What we collect.
Server logs (everyone who visits)
Our host, Netlify, automatically logs standard request data when you load a page: IP address, user agent string, referring URL, timestamp, and the resource requested. These logs exist to keep the site running, protect against abuse, and diagnose problems.
Email correspondence (if you write to us)
If you email any of our inboxes (referrals@, partnerships@, give@, or privacy@), we receive whatever you put in the message, including any attachments. Email is hosted on Google Workspace under a business associate agreement (BAA) with Google.
Donation information (if you give)
If you choose to support our mission, we currently arrange donations by direct correspondence — typically check, wire, or stock gift coordinated through our donations inbox. We do not operate an online payment form or accept card payments through this website. If we add a third-party payment processor in the future, this policy will be updated and the processor will handle your payment details under its own privacy and security terms.
Phone calls (when phone is live)
When our phone line becomes active, calls and voicemail will be handled through a telephony provider operating under a business associate agreement appropriate for the protected health information that may be communicated by referring care teams. We will confirm BAA scope before publishing the phone number on this site.
What we don't collect on this site
- No web forms that gather patient information
- No file uploads
- No member or patient portal login
- No live chat
- No advertising or marketing analytics in this version of the site. If we add analytics or similar tracking in the future, we will update this policy before turning it on.
How we use it.
We use the information we collect only for the purposes for which it was provided:
- Server logs — operate, secure, and improve the site.
- Email you send us — respond to you, coordinate care for referred members, manage partnerships, and document the interaction as required by law or contract.
- Donation records — process your gift, send you an acknowledgement, and meet our recordkeeping obligations as a California nonprofit.
- Phone calls and voicemail — return calls, route referrals, and document care coordination.
We do not sell your information. We do not use your information for advertising. We do not share your information with marketers. Donor names and contact details are treated as confidential and are used only to acknowledge gifts and meet our recordkeeping and reporting obligations as a California 501(c)(3) public charity; we do not rent, trade, or share our donor list.
Who we share it with.
We share information with a small number of vendors who help us run the organization. Each is bound to use the information only on our behalf and in line with applicable law.
- Netlify — static web hosting. Receives server access logs and serves this site to your browser.
- Google Workspace — email and document infrastructure. Hosts our inboxes (including referrals@) under a HIPAA business associate agreement.
- Telephony provider — when phone service is live, our phone, voicemail, and call routing will be provided on our Google Workspace tenant under the same BAA.
- Payment processor — not currently used. If we add a third-party processor for online donations in the future, this policy will be updated to identify it.
- Health plans, providers, and government agencies — for members we serve under CalAIM, we share information with the Medi-Cal Managed Care Plan that authorized care, with treating providers, and with the California Department of Health Care Services (DHCS) and its delegates, as required by the Medi-Cal program. These disclosures follow HIPAA and the terms of our contracts.
- Legal disclosures — we will disclose information if required by subpoena, court order, or other legal process, or to protect the rights, safety, or property of CBF, our members, or the public.
PHI and HIPAA.
Community Bridge Foundation operates under HIPAA's privacy and security requirements in connection with the protected health information we receive from referring care teams and Medi-Cal Managed Care Plans. We expect to formally be a covered entity once our Medi-Cal Managed Care Plan contracts take effect; in the interim we treat the information we hold to the same standard. The website itself does not collect protected health information (PHI), but our referrals@ inbox and, when active, our phone line do.
Patient referrals sent to referrals@communitybridgefoundationca.org are received by staff authorized to handle PHI. Email is delivered through Google Workspace under a business associate agreement.
Standard email between your organization and ours is not end-to-end encrypted on the open internet. If your organization requires secure email (encrypted gateway, Direct messaging, or another secure channel), tell us — we'll route the referral through a method your compliance team approves.
Individuals whose PHI we maintain have rights under the HIPAA Privacy Rule, including the right to:
- Access and obtain a copy of their PHI
- Request that we amend PHI they believe is incorrect
- Receive an accounting of certain disclosures
- Request restrictions on how their PHI is used or disclosed
- Request that we communicate with them by alternative means or at alternative locations
- File a complaint with our Privacy Officer (see the contact section below) or with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against anyone who files a complaint.
To exercise any of these rights, see the contact section below.
CMIA notice for California residents.
California's Confidentiality of Medical Information Act (CMIA) gives California residents additional protections for medical information held by health care providers and their contractors. When we receive a referral or coordinate care for a California Medi-Cal member, we handle that information in accordance with CMIA in addition to HIPAA.
You may request access to, correction of, or accounting of disclosures of medical information we maintain about you. Send those requests to the Privacy Officer (see below).
Your choices and rights.
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) define "business" in a way that generally excludes nonprofit organizations and entities under specific revenue and data-volume thresholds. We do not believe CBF currently meets the statutory definition of a covered business, and protected health information we hold is in any event excluded from those laws. Even so, our practice is to honor reasonable requests from anyone, regardless of where they live:
- Access — ask what information about you we hold
- Correction — ask us to correct information that is wrong
- Deletion — ask us to delete information, subject to our legal and contractual obligations to retain records
- Stop contacting you — ask us to remove you from our outreach lists
For information that is part of a member's health record under HIPAA or CMIA, the procedures in those statutes apply and take precedence over the general practice above. We may need to verify your identity before responding to a request.
How we protect information.
We use reasonable administrative, physical, and technical safeguards to protect the information we hold:
- Email and documents on Google Workspace with enforced multi-factor authentication and a HIPAA BAA
- Staff access limited to those with a legitimate need
- HTTPS transport encryption for traffic between your browser and this website, and TLS encryption in transit between standard email providers, though standard email is not end-to-end encrypted on the open internet (see Section 04)
- Privacy and security expectations communicated to anyone authorized to handle referral information, with formal HIPAA workforce training implemented as we onboard care management staff under our Medi-Cal Managed Care Plan contracts
No system is perfectly secure. If we become aware of a breach of unsecured protected health information or unauthorized access to medical information, we will provide notice to affected individuals, the U.S. Department of Health and Human Services, and California regulators to the extent and within the timeframes required by HIPAA, California Civil Code §§ 1798.29 / 1798.82, and the Confidentiality of Medical Information Act.
How long we keep it.
We keep information only as long as necessary to fulfill the purposes described in this policy, or as required by law and the Medi-Cal program. PHI and member records are retained according to the schedules required by HIPAA, CMIA, and our contracts with Medi-Cal Managed Care Plans and DHCS — generally measured in years, not days. General email, server logs, and donation records are kept on shorter schedules consistent with normal business needs and tax recordkeeping.
Children's privacy.
This website is not directed at children under 13, and we do not knowingly collect information from children through it. We do, of course, serve minors in the course of providing CalAIM services — that information is handled under HIPAA and CMIA, not through this website.
Cookies and similar technologies.
We do not set our own cookies or use analytics or advertising trackers on this site. The third parties that help us serve the site — our host (Netlify) and the font provider (Google Fonts) — may set technical cookies or log requests in the normal course of delivering their services. If we add analytics or other tracking in the future, we will update this policy first.
Changes to this policy.
We may update this policy as our services, vendors, or applicable law change. When we make a material change, we will update the "Last updated" date at the top and, for significant changes, post a notice on this page for a reasonable period. The current version always lives at this URL.
How to reach us.
For general privacy questions about this website, email our partnerships inbox. For requests involving PHI under HIPAA or medical information under CMIA — access, amendment, accounting, restriction, or complaint — contact our Privacy Officer.
Get in touch.
Community Bridge Foundation
privacy@communitybridgefoundationca.org
This privacy policy is published in plain English and is intended to describe our actual practices. It is not legal advice.