Notice of Privacy Practices
About This Notice
[ENTITY_NAME], LLC voluntarily adopts the privacy and security standards established by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), for the protection of your health information.
Important context: Vital IQ is a wellness technology company, not a healthcare provider, health plan, or healthcare clearinghouse. We are not a "covered entity" as defined by HIPAA. However, we believe your health data deserves the highest standard of protection available, and we voluntarily commit to handling your health information in accordance with HIPAA's Privacy Rule and Security Rule standards.
This Notice of Privacy Practices ("Notice") describes how we protect your health information and explains your rights regarding that information. It applies to all health information we create, receive, maintain, or transmit in the course of providing the Vital IQ Service.
This Notice should be read together with our Privacy Policy, which provides comprehensive information about all of our data practices, and our Consumer Health Data Privacy Policy, which provides disclosures required by state consumer health data laws.
Our Commitment
By voluntarily adopting HIPAA standards, we commit to:
- Maintaining administrative, physical, and technical safeguards that meet or exceed the requirements of the HIPAA Security Rule
- Following the HIPAA Privacy Rule's minimum necessary standard — using and disclosing only the minimum amount of health information needed for each purpose
- Processing your health data through HIPAA-compliant infrastructure under an active Business Associate Agreement with Google Cloud Platform
- Training our personnel on privacy and security obligations
- Maintaining an incident response program with breach notification capabilities consistent with the HIPAA Breach Notification Rule
- Conducting regular risk assessments and compliance monitoring
- Documenting our privacy and security practices for accountability
Health Information We Protect
For purposes of this Notice, "health information" includes all individually identifiable health data we collect, create, or maintain about you, including:
- Laboratory results: Biomarker values, reference ranges, lab names, and test dates from reports you upload
- Biological age and health scores: Calculations derived from your biomarker data using our algorithms
- AI-generated health insights: Biomarker interpretations, personalized analysis, correlation insights, daily briefings, and companion chat responses
- Medication and supplement records: Names, dosages, frequencies, schedules, adherence logs, interaction results, and photo-extracted medication data
- Health conditions: Conditions you report during onboarding or through the Service
- Wearable health data: Heart rate, heart rate variability, sleep data, step counts, and blood glucose readings synced from connected devices
- Journal and voice data: Symptom journal entries, voice check-in transcripts, quick log entries (mood, energy, stress, and related health indicators)
- Provider documents: Clinical notes, medical records, and other documents you upload for processing
- Health questionnaire responses: Answers you provide about your health history, goals, and lifestyle
How We May Use and Disclose Your Health Information
Uses and Disclosures for Service Operations
We use and disclose your health information as necessary to provide and operate the Service you have requested, including:
Analysis and Interpretation
- Processing your uploaded lab reports through our AI pipeline to extract, standardize, and interpret biomarker results
- Calculating biological age using validated algorithms
- Generating health scores and projections
- Running correlation analysis across your health data to identify patterns
- Generating daily health briefings tailored to your data
- Re-analyzing results when your health context changes
Personalization
- Injecting your health context (medications, conditions, wearable data, journal entries) into AI interpretation prompts so that results account for your full health picture
- Generating personalized follow-up questions about your biomarker results
- Tailoring AI Health Companion responses based on your health profile
- Personalizing engagement content based on your feature usage
Medication Management
- Checking your active medications and supplements for drug-drug interactions
- Processing medication photos and barcode scans for identification
- Parsing freeform supplement stack descriptions into structured records
- Monitoring medication supply levels and sending reminders
Quality Assurance
- Using independent AI audit agents to verify the accuracy of extraction, classification, and interpretation outputs
- Monitoring pipeline quality metrics
- Generating quality reports for internal review
Uses and Disclosures with Your Authorization
We will obtain your specific authorization before using or disclosing your health information for purposes not described in this Notice. You may revoke any authorization at any time by contacting us at [PRIVACY_EMAIL], except to the extent we have already taken action in reliance on the authorization.
Uses and Disclosures Required or Permitted by Law
We may use or disclose your health information without your authorization in the following limited circumstances, as required or permitted by applicable law:
- Legal process: In response to a court order, subpoena, warrant, or other lawful legal process, after evaluating the request for validity and scope
- Law enforcement: As required by applicable law in response to a valid law enforcement request, limited to the minimum information necessary
- Public health and safety: To prevent or lessen a serious and imminent threat to the health or safety of a person or the public, disclosed only to someone reasonably able to prevent or lessen the threat
- Required by law: Where disclosure is mandated by federal, state, or local law
Our commitment regarding legal requests: We will evaluate every legal request for validity, specificity, and scope. When legally permitted, we will notify you before disclosing your health information. We will oppose requests we believe are overly broad or otherwise improper. We will not voluntarily disclose your health information to law enforcement absent a valid legal requirement.
Uses and Disclosures Involving De-Identified Data
We may create de-identified data derived from your health information by removing all 18 categories of identifiers specified by the HIPAA Safe Harbor de-identification method. Once de-identified, this data is no longer subject to HIPAA protections because it cannot reasonably be used to identify you. We use de-identified, aggregated data for Service improvement and research purposes. We contractually prohibit any recipient of de-identified data from attempting re-identification.
Your Rights Regarding Your Health Information
Even though our adoption of HIPAA standards is voluntary, we provide you with the following rights consistent with the HIPAA Privacy Rule:
Right to Access
You have the right to inspect and obtain a copy of your health information that we maintain. You may:
- View your health information directly within the app (reports, medications, journal entries, wearable data, companion sessions, insights, and scores)
- Request a comprehensive data export containing all of your health information (Settings > Privacy > Export My Data)
- Request a copy of your data in electronic format (JSON)
We will provide the requested access within 30 days of a verified request. If we need additional time (up to 30 additional days), we will notify you of the reason for the delay.
Right to Amendment
You have the right to request that we amend your health information if you believe it is inaccurate or incomplete. You may:
- Correct account information directly in the app (age, biological sex, weight, conditions)
- Add, modify, or delete medications and supplements
- Edit or delete journal entries
- Contact us to request amendments to data that cannot be edited in-app
We will respond to amendment requests within 60 days. If we deny an amendment request, we will provide the reason in writing and inform you of your right to submit a statement of disagreement.
Right to an Accounting of Disclosures
You have the right to receive an accounting of certain disclosures of your health information that we have made. This accounting covers disclosures made for purposes other than service operations, payment, and those you authorized. To request an accounting, contact us at [PRIVACY_EMAIL]. We will provide the accounting within 60 days.
Right to Request Restrictions
You have the right to request that we restrict how we use or disclose your health information. While we are not required to agree to your request (consistent with HIPAA's standard for non-covered entities voluntarily adopting these practices), we will consider all restriction requests in good faith. If we agree to a restriction, we will abide by it except in emergency situations.
To request a restriction, contact us at [PRIVACY_EMAIL] with a description of the specific restriction you are requesting.
Right to Confidential Communications
You have the right to request that we communicate with you about your health information through specific means or at specific locations. For example, you may request that we send notifications only to a specific email address. We will accommodate reasonable requests.
To request confidential communications, adjust your notification preferences in the app (Settings > Notifications) or contact us at [PRIVACY_EMAIL].
Right to a Copy of This Notice
You have the right to obtain a paper or electronic copy of this Notice at any time. This Notice is available:
- In the app (Settings > Legal)
- On our website at [WEBSITE_URL]/hipaa
- By request to [PRIVACY_EMAIL]
Right to Withdraw Consent
You have the right to withdraw your consent for the collection and processing of your health information at any time. Withdrawal of consent will disable AI-powered features that require your health data. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
To withdraw consent, visit Settings > Privacy > Manage Consents in the app.
Right to Deletion
Consistent with both HIPAA best practices and applicable state privacy laws, you have the right to request deletion of your health information. We will complete deletion within 30 days of a verified request, subject to limited exceptions for data we are required by law to retain.
To request deletion, use the account deletion feature in the app (Settings > Privacy > Delete My Account) or contact us at [PRIVACY_EMAIL].
Our Duties
Under our voluntary adoption of HIPAA standards, we commit to the following duties:
- Maintain this Notice: We are required to abide by the terms of this Notice currently in effect
- Notify you of changes: We will notify you if we make material changes to this Notice
- Protect your information: We will maintain administrative, physical, and technical safeguards consistent with the HIPAA Security Rule
- Minimum necessary: We will use and disclose only the minimum health information necessary for each purpose
- Breach notification: We will notify you in the event of a breach of your unsecured health information (see below)
Breach Notification
In the event of a breach of your unsecured health information, we will notify you consistent with the following standards:
What Constitutes a Breach
A breach is the unauthorized acquisition, access, use, or disclosure of your health information in a manner that compromises the security or privacy of the information. A breach does not include:
- Unintentional access by an authorized person acting in good faith within the scope of their authority, provided the information is not further used or disclosed improperly
- Inadvertent disclosure between persons authorized to access health information at Vital IQ, provided the information is not further used or disclosed improperly
- A disclosure where we have a good faith belief that the unauthorized person would not reasonably be able to retain the information
Notification Timeline
- We will notify affected individuals without unreasonable delay and no later than 30 days after discovery of the breach (meeting the stricter of HIPAA's 60-day standard and Florida's 30-day FIPA requirement)
- If more than 500 individuals are affected, we will also notify the Florida Attorney General and the U.S. Department of Health and Human Services (even though the HHS notification is technically required only of covered entities, we voluntarily commit to it for transparency)
- If more than 500 residents of a single state are affected, we will notify prominent media outlets serving that state
Notification Content
Breach notifications will include:
- A description of what happened, including the date of the breach and the date of discovery
- The types of health information involved
- Steps you should take to protect yourself
- What we are doing to investigate, mitigate harm, and prevent future breaches
- Contact information for you to ask questions or obtain additional information
Notification Method
We will notify you by:
- Email to the address associated with your account
- In-app notification or banner
- If we do not have sufficient contact information, substitute notice through our website
FTC Health Breach Notification Rule
As a vendor of personal health records under the FTC's Health Breach Notification Rule (16 CFR Part 318), we are also subject to the FTC's breach notification requirements. Our notification procedures are designed to satisfy both the HIPAA Breach Notification Rule standards (voluntarily adopted) and the FTC Health Breach Notification Rule (legally required). Under the FTC rule, "breach" includes unauthorized disclosures, not only cybersecurity incidents.
Business Associates
We maintain Business Associate Agreements (or equivalent data protection agreements) with service providers that create, receive, maintain, or transmit your health information on our behalf:
| Business Associate | Service | BAA Status |
|---|---|---|
| Google Cloud Platform (Google LLC) | Cloud infrastructure, database, storage, computing, Document AI, Vertex AI | Active BAA |
| SendGrid (Twilio Inc.) | Email delivery | Active BAA (emails structured to exclude PHI) |
Service providers that do not access health information (and therefore do not require BAAs) include: RevenueCat (subscription status only), Stripe (payment data only), and Better Stack (system status only).
We require our business associates to:
- Use appropriate safeguards to protect your health information
- Report any security incidents or breaches to us promptly
- Return or destroy health information when the relationship ends
- Ensure their subcontractors agree to the same restrictions
Our Infrastructure and Security Safeguards
Consistent with the HIPAA Security Rule, we maintain the following categories of safeguards:
Administrative Safeguards
- Designated privacy officer responsible for privacy and security compliance
- Written privacy and security policies and procedures
- Personnel training on privacy and security obligations
- Regular risk assessments
- Incident response procedures
- Business associate management program
- Compliance monitoring (daily automated checks, weekly quality digests)
Physical Safeguards
- All data is hosted on Google Cloud Platform, which maintains SOC 1/2/3, ISO 27001, HIPAA, and FedRAMP certifications
- Google's data centers employ comprehensive physical security controls
- No health data is stored on local servers or employee devices
Technical Safeguards
- Encryption in transit (TLS) and at rest (AES-256)
- Role-based access controls with admin role gating
- Firestore security rules enforcing document-level access (users access only their own data)
- Immutable audit logging of administrative actions
- Automated anomaly detection for unusual access patterns
- Automated system health monitoring (5-minute polling, 30-minute functional checks)
- Unique user authentication via Firebase Authentication
- Optional biometric authentication (fingerprint, Face ID)
- Encrypted local storage for authentication tokens (iOS Keychain, Android Keystore)
Changes to This Notice
We reserve the right to change this Notice at any time. Changes may apply to health information we already hold as well as information we receive in the future. When we make material changes:
- We will update the "Last Updated" date at the top of this Notice
- We will make the revised Notice available in the app and on our website
- We will notify you through the Service of material changes
- The revised Notice will be effective for all health information we maintain from the effective date forward
Questions and Complaints
If you have questions about this Notice or believe your privacy rights have been violated, you may:
Contact our Privacy Officer:
[ENTITY_NAME], LLC
Attn: Privacy Officer
[ADDRESS_LINE_1]
[CITY], Florida [ZIP]
Email: [PRIVACY_EMAIL]
File a complaint: You have the right to file a complaint if you believe your privacy rights have been violated. You may file a complaint with us directly at [PRIVACY_EMAIL] or, because we voluntarily adopt HIPAA standards, you may also contact:
- U.S. Department of Health and Human Services, Office for Civil Rights — while HHS jurisdiction technically extends to HIPAA-covered entities, we welcome their guidance and will cooperate with any inquiry: www.hhs.gov/hipaa/filing-a-complaint
- Florida Attorney General — for complaints under Florida state privacy laws: www.myfloridalegal.com
- Federal Trade Commission — for complaints under the FTC Health Breach Notification Rule: www.ftc.gov/complaint
We will not retaliate against you for filing a complaint. Filing a complaint will not affect your access to or use of the Service.
We will acknowledge receipt of any complaint within 5 business days and provide a substantive response within 30 days.
This Notice of Privacy Practices is part of Vital IQ's legal documentation, which also includes our Privacy Policy, Consumer Health Data Privacy Policy, Terms of Service, Medical Disclaimer, and Cookie Policy.