telephone number, IP address, online identifiers, account names, and similar identifiers.

3.2 Customer records information

Information described in Cal. Civ. Code § 1798.80(e), including employer, job title, organization name, professional contact information, and information submitted through inquiry or intake forms.

3.3 Commercial information

Records of services considered, requested, or purchased; consulting engagement details; billing and payment records.

3.4 Internet or other electronic network activity information

Browsing history, search history, pages viewed, links clicked, time spent on pages, advertising interactions, device and browser type, and information regarding your interaction with our website, emails, and advertisements.

3.5 Geolocation data

Approximate geographic location derived from IP address. We do not collect precise geolocation data through our website.

3.6 Professional or employment-related information

Role within the organization, professional qualifications relevant to the services, and decision-making authority.

3.7 Inferences

Inferences drawn from the above to create a profile reflecting professional preferences, characteristics, behavior, and aptitudes relevant to behavioral health program operations.

3.8 Sensitive Personal Information

We do not knowingly collect Sensitive Personal Information through our public website. Where Aellē processes Sensitive Personal Information on behalf of a Covered Entity client (for example, in the course of intake automation services where we receive information identifying an individual as seeking behavioral health treatment), that processing is governed by the Business Associate Agreement and Service Agreement with the client, and is conducted in accordance with CCPA § 1798.121, HIPAA, and applicable state law.

4. Sources From Which We Collect Personal Information

  • Directly from you, through website forms, email, telephone, scheduled consultations, and other communications.
  • Automatically through your interaction with our website and advertising, including via cookies, pixels, software development kits, and server-side conversion measurement APIs.
  • From advertising platforms including Google, Meta, Microsoft, TikTok, Amazon Ads, and similar networks.
  • From analytics providers including Google Analytics, Microsoft Clarity, and similar tools.
  • From our behavioral health program clients, who may share contact information of authorized representatives engaged in our services.
  • From publicly available business databases and professional networking platforms.
  • From service providers performing services on our behalf.

5. Business and Commercial Purposes for Which We Use Personal Information

  • To respond to inquiries and provide information about our services.
  • To operate, maintain, secure, and improve our website and the AellēX platform.
  • To deliver services agreed in an engagement, including campaign management, attribution measurement, intake automation, and reporting.
  • To communicate with you about service offerings, industry updates, events, and content that you have requested or that we reasonably believe is of professional interest.
  • To measure the performance of our marketing campaigns and website.
  • To detect, investigate, and prevent fraud, security incidents, and unauthorized activity.
  • To comply with applicable legal obligations, including those under HIPAA, 42 CFR Part 2, the CCPA, and analogous state laws, and to respond to lawful government requests.
  • To enforce our contractual terms and protect our legal rights.
  • To carry out a business transition such as a merger, acquisition, or financing.

6. How We Disclose Personal Information

In the twelve months preceding the effective date, we disclosed each of the categories of Personal Information listed in Section 3 to the following categories of recipients:

6.1 Service providers and contractors

Hosting, cloud infrastructure, analytics, advertising measurement and attribution, customer relationship management, marketing automation, SMS and voice communications, email delivery, payment processing, accounting, professional services, and security providers. Each service provider is bound by a written contract that restricts processing to the purposes specified by Aellē. Service providers that may handle Protected Health Information are bound by a separate Business Associate Agreement.

6.2 Clients

Where you submit information through an Aellē-managed campaign or landing page that has been clearly identified as belonging to or operated on behalf of a specific behavioral health program, we may share that information with that program for the purpose of contacting you about treatment.

6.3 Advertising and analytics partners

In limited circumstances, Aellē may share online identifiers and interaction data with advertising and analytics partners for the purpose of measuring advertising performance. Where this constitutes “sharing” under the CCPA, you may opt out using the mechanisms in Section 10. We do not share Sensitive Personal Information or any data identifying an individual as a behavioral health treatment-seeker with advertising platforms for cross-context behavioral advertising.

6.4 Legal and protective disclosures

To comply with applicable law, regulation, legal process, or governmental request; to enforce our agreements; to detect, prevent, or address fraud, security, or technical issues; and to protect the rights, property, or safety of Aellē, our clients, our users, or the public.

6.5 Business transitions

In connection with a merger, acquisition, financing, reorganization, bankruptcy, receivership, or sale of all or a portion of our assets, subject to standard confidentiality protections and post-transition notice.

6.6 Affiliates

Within Aellē’s corporate family, where applicable, for the purposes described in this policy.

7. Web Tracking Technologies, Cookies, Pixels, and SDKs

This section is provided in light of the December 2022 Bulletin (revised March 2024) issued by the U.S. Department of Health and Human Services Office for Civil Rights regarding the use of online tracking technologies by HIPAA-regulated entities and their business associates, and in light of Federal Trade Commission enforcement actions against operators in the digital health advertising space.

7.1 Cookies

We and our service providers use first-party and third-party cookies and similar technologies (collectively, “Cookies”) to operate our website, remember preferences, measure performance, and inform advertising. Cookies fall into the following categories:

  • Strictly necessary Cookies — required for the website to function and cannot be disabled.
  • Performance and analytics Cookies — measure how visitors use our website. Set by Aellē and by Google Analytics, Microsoft Clarity, or similar providers.
  • Functional Cookies — remember choices you make to improve your experience.
  • Advertising and targeting Cookies — set by us and by advertising platforms (Google, Meta, Microsoft, TikTok, Amazon, LinkedIn) to deliver relevant advertising and measure campaign performance.

7.2 Pixels and tags

Our website and certain client landing pages we operate use pixels and tags from advertising platforms — including the Meta Pixel, Google Ads tag, Microsoft UET tag, TikTok Pixel, LinkedIn Insight Tag, and similar — to measure conversion events and inform advertising. On websites and landing pages where the purpose, content, or audience may identify a visitor as seeking behavioral health treatment, we restrict pixel deployment in accordance with HHS OCR guidance and the policies of the relevant Covered Entity client. Where Aellē serves as a Business Associate, configuration of tracking technologies follows the terms of the applicable Business Associate Agreement.

7.3 Server-side conversion APIs

To reduce the volume of personal information transmitted to advertising platforms via the browser, Aellē commonly uses server-side conversion APIs (including the Meta Conversions API, Google Ads Enhanced Conversions, Microsoft Offline Conversions, and TikTok Events API) with hashed, non-identifying signals. We do not transmit Protected Health Information through these APIs.

7.4 Software development kits and call tracking

Aellē uses call tracking and intake automation services that may record metadata and, with appropriate notice and consent, the contents of inbound calls or SMS messages for the purpose of measuring campaign effectiveness, training, quality assurance, and compliance. Recording is performed only in accordance with applicable state and federal recording laws, including dual-consent jurisdictions, and only under the terms of the applicable Business Associate Agreement where PHI is involved.

7.5 Your choices

You can control Cookies through your browser settings; refuse non-essential Cookies through our cookie preferences interface (where available); and opt out of certain advertising Cookies through industry tools such as the Digital Advertising Alliance (optout.aboutads.info), the Network Advertising Initiative (optout.networkadvertising.org), and the European Interactive Digital Advertising Alliance (youronlinechoices.eu). We honor Global Privacy Control (“GPC”) signals where required by applicable law as a valid opt-out of the sale or sharing of Personal Information.

8. Health-Related Information, HIPAA, and 42 CFR Part 2

8.1 HIPAA Business Associate role

Where Aellē processes Protected Health Information (“PHI”) on behalf of a HIPAA-covered behavioral health program (a “Covered Entity”), Aellē acts as a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). Aellē executes a Business Associate Agreement (“BAA”) with each such Covered Entity client, which governs the permitted uses and disclosures of PHI, the safeguards in place, breach notification obligations, and termination requirements.

Aellē does not collect PHI through unsecured public-facing channels including the contact forms on aelle.io. Please do not transmit PHI to us by means of unsecured email, SMS, public forms, or social media.

8.2 42 CFR Part 2

Many of our clients operate substance use disorder treatment programs that are subject to the federal confidentiality regulations at 42 CFR Part 2 (“Part 2”). Where Aellē processes information identifying an individual as having been diagnosed with, treated for, or referred for a substance use disorder by a Part 2 program, that information is subject to the additional protections of Part 2. Aellē processes such information only in accordance with patient consent obtained by the Part 2 program and the terms of the applicable contract.

8.3 Consumer Health Data

Where Aellē processes “consumer health data” as that term is defined under the Washington My Health My Data Act (RCW 19.373), the Nevada Consumer Health Data Privacy Law (NRS 603A), or analogous state laws — including information that identifies a consumer’s physical or mental health status, condition, diagnosis, or treatment, and including information from which such status, condition, diagnosis, or treatment can reasonably be inferred — Aellē processes that data in accordance with the requirements of those laws, including authorization, valid authorization, and geofencing restrictions where applicable. See Section 11 for specific Washington My Health My Data Act rights.

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA:

9.1 Right to know

You have the right to request that we disclose the categories of Personal Information we collect, sell, or share about you; the categories of sources from which the information is collected; the business or commercial purpose for which we collect, sell, or share Personal Information; the categories of third parties with whom we share Personal Information; and the specific pieces of Personal Information we have collected about you.

9.2 Right to delete

You have the right to request that we delete Personal Information we have collected from you, subject to the exceptions in CCPA § 1798.105(d), including where retention is necessary to complete a transaction, detect security incidents, exercise free speech, comply with legal obligations, or for internal uses compatible with the context in which you provided the information.

9.3 Right to correct

You have the right to request correction of inaccurate Personal Information.

9.4 Right to opt out of sale or sharing

Aellē does not sell Personal Information for monetary consideration. To the extent any disclosure constitutes “sharing” for cross-context behavioral advertising, you may opt out by sending your request to [email protected], by enabling Global Privacy Control in your browser, or by following the opt-out instructions provided through advertising-industry tools.

9.5 Right to limit use of Sensitive Personal Information

Aellē does not use Sensitive Personal Information for purposes beyond those permitted under CCPA § 1798.121(a).

9.6 Right to non-discrimination

We will not discriminate against you for exercising any of your privacy rights, including by denying services, charging different prices, providing a different level or quality of services, or suggesting that you will receive different prices or service quality.

9.7 Authorized agents

You may designate an authorized agent to submit requests on your behalf. The agent must provide written, signed permission, and we may require you to verify your identity directly with us or to confirm to us that you provided the agent with permission.

9.8 Exercising your rights

To exercise these rights, contact us at [email protected] or by mail at the address in Section 19. We will verify your identity using reasonable methods consistent with the sensitivity of the request. We will respond within 45 days, extendable once by an additional 45 days where reasonably necessary. There is no fee for exercising your rights unless a request is manifestly unfounded or excessive.

10. Other US State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), Florida (FDBR), Washington (WPA where applicable, and the My Health My Data Act), New Hampshire (NHPA), New Jersey (NJDPA), Maryland (MODPA), Kentucky (KCDPA), Rhode Island (RIDTPPA), Minnesota (MNCDPA), Delaware (DPDPA), and Nebraska (NDPA) may have additional privacy rights under their respective state laws, including:

  • Right to confirm processing and access Personal Information.
  • Right to delete Personal Information.
  • Right to correct inaccuracies.
  • Right to data portability.
  • Right to opt out of targeted advertising, sale of Personal Information, and certain profiling activities.
  • Right to appeal a denial of a privacy request, where applicable.

To exercise these rights, contact us at [email protected]. We will verify your identity and respond within the timeframes required by your state’s law (generally 45 days). If we deny your request, you may appeal by replying to our response or contacting [email protected] with the subject line “Appeal.”

11. Washington My Health My Data Act

If you are a Washington resident, or if Personal Information is collected from you while you are in Washington, the My Health My Data Act (RCW 19.373) provides you with the following rights with respect to “consumer health data”:

  • The right to confirm whether Aellē is collecting, sharing, or selling your consumer health data, and to access such data.
  • The right to have your consumer health data deleted.
  • The right to withdraw consent from collection and sharing of consumer health data.

To exercise these rights, contact us at [email protected] with the subject line “Washington My Health My Data Request.” The MHMD Act provides a private right of action under Washington’s Consumer Protection Act. Aellē does not sell consumer health data. Aellē does not use geofencing around any in-person healthcare facility for the purpose of identifying, tracking, collecting data from, or sending notifications to consumers regarding their consumer health data or healthcare services.

12. Data Retention

We retain Personal Information for the period reasonably necessary to fulfill the purposes for which it was collected and to satisfy our legal obligations:

  • Inquiry and contact form submissions: 24 months from the most recent contact.
  • Active client engagement records: for the duration of the engagement and 7 years thereafter for tax, accounting, and legal-defense purposes.
  • Marketing communications data: until you unsubscribe or for 24 months from the most recent engagement, whichever is sooner.
  • Website analytics data: 14 to 26 months depending on the analytics platform.
  • Advertising platform conversion data: as governed by the retention practices of the respective platform.
  • Protected Health Information: retained only for the period and purposes set forth in the applicable Business Associate Agreement.
  • Records subject to legal hold: retained for the duration of the hold.

13. Information Security

Aellē maintains administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, and destruction. These include access controls and role-based permissions; encryption of Personal Information in transit using TLS 1.2 or higher; encryption of Personal Information at rest where stored on our systems; logging and monitoring of access to Personal Information; vendor security assessments; and a written information security program reasonably designed to meet the requirements of the HIPAA Security Rule where applicable. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

In the event of a Security Breach affecting Personal Information, we will notify affected individuals and applicable regulators as required by applicable law, including the HIPAA Breach Notification Rule (where PHI is involved), state breach notification statutes, and the FTC Health Breach Notification Rule (where applicable).

14. Children’s Privacy

Our website and services are directed to adults engaged in the operation, administration, or financing of behavioral health programs. We do not knowingly collect Personal Information directly from children under 13 through our website. If we become aware that we have collected Personal Information from a child under 13 without verifiable parental consent, we will take steps to delete it.

Many of our behavioral health program clients serve adolescent populations. Where Aellē processes data of a minor on behalf of a Covered Entity client, that processing is governed by the Business Associate Agreement and is conducted in accordance with HIPAA, COPPA where applicable, and any state-specific protections for minors’ health information. Aellē does not direct advertising to minors and does not knowingly collect identifiers of minors for advertising purposes.

15. Email, SMS, and TCPA

By providing your email address or phone number through our website or in the course of an engagement, you consent to receive transactional and service-related communications from Aellē. Marketing communications are sent only with your express consent, and you may opt out at any time by following the unsubscribe instructions in each message, replying STOP to text messages, or contacting [email protected].

Where Aellē operates intake automation or SMS messaging on behalf of a behavioral health program client, those communications are sent by or under the authority of the client and are subject to the client’s consent records under the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227, and analogous state laws.

16. Do Not Track and Global Privacy Control

We honor Global Privacy Control (“GPC”) signals as a valid opt-out of the sale or sharing of Personal Information for residents of jurisdictions whose laws require recognition of universal opt-out signals. We do not currently respond to traditional browser-based Do Not Track signals because no industry standard for such signals has been finalized.

17. International Users and Cross-Border Data Transfers

Aellē is established in the United States, and our servers and service providers are located primarily in the United States. If you access our website or services from outside the United States, you understand that your information will be transferred to, processed in, and stored in the United States, which may have data protection laws that differ from those of your jurisdiction. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (or, where applicable, the EU-U.S. Data Privacy Framework) as a lawful transfer mechanism, supplemented by appropriate technical and organizational measures.

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Effective date” at the top of this policy. Material changes will be communicated by prominent notice on our website and, where required by law, by direct notice. Continued use of our website or services after the effective date of an update constitutes acceptance of the updated policy.

19. Contact and Privacy Requests

To submit a privacy request, exercise your rights, or contact our Privacy Office, use one of the following:

Email: [email protected]

Mail: Aellē LLC, Attn: Privacy Office, 2121 Avenue of the Stars, Suite 800, Century City, CA 90067

Phone: +1 (424) 281-9495