Livozo legal
Privacy Policy
How Livozo (the technology platform) handles personal information collected through livozo.com and related interfaces.
1. Scope of this policy
This Privacy Policy applies to information collected by {{ENTITY_NAME}} (“Livozo”) through the consumer-facing parts of the Platform — the website, marketing pages, intake forms, and apps. This policy does not govern the protected health information (PHI) that clinicians collect when they provide medical care. That information is covered by HIPAA and the separate Notice of Privacy Practices issued by {{PC_NAME}}.
2. Information we collect
We collect the following categories of personal information:
- Identifiers: name, postal address, email address, phone number, IP address, device identifiers, account ID.
- Commercial information: products viewed or purchased, billing history, subscription plan, payment method (tokenized; we do not store full card numbers).
- Internet activity: pages viewed, referring URL, browser type, OS, session duration.
- Geolocation: state-level location inferred from IP, ZIP code submitted in intake.
- Health-adjacent information you submit to Livozo: limited eligibility answers (height, weight, ZIP) collected before a clinician-patient relationship exists. Once a clinician accepts your intake, the answers become PHI held by the affiliated professional corporation under HIPAA.
- Inferences: derived attributes such as eligibility status or content preferences.
- Communications: messages you send to support, survey responses, complaints.
3. Sources
We collect information from these sources:
- Directly from you when you create an account, take the intake, contact support, or subscribe.
- Automatically from your device and browser when you visit the Platform.
- From third-party service providers (such as payment processors, identity verification, fraud-prevention services) where you have authorized the transfer.
4. How we use information
- Operate, maintain, and secure the Platform.
- Process orders, payments, refunds, and chargebacks.
- Route your intake to {{PC_NAME}} clinicians and pharmacy partners.
- Provide customer support and respond to inquiries.
- Send transactional messages (order confirmations, shipping updates).
- Send marketing messages where you have consented; you can opt out at any time.
- Detect and prevent fraud, abuse, security incidents, and harm.
- Comply with legal obligations, court orders, and regulatory requests.
- Conduct internal analytics and product improvement using de-identified or aggregated data.
5. How we share information
We share personal information only as described below:
- Affiliated providers and pharmacies: with clinicians at {{PC_NAME}} and the dispensing pharmacy network that fulfills prescriptions.
- Service providers: vetted vendors that host, store, process, ship, or analyze data on our behalf under written contracts that limit use to providing services to Livozo. Examples: hosting (Cloudflare), payment (Stripe), transactional email (Postmark or Resend), SMS (Twilio), identity verification (Stripe Identity or Persona), customer support (Front), error tracking (Sentry).
- Legal and safety: to comply with valid legal process, to enforce our Terms, or to protect rights, property, or safety.
- Business transfers: in connection with a merger, financing, acquisition, or sale of all or part of our assets, subject to contractual protections.
- With your consent: any other sharing only with your specific consent.
We do not sell personal information for money. We do not share personal information with social media advertising platforms in a way that would constitute a “sale” or “sharing” under California law. See our California Residents Notice for additional detail.
6. Pixels, tracking, and analytics
We do not deploy Meta Pixel, Google Ads conversion tracking, TikTok Pixel, Snap Pixel, or any third-party advertising pixel on pages that collect or display health information (including the intake flow, account dashboard, prescription pages, and post-purchase pages).
Marketing pages may use first-party analytics (currently planned: self-hosted PostHog) to measure aggregate traffic and conversion. Where ad-platform conversion data is needed, we use server-side conversion APIs that send only non-PHI signals (e.g., a purchase event with hashed email and order amount).
7. Cookies and Do Not Track
We use first-party cookies and similar technologies to operate the site, remember preferences, and analyze usage. You can disable cookies in your browser; some features may not work. We do not respond to Do Not Track (DNT) browser signals at this time, but we do honor Global Privacy Control (GPC) signals as an opt-out of sale/sharing for visitors who appear to be in California, Colorado, Connecticut, Utah, Virginia, and other states with comparable laws.
8. Data retention
We retain personal information for as long as needed to provide the Platform, comply with legal obligations, resolve disputes, and enforce agreements. Medical records held by {{PC_NAME}} are retained according to state medical record retention laws (often 6–10 years from last service; longer for minors). Marketing communications data is retained until you opt out plus a reasonable suppression-list period.
9. Security
We use administrative, technical, and physical safeguards designed to protect personal information, including TLS in transit, encryption at rest for sensitive fields, access controls, vendor risk management, and a written information security program. No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you as required by law.
10. Children's privacy
The Platform is intended for adults 18 and older. We do not knowingly collect personal information from children under 13 (or under 16 where local law applies). If we learn that we have collected information from a child without the required parental consent, we will delete it.
11. International transfers
The Platform is operated in the United States. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from your home country.
12. State privacy rights
Depending on where you live, you may have rights to access, correct, delete, and port your personal information, to opt out of certain processing, to limit use of sensitive personal information, and to be free from discrimination for exercising your rights. See:
- California Residents Notice (CCPA/CPRA, CMIA, Shine the Light)
- Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Virginia (VCDPA): same exercise channel below
To exercise a right, email [email protected] or write to the address in Contact. We will verify your identity before fulfilling requests. We will respond within statutory timeframes (typically 45 days).
13. Changes to this policy
We may revise this Privacy Policy from time to time. The “Last updated” date at the top of this page tells you when the latest version took effect. Material changes will be communicated by email or in-app notice.
14. Contact
Email [email protected] or write to {{ENTITY_NAME}}, Attn: Privacy, {{ENTITY_ADDRESS}}.
Draft for healthcare-counsel review. Do not publish to production until reviewed. The HIPAA Notice of Privacy Practices for clinical care is a separate document at /legal/hipaa-notice.