Privacy Policy

1. Who we are and what this policy covers

This Privacy Policy explains how The Institute for Spine Surgery, operated by New York Brain and Spine Surgery, P.C. (“ISS Health,” “we,” “us,” or “our”), collects and handles information through our website at iss.health and any related pages we control (the “Site”).

This policy covers information we collect through the Site, such as details you enter into a contact or appointment request form, files you download, and technical information your browser shares automatically when you visit.

This policy does not cover protected health information that we create or maintain as part of caring for you as a patient. That information is governed by the Health Insurance Portability and Accountability Act (HIPAA) and is described in our separate Notice of Privacy Practices, which you can find online or request from our office. If anything in this policy appears to conflict with our Notice of Privacy Practices regarding your protected health information, the Notice of Privacy Practices controls.

2. Please do not send sensitive health details through the Site

Our website forms are intended for general inquiries and appointment requests. Please do not include detailed medical history, test results, diagnoses, or other sensitive health information in a web form or email. Standard email and general web forms are not secure channels. If we need clinical information from you, our office will contact you through a secure method and explain how to share it safely.

3. Information we collect

Information you provide to us

When you fill out a contact form, request an appointment, ask a question, subscribe to updates, or download a resource such as our patient guide, we collect the information you choose to give us. This typically includes your name, email address, phone number, your reason for reaching out, and any message you write.

Information collected automatically

Like most websites, we and our service providers collect certain technical information when you visit, including your IP address, browser type, device type, operating system, the pages you view, the links you click, the referring page, and the date and time of your visit. We collect this through cookies and similar technologies described in Section 5.

Information from third parties

If you reach us through a directory listing, a referral source, or a social media link, we may receive limited information from that source, such as how you found us.

We do not knowingly collect more information than we need to respond to you and to operate the Site.

4. How we use information

We use the information described above to:

• Respond to your questions and appointment requests
• Schedule and confirm appointments and follow up with you
• Send resources or updates you have asked to receive
• Operate, maintain, secure, and improve the Site
• Understand how visitors use the Site so we can make it more useful
• Comply with our legal, regulatory, and professional obligations
• Detect, prevent, and respond to fraud, abuse, and security incidents

We do not use the information you provide through the Site to make automated decisions that produce legal or similarly significant effects about you.

5. Cookies, analytics, and tracking technologies

Cookies are small files placed on your device. We use them, along with similar technologies, for the purposes described below.

Essential cookies

These keep the Site working, remember your preferences, and help keep it secure. The Site relies on these to function. We also use Google reCAPTCHA to protect our forms from spam and abuse; its use is governed by the Google Privacy Policy and Terms of Service.

Analytics cookies

These help us understand which pages visitors find helpful and where the Site can be improved. We use privacy conscious analytics for this purpose.

Advertising and conversion measurement

We use Google Ads conversion tracking on select pages, including parts of our concussion program, to measure whether a visit followed one of our ads. We do not send your name, contact details, or any health or condition specific information to advertising or analytics networks. You can manage ad personalization in your Google Ad Settings, and we honor the Global Privacy Control signal as described under Your choices.

Your choices

Most browsers let you refuse or delete cookies through their settings. Blocking essential cookies may affect how the Site works. We also honor recognized browser based opt out signals, including the Global Privacy Control (GPC), as a request to opt out where applicable law gives that signal legal effect.

6. How we share information

We do not sell your personal information, and we do not share it for cross context behavioral advertising.

We share information only in these limited situations:

• Service providers. We use trusted vendors that host the Site, manage forms and scheduling, send communications, and provide analytics. They may handle your information only to perform services for us and are required to protect it. For example, appointment requests are delivered to our care team through Paubox, a HIPAA compliant email provider; see the Paubox Privacy Policy. Where a vendor handles protected health information on our behalf, we enter into a HIPAA business associate agreement with that vendor.
• Legal and safety reasons. We may disclose information when we believe in good faith that it is required by law, legal process, or a government request, or where disclosure is needed to protect the rights, safety, or property of our patients, our staff, or the public.
• Business changes. If our practice is involved in a merger, acquisition, or transfer of assets, information may be transferred as part of that transaction, subject to this policy.

7. Links to other sites

The Site may link to other websites we do not control, including affiliated practices, partner organizations, and resources mentioned in our content. This policy does not apply to those sites. We encourage you to review the privacy practices of any site you visit.

8. How we protect information

We maintain administrative, technical, and physical safeguards designed to protect the information we collect, consistent with our obligations under HIPAA and the New York SHIELD Act. These include encryption of data in transit, access controls, and ongoing monitoring. No method of transmission over the internet is completely secure, so we cannot guarantee absolute security, but we work to protect your information and to respond promptly if an issue arises.

9. How long we keep information

We keep the information you submit through the Site only as long as needed for the purposes described in this policy, to meet our legal, regulatory, and professional record keeping obligations, and to resolve disputes. When information is no longer needed, we take reasonable steps to delete it or render it unidentifiable. Medical records are retained according to the separate requirements that apply to patient records under applicable law.