Privacy Policy
Your privacy matters. This policy explains what we collect, how we use it, how we protect it, and the rights you have over your information.
Effective March 6, 2026 · Last updated June 19, 2026
1. What information we collect
As a physician-directed medical practice, we collect information needed to provide care and operate our practice.
- Personal information: name, date of birth, contact details, mailing address, government-issued ID for identity and age verification, emergency contact, and referring physician information
- Health information (PHI): medical history, current health status and symptoms, lifestyle factors, laboratory and biomarker results, physician notes and treatment plans, relevant genetic information, and prescription/medication records
- Payment & billing: card details processed by our payment processor (tokens and transaction identifiers), purchase and subscription history, and refund records. ElevateMD does not accept insurance but may record insurance details if voluntarily provided
- Device & usage data: device and browser information, pages visited and interactions, IP address and log data, cookies (Section 5), and general geographic location derived from IP to verify residency in a licensed state for telehealth compliance
2. How your data is used
We use the information we collect for specific, legitimate purposes related to your care and our operations:
- Medical service provision: eligibility screening, evaluation and telehealth consultations, maintaining medical records, developing treatment plans, transmitting prescriptions to licensed 503A pharmacies, and monitoring outcomes
- Communication: scheduling and reminders, treatment and lab updates, support, education, and (with your consent) marketing
- AI-assisted communications: We use automated and AI-assisted systems to help respond to inbound inquiries across our messaging channels (such as SMS and social messaging). These systems process the content of your messages to generate responses. Clinical questions are escalated to ElevateMD’s licensed clinical team, and AI-assisted messages provide general, administrative, and product information only and do not constitute medical advice. Your protected health information is not used to train third-party AI models
- Payment processing: recurring billing, invoicing, and fraud prevention
- Service improvement: de-identified, aggregate analytics and research to improve our services
- Legal compliance: meeting HIPAA and federal/state healthcare obligations, lawful government requests, and required record retention
3. SMS & text messaging
We collect your phone number through intake and eligibility forms, account registration, direct communication, scheduling, and opt-in/consent forms. Your phone number is never sold to third parties for marketing purposes.
SMS may include appointment reminders, treatment and shipping updates, service and billing notifications, health reminders, account-security codes, and (with separate opt-in) promotional messages (typically 0–4/month). Message and data rates may apply.
To opt out, reply STOP to any message (you’ll get one confirmation), or contact us at [email protected] or (786) 574-2428. Opting out of promotional SMS does not affect transactional messages tied to your active care. Your consent to receive SMS is not a condition of purchasing any service.
4. Mobile information sharing
Your mobile number, SMS consent status and records, message content, and carrier information are protected and never shared for marketing. We share your number only with service providers solely to deliver our services, for example our SMS delivery platform (Twilio), backup notification delivery, licensed pharmacy partners (shipping notifications), scheduling platforms, and the patient portal.
All such providers must sign Business Associate Agreements when handling PHI, comply with HIPAA, use your information only for the services they provide to us, and delete or return it on termination. We will never sell, rent, or share your phone number with third-party marketers for their own campaigns.
5. Cookies & tracking technologies
Our website uses essential, performance, analytics, functional, and marketing cookies to enable functionality, measure performance, and support our marketing. We use Google Analytics to analyze aggregate traffic and usage; it does not include personally identifiable health information, and you can opt out via the Google Analytics Opt-Out Browser Add-on.
We also use advertising and analytics pixels — including the Meta (Facebook) pixel, Google Analytics, and the TikTok pixel — along with local and session storage and anonymous device identifiers, for analytics, measurement, advertising, and fraud prevention. These technologies may share limited website-usage and device data with those providers; they do not transmit the contents of your medical records, and the protected health information inside your patient account is kept separate from them. You can manage or disable cookies through your browser settings, opt out through the advertising industry programs (NAI and DAA), and use the platform-level controls offered by those providers. We honor browser Do Not Track signals where technically feasible. Disabling essential cookies may affect site and portal functionality.
6. Data security & handling
We implement technical, administrative, and physical safeguards in accordance with the HIPAA Security Rule:
- Encryption: TLS 1.2+ in transit and AES-256 at rest; encrypted patient-portal messaging
- Access controls: multi-factor authentication, role-based least-privilege access, mandatory HIPAA training, and audit logging of record access
- Physical security: access-controlled facilities, SOC 2 Type II cloud infrastructure, and secure media disposal
- Retention: medical records kept a minimum of 6 years after the last encounter (per Florida law), billing records 7 years (IRS), and encrypted backups 90 days before secure deletion
Breach response: in the event of a breach involving PHI, we investigate and contain within 24 hours of discovery, notify affected individuals within 60 days as required by HIPAA, report to HHS (and notify media if 500+ individuals are affected), and document our response and preventive measures.
7. Your privacy rights
You have rights regarding your information, and we honor them promptly:
- General rights: access, correction, deletion (subject to legal retention), opt-out of marketing, portability, restriction of processing, and withdrawal of consent
- HIPAA rights: access to and copies of your medical records, amendments, restrictions on certain uses/disclosures, confidential communications, an accounting of disclosures, and the right to file a complaint
- California (CCPA/CPRA) and similar state laws: rights to know, access, correct, delete (subject to legal retention), portability, and non-discrimination, plus the right to opt out of the “sale” or “sharing” of personal information and to limit the use of sensitive personal information. We do not sell your personal information for money, and we never sell or share the contents of your medical records or your phone number for third-party marketing. However, our website uses third-party advertising and analytics technologies (such as the Meta pixel, Google Analytics, and the TikTok pixel — see Section 5) that may share limited website-usage and device identifiers with those providers for advertising and measurement; under some state privacy laws this activity may be considered a “sale” or “sharing.” To opt out, you may use the browser-based and industry opt-out tools described in Section 5, adjust your cookie settings, or contact us at [email protected] and we will honor your request. Protected health information that you provide inside your patient account is governed by HIPAA and our Notice of Privacy Practices, not by these website advertising technologies
To exercise your rights, email [email protected], call (786) 574-2428, or write to RegenHairSolutions LLC dba ElevateMD, 8051 N. Tamiami Trail, Suite E6, Sarasota, FL 34243. We acknowledge requests within 5 business days and provide a substantive response within 30 calendar days (with notice if an extension is needed). You may also file a complaint with HHS Office for Civil Rights, the California Attorney General, or the Florida Attorney General without retaliation.
8. Contact & policy updates
RegenHairSolutions LLC dba ElevateMD
8051 N. Tamiami Trail, Suite E6, Sarasota, FL 34243
Email: [email protected] · Phone: (786) 574-2428
For privacy-specific requests, contact our Privacy Officer at [email protected] (Subject: Privacy Officer).
We may update this Privacy Policy at any time. For material changes, we update the “Last updated” date, notify active patients via email or portal, and post a prominent notice on our website for at least 30 days. Continued use of our services after changes constitutes acceptance.
Questions about this policy? Contact [email protected] · (786) 574-2428