Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 9, 2026

ADONIS Health (“ADONIS,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our telemedicine platform, website, mobile applications, and related services (collectively, the “Services”).

By accessing or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our Services.

1. Information We Collect

Personal Information

We may collect the following personal information when you create an account, use our Services, or communicate with us:

  • Full name, date of birth, and gender
  • Email address, phone number, and mailing address
  • Government-issued identification (for identity verification)
  • Payment and billing information (processed securely by our payment partners)

Protected Health Information (PHI)

As a telemedicine provider, we collect health-related information necessary to deliver clinical services, including:

  • Medical history, current medications, and allergies
  • Laboratory results and diagnostic data
  • Treatment plans, prescriptions, and clinical notes
  • Communications with your care team (messages, telehealth session records)
  • Health intake questionnaires and symptom assessments

Automatically Collected Information

When you interact with our Services, we may automatically collect:

  • Device type, operating system, and browser information
  • IP address and general geographic location
  • Usage data such as pages visited, features used, and session duration
  • Cookies and similar tracking technologies (see Section 10)

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Clinical Care: To provide telemedicine consultations, develop treatment plans, process prescriptions, and coordinate your care with licensed providers
  • Account Management: To create and manage your account, verify your identity, and process payments
  • Communication: To send you appointment reminders, lab results, treatment updates, and respond to your inquiries
  • Service Improvement: To analyze usage patterns and improve the functionality, performance, and security of our platform
  • Compliance: To comply with legal obligations, including HIPAA requirements for maintaining and auditing health records
  • Safety: To detect, prevent, and address fraud, security issues, or technical problems

3. HIPAA Compliance & Notice of Privacy Practices

ADONIS Health is committed to complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and all implementing regulations (45 CFR Parts 160 and 164). This section serves as our Notice of Privacy Practices, describing how your Protected Health Information (PHI) may be used and disclosed and how you can access it.

Permitted Uses and Disclosures Without Authorization

Under HIPAA, we may use and disclose your PHI without your written authorization for the following purposes:

  • Treatment: To provide, coordinate, and manage your healthcare, including sharing PHI with your prescribing physician, consulting specialists, pharmacies, and laboratory partners involved in your care
  • Payment: To bill and collect payment for your treatment, including submitting claims and verifying insurance eligibility where applicable
  • Healthcare Operations: To support quality assessment, compliance audits, staff training, and internal improvement of our Services
  • As Required by Law: When disclosure is mandated by federal, state, or local law, including public health reporting, FDA-related activities, and responses to lawful court orders or subpoenas
  • Health and Safety: To prevent a serious and imminent threat to your health or safety, or the health or safety of the public

Uses Requiring Your Written Authorization

We will obtain your written authorization before using or disclosing your PHI for purposes not described above, including but not limited to:

  • Marketing communications (other than face-to-face communications or promotional gifts of nominal value)
  • Sale of PHI
  • Most uses of psychotherapy notes, if applicable
  • Any other use or disclosure not permitted or required by HIPAA

You may revoke any authorization in writing at any time. Revocation will not affect any actions taken prior to receiving your revocation.

Minimum Necessary Standard

When using or disclosing your PHI, we apply the HIPAA minimum necessary standard, limiting access to only the information reasonably necessary to accomplish the intended purpose.

Administrative, Physical, and Technical Safeguards

  • We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C)
  • All electronic PHI (ePHI) is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • We maintain comprehensive audit logs of all access to PHI in accordance with 45 CFR § 164.312(b)
  • Our workforce members receive HIPAA privacy and security training upon hire and annually thereafter
  • We have designated a Privacy Officer and a Security Officer responsible for HIPAA compliance
  • We enter into Business Associate Agreements (BAAs) with all third-party service providers who create, receive, maintain, or transmit PHI on our behalf

4. How We Share Your Information

We do not sell your personal information or PHI. We may share your information in the following limited circumstances:

  • Healthcare Providers: With licensed physicians, nurse practitioners, and clinical staff involved in your care
  • Pharmacies: With licensed 503A compounding pharmacies and retail pharmacies to fulfill prescriptions authorized by your provider
  • Laboratory Partners: With CLIA-certified laboratories to order and receive lab tests and results
  • Technology & Infrastructure Providers: Cloud hosting providers, database services, and IT security vendors who maintain our platform infrastructure, subject to BAAs
  • Payment Processors: PCI DSS-compliant payment processors to handle billing transactions (we do not store full credit card numbers on our systems)
  • Communication Services: HIPAA-compliant messaging, email, and telehealth video platforms used to deliver care, subject to BAAs
  • Legal Requirements: When required by law, court order, or governmental regulation, including public health authorities, the FDA, and law enforcement when legally compelled
  • Health Oversight: To health oversight agencies for activities authorized by law, including audits, investigations, and inspections
  • Safety: When necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public
  • With Your Authorization: In any other circumstance where you have provided explicit written authorization, which you may revoke at any time

5. Data Retention

We retain your personal information and PHI for as long as necessary to provide our Services, comply with legal obligations, and fulfill the purposes outlined in this policy. Medical records are retained in accordance with applicable state and federal requirements, which generally require retention for a minimum of six (6) to ten (10) years from the date of the last patient encounter, or longer as required by applicable law.

6. Data Security

We take the security of your information seriously and implement industry-standard measures, including:

  • 256-bit AES encryption for data at rest and TLS 1.2+ for data in transit
  • Role-based access controls limiting PHI access to authorized personnel
  • Multi-factor authentication for provider and administrative accounts
  • Regular security assessments and vulnerability testing
  • HIPAA-compliant audit logging of all system access

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any breach in accordance with applicable laws.

7. Breach Notification

In the event of a breach of unsecured Protected Health Information, ADONIS Health will comply with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and all applicable state breach notification laws:

  • Individual Notice: We will notify affected individuals without unreasonable delay, and in no case later than 60 calendar days following the discovery of a breach, via first-class mail or email (if you have agreed to electronic notice).
  • HHS Notification: If a breach affects 500 or more individuals, we will notify the U.S. Department of Health and Human Services (HHS) contemporaneously. Breaches affecting fewer than 500 individuals will be reported to HHS annually.
  • Media Notice: If a breach affects more than 500 residents of a single state or jurisdiction, we will provide notice to prominent media outlets serving that area.
  • Content of Notice: Breach notifications will include a description of the breach, the types of information involved, steps you should take to protect yourself, what we are doing in response, and contact information for follow-up questions.
  • Substitute Notice: If contact information is insufficient or outdated for 10 or more individuals, we will post a conspicuous notice on our website for at least 90 days and provide a toll-free phone number for affected individuals.

8. Telehealth-Specific Disclosures

As a telemedicine platform, the following additional disclosures apply to your use of our Services:

  • Informed Consent: Before your first telehealth consultation, you will be asked to provide informed consent acknowledging the nature and limitations of telemedicine services, including potential risks related to technology failures and the inability to perform physical examinations.
  • Video & Audio Sessions: Telehealth consultations are conducted over HIPAA-compliant, encrypted video and audio platforms. Sessions are not recorded unless you are informed and provide explicit consent. If sessions are recorded for quality or clinical purposes, recordings are treated as PHI and subject to all protections described in this policy.
  • Interstate Practice: Your provider is licensed in the state where you are physically located at the time of your consultation. We verify licensure and comply with all applicable state telemedicine laws and regulations.
  • Prescribing: Prescriptions, including compounded medications and peptides, are issued only after a valid provider-patient relationship has been established through clinical evaluation. All prescriptions require a valid prescription order from a licensed provider and are dispensed through licensed pharmacies.
  • Emergency Limitations: Our telehealth Services are not intended for medical emergencies. If you are experiencing a medical emergency, call 911 or go to your nearest emergency room immediately.

9. Your Rights Under HIPAA and Applicable Law

You have the following rights with respect to your Protected Health Information and personal data:

  • Right to Access: You may request a copy of your PHI and medical records in a designated record set. We will provide the requested information within 30 days (or 60 days with a written extension notice). A reasonable, cost-based fee may apply for copies.
  • Right to Amend: You may request an amendment to your PHI if you believe it is inaccurate or incomplete. We may deny the request under certain circumstances permitted by HIPAA and will provide a written explanation if denied.
  • Right to Restrict: You may request restrictions on certain uses and disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to all restriction requests, except that we must honor a request to restrict disclosures to a health plan when you have paid for services in full out of pocket.
  • Right to Confidential Communications: You may request that we communicate with you about your health information by alternative means or at alternative locations (e.g., contacting you only at a specific phone number or address).
  • Right to an Accounting of Disclosures: You may request a list of certain disclosures of your PHI that we have made, other than those for treatment, payment, healthcare operations, and certain other exceptions. The accounting will cover up to six (6) years prior to the date of your request.
  • Right to a Paper Copy: You may request a paper copy of this Notice of Privacy Practices at any time, even if you previously agreed to receive it electronically.
  • Right to Data Portability: You may request a portable copy of your data in a commonly used electronic format.
  • Right to Deletion: You may request deletion of your personal information, subject to HIPAA medical record retention requirements and applicable state law.
  • Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with ADONIS Health or directly with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. We will not retaliate against you for filing a complaint.

To exercise any of these rights, please contact our Privacy Officer at privacy@adonis.health. We will respond to all valid requests within the timeframes required by law.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, analyze site traffic, and understand usage patterns. Types of cookies we use include:

  • Essential Cookies: Required for the platform to function properly (e.g., authentication, session management)
  • Analytics Cookies: Help us understand how users interact with our Services
  • Preference Cookies: Remember your settings and preferences

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Services.

11. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

12. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected information from a minor, we will take steps to delete it promptly.

13. State-Specific Privacy Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete your data, and the right to opt out of the sale or sharing of your personal information. We do not sell your personal information.

Other State Privacy Laws

Residents of other states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, and others) may have similar rights. Please contact us to exercise your rights under applicable state law.

14. De-Identification of Data

We may use de-identified health information for research, analytics, and service improvement. De-identified data has all 18 HIPAA identifiers removed in accordance with the Safe Harbor method (45 CFR § 164.514(b)) or has been certified by a qualified statistical expert under the Expert Determination method. De-identified data is no longer considered PHI and is not subject to the restrictions of this policy. We do not attempt to re-identify de-identified data, and we require the same commitment from any third party that receives such data.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on our website and updating the “Last Updated” date. Your continued use of our Services after any changes constitutes your acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how your information is handled, please contact us:

ADONIS Health — Privacy Officer

Email: privacy@adonis.health

Website: adonis.health/contact

If you believe your privacy rights have been violated, you also have the right to file a complaint with:

U.S. Department of Health and Human Services

Office for Civil Rights

Website: hhs.gov/ocr/complaints

Toll-Free: 1-800-368-1019