Effective Date: March 6, 2026 | Last Updated: March 6, 2026
This Privacy Policy applies to ElevateMD Clinic (operated by RegenHairSolutions LLC dba ElevateMD Clinic), including our website at elevatemdclinic.com, our patient portal, telehealth consultations, SMS communications, and all related services. By using our services, you acknowledge that you have read and understand this Privacy Policy.
1. What Information We Collect
We collect several categories of information to provide, maintain, and improve our medical services. The types of information we collect depend on how you interact with our practice.
Personal Information
Identification Data
- Full legal name, date of birth, gender, and government-issued identification numbers
- Photographs submitted for identity verification or medical evaluation
Contact Information
- Email address, phone number (including mobile), and mailing address
- Emergency contact details
Account Information
- Login credentials, account preferences, and communication preferences
- Patient portal activity and account history
Professional Information
- Occupation and employer (when relevant to treatment)
- Referring physician information
Health Information
As a medical practice, we collect Protected Health Information (PHI) as defined under HIPAA, including but not limited to:
- Medical History: Past diagnoses, surgeries, hospitalizations, allergies, and family medical history
- Current Health Status: Symptoms, vital signs, current conditions, and ongoing treatments
- Lifestyle Factors: Diet, exercise, sleep patterns, stress levels, substance use, and other wellness-related data
- Laboratory Results: Blood panels, biomarker tests, hormone levels, metabolic panels, and other diagnostic results
- Physician Notes: Clinical observations, treatment plans, progress notes, and consultation records
- Genetic Information: Genetic test results when relevant to treatment planning
- Prescription Information: Current and past medications, dosages, pharmacy preferences, and medication adherence records
Payment & Billing Information
Payment Details
- Credit/debit card numbers, expiration dates, and billing addresses
- Payment processor tokens and transaction identifiers
Transaction Records
- Purchase history, subscription details, payment dates, and amounts
- Refund and credit records
Insurance Information
- While ElevateMD does not accept insurance, we may collect insurance information if voluntarily provided for coordination of care or documentation purposes
Device & Usage Data
Device Information
- Device type, operating system, browser type and version, screen resolution, and unique device identifiers
Usage Data
- Pages visited, features used, time spent on pages, click patterns, and navigation paths
Log Data
- IP address, access times, referring URLs, and error logs
Cookies
- Session cookies, persistent cookies, and third-party cookies (detailed in Section 5)
Location Data
- General geographic location derived from IP address (used to verify Florida residency for telehealth compliance)
2. How Your Data Is Used
We use the information we collect for specific, legitimate purposes related to your medical care and our operations.
Medical Service Provision
- Evaluation: Conducting patient eligibility screenings, medical evaluations, and telehealth consultations
- Records: Creating and maintaining accurate medical records as required by law
- Treatment: Developing personalized treatment plans, prescribing medications, and coordinating with compound pharmacies
- Monitoring: Tracking treatment progress, lab results, and patient outcomes over time
- Pharmacy: Transmitting prescriptions to licensed 503A compound pharmacies for fulfillment and delivery
Communication
- Appointments: Scheduling, confirming, and sending reminders for telehealth consultations
- Updates: Providing treatment updates, lab result notifications, and prescription status updates
- Support: Responding to patient inquiries, providing customer support, and resolving issues
- Educational: Sharing relevant health education, wellness tips, and treatment-related information
- Marketing: Sending promotional communications about new services, special offers, and practice updates (with your consent)
- SMS: Text message communications as detailed in Section 3
Payment Processing
- Subscriptions: Processing recurring subscription payments and managing billing cycles
- Invoices: Generating invoices, receipts, and billing statements
- Fraud Prevention: Detecting and preventing fraudulent transactions and unauthorized payment activity
Service Improvement
- Analytics: Analyzing usage patterns to understand how patients interact with our services
- Research: Conducting de-identified, aggregate research to improve treatment protocols and outcomes
- Development: Developing new features, services, and treatment offerings
- User Experience: Improving website functionality, patient portal usability, and overall service delivery
Legal Compliance
- Regulatory: Complying with federal and state healthcare regulations, including telehealth laws
- HIPAA: Meeting all obligations under the Health Insurance Portability and Accountability Act
- Government: Responding to lawful requests from government agencies and law enforcement when required
- Records: Maintaining records for the legally required retention periods
- Fraud Prevention: Detecting, investigating, and preventing fraud, abuse, and other illegal activities
3. SMS & Text Messaging
ElevateMD Clinic may use SMS (Short Message Service) and text messaging to communicate with you. This section details our SMS practices in compliance with carrier and regulatory requirements.
Phone Number Collection
We collect your phone number through the following sources:
- Patient intake forms and eligibility screenings
- Account registration on our website or patient portal
- Direct communication with our care team
- Appointment scheduling requests
- Opt-in forms and consent forms
Your phone number is never sold to third parties for marketing purposes.
Types of SMS Communications
- Appointment Reminders: Upcoming consultation reminders, scheduling confirmations, and rescheduling notifications
- Treatment Updates: Prescription status, shipping notifications, lab result availability, and treatment plan updates
- Service Notifications: Account alerts, billing reminders, service changes, and important practice announcements
- Promotional (Opt-In Only): New service announcements, special offers, wellness tips, and educational content
- Health Reminders: Medication reminders, follow-up appointment prompts, and lab retest notifications
- Account Security: Verification codes, login alerts, and security notifications
Message Frequency
| Message Type | Expected Frequency |
| Appointment Reminders | 1–3 messages per month |
| Treatment Updates | 1–2 messages per month |
| Service Notifications | Less than 1 message per month |
| Promotional Messages | 0–4 messages per month |
Carrier Charges: Message and data rates may apply. ElevateMD is not responsible for any charges imposed by your mobile carrier for receiving SMS messages. Please contact your carrier for details about your messaging plan.
Opt-In Methods
You may opt in to receive SMS communications through:
- Checking the SMS consent box during patient intake or registration
- Providing verbal consent during a telehealth consultation
- Texting a designated keyword to our practice number
- Opting in through your patient portal settings
- Completing a written consent form
Opt-Out
To stop receiving SMS messages, reply STOP to any message from ElevateMD. You will receive a one-time confirmation message. You may also opt out by contacting us at [email protected] or calling (786) 574-2428.
Opting out of promotional SMS does not affect transactional messages related to your active medical care (such as appointment reminders or prescription notifications), which may continue as part of your treatment.
Consent Requirements
Your consent to receive SMS messages is not a condition of purchasing any service from ElevateMD. You may receive care without opting in to SMS communications. Promotional SMS messages require separate, explicit opt-in consent.
4. Mobile Information Sharing
Your mobile phone number and SMS consent data are not shared with third parties for marketing or promotional purposes.
Protected Mobile Information
The following mobile-related data is protected and never shared for marketing:
- Mobile phone number
- SMS opt-in/opt-out status
- SMS consent records and timestamps
- Text message content and history
- Mobile carrier information
Limited Service Provider Sharing
We may share your phone number with the following categories of service providers solely for the purpose of delivering our medical services:
- Twilio: SMS delivery platform used to transmit text messages on our behalf
- AWS SNS: Backup notification delivery service for critical alerts
- Pharmacy Partners: Licensed compound pharmacies that may send shipping and delivery notifications
- Scheduling Platforms: Appointment management systems for sending scheduling confirmations
- Patient Portal: Secure patient communication platform for account-related notifications
Service Provider Requirements
All service providers who access your mobile information are required to:
- Sign Business Associate Agreements (BAAs) when handling Protected Health Information
- Comply with HIPAA regulations and maintain appropriate security safeguards
- Use your information only for the specific services they provide to ElevateMD
- Delete or return your information upon termination of their service agreement
Our Explicit Commitments
ElevateMD makes the following explicit commitments regarding your mobile information:
- We will never sell your phone number to any third party for any purpose
- We will never rent your phone number or mobile data to data brokers, advertisers, or any other entity
- We will never share your phone number with third-party marketers for their own promotional campaigns or communications
5. Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies to enhance your experience, analyze usage, and support our marketing efforts.
Cookie Types
| Cookie Type | Purpose | Duration |
| Essential | Required for basic site functionality, security, and session management. Cannot be disabled. | Session / 1 year |
| Performance | Monitor site speed, error rates, and page load performance to maintain service quality. | 1 year |
| Analytics | Collect anonymous usage data including page views, traffic sources, and user flow to improve our website. | 2 years |
| Functional | Remember your preferences such as language, region, and display settings for a personalized experience. | 1 year |
| Marketing | Track visitors across websites to display relevant advertisements and measure campaign effectiveness. | 90 days – 2 years |
Google Analytics
We use Google Analytics to analyze website traffic and usage patterns. Google Analytics collects information such as:
- How often you visit our site and which pages you view
- How you arrived at our site (search engine, direct link, referral, etc.)
- Your general geographic location (city/region level)
- Device type, browser, and operating system
- Time spent on pages and interaction events
Google Analytics data is processed in aggregate and does not include personally identifiable health information. You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on.
Additional Tracking Technologies
- Pixels: Small transparent images embedded in emails and web pages to track opens, clicks, and conversions
- Local Storage: Browser-based storage used to save preferences and improve site performance
- Session Storage: Temporary browser storage cleared when you close your browser tab, used for form data and navigation state
- Device Identifiers: Anonymous identifiers used for analytics and fraud prevention
Cookie Management
You can manage your cookie preferences through the following methods:
- Browser Settings: Most browsers allow you to block or delete cookies through their settings menu
- Opt-Out Links: Many advertising networks offer opt-out mechanisms through the Network Advertising Initiative or Digital Advertising Alliance
- Do Not Track: We honor Do Not Track (DNT) browser signals where technically feasible
Please note that disabling essential cookies may affect the functionality of our website and patient portal.
6. Data Security & Handling
We implement comprehensive technical, administrative, and physical safeguards to protect your information in accordance with HIPAA Security Rule requirements and industry best practices.
Encryption
- In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- At Rest: Stored data is encrypted using AES-256 encryption standards
- End-to-End: Telehealth video consultations and patient portal messages use end-to-end encryption
Access Controls
- Multi-Factor Authentication (MFA): Required for all staff accessing patient records and administrative systems
- Role-Based Access: Staff members only have access to the minimum information necessary for their role
- HIPAA Training: All staff complete mandatory HIPAA privacy and security training upon hire and annually thereafter
- Audit Logging: All access to patient records is logged and monitored for unauthorized activity
Physical Security
- Secure, access-controlled facilities for any physical records or equipment
- Cloud infrastructure hosted in SOC 2 Type II certified data centers
- Secure disposal procedures for physical media containing patient information
Data Retention
| Data Type | Retention Period |
| Active Treatment Records | Maintained for the duration of the active patient relationship |
| Medical Records (Post-Encounter) | Minimum 6 years after the last patient encounter, as required by Florida law |
| Billing & Financial Records | 7 years in accordance with IRS requirements |
| Backup Data | 90 days on encrypted backup systems, then securely deleted |
Breach Response Protocol
In the event of a data breach involving Protected Health Information, ElevateMD will:
- Investigate and contain the breach within 24 hours of discovery
- Notify affected individuals within 60 days as required by HIPAA
- Report the breach to the U.S. Department of Health and Human Services (HHS)
- Notify major media outlets if the breach affects 500 or more individuals
- Provide affected individuals with steps to protect themselves, including credit monitoring when appropriate
- Document the breach, response actions, and preventive measures implemented
7. Your Privacy Rights
You have specific rights regarding your personal and health information. We are committed to honoring these rights promptly and transparently.
General Rights
- Right to Access: Request a copy of the personal information we hold about you
- Right to Correct: Request correction of inaccurate or incomplete personal information
- Right to Delete: Request deletion of your personal information, subject to legal retention requirements
- Right to Opt-Out: Opt out of marketing communications, SMS messages, and non-essential data collection
- Right to Portability: Receive your data in a structured, commonly used, machine-readable format
- Right to Restrict: Request limitation of how your personal information is processed
- Right to Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing
HIPAA-Specific Rights
Under HIPAA, you have additional rights specific to your Protected Health Information:
- Access to Medical Records: Request access to and obtain a copy of your medical records in your preferred format
- Amendments: Request amendments to your medical records if you believe they contain errors
- Restrictions: Request restrictions on certain uses and disclosures of your PHI
- Confidential Communications: Request that we communicate with you through specific channels or at specific locations
- Accounting of Disclosures: Request a list of instances where we disclosed your PHI for purposes other than treatment, payment, or healthcare operations
- Complaints: File a complaint with ElevateMD or the U.S. Department of Health and Human Services if you believe your privacy rights have been violated
CCPA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information held by businesses and their service providers
- Right to opt out of the sale of personal information (ElevateMD does not sell personal information)
- Right to non-discrimination for exercising your CCPA rights
Note: HIPAA-covered health information is exempt from certain CCPA provisions. Your health data is protected under the more stringent HIPAA framework.
How to Exercise Your Rights
You may submit a privacy rights request through any of the following methods:
Response Timeline
We will acknowledge your request within 5 business days and provide a substantive response within 30 calendar days. If additional time is needed (up to 30 additional days), we will notify you of the reason for the extension.
8. Contact Information
Practice Information
Privacy Officer
For privacy-specific questions, concerns, or requests, you may contact our Privacy Officer:
Regulatory Complaints
If you believe your privacy rights have been violated, you have the right to file a complaint with the following regulatory bodies:
You will not be retaliated against for filing a complaint.
Policy Updates
ElevateMD reserves the right to update this Privacy Policy at any time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify active patients via email or patient portal notification
- Post a prominent notice on our website for at least 30 days
Your continued use of our services after any changes to this Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this page periodically.