Privacy Policy

Your privacy and medical confidentiality are not optional features – they are the foundation of our platform. This policy explains how we collect, protect, and use your information in full compliance with HIPAA, state medical privacy laws, and federal healthcare regulations.

Effective Date: April 25, 2026 | Last Updated: April 25, 2026

🔒 HIPAA Compliant Platform | 🔒 Data Never Sold | 🔒 Bank-Level Encryption (AES-256)

1. Introduction and Scope

This Privacy Policy applies to all information collected through our website, mobile applications, telehealth consultations, and any related services (collectively, the “Platform”). By accessing or using our Platform, you acknowledge that you have read and understood this policy.

VippHealth Solutions operates as a health information and patient referral service. We do not provide direct medical care, but we facilitate connections between you and licensed healthcare providers, pharmacies, and telehealth services. Because of this role, we treat all health-related information with the same protections required under HIPAA, even when not technically mandated by law.

If you are a California resident, this policy also incorporates the disclosures required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). If you are located in the European Union, the United Kingdom, or other jurisdictions with data protection laws, your rights under those laws are respected to the fullest extent applicable.

2. HIPAA Compliance and Protected Health Information (PHI)

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information. While we are not a traditional covered entity (such as a hospital or insurer), we voluntarily adhere to HIPAA standards because we believe anything less is unacceptable when handling medical data.

Protected Health Information (PHI) includes any information that can identify you and relates to your past, present, or future physical or mental health, the provision of healthcare to you, or payment for that healthcare. This includes symptoms you report, medications you inquire about, consultation responses, and prescription history.

Our HIPAA Commitments:

  • We encrypt all PHI in transit (TLS 1.3) and at rest (AES-256)
  • We limit access to PHI to authorized medical and technical staff only
  • We require Business Associate Agreements (BAAs) with all healthcare partners
  • We audit access logs quarterly for unauthorized viewing
  • We train all employees on HIPAA privacy and security rules annually
  • We report any breach affecting PHI within 72 hours as required by law

3. Information We Collect

We collect only the information necessary to facilitate your access to healthcare services, improve our platform, and comply with legal obligations.

3.1 Personal Identifiers

  • Full name, date of birth, and contact information (email, phone, address)
  • Government-issued ID for prescription verification (required by law)
  • Insurance information, if voluntarily provided
  • Payment method details (processed via PCI-DSS compliant gateways – we do not store full card numbers)

3.2 Health and Medical Information

  • Responses to medical intake questionnaires and symptom assessments
  • Current medications, allergies, and medical history
  • Consultation notes from licensed physicians using our platform
  • Prescription requests and fulfillment records
  • Lab results or diagnostic reports you upload

3.3 Technical and Usage Data

  • IP address, browser type, device identifiers, and operating system
  • Pages visited, time spent, and navigation paths (anonymized where possible)
  • Referral sources and search terms that led you to our site
  • Cookies and similar tracking technologies (see Section 7)

4. How We Use Your Information

We use your information strictly for the following purposes. We do not sell, rent, or trade your personal information to third parties for marketing purposes.

Healthcare Facilitation

Connecting you with licensed physicians, transmitting prescriptions to accredited pharmacies, and coordinating delivery of medications.

Medical Safety

Screening for drug interactions, contraindications, and allergic reactions before prescription approval.

Legal Compliance

Fulfilling prescription record-keeping requirements, DEA reporting for controlled substances, and responding to lawful court orders.

Platform Improvement

Analyzing aggregated, de-identified usage patterns to improve content accuracy, site speed, and user experience.

5. How We Share Your Information

We share your information only when necessary and only with parties who have agreed to protect it at the same standards we maintain.

5.1 Healthcare Providers and Pharmacies

Your medical information is shared with the licensed physicians who conduct telehealth consultations and the accredited pharmacies that fill your prescriptions. These parties are bound by HIPAA and have signed Business Associate Agreements (BAAs) with us. They may only use your information for your specific treatment and may not use it for marketing or research without your explicit consent.

5.2 Service Providers

We use third-party vendors for hosting, payment processing, customer support, and analytics. These providers access only the minimum data necessary to perform their functions and are contractually prohibited from using your data for any other purpose. Examples include our cloud hosting provider (encrypted environment) and payment processor (PCI-DSS Level 1 certified).

5.3 Legal and Safety Disclosures

We may disclose your information if required by law, such as in response to a subpoena, court order, or valid request from law enforcement. We may also disclose information to prevent imminent harm to you or others, or to report suspected abuse, neglect, or domestic violence as required by state mandatory reporting laws.

5.4 What We Never Do

  • We never sell your personal or medical information to advertisers
  • We never share your prescription history with insurance companies without consent
  • We never use your health data to target you with product ads on social media
  • We never disclose your participation in ED, mental health, or controlled substance treatment to employers or family members

6. Data Security and Retention

We implement industry-leading security measures to protect your data from unauthorized access, alteration, disclosure, or destruction.

6.1 Security Measures

  • Encryption: All data transmitted between your browser and our servers uses TLS 1.3. Stored data is encrypted using AES-256.
  • Access Controls: Multi-factor authentication (MFA) required for all staff. Role-based access limits employees to data necessary for their job function.
  • Network Security: Firewalls, intrusion detection systems, and regular penetration testing by third-party security firms.
  • Physical Security: Servers hosted in SOC 2 Type II certified data centers with 24/7 monitoring.

6.2 Data Retention

We retain your personal and medical information for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

  • Active accounts: Retained for the duration of your account plus 7 years (standard medical record retention)
  • Inactive accounts: Retained for 7 years after last activity, then securely deleted or anonymized
  • Payment records: Retained for 7 years per IRS requirements
  • Server logs: Retained for 90 days, then purged

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website, analyze traffic, and understand user behavior. You can control cookies through your browser settings.

7.1 Types of Cookies We Use

  • Essential Cookies: Required for site functionality, security, and prescription processing. Cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our site. Data is aggregated and anonymized.
  • Preference Cookies: Remember your settings (language, dosage preferences) for convenience.

7.2 Third-Party Analytics

We use privacy-focused analytics tools that do not share your personal data with advertising networks. We do not use Facebook Pixel, Google Ads remarketing, or similar tools that could associate your health interests with your social media profiles.

Health Data and Advertising: We believe using your search for “buy Cialis” or “prednisone taper” to show you ads on other websites is unethical. We have deliberately chosen analytics and advertising partners who do not engage in cross-site tracking of health-related behavior.

8. Your Rights and Choices

Depending on your location and the nature of your interaction with us, you may have the following rights regarding your personal information.

Right to Access

Request a copy of the personal information we hold about you, including medical consultation records and prescription history.

Right to Correct

Request correction of inaccurate or incomplete health information. Medical records must reflect accurate data for your safety.

Right to Delete

Request deletion of your personal information, subject to legal retention requirements for medical and prescription records.

Right to Restrict

Limit how we use or share your information in certain circumstances, such as restricting marketing communications.

8.1 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 45 days as required by law. For complex requests involving medical records, we may need to verify your identity using government-issued ID to prevent unauthorized access to your health information.

8.2 Right to Complain

If you believe we have violated your privacy rights, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) or your state Attorney General’s office. We will not retaliate against you for filing a complaint.

9. Children’s Privacy

Our Platform is intended for adults aged 18 and older. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child, we will delete it immediately. If you believe a child has provided us with personal information, contact us at [email protected].

Some medications discussed on our Platform (such as antibiotics or corticosteroids) may be prescribed to adolescents by licensed physicians in specific clinical circumstances. In such cases, the parent or legal guardian must provide consent and manage the account.

10. International Users

Our servers are located in the United States. If you access our Platform from outside the U.S., your information will be transferred to, stored, and processed in the U.S. By using our services, you consent to this transfer. We comply with applicable data protection frameworks and ensure that international transfers maintain protections equivalent to those in your home jurisdiction.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or healthcare regulations. If we make material changes that affect your rights or how we use your information, we will notify you by email (if you have an account) and post a prominent notice on our homepage at least 30 days before the changes take effect.

The “Last Updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this policy regularly.

12. Contact Information

Privacy Officer
Email: [email protected]
Response Time: 1-2 business days

Data Protection Officer (EU/UK inquiries)
Email: [email protected]
Response Time: 2-3 business days

Physical Address (for legal correspondence):
VippHealth Solutions
228 Park Avenue South, Suite 1234
New York, NY 10003
United States

For medical emergencies, call 911 or contact your local emergency services. Do not email us for urgent medical advice – we cannot provide real-time emergency assistance.

This Privacy Policy is a legal document. If there is any conflict between this policy and our Terms of Use, the provisions most protective of your privacy shall prevail. Nothing in this policy modifies any rights you have under federal or state healthcare privacy laws.
