Privacy Policy
1.0 · Effective June 12, 2026 · Last Updated June 12, 2026
DRAFT FOR ATTORNEY REVIEW. Original starting draft for Biomarker Health. Not legal advice; must be reviewed and finalized by counsel before it goes live in production.
1. Introduction
This Privacy Policy explains how Biomarker Health Holdings LLC, doing business as Biomarker Health ("Biomarker Health," "we," "us," or "our"), collects, uses, shares, and protects information when you visit biomarker-health.web.app, use our applications and telehealth platform, or interact with our clinic and Services (collectively, the "Services").
Important — two sets of rules apply to your information. Much of the health information we hold as a healthcare provider is "protected health information" (PHI) governed by the Health Insurance Portability and Accountability Act (HIPAA). Our handling of PHI is described in our separate Notice of Privacy Practices, which controls in any conflict with this Policy for information that is PHI. This Privacy Policy covers our broader data practices, including website and app information and information that is not PHI.
By using the Services, you agree to this Policy. If you do not agree, do not use the Services.
2. Information We Collect
Information you provide to us:
- Account and identity information: name, date of birth, email, phone, mailing and billing address, and login credentials.
- Health information: the medical history, symptoms, medications, lifestyle details, and intake responses you submit; biomarker and laboratory results; and information generated during consultations and treatment, including hormone, peptide, and GLP-1 plans.
- Payment information: payment-card or other payment details, processed by our payment provider (we do not store full card numbers).
- Communications: messages you send to us or to providers through the Services, and records of support interactions.
Information we collect automatically:
- Device and usage data: IP address, device type, browser, operating system, pages viewed, and interactions with the Services.
- Cookies and similar technologies: as described in Section 6.
Information from third parties:
- Laboratories and pharmacies that process your tests or prescriptions.
- Service providers and identity-verification or fraud-prevention vendors.
- Referral sources, if you were referred to us.
3. How We Use Information
We use information to:
- Provide, operate, and improve the Services, including scheduling, lab ordering, consultations, and treatment-plan management;
- Verify your identity and eligibility and prevent fraud and misuse;
- Process payments and administer memberships;
- Communicate with you about appointments, results, your account, and service updates;
- Provide customer support and respond to your requests;
- Maintain the security and integrity of our systems;
- Comply with legal, regulatory, and professional obligations;
- With your consent where required, send you marketing or educational communications (you can opt out at any time).
We do not sell your personal information, and we do not use or disclose PHI for marketing except as permitted by HIPAA and described in our Notice of Privacy Practices.
4. How We Share Information
We share information only as needed to run the Services and as permitted by law:
- With your treating providers and clinical staff to deliver care.
- With laboratories and pharmacies to fulfill testing and prescriptions.
- With service providers (for example, cloud hosting and infrastructure, payment processing, communications, scheduling, and analytics) who act on our behalf under contracts that require them to protect your information. Where these vendors handle PHI, they do so as HIPAA "business associates" under a Business Associate Agreement.
- For legal and safety reasons: to comply with applicable law, subpoenas, or government requests; to enforce our Terms; or to protect the rights, safety, or property of you, us, or others.
- In a business transaction: in connection with a merger, financing, acquisition, or sale of assets, subject to appropriate confidentiality protections and applicable law.
- With your direction or consent: when you ask us to share information with a third party.
5. Our Technology Stack and Data Location
We use cloud infrastructure (including Google Cloud Platform and Firebase) and other reputable service providers to host and operate the Services within the United States. We require our infrastructure and service providers to maintain appropriate security and, where they handle PHI, to sign Business Associate Agreements.
6. Cookies and Tracking Technologies
We and our service providers use cookies and similar technologies to keep you logged in, remember preferences, measure performance, and improve the Services. We use analytics and tracking tools (which may include Google Analytics and similar services) to understand how visitors find and use our website and app, measure engagement, and improve the Services. You can control cookies through your browser settings, and you can opt out of certain analytics collection using the opt-out mechanisms those vendors provide. Disabling some cookies may affect functionality.
7. Data Retention
We retain personal information for as long as needed to provide the Services and for legitimate business and legal purposes. Medical records are retained for the period required by applicable Florida and federal law, which may be longer than the period for other data. When information is no longer required, we securely delete or de-identify it.
8. How We Protect Information
We maintain administrative, technical, and physical safeguards designed to protect your information, including encryption in transit and at rest, access controls, and monitoring. No system is perfectly secure, and we cannot guarantee absolute security. If a breach affecting your information occurs, we will notify you as required by law.
9. Your Privacy Choices and Rights
Depending on where you live, you may have rights regarding your personal information, such as the right to:
- Access a copy of the personal information we hold about you;
- Correct inaccurate information;
- Delete certain information;
- Opt out of marketing communications;
- Opt out of certain processing such as targeted advertising or the "sale" or "sharing" of personal information (we do not sell personal information).
Florida residents have rights under the Florida Digital Bill of Rights, and residents of other states may have similar rights under their state laws. Note: rights regarding PHI are governed separately by HIPAA and described in our Notice of Privacy Practices. To exercise a right, contact us using the contact information in Section 12. We will verify your identity before responding and will not discriminate against you for exercising your rights. You may also designate an authorized agent where the law allows.
10. Children's Privacy
The Services are intended for adults 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected such information, we will delete it.
11. Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a new effective date and, for material changes, provide additional notice through the Services. Your continued use after the update constitutes acceptance.
12. Contact Us
Biomarker Health Holdings LLC d/b/a Biomarker Health
Attn: Privacy
Orlando, Florida
Email: legal@biomarkerhealth.com
For questions specifically about protected health information, see our Notice of Privacy Practices.