Privacy Policy

How we protect your information

How SRS Web Solutions and our family of healthcare technology products — mConsent, Caretap, mPayr, and Zaha AI — collect, use, and safeguard personal information when you visit our websites or interact with us.

Effective Date May 8, 2026
Last Updated May 8, 2026
Version 2026.4
Scope United States

This Privacy Policy explains how SRS Web Solutions, Inc. and its products—mConsent, Caretap, mPayr, and Zaha AI—collect, use, and share personal information about visitors to our websites and prospects who contact us.

If you are a patient, caregiver, employee, or other end user whose information was provided to us by a healthcare provider, home care agency, or other SRS customer, please see Section 8 (Customer Data and HIPAA). That information is governed by our contract with the organization that provided it — not by this Privacy Policy.

Section 01

Introduction and Scope

SRS Web Solutions, Inc. (“SRS,” “we,” “us,” or “our”) is a Minnesota corporation that builds healthcare technology. Our family of products includes mConsent (digital patient intake and consent), Caretap (Electronic Visit Verification and billing for home care agencies), mPayr (payments for dental practices), and Zaha AI (AI-assisted receptionist for dental offices). Throughout this Policy, we refer to these collectively as the “Services.”

This Privacy Policy describes how we collect, use, and share personal information when you:

  • visit srswebsolutions.com, mconsent.net, caretap.net, or any other website we own (our “Websites”);
  • request a demo, quote, or information about our Services;
  • subscribe to our marketing communications, newsletters, or events;
  • apply for employment with SRS; or
  • otherwise interact with us as a prospective customer, partner, investor, or member of the public.

What this Policy does not cover. This Policy does not apply to personal information that our customers upload into our Services about their patients, caregivers, employees, or other end users (“Customer Data”). That information—including Protected Health Information (PHI) under HIPAA—is handled under our customer agreements and Business Associate Agreements, not under this Policy. See Section 8 (Customer Data and HIPAA) for how we treat Customer Data and how to contact us if you believe we hold information about you as an end user of one of our customers.

By visiting our Websites or otherwise providing us with your personal information, you acknowledge that you have read and understood this Policy.

Section 02

Geographic Scope

SRS offers its Services to customers and prospects located in the United States. We do not target or knowingly offer our Services to residents of the European Economic Area, the United Kingdom, Switzerland, or other non-U.S. jurisdictions, and we have not designated a representative under the EU or UK General Data Protection Regulation.

If you access our Websites from outside the United States, please be aware that your information will be transferred to, stored in, and processed in the United States. Some of our engineering, quality assurance, and technical support personnel work from our affiliate office in Trivandrum, India, and may access limited information in the course of building, maintaining, and supporting our Services. Access by India-based personnel is governed by the same confidentiality, security, and access-control requirements that apply to our U.S. personnel. Customer Data containing Protected Health Information is accessed by India-based personnel only as necessary to provide and support the Services and only under the terms of the applicable Business Associate Agreement between SRS and the customer.

Section 03

Information We Collect

We collect the following categories of personal information, organized below using the taxonomy established by the California Consumer Privacy Act (CCPA) so you can see at a glance what we do and do not collect from website visitors.

3.1 Categories of personal information

Category Examples collected by SRS on our Websites
Identifiers Name, email address, phone number, company/practice name, job title, postal address (if provided), IP address, device identifiers, online identifiers.
Commercial information Products and Services you have inquired about, demos requested, sales conversations, purchase history (if you become a customer).
Internet or electronic network activity Pages visited on our Websites, referral source, time on page, clicks, scroll depth, browser type, device type, operating system, and other standard web/device telemetry collected via cookies and similar technologies (see Section 7). On mconsent.net and caretap.net, this also includes session-recording and heatmap data captured by Microsoft Clarity, which records visitor mouse movements, clicks, scrolls, and form interactions on the page.
Geolocation data Approximate (city/region) location derived from IP address. We do not collect precise GPS location from our Websites.
Professional or employment information Your role, employer, specialty, number of locations, practice management system in use — typically provided in a demo or contact form. For job applicants: resume, work history, references, and other information submitted through our applicant flow.
Audio / electronic information Recordings of sales or demo calls, voicemails, and email correspondence you send to us. We do not record calls without notice.
Inferences Marketing segments we derive from the information above (e.g., practice size, specialty, estimated interest) to tailor our communications.
Sensitive personal information We do not request, prompt, or design our Websites to collect sensitive personal information (such as Social Security number, driver’s license, financial account credentials, precise geolocation, racial or ethnic origin, religion, sex life, health information, or biometric identifiers) from website visitors. Please do not include sensitive information in forms or emails you send to us.
Important

The categories above describe information SRS collects about website visitors and prospects. Health information, caregiver records, insurance data, payment card data, and similar sensitive information that flows through our Services is Customer Data owned and controlled by our customers (typically a healthcare provider or home care agency), and is governed by our customer agreements and Business Associate Agreements. See Section 8.

3.2 Sources of personal information

We collect personal information from three categories of sources:

  • Directly from you — when you submit a contact or demo form, respond to marketing, attend an event, apply for a job, or email or call us.
  • Automatically — through cookies, pixels, server logs, and similar technologies when you visit our Websites. See Section 7.
  • From third-party sources — such as publicly available business directories, professional and trade publications, event organizers, business partners who refer you to us, and standard B2B contact-enrichment providers, in each case used in accordance with applicable law.

3.3 Notice at Collection

This Section 3, together with Section 4 (How We Use Information) and Section 9 (Data Retention), constitutes our notice at or before the point of collection for purposes of Cal. Civ. Code § 1798.100(b) and the California Privacy Protection Agency regulations. We provide a link to this Privacy Policy on each web form on which we collect personal information so that you have access to this notice before submitting your information.

Section 04

How We Use Information

We use the personal information we collect for the following purposes:

Operating our business and communicating with you

  • Responding to demo requests, quotes, support inquiries, and other communications you send us.
  • Scheduling and conducting sales conversations, demos, and product evaluations.
  • Providing service notifications, billing, account administration, and post-sale support if you become a customer (subject to your separate customer agreement).
  • Processing and evaluating employment applications.

Marketing, advertising, and outreach

  • Sending newsletters, product updates, educational content, invitations to webinars and events, and other marketing communications — subject to your communication preferences and applicable law.
  • Tailoring the content of our marketing and Websites based on the inferences described above.
  • On mconsent.net and caretap.net, delivering and measuring advertising on third-party platforms (including Meta and, on caretap.net, HubSpot), measuring conversions from advertising campaigns, and showing retargeted advertisements to visitors who have previously visited those sites.
  • Measuring the effectiveness of our marketing and events.

Website operations, analytics, and improvement

  • Operating, maintaining, and securing our Websites.
  • Understanding how visitors find and use our Websites so we can improve content, navigation, and performance, including (on mconsent.net and caretap.net) reviewing aggregated session-recording and heatmap data from Microsoft Clarity.
  • Debugging, monitoring for fraud and abuse, and otherwise protecting the integrity of our systems.

Legal, compliance, and protection

  • Complying with applicable laws, regulations, and legal process.
  • Enforcing our Terms of Use and other agreements.
  • Protecting the rights, property, and safety of SRS, our customers, our employees, and the public.
  • Conducting audits, investigations, and corporate due diligence.

With your consent or at your direction

  • Any other purpose disclosed to you at the point of collection or for which you provide consent.
Section 05

How We Share Information

We share personal information only with the following categories of recipients, and only for the purposes described above or with your consent.

Service providers and sub-processors

We engage third parties to help us operate our business—such as website hosting, email delivery, form processing, analytics, session-recording analytics, advertising and conversion measurement, marketing automation, cookie consent management, customer relationship management (CRM), and recruiting. These service providers are contractually restricted from using personal information for their own purposes, except as expressly permitted under the applicable contract or, for advertising and marketing-automation providers, as disclosed in this Policy and the Cookie Policy. A current list is in Section 6.

Within SRS and across our product family

We share information among SRS Web Solutions, Inc., its subsidiaries and affiliates, and our product teams (mConsent, Caretap, mPayr, Zaha AI) for the purposes described in this Policy. For example, if you contact us through mconsent.net, our SRS corporate sales or marketing team may follow up with you.

Business transfers

If SRS is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or similar transaction, personal information may be transferred as part of that transaction, subject to standard confidentiality protections. We will provide notice before your information becomes subject to a materially different privacy policy and, where required by applicable law, will offer you a reasonable opportunity to opt out of the transfer of your personal information or to request deletion before the change takes effect.

Legal, safety, and compliance

We may disclose personal information to government authorities, law enforcement, courts, or other third parties when we believe in good faith that disclosure is required or permitted by applicable law, legal process, or legitimate government request; to enforce our agreements; or to protect the rights, property, or safety of SRS, our customers, our employees, or others.

With your consent

We may share your personal information for any other purpose with your consent or at your direction.

Aggregated or de-identified information

We may share information that has been aggregated or de-identified so that it cannot reasonably be used to identify you. We do not attempt to re-identify de-identified data except as permitted by applicable law.

“Sale” and “sharing” under US state laws

SRS does not sell personal information for money.

For visitors to srswebsolutions.com, SRS does not “share” personal information for cross-context behavioral advertising. We do not deploy advertising pixels or data-broker enrichment services on our corporate Website that would constitute “sharing” under California or similar state privacy laws.

For visitors to mconsent.net and caretap.net, SRS deploys advertising and conversion-tracking pixels — including the Meta Pixel and (on caretap.net) HubSpot tracking — that may constitute “sharing” of personal information for cross-context behavioral advertising as defined under California and similar state privacy laws. California residents and other consumers with applicable rights may opt out of this sharing through the methods described in Section 12 and our Cookie Policy, including by clicking “Do Not Sell or Share My Personal Information” in the footer of those Websites.

Section 06

Sub-Processors and Service Providers

The table below lists the categories of service providers (sometimes called “sub-processors”) that SRS uses to operate our Websites and marketing operations. These vendors access personal information only as necessary to provide their services to us and are bound by contractual confidentiality and data-protection obligations. Where a sub-processor is deployed only on a specific domain, the applicable domain is identified in the “Purpose” column.

Category Provider Purpose
Website hosting Automattic, Inc. (WordPress.com) Hosting and content delivery for srswebsolutions.com.
Email and productivity Google LLC (Google Workspace) Business email, document storage, and internal collaboration.
Form processing WPForms, LLC Contact, demo, and investor inquiry forms on our Websites.
Website analytics Google LLC (Google Analytics 4) Measuring aggregate website traffic and performance, subject to cookie consent. mconsent.netcaretap.netsrswebsolutions.com (planned)
Session-recording analytics Microsoft Corporation (Microsoft Clarity) Heatmap and session-recording analytics that capture visitor mouse movements, clicks, scrolls, and form interactions on the page, used to understand how visitors navigate our product pages and improve usability. mconsent.netcaretap.net
Advertising and conversion tracking Meta Platforms, Inc. (Facebook Pixel and Conversions API) Measuring conversions from Meta (Facebook and Instagram) advertising campaigns and enabling retargeting to visitors who have previously visited our product pages. Constitutes “sharing” of personal information under California and similar state privacy laws. mconsent.netcaretap.net
Product-site analytics Zoho Corporation (Zoho Analytics) Visitor analytics on mconsent.net (separate from our Zoho CRM listed below). mconsent.net
Marketing automation and visitor tracking HubSpot, Inc. Marketing automation, lead tracking, and email-campaign attribution. May constitute “sharing” of personal information under California and similar state privacy laws. caretap.net
Cookie consent management Termly, Inc. Displaying our cookie banner, recording your consent choices, and honoring opt-outs and Global Privacy Control signals.
Customer relationship management (CRM) Zoho Corporation Managing sales inquiries, prospect records, and customer communications.
Applicant tracking (careers) LinkedIn Corporation; Indeed, Inc. Receiving and processing employment applications submitted through our careers page.
Engineering and technical support SRS affiliate office, Trivandrum, India Engineering, quality assurance, and Level 1/2 technical support. Access to personal information is limited to what is necessary for the role and is governed by the same policies as U.S. personnel.

We may update this list from time to time. Material additions will be reflected in a revised version of this Policy, and we will provide advance notice to customers through the notice mechanism in their Services Agreement. If you would like the current list of sub-processors that handle Customer Data under a Business Associate Agreement, contact privacy@srswebsolutions.com.

Section 07

Cookies, Analytics, and Tracking

We use cookies and similar technologies on our Websites to operate the sites, understand how visitors use them, and (with your consent where required) deliver and measure advertising. The categories below summarize what we deploy and on which domain. Detailed information about specific cookies and trackers, including durations and third-party recipients, is available in our Cookie Policy.

7.1 Categories of cookies we use

  • Strictly necessary cookies — required for the Websites to function, including session and security cookies, and the cookie that records your consent preferences. These cannot be disabled through the cookie banner.
  • Analytics cookies — we use Google Analytics 4 to understand aggregate visitor behavior. On mconsent.net and caretap.net, we additionally deploy Microsoft Clarity for heatmap and session-recording analytics, and on mconsent.net we deploy Zoho Analytics. These technologies record visitor interactions with the page (such as mouse movements, clicks, and form interactions in the case of Clarity) for the purpose of understanding usability and improving site performance.
  • Advertising cookies — on mconsent.net and caretap.net, we deploy the Meta Pixel for advertising-conversion measurement and retargeting on Meta platforms (Facebook and Instagram), and on caretap.net we deploy HubSpot tracking for marketing automation. These trackers may share information with the relevant advertising network and may constitute “sharing” of personal information for cross-context behavioral advertising under California and similar state privacy laws. Advertising cookies are not currently deployed on srswebsolutions.com. If we deploy additional advertising or marketing trackers on any of our Websites in the future, we will update this Policy and the Cookie Policy and provide an opt-out mechanism before the technology goes live.
  • Preference and functional cookies — record your cookie-consent choices, hold form state, and similar preferences. These are generally first-party cookies.

7.2 Your cookie choices

When you first visit our Websites, a consent banner managed by Termly appears asking you to accept or customize non-essential cookies. You can change your choices at any time by clicking “Cookie Settings” (and, where applicable, “Do Not Sell or Share My Personal Information”) in the footer of each Website.

You can also manage cookies through your browser settings, opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, and opt out of advertising cookies through the network-specific mechanisms identified in the Cookie Policy.

7.3 Global Privacy Control and Do Not Track

We honor the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing of personal information under California and other applicable state privacy laws. If your browser transmits a GPC signal, we will treat it as an opt-out request for that browser and device, including with respect to advertising cookies on mconsent.net and caretap.net. We do not currently respond to generic “Do Not Track” signals because there is no industry standard for how those signals should be interpreted.

Section 08

Customer Data and HIPAA

Our customers are healthcare providers, home care agencies, dental service organizations, and other organizations that use our Services to manage information about their patients, caregivers, employees, and other end users. We refer to all personal information that our customers upload to or generate through our Services as “Customer Data.”

Customer Data is not governed by this Policy

Customer Data is owned and controlled by the customer that provided it, and we process Customer Data only as permitted by our contract with that customer. This Privacy Policy does not apply to Customer Data. If you believe one of our customers holds information about you (for example, because you received care from a dental practice that uses mConsent, or are a caregiver or patient at a home care agency that uses Caretap), please contact that customer directly. They are responsible, as the data controller or covered entity, for responding to your request.

8.1 SRS as a HIPAA Business Associate

When Customer Data includes Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”), SRS operates as a Business Associate of the customer (the Covered Entity or upstream Business Associate). In that capacity, SRS executes a Business Associate Agreement (“BAA”) with each applicable customer before handling PHI.

The BAA, together with the Services Agreement between SRS and the customer, governs how SRS may access, use, disclose, and safeguard PHI. To the extent any provision of this Privacy Policy conflicts with the BAA or the Services Agreement with respect to PHI or other Customer Data, the BAA and Services Agreement control. The advertising and session-recording technologies described in Section 7 are deployed on our marketing Websites for visitor analytics and advertising, and are not deployed within our customer-facing Services or used to process PHI.

8.2 Requests from patients, caregivers, and other end users

If you are a patient, caregiver, employee, or other end user of one of our customers and you wish to access, correct, delete, or otherwise exercise rights over information that your healthcare provider or home care agency has uploaded to our Services, please contact that organization directly. SRS will support our customers in responding to such requests as required by HIPAA and applicable state law, but we do not have the authority to act on Customer Data without the customer’s direction.

Section 09

Data Retention

We retain personal information for as long as needed to fulfill the purposes for which it was collected and to comply with our legal, tax, accounting, and audit obligations. Actual retention periods depend on the type of information and the context of collection. The table below summarizes our standard retention practices for website visitor and prospect information.

Type of information Typical retention period
Inquiry and demo request records (no resulting sale) Up to 36 months from last contact.
Marketing subscription and email lists Until you unsubscribe, plus a limited suppression period to honor your unsubscribe request.
Prospect / CRM records of active opportunities For the duration of the active opportunity plus up to 7 years, consistent with standard business record-keeping.
Customer records (after becoming a customer) Retained per the Services Agreement; generally 7 years after termination of services, except as extended by legal hold or applicable law.
Website analytics (Google Analytics 4) Event-level data is retained for up to 14 months; aggregate reporting is retained longer.
Session-recording data (Microsoft Clarity) Up to 13 months, per the Microsoft Clarity service.
Advertising and conversion data (Meta, HubSpot) Up to 13 months at the third-party platform; retention is governed by that platform’s policies.
Cookies Per individual cookie; details are available in our cookie consent platform and the Cookie Policy. Most cookies expire in 24 months or less.
Employment applications Retained for up to 24 months after the application is submitted, or longer where required by applicable employment or equal-opportunity law.
Records subject to legal hold Retained for the duration of the legal hold, regardless of the retention periods above.

When we no longer need personal information, we will securely delete, destroy, or de-identify it in accordance with our data-disposal procedures.

Section 10

Data Security

SRS maintains administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include, as applicable to each environment:

  • Encryption of data in transit using industry-standard TLS, and encryption at rest for data stored in production systems handling Customer Data.
  • Role-based access controls, the principle of least privilege, and multi-factor authentication for administrative access to systems that process personal information.
  • Network segmentation, monitoring, logging, and intrusion-detection controls.
  • Background checks and confidentiality obligations for personnel with access to personal information, and annual security and privacy training.
  • Vendor due diligence and written agreements with sub-processors and service providers.
  • Periodic vulnerability assessments, penetration testing, and security reviews.
  • Documented incident response procedures.

No system can be guaranteed to be 100% secure. If you have a security concern or believe you have discovered a vulnerability affecting our Websites or Services, please contact security@srswebsolutions.com.

Section 11

Data Breach Notification

In the event of a security incident affecting your personal information, SRS will notify you in accordance with applicable law and without undue delay. Where SRS acts as a Business Associate under HIPAA, we will notify the affected Covered Entity in accordance with 45 C.F.R. § 164.410 and the terms of the applicable BAA. We will cooperate with our customers, regulators, and, where appropriate, law enforcement in investigating and responding to any security incident.

Section 12

Your US State Privacy Rights

Depending on the state in which you reside, you may have some or all of the following rights regarding your personal information. These rights apply to personal information that SRS collects about you as a website visitor, prospect, or job applicant — they do not apply to Customer Data held by our customers (see Section 8).

12.1 Rights that may be available to you

  • Right to know / access. Request confirmation that we process your personal information and receive a copy of the categories and specific pieces of personal information we have collected about you.
  • Right to correct. Request that we correct inaccurate personal information we hold about you.
  • Right to delete. Request deletion of personal information we have collected about you, subject to legal exceptions.
  • Right to portability. Request a copy of your personal information in a portable, machine-readable format.
  • Right to opt out of sale or sharing. SRS does not sell personal information for money. SRS does “share” personal information for cross-context behavioral advertising on mconsent.net and caretap.net through the Meta Pixel and (on caretap.net) HubSpot tracking, as described in Section 5 and our Cookie Policy. You have the right to direct us not to share your personal information for these purposes by clicking “Do Not Sell or Share My Personal Information” in the footer of those Websites, by rejecting advertising cookies in our cookie banner, or by submitting a request through the channels in Section 12.2.
  • Right to opt out of targeted advertising. You may opt out of targeted advertising on mconsent.net and caretap.net through the methods identified above.
  • Right to opt out of profiling that results in legal or similarly significant effects. We do not engage in this type of profiling with respect to website visitors.
  • Right to limit the use of sensitive personal information. We do not request, prompt, or design our Websites to collect sensitive personal information from website visitors (see Section 3).
  • Right to non-discrimination. We will not discriminate against you for exercising your privacy rights, including by denying services, charging different prices, or providing a different level of quality.
  • Right to appeal. If we deny a rights request, you may appeal that decision. We will review appeals and respond within the timeframe required by applicable law.

12.2 How to exercise your rights

You can submit a privacy rights request in any of the following ways:

  • “Do Not Sell or Share My Personal Information” link in the footer of mconsent.net or caretap.net (for opt-out of sharing for cross-context behavioral advertising).
  • Cookie Settings in the footer of any SRS Website.
  • Email: privacy@srswebsolutions.com, with a clear description of the right you are exercising and the state in which you reside.
  • Postal mail: SRS Web Solutions, Inc., Attn: Privacy Contact, 6885 139th LN NW, Suite 100, Ramsey, MN 55303.
  • Phone: 877-203-6767.

12.3 Verification

Before responding to a rights request, we will verify your identity. For most requests this means confirming that the email address, phone number, or other identifier you provide matches the information we have on file. For more sensitive requests or where required by law, we may ask for additional verification.

12.4 Authorized agents

You may use an authorized agent to submit a request on your behalf. We will require reasonable proof that the agent has permission to act for you (such as a signed, written authorization) and, where permitted by applicable law, may still ask you to verify your own identity directly with us.

12.5 Timing of response

We will confirm receipt of your request promptly and respond substantively within the timeframe required by the applicable law (generally 45 days, subject to extensions where permitted). If we need more time or cannot fulfill your request, we will tell you the reason.

Section 13

State-Specific Disclosures

The following disclosures supplement the rights described in Section 12 and apply to residents of the listed states. This section does not create rights in states that have not yet enacted comprehensive privacy laws, and it does not limit any right provided by applicable law.

13.1 California (CCPA/CPRA)

If you are a California resident, you have the rights described in Section 12 under the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the “CCPA”). This Section 13.1 provides the disclosures required by Cal. Code Regs. tit. 11, §§ 7011–7016.

(a) Categories of personal information collected in the preceding 12 months. During the 12 months preceding the Last Updated date of this Policy, SRS has collected the following CCPA categories of personal information about California residents who visit our Websites or contact us as prospects:

  • Identifiers (Cal. Civ. Code § 1798.140(v)(1)(A));
  • Commercial information (§ 1798.140(v)(1)(D));
  • Internet or other electronic network activity information (§ 1798.140(v)(1)(F));
  • Geolocation data, approximate only (§ 1798.140(v)(1)(G));
  • Audio, electronic, or similar information (§ 1798.140(v)(1)(H));
  • Professional or employment-related information (§ 1798.140(v)(1)(I)); and
  • Inferences drawn from the categories above (§ 1798.140(v)(1)(K)).

We have not collected, in the preceding 12 months, the following CCPA categories with respect to California website visitors: characteristics of protected classifications under California or federal law; biometric information; education information that is not publicly available personally identifiable information under FERPA; or sensitive personal information as defined under Cal. Civ. Code § 1798.140(ae).

(b) Sources of personal information. The categories of sources from which we collected the personal information described above are: directly from you; automatically through cookies, server logs, and similar technologies on our Websites; and from third-party sources such as publicly available business directories, professional and trade publications, event organizers, business partners, and B2B contact-enrichment providers. See Section 3.2.

(c) Business or commercial purposes for collection. We collected the personal information described above for the business and commercial purposes described in Section 4, including operating our business, communicating with you, marketing and advertising, website operations and analytics (including session-recording analytics on mconsent.net and caretap.net), legal and compliance, and any other purpose disclosed at the point of collection or to which you consent.

(d) Categories of third parties to whom personal information was disclosed for a business purpose, sold, or shared. In the preceding 12 months, we disclosed each of the categories identified in (a) above for a business purpose to the categories of recipients identified in Section 5 and Section 6: service providers and sub-processors (including hosting, email, form processing, analytics, session-recording analytics, advertising and conversion-tracking, marketing automation, consent management, CRM, and applicant tracking providers); SRS subsidiaries and affiliates; parties to a business transfer; and government authorities or other parties where required by law. We did not sell personal information for money. We “shared” personal information for cross-context behavioral advertising through the Meta Pixel deployment on mconsent.net and caretap.net, and through HubSpot tracking on caretap.net. Specifically, the Internet or electronic network activity information identified in (a) was shared with Meta Platforms, Inc. and (for caretap.net visitors) HubSpot, Inc. for cross-context behavioral advertising purposes.

(e) Sale and sharing. SRS does not sell personal information. SRS shares personal information for cross-context behavioral advertising on mconsent.net and caretap.net as described in (d) above. SRS has not sold the personal information of consumers under 16 years of age. SRS has no actual knowledge that we have shared the personal information of consumers under 16 years of age for cross-context behavioral advertising; our Websites are directed to adult healthcare professionals, not minors, and we do not knowingly process information about visitors under 16.

(f) Retention. We retain each category of personal information for the periods described in Section 9 (Data Retention).

(g) Sensitive personal information. We do not request, prompt, or design our Websites to collect sensitive personal information from visitors, and we do not use or disclose sensitive personal information for any purpose other than those permitted without an opt-out under Cal. Civ. Code § 1798.121(a) and Cal. Code Regs. tit. 11, § 7027(m).

(h) Financial incentives. We do not offer financial incentives in exchange for the retention or sale of personal information.

(i) Shine the Light. California Civil Code § 1798.83 permits California residents to request information about our disclosures of certain categories of personal information to third parties for those third parties’ direct marketing purposes. To make such a request, please contact privacy@srswebsolutions.com.

(j) Complaints. In accordance with California Civil Code § 1789.3, California residents may report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.

13.2 Texas (TDPSA)

If you are a Texas resident, you have the rights described in Section 12 under the Texas Data Privacy and Security Act (“TDPSA”). Under the TDPSA, we are required to:

  • Include a “NOTICE” in this Policy if we sell sensitive personal data. SRS does not sell sensitive personal data.
  • Include a “NOTICE” in this Policy if we sell biometric personal data. SRS does not sell biometric personal data.
  • Provide notice and an opt-out for the processing of personal data for targeted advertising. NOTICE: We may sell or process your personal data for targeted advertising on mconsent.net and caretap.net through the Meta Pixel and HubSpot tracking. You may opt out of this processing by clicking “Do Not Sell or Share My Personal Information” in the footer of those Websites or by emailing privacy@srswebsolutions.com.
  • Obtain your consent before processing sensitive personal data. SRS does not request, prompt, or design our Websites to collect sensitive personal data of Texas consumers.

13.3 Minnesota (MCDPA)

If you are a Minnesota resident, you have the rights described in Section 12 under the Minnesota Consumer Data Privacy Act (“MCDPA”), which took effect July 31, 2025. In addition to the rights above, the MCDPA gives you the right to question the result of any profiling decision, to be informed of the reasons the decision was reached, and to review the personal data used to reach the decision. SRS does not currently make automated profiling decisions about website visitors that produce legal or similarly significant effects. See Section 15 for our AI disclosure.

13.4 Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Delaware, New Hampshire, New Jersey, Maryland, Indiana, Nebraska, Kentucky, Tennessee, Iowa, and Florida

If you are a resident of one of the listed states, you have the rights described in Section 12 under that state’s comprehensive privacy law (for example, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, the Delaware Personal Data Privacy Act, the New Hampshire data privacy law, the New Jersey Data Privacy Act, the Maryland Online Data Privacy Act, the Indiana Consumer Data Protection Act, the Nebraska Data Privacy Act, the Kentucky Consumer Data Protection Act, the Tennessee Information Protection Act, the Iowa Consumer Data Protection Act, and the Florida Digital Bill of Rights).

The specific rights available to you, the thresholds for applicability, and the procedures for exercising rights vary by state. Where your state’s law provides a right to opt out of targeted advertising, you may exercise that right with respect to mconsent.net and caretap.net through the methods described in Section 12.2. If you are unsure what rights you have under your state’s law, contact us at privacy@srswebsolutions.com and we will work with you in good faith to identify and honor them.

Section 14

Consumer Health Data (Washington MHMD / Nevada SB 370)

Because SRS builds products in the healthcare and home care space, we take particular care with “Consumer Health Data,” a category of information defined under the Washington My Health My Data Act (“MHMD”), Nevada Senate Bill 370, and similar state laws. Consumer Health Data generally includes information that identifies a consumer’s past, present, or future physical or mental health status, including information that could be used to infer such status.

Scope of this section

Most health-related information we handle is Customer Data uploaded by our healthcare-provider and home-care-agency customers, and is therefore governed by HIPAA and our Business Associate Agreements rather than by the Washington and Nevada consumer health data laws. See Section 8. The protections described in this section apply to any Consumer Health Data that SRS directly collects from a website visitor outside of a HIPAA relationship.

14.1 Consumer Health Data we collect from visitors

SRS does not solicit Consumer Health Data through our corporate Websites and asks visitors not to submit it. Our Websites are not designed to elicit information about a visitor’s physical or mental health status, nor about any health condition, diagnosis, treatment, medication, or biometric or genomic data. Please do not include health information in contact forms, demo requests, or emails you send to us. Any health-related information that may incidentally be communicated to us by a prospect (for example, a customer describing their patient population in a sales conversation) is treated as confidential business information and is not used to identify any individual.

14.2 Your rights under Washington MHMD and Nevada SB 370

If you are a resident of Washington or Nevada and believe SRS has collected Consumer Health Data about you, you have the following rights:

  • The right to confirm whether we are processing your Consumer Health Data and to access that data.
  • The right to withdraw consent to our collection and processing of your Consumer Health Data.
  • The right to have your Consumer Health Data deleted.
  • The right to receive a list of third parties with which we have shared your Consumer Health Data, and to contact those third parties directly.

14.3 No sale of Consumer Health Data without authorization

SRS does not sell Consumer Health Data. Consistent with the Washington MHMD and Nevada SB 370, we will not sell Consumer Health Data unless we first obtain your valid, specific authorization that meets all of the statutory requirements.

14.4 How to contact us

To exercise any right described in this section, email privacy@srswebsolutions.com with “Consumer Health Data” in the subject line and a description of your request.

Section 15

AI and Automated Decisions

SRS builds and operates products that use artificial intelligence, including Zaha AI, our AI-assisted receptionist for dental practices. The disclosures below describe how AI is used in relation to personal information covered by this Policy.

15.1 AI on our corporate Websites

SRS does not use AI to make automated decisions about visitors to our corporate Websites that produce legal or similarly significant effects. Our sales and marketing teams may use AI-assisted tools to help categorize inquiries, draft replies, and prioritize outreach, but a human reviews and is responsible for any outcome that affects you.

15.2 AI within our Services

Within our Services, AI features operate on Customer Data under the direction of our customer and pursuant to the applicable Business Associate Agreement and Services Agreement. The availability, configuration, and scope of AI features vary by customer and by product. Human oversight is maintained for features that could materially affect patients, caregivers, or other individuals. See Appendix B for Zaha AI specifics.

15.3 Requests regarding automated decisions

If you believe you have been subject to an automated decision by SRS that produced a legal or similarly significant effect on you, contact privacy@srswebsolutions.com and we will review the situation, provide meaningful information about the logic involved to the extent required by applicable law, and, where required, provide an opportunity for human review.

Section 16

Children’s Privacy

Our Websites and Services are directed to healthcare and home care organizations and the adult professionals who operate them. They are not directed to children.

Children under 13. Consistent with the Children’s Online Privacy Protection Act (“COPPA”), we do not knowingly collect personal information from children under the age of 13 through our Websites. If we learn that we have inadvertently collected personal information from a child under 13, we will delete that information as soon as reasonably possible. If you believe that we may have collected information from a child under 13, please contact us at privacy@srswebsolutions.com.

Minors ages 13 to 15. SRS has not sold the personal information of minors ages 13 to 15. SRS does not knowingly share the personal information of minors ages 13 to 15 for cross-context behavioral advertising. Our Websites and Services are directed to adult healthcare professionals; we do not knowingly process information about visitors under 16. If a parent, guardian, or minor believes we have inadvertently received such information, please contact privacy@srswebsolutions.com and we will delete it.

Section 17

Third-Party Links

Our Websites may contain links to websites operated by third parties, including our product sites mconsent.net and caretap.net, our business partners, social media platforms, and other third-party services. This Privacy Policy does not apply to those websites. We are not responsible for the privacy practices, content, or security of websites we do not operate. We encourage you to review the privacy policies of any third-party website before providing personal information.

Section 18

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this Policy and post the updated Policy on our Websites. For material changes—including any change that would expand the purposes for which we use personal information, broaden the categories of recipients with whom we share it, or reduce your rights—we will provide advance notice by prominent notice on our Websites or by email, at least 30 days before the changes take effect, and, where required by applicable law, we will seek your affirmative consent before applying the changes to information we have already collected.

Prior versions of this Policy are available on request from privacy@srswebsolutions.com.

Section 19

Contact Us

SRS Web Solutions, Inc. is the controller of the personal information described in this Policy. You can reach us using any of the channels below.

Privacy Contact
privacy@srswebsolutions.com
Legal
legal@srswebsolutions.com
Security Issues
security@srswebsolutions.com
Phone
877-203-6767

Mailing addresses

Headquarters: SRS Web Solutions, Inc., Attn: Privacy Contact, 6885 139th LN NW, Suite 100, Ramsey, MN 55303.
Texas office: SRS Web Solutions, Inc., 5345 Towne Square Dr, Suite 230, Plano, TX 75024.

We appoint a Privacy Contact to oversee our privacy program and respond to requests and inquiries under this Policy. The Privacy Contact can be reached at the email and address above.

Appendix A

Caretap — Electronic Visit Verification and Home Care Billing

Caretap is SRS’s home care operations platform, including Electronic Visit Verification (EVV), scheduling, documentation, and billing for home care and home health agencies. This Appendix supplements the main Policy and describes data flows specific to Caretap. Personal information processed through Caretap is almost always Customer Data owned and controlled by the home care agency customer, and is governed by the Services Agreement and Business Associate Agreement between SRS and that agency. See Section 8.

A.1 Categories of data processed through Caretap

  • Caregiver information — name, contact information, employee identifier, credentials, scheduling, time and attendance records, and location at visit check-in and check-out (GPS, telephone line verification, or fixed-device verification, as selected by the agency).
  • Patient / client information — name, address, date of birth, Medicaid or other payer identifier, plan of care, services authorized, services rendered, and visit notes, as entered by the agency or its caregivers.
  • Visit verification data — the six EVV data elements required by section 12006 of the 21st Century Cures Act: type of service performed, individual receiving services, date of service, location of service, individual providing service, and time the service begins and ends.
  • Billing and claims data — claims submitted to Medicaid, Medicare, managed care organizations, or other payers on behalf of the agency.

A.2 EVV-specific data sharing under the 21st Century Cures Act

Under section 12006 of the 21st Century Cures Act and implementing CMS guidance, EVV data must be transmitted to the applicable state Medicaid program’s designated EVV aggregator or system of record. Caretap performs that transmission on behalf of its agency customers and only at the customer’s direction, in the format and through the interface specified by the applicable state Medicaid agency or its contractor. This transmission is a permitted disclosure under HIPAA for treatment, payment, and healthcare operations.

A.3 Location data

EVV requires verification of the location of the service. Caretap captures location data only in connection with visit check-in and check-out and only to the extent necessary to satisfy the applicable state Medicaid program’s EVV method. Caregivers are informed of location collection by the employing agency. Location data is not used for real-time caregiver surveillance outside of visit verification.

A.4 Role of the agency

The home care agency that uses Caretap is the data controller (and, where applicable, the HIPAA Covered Entity) with respect to caregiver and patient data entered into the platform. Agencies are responsible for providing privacy notices to their caregivers and patients, for obtaining any required consents, and for responding to individual rights requests. SRS, as the agency’s Business Associate and service provider, supports the agency in meeting those obligations.

A.5 Requests from caregivers and patients

If you are a caregiver or patient whose information is in Caretap, please contact your employing agency or care provider first — they are responsible for responding to your request. If you cannot identify the agency or need help reaching them, contact privacy@srswebsolutions.com and we will do our best to route your request to the right organization.

Appendix B

mConsent, mPayr, and Zaha AI — Dental and Medical Front-Office Services

mConsent, mPayr, and Zaha AI are SRS’s front-office products for dental and medical practices. mConsent provides digital patient intake, consent management, insurance verification, and patient communication. mPayr provides payment-processing and billing tools. Zaha AI provides an AI-assisted receptionist for inbound voice and appointment scheduling. This Appendix supplements the main Policy and describes data flows specific to these products.

As with Caretap, personal information processed through mConsent, mPayr, and Zaha AI is almost always Customer Data owned and controlled by the dental or medical practice customer and is governed by the Services Agreement and Business Associate Agreement between SRS and that practice. See Section 8.

B.1 Categories of data processed

  • Patient information — name, contact information, date of birth, medical and dental history as completed by the patient or the practice, signatures on consent forms, photographs where the practice collects them, insurance information, and related records.
  • Appointment and communication records — scheduled and completed appointments, reminders, confirmations, messages, and call records.
  • Payment data (mPayr) — payment amount, date, invoice reference, and tokenized payment method references. Full payment card numbers are not stored by SRS. mPayr uses a PCI-DSS-validated payment processor to handle card data, and SRS handles only limited, tokenized references for reconciliation and reporting.
  • Voice and call data (Zaha AI) — audio from inbound calls handled by the Zaha AI receptionist, transcripts generated from those calls, appointment intents and slots proposed, and related metadata. Callers are notified that the call is being handled by an AI receptionist as required by applicable state call-recording laws and the practice’s operational policies.

B.2 Zaha AI — AI-assisted call handling

Zaha AI uses automated speech recognition, natural language understanding, and large language model technology to answer calls, triage inquiries, and schedule appointments on behalf of a practice. Features that would cause a legal or similarly significant effect on a patient—such as clinical triage, coverage denials, or payment decisions—are outside the scope of Zaha AI. Human practice staff retain authority over decisions that could affect patient care. Zaha AI operates only on Customer Data under the direction of the practice customer and pursuant to the applicable BAA.

B.3 Payment processing (mPayr)

mPayr routes card and ACH payments through a PCI-DSS-validated payment processor. SRS does not store full primary account numbers (PANs) or full bank account numbers in our systems. Cardholder data protections are maintained through the payment processor’s PCI-compliant environment. Any surcharging, processing fees, or payment-terms disclosures are the responsibility of the practice customer and must comply with applicable state and federal law.

B.4 Role of the practice

The dental or medical practice is the data controller and HIPAA Covered Entity with respect to patient information processed through mConsent, mPayr, and Zaha AI. Practices are responsible for providing notices of privacy practices to patients, obtaining required consents (including TCPA express written consent for any SMS programs the practice elects to run), and responding to individual rights requests. SRS, as the practice’s Business Associate and service provider, supports the practice in meeting those obligations.

B.5 Requests from patients

If you are a patient whose information is in mConsent, mPayr, or Zaha AI, please contact your dental or medical practice directly — they are responsible for responding to your request. If you need help reaching them, contact privacy@srswebsolutions.com and we will do our best to route your request to the right organization.