HealSend
Weight LossHormonesRecoverySexual HealthLongevitySkin & HairBrain HealthGut Health
Get Started

The GLP-1 Essentials

Tirzepatide InjectionsSemaglutide InjectionsTriple-R Weight Loss

Precision Recomposition

TesamorelinLipo-C (MIC/B12)Neuro-Metabolic

Daily Maintenance

Tirzepatide DropsTirzepatide TabletsSemaglutide TabletsMicrodose GLP-1
Personalized GLP-1. Lose weight.

Personalized GLP-1. Lose weight.

Explore now

Treatment Categories

Get Started

GLP-1 treatments

Personalized GLP-1 Treatments

From $129 first month*

*First month discount on 3-month plan.

Discover HealSend

Blog
Health Data RightsEffective October 5, 2025

Consumer Health Data Policy

How Healsend collects, uses, and protects your consumer health data under state health privacy laws.

WA MHMDABIPA compliantNo data sales
Health Data Rights

Consumer Health Data Policy

WA MHMDABIPA compliantNo data sales

Effective: October 5, 2025

1. Purpose and Scope

Effective Date: October 5, 2025

This Consumer Health Data & Biometric Privacy Policy ("Policy") is issued by Healsend Inc. ("Healsend"), a Management Services Organization (MSO) and technology facilitator. Healsend is not a medical provider, does not practice medicine, and does not independently function as a HIPAA-covered entity. The Professional Entities supported by Healsend's Platform are independent licensed healthcare providers who may be covered entities or business associates under HIPAA.

This Policy covers Consumer Health Data (CHD) and biometric data collected and processed by Healsend in its capacity as a technology platform and data controller — separate from PHI processed by Professional Entities under their own Notices of Privacy Practices and HIPAA Business Associate Agreements. This Policy supplements our Master Privacy Policy.

2. Definitions

  • Consumer Health Data (CHD): Personal information that identifies your past, present, or future physical or mental health status, including diagnoses, medications, health conditions, health-related payments, bodily functions, or characteristics regulated under WA MHMDA, NV SB370, or similar state laws.
  • Biometric Data: Data generated from physiological or behavioral characteristics used for identification, including fingerprints, voiceprints, iris scans, retinal scans, face geometry, and gait patterns.
  • Sensitive Health Data: A subset of CHD that includes reproductive and sexual health information, mental health status, substance use disorder information, and genetic data.
  • Personal Information: Information that identifies, relates to, or could reasonably be linked to an individual or household.
  • Professional Entity: Independent licensed physician groups, professional corporations, or PLLCs that use the Platform to deliver clinical care.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Service Provider/Contractor: Entities that process data on Healsend's behalf under contracts restricting them to performing services for us.
  • De-identified Data: Information from which all direct and reasonably linkable identifiers have been removed under HIPAA Expert Determination or Safe Harbor methods.
  • Business Associate: Healsend, in its capacity as a BA under 45 CFR §160.103, when processing PHI on behalf of a covered Professional Entity under a signed BAA.
  • Consumer Request: A verifiable request from you to exercise a privacy right listed in Section 8.

3. Applicability of Federal and State Law

Federal Laws: HIPAA/HITECH (where Healsend acts as a BA), FTC Act §5 (unfair/deceptive practices), 21 CFR Part 11 (electronic records), ESIGN/UETA (electronic signatures), COPPA (not applicable — Platform is 18+ only), FTC Health Breach Notification Rule (for non-HIPAA PHR-related entities).

State Laws (stronger consumer protection prevails): California CCPA/CPRA; Washington MHMDA (RCW 19.373); Nevada SB370 (NRS 603A); Texas HB300 (Tex. H&S Code §181); Illinois BIPA (740 ILCS 14); Colorado CPA; Connecticut CTDPA; Virginia VCDPA; Utah UCPA; Iowa ICDPA; Montana MCDPA.

Where multiple laws apply to the same data processing activity, we apply the standard that affords the strongest consumer protection.

4. Information We Collect

A. Directly from You

  • Identifiers: name, contact info, date of birth, government ID for identity verification
  • Medical intake: symptoms, diagnoses, medications, allergies, surgical history, biometric measurements
  • Payment: billing address, transaction records (card numbers processed by third-party processors only)
  • Support: messages, feedback, survey responses

B. From Professional Entities & Pharmacies

  • Diagnosis codes, treatment plans, prescriptions, lab results, dispensing confirmations

C. Automatically

  • Device identifiers, IP address, cookie data, server logs, usage analytics

D. Biometric / Sensor Data

  • Facial geometry or voice patterns (where used for identity verification, with state-specific consent)
  • Wearable device data you authorize to connect to the Platform

E. Derived / Inferred

  • Treatment eligibility inferences, risk scores derived from intake data (used only for Platform routing, not for denial of medical care); de-identified aggregate data used for research and quality improvement

We do not knowingly collect information from individuals under 18.

5. How We Use Consumer Health and Biometric Data

5.1 Primary Uses (no additional consent required)

  • Platform operation: account management, authentication, technical support
  • Facilitating care delivery: routing intake to Professional Entities, care coordination
  • Payment processing and prescription/lab fulfillment
  • Analytics and platform improvement (using de-identified or aggregated data)
  • Support and communication: responding to inquiries and providing service updates
  • Regulatory compliance: recordkeeping, legal response, safety reporting
  • Security and fraud prevention

5.2 Secondary Uses (require your explicit consent)

  • We do not sell, lease, or trade CHD or biometric data
  • We do not use CHD for cross-context behavioral advertising
  • We do not use CHD to make employment, credit, or insurance decisions
  • We do not use automated health profiling to produce legally significant effects without your explicit, informed consent

5.3 Lawful Basis

  • Service delivery: Contractual necessity (fulfilling our Terms of Service)
  • Compliance: Legal obligation (HIPAA, state recordkeeping)
  • Security: Legitimate interest in protecting the Platform and users
  • Analytics: De-identified data — no legal basis required for purely de-identified processing
  • Marketing & secondary uses: Consent

6. When and Why We Share Data

6.1 Categories of Recipients

  • Professional Entities & Pharmacies: For care delivery and prescription fulfillment under BAAs or DPAs.
  • Service Providers (Contractors): Cloud hosting, payment processing, identity verification, analytics, email/SMS delivery — all bound by contracts limiting use to services on our behalf.
  • Corporate Affiliates & Successors: In mergers or acquisitions, subject to equivalent privacy protections.
  • Regulators & Law Enforcement: In response to valid legal process, to prevent imminent harm, or as required by law.
  • Authorized Agents: Individuals you have designated in writing to act on your behalf.

6.2 Safeguards for Vendors

All vendors handling CHD or biometric data must sign DPAs or BAAs requiring NIST SP 800-53 safeguards. Vendors must notify us of security incidents within 72 hours.

6.3 No Cross-Border Transfers

We do not transfer your consumer health data outside the United States.

6.4 No Sale of De-identified Data for Re-identification

We share de-identified or aggregate data only, never for the purpose of re-identifying individuals.

7. Retention and Deletion of Data

7.1 Retention Schedule

  • Account & profile data: Until account closure
  • Medical intake & clinical records: 7 years from last activity (per federal/state medical recordkeeping requirements)
  • Payment tokens: 7 years from last transaction (PCI compliance)
  • Biometric identifiers: No longer than 30 days after verification is complete, or less if required by state law
  • Security logs: 12 months (immutable; then anonymized)

7.2 Deletion Requests

Submit deletion requests to yourhealth@healsend.com. We verify your identity and complete verified deletion within 45 days. Backup copies are purged within 90 days. Certain data is retained to comply with legal obligations, resolve disputes, or prevent fraud.

7.3 Annual Review

We conduct an annual review of retained data and delete data that no longer serves a legitimate purpose.

8. Your Privacy Rights

8.1 Rights Available to You

  • Access/Transparency (45 days): Obtain the categories and specific pieces of CHD we hold about you.
  • Correction/Rectification (45 days): Request correction of inaccurate data.
  • Deletion/Erasure: Request deletion of CHD, subject to legal retention obligations.
  • Portability: Receive your CHD in a structured, machine-readable format (e.g., JSON or CSV).
  • Restriction/Opt-Out: Opt out of secondary uses of your CHD, including any targeted advertising or profiling.
  • Appeal (30 days): If we deny your request, you may appeal within 30 days of our response.

8.2 How to Submit a Request

Email yourhealth@healsend.com with subject line "CHD Privacy Request," or write to: Healsend Inc., 30 N Gould St Ste R, Sheridan WY 82801.

8.3 Fees

We do not charge a fee for the first verified request within any 12-month period.

9. State-Specific Disclosures

9.1 California (CCPA/CPRA)

CHD constitutes Sensitive Personal Information (SPI) under CPRA. We limit SPI use to purposes listed in Section 5.1. California residents may request disclosure of all categories of CHD collected, opt out of any cross-context behavioral advertising, and request deletion of CHD. Contact: yourhealth@healsend.com.

9.2 Washington (MHMDA — RCW 19.373)

We obtain your explicit opt-in consent before collecting CHD for any purpose beyond direct care delivery. A consumer health data notice is included on our Platform homepage. Washington residents may withdraw consent within 30 days and request a list of all third parties with whom their CHD has been shared.

9.3 Nevada (SB370 — NRS 603A)

We do not sell Nevada residents' consumer health data. Nevada residents may request deletion of their CHD at any time.

9.4 Texas (HB300 — Tex. H&S Code §181)

We provide annual privacy training to personnel who interact with Texas patients' health data and maintain training records for 6 years. Civil and criminal penalties may apply for violations.

9.5 Illinois (BIPA — 740 ILCS 14)

We obtain written/electronic informed consent before collecting any biometric identifier. We delete biometric data within 30 days of a verified deletion request. We do not sell or profit from biometric data.

9.6 Colorado, Connecticut, Virginia, Utah, Iowa, Montana

Residents of these states have access, correction, deletion, portability, and opt-out rights that we honor on a nationwide basis. Contact yourhealth@healsend.com to exercise these rights.

10. Data Security and Incident Response

10.1 Administrative Safeguards

Designated Privacy Officer and Security Officer; HIPAA and state privacy training for all personnel handling CHD; vendor management program with security certification requirements; least-privilege access policy.

10.2 Technical Safeguards

TLS 1.3 for all data in transit; AES-256 FIPS 140-2 at rest; MFA for administrative access; network segmentation; continuous automated vulnerability scanning; annual third-party penetration testing; 12-month immutable audit logs.

10.3 Physical Safeguards

Access-controlled facilities; cross-cut shredding for paper records; certified digital media wiping (NIST SP 800-88).

10.4 Incident Response

Upon discovery of a breach: (1) contain and assess; (2) notify affected individuals per 45 CFR §164.404 and applicable state laws; (3) conduct root cause analysis; (4) implement remediation. We maintain a documented incident response plan tested annually.

10.5 Audit

Annual internal HIPAA security audit; independent security assessment every 2 years; results shared with Covered Entity partners upon request.

11. Contact, Complaints, and Dispute Resolution

11.1 Privacy Office

Healsend Inc.
30 N Gould St Ste R
Sheridan, WY 82801
yourhealth@healsend.com

11.2 Officers

Healsend has designated a Privacy Officer and a Security Officer responsible for CHD compliance under this Policy.

11.3 Complaint Process

We acknowledge complaints within 10 business days and provide a substantive response within 30 days. If unresolved, you may escalate to the HHS Office for Civil Rights, the FTC, or your state Attorney General without retaliation.

11.4 No Retaliation

We will not retaliate against you for exercising your rights or filing a complaint.

11.5 Governing Law

Wyoming law governs this Policy. Disputes are subject to binding arbitration via AAA in Sheridan County, Wyoming, except that nothing in this Policy limits your right to file regulatory complaints with government authorities.

12. Changes to This Policy

We review this Policy annually and update it as needed to reflect changes in applicable law, our data practices, or Platform functionality. Updated versions are posted with a new Effective Date. Material changes are announced on the Platform homepage and by email to affected users where required by law. We maintain a 7-year archive of prior policy versions. Continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the changes.

Appendix A — Cookies: Essential (session/auth) | Analytics (13 mo) | Preference (12 mo) | Security Tokens (90 days rolling) | Platform honors GPC signals as opt-out.

Appendix B — Data Classification: Tier 1 PHI (AES-256, BAA required) | Tier 2 CHD (NIST SP 800-53) | Tier 3 Operational Metadata (de-identified, 12 mo) | Tier 4 Public (review before posting).

Appendix C — Record Retention: User accounts: until closed/secure erase | Medical encounters: 7 yr/encrypted purge | Payment: 7 yr/PCI deletion | Biometric: ≤30 days/auto wipe | Support tickets: 24 mo/purge | Audit logs: 12 mo/immutable.

Appendix D — Regulatory References: HIPAA Privacy Rule 45 CFR Part 164 Subpart E | HIPAA Security Rule 45 CFR Part 164 Subpart C | FTC 16 CFR 318 | CA Civil Code §1798.100 | WA RCW 19.373 | IL 740 ILCS 14 | TX HB300 | NV NRS 603A | NIST CSF v1.1 | ISO 27001.

Legal library

Privacy PolicyTerms of ServiceTelehealth ConsentSafety InformationConsumer Health DataRefund Policy

Questions?

Contact our compliance team for any concerns about these policies.

yourhealth@healsend.com
  • GLP-1 Treatments
  • Tirzepatide Injection
  • Tirzepatide Drops
  • Semaglutide Injection
  • PT-141 Nasal Spray
  • NAD+ Injection
  • NAD+ Nasal Spray
  • Sermorelin Injection
  • Telehealth Consent
  • Safety Information
  • My Health My Data
  • Terms
  • Privacy
  • Refund Policy
  • 1-631-800-9294
  • yourhealth@healsend.com
  • 31 Hudson Yards, NY, NY 10001

Popular Weight Loss

  • GLP-1 Treatments
  • Tirzepatide Injection
  • Tirzepatide Drops
  • Semaglutide Injection

Sexual Health

  • PT-141 Nasal Spray

Anti-aging

  • NAD+ Injection
  • NAD+ Nasal Spray
  • Sermorelin Injection

Legal

  • Telehealth Consent
  • Safety Information
  • My Health My Data
  • Terms
  • Privacy
  • Refund Policy

HealSend Patient Care

  • 1-631-800-9294
  • yourhealth@healsend.com
  • 31 Hudson Yards, NY, NY 10001
LegitScript verification badge
HealSend

© 2025 HealSend Inc. All Rights Reserved