Privacy Notice

This Privacy Notice describes how Tirion LLC ("we", "us", "our") collects and uses your personal information in relation to the Chimera appointment booking platform, including our website, application, and related services (together, "Chimera Services").

This Privacy Notice does not apply to patient information ("content") processed, stored, or hosted by clinics using Chimera Services. See the agreement governing your Chimera account and, where applicable, the Business Associate Agreement for more information about how we handle content.

Personal Information We Collect

We collect your personal information in the course of providing Chimera Services.

• Information You Give Us: Information you provide when creating an account, configuring your clinic, contacting us, or subscribing to a plan. This includes your name, email address, phone number, clinic name, and payment information.
• Automatic Information: Information collected when you interact with Chimera Services, such as IP address, browser type, device information, pages visited, and usage patterns.
• Information from Other Sources: Information from payment processors (Stripe) to manage your subscription and billing.

How We Use Personal Information

• Provide Chimera Services: Processing registrations, subscriptions, and payments.
• Improve Chimera Services: Measuring usage, analyzing performance, fixing errors, and improving the platform.
• Communicate with You: Responding to support requests, sending service updates, and transactional emails.
• Comply with Legal Obligations: Collecting or retaining information as required by law.
• Fraud and Abuse Prevention: Protecting the security of our platform and users.

How We Share Personal Information

We are not in the business of selling your personal information. We share personal information only as described below.

• Third-Party Service Providers: We use services such as Stripe (payments), Resend (email), and Twilio (SMS) to operate Chimera. These providers access only the information needed to perform their functions.
• Optional Integrations: If you connect third-party services through Chimera's Apps feature (such as Google Calendar, Outlook Calendar, or Zoom), appointment data may be shared with those services to create calendar events or video meetings. By default, only non-identifying scheduling information is shared (provider name, date, time, duration). Patient names and contact details are only shared if you explicitly enable PHI certification for that integration, certifying that your account with the third-party service is HIPAA-compliant. OAuth tokens and credentials for connected services are encrypted at rest.
• Google Calendar Integration: When you connect Google Calendar through Chimera's Apps feature, we request access to your Google Calendar data using OAuth 2.0 with the following scopes: (1) the ability to create, read, and delete calendar events, and (2) read-only access to list your available calendars. We use this access solely to create appointment events on your selected calendar when bookings are made, update events when appointments are rescheduled, and remove events when appointments are cancelled. We do not read, modify, or delete any pre-existing calendar events. We do not share your Google Calendar data with any third parties. Your OAuth refresh token is encrypted at rest using Fernet symmetric encryption. When you disconnect the Google Calendar integration, we revoke the OAuth token with Google and permanently delete all stored credentials and calendar metadata from our systems. You may also revoke access at any time through your Google Account permissions page.
• Business Transfers: In the event of a sale, merger, or acquisition, personal information may be transferred as a business asset, subject to this Privacy Notice.
• Protection of Us and Others: We may release information when we believe it is appropriate to comply with law, enforce our terms, or protect rights, property, or safety.

How We Secure Information

Security is our highest priority. All patient information stored in Chimera is encrypted at rest using Fernet symmetric encryption. We use encryption in transit (TLS), maintain access controls, and follow security best practices including rate limiting, audit logging, and clinic-level data isolation.

Data Retention

We keep your personal information for as long as your account is active or as needed to provide Chimera Services. We retain information as required by law (including for tax, accounting, and HIPAA compliance purposes). Accounts more than 90 days delinquent may be deleted without recovery.

Your Rights

• Access and Update: You can view and update your account information through your Chimera dashboard at any time.
• Deletion: You may request deletion of your account and personal information by contacting us.
• Communications: You can unsubscribe from promotional emails via the unsubscribe link in any email we send.

Children's Personal Information

Chimera Services are not directed to children. If you are under 18, you may use Chimera only with the involvement of a parent or guardian.

California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• The right to know what personal information we collect, use, and disclose.
• The right to request deletion of your personal information.
• The right to opt out of the sale of personal information. We do not sell personal information.
• The right to non-discrimination for exercising your privacy rights.

Changes to This Notice

We may update this Privacy Notice from time to time. We will notify you of material changes by posting the updated notice on our website or by email. Continued use of Chimera Services after changes constitutes acceptance of the updated notice.

Contact Us

If you have questions about this Privacy Notice or want to exercise your rights, please contact us through the contact form on our website.