Ginspire Health Privacy Policy
Effective date: October 1, 2025
Welcome to Ginspire Health—expert care, anywhere. This Privacy Policy explains what information is collected, how it is used and shared, and the choices available across ginspirehealth.com.
Who we are
Ginspire Health provides nationwide telemedicine services, laboratory coordination, and pharmacy fulfillment with discreet delivery.
This Policy applies to all web properties, patient intake forms, telehealth portals, communications, and related services operated by Ginspire Health.
Scope of this policy
This Policy covers personal information collected online and offline, including through virtual care visits, forms, and support channels.
Protected Health Information (PHI) handled in the course of providing clinical services is also governed by HIPAA and the Notice of Privacy Practices (NPP). Where HIPAA applies, the NPP controls any conflicting terms.
Information collected
Identification and contact: name, email, phone, mailing address, date of birth.
Account and support: login credentials, preferences, communications, and support history.
Health information (PHI): medical history, symptoms, clinician notes, vitals, orders, diagnoses, treatments, lab results, pharmacy data.
Transaction data: order details, shipping details, partial payment details processed via PCI‑compliant providers.
Device and usage: IP address, device identifiers, browser type, pages viewed, timestamps, referral URLs, and approximate location.
Cookies and similar tech: session and preference cookies, analytics, and limited marketing pixels as configured.
User content: forms, reviews, questionnaires, and messages submitted through the site or patient portal.
How information is used
Deliver care: schedule visits, verify identity, coordinate labs and pharmacies, prescribe and dispense where permitted, and ship treatments discreetly.
Operate and improve services: secure accounts, troubleshoot, analyze performance, and enhance features.
Personalize experiences: tailor content, recommendations, and care plans based on preferences and clinical guidance.
Communicate: send appointment updates, results notifications, service messages, and, where permitted, educational and promotional content.
Compliance and safety: meet legal, regulatory, and reporting obligations; prevent fraud, abuse, and security incidents.
Cookies and tracking
Types used:
Strictly necessary: core site, authentication, security.
Functional: preferences, language, saved progress.
Analytics: site performance and aggregate usage insights.
Limited marketing: only where permitted and never for PHI‑based targeting.
Controls: most browsers allow blocking cookies; site features may be limited if disabled. A cookie banner and preferences center can honor selections, including opt‑outs where required.
Do Not Track: current systems may not respond to DNT signals; applicable regional opt‑out mechanisms are respected where mandated (e.g., CPRA/CPA).
When information is shared
Service providers: HIPAA‑compliant vendors that support operations (EHR/telehealth platforms, labs, pharmacies, payment processors, cloud hosting, secure messaging). Sharing is limited to the minimum necessary to perform contracted services.
Care coordination: clinicians and licensed partners involved in diagnosis, treatment, lab orders, and pharmacy dispensing.
Legal and safety: to comply with law, court orders, public health reporting, insurance audits, or to protect rights, safety, and security.
Business transfers: in mergers, acquisitions, or reorganization, information may transfer subject to this Policy’s protections.
With consent: for any other purpose disclosed at collection and approved in advance.
No sale of PHI: PHI is not sold or used for cross‑context behavioral advertising. Non‑PHI is not sold as defined by state privacy laws.
PHI vs. non‑PHI
PHI is governed by HIPAA and the Notice of Privacy Practices. Typical examples include visit notes, labs, diagnoses, and prescriptions.
Non‑PHI includes site analytics, general account data, and marketing preferences. When information can be reasonably linked to care, it is treated with heightened protection consistent with HIPAA.
Data retention
Information is retained only as long as needed for care delivery and to meet legal, accounting, and regulatory requirements.
Medical records are retained in accordance with federal and applicable state law and then securely archived or deleted.
Security
Administrative, technical, and physical safeguards are employed, including access controls, encryption in transit and at rest where appropriate, vendor due diligence, and workforce training.
No method of transmission or storage is fully secure; risk‑based safeguards are continuously improved.
Choices and controls
Account and profile: update contact details, communication preferences, and certain settings in the account or by contacting support.
Marketing: unsubscribe links are provided in non‑transactional emails; essential service communications continue.
Cookies: manage via the site’s cookie preferences and browser settings.
Individual rights
HIPAA rights for PHI: access, amendment, accounting of disclosures, and restrictions as provided by law; see the Notice of Privacy Practices.
State privacy rights: residents of California (CPRA), Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Utah (UCPA), and states with similar laws may have rights to access, correct, delete, and opt out of certain processing.
EEA/UK residents (if services are accessed there): rights under GDPR, including access, rectification, erasure, restriction, portability, and objection, plus the right to lodge a complaint with a supervisory authority.
How to exercise: submit a verifiable request via the contact methods below; an authorized agent may act on a verified consumer’s behalf where permitted. Identity verification may be required.
Children’s privacy
Services are intended for adults. For any services provided to minors as allowed by law, parental or guardian consent is required, and PHI is protected under HIPAA.
If information about a child is believed to have been collected without appropriate consent, request deletion using the contact methods below.
International transfers
Data may be processed in the United States and other locations where vendors operate. Appropriate safeguards, such as contractual protections, are used for cross‑border transfers where required.
Third‑party links and tools
Links to external sites or embedded tools may be provided; those parties maintain their own privacy practices. Reviewing their policies is recommended before use.
Changes to this Policy
This Policy may be updated periodically to reflect operational, legal, or regulatory changes.
Material changes will be highlighted on the site, and the “Effective date” will be updated. Continued use after changes indicates acceptance.
Contact us
Email: privacy@ginspirehealth.com
Mailing: 1733, Avenida Del Sol, Boca Raton, FL, 33432 USA
Domain coverage
This Policy covers dev.ginspirehealth.com during the development phase and will apply to ginspirehealth.com upon launch. Any environment‑specific differences will be noted at the point of collection.
Regulatory disclosures (summary)
No discrimination for exercising privacy rights. Requests are processed within timelines required by applicable law.
Appeals process: Colorado and Virginia residents may appeal a denied request by replying to the decision notice; a written response will be provided within the statutory period.
Design notes for page build
Include a short, human‑readable Summary at the top with anchor links to sections (Collect, Use, Share, Choices, Rights, Security, Contact).
Add a sidebar table of contents for quick navigation and a prominent link to the HIPAA NPP.
Provide an in‑page privacy request form and cookie preferences modal accessible from the footer.
Implementation placeholders to finalize
Effective date
Privacy email confirmation
Physical mailing address and ZIP
Cookie banner/preference center configuration
If a jurisdiction‑specific notice or additional vendor list is needed, a brief addendum can be provided for California, Colorado, and other state laws, plus a public-facing subprocessors list for transparency.
