Privacy Policy

Pointer Marketing and Data Solutions

Effective Date: 01/01/2026
Last Updated: 01/31/2026

Pointer Marketing and Data Solutions ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you visit our website or use our services.

By accessing our website or using our services, you agree to the practices described in this Privacy Policy.


1. COMPANY INFORMATION

Company Name: Pointer Marketing and Data Solutions

Website: www.pointermarketinganddatasolutions.com

Email: [email protected]

Physical Address: 1215 W Fultz St, Wichita, KS 67217

Phone: 316-366-0641

Services: AI voice agents, AI chatbots, marketing automation, and related digital marketing services for local businesses, including healthcare providers such as chiropractic practices


2. SCOPE OF THIS PRIVACY POLICY

This Privacy Policy applies to:

  • Visitors to our website

  • Our business clients

  • Customers and end users of our clients who interact with AI voice agents, chatbots, or automated communications we manage on behalf of our clients

We act as:

  • A Data Controller for information collected directly from our website and clients

  • A Data Processor for data processed on behalf of our clients

  • A Business Associate under HIPAA when providing services to healthcare providers (including chiropractic practices)


3. INFORMATION WE COLLECT

A. Information We Collect From Our Clients

  • Name and business name

  • Email address

  • Phone number

  • Billing and payment details

  • Business information and service preferences

  • Login and account-related information

B. Information We Collect From Our Clients' Customers

When end users interact with AI systems we deploy for our clients, we may collect:

  • Names

  • Phone numbers

  • Email addresses

  • Call recordings

  • Call transcripts

  • Chat messages and chatbot transcripts

  • Appointment and service request details

  • Protected Health Information (PHI) when providing services to HIPAA-covered entities (see Section 21)

C. Automatically Collected Information

  • IP address

  • Browser type and device information

  • Pages visited and usage behavior

  • Cookies and tracking technologies


4. HOW WE USE INFORMATION

We use personal information to:

  • Provide, operate, and maintain our services

  • Deploy and manage AI voice agents and chatbots

  • Process calls, messages, and conversations

  • Improve AI performance and automation workflows

  • Process payments and manage subscriptions

  • Communicate with clients about services and support

  • Analyze website and campaign performance

  • Comply with legal and regulatory obligations

For HIPAA-Covered Clients: We use and disclose PHI only as permitted by our Business Associate Agreement (BAA) and HIPAA regulations.


5. AI-SPECIFIC DATA USAGE AND TRAINING

  • AI systems may process call recordings, transcripts, and chat messages to generate responses.

  • We do not use Client or customer data to train public or generalized AI models unless explicitly authorized.

  • We do not use PHI to train AI models under any circumstances.

  • AI outputs are generated probabilistically and may not always be accurate.

  • Clients are responsible for ensuring lawful consent for AI interactions.

  • We may use anonymized or aggregated data for internal service improvements, provided such data is fully de-identified in accordance with HIPAA standards when derived from PHI.


6. CALL RECORDINGS AND TRANSCRIPTS

  • Calls may be recorded for quality assurance, automation, and service delivery.

  • Transcripts may be generated using AI transcription services.

  • Clients are responsible for complying with call recording and consent laws.

  • We are not responsible for unlawful recordings initiated by clients.

  • Recordings and transcripts are retained only as long as necessary for service delivery or legal compliance.

  • For healthcare clients: Call recordings containing PHI are encrypted, access-controlled, and retained according to HIPAA requirements and our Business Associate Agreement.


7. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and analytics tools, including Google Analytics, to:

  • Understand website usage

  • Improve performance and user experience

  • Track marketing effectiveness

You may disable cookies through your browser settings. Disabling cookies may limit functionality.

Note: Cookies and tracking technologies on our website do not collect or process PHI.


8. THIRD-PARTY SERVICES AND DATA SHARING

We share data only as necessary to deliver services, including with:

  • GoHighLevel (CRM, automation, messaging)

  • Twilio (voice and SMS delivery)

  • OpenAI (AI processing and response generation)

  • Google Analytics (website analytics)

  • Stripe (payment processing)

  • AWS and/or Google Cloud (data storage and hosting)

These providers process data under their own privacy policies and security standards.

For HIPAA-Covered Clients:

  • We only share PHI with third-party service providers (subcontractors) who have signed HIPAA-compliant Business Associate Agreements.

  • All subcontractors are required to implement appropriate safeguards to protect PHI.

  • A list of current subcontractors who may access PHI is available upon request.

8a. Mobile Information Sharing

We respect your privacy and are committed to protecting your mobile information. No mobile information will be shared, sold, rented, or disclosed to third parties or affiliates for marketing, promotional, or advertising purposes.

All phone numbers, SMS consent records, and related mobile data collected by us are used solely for the purpose of providing our services, responding to inquiries, and delivering messages that users have explicitly opted in to receive.

Text messaging originator opt-in data and consent will not be shared with any third parties, except as required to deliver the messaging service (e.g., telecommunications providers) or as required by law.

SMS opt-in consent is obtained through opt-in forms found at https://pointermarketinganddatasolutions.com. Consent is provided only for messaging from Pointer Marketing and Data Solutions and is not transferred to third parties.


9. PAYMENT INFORMATION

We do not store full payment card details. Payments are processed securely through a third-party processor, Stripe. We only retain transaction metadata necessary for accounting and compliance.


10. DATA RETENTION

We retain personal data only as long as necessary to:

  • Provide services

  • Meet contractual obligations

  • Comply with legal and regulatory requirements

Data may be deleted or anonymized upon service termination unless retention is legally required.

For HIPAA-Covered Clients:

  • PHI is retained for a minimum of six (6) years from the date of creation or the date when it last was in effect, whichever is later, or as otherwise required by applicable state law.

  • Upon termination of services, we will return or destroy PHI as directed by the covered entity, except where retention is required by law.


11. DATA SECURITY MEASURES

We use commercially reasonable safeguards, including:

  • Secure hosting environments

  • Access controls and authentication

  • Encryption where appropriate

  • Limited internal access to sensitive data

For HIPAA-Covered Clients, we implement additional security measures including:

  • Administrative Safeguards:

    • Designated Privacy and Security Officers

    • Workforce training on HIPAA compliance

    • Written policies and procedures

    • Risk assessment and management processes

    • Business Associate Agreements with all subcontractors

  • Physical Safeguards:

    • Secure facility access controls

    • Workstation and device security policies

    • Secure disposal procedures for PHI

  • Technical Safeguards:

    • Encryption of PHI in transit and at rest

    • Unique user authentication and access controls

    • Audit controls and activity logging

    • Automatic logoff mechanisms

    • Data backup and disaster recovery procedures

No system is 100% secure, and we cannot guarantee absolute security. However, we maintain safeguards that meet or exceed HIPAA Security Rule requirements.


12. USER RIGHTS (GDPR & CCPA)

Depending on your location, you may have the right to:

  • Access your personal data

  • Correct inaccurate data

  • Request deletion of data

  • Restrict or object to processing

  • Request data portability

  • Opt out of data sale or sharing (we do not sell personal data)

Requests may be submitted to: [email protected]

We will respond within legally required timeframes.

Note for Healthcare Clients: Rights regarding PHI are governed by HIPAA and managed through the covered entity (your healthcare provider). Please contact your healthcare provider directly for PHI-related requests.


13. OPT-OUT PROCEDURES

You may opt out of:

  • Marketing emails by using unsubscribe links

  • SMS messages by replying "STOP"

  • Certain cookies via browser settings

Clients control opt-out handling for their own customers.

Important: Appointment reminders and service-related communications containing PHI are not subject to marketing opt-out provisions, as they are necessary for treatment, payment, or healthcare operations.


14. MARKETING COMMUNICATIONS

We may send service-related or promotional communications. You may opt out of marketing communications at any time. Transactional or service-related messages may still be sent.

For Healthcare Clients: We do not use PHI for marketing purposes without proper authorization as required by HIPAA.


15. CHILDREN'S PRIVACY

Our services are not intended for children under 18. We do not knowingly collect personal data from minors. If we become aware of such data, we will delete it promptly.

Exception: PHI of minor patients may be processed when providing services to healthcare providers in accordance with HIPAA and applicable state laws regarding parental consent and minors' healthcare rights.


16. INTERNATIONAL DATA TRANSFERS

Data may be processed or stored in the United States or other countries. When required, we use appropriate safeguards such as contractual protections to support lawful international data transfers.

For HIPAA-Covered Clients: PHI is stored and processed within the United States in HIPAA-compliant data centers. International transfers of PHI require explicit authorization and appropriate safeguards.


17. DATA BREACH NOTIFICATION

In the event of a data breach affecting personal data:

  • We will investigate promptly.

  • We will notify affected clients or users as required by law.

  • Notifications will include information on the nature of the breach and recommended actions.

For HIPAA-Covered Clients - Breach of Unsecured PHI:

In accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), we will:

  • Discover and Assess: Investigate any suspected breach or security incident involving PHI within one (1) business day of discovery.

  • Notify Covered Entity: Notify the covered entity (healthcare provider) of any breach of unsecured PHI without unreasonable delay and no later than sixty (60) days from discovery of the breach.

  • Provide Required Information:

    • Identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed

    • A brief description of what happened, including the date of the breach and the date of discovery

    • A description of the types of PHI involved

    • Steps individuals should take to protect themselves

    • What we are doing to investigate, mitigate harm, and prevent further breaches

    • Contact information for individuals to ask questions

  • Cooperation: Fully cooperate with the covered entity in meeting their breach notification obligations to affected individuals, the Secretary of Health and Human Services (HHS), and when required, the media.

  • Documentation: Maintain documentation of all breaches, security incidents, and risk assessments for at least six (6) years.

Notification Timelines:

  • To Covered Entity: Within 60 days of breach discovery

  • The covered entity is responsible for notifying affected individuals within 60 days of discovering the breach

  • For breaches affecting 500+ individuals, notification to HHS and media may be required


18. CLIENT RESPONSIBILITIES

Clients are responsible for:

  • Obtaining lawful consent from their customers

  • Providing required disclosures

  • Complying with privacy, marketing, and communication laws

  • Managing customer data requests related to their campaigns

Additional Responsibilities for Healthcare Clients:

  • Executing a Business Associate Agreement (BAA) before any PHI is shared

  • Ensuring they have proper authorizations to disclose PHI to us

  • Providing notice to patients about our role as a Business Associate

  • Determining permissible uses and disclosures of PHI

  • Responding to patient requests regarding their PHI (access, amendment, accounting of disclosures)

  • Ensuring compliance with HIPAA Privacy and Security Rules

  • Notifying us of any limitations on their own Notice of Privacy Practices that may affect our use or disclosure of PHI


19. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. Updates will be posted on our website with a revised "Last Updated" date. Continued use of our services constitutes acceptance of the updated policy.

For HIPAA-Covered Clients: Material changes affecting the use or disclosure of PHI will be communicated directly to covered entities and may require amendment of existing Business Associate Agreements.


20. CONTACT US

If you have questions or requests regarding this Privacy Policy, contact:

Pointer Marketing and Data Solutions
Email: [email protected]
Physical Address: 1215 W Fultz St, Wichita, KS 67217
Phone: 316-366-0641

Privacy Officer: Jonah Wagner
Security Officer: Jonah Wagner


21. HIPAA COMPLIANCE FOR HEALTHCARE CLIENTS

A. Business Associate Status

When we provide services to healthcare providers, including chiropractic practices, that involve the use or disclosure of Protected Health Information (PHI), we act as a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA).

B. Business Associate Agreement (BAA) Requirement

Before providing services that involve PHI, we execute a Business Associate Agreement with each covered entity client. This agreement:

  • Defines permitted uses and disclosures of PHI

  • Establishes safeguarding obligations

  • Requires compliance with HIPAA Privacy and Security Rules

  • Sets forth breach notification procedures

  • Addresses subcontractor requirements

  • Defines termination conditions and PHI disposition

C. What is Protected Health Information (PHI)?

PHI includes individually identifiable health information transmitted or maintained in any form or medium that:

  • Relates to an individual's past, present, or future physical or mental health condition

  • Relates to the provision of healthcare to an individual

  • Relates to past, present, or future payment for healthcare

  • Identifies the individual or could reasonably be used to identify the individual

Examples in chiropractic practice context:

  • Patient names combined with appointment details

  • Call recordings discussing symptoms, treatments, or health conditions

  • Chat transcripts requesting appointments for specific health issues

  • Payment information linked to specific treatments

  • Any identifiable health-related communications

D. Permitted Uses and Disclosures

We use and disclose PHI only as:

  • Permitted by our Business Associate Agreement with the covered entity

  • Required by law

  • Authorized by the patient through a valid HIPAA authorization

We do NOT:

  • Sell PHI

  • Use PHI for marketing without authorization

  • Use PHI for purposes unrelated to our services

  • Disclose PHI to unauthorized parties

E. Minimum Necessary Standard

We limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, except where otherwise required or permitted by HIPAA.

F. Individual Rights Regarding PHI

Individuals have rights under HIPAA regarding their PHI. As a Business Associate, we:

  • Access: Will provide PHI to the covered entity within 30 days to fulfill individual access requests

  • Amendment: Will incorporate amendments to PHI as directed by the covered entity

  • Accounting of Disclosures: Will provide information needed for accounting of disclosures within 30 days of request

  • Restriction Requests: Will comply with agreed-upon restrictions as communicated by the covered entity

Note: Individuals should direct these requests to their healthcare provider (the covered entity), not directly to us.

G. Subcontractors and HIPAA Compliance

Any subcontractor that creates, receives, maintains, or transmits PHI on our behalf must:

  • Sign a HIPAA-compliant Business Associate Agreement

  • Implement appropriate administrative, physical, and technical safeguards

  • Report any security incidents or breaches

  • Comply with all applicable HIPAA requirements

Current HIPAA-Compliant Subcontractors include:

  • GoHighLevel (BAA executed)

  • Twilio (BAA executed)

  • AWS/Google Cloud (BAA executed)

(Complete list available upon request)

H. Security Incident and Breach Response

Security Incidents:

  • We maintain systems to detect, respond to, and report security incidents

  • We document all security incidents and assess for potential PHI breaches

  • We report successful unauthorized access, use, or disclosure of PHI to covered entities

Breach Response Process:

  1. Detection: Immediate investigation upon discovering a potential breach

  2. Assessment: Risk assessment within 24-48 hours

  3. Notification: Covered entity notified within 60 days (typically much sooner)

  4. Mitigation: Immediate steps to mitigate harm and prevent recurrence

  5. Documentation: Complete documentation maintained for 6+ years

I. Training and Workforce Compliance

  • All workforce members with access to PHI receive HIPAA training

  • Training occurs upon hire and annually thereafter

  • Access to PHI is granted only on a need-to-know basis

  • Workforce members sign confidentiality agreements

  • Violations result in disciplinary action up to and including termination

J. Audit Controls and Monitoring

We maintain systems that:

  • Log access to PHI

  • Record user activity

  • Monitor for unauthorized access attempts

  • Generate reports for security audits

  • Retain audit logs for at least 6 years

K. Termination and PHI Return/Destruction

Upon termination of services or BAA:

  • We will return or destroy all PHI in our possession as directed by the covered entity

  • If return or destruction is infeasible, we will extend protections and limit further use

  • We will obtain similar assurances from subcontractors

  • We will provide written certification of destruction if requested

L. HIPAA Compliance Attestation

Pointer Marketing and Data Solutions attests that:

✓ We maintain comprehensive HIPAA compliance policies and procedures
✓ We conduct regular risk assessments
✓ We implement appropriate safeguards for PHI
✓ We train our workforce on HIPAA requirements
✓ We execute Business Associate Agreements before handling PHI
✓ We maintain required documentation and audit trails
✓ We have incident response and breach notification procedures
✓ We cooperate fully with covered entities' compliance obligations

M. Questions About HIPAA Compliance

For questions about our HIPAA compliance program, Business Associate Agreements, or PHI handling:

Contact: Jonah Wagner, Privacy & Security Officer
Email: [email protected]
Phone: 316-366-0641


END OF PRIVACY POLICY

By using our services, you acknowledge that you have read and understood this Privacy Policy. For healthcare providers, a separate Business Associate Agreement must be executed before any PHI is shared or processed.