Privacy Policy

ESA Letter Online is a technology platform that facilitates telehealth ESA evaluations. ESA Letter Online operates as a HIPAA-compliant Business Associate and takes its obligations to protect your Protected Health Information (PHI) seriously. ESA letters issued through the platform bear the letterhead of Counseling Now® (a DBA of Kentucky Counseling Center LLC), a licensed clinical practice that serves as the clinical brand for verification purposes. For a full description of each entity's role, see Section 2 of our Terms of Service.

We collect the following types of information:

• Identity Information: Full name, date of birth, email address
• Health Information: Reported symptoms, current treatments, mental health history (PHI)
• Pet Information: Type and name of your emotional support animal
• Housing Information: Type of housing situation
• Payment Information: Processed by Stripe — we do not store raw card data
• Technical Data: IP address, browser type, device info (for security purposes)

• To facilitate your telehealth evaluation and connect you with a licensed clinician
• To generate and deliver your ESA letter (if approved)
• To process your payment and manage your account
• To comply with legal obligations, including HIPAA
• To improve platform functionality (aggregated, de-identified data only)

We do not sell your personal information. We do not use your health information for advertising.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Your information is shared only with:

• Assigned Clinician: The licensed mental health professional conducting your evaluation
• Stripe: For payment processing, under their own privacy policy
• SendGrid: For secure email delivery of your documents
• Law enforcement: Only when legally compelled

As a client, you have the right to:

• Access a copy of your health information
• Request corrections to inaccurate information
• Request an accounting of disclosures
• Request restrictions on use of your PHI
• File a complaint with the U.S. Department of Health and Human Services

To exercise these rights, contact us.

We use industry-standard security measures including:

• TLS/SSL encryption for all data in transit
• Encrypted database storage for all PHI
• Role-based access control — clinicians only see their assigned clients
• Session expiration and secure authentication

We retain your health records for a minimum of 7 years following your evaluation, as required by applicable state and federal regulations. You may request deletion of non-PHI account data at any time.

We use session cookies to keep you logged in. We do not use tracking or advertising cookies. You may disable cookies in your browser settings, though some features may not function properly.

Our services are not directed to individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us information, please contact us immediately.

We may update this policy periodically. We will notify you of material changes via email. Continued use of our services after changes constitutes your acceptance.

For privacy or general support questions, please visit our contact page.