Privacy Policy

1. Introduction & Roles

Effective Date: October 5, 2025

Healsend Inc. ("Healsend," "we," "us," "our") operates as a Management Services Organization (MSO). We provide technology infrastructure, administrative services, billing coordination, and platform management to a network of licensed independent Professional Entities — physician groups, professional corporations, and other licensed healthcare providers — that independently deliver clinical care to patients through the Platform.

We are a technology and administrative services company, not a medical provider. Healsend does not practice medicine, does not diagnose or treat patients, does not employ licensed clinicians in a clinical capacity, and does not function as a covered entity under HIPAA with respect to its own platform operations. The Professional Entities we support are independent licensed entities that may be covered entities or business associates under HIPAA, and Healsend serves as a Business Associate under those arrangements.

This Privacy Policy applies to all information collected through healsend.com and all associated applications, platforms, portals, and services (collectively, the "Platform"). Our mailing address is 30 N Gould St Ste R, Sheridan WY 82801. Contact: yourhealth@healsend.com | https://healsend.com.

2. Scope; U.S.-Only Audience

This Policy applies to all individuals who: visit or interact with healsend.com or the Platform; create an account or register as a patient; complete health intake questionnaires or consultations; purchase or use any service through the Platform; or contact us for support or information.

This Policy does not apply to information processed exclusively by Professional Entities in their capacity as independent covered entities. Patients seeking access to their Protected Health Information (PHI) held by a treating Professional Entity should contact that entity directly or submit a HIPAA request to Healsend's Privacy Officer (see Section 28).

Our Platform and services are available only to residents of the United States who are 18 years of age or older. We do not knowingly market to or process information of non-U.S. residents or individuals under 18.

3. Key Definitions

Personal Information (PI): Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular individual or household.
Consumer Health Data (CHD): Personal information that identifies your past, present, or future physical or mental health condition, including health history, diagnoses, medications, treatment, and related data. Where collected outside a HIPAA business associate context, CHD is regulated under state consumer health data laws such as Washington's My Health My Data Act (MHMDA) and Nevada SB 370.
Sensitive Personal Information (SPI): A subset of PI that includes: Social Security Number or government ID; precise geolocation; racial or ethnic origin; religious beliefs; union membership; content of personal communications; genetic or biometric data; health information; sexual orientation or gender identity; and financial account credentials. SPI receives the highest level of protection under this Policy.
Protected Health Information (PHI): Individually identifiable health information created, received, maintained, or transmitted by a HIPAA-covered entity or Business Associate that relates to health condition, provision of care, or payment.
Professional Entity: Independent licensed physician groups, professional corporations, PLLCs, and other licensed healthcare providers that contract with Healsend's MSO and independently deliver clinical care to patients.
Service Provider / Business Associate: Third parties that process data on behalf of Healsend or Professional Entities under Data Processing Agreements (DPAs) or Business Associate Agreements (BAAs) that contractually limit their use of data.

4. Categories of Personal Information Collected

We collect the following categories of personal information depending on how you interact with the Platform:

Identifiers & Contact Information

Name, email, phone, mailing address, date of birth
Username and account credentials (passwords stored as salted hashes; we never store plaintext passwords)
IP address, device identifier, session tokens, browser fingerprint

Health & Clinical Intake

Responses to health intake questionnaires (symptoms, medical history, medications, allergies, surgical history, family history)
Consultation notes, clinical determinations, and treatment preferences
Lab results, imaging reports, or medical records you upload or authorize providers to share
Weight, height, BMI, body measurements, and self-reported biometric data

Financial & Transaction

Payment card details (processed by PCI-DSS-compliant third-party processors; we store only payment tokens)
Billing address, transaction history, subscription status

Internet & Network Activity

Browser type, operating system, referring URLs
Pages visited, features used, time on Platform, click patterns, search queries within Platform
Cookie identifiers and tracking pixel data (see Section 12)

Geolocation

State and ZIP code (required for provider licensing compliance); city-level IP-inferred location

Communications

Messages you send to support, providers, or through Platform messaging
Survey responses, feedback submissions, and call recordings (where disclosed)

Images & Media

Profile photos or identification images uploaded for identity verification
Clinical photos uploaded at provider request (e.g., skin condition images)

Inferences

Treatment eligibility inferences drawn from intake data
Risk or wellness scores derived from self-reported health information (used only for platform routing, not for denial of care)

Biometric (where collected)

Face geometry for identity verification (where applicable; subject to state biometric law disclosures — see Section 10)

1. Introduction & Roles

2. Scope; U.S.-Only Audience

3. Key Definitions

4. Categories of Personal Information Collected

Identifiers & Contact Information

Health & Clinical Intake

Financial & Transaction

Internet & Network Activity

Geolocation

Communications

Images & Media

Inferences

Biometric (where collected)

5. Sources of Personal Information

6. Purposes of Processing

7. Our Role as MSO/Technology Provider; Provider Role

8. HIPAA/HITECH Boundary; Business Associate Arrangements

9. Consumer Health Data (WA MHMDA; NV SB370)

10. Biometric &amp; Sensor Data

11. Sensitive Personal Information

12. Cookies, Tracking, and Global Privacy Control (GPC)

13. Targeted Advertising, Analytics, and Opt-Outs

14. Disclosures to Providers, Pharmacies, Service Providers, and Others

15. Retention &amp; Disposal

16. Security Program

17. Incident Response &amp; Breach Notification

18. Patient/Consumer Privacy Rights

19. California Privacy Rights (CCPA/CPRA)

20. Other State Privacy Rights

21. Children's &amp; Minors' Privacy

22. Marketing, SMS/Text, and Email Communications

23. Financial &amp; PCI Matters

24. Controlled Substances; 42 CFR Part 2

25. Accessibility &amp; Non-Discrimination

26. Automated Decision-Making &amp; AI Use

27. Telehealth "Store and Forward"; Cross-Entity Data Flows

28. Data Subject Request Process &amp; Verification

29. Changes to This Policy

30. Contact Information

10. Biometric & Sensor Data

15. Retention & Disposal

17. Incident Response & Breach Notification

21. Children's & Minors' Privacy

23. Financial & PCI Matters

25. Accessibility & Non-Discrimination

26. Automated Decision-Making & AI Use

28. Data Subject Request Process & Verification