Privacy Policy
Last updated: April 2026
HIPAA Notice: Aurum Health is a Covered Entity under HIPAA. All Protected Health Information (PHI) is handled in accordance with the HIPAA Privacy Rule and Security Rule. For your full rights, see our Notice of Privacy Practices.
1. Information We Collect
Identity and Contact Information
- Full name, date of birth, biological sex
- Email address, phone number, mailing address
- Government-issued ID (for identity verification)
Health and Medical Information
- Medical history, current diagnoses, medications, supplements
- Laboratory results (88-marker comprehensive blood panel)
- Prescription history issued through our physician network
- Intake questionnaire responses including PHQ-2 screening, family history, lifestyle factors
- Symptom ratings and self-reported health data
Wearable and Biometric Data
- Heart rate variability (HRV), resting heart rate
- Sleep staging, sleep quality scores, and readiness scores
- Body temperature (baseline and deviation)
- Activity levels, recovery metrics
- Continuous monitoring data from connected devices (Oura, WHOOP, Garmin)
Financial Information
- Payment card information (processed by Stripe — we do not store raw card numbers)
- Billing address and transaction history
Usage and Technical Data
- IP address, browser type, device identifiers
- Platform usage patterns, session duration, feature interactions
- UTM parameters and referral source
2. How We Use Your Information
- Provide health optimization services and deliver your personalized protocol
- Generate AI-assisted recommendations through Aris, our clinical intelligence system
- Facilitate physician review of your lab results, intake data, and flagged conditions
- Fulfill lab orders with our partner laboratories (Quest Diagnostics, Labcorp, Getlabs)
- Dispense prescribed medications through our compounding pharmacy partners
- Communicate with you about your protocol, results, and account
- Process payments and maintain billing records
- Improve our platform and AI models (using de-identified data only)
- Comply with legal, regulatory, and licensing requirements
3. Data Storage and Security
All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. We use Supabase for database infrastructure and Vercel enterprise infrastructure for application hosting; both providers hold SOC 2 Type II attestations. Access to PHI is restricted to authorized personnel and Business Associates on a need-to-know basis, and all access is logged and audited.
4. Business Associates and Third-Party Sharing
We share PHI only with Business Associates who have signed a BAA with Aurum Health as required by HIPAA:
- Physician Network Partner — clinical review and prescription issuance
- Compounding Pharmacy Partner — licensed compounding pharmacy services
- Quest Diagnostics / Labcorp — laboratory processing and result reporting
- Getlabs — mobile phlebotomy and specimen collection
- Anthropic — AI model inference for clinical recommendations
- Supabase — database and authentication infrastructure
- Vercel — application hosting and edge infrastructure
- Stripe — payment processing
- Resend — transactional email delivery
We do not sell your personal information to any third party, ever.
5. Your HIPAA Rights
- Right to Access: Request a copy of your PHI; we will respond within 30 days of your request.
- Right to Amend: Request correction of inaccurate or incomplete PHI.
- Right to Accounting of Disclosures: Request a list of disclosures of your PHI made in the six years before your request.
- Right to Request Restrictions: Request restrictions on use or disclosure of your PHI.
- Right to File a Complaint: File with us or with HHS Office for Civil Rights without retaliation.
6. Data Retention
Member health records are retained for a minimum of seven (7) years following the last date of service, consistent with applicable state medical record retention laws (HIPAA itself requires that privacy and security compliance documentation be retained for six years). Financial records are retained for seven years. You may request deletion of non-health account data at any time.
7. Cookies and Tracking
- Authentication cookies: Required for maintaining your secure session
- Google Analytics (GA4): Aggregate usage analytics to improve the platform
- Meta Pixel: Conversion tracking for advertising campaigns
- LinkedIn Insight Tag: Conversion tracking for LinkedIn advertising
Analytics and advertising cookies do not contain PHI and are not linked to your health records.
8. California Residents (CCPA)
- Right to Know: Request disclosure of categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of personal information, subject to health record retention requirements.
- Right to Opt-Out: Aurum Health does not sell personal information, so there is no sale to opt out of.
9. Contact