Privacy Policy

1. Information We Collect

We collect information you provide directly, information generated through your use of the Services, and information received from third parties that support clinical care or business operations. Categories of information include:

• Identity and contact: legal name, date of birth, email address, phone number, and mailing or shipping address.
• Health information: medical history, current medications, allergies, symptoms, intake responses, laboratory results, clinician notes, prescription records, and other PHI.
• Identification documents: government-issued ID and photographs used to verify identity where required.
• Payment information: billing address, last four digits of the payment card, and transaction history. Full card numbers are collected and stored by our payment processor, not by us.
• Communications: secure messages to clinicians and support, email correspondence, and call records for scheduling or customer care.
• Technical and usage: IP address, device and browser type, pages viewed, referring URLs, and cookie identifiers.

2. How We Use Information

We use the information we collect to deliver and improve the Services. Specifically, we use information to:

• Create and maintain your account and authenticate access to the platform.
• Facilitate clinical care, including routing intakes to the clinical entity, supporting licensed clinicians in treatment decisions, coordinating laboratory services, and supporting pharmacy fulfillment.
• Process payments, produce receipts and refunds, and maintain records for accounting and tax purposes.
• Send transactional communications about your care, including appointment reminders, prescription status, shipment notifications, and required disclosures.
• Send marketing communications that you have opted to receive. You can opt out at any time.
• Monitor and improve performance, security, and usability of the Services, including fraud prevention and abuse detection.
• Comply with applicable laws and respond to lawful requests from regulators, licensing boards, or law enforcement.

3. Disclosure and Subprocessors

We do not sell personal information. We share information with service providers and clinical partners who process data on our behalf under written agreements that restrict their use of information and, where required, Business Associate Agreements under HIPAA. Our current categories of subprocessors include:

• Clinical entity of Saad Mohammad, MD (Clinical Director): the independent professional entity through which licensed clinicians deliver care on the platform.
• Beluga Health: clinician network and telemedicine support services.
• DoseSpot: electronic prescribing and pharmacy routing.
• Quest Diagnostics: laboratory collection, testing, and results delivery.
• Stripe: payment processing and storage of cardholder data.
• Resend: transactional and marketing email delivery.
• Anthropic: large language model infrastructure used to power supportive, non-diagnostic AI features within the platform.

We may also disclose information to comply with applicable law, enforce our Terms of Service, protect the rights, property, or safety of patients, clinicians, or third parties, and in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.

4. Retention

We retain PHI in medical records for a minimum of seven (7) years, consistent with Florida medical record retention requirements (see, e.g., Fla. Stat. § 395.3025 and related Board of Medicine rules). Billing and tax records are retained in accordance with applicable federal and state law. Account, communication, and technical logs are retained for as long as your account is active and for a reasonable period thereafter to meet operational, legal, or audit requirements. When information is no longer needed, we dispose of it using reasonable administrative, physical, and technical safeguards.

5. Your Rights

Depending on the type of information and applicable law, you have the right to:

• Access: request a copy of the information we maintain about you, including your designated record set under HIPAA.
• Correction and amendment: request correction of inaccurate information or amendment of PHI in your designated record set.
• Deletion: request deletion of personal information that we are not required to retain for clinical, regulatory, or other legal reasons.
• Opt out of marketing: unsubscribe from marketing emails using the link in each message. Transactional communications about your care are not optional while you hold an active account.
• Complaints: file a complaint with us or with a regulator. Filing a complaint will not result in retaliation.

To exercise any of these rights, contact us using the information below. We will verify your identity before responding to a request.

6. Security

We maintain administrative, physical, and technical safeguards designed to protect information from unauthorized access, use, or disclosure. These include access controls, encryption in transit, restricted production access, logging, and regular review of vendor security postures. No system is perfectly secure, and we cannot guarantee absolute security.

7. Children

The Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last Updated” date at the top of this page reflects the most recent revision. Material changes will be communicated through the Services or by email.

9. Contact Us

Questions about this Privacy Policy, your information, or exercise of your rights can be directed to our Privacy Officer at legal@getignite.health.