1. Introduction

Sullivan Management and Consulting Group, LLC ("SMCG," "we," "us," or "our") is a healthcare business management and consulting firm that provides credentialing, revenue cycle management, and consulting services to hospitals, physician practices, and healthcare organizations across the United States. This Privacy Policy describes how we collect, use, disclose, and protect information gathered through our website at sullivanmcg.com (the "Website").

As a business-to-business (B2B) professional services firm, we primarily process contact information from healthcare administrators, practice managers, physicians, and other business professionals for marketing, service delivery, and recruiting purposes. We are committed to protecting your privacy and maintaining transparency about our data practices.

Important Distinctions:

• Website Data vs. Client Engagement Data: This Privacy Policy applies only to information collected through our Website and marketing activities. It does not cover Protected Health Information (PHI) or confidential business information we may access during client consulting engagements.
• HIPAA Business Associate Relationships: When SMCG provides credentialing, revenue cycle management, or other consulting services involving access to PHI, we act as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). PHI processing is governed by separate Business Associate Agreements (BAAs) with our clients, not this Privacy Policy.
• Professional Services Confidentiality: Client confidential information, proprietary methodologies, and engagement work products are protected under separate contractual confidentiality obligations beyond the scope of this policy.

By using our Website, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our Website or provide us with your information.

2. Information We Collect

We collect several types of information through our Website and business operations:

2.1 Business Contact Information

When you interact with our Website, request information about our services, subscribe to our newsletter, or submit a career inquiry, we may collect:

• Name and professional title
• Work email address
• Business phone number
• Company/organization name and address
• Job title and department
• Professional interests and service needs
• Resume, work history, and professional qualifications (for career inquiries)

2.2 Technical and Usage Information

We automatically collect certain technical information when you visit our Website:

• IP address and general geographic location
• Browser type, version, and language settings
• Device type, operating system, and screen resolution
• Pages viewed, time spent on pages, and navigation paths
• Referring website or source
• Date and time of access
• Links clicked and files downloaded

2.3 Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to collect information about your Website usage. See Section 5 (Cookies and Tracking Technologies) for detailed information.

2.4 Information from Third-Party Sources

We may supplement the information we collect with data from:

• Professional networking platforms (e.g., LinkedIn)
• Business contact databases and lead generation services
• Industry conferences and events where you provide business cards
• Referrals from existing clients or business partners

3. How We Use Your Information

We use the information we collect for the following business purposes:

3.1 Service Delivery and Client Communication

• Responding to service inquiries and consultation requests
• Providing information about our credentialing, revenue cycle management, and consulting services
• Scheduling meetings, demonstrations, and consultations
• Managing ongoing client relationships (separate from engagement work governed by contracts)

3.2 Marketing and Business Development

• Sending newsletters, industry updates, and thought leadership content (with your consent)
• Delivering targeted advertising about our services to healthcare decision-makers
• Analyzing market trends and service demand in the healthcare industry
• Improving our service offerings based on expressed interests and needs
• Conducting surveys and gathering feedback

3.3 Career Opportunities and Recruiting

• Maintaining a database of qualified candidates for positions with SMCG and our clients
• Sharing candidate profiles with clients seeking to hire healthcare professionals
• Notifying candidates about relevant job opportunities
• Coordinating interviews and hiring processes

3.4 Website Functionality and Improvement

• Analyzing Website performance, user experience, and traffic patterns
• Optimizing Website content, design, and navigation
• Troubleshooting technical issues and improving site security
• Conducting A/B testing and measuring campaign effectiveness

3.5 Legal Compliance and Protection

• Complying with applicable laws, regulations, and legal processes
• Enforcing our Terms of Service and other agreements
• Detecting, preventing, and addressing fraud, security issues, or technical problems
• Protecting the rights, property, and safety of SMCG, our clients, and others

3.6 Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA), UK, or Switzerland, our legal bases for processing include:

• Consent: When you provide explicit consent for marketing communications or optional data collection
• Legitimate Interests: For business development, website improvement, security, and fraud prevention, where our interests do not override your privacy rights
• Contract Performance: To respond to your service inquiries and fulfill requested information
• Legal Obligations: To comply with applicable laws and regulations

4. Data Sharing and Third-Party Service Providers

We share your information with the following categories of third parties:

4.1 Service Providers and Technology Partners

We engage trusted third-party service providers who process data on our behalf under contractual obligations. These providers assist us with:

• Email Marketing and Communications: MailChimp (Intuit) for newsletter delivery and marketing automation
• Analytics and Performance: Google Analytics 4 and Google Tag Manager for website traffic analysis and user behavior tracking
• Advertising Platforms: Google Ads, Microsoft Advertising, and LinkedIn Marketing Solutions for targeted advertising campaigns
• Website Hosting and Infrastructure: Rocket.net and performance optimization services
• Security and Functionality: Two-factor authentication, SEO tools, and transactional email delivery

For a complete list of cookies, tracking technologies, and detailed third-party provider information, please see our Cookie Policy.

4.2 Client Organizations (Career Candidates)

When you submit your professional information for career opportunities, we may share your resume, qualifications, and contact information with healthcare organizations seeking to hire. Each hiring organization acts as an independent data controller with its own privacy practices. We encourage you to review their privacy policies when engaging in their hiring processes.

4.3 Business Transfers

If SMCG is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Website before your information becomes subject to a different privacy policy.

4.4 Legal Requirements and Protection of Rights

We may disclose your information when required by law or when we believe disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our policies and contracts
• Protect our rights, property, or safety, or that of our clients and users
• Investigate potential violations or fraud
• Respond to emergency situations

4.5 Aggregated and De-Identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you. This includes anonymized analytics, industry benchmarks, and statistical reports.

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your Website usage and improve your experience. For detailed information about our use of cookies, please review our comprehensive Cookie Policy.

5.1 Types of Cookies We Use

• Essential Cookies: Required for basic Website functionality, security, and form submissions
• Analytics Cookies: Collect information about Website usage and performance (Google Analytics 4)
• Marketing Cookies: Enable targeted advertising and measure campaign effectiveness (Google Ads, Microsoft Ads, LinkedIn Insight Tag, Facebook Pixel)
• Functionality Cookies: Remember your preferences and improve your experience

5.2 Server-Side Analytics Implementation

Our Google Analytics 4 implementation uses server-side tracking via Taggrs.io with a subdomain of sullivanmcg.com. This enhances privacy, improves data accuracy, and provides better control over data collection compared to traditional client-side implementations.

5.3 Managing Your Cookie Preferences

You can control cookies through:

• Browser Settings: Most browsers allow you to block or delete cookies through settings
• Analytics Opt-Out: Install the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout
• Advertising Opt-Outs:
  • Google Ads Settings: adssettings.google.com
  • Microsoft Advertising: account.microsoft.com/privacy/ad-settings
  • LinkedIn: linkedin.com/psettings/guest-controls
  • Digital Advertising Alliance: optout.aboutads.info

Note that blocking certain cookies may affect Website functionality. Essential cookies required for security and basic operations cannot be disabled.

6. Data Security

We implement industry-standard technical, administrative, and physical security measures to protect your information from unauthorized access, disclosure, alteration, and destruction:

• Encryption: Data transmitted to and from our Website is encrypted using Transport Layer Security (TLS 1.2 or higher). Stored data is encrypted using AES-256 encryption standards.
• Access Controls: We limit access to personal information to authorized employees, contractors, and service providers who need access to perform their job functions. All personnel are bound by confidentiality obligations.
• Multi-Factor Authentication: Our team uses two-factor authentication (WP 2FA) to access administrative systems.
• Security Monitoring: We conduct regular security assessments, vulnerability scans, and monitoring for suspicious activity.
• Vendor Security: Our service providers are contractually required to maintain appropriate security measures and comply with applicable data protection laws.
• Incident Response: We maintain procedures to respond to data breaches and security incidents in accordance with applicable breach notification laws.
• Employee Training: Our staff receives regular training on data protection, security best practices, and confidentiality obligations.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to improve our security practices.

7. Your Privacy Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

7.1 General Rights

• Access: Request information about the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your information (subject to legal retention obligations)
• Opt-Out of Marketing: Unsubscribe from marketing emails using the "unsubscribe" link in any email or by contacting us directly
• Cookie Control: Manage cookie preferences through browser settings and advertising platform opt-outs as described in Section 5

7.2 Email Marketing Opt-Out (CAN-SPAM Compliance)

All marketing emails from SMCG include a clear unsubscribe mechanism. We will process your opt-out request within 10 business days. Note that you may continue to receive transactional emails related to our services (e.g., responses to your inquiries, service updates) even after opting out of marketing communications.

7.3 Career Database Opt-Out

If you submitted your resume or professional information for career opportunities, you may opt out of future job notifications by emailing careers@sullivanmcg.com. We will remove you from our active candidate database but may retain your information on a suppression list to prevent future contact.

8. California Residents' Privacy Rights

California residents have specific privacy rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Important Note About B2B Data: The CCPA's business-to-business (B2B) exemption expired on January 1, 2023. California residents who provide business contact information now have the same privacy rights under California law, even in a B2B context.

8.1 Your California Privacy Rights

California residents have the right to:

• Right to Know: Request disclosure of:
  • Categories and specific pieces of personal information we collected
  • Categories of sources from which information was collected
  • Business or commercial purposes for collection
  • Categories of third parties with whom we share information
  • Categories of information sold or shared (if any)
• Right to Delete: Request deletion of personal information we collected from you, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the "sale" or "sharing" of personal information. While we do not sell information for monetary consideration, the use of advertising technologies may constitute "sharing" under CPRA definitions.
• Right to Limit Use of Sensitive Personal Information: Limit the use of sensitive personal information (if collected) to purposes permitted by law
• Right to Non-Discrimination: Exercise your rights without receiving discriminatory treatment

8.2 How to Exercise Your California Rights

To submit a privacy rights request, you may:

• Email us at privacy@sullivanmcg.com
• Call us at (832) 323-3691

We will verify your identity before responding to your request. We will respond within 45 days of receiving your request (with a possible 45-day extension if necessary). You may designate an authorized agent to make requests on your behalf.

8.3 Categories of Information Collected and Shared (Past 12 Months)

We collect and may share the following categories of information from California residents:

• Identifiers: Name, email address, phone number, IP address
• Commercial Information: Service interests, inquiry details
• Professional Information: Job title, company, professional background
• Internet Activity: Website browsing behavior, interaction data
• Geolocation Data: General location based on IP address
• Inferences: Preferences and characteristics derived from your activity

8.4 "Do Not Sell or Share My Personal Information"

While SMCG does not sell personal information for monetary consideration, we use advertising technologies (such as Google Ads, Microsoft Ads, and LinkedIn Insight Tag) that may constitute "sharing" for targeted advertising purposes under California law. California residents may opt out of this sharing by:

• Using the advertising opt-out links provided in Section 5.3 (Cookies and Tracking Technologies) above
• Adjusting your browser settings to block third-party cookies
• Contacting us directly at privacy@sullivanmcg.com

8.5 California "Shine the Light" Law

California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact privacy@sullivanmcg.com.

9. Other U.S. State Privacy Rights

Residents of certain U.S. states have privacy rights under state comprehensive privacy laws. However, most of these laws include exemptions for business-to-business (B2B) data processing.

9.1 Applicable State Laws with B2B Exemptions

The following states have enacted comprehensive privacy laws that generally exempt information collected in a B2B context:

• Virginia (Consumer Data Protection Act - CDPA)
• Colorado (Colorado Privacy Act - CPA)
• Connecticut (Connecticut Data Privacy Act - CTDPA)
• Utah (Utah Consumer Privacy Act - UCPA)
• Montana, Oregon, Texas, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island

If you are a resident of one of these states and believe you have provided personal information outside a B2B context, you may have rights including:

• Confirm whether we process your personal information
• Access your personal information
• Correct inaccurate information
• Delete personal information
• Obtain a copy of your information in portable format
• Opt out of targeted advertising, sale of personal information, or profiling

9.2 Texas Residents

As a Texas-based company, we want to ensure Texas residents understand their rights under the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024. The TDPSA includes B2B exemptions similar to other states. If you have questions about how Texas privacy law applies to your information, please contact us at privacy@sullivanmcg.com.

9.3 How to Exercise State Privacy Rights

To exercise rights under applicable state laws, please email privacy@sullivanmcg.com or call (832) 323-3691. We will respond within the timeframes required by applicable law (typically 45 days).

10. International Visitors and Data Transfers

SMCG is based in Texas, United States, and our services are designed primarily for U.S. healthcare organizations. Our Website is hosted on U.S.-based servers operated by Rocket.net. If you access our Website from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have different data protection laws than your country of residence.

10.1 European Economic Area (EEA), United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have specific rights under the General Data Protection Regulation (GDPR) and UK GDPR, including:

• Right of Access: Obtain confirmation of whether we process your data and receive a copy of your personal information
• Right to Rectification: Request correction of inaccurate or incomplete personal information
• Right to Erasure: Request deletion of your personal information under certain circumstances
• Right to Restriction: Request that we limit processing of your personal information in certain situations
• Right to Data Portability: Receive your personal information in a structured, commonly used, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on your consent
• Right to Lodge a Complaint: File a complaint with your local supervisory data protection authority

Our legal basis for processing your information includes: (1) your consent where you have provided it; (2) our legitimate interests in operating our business, marketing our services, and improving our Website; (3) performance of a contract when responding to your service inquiries; and (4) compliance with legal obligations.

10.2 International Data Transfers

When we transfer personal data from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Our service providers' participation in recognized data transfer frameworks (such as the EU-U.S. Data Privacy Framework for Google and Microsoft services)
• Your explicit consent where applicable

10.3 Contact for International Privacy Inquiries

For questions about international data transfers or to exercise your rights under GDPR, please contact us at privacy@sullivanmcg.com. We will respond to your request within one month as required by GDPR.

11. Data Retention

We retain your personal information for different periods depending on the purpose for which it was collected and legal requirements:

• Service Inquiries and Lead Forms: 5 years from last contact to accommodate healthcare consulting sales cycles and statute of limitations for business contracts
• Newsletter Subscribers (Active): Until you unsubscribe or 3 years of inactivity (no email opens or clicks), whichever comes first
• Unsubscribed Email Addresses: Email addresses maintained indefinitely on suppression list to honor opt-out preferences and comply with CAN-SPAM requirements
• Career Candidate Database: 3 years from last update or interaction to notify you of relevant opportunities while complying with EEOC record retention requirements
• Website Analytics Data: 26 months (Google Analytics 4 setting) to enable year-over-year performance comparisons
• Server Logs and Security Data: 90-180 days for security monitoring and incident investigation, with extended retention for specific security incidents
• Client Engagement Records: 10 years after engagement completion to meet professional services standards, support ongoing client relationships, and defend against potential claims
• Business Associate Agreements and Contracts: 7 years post-termination (HIPAA requirements) or longer if needed for legal defense

Upon expiration of the retention period, we securely delete or anonymize personal information using industry-standard methods including secure overwriting, cryptographic erasure, or physical destruction. Cloud-hosted data deletion includes removal from all backups and replicas, typically completed within 30-90 days to account for backup cycles.

We may retain certain information longer when required by law, necessary for legal proceedings, or to protect our rights and interests.

12. Information for Career Candidates

If you submit your professional information through our Website for career opportunities, please note:

• Database Inclusion: Your information will be added to our candidate database and may be shared with healthcare organizations seeking to hire professionals in your field
• Client Sharing: When we share your profile with potential employers, they become independent data controllers with their own privacy practices
• Retention Period: We retain active candidate profiles for 3 years from your last update or interaction
• Opt-Out: You may request removal from our candidate database at any time by emailing careers@sullivanmcg.com
• Continued Opportunities: We may continue to notify you of opportunities unless you specifically request complete removal

SMCG complies with Equal Employment Opportunity Commission (EEOC) recordkeeping requirements. We do not make hiring decisions based on protected characteristics and maintain candidate records in accordance with federal employment laws.

13. Children's Privacy

Our Website and services are designed for healthcare business professionals and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information from our systems promptly. If you believe we have collected information from a child under 18, please contact us immediately at privacy@sullivanmcg.com.

14. Third-Party Websites and Services

Our Website may contain links to third-party websites, including social media platforms, partner organizations, and service providers. This Privacy Policy applies only to our Website and does not cover information collected by third-party websites.

We are not responsible for the privacy practices, content, or security of third-party websites. Third-party websites may have different data collection, use, and security practices than SMCG.

Some third-party services integrated into our Website (such as social media plugins or embedded content) may collect information about your browsing behavior even if you do not interact with them. We disclose these integrations in Section 5 (Cookies and Tracking Technologies).

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a new "Last Updated" date.

For material changes that significantly affect your privacy rights or how we process your information, we will provide prominent notice through one or more of the following methods:

• Email notification to newsletter subscribers and registered users
• Prominent banner or notice on our Website
• Direct communication to recent service inquiries

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Website after changes become effective constitutes acceptance of the updated policy.

Prior versions of this Privacy Policy are available upon request by contacting privacy@sullivanmcg.com.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Related Legal Documents:

• Cookie Policy: sullivanmcg.com/cookie-statement/ - Learn about cookies and tracking technologies we use
• Terms of Use: sullivanmcg.com/terms-of-use/ - Understand the terms governing your use of our Website
• Legal Disclaimer: sullivanmcg.com/disclaimer/ - Important disclaimers about Website content and use

For specific privacy rights requests:

• California residents (CCPA/CPRA): privacy@sullivanmcg.com
• EEA/UK/Switzerland residents (GDPR): privacy@sullivanmcg.com
• Other state residents: privacy@sullivanmcg.com
• Career candidates: careers@sullivanmcg.com

We will respond to your inquiry or request within the timeframe required by applicable law, typically within 45 days.