Privacy Policy
1. Introduction
Welcome to Cue (offered by Cue ABA, Inc., referred to as "Cue", "we", "us", or "our"). We provide a specialized, modern practice management platform designed for Applied Behavior Analysis (ABA) clinics, helping them run clinical operations, scheduling, training, billing, and caregiver communication from a single command center.
We respect your privacy and are committed to protecting it. This Privacy Policy describes how we collect, use, store, and disclose information when you visit our website at cueaba.com (the "Site"), use our SaaS platform accessible via app.usecue.com (the "Platform"), or communicate with us in any way.
2. HIPAA and Protected Health Information (PHI) Disclosures
Our customers (ABA clinics and practitioners) use the Cue Platform to upload and manage clinical records, treatment files, and diagnostic logs that contain Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
When Cue processes PHI on behalf of our customers, we act strictly as a Business Associate under HIPAA. Our processing, security, and disclosure of PHI are governed by our **Business Associate Agreement (BAA)** signed with each clinic, alongside the clinic's own patient consent policies. In the event of any conflict between this Privacy Policy and the BAA, the terms of the BAA will control with respect to that patient data.
3. Information We Collect
Depending on how you interact with Cue, we may collect several types of information:
A. Information Provided by Clinic Administrators and Staff
- Account Registration: Name, professional email address, phone number, credentials, and clinic role (e.g., Owner, BCBA, RBT, Biller).
- Billing Information: Payment card details (processed through Stripe or another payment processor), billing address, and transaction history, used solely to pay for the Cue subscription.
- Customer Support & Communications: Messages sent directly to our support team, feedback, and notes from training sessions.
B. Information Uploaded by Clinics (Client & Patient Data)
Our customers upload data regarding patients ("kiddos") receiving care. This includes:
- Demographic information (patient name, date of birth, caregiver contact details).
- Clinical files (reauthorization dates, treatment plans, behavioral target data, session notes, co-signatures).
- Insurance details and billing codes used for EDI claims processing.
C. Information Collected Automatically
We use automated diagnostic tools to monitor platform health, ensure security compliance, and generate our Daily Briefings. This collects:
- System Log Data: IP address, browser type, operating system, device details, and timestamps of user actions.
- Security Audit Trails: Granular records of who accessed, edited, or deleted clinical records (required under HIPAA).
- Performance Metrics: Load times, page interactions, and system error logs.
4. How We Use Information
We process your data strictly to perform our contractual duties and maintain compliance in healthcare operations. Specifically, we use it to:
- Provide and Support the Platform: Authenticate accounts, maintain database connections, host the Caregiver Portal, and handle custom RBT onboarding workflows.
- Synthesize the Daily Briefing: Compile overnight events, unbilled clinical hours, and reauthorization deadlines into a unified 30-second daily dashboard.
- Process Claims & Billing: Direct EDI integration to generate clean claims, manage claims workflows, and process payroll.
- Security & HIPAA Auditing: Keep exact historical audit logs of record modifications to verify HIPAA compliance.
- Communicate with You: Send critical service updates, feature rollouts, and support notifications. We do NOT send marketing emails to patient caregivers.
5. Data Sharing & Disclosure
We never sell, rent, or trade user or patient data under any circumstances. We only share information in the following limited scenarios:
- Service Providers (Sub-processors): We work with trusted partners to host our servers (HIPAA-eligible cloud infrastructure), manage billing subscriptions (e.g., Stripe), and submit claims through EDI clearinghouses. All such sub-processors are bound by strict confidentiality clauses and Business Associate Agreements.
- Clinic Coordination: Data entered by RBTs is shared instantly with supervising BCBAs and clinic owners as part of standard operational flows. Caregiver summary reports are shared with authorized caregivers (parents or guardians) through the secure Caregiver Portal.
- Legal Compliance & Protection: We may disclose information if required to do so by law, subpoena, or government inquiry, particularly to protect the safety of a child or to adhere to health regulatory audits.
6. Data Security
Security is the baseline of our architecture. Cue implements robust physical, administrative, and technical controls to protect sensitive medical and administrative data:
- Encryption: All Protected Health Information is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- SOC 2 Type II: Our platform is audited annually by an independent audit firm against the Security, Availability, and Processing Integrity Trust Services Criteria.
- Access Controls: Role-based access controls limit information strictly to staff authorized by the clinic owner. Single Sign-On (SSO) and multi-factor authentication are available.
- Audit Logging: Every record access, export, or deletion is written to append-only, tamper-evident audit logs, so that any access to PHI can be reconstructed and attributed to a specific user during a compliance review or security investigation.
7. Your Rights
A. Patient and Caregiver Rights
If you are a patient or a caregiver of a patient whose information has been uploaded to Cue by a clinic, your rights regarding access, correction, or deletion of Protected Health Information (PHI) are governed by HIPAA and must be exercised directly through your healthcare provider (the clinic). Cue cannot modify or delete medical records independently without authorization from the clinic owner.
B. Clinic Staff Rights
Clinic administrators and staff members may access, correct, or update their personal account information directly within their profile dashboard, or by reaching out to support.
8. Changes to this Policy
We may update this Privacy Policy from time to time as our features or legal requirements evolve. If we make material modifications, we will notify clinic owners via email or alert banners inside the Platform interface before the changes take effect. Your continued use of the services after the last updated date constitutes your acceptance of the updated terms.
9. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data security practices, please contact our Privacy & Compliance Officer:
Cue ABA, Inc.
Attn: Privacy & Compliance Officer
Email: privacy@cueaba.com
Address: 100 Pine Street, Suite 1250, San Francisco, CA 94111