Privacy Policy
Effective date: [18/09/2025]
PostParty respects your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit yourpostparty.com (the “Site”) and/or use our services. Please read this policy carefully. If you do not agree with the terms, please do not use the Site or our services.
1. Information We Collect
A. Information you provide directly
- Contact information: name, email address, phone number, postal address.
- Account data: username, password (securely stored), profile preferences.
- Booking and service intake data: appointment details, preferences, referral source.
- Health and sensitive information: postpartum notes, lactation or medical history, medications, dietary restrictions — when voluntarily provided in intake forms, communications, or clinician notes.
- Communications: messages, support requests, survey responses, reviews.
- Marketing preferences: opt-ins/opt-outs for newsletters and promotional communications.
B. Information collected automatically
- Log and device data: IP address, device identifiers, browser type and version, operating system, pages viewed, referral URL, time and date of visits, clickstream and session information.
- Cookies and similar technologies: persistent and session cookies, local storage, web beacons, tracking pixels for analytics, functionality, and (where applicable) advertising.
- Analytics identifiers used by third-party analytics services.
C. Information from third parties
- Social login info (if you sign in via third-party providers such as Google or Facebook), according to your permissions.
- Referral, advertising, and partner data (for example, if you register through a partner or are referred).
- Publicly available information (where applicable).
2. How We Use Your Information (Purposes)
We use Personal Information for the following purposes:
- To provide and manage the Services: processing bookings, managing appointments, delivering services you requested, and processing payments.
- To communicate with you: confirmations, appointment reminders, support responses, and transactional messages.
- To personalize and improve the Site and Services: product/service recommendations, content personalization, and UX improvements.
- For analytics and business insights: measuring, analyzing, and optimizing our Services and marketing.
- For marketing and promotions: sending newsletters and promotional offers where you have given consent. You may opt out at any time.
- For security, fraud prevention, and legal compliance: detecting fraud or abuse, enforcing our Terms, responding to legal requests, and protecting rights and safety.
- For business operations: accounting, auditing, internal reporting, and recordkeeping.
3. Legal Bases & Legitimate Interests
While U.S. law does not use GDPR-style legal bases, we rely on the following practical justifications:
- Contract performance: to fulfill orders, bookings, and contracts you request.
- Consent: for marketing and other optional processing; consent may be withdrawn.
- Legitimate interests: for security, fraud prevention, and improving our services (balanced against privacy interests).
- Legal obligation: to comply with courts, government orders, tax laws, and other legal duties.
4. Sharing & Disclosure
We may share Personal Information in the following circumstances:
- Service Providers / Vendors. We share data with third parties who perform services on our behalf (hosting, payment processors, email delivery, analytics, CRM). These providers are authorized to use Personal Information only as necessary to provide services to PostParty.
- Healthcare partners / consultants. With your explicit consent (or where permitted by law), we may share health-related information with clinicians, lactation consultants, or other care providers to deliver coordinated services. If HIPAA applies, BAAs will be used (see the HIPAA note in Section 5).
- Legal and safety reasons. To comply with laws or court orders, or to respond to lawful requests from public authorities; to protect the rights, property, or safety of PostParty, our users, or the public.
- Business transfers. In connection with a merger, acquisition, reorganization, asset sale, or financing — in which case Personal Information may be transferred to the acquiring entity. We will use reasonable efforts to notify users.
- With your consent. When you authorize sharing for a specific purpose (e.g., sharing your intake with a family member or external specialist).
We require service providers to maintain confidentiality and use reasonable security measures.
5. Sensitive Data & Health Information
If you voluntarily provide health or other sensitive information (e.g., postpartum recovery details), we treat it as Sensitive Personal Data and apply additional safeguards:
- Access to sensitive data is restricted to authorized personnel on a need-to-know basis.
- Data minimization: we ask only for information necessary to provide the requested service.
- Consent: where required, we obtain explicit consent for collection and sharing of health information.
- Retention and deletion: sensitive data is retained only as long as necessary and deleted or de-identified thereafter, subject to legal retention requirements.
HIPAA note: If PostParty acts as a Business Associate or Covered Entity under HIPAA (for example, when providing services on behalf of a HIPAA-covered provider), we will enter into Business Associate Agreements (BAAs) with covered entities and implement HIPAA-required safeguards for electronic protected health information (ePHI). If you believe your information is PHI and expect HIPAA protections, contact us immediately so we can confirm and implement the appropriate safeguards and agreements.
6. Cookies, Tracking & Advertising
- We use cookies, pixel tags, and similar technologies to provide site functionality, maintain sessions, remember preferences, and collect analytics.
- Third-party analytics and advertising partners may set cookies and collect information independently under their own privacy policies. We do not control third-party cookies.
- You can manage or disable cookies through your browser settings; however, disabling certain cookies may degrade site functionality.
7. Security & Data Safeguards
We implement administrative, technical, and physical safeguards designed to protect Personal Information consistent with industry standards and the New York SHIELD Act’s “reasonable safeguards” requirement. Examples of our safeguards include:
Administrative safeguards
- Written information security policies and a designated security officer.
- Employee privacy and security training; role-based access controls.
- Vendor risk assessments and contractual security requirements.
Technical safeguards
- Encryption in transit (TLS/HTTPS) and encryption at rest where appropriate.
- Multi-factor authentication (MFA) for administrative user access.
- Firewalls, intrusion detection, security logging, and monitoring.
- Regular vulnerability scanning, penetration testing, and patch management.
Physical safeguards
- Secure server facilities for any on-premise infrastructure; secure disposal of physical records and devices.
Despite our safeguards, no system is completely secure. If you suspect misuse of your data, notify us immediately (contact details in Section 12).
8. Data Breach / Incident Response
What we do if a breach occurs. We maintain an incident response plan to investigate and remediate security incidents. In the event of an unauthorized acquisition of personal data:
- We will promptly (and in any case as required by law) investigate the incident and take steps to contain and remediate the breach.
- New York residents: consistent with New York law, we will provide notification to affected New York residents and any required regulators. We will include information about the incident, the types of information affected, steps we are taking, and recommended steps you can take to protect yourself. If required by law, we will also file required reports with the New York Attorney General or other regulators.
- Notification timelines and content will follow applicable statutes and regulatory guidance. We will coordinate with law enforcement as appropriate.
9. Your Rights & Choices
Depending on your jurisdiction and applicable law, you may have rights, including:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion: request deletion of your data, subject to legal exceptions (e.g., retention for tax or fraud prevention).
- Opt-out: opt out of marketing communications at any time via unsubscribe links or by contacting us.
- Restrict / object: request restriction of certain processing activities.
- Withdraw consent: for processing based on consent.
To exercise these rights, contact us using the information in Section 12. We will verify the identity of requestors before fulfilling requests and will respond within the timeframes required by applicable law.
10. International Transfers
Personal Information may be processed in the United States and in other countries where our service providers operate. If we transfer Personal Information outside your jurisdiction, we will take reasonable measures to ensure that appropriate protections are in place (contractual safeguards, vendor controls) consistent with this Policy and applicable law.
11. Third-Party Websites & Links
The Site may contain links to third-party websites, widgets, or services. We do not control and are not responsible for third-party privacy practices. We encourage you to read their privacy policies before providing Personal Information.
