Consumer Health Data

Healsend Consumer Health Data & Biometric Privacy Policy

Effective Date: October 5, 2025

Issued by: Healsend Inc.

30 N Gould St Ste R, Sheridan WY 82801

Email: yourhealth@healsend.com

1. Purpose and Scope

This Privacy Policy explains how Healsend Inc. (“Healsend,” “we,” “us,” or “our”) collects, uses, shares, and protects Consumer Health Data and Biometric Data belonging to individuals located in the United States who use our websites, telehealth portals, mobile apps, and other technology-based administrative services (collectively, the “Services”).

Healsend functions solely as a management-services organization (MSO) and technology facilitator. We do not provide or bill for medical care, and we do not determine clinical treatment. Independent, licensed medical groups (each, a “Professional Entity”) deliver patient-care services through the platform. Each Professional Entity maintains its own Notice of Privacy Practices under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

This Policy covers the data that Healsend controls or processes in connection with operating and improving the Services, supporting affiliated Professional Entities, managing patient-provider interactions, and complying with applicable federal and state privacy laws.

When Healsend acts as a Business Associate under HIPAA, the applicable Business Associate Agreement (BAA) governs any potential conflict between that BAA and this Policy.

2. Definitions

To promote clarity, these key terms are used consistently throughout this Policy:

Term | Meaning
Consumer Health Data (CHD) | Information that identifies or can reasonably be linked to an individual and that concerns the individual’s physical or mental health status, medical condition, treatment information, medication history, or health behaviors.
Biometric Data | A record of measurable biological characteristics—such as facial geometry, fingerprint, voiceprint, retina pattern, or gait—used for identity verification or health assessment.
Sensitive Health Data | Subsets of CHD that include genetic data, reproductive or sexual-health information, mental-health records, substance-use history, or any other category defined as “sensitive” under state law.
Personal Information (PI) | Any data that identifies, relates to, or could reasonably be linked with a particular individual or household.
Professional Entity | A separately incorporated, independently licensed medical group that contracts with Healsend for non-clinical administrative and technology services.
Processing | Any operation performed on data—collection, recording, organization, storage, analysis, sharing, retention, or deletion.
Service Provider / Contractor | A third-party vendor that processes CHD or PI on Healsend’s behalf pursuant to a written agreement containing confidentiality and data security obligations.
De-identified Data | Information that cannot reasonably be used to identify an individual, consistent with 45 CFR § 164.514(b) and applicable state laws.
Business Associate | The meaning given in 45 CFR § 160.103: an entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity for a function regulated by HIPAA.
Consumer Request | A verified written or electronic request made by an individual, or an authorized agent, invoking rights under state privacy law.

3. Applicability of Federal and State Law

Healsend’s data-handling obligations arise under a complex framework of U.S. privacy, security, and consumer-protection laws. We comply with, or operate consistently with, the following authorities:

Federal Statutes and Regulations
  • HIPAA & HITECH (45 CFR Parts 160 and 164) — governs PHI handled as a Business Associate.
  • FTC Act § 5 (15 U.S.C. § 45) — prohibits unfair or deceptive acts, including false privacy representations.
  • 21 CFR Part 11 — electronic records and signatures for telehealth documentation.
  • Electronic Signatures in Global and National Commerce Act (ESIGN) and Uniform Electronic Transactions Act (UETA) — govern e-consent.
  • Children’s Online Privacy Protection Act (COPPA) — restricts collection from users under 13.
  • Federal Trade Commission Health Breach Notification Rule (16 CFR Part 318).

State Statutes
  • California Consumer Privacy Act (CCPA/CPRA)
  • Washington My Health My Data Act (MHMDA)
  • Nevada Senate Bill 370 (Consumer Health Data Law)
  • Texas Health Privacy Law (HB 300)
  • Illinois Biometric Information Privacy Act (BIPA)
  • Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Virginia Consumer Data Protection Act (VCDPA), Utah Consumer Privacy Act (UCPA), and similar laws.

Where these laws conflict, the law affording stronger consumer protection prevails.

4. Information We Collect

Healsend collects and processes information only to the extent necessary for lawful business, administrative, and compliance purposes. We categorize data as follows:

A. Information Provided Directly by You
  • Identification details: name, DOB, gender, shipping address, email, phone.
  • Government-issued IDs for identity verification (driver’s license or passport).
  • Medical-intake responses, health questionnaires, and uploaded attachments.
  • Payment information (e.g., credit card token via PCI-compliant gateway).
  • Support requests or communications with our help team.

B. Information Received from Professional Entities or Pharmacies
  • Diagnosis codes (ICD-10), prescription details, treatment notes, laboratory results, and order status data transmitted under secure channels (“store and forward”).
  • Dispensing confirmation or shipping tracking numbers.

C. Automatically Collected Technical Data
  • Device identifiers, IP address, browser type, operating system, and session metadata.
  • Cookies and similar technologies used for session management and security analytics (see Appendix A).
  • Log files recording access times, referral URLs, and clickstream activity.

D. Biometric and Sensor Data
  • Facial or voice measurements for identity verification or engagement tracking.
  • Data captured by wearables integrated with the platform (heart rate, step count, etc.).

E. Derived and Inferred Data
  • Risk scores, eligibility classifications, and usage patterns generated through analytics and machine-learning models; all such outputs are de-identified before use in research or product improvement.

Healsend does not knowingly collect data from individuals under 18 years of age without verifiable parental consent, and any such information discovered is promptly deleted.

5. How We Use Consumer Health and Biometric Data

We use Consumer Health Data (“CHD”) and Biometric Data only for legitimate, clearly defined purposes allowed by law and by the agreements we maintain with Professional Entities and service providers.

5.1 Primary Uses

  1. Platform Operation and Account Management — to authenticate users, maintain secure logins, prevent unauthorized access, and manage session activity.
  2. Facilitating Care — to transfer data to the relevant Professional Entity for scheduling, telehealth encounters, and prescription routing.
  3. Payment and Fulfillment — to process payments through PCI-DSS-compliant processors and to coordinate pharmacy shipment or order tracking.
  4. Analytics and Product Improvement — to aggregate and de-identify usage data, measure feature performance, and evaluate outcomes while removing identifiers before analysis.
  5. Customer Support and Communication — to respond to inquiries, confirm transactions, send legally required notifications, and, with consent, provide educational or marketing materials.
  6. Regulatory and Legal Compliance — to comply with HIPAA, HITECH, FTC Act § 5, state consumer-privacy laws, FDA advertising standards, and financial-record obligations.
  7. Security and Fraud Prevention — to monitor for suspicious activity, credential compromise, or misuse of the Services.

5.2 Secondary Uses (Prohibited Without Consent)

Healsend does not sell, lease, or trade CHD or Biometric Data for monetary gain. We do not use these data for cross-context behavioral advertising, employment decisions, or automated profiling that produces legal or similarly significant effects without explicit consent.

5.3 Lawful Basis for Processing

Purpose | Legal Basis
Service delivery | Contractual necessity
Regulatory compliance | Legal obligation
Security | Legitimate interest
Analytics | De-identified data use
Marketing | Consent

6. When and Why We Share Data

Healsend limits disclosure of CHD and Biometric Data to circumstances that are lawful, documented, and auditable.

6.1 Categories of Recipients
  • Professional Entities and Pharmacies — for treatment and prescription fulfillment under HIPAA or applicable state law.
  • Service Providers — secure hosting, data storage, communications, and payment vendors bound by written contracts incorporating confidentiality, security, and breach-notification clauses.
  • Corporate Affiliates and Successors — if we reorganize, merge, or sell assets, provided the successor continues equivalent protections.
  • Regulators and Law Enforcement — when required by subpoena, court order, or to protect rights and safety.
  • Your Authorized Agents or Designees — when you instruct us to release records to another entity.

6.2 Business Associate and Vendor Obligations

All vendors who may handle PHI or CHD must:

  1. Sign a Business Associate Agreement (BAA) or data-processing agreement.
  2. Implement safeguards consistent with 45 CFR § 164.308–312 and NIST SP 800-53.
  3. Limit use to the contracted purpose.
  4. Notify Healsend of any security incident within 72 hours of discovery.

6.3 Cross-Entity Transfers

Data are hosted and processed exclusively within the United States. Healsend does not transfer CHD or Biometric Data across U.S. borders or store them on foreign servers.

6.4 De-identified and Aggregate Information

We may share de-identified or aggregate statistics (e.g., system-uptime metrics, total encounters) that cannot reasonably identify individuals. De-identification follows 45 CFR § 164.514(b) and state law equivalents.

7. Retention and Deletion of Data

Healsend maintains data for no longer than is necessary to fulfill the stated purpose or as required by law.

7.1 General Retention Periods

Category | Typical Retention | Legal Reference
Account and profile data | Until account closure | Business records (15 U.S.C. § 41 et seq.)
Medical intake and encounter records | 7 years or state-specific minimum (e.g., Cal. Bus. & Prof. Code § 2266) | Health-record retention laws
Payment and billing data | 7 years | IRS Regs § 1.6001-1
Biometric identifiers | ≤ 30 days after verification | 740 ILCS 14/15 (BIPA)
Security logs | 12 months | NIST SP 800-92 recommendation

7.2 Deletion Requests

Individuals may request deletion by emailing yourhealth@healsend.com. Upon verification, we will erase data from active systems and instruct vendors to do the same unless retention is required for:
  • compliance with a legal obligation;
  • completion of an ongoing transaction;
  • defense or establishment of legal claims; or
  • internal security auditing.

Back-up copies are overwritten on a rolling 90-day cycle.

7.3 Data Retention Review

Healsend reviews retention schedules annually and updates them to reflect regulatory changes or operational needs. A summary of current schedules is available upon request.

8. Your Privacy Rights

We honor every individual right granted by federal and state law and extend those rights uniformly across the United States whenever feasible.

8.1 Overview of Your Rights

Right | Description
Access and Transparency | You may request a summary or copy of the Consumer Health Data we hold about you. We will provide this information in a portable format within 45 days of verification, unless an extension is permitted by law (45 CFR § 164.524(b)(2)).
Correction / Rectification | You can ask us to correct inaccurate or incomplete information. We must respond within 45 days and inform you if the request is granted or denied (45 CFR § 164.526).
Deletion / Erasure | You can request that we delete data we hold about you, except when we must retain it for legal or regulatory reasons.
Portability | You may receive your information in a structured, commonly used, machine-readable format and transmit it to another entity.
Restriction / Opt-Out | You may opt out of data use for analytics or marketing and limit our use of Sensitive Health Data for non-essential purposes.
Appeal | If we deny a request, you may appeal within 30 days. We will review the appeal and respond in writing within 45 days.

8.2 Submitting Requests

Send verified requests to yourhealth@healsend.com or by mail to:

Healsend Inc. • 30 N Gould St Ste R, Sheridan WY 82801.

Please include your full name, contact information, and the specific right you wish to exercise. We verify identity through multi-factor authentication or matching data elements we already maintain.

Authorized agents may submit requests if they present written authorization or a lawful power of attorney.

8.3 Response Time and Fees

We do not charge a fee for the first request in a 12-month period. Subsequent requests that are manifestly unfounded or excessive may incur a reasonable fee or be denied (consistent with state law).

9. State-Specific Disclosures

Because Healsend operates nationwide, we include enhanced rights summaries for major state laws.

9.1 California (CCPA/CPRA)
  • Residents may request disclosure of the categories and specific pieces of PI collected, sources, purposes, and third parties with whom data is shared.
  • Healsend does not sell or share PI for cross-context behavioral advertising.
  • You may limit use of Sensitive Personal Information (“SPI”) to that which is necessary to provide Services.
  • Designated methods for requests: email and postal mail (as above).

9.2 Washington (My Health My Data Act)
  • Explicit opt-in consent is required before collecting or sharing CHD.
  • Healsend publishes a “Consumer Health Data Notice” summarizing our processing on our website homepage.
  • Consumers may withdraw consent at any time; Healsend must honor within 30 days.

9.3 Nevada (SB 370)
  • We do not sell covered information as defined under NRS 603A et seq.
  • You may request deletion of CHD at any time without discrimination.

9.4 Texas (HB 300)
  • Healsend employees and contractors handling PHI complete annual privacy training.
  • Unauthorized disclosure of PHI is subject to state civil and criminal penalties.

9.5 Illinois (BIPA)
  • Biometric identifiers are collected only with written or electronic consent and are deleted within 30 days after verification or the purpose is fulfilled.
  • We will not sell, lease, or profit from Biometric Data (740 ILCS 14/15).

9.6 Other States

Colorado, Connecticut, Virginia, Utah, Iowa, and Montana grant similar rights to access, correction, deletion, and appeal. Healsend applies those rights nationwide as a matter of policy.

10. Data Security and Incident Response

Healsend maintains a comprehensive Information Security Program (“ISP”) built on NIST SP 800-53, ISO/IEC 27001, and HIPAA Security Rule 45 CFR § 164.308–312 standards.

10.1 Administrative Safeguards
  • Appointment of a Privacy Officer and Security Officer responsible for oversight.
  • Mandatory employee training on HIPAA, state privacy laws, and social-engineering awareness.
  • Vendor management program requiring risk assessments and written agreements.
  • Least-privilege access controls and quarterly permission reviews.

10.2 Technical Safeguards
  • Data encryption in transit (TLS 1.3) and at rest (AES-256, FIPS 140-2 validated).
  • Multi-factor authentication for administrative accounts.
  • Network segmentation and firewall protections.
  • Continuous vulnerability scanning and annual penetration testing.
  • Immutable audit logging with retention for at least 12 months.

10.3 Physical Safeguards
  • Secure, access-controlled offices and data centers with visitor logs.
  • Document destruction by cross-cut shredding and certified media wiping.

10.4 Incident Response and Breach Notification

  1. Detection & Reporting — All employees must report suspected incidents within one business day.
  2. Assessment — Privacy and Security Officers determine scope and risk level within 72 hours.
  3. Containment & Eradication — Systems are isolated and malicious access revoked.
  4. Notification — Affected individuals and regulators are notified as required by 45 CFR § 164.404 and state breach laws (generally within 30 days).
  5. Post-Incident Review — Root-cause analysis and corrective actions are documented.

10.5 Audit and Testing

Healsend conducts internal HIPAA Security Rule audits annually and engages independent security assessors at least every two years. Reports are reviewed by executive management and remediation tracked to completion.

12. Contact, Complaints, and Dispute Resolution

12.1 Primary Contact for Privacy Matters

Healsend Inc.
Attn: Privacy Office
30 N Gould St Ste R, Sheridan WY 82801
Email: yourhealth@healsend.com

12.2 Designated Privacy Officer

Healsend has appointed a Privacy Officer and Security Officer responsible for enforcing this Policy, monitoring compliance, and acting as liaison to regulators and Professional Entities.

12.3 Submitting Complaints

If you believe your Consumer Health Data or Biometric Data has been misused:
  • Contact Healsend first via the address or email above.
  • We acknowledge complaints within 10 business days and aim to resolve within 30 days.
  • If unresolved, you may escalate to:
      o U.S. Department of Health and Human Services, Office for Civil Rights (OCR) — for HIPAA matters.
      o Federal Trade Commission (FTC) — for consumer-protection issues.
      o Your state Attorney General — for state privacy violations.

12.4 No Retaliation

Healsend prohibits retaliation against any individual who exercises privacy rights or files a good-faith complaint.

12.5 Arbitration and Governing Law

All disputes arising under this Policy shall be governed by Wyoming law, excluding its conflict-of-laws rules. Unless prohibited by law, disputes will be resolved by binding arbitration under the American Arbitration Association (AAA) Consumer Rules, seated in Sheridan County, Wyoming. This clause does not limit your right to file a complaint with regulators.

13. Changes to This Policy

13.1 Policy Updates

Healsend reviews this Policy at least annually or sooner if laws or technologies change. Material updates will include:
  • A revised “Effective Date” at the top of this document.
  • Prominent notice on our website homepage.
  • Email notification to registered users when required.

13.2 Version Control

Older versions are archived internally for seven years and can be provided upon request.

13.3 Continuing Use as Acceptance

By continuing to use the Services after an update takes effect, you acknowledge and accept the revised Policy.

Appendix A — Cookies and Tracking Technologies

Cookie Type | Purpose | Retention | Opt-Out
Essential Cookies | Maintain session, authenticate users | Session only | Cannot disable (required for operation)
Analytics Cookies | Aggregate usage statistics | 13 months | Browser settings or “Do Not Track”
Preference Cookies | Save user choices | 12 months | Delete cookies manually
Security Tokens | Detect fraud, prevent abuse | Rolling 90 days | N/A

Healsend honors Global Privacy Control (GPC) signals for opt-out preference.

Appendix B — Data Classification and Security Controls

Classification | Example | Control Standard
Tier 1 — Protected Health Information | Medical records, prescriptions | HIPAA Security Rule § 164.308–312; AES-256 encryption
Tier 2 — Consumer Health Data | Intake forms, biometric templates | NIST SP 800-53; Access Control (AC-2), Audit (AU-2)
Tier 3 — Operational Metadata | Logs, usage analytics | De-identified; 12-month retention
Tier 4 — Public Data | Anonymized statistics | Public posting allowed only after review

Appendix C — Record Retention Summary

Record Type | Retention Period | Disposal Method
User accounts | Until closed | Secure erasure (NIST 800-88)
Medical encounters | 7 years (minimum) | Encrypted purge after period
Payment data | 7 years | PCI-DSS secure deletion
Biometric identifiers | ≤ 30 days post-verification | Automatic wipe scripts
Support tickets | 24 months | Database purge
Audit logs | 12 months | Immutable then expired

Appendix D — Regulatory References

Authority | Citation
HIPAA Privacy Rule | 45 CFR Part 164 Subpart E
HIPAA Security Rule | 45 CFR Part 164 Subpart C
FTC Health Breach Notification Rule | 16 CFR Part 318
California Civil Code | § 1798.100 et seq. (CCPA/CPRA)
Washington My Health My Data Act | RCW 19.373
Illinois Biometric Information Privacy Act | 740 ILCS 14
Texas Health Privacy Law | HB 300 (2012)
Nevada SB 370 | NRS 603A
NIST Cybersecurity Framework | v1.1 (2018)
ISO/IEC 27001 | Information Security Management System
