Consumer Health Data Privacy Policy
Effective Date: July 2, 2026
This Consumer Health Data Privacy Policy explains how Uplevel Bio collects, uses, shares, and protects "consumer health data" as that term is defined under state health-data laws — including Washington's My Health My Data Act (RCW 19.373), Nevada SB370, Connecticut's Data Privacy Act, and any similar law that applies to residents of the state where you live.
This policy applies in addition to our Privacy Policy and our Patient Privacy Practices. Where any of them conflict on a topic covered by consumer-health-data law, this policy controls.
What is consumer health data
State health-data laws define "consumer health data" broadly. It includes personal information that identifies your past, present, or future physical or mental health status, and — depending on the state — extends beyond information already protected by HIPAA. Examples include:
- Health conditions, symptoms, and diagnoses
- Medications you take, treatments you've received, and treatments you've sought
- Biometric data (heart rate variability, sleep, activity, blood oxygen) from devices you connect to your account
- Reproductive or sexual health information
- Gender-affirming care information
- Data about your attempts to acquire health products or services from us
- Inferences we draw from the above about your health
Consumer health data includes both information you provide directly and information we infer from your interactions with our services.
Categories of consumer health data we collect
We collect the following categories of consumer health data:
- Intake responses — health history, current medications, allergies, symptoms, treatment goals, height, weight, and other information you submit during your provider intake
- Prescription and treatment records — protocols prescribed, dosing history, prescription refills, prescribing provider identity
- Lab results — biomarker values from panels ordered through us and performed by independent laboratories
- Connected-device data — sleep, HRV, recovery scores, resting heart rate, respiratory rate, blood oxygen, activity, strain, and workout data from wearable devices you optionally connect
- Communications — messages you send to your provider or to our support team about your health, treatment, side effects, or concerns
- Product-interaction data — protocols and diagnostics you view, add to cart, or purchase, and searches you run on our site
- Inferences — information we derive about your health status, protocol adherence, treatment response, and clinical needs from the categories above
Sources of consumer health data
- Directly from you, when you complete your intake, submit messages, or otherwise provide information through your account
- From your prescribing provider, who documents your consultation, prescriptions, and clinical notes
- From our pharmacy partners, who confirm fills and shipments
- From independent laboratories, who return your lab results to us
- From connected devices, when you authorize us to sync via OAuth
- Automatically, when you interact with our website (product views, cart activity)
How we use consumer health data
We use consumer health data only for purposes reasonably necessary to provide the services you have requested, comply with legal obligations, and protect the safety of members and providers. Specifically:
- To route your intake to a qualified independent licensed provider for review
- To fulfill approved prescriptions through licensed 503A compounding pharmacies
- To display trends from connected devices back to you and, with your consent, to your provider
- To communicate with you about your care, orders, refills, and account
- To respond to your requests for support
- To maintain records required by state medical, pharmacy, and consumer-health-data laws
- To detect and prevent fraud, abuse, and safety risks
We do not use consumer health data for advertising, targeted marketing, cross-context behavioral advertising, or to train third-party artificial intelligence systems.
Categories of third parties we share consumer health data with
We share consumer health data only with the categories of third parties listed below, and only to the extent necessary for the purpose stated:
- Independent licensed clinicians (through the Asher Med provider network), for clinical review, prescription decisions, and ongoing care
- State-licensed 503A compounding pharmacies, for prescription fulfillment
- Independent clinical laboratories (such as Quest Diagnostics or Labcorp), for panel testing you order through us
- Third-party device providers (such as Oura or WHOOP), only via the OAuth flow you initiate, and only for the categories you approve
- Service providers who host our platform, process payments, deliver email, or provide analytics — all under contractual confidentiality obligations that prohibit use for their own purposes
- Government agencies and law enforcement, only when required by valid legal process or where necessary to protect life
We do not share consumer health data with data brokers, advertising networks, or social media platforms.
Sale of consumer health data
We do not sell consumer health data. We have not sold consumer health data in the twelve months preceding the effective date of this policy and we do not intend to sell it in the future. "Sell" here has the broad definition used by state consumer-health-data laws, which includes exchanges for any consideration, not only monetary consideration.
Your rights
If you are a resident of a state that grants consumer-health-data rights (including Washington, Nevada, Connecticut, and others), you have the right to:
- Confirm whether we are collecting, sharing, or selling your consumer health data
- Access the consumer health data we hold about you
- Delete consumer health data we have collected from you (subject to legal record-retention requirements applicable to medical and pharmacy records)
- Withdraw consent for our future collection or sharing of your consumer health data
- Appeal a denial of any of the above requests
To exercise any of these rights, email us at privacy@uplevel.bio or write to Uplevel Bio, 9 Maple Street, Scituate, MA 02066. We will respond within the timeframes required by applicable law (typically 45 days, with the possibility of a 45-day extension where reasonably necessary).
If we deny your request, our response will explain the reason and your right to appeal. To appeal, reply to our response within 45 days. If we deny your appeal, you may contact your state attorney general or applicable regulator.
Data retention
Consumer health data associated with your medical care is retained in accordance with state and federal medical- and pharmacy-record retention requirements — typically at least seven years from the last date of service, and longer for minors. Non-medical account data is retained for as long as your account is active or as needed to provide services.
If you close your account, we will delete or de-identify your consumer health data on the schedule permitted by law and by our record-retention obligations.
Security
We implement administrative, technical, and physical safeguards designed to protect consumer health data — including encryption in transit and at rest, role-based access controls, provider authentication, and audit logging. We limit access to authorized personnel and to your treating provider. No system is perfectly secure; we monitor continuously and update our controls as risks change.
Changes to this policy
We may update this Consumer Health Data Privacy Policy from time to time. Material changes will be posted here with an updated effective date. If a change materially expands the categories of consumer health data we collect, the purposes for which we use it, or the categories of third parties with whom we share it, we will obtain fresh consent as required by applicable law before applying the change to information collected before the change.
Contact
For consumer-health-data privacy questions, rights requests, or appeals:
Email: privacy@uplevel.bio
Mail: Uplevel Bio, 9 Maple Street, Scituate, MA 02066