Privacy Policy

Last updated: April 12, 2026

Notice Regarding Health Information

Valitide collects and processes Protected Health Information (PHI) as part of its telehealth services. This policy describes how your health information is handled. For a summary of your HIPAA rights, see our Notice of Privacy Practices.

1. Overview

Valitide LLC (“we,” “us,” or “our”) is committed to protecting your privacy and the confidentiality of your health information. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding that information. By using the Platform, you consent to the practices described here.

2. Information We Collect

a. Personal Information

  • Account information — name, email address, and phone number when you create an account.
  • Contact information — email addresses collected through forms on the Platform.
  • Listing applications — company name, website, email, and other business details.

b. Protected Health Information (PHI)

When you use our telehealth services, we collect health-related information including but not limited to:

  • Medical history, current medications, and allergies
  • Height, weight, vital signs, and body mass index (BMI)
  • Pre-existing conditions and clinical contraindications
  • Lifestyle information (diet, exercise, sleep, substance use)
  • Insurance information (carrier, plan, member ID)
  • Messages exchanged with healthcare providers through the Platform
  • Eligibility screening results and provider clinical notes

This information is collected solely for the purpose of enabling licensed healthcare providers to evaluate your eligibility for treatment and provide appropriate medical care.

c. Information Collected Automatically

  • Click analytics — when you click outbound links, we record the event without personally identifiable information.
  • Standard web analytics — we may use privacy-respecting analytics to understand traffic patterns. We do not use invasive tracking pixels or sell data to advertisers.
  • Session data — IP address, browser type, and access timestamps are recorded in audit logs for security and HIPAA compliance purposes.

3. How We Use Your Information

  • To facilitate telehealth consultations between you and licensed providers.
  • To process and store your medical intake questionnaire for provider review.
  • To send you notifications about your intake status, provider messages, and treatment updates.
  • To enable secure patient-provider messaging.
  • To process payments for consultation services.
  • To operate, maintain, and improve the Platform.
  • To maintain audit trails of access to your health information as required by HIPAA.
  • To review listing applications from vendors and pharmacies.
  • To comply with legal and regulatory requirements.

4. Health Information Privacy (HIPAA)

Valitide handles Protected Health Information (PHI) as a business associate to the licensed healthcare providers who use the Platform. We maintain the following safeguards in accordance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule:

Administrative Safeguards

  • Designated privacy and security officer responsible for HIPAA compliance.
  • Business Associate Agreements (BAAs) executed with all infrastructure vendors that process or store PHI.
  • Workforce access to PHI is limited to authorized personnel on a need-to-know basis.
  • Periodic risk assessments to identify and mitigate threats to PHI.
  • Documented policies and procedures for PHI handling, breach notification, and incident response.

Technical Safeguards

  • All data is encrypted in transit using TLS 1.2 or higher.
  • Data at rest is encrypted using AES-256 encryption.
  • Unique user identification and authentication for all users accessing PHI.
  • Automatic session timeout after 15 minutes of inactivity on the provider portal.
  • Session tokens expire after 8 hours, requiring re-authentication.
  • Account lockout after 5 failed login attempts (15-minute cooldown).
  • Comprehensive audit logging of all access to PHI, including who accessed what, when, and from where.
  • Password hashing using PBKDF2 with 100,000 iterations (Web Crypto API).
  • PHI is minimized in email notifications — message content and full medical details are never included in email.
  • Payment processing metadata does not contain PHI.

Physical Safeguards

  • All data is stored in SOC 2 compliant cloud infrastructure (no on-premises servers).
  • Provider workstations are subject to the inactivity timeout policy.

5. Data Storage and Service Providers

Your data is processed by the following service providers, each operating under contractual obligations to protect your information:

  • Amazon Web Services (AWS) — Application hosting, database, and storage infrastructure (BAA in place).
  • Stripe — Payment processing only. No PHI is transmitted to Stripe.
  • Resend — Transactional email notifications only. No PHI is included in any email content.

6. Data Sharing and Disclosure

We do not sell, rent, or share your personal or health information with third parties for marketing purposes. We may share data only in the following limited circumstances:

  • Healthcare providers — your medical intake information is shared with the licensed provider assigned to evaluate your case.
  • Pharmacies — if a medication is prescribed, your prescription and the patient information necessary to fill it are transmitted to the dispensing pharmacy.
  • Infrastructure providers — service providers listed above process data as necessary to operate the Platform, subject to BAAs and contractual data protection obligations.
  • Legal requirements — if required by law, subpoena, court order, or legal process.
  • Public health activities — as required by law for public health reporting.
  • Safety — to avert a serious threat to health or safety.

We will never disclose your PHI for marketing, fundraising, or underwriting purposes without your explicit written authorization.

7. Data Retention

Medical intake records and associated health information are retained for a minimum of seven (7) years from the date of the last patient interaction, in accordance with standard medical record retention practices and applicable state laws. Audit logs are retained for a minimum of six (6) years. Account information is retained as long as your account is active. You may request deletion of non-medical data at any time. Medical records may be retained beyond your request as required by law.

8. Breach Notification

In the event of a breach of unsecured PHI, Valitide will:

  • Notify affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach.
  • Notify the U.S. Department of Health and Human Services (HHS) as required.
  • If the breach affects 500 or more individuals, notify prominent media outlets serving the affected area.
  • Provide a description of the breach, the types of information involved, steps you should take, what we are doing to investigate and mitigate, and contact information.

9. Cookies

The Platform uses minimal cookies. We use httpOnly session cookies for authentication across all patient, provider, admin, and coordinator accounts. We do not use third-party advertising cookies, cross-site tracking, or persistent tracking cookies.

10. Your Rights

Under HIPAA and applicable state law, you have the following rights:

  • Right of access — You may request a copy of the health information we hold about you. We will respond within 30 days.
  • Right to amend — You may request corrections to your health information if you believe it is inaccurate or incomplete.
  • Right to an accounting of disclosures — You may request a list of certain disclosures we have made of your health information.
  • Right to restrict — You may request restrictions on certain uses and disclosures of your health information.
  • Right to confidential communications — You may request that we communicate with you about health matters through a specific method or at a specific location.
  • Right to data portability — You may request your data in a portable, machine-readable format.
  • Right to revoke authorization — You may withdraw consent for telehealth services at any time.
  • Right to complain — You may file a complaint with us or with the HHS Office for Civil Rights if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.

To exercise any of these rights, contact us at privacy@valitide.com or submit a request through your patient dashboard.

11. State-Specific Rights

California residents: Under the CCPA/CPRA, you have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. Health information governed by HIPAA is exempt from the CCPA.

EU/EEA residents: Under GDPR, you have additional rights including the right to erasure, data portability, and the right to lodge a complaint with a supervisory authority.

12. Children

The Platform and its telehealth services are not intended for use by anyone under 18 years of age. We do not knowingly collect information from minors. If we learn that we have collected information from a person under 18, we will delete that information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. If we make material changes to how we handle health information, we will notify you via email and a prominent notice on the Platform prior to the changes taking effect. Continued use of the Platform after changes constitutes acceptance of the revised policy.

14. Contact

For privacy-related inquiries, data requests, or to file a complaint:

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/complaints.