
Tendly — Notice of Privacy Practices

Effective date: April 13, 2026

Last reviewed: April 13, 2026


This Notice describes how Tendly handles Protected Health Information as a Business Associate under HIPAA. It is separate from and supplements the Tendly Privacy Policy. If you are a practitioner using the Tendly App, both documents apply to you.


1. Who This Notice Applies To

This Notice of Privacy Practices ("Notice") is published by The Price Group Holdings LLC, doing business as Tendly ("Tendly"). It describes how Tendly, acting as a HIPAA Business Associate, handles Protected Health Information ("PHI") that practitioners store, transmit, and process through the Tendly application.

Tendly is a Business Associate — not a Covered Entity. Tendly provides practice management software to healthcare providers, therapists, coaches, and other wellness practitioners ("practitioners"). Practitioners are the Covered Entities (or work for Covered Entities) under HIPAA. Tendly processes PHI on their behalf pursuant to a Business Associate Agreement ("BAA").

This Notice is provided for transparency. Your practitioner clients' rights with respect to their PHI are governed by your own Notice of Privacy Practices, which you as a practitioner are required to provide to your clients.

Contact for all HIPAA and privacy matters:

Email: privacy@tendly.health


2. What Is Protected Health Information

PHI is individually identifiable health information that relates to:

  • An individual's past, present, or future physical or mental health condition
  • The provision of healthcare to an individual
  • Past, present, or future payment for the provision of healthcare

Within the Tendly App, PHI includes but is not limited to: client names, dates of birth, contact information, diagnoses, session notes, treatment plans, progress notes, assessments, medications, insurance information, and clinical correspondence.


3. How Tendly Uses and Discloses PHI

As a Business Associate, Tendly uses and discloses PHI only as permitted or required by the BAA and applicable law. Tendly does not use or disclose PHI in a manner that would violate HIPAA if done by the practitioner directly.

3.1 Permitted uses and disclosures

Tendly uses and discloses PHI only for the following purposes:

Providing contracted services to practitioners:

  • Storing client records, session notes, treatment plans, and clinical documentation
  • Enabling telehealth sessions via Daily.co (HIPAA-compliant video)
  • Processing insurance claims via Claim.MD where the practitioner has enabled insurance billing
  • Generating AI-assisted session notes via OpenAI where the practitioner has enabled this feature
  • Sending appointment reminders and secure messages via Twilio and Resend
  • Displaying PHI within the practitioner's dashboard, client portal, and reporting features

For Tendly's own operations as a Business Associate:

  • Managing and administering the BAA
  • Legal and compliance activities including responding to regulatory inquiries
  • De-identifying PHI for analytics or quality improvement purposes where applicable HIPAA de-identification standards are met

As required by law:

  • Responding to lawful orders, subpoenas, or government requests
  • Reporting as required under applicable public health laws

3.2 Disclosures to subprocessors

Tendly discloses PHI to the following subprocessors, each of which has signed a BAA with Tendly:

| Subprocessor | Nature of disclosure |
|---|---|
| Supabase | Database storage — all PHI stored in the App resides in Supabase infrastructure |
| Vercel | Application hosting — PHI transits through Vercel's infrastructure when accessed |
| Daily.co | Telehealth video — video session content for practitioners using built-in telehealth |
| OpenAI | AI note generation — session audio or text descriptions submitted by practitioner for note drafting; not retained or used for training |
| Twilio | SMS reminders — client phone numbers and appointment details for notification delivery |
| Resend | Email delivery — client email addresses and appointment details for transactional emails |
| Claim.MD | Insurance billing — claim data and clinical information for claim submission and ERA processing for practitioners using the insurance billing add-on |

Tendly does not disclose PHI to any subprocessor not listed above without updating this Notice and, where required, obtaining appropriate authorisations.

3.3 Uses and disclosures Tendly will not make

  • Tendly will not sell PHI
  • Tendly will not use PHI for marketing purposes
  • Tendly will not use PHI to train AI models (Tendly's or any third party's)
  • Tendly will not disclose PHI to third parties for their independent use without a valid BAA and authorisation from the practitioner
  • Tendly will not use PHI for any purpose not specified in the BAA or this Notice

4. Safeguards Tendly Maintains

Tendly maintains administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI in accordance with the HIPAA Security Rule:

Administrative safeguards:

  • Formal security management policies and procedures
  • Workforce training on HIPAA requirements and data handling
  • Risk analysis conducted and documented
  • Designated security and compliance function within the organisation

Physical safeguards:

  • All PHI stored in cloud infrastructure with physical security controls managed by Supabase
  • No PHI stored on local or personal devices without encryption

Technical safeguards:

  • AES-256 encryption of all PHI at rest
  • TLS 1.2 or higher encryption of all PHI in transit
  • Role-based access control restricting access to PHI to authorised personnel only
  • Unique user identification for all accounts
  • Automatic session timeout after a period of inactivity
  • Immutable audit logs recording all access to PHI with timestamps, user identity, and IP address, retained for a minimum of 6 years
  • Multi-factor authentication available and recommended for all practitioner accounts
  • Emergency access procedures documented and tested
  • Regular vulnerability assessments and penetration testing

5. Breach Notification

In the event of a breach of unsecured PHI involving data entrusted to Tendly, we will:

  1. Notify the affected practitioner(s) without unreasonable delay and no later than 60 days following discovery of the breach
  2. Provide the following information in our notification:
    – A brief description of what happened, including dates of the breach and discovery
    – A description of the types of PHI involved
    – Steps individuals should take to protect themselves from potential harm
    – Steps Tendly is taking to investigate, mitigate, and prevent future occurrences
    – Contact information for the affected practitioner to ask questions

Practitioners remain responsible for notifying their affected clients, the U.S. Department of Health and Human Services ("HHS"), and where applicable, prominent media outlets, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

Tendly will cooperate fully with any practitioner's breach response and investigation, and will provide all information in Tendly's possession reasonably necessary for the practitioner to fulfil their breach notification obligations.


6. Rights of Practitioners Under the BAA

The Business Associate Agreement you entered into with Tendly upon account creation includes the following terms relevant to PHI:

Access and amendment: Tendly will make PHI available to you as the practitioner in the manner described in the BAA to allow you to fulfil access and amendment requests from your clients.

Accounting of disclosures: Tendly will make available to you information about disclosures of PHI made by Tendly in a manner that allows you to respond to requests for an accounting of disclosures.

Minimum necessary: Tendly accesses and uses the minimum amount of PHI necessary to carry out its obligations under the BAA.

Return or destruction: Upon termination of the BAA (i.e. closure of your Tendly account), Tendly will destroy all PHI in its systems within 30 days, unless retention is required by law, in which case Tendly will maintain the protections described in this Notice for so long as it retains the PHI.

HHS access: Tendly will make its internal practices, books, and records available to HHS for purposes of determining compliance with HIPAA, as required by 45 CFR § 164.504(e)(2)(ii)(H).


7. Retention of PHI

PHI stored in the Tendly App is retained for the duration of the practitioner's active account. When an account is deleted or terminated:

  • Client records, session notes, clinical documentation, and all associated PHI are permanently deleted within 30 days
  • Audit logs required by HIPAA are retained for a minimum of 6 years from creation
  • Billing records may be retained for up to 7 years for tax and financial compliance purposes; such records are not PHI in the clinical sense but may contain limited identifiers

Practitioners may request deletion of specific client records at any time from within the App. Practitioners may request complete account deletion by contacting privacy@tendly.health.


8. Complaints

If you believe Tendly has violated your rights or the terms of the BAA with respect to PHI, you may:

  • Contact Tendly directly at privacy@tendly.health
  • File a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at hhs.gov/ocr/privacy/hipaa/complaints

Tendly will not retaliate against any practitioner for filing a complaint.


9. Changes to This Notice

Tendly reserves the right to change this Notice at any time. Changes will be effective immediately upon posting of the revised Notice, except that for material changes to how we handle PHI, we will provide at least 14 days' advance notice by email to affected practitioners.

The current version of this Notice is always available at app.tendly.health/legal/notice-of-privacy-practices and will reflect the effective date of the most recent revision.


10. Contact

For all questions, concerns, or requests relating to this Notice or to PHI handled by Tendly:

The Price Group Holdings LLC (DBA Tendly)

Email: privacy@tendly.health

We will respond to all enquiries within 30 days.


This Notice was last reviewed April 13, 2026.


© 2026 Tendly Health, Inc. All rights reserved.
