Privacy Policy

Last updated: June 23, 2026

This is a HIPAA-aware privacy policy for the Vitale Health platform and may be updated. It is provided alongside any Notice of Privacy Practices (“NPP”) that applies to your care. Where this policy and an applicable NPP differ as to your Protected Health Information, the NPP controls.

Vitale Health, Inc. (“we,” “us,” or “our”) respects your privacy and is committed to protecting the information you share with us. This Privacy Policy explains what information we collect, how we use, share, and protect it, and the choices and rights you have. Some of the information we handle is Protected Health Information (“PHI”) governed by the Health Insurance Portability and Accountability Act (“HIPAA”); other information you provide before establishing care is not PHI but is still protected as described here.

Our commitment on health data and advertising. We do not sell your personal or health information, and we do not share your health information with advertising or social-media networks for their own marketing. We do not place third-party advertising or social-media tracking technologies on the pages where you provide medical intake information or manage your care.

Information we collect

  • Account information— such as your name, email address, phone number, date of birth, and password.
  • Medical intake information (PHI)— the health history, symptoms, medications, measurements, and related information you provide so a licensed clinician can evaluate whether treatment is appropriate.
  • Identity and verification information— information used to confirm your identity and eligibility (such as state of residence and, where required, government identification).
  • Order and shipping information— products requested, shipping address, and order history. Payment card details are processed by our payment processor; we do not store full card numbers.
  • Communications— messages you exchange with our care team and support, and your communication preferences and consents.
  • Technical and usage information— limited analytics such as device and browser type, IP address, and pages visited, collected as described in our Cookie Policy.

We collect this information directly from you, automatically through your use of the Service, and from service providers who help us operate (for example, our pharmacy and payment processor confirming order and payment status).

How we use information

We use the information we collect to:

  • Provide telehealth services and connect you with licensed clinicians;
  • Process and fulfill your orders and arrange shipping;
  • Communicate with you about your account, care, and orders;
  • Verify identity and eligibility and prevent fraud and abuse;
  • Operate, secure, and improve the Service;
  • Comply with our legal, regulatory, and recordkeeping obligations.

PHI is used and disclosed only as permitted by HIPAA — principally for treatment, payment, and health care operations — or with your authorization, or as otherwise required by law. We do not use PHI for targeted advertising.

How we share information

We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising. We disclose information only as needed to provide the Service, including with:

  • the independently licensed clinicians (and affiliated professional entities) who provide your care;
  • the licensed pharmacy that compounds and ships your medication;
  • our payment processor and shipping carriers, to bill you and deliver your order;
  • technology service providers (such as hosting, infrastructure, and privacy-preserving analytics) that support our operations under contracts that require them to protect your information, including HIPAA business associate agreements where applicable.

We may also disclose information when required by law, to comply with a valid legal process, to enforce our agreements, or to protect the rights, safety, and security of our members, our personnel, and the public. If we are involved in a merger, acquisition, or sale of assets, information may be transferred subject to this policy and applicable law.

Your HIPAA rights

With respect to your PHI, and subject to applicable law, you have the right to access and obtain a copy of your records, request corrections or amendments, request restrictions on certain uses and disclosures, request confidential communications, request an accounting of certain disclosures, and receive a copy of any applicable NPP. To exercise these rights, contact us at privacy@vitalehealth.shop. You may also file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights, and you will not be retaliated against for doing so.

Your state privacy rights

Depending on your state of residence (for example, under the California Consumer Privacy Act as amended by the CPRA, and comparable laws in Virginia, Colorado, Connecticut, and other states), you may have additional rights regarding information that is not governed by HIPAA, including the right to know what personal information we collect and how we use it, to access or delete it, to correct inaccuracies, to obtain a portable copy, and to opt out of any sale or sharing or targeted advertising. We do not sell or share your personal information and do not use it for targeted advertising. We honor browser-based opt-out signals such as the Global Privacy Control where required. We will not discriminate against you for exercising these rights. To submit a request, email privacy@vitalehealth.shop; we will verify your request and may ask for information to confirm your identity, and you may use an authorized agent where the law permits. Information already protected as PHI under HIPAA is handled under the HIPAA rights described above.

Data retention

We retain medical and account records for as long as necessary to provide the Service and to meet our legal, regulatory, and professional recordkeeping obligations, which for medical records may extend for a number of years after your last interaction as required by state law. When information is no longer required, we securely delete or de-identify it.

Security

We use administrative, technical, and physical safeguards to protect your information. PHI is encrypted at rest and in transit, access is limited to authorized clinicians and administrators on a need-to-know basis, and access to sensitive records is logged. We are actively working toward formal security certification (SOC 2). No method of transmission or storage is completely secure, but we work to protect your information consistent with applicable law.

Breach notification

If we become aware of a breach affecting your information, we will notify you and the appropriate authorities as required by HIPAA and applicable state law, without unreasonable delay.

Children's privacy

The Service is intended for adults 18 and older. We do not knowingly collect personal information from children under 18. If we learn that we have collected such information, we will delete it.

Where we operate

The Service is intended for use in the United States, and your information is processed in the United States. The Service is not directed to individuals located outside the United States.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, where required, provide additional notice.

Contact us

Questions about this Privacy Policy or our privacy practices, and requests to exercise your rights, can be sent to privacy@vitalehealth.shop.