amplifyOMS

Privacy Policy

Effective date: Pending publication. Last updated: Pending publication.

Quick Summary

This Privacy Policy describes how amplifyOMS, Inc. ("amplifyOMS," "we," "us," or "our") collects, uses, and shares personal information when you visit our website at amplifyoms.com, request a demo, or use the amplifyOMS software platform as a customer.

In short: we collect personal information when you visit our website, request a demo, or use our platform as a customer. We use that information to operate the website, respond to inquiries, deliver the platform, and run the business. We share information with the third-party service providers that help us run the platform (listed below). We retain information for as long as we have a business reason to do so, and we delete customer data 30 days after account termination. We respect your rights under applicable privacy laws, including California's CCPA and similar state laws, and you can contact us to exercise those rights.

Protected Health Information (PHI) processed inside customer amplifyOMS instances is governed by the Business Associate Agreement that each customer signs during onboarding, not by this Privacy Policy.

If you have questions, contact us at privacy@amplifyoms.com.

1. Scope and Application

This Privacy Policy applies to the amplifyOMS website at amplifyoms.com, including all subpages, the demo request flow, and any other public-facing surface operated by amplifyOMS.

It also applies to the amplifyOMS software platform with respect to customer account information (billing details, primary contact information, administrative records), but it does not apply to PHI processed inside customer instances. PHI is governed separately by the Business Associate Agreement each customer executes during onboarding.

This Privacy Policy does not apply to third-party websites that may be linked from our website. We are not responsible for the privacy practices of third-party websites.

2. Information We Collect

We collect personal information through three primary channels.

2.1 Information You Provide Directly

When you fill out a demo request form, contact us, or otherwise communicate with us, we collect the information you provide, which typically includes your name, email address, phone number, practice name, practice location, and any details you share about your current systems or evaluation needs.

When you become a customer, we collect billing and contact information necessary to operate your account, including your name, business name, business address, billing contact, payment method information (processed through our payment processors; we do not directly store full card numbers), and the administrative information needed to provision and support your account.

2.2 Information Collected Automatically

When you visit amplifyoms.com, we collect technical information about your visit through standard web technologies. This includes your IP address, browser type and version, operating system, the pages you visit on our website, the time and duration of your visit, and the website that referred you to us (if any). We use this information to operate the website, understand how visitors use the site, and improve the user experience.

We use a limited set of cookies and similar tracking technologies. See Section 9 (Cookies and Tracking) for details.

2.3 Information From Third Parties

We may receive information about you from third parties in limited circumstances. For example, if you book a demo through a calendar tool, we receive the scheduling information through that tool. If you sign in through a third-party authentication provider in the future, we will receive the basic identity information that provider shares. We do not purchase marketing lists or supplement our records with third-party data.

3. How We Use Information

We use the information we collect for the following purposes.

  • To operate the website and platform, including delivering pages, processing demo requests, provisioning accounts, and providing the software services our customers pay for.
  • To communicate with you, including responding to your inquiries, sending administrative communications about your account, sending product updates and service-related notifications, and (where you have not opted out) sending occasional marketing communications.
  • To provide customer support, including diagnosing technical issues, responding to support requests, and improving the support experience.
  • To improve the website and platform, including analyzing usage patterns, testing new features, and optimizing performance.
  • To comply with legal obligations, including responding to subpoenas, court orders, and lawful regulatory requests.
  • To protect our legitimate business interests, including detecting and preventing fraud, applying our terms of service, and protecting the security of our website and platform.

We do not sell personal information. We do not share personal information with hearing aid manufacturers, marketing companies, or other third parties for their direct marketing purposes.

5. How We Share Information

We share personal information with the following categories of recipients.

5.1 Subprocessors

We use third-party service providers (subprocessors) to deliver the website and platform. Subprocessors process personal information on our behalf under contractual obligations to use the information only for the purposes we direct, to safeguard the information, and to comply with applicable law. Our current subprocessors are:

  • Amazon Web Services (AWS), for cloud hosting of the platform infrastructure and customer data.
  • Google Cloud, for cloud infrastructure services supporting specific platform functions.
  • Google Workspace, for internal email, document collaboration, and business productivity functions.
  • Twilio, for the telephony and SMS infrastructure powering the native Contact Center inside the amplifyOMS platform.
  • HighLevel (GHL), for marketing automation infrastructure supporting customer-facing lifecycle communications inside the amplifyOMS Growth Engine.
  • Square, for payment processing on the customer-billing side and for in-clinic point-of-sale transactions where applicable.
  • iPOS Pays, for payment processing supporting customer-billing operations.

We may add, replace, or remove subprocessors from time to time as our infrastructure evolves. Material changes to the subprocessor list will be reflected in the next revision of this Privacy Policy.

5.2 Service Providers and Professional Advisors

We may share information with attorneys, accountants, auditors, and other professional advisors who are bound by confidentiality obligations.

5.3 Legal Compliance and Protection

We may share information when required by law, including in response to subpoenas, court orders, lawful regulatory requests, or other legal process. We may also share information to protect the rights, property, or safety of amplifyOMS, our customers, or others, including to investigate suspected fraud or violations of our terms.

5.4 Business Transfers

If amplifyOMS is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify customers and update this policy if such a transaction occurs.

5.5 With Your Direction

We may share information with third parties at your direction or with your consent, including when you authorize an integration between amplifyOMS and a third-party application.

6. Protected Health Information and HIPAA

amplifyOMS provides software services to hearing care practices that involve the processing of Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

In our role processing PHI on behalf of our customers, amplifyOMS acts as a Business Associate as defined under HIPAA. Each customer signs a Business Associate Agreement (BAA) with amplifyOMS at onboarding. That BAA governs all aspects of our processing of PHI on behalf of the customer, including permitted uses and disclosures, security safeguards, breach notification obligations, and the rights of individuals with respect to their PHI.

This Privacy Policy does not govern our handling of PHI. PHI is handled exclusively under the terms of the applicable BAA.

The personal information governed by this Privacy Policy includes information that is not PHI, such as website visitor information, demo prospect information, and customer account administrative information (billing, contact, account preferences).

If you are a patient of an amplifyOMS customer practice and have questions about your health information, please contact the practice directly. The practice is the Covered Entity responsible for your PHI under HIPAA, and they can address your specific questions through their patient privacy procedures.

7. Data Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect the personal information we collect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These safeguards include access controls, encryption of data in transit and at rest, secure development practices, regular security reviews, and HIPAA-compliant infrastructure for the portions of the platform that handle PHI.

No system is perfectly secure. We work to maintain reasonable security in line with industry standards and applicable regulations, but we cannot guarantee absolute security.

8. Data Retention

We retain personal information for as long as we have a business reason to retain it or as required by applicable law.

For website visitor and demo prospect information, we typically retain records for the duration of the active sales relationship plus a reasonable period afterward for follow-up and audit purposes, unless you request earlier deletion.

For active customer account information, we retain records for the duration of the customer relationship.

For customer data (account information and the data customers store inside the amplifyOMS platform), we delete the data 30 days after the termination or cancellation of the customer's account, unless a longer retention period is required by law or has been separately agreed in writing. During the 30-day period after termination, the customer may request export of their data in structured formats. After the 30-day period, the data is deleted from our production systems. PHI handling at termination is additionally governed by the BAA.

Backup retention may extend beyond these timeframes in line with standard backup practices. Backup data is overwritten on a rolling schedule and is not accessed except in the case of a disaster recovery event.

9. Cookies and Tracking

We use a limited set of cookies and similar tracking technologies on amplifyoms.com.

  • Strictly necessary cookies that enable the website to function (session management, security).
  • Analytics cookies that help us understand how visitors use the website, including Google Analytics or similar services. These cookies collect aggregated information that does not identify individual visitors.
  • Conversion tracking pixels associated with paid advertising campaigns, where we run them, to measure the performance of advertising spend.

We do not use cookies for cross-site behavioral advertising. We do not sell cookie data.

Your browser settings allow you to control cookies. Most browsers let you decline some or all cookies, but doing so may affect the functionality of the website. The "Do Not Track" browser signal is not currently honored by most websites, including ours; we treat your overall data subject rights (described in Section 10) as the primary mechanism for opt-out.

10. Your Rights and Choices

Depending on where you reside, you may have rights with respect to the personal information we hold about you.

10.1 Rights Available Under U.S. State Laws

California residents have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to access and obtain a copy of that information, the right to request deletion, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights.

Residents of other states with comparable privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, and Texas) have generally similar rights under those state laws.

10.2 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@amplifyoms.com with your specific request. We will respond within the timeframe required by the applicable law, typically within 45 days.

We may need to verify your identity before responding to certain requests. We will not respond to requests we are unable to verify.

You can also unsubscribe from marketing communications at any time by following the unsubscribe link in any marketing email or by contacting us.

11. Children's Privacy

The amplifyOMS website and platform are not directed to children. We do not knowingly collect personal information from children under 13 (or the equivalent age threshold under applicable state or federal law) through the website.

amplifyOMS customers may process information about minor patients inside their amplifyOMS instances as part of providing hearing care services. This information is PHI and is governed by the Business Associate Agreement and the customer's own privacy practices, not by this Privacy Policy. The customer (the hearing care practice) is the Covered Entity responsible for compliance with HIPAA and any applicable laws governing the protection of minor patient information.

12. International Visitors

amplifyOMS is a United States company and operates its infrastructure primarily in the United States. If you visit our website from outside the United States, your personal information will be transferred to, processed in, and stored in the United States. By using the website or requesting a demo, you consent to that transfer.

We do not currently target customers outside the United States. If we begin offering services to customers in the European Economic Area, the United Kingdom, or other jurisdictions with comparable data protection regimes, this Privacy Policy will be updated to reflect the additional disclosures and rights required under those regimes.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of the policy and provide additional notice through the website or by email to customers as appropriate. Your continued use of the website or the platform after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal information, contact amplifyOMS, Inc. at privacy@amplifyoms.com. A mailing address will be published here at deployment.

For questions about Protected Health Information (PHI) processed inside an amplifyOMS customer instance, please contact the customer practice directly. The practice is the Covered Entity responsible for your PHI under HIPAA.