Pure Nova Health Privacy Policy
Effective Date: September 20, 2025
Section 1: Introduction & Scope
This Privacy Policy (“Policy”) describes how Pure Nova Health, LLC (“PNH,” “we,” “our,” or “us”) collects, uses, discloses, and protects your information when you use our websites, mobile applications, telehealth platform, patient portal, and related services (collectively, the “Services”).
This Policy is incorporated into and made part of our Terms of Use. Capitalized terms not defined in this Policy have the meanings given in the Terms of Use.
1.1 Applicability
- This Policy applies to all personal information collected through our Services, including:
  - Information you provide directly when creating an account, completing intake forms, communicating with clinicians, or purchasing services.
  - Information collected automatically through your device (cookies, analytics, IP address, usage logs).
  - Information received from third parties such as affiliated pharmacies, laboratories, and payment processors.
- If you are a patient receiving telehealth services, certain health information we collect and process on behalf of independent clinicians may be considered Protected Health Information (“PHI”) subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
- When HIPAA applies, PHI will be used and disclosed only as permitted under HIPAA and our agreements with clinicians, pharmacies, and business associates.
- If there is any inconsistency between this Policy and HIPAA with respect to PHI, HIPAA will control.
1.2 Washington Residents – My Health My Data Act (MHMD)
- If you are a resident of Washington State, certain additional rights and disclosures apply to your Consumer Health Data, as defined by the My Health My Data Act (MHMD).
- Please see the Washington MHMD Addendum attached to this Policy for details.
1.3 United States Only
- PNH operates in the United States and our Services are intended solely for U.S. residents.
- We do not target or market to residents of the European Union, United Kingdom, or other foreign jurisdictions, and we do not subject ourselves to the GDPR or UK DPA.
- If you are located outside the United States, you should not use the Services.
1.4 Acknowledgment
By using the Services, you:
- Confirm that you have read and understood this Policy;
- Consent to the practices described herein; and
- Agree to the collection, use, and disclosure of your information as described.
Section 2: Notice at Collection (California)
If you are a California resident, we are required to provide you with a clear “Notice at Collection” explaining what categories of personal information we collect, the purposes for which we use them, whether we “sell” or “share” them, and how long we retain them.
The following table summarizes these requirements under the California Consumer Privacy Rights Act (CPRA).
2.1 Categories of Personal Information Collected
| Category (as defined by CPRA) | Examples We Collect | Business or Commercial Purposes of Use | Sold/Shared for Cross-Context Behavioral Advertising? | Retention Period |
| --- | --- | --- | --- | --- |
| Identifiers | Name, address, email, phone, IP address, account ID | Account creation, authentication, communication, order fulfillment | Not sold; may be shared with service providers | For as long as your account is active, plus up to 7 years for compliance |
| Protected Classifications (Optional) | Gender, age, date of birth (if provided for medical care) | Clinical evaluation, treatment appropriateness | Not sold/shared | Retained as part of medical records under HIPAA/state law (7–10 years) |
| Commercial Information | Purchase history, payment card details (processed by Stripe) | Billing, order management, customer support | Not sold/shared | 7 years (tax/financial law) |
| Internet or Other Network Activity | Browsing data, device type, cookies, analytics logs | Site functionality, analytics, fraud prevention | May be shared with advertising/analytics providers (non-PHI only) | 13–24 months |
| Geolocation Data | Approximate city/state from IP | Fraud prevention, regulatory compliance, availability of telehealth | Not sold/shared | Deleted after 13 months (analytics) |
| Sensitive Personal Information | Health-related information, PHI, diagnoses, prescriptions | Telehealth care, pharmacy services, compliance with HIPAA | Never sold/shared for advertising | Retained as required by HIPAA/state law (7–10 years) |
| Inferences | Segmentation into patient groups for services (e.g., weight loss program eligibility) | Improve services, personalize experience | Not sold/shared | Varies depending on clinical and business needs |
2.2 Important Notes
- No Sale of PHI: We do not sell or share PHI or any information covered by HIPAA.
- Non-PHI Data: Limited non-health browsing/device data may be “shared” with analytics/advertising vendors. You can opt out through our cookie banner or by enabling Global Privacy Control (GPC) signals in your browser.
- Sensitive Information: Sensitive data (such as health details) is collected only as necessary to deliver healthcare services, comply with law, or with your consent. It is never used for targeted advertising.
- Retention: We keep personal information only for as long as necessary for the purposes described, or as required by law. See Section 8 (Data Retention) for details.
Section 3: Categories of Information We Collect & Sources
3. Categories of Information We Collect
We collect the following categories of information when you use the Services:
3.1 Information You Provide Directly
- Account & Registration Information – name, email, phone, address, password.
- Health Information / PHI – medical history, medications, symptoms, lab results, questionnaires, and other data you provide during telehealth visits.
- Payment Information – credit/debit card number, billing details (processed securely by Stripe or similar processors; PNH does not store full card numbers).
- Communications – messages, emails, phone calls, or SMS you send to us or to clinicians through the platform.
- Identity Verification Documents – copies of government-issued ID or other materials if required for compliance.
3.2 Information Collected Automatically
- Device & Technical Data – IP address, browser type, operating system, mobile device identifiers, app version.
- Usage Information – pages visited, actions taken, referring/exit pages, session times.
- Cookies & Similar Technologies – pixels, SDKs, and analytics tools used for site performance, fraud detection, and (non-PHI) advertising measurement. See Cookie Notice.
- Approximate Location – derived from IP address, used for state eligibility, fraud prevention, and regulatory compliance.
3.3 Information We Receive from Third Parties
- Clinicians & Pharmacies – treatment notes, prescription details, pharmacy fulfillment data.
- Laboratories – diagnostic test results.
- Payment Processors – transaction confirmations, fraud detection data.
- Marketing / Lead Generation Partners – contact information for individuals who have opted in to receive communications.
- Data Enrichment Services – limited demographic or contact updates to maintain accurate records (never used for PHI profiles).
3.4 Special Note on PHI
- Health information that qualifies as PHI under HIPAA is collected, used, and disclosed in compliance with HIPAA and applicable state law.
- PHI is never used for targeted advertising, profiling, or cross-context behavioral ads.
Section 4: How We Use Information
4. Purposes for Using Information
We use the information we collect for the following purposes, depending on the type of data and your relationship with Pure Nova Health (“PNH”):
4.1 Service Delivery & Account Management
- To create and manage your account.
- To verify your identity and eligibility to use our Services.
- To schedule and conduct telehealth consultations.
- To coordinate with affiliated clinicians, pharmacies, and laboratories.
- To process orders, prescriptions, and payments.
4.2 Clinical Care & PHI-Specific Uses
- To enable clinicians to evaluate your health, provide diagnoses, prescribe medications, and monitor treatment.
- To send prescription orders to affiliated or third-party pharmacies for fulfillment.
- To communicate results, care plans, and follow-up instructions.
- To comply with HIPAA and applicable medical recordkeeping laws.
- Note: PHI is used only for treatment, payment, and healthcare operations as permitted by HIPAA. It is not used for marketing or advertising.
4.3 Communication & Customer Support
- To respond to your inquiries, requests, or complaints.
- To send appointment confirmations, reminders, and account updates.
- To send important safety or legal notices.
- With your consent, to send marketing emails, SMS, or other communications about PNH products and services.
4.4 Security, Fraud Prevention & Compliance
- To monitor, detect, and prevent fraud, abuse, and unauthorized access.
- To enforce our Terms of Use and comply with legal obligations.
- To respond to subpoenas, regulatory inquiries, or lawful government requests.
4.5 Analytics & Improvement
- To analyze usage trends and measure engagement with our Services.
- To improve site functionality, user experience, and service offerings.
- To develop new features, products, and clinical programs.
4.6 Advertising & Personalization (Non-PHI Only)
- To deliver relevant ads and measure campaign effectiveness using non-health data (such as cookie/device data).
- To personalize your website experience (e.g., showing content relevant to your state or interests).
- Important: PHI and sensitive health data are never used for targeted advertising or shared with ad networks.
Section 5: Your Privacy Rights & Choices
Depending on where you live, you may have certain privacy rights under state law. These rights are in addition to protections you already have under HIPAA for your Protected Health Information (PHI).
5.1 California (CCPA/CPRA)
If you are a California resident, you have the following rights with respect to your personal information (not including PHI, which is governed by HIPAA):
- Right to Know: You may request access to the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request that we delete personal information we collected from you, subject to certain exceptions (e.g., legal obligations, medical records retention).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: You may opt out of our “sharing” of non-PHI personal information with third parties for targeted advertising.
- Right to Limit Use of Sensitive Information: You may request that we limit the use of sensitive personal information (other than as required for telehealth or pharmacy services).
- Right to Non-Discrimination: We will not discriminate against you for exercising these rights.
5.2 Virginia, Colorado, Connecticut, and Utah
Residents of these states may have similar rights, including the right to access, correct, delete, and opt out of targeted advertising or the sale of personal data.
5.3 Nevada
Nevada law allows residents to opt out of the sale of certain personal information. We do not sell personal information as defined under Nevada law, but you may still submit an opt-out request.
5.4 Washington (My Health My Data Act)
Washington residents have enhanced rights over Consumer Health Data, including:
- Right to access, delete, or withdraw consent for processing of Consumer Health Data.
- Right to be informed about sharing or sale of Consumer Health Data (PNH does not sell Consumer Health Data).
- Right to withdraw consent at any time.
5.5 How to Exercise Your Rights
You may exercise your privacy rights by contacting us at:
- Email: info@purenovahealth.com
- Phone: 512-796-2537
- Mailing Address: 730 Shade Tree Dr, Austin, TX 78748
We may need to verify your identity before fulfilling your request. If we deny your request, you may appeal by replying to our denial notice. Washington residents may further escalate appeals to the Washington Attorney General’s Office.
Section 6: Disclosures & Sharing of Information
We may disclose your information in the following ways. We do not sell PHI or Consumer Health Data.
6.1 Service Providers & Vendors
We share personal information with trusted service providers who perform services on our behalf, such as:
- Payment processors
- Cloud hosting providers
- Customer support platforms
- Analytics and fraud prevention tools
These providers may only use your information to perform services for us and must protect it under contractual agreements.
6.2 Clinicians & Pharmacies
We disclose PHI to affiliated licensed clinicians and third-party pharmacies in order to deliver telehealth services, prescribe medications, and fulfill orders.
- Clinicians and pharmacies operate independently and are responsible for their own legal and professional obligations.
- We share only the minimum necessary information to enable care and fulfillment.
6.3 Laboratories & Diagnostic Partners
If you use lab testing services, we share necessary information with laboratories to process orders and deliver results.
6.4 Legal, Regulatory & Safety Obligations
We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to:
- Protect the rights, property, or safety of PNH, our users, or the public.
- Detect, prevent, or address fraud, misuse, or security issues.
- Comply with applicable state or federal law (including HIPAA).
6.5 Business Transfers
If PNH is involved in a merger, acquisition, restructuring, or sale of assets, your information may be transferred as part of that transaction. We will provide notice if your personal information becomes subject to a materially different privacy policy.
6.6 Advertising & Analytics Partners (Non-PHI Only)
We may share limited, non-health personal information (e.g., cookie/device identifiers) with advertising or analytics partners to measure site performance and marketing effectiveness.
- We do not share or sell PHI for advertising.
- You may opt out of such sharing as described in Section 5.
Section 7: Data Security & Safeguards
We take the security of your information seriously. While no system is 100% secure, we implement administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, or disclosure.
7.1 Administrative Safeguards
- Access to PHI is limited to authorized personnel and clinicians who need it to perform their duties.
- Workforce members receive training on privacy and HIPAA compliance.
- Policies and procedures are maintained to respond to security incidents and breaches.
7.2 Technical Safeguards
- Data is encrypted in transit and at rest using industry-standard protocols.
- Secure authentication, firewalls, and intrusion detection tools are used to protect our systems.
- Session timeouts and audit logs help monitor access and prevent misuse.
7.3 Physical Safeguards
- Data centers used by our vendors employ physical security measures, including restricted access and environmental protections.
- Paper records (if any) are stored securely and disposed of using appropriate destruction methods.
7.4 Breach Notification
In the event of a data breach involving your personal information or PHI, we will notify you and applicable regulators as required by HIPAA, state law, or other applicable law. Our goal is to provide notice promptly, and in no case later than 60 days after discovery, unless a shorter period is required by law.
7.5 Your Responsibilities
You are responsible for maintaining the security of your own account credentials, devices, and internet connection. Please notify us immediately at info@purenovahealth.com if you believe your account has been compromised.
Section 8: Data Retention & Deletion
We retain your information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal requirements, resolve disputes, and enforce our agreements.
8.1 Protected Health Information (PHI)
- Medical records and PHI are retained in accordance with federal HIPAA requirements and applicable state medical record retention laws.
- Generally, this means records are kept for at least 6 years from the date of creation or last use, unless state law requires a longer period (some states require up to 10 years or more).
8.2 Personal Information (Non-PHI)
- Account data, communications, and transaction history are retained as long as you maintain an account with us.
- If you close your account, we may retain certain information for legal, regulatory, fraud prevention, or business continuity purposes.
8.3 Cookies & Tracking Data
- Cookie and device data are retained according to the lifespan of the cookie (see our Cookie Notice).
- Some cookies are session-based and expire when you close your browser; others may persist for up to 24 months unless you delete them.
8.4 Deletion Requests
- You may request deletion of personal information (non-PHI) by contacting us at info@purenovahealth.com.
- Requests to delete PHI will be handled in compliance with HIPAA and medical record retention laws, which may limit deletion in certain cases.
- When deletion is not possible (for example, due to legal obligations), we will de-identify or anonymize information where feasible.
8.5 Aggregated & De-Identified Data
We may retain de-identified or aggregated information that cannot reasonably be used to identify you, even after you request deletion.
Section 9: Subprocessors & Third-Party Vendors
To deliver our Services, we rely on trusted third-party vendors (“subprocessors”) who process personal information on our behalf.
9.1 Categories of Vendors We Use
We may engage vendors to provide services such as:
- Cloud hosting & infrastructure (e.g., data centers, storage providers)
- Communication services (e.g., SMS platforms, email delivery)
- Payment processors (e.g., secure billing and subscription management)
- Analytics providers (e.g., website traffic and performance tools)
- Customer support platforms (e.g., ticketing and chat systems)
- Laboratory and pharmacy partners (for prescriptions and testing services)
9.2 Vendor Obligations
- Vendors may only use information as necessary to provide services to us.
- Vendors are contractually required to maintain security and confidentiality standards consistent with HIPAA (for PHI) and applicable privacy laws (for non-PHI).
- Vendors must notify us in the event of a data breach affecting your information.
9.3 Transparency
We maintain an updated list of subprocessors available upon request. You may contact us at info@purenovahealth.com to request a current copy.
9.4 Changes to Vendors
If we materially change the types of vendors we use (for example, adding a new advertising partner or replacing a core cloud provider), we will update this Policy and, where legally required, notify you in advance.
Section 10: Cookies, Tracking Technologies & Online Advertising
We use cookies and similar technologies (such as pixels, SDKs, and device identifiers) to help operate our Services, measure performance, and improve user experience.
10.1 Types of Cookies & Technologies
- Strictly Necessary – Required for core functionality (e.g., login, security, transactions).
- Functional / Preference – Remember your settings and preferences.
- Performance / Analytics – Collect aggregated data to understand how our Services are used.
- Advertising / Targeting (Non-PHI Only) – Used to deliver relevant ads or measure marketing campaigns. We never use PHI or Consumer Health Data for advertising.
10.2 Consent & Choices
- On first visit, you may be presented with a cookie banner to manage preferences.
- You may disable cookies through your browser settings.
- You may opt out of targeted advertising cookies through our Cookie Notice or by enabling Global Privacy Control (GPC) signals, where legally required.
10.3 Third-Party Partners
We may allow third-party partners (such as analytics or advertising providers) to set cookies or similar technologies on your device.
- These partners may collect limited non-health personal information.
- They are contractually prohibited from using PHI or Consumer Health Data for advertising purposes.
10.4 Retention
- Session cookies expire when you close your browser.
- Persistent cookies may remain for up to 24 months, unless you delete them.
- See our Cookie Notice for more details.
10.5 “Do Not Track”
Our Services do not currently respond to browser “Do Not Track” signals. We do, however, honor legally required opt-out mechanisms such as Global Privacy Control.
Section 11: Communications, Marketing & Consent (Email/SMS)
11.1 Service Communications
By creating an account or using our Services, you may receive transactional communications, such as:
- Appointment reminders
- Prescription and shipping updates
- Account security alerts
- Administrative notices about your subscription or Services
These communications are considered essential to providing care and cannot generally be opted out of.
11.2 Marketing Communications
With your consent, we may send promotional messages (by email, SMS, or phone) about services, products, or programs that may be of interest to you.
- Consent for marketing communications is not required to use our Services.
- You can withdraw your consent at any time by using the opt-out mechanism provided (e.g., “unsubscribe” links in emails or “STOP” replies for SMS).
11.3 TCPA & SMS Disclosure
By providing your phone number, you consent to receive SMS messages related to your use of the Services, including reminders and promotions (if opted in).
- Message frequency may vary.
- Message and data rates may apply.
- Reply STOP to opt out of marketing texts. Reply HELP for assistance.
- Carriers are not liable for delayed or undelivered messages.
11.4 Consent Records
We maintain records of your communication preferences and opt-ins to ensure compliance with the Telephone Consumer Protection Act (TCPA) and applicable state laws.
11.5 Sensitive Information
We do not include sensitive medical information or PHI in marketing messages. Limited clinical information may appear in service communications (such as prescription or appointment reminders), consistent with HIPAA and applicable law.
Section 12: Automated Decision-Making & Profiling
12.1 Use of Automated Systems
We may use automated systems, algorithms, or AI tools to support certain functions of our Services, such as:
- Screening for duplicate accounts or fraudulent activity
- Assisting with appointment scheduling
- Supporting customer service (e.g., chatbots)
- Suggesting relevant non-clinical resources or programs
12.2 No Solely Automated Clinical Decisions
We do not use automated systems to make clinical or medical decisions about your care.
- All prescribing and clinical determinations are made exclusively by licensed clinicians.
- Automated tools may support clinicians by providing information or workflow assistance, but clinicians retain final decision-making authority.
12.3 Your Rights
Depending on your state of residence (e.g., California, Colorado, Virginia), you may have the right to:
- Request information about the use of automated decision-making related to your personal information.
- Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
- Appeal decisions you believe were unfairly influenced by automated processing.
To exercise these rights, contact us at info@purenovahealth.com or call 512-796-2537.
Section 13: Children’s & Teen Privacy
13.1 Children Under 13
Our Services are not directed to children under 13 years of age.
- We do not knowingly collect personal information from children under 13.
- If we become aware that we have inadvertently collected information from a child under 13, we will delete it as required by the Children’s Online Privacy Protection Act (COPPA).
- Parents or guardians who believe we may have collected such information should contact us at info@purenovahealth.com.
13.2 Teen Users (13–17)
For patients between 13 and 17 years of age:
- Access to Services may require parental or guardian consent, depending on state law.
- Certain states grant minors specific rights to consent to care (e.g., reproductive health, mental health, gender-affirming care). Where applicable, PNH follows those state requirements.
- We treat all information about minors with heightened sensitivity and will not use it for advertising or non-clinical profiling.
13.3 Marketing Restrictions
- We do not knowingly target or sell any information about children or teens for marketing or advertising purposes.
- PHI and Consumer Health Data are never shared with advertising platforms, regardless of user age.
Section 14: International Users Disclaimer
14.1 U.S.-Only Services
Our Services are intended only for individuals located within the United States.
- We do not offer or market our Services to individuals in the European Union, the United Kingdom, or any other jurisdiction outside the U.S.
- We do not target or knowingly collect information from international users where the General Data Protection Regulation (GDPR), UK GDPR, or other non-U.S. privacy laws would apply.
14.2 Data Location
All personal information and Protected Health Information (PHI) are stored and processed in the United States, subject to U.S. federal and state law.
14.3 No International Rights or Remedies
By using the Services, you acknowledge and agree that:
- You are subject exclusively to U.S. law.
- Non-U.S. privacy rights (such as GDPR or UK GDPR rights) do not apply to your use of the Services.
- We disclaim all responsibility for compliance with laws outside the United States.
Section 15: Policy Changes & Updates
15.1 Right to Revise
We may update or revise this Privacy Policy (and any related addenda, such as the Washington MHMD Addendum or Cookie Notice) from time to time to reflect:
- Changes in law or regulation
- Updates in our business practices or technology
- New services or product offerings
- Feedback from regulators or patients
15.2 Notice of Changes
If we make material changes, we will notify you by:
- Posting the revised Privacy Policy on our website with a new “Last Updated” date;
- Providing notice by email or within your account, when appropriate.
15.3 Effective Date of Changes
All changes are effective on the date posted, unless otherwise required by law. Your continued use of the Services after changes become effective constitutes your acceptance of the revised Policy.
15.4 Archiving
We maintain a version history of prior Privacy Policies, available upon request, so you may review the evolution of our practices.
Section 16: Contact Information & Privacy Officer
16.1 Privacy Officer
We have appointed a Privacy Officer to oversee compliance with this Policy, HIPAA, and applicable state privacy laws.
Privacy Officer – Pure Nova Health
Email: info@purenovahealth.com
Phone: 512-796-2537
Mailing Address: 730 Shade Tree Dr, Austin, TX 78748
16.2 Exercising Your Rights
To submit a privacy request, including access, correction, deletion, or appeal of a prior request:
- Email us at info@purenovahealth.com with “Privacy Request” in the subject line; or
- Call us at 512-796-2537.
We will respond to verified requests within the time required by law (generally 45 days, with an extension if permitted).
16.3 Appeals & Escalation
If we deny your request and you disagree, you may:
- File an appeal with us by emailing info@purenovahealth.com with “Privacy Appeal” in the subject line.
- If you remain dissatisfied, you may escalate to your state’s Attorney General or relevant regulator, as provided under applicable law.
16.4 Questions
If you have any questions about this Privacy Policy or our data practices, please contact our Privacy Officer using the details above.