PRIVACY POLICY
Last modified March 14, 2026
PLEASE REVIEW THIS POLICY CAREFULLY
The following describes how Spine & Sport Rehabilitation Institute, PLLC, DBA “Lumara Concierge” ("Lumara Concierge," "we," or "ours") uses and disseminates information you provide through https://www.experiencelumara.com/ and its sub-domains and affiliated sites, as well as Lumara Concierge pages and accounts on Meta®, LinkedIn®, TikTok®, and YouTube® (the "Sites"). This Privacy Policy also describes how we handle “protected health information” ("PHI") as required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"). If you ever have questions about this Privacy Policy, please contact us at the information below. Please also review our full Terms and Conditions of Use, which also govern your use of the Sites. By using this Site, you are consenting to this Privacy Policy.
INFORMATION SUBJECT TO THIS PRIVACY POLICY
This Privacy Policy applies, in part, to information about you called PHI that is protected under the federal law "HIPAA." PHI includes health-related information that Lumara Concierge collects, creates, receives, or maintains in connection with your user account and that reasonably could be used to identify you. Lumara Concierge may receive your PHI directly from you or from a third party, such as your employer-sponsored health plan.
Lumara Concierge has developed and implemented policies and procedures designed to comply with HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 ("HITECH"), and the Privacy, Security, Breach Notification and Enforcement regulations thereunder (45 C.F.R. Parts 160 and 164), as the same may be amended from time to time ("HIPAA/HITECH Policies"). Lumara Concierge’s use of PHI obtained or provided by you or a third party while using the Sites will comply with its HIPAA/HITECH Policies, HITECH, HIPAA, and the rules and regulations promulgated thereunder. Further, any security breach incident shall be handled in accordance with all federal, state and local laws, rules and regulations concerning breach notification requirements.
Lumara Concierge will maintain a valid, existing Business Associate Agreement or Subcontractor Business Associate Agreement (collectively referred to herein as a "BAA") with any third party as required by the HIPAA/HITECH Policies. A BAA requires that a business associate, among other things, will not use or further disclose PHI other than as permitted or required by the BAA or as required by law. Lumara Concierge will at all times comply with its applicable BAA when using or disclosing your PHI.
COLLECTION OF YOUR PERSONAL INFORMATION
Unless we expressly note otherwise, we do not collect personally identifiable information from users of our Sites. When you visit our Sites, some information about your computer hardware and software is inherently automatically collected, such as your IP address, domain name, browser type, access time and referring website addresses. We typically do not use this information for any purpose, but an example of when we may use this information is in implementing improvements and analyzing the Sites and for troubleshooting purposes. We also utilize this information to monitor and improve services and to ensure that your use of the Sites is in compliance with our Terms of Use. Most of our services do not require any form of registration, allowing you to visit the Sites without telling us who you are. However, some services, such as email opt-ins may require you to provide us with Personal Data. If you create an account through our Sites and/or mobile application, you may be asked to provide personal information including, but not limited to, your name, telephone number, mailing address, email address, gender, health insurance information, PHI, and other such information. In such a case, you may choose to withhold any Personal Data requested by us, but it may not be possible for you to gain access to certain parts of the site or content. We require only the information that is reasonably required to enter into a contract with you. We will not require you to provide consent for any unnecessary processing as a condition of entering into a contract with us.
Non-Personal Information
Lumara Concierge may collect non-personal information about your activity on the Sites, including but not limited to information that you provide to us or generate using our Sites, records and copies of your correspondence with us, your responses to surveys we might ask you to complete, and details of transactions you carry out through our Sites. This information, if collected, may be collected via computer code sent to your computer (commonly referred to as "cookies" or "web beacons"). We do not collect personal information automatically, but we may tie this non-personal information to personal information about you that we collect from other sources or you provide to us.
COOKIES: WHAT THEY ARE, AND WHY THEY ARE NEEDED
A cookie is a data text file sent from a website to your browser for the purpose of identifying the user and allowing access to portions of the website, thus alleviating the need to continually log in with your username and password. Cookies may be stored within your system. To the extent we use cookies, we can only access information from a cookie sent by one of the Sites, not other websites. We may use cookies to personalize your visit to our Sites because tracking usage allows us to best determine the needs of our customers and advertisers.
"Cookies" are small text files that are placed on your device by a web server when you access our services. We may use both session Cookies and persistent Cookies to identify that you've logged into the services and to tell us how and when you interact with our services. We may also use Cookies to monitor aggregate usage and web traffic routing on our services and to customize and improve our services. Unlike persistent Cookies, session Cookies are deleted when you log off from the services and close your browser. You may refuse to accept browser cookies by activating the appropriate settings on your browser. However, if you select this setting you may be unable to access certain parts of our Sites. Some third-party service providers that we engage may also place their own Cookies on your device. Please note that this Privacy Policy covers only our use of Cookies and does not include use of Cookies by such third parties.
"Web Beacons" (also referred to as clear gifs, pixel tags, and single-pixel gifs) are tiny graphics with a unique identifier that may be included on our Sites for several purposes, including to deliver or communicate with Cookies, to track and measure the performance of our services, to monitor how many visitors view our services, and to monitor the effectiveness of our advertising. Unlike Cookies, which are stored on the user's hard drive, Web Beacons are typically embedded invisibly on web pages (or in an e-mail).
The Sites may automatically record certain information about how you or any other individual accessing our Sites on your behalf ("User") use our services (we refer to this information as "Log Data"). Log Data may include information such as a User's Internet Protocol (IP) address, browser type, operating system, the web page that a User was visiting before accessing our services, the pages or features of our services to which a User browsed and the time spent on those pages or features, search terms, the links on our services that a User clicked on, and other statistics. We use Log Data to administer the services and we analyze (and may engage third parties to analyze) Log Data to improve, customize and enhance our services by expanding their features and functionality and tailoring them to our Users' needs and preferences.
HOW WE MAY USE AND SHARE YOUR PROTECTED HEALTH INFORMATION
We may use and share your PHI for the following purposes without first asking for your written permission:
Treatment
We may use and share your PHI for treatment-related purposes of a health care provider.
Payment
We can use and share your PHI with a covered entity or health care provider for payment-related purposes.
Health Care Operations
We may use and share your PHI with a covered entity for healthcare operations.
Contractors
Third-party contractors provide certain services to us or you on our behalf. We may share your PHI with these third-party contractors for treatment, payment, or health care operation purposes in accordance with HIPAA and the applicable BAA between Lumara Concierge and said third party. These contractors are required by law to protect your PHI the same way we do.
Your Health Plan / Insurers
We may use and share your PHI with your health plan administrator, insurers, or their other service providers as permitted by applicable law.
Other Uses or Disclosures
We may, and sometimes are required to, use or share your PHI in special circumstances without first asking for your written permission (e.g., when required by court order). We must meet many conditions in the law before we can share your information for these purposes.
HOW WE MAY SHARE YOUR PHI WITH PARTIES INVOLVED IN YOUR CARE
Generally, we will not share your PHI or communicate with someone other than patients, health plans, insurers, third party service providers, or health care providers directly.
If you are represented by a legally appointed personal representative, we will communicate with your representative in the same manner we would communicate with you, provided that Lumara Concierge has received a valid health authorization designating such representative to receive your PHI.
In special circumstances, we may share your PHI or communicate with individuals identified as family members, personal relatives, close personal friends, or others involved in your care with your permission or, if you are unable to give permission, only if we believe it is necessary and in your best interest. We will only disclose PHI that is directly relevant to their involvement with your care or payment related to your health care, or as otherwise needed for notification purposes.
To protect your privacy and the security of your user account, we strongly recommend that you never share your account password or other sign-in information with anyone else. When someone signs into your user account, we will assume that you gave your permission to that person to access the information in your user account.
DATA SECURITY
Lumara Concierge has implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions and certain disclosures/uses of PHI will be encrypted using SSL technology when necessary. The safety and security of your information also depends on you. Where you have chosen a password to access certain parts of the Sites, you are responsible for keeping this password confidential. Lumara Concierge strongly advises against sharing your password with anyone. Unfortunately, the transmission of information via the Internet is not completely secure. Although we do our best to protect your personal information, we cannot give a 100% guarantee of the security of your personal information transmitted to our Sites. Any transmission of personal information is at your own risk.
DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION
In certain circumstances, HIPAA may require Lumara Concierge to de-identify PHI prior to making certain disclosures. In such a case, Lumara Concierge shall, prior to making any disclosure, de-identify the PHI in accordance with Section 164.514 of the HIPAA Privacy Rule. De-identification requires the elimination of primary or obvious identifiers and secondary identifiers through which a user could determine an individual's identity.
USE OF YOUR PERSONAL INFORMATION
If you do choose to provide your personal information, we will not willingly share your information with companies outside my organization, except as described in this Privacy Policy. You may at times receive communications from me related to products and services that we believe might interest you. While we believe these services may enhance your time spent at the Sites, you will at all times have the option and ability to opt out from receiving these communications by specifically choosing to do so via a link which will be provided within emails that we send to you. We may disclose total aggregated user statistics in order to describe our services to potential advertisers, other third parties, affiliate companies, and for other lawful purposes.
The information we gather from you may be used in several ways, either now or in the future, to gain a better understanding of our Sites' users and their usage pattern as a whole, for site administration and troubleshooting, to process transactions, contest entries and other matters you initiate, to identify preferences in content and advertising, to target editorial, advertising or other content (such as promotions, special offers or other content) we think might be of interest to you. We may also use information we gather from you to communicate changes and improvements to our website or any registration you have made.
You have the right to request access to the information we have for you. You can do this by contacting us at your support email. We will respond within 45 calendar days from the day the request is received. If there are extenuating circumstances preventing the fulfillment of your request, we reserve the right to reasonably extend our response due date, if reasonably necessary, and will notify you of such extension by mail/electronically. We will make sure to provide you with a copy of the data we process about you. In order to comply with your request, we may ask you to verify your identity. We will fulfill your request by sending your copy electronically unless the request specifies a different method. If you believe that the information we have about you is incorrect, or if you wish to remove your private information (such as an email address provided in an opt-in), you may contact us at your support email. Any data that is no longer needed for the purposes specified herein will be deleted.
We do not give away, sell, rent or lease any users' personally identifiable information to any merchant, advertiser or web publisher. However, non-personally identifiable user information (such as usage pattern, browser type, and your computer) may be shared with third party businesses or advertisers with which I have a business or contractual relationship. We reserve the right to disclose personal information when needed to comply with the law or a legal process, cooperate with investigations of purported unlawful activities, to identify persons violating the law, in connection with the sale of part or all of Company's or its affiliates' assets, or to enforce our Terms of Use.
We will not share your information with any third party outside of our organization, other than with trusted partners to help us fulfill your request, perform statistical analysis, send you email or postal mail, provide customer support, or to provide other services to Website users, or otherwise consistent with HIPAA, HITECH, or other applicable law, rule or regulation. Lumara Concierge has taken and will continue to take measures to ensure the secure and safe handling of your personal information.
Please keep in mind that if you disclose personally identifiable information in a public manner through the Sites, this information may be collected and used by others accessing those portions of the Sites. We do not monitor information you disclose on the Sites nor do we accept any liability associated with your voluntary disclosure of the same.
You are responsible for reviewing the privacy statements and policies of other websites you choose to link to or from the Sites, so that you may understand how those sites collect, use and store your information. We are not responsible for the privacy statements, policies or content of any other websites. Websites containing co-branding (referencing our name and a third party's name) contain content delivered by the third party and not us.
INFORMATION DISCLOSED IN CONNECTION WITH LEGAL REQUIREMENTS
Lumara Concierge may disclose any personal (in compliance with the rules and regulations set forth in HIPAA and HITECH) or non-personal information collected to the extent it reasonably believes that such disclosure is necessary to comply with the law, such as in response to any subpoena, to the extent reasonably necessary to establish or defend a legal claim, and for other purposes permitted by applicable law.
INFORMATION SENT BY YOUR MOBILE DEVICE
We collect certain information that your mobile device sends when you use our services. For example, we may collect a device identifier, user settings, and the operating system of your device, as well as information about your use of our services.
LOCATION INFORMATION
When you use the Sites, we may collect and store information about your location by converting your IP address into a rough geo-location or by accessing your mobile device's GPS coordinates if you enable location services on your device. We may use location information to improve and personalize our services for you. If you do not want us to collect location information, you may disable that feature on your mobile device.
USE OF INFORMATION WITH AI
We will take all possible technical, administrative, and organizational precautions necessary to keep your data safe including but not limited to taking all actions within my control to keep this GPT private, barring OpenAI from scraping information from this custom GPT, and only requesting necessary information from you. However, no Internet or email transmission is ever fully secure or error free, and we cannot guarantee that OpenAI does not utilize information for its own purposes. Thus, we strongly encourage you to take special care in what information you send to us through this app or the use of any GPT on our site. Additionally, we strongly recommend you do not input any information into the GPT provided that would be deemed private or unnecessary including identifying information of yourself or another person. You should take special care in deciding what information to input into this GPT, and only input information into the GPT that is minimally necessary for your desired output. We will continue to research and review current security law, and review our security measures and privacy policies specifically in relation to AI and custom GPTs. By using this site, and any GPT capability provided therein, you expressly agree and acknowledge that you are doing so by your own volition and assume all risks associated with such action.
OUR POLICY WITH MINORS
Our Sites are not intended for individuals under the age of 18. We do not collect or maintain information from anyone known to be under the age of 18, and no part of this website is designed to attract anyone under the age of 18. We do not sell products or services intended for purchase by children. Only parents/guardians of a minor child may submit any personal or non-personal information (including PHI) concerning their minor child. Any information provided via the Sites by a parent/guardian of a minor child that concerns a minor child shall (i) be deemed given with the parent's/guardian's informed consent, and (ii) shall be treated consistent with this Privacy Policy and applicable law. If we discover or are otherwise notified that we have received any such information from a child in violation of this policy, we will delete that information.
DATA RETENTION
We only retain Personal Data collected from Users for as long as the User's account is active or otherwise for a limited period of time as long as we need it to fulfill the purposes for which we have initially collected it unless otherwise required by law. We will retain and use information as necessary to comply with my legal obligations, resolve disputes, and enforce our agreements for a period of [2] years.
OUR RESPONSIBILITIES
We are required by law to maintain the privacy and security of your protected health information.
If you have given us permission to use or share your PHI in a certain way, you may change your mind at any time. Please let us know by contacting us at the information provided below.
States may require additional privacy rights (e.g., California, Colorado, Connecticut, Utah, and Virginia). Please see the applicable state-specific sections of this Privacy Policy below.
INTERNATIONAL PRIVACY LAWS AND YOUR RIGHTS UNDER THE GDPR
If you are visiting the Site from outside the United States, please be aware that you are sending information to the United States where my servers are located. Information you submit may then be transferred within the United States or back out of the United States to other countries outside of your country of residence, depending on the type of information and how it is stored by me. These countries (including the United States) may not necessarily have data protection laws as comprehensively protective as your country of residence; however, our collection, storage, and use of your data will at all times continue to be governed by this Privacy Policy.
If you are a member of the European Union (EU), you have special rights under the GDPR. Those include: You have the right to object to the processing of your data and the right to portability of your data. All complaints must be sent to your support email address or email address of your GDPR representative or data processor. You also have the right to erasure, rectification, access, or to seek restrictions to the processing of your personal data in our system. To the extent you provide consent to our processing of your personal data, you have the right to withdraw that consent at any time. Any withdrawal of consent does not apply to data collected lawfully prior to such consent. You have the right to lodge a complaint with a supervisory authority having jurisdiction over GDPR-related issues.
LIMITATIONS
By using the Sites you agree that we are not responsible for: (i) any disclosure of your personal information made by you to a third party through your use of the Sites; (ii) any disclosure of your personal information obtained illegally from us; or (iii) any accidental disclosure of your personal information made by us.
POLICY CHANGES
We may modify this Privacy Policy from time to time. Any modifications will be effective immediately when we post them. We will take steps to notify users of any modifications; however, you are responsible for reviewing any modified terms. When we update our Policy, we will note the date of revisions at the top of the Policy. Your continued use of a Site following any changes means you accept and agree to any changes. For your convenience and future reference, the date of the Privacy Policy is included so that you can compare any different versions of the Privacy Policy to determine any changes made to the Privacy Policy.
YOUR COMMENTS AND CONCERNS
This website is operated by Spine & Sport Rehabilitation Institute, PLLC, DBA “Lumara Concierge”, located at 217 Jamestown Park Road, Suite 7, Brentwood, Tennessee 37027. All other feedback, comments, requests for technical support and other communications relating to the Sites should be directed to [info@experiencelumara.com].
Get a Copy of This Privacy Policy: You may ask us for a paper copy of this Privacy Policy at any time by emailing us at [Insert Email]. We will provide you with a paper copy promptly.
Revoke Permission: If you have given Lumara Concierge permission to use or share your PHI in a certain way, you may change your mind at any time. Let us know by emailing us at [info@experiencelumara.com].
Notice under California Consumer Privacy Act
Last modified March 14, 2026
This Privacy Notice explains, in general, the procedures behind our collection, storage, and processing of the information we may collect from you online, if any. This notice is intended to operate as a supplement to our Privacy Policy, for the sole purpose of defining rights that California consumers may have with respect to our Sites under the California Consumer Privacy Act of 2018 ("CCPA").
Terms such as "personal information" and "processing" that are defined in the CCPA will have the same definitions in this Notice as we understand them to have under the CCPA. This includes exceptions to certain terms under the CCPA. For example, "personal information" under the CCPA does not include publicly available, aggregate consumer information, or de-identified information.
The following chart is for the sole purpose of demonstrating the categories of information we may collect online, and other relevant information, such as why we collect information, how it is shared, if it is shared, and whether we sell that personal information.
Personal Information:

Type of Information Collected: Name, email address, phone number, referral information
Purpose for Collection: Information requested on our contact page, located at [domain]
Who do we share Information with? Third party service providers as necessary to administer, facilitate, and enhance the provision of our Sites under agreements that such providers maintain the information confidential.

Type of Information Collected: Information available through your Internet Protocol address (e.g., collected via Google Analytics)
Purpose for Collection: Collected automatically through various website tools we employ, as defined in our Cookie Notice. Collection of such information aids in improving our website for our visitors.
Who do we share Information with? Third party service providers as necessary to administer, facilitate, and enhance the provision of our Sites under agreements that such providers maintain the information confidential.

Type of Information Collected: PHI (protected health information) collected in connection with your user account
Purpose for Collection: To provide, administer, and improve healthcare-related services; for treatment, payment, and healthcare operations as permitted under HIPAA.
Who do we share Information with? Health care providers, health plans, business associates, and third party contractors as permitted or required by HIPAA and applicable BAAs.
If you would like to request additional information, please email [info@experiencelumara.com], and complete the following:
Identify yourself
Specify the information you request to be accessed, corrected, or removed
Please note that we reserve the right to request additional information to verify the above, including a form of government-issued identification. We additionally reserve the right to decline to process requests if you fail to provide either of the above, if we believe the request will violate any other law or legal requirement, cause the information to be incorrect, or jeopardize the privacy of others.
Written responses to information requested under this section will be delivered by mail/electronically. We will respond within 45 calendar days from the day the request is received. If there are extenuating circumstances preventing the fulfillment of your request, we reserve the right to extend our response due date, if reasonably necessary, and will notify you of such extension by mail/electronically. If a request is declined, we will provide an explanation as to why. You have the right to appeal a denial. We will not discriminate against you for exercising any rights available to you under applicable law.
We additionally reserve the right to modify, or delete some or all of your information collected. In such a case, we will retain data as reasonably necessary to comply with any legal obligations, including regulatory, security, or dispute requirements, law enforcement requirements, to prevent fraud or abuse, or to enforce obligations, including any other requests from you.
To make a request, you're welcome to contact us at the information provided in our Privacy Policy. You can designate an agent to make a request on your behalf in one of two ways: (1) having your agent send us a letter, signed by you, certifying that the agent is acting on your behalf and showing proof that they are registered with the California Secretary of State; or (2) by you and the agent executing and sending us a notarized power of attorney stating that the agent is authorized to act on your behalf. Please note that we may still require you to verify your identity before we process a request submitted by your agent.
STATE-SPECIFIC PRIVACY RIGHTS
Certain state privacy laws grant residents additional rights with respect to their personal information. Please review the applicable section below for your state of residence. Note that where Company Name is acting as a covered entity or business associate under HIPAA, state privacy laws that conflict with HIPAA's requirements are generally preempted by federal law.
California
California residents may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Please refer to our California Consumer Privacy Act Notice above. Note that under CalOPPA, we are required to disclose how we respond to "Do Not Track" signals. We do not currently respond to Do Not Track browser signals or similar mechanisms.
Colorado
The Colorado Privacy Act (CPA) does not apply to information and documents created for purposes of complying with HIPAA and its implementing regulations. To the extent the CPA applies to non-PHI data we collect, Colorado residents may have additional rights including the right to access, correct, delete, and obtain a copy of personal data, and to opt out of certain processing activities.
Connecticut
Entities subject to HIPAA are exempt from the Connecticut Data Privacy Act (CTDPA) with respect to PHI. To the extent the CTDPA applies to other data we collect, Connecticut residents may have additional rights.
Delaware
Under the Delaware Personal Data Privacy Act (DPDPA), PHI and information provided by or to a Covered Entity or Business Associate is exempt. To the extent the DPDPA applies to other data we collect, Delaware residents may have additional rights.
Virginia
Virginia residents may have rights under the Virginia Consumer Data Protection Act (VCDPA) with respect to non-PHI data we collect, including the right to access, correct, delete, and obtain a copy of personal data, and to opt out of certain processing activities.
Other States
Residents of Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, and Utah may also have rights under applicable state data privacy laws. Please contact us at [info@experiencelumara.com] for more information about your rights under applicable state law.
To exercise any applicable state privacy rights, please contact us at [info@experiencelumara.com]. We will respond within the timeframe required by applicable law.