Privacy Policy
Last updated: April 5, 2026
Your privacy is critically important to us. This policy details how CULTR Health ("we," "us," or "our") collects, uses, and protects your information.
1. Information We Collect
We collect the following categories of information:
- Contact information: Name, email address, phone number, mailing address
- Account credentials: Email and authentication tokens
- Payment information: Processed securely via Stripe — we do not store card numbers
- Health information (PHI): Medical history, intake form responses, lab results, prescription information, and consultation records
- Usage data: Pages visited, features used, device type, browser type
- Cookies: Session management, attribution tracking (30-day affiliate cookies), and analytics
2. HIPAA Compliance
CULTR Health is committed to protecting your Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- PHI is stored in HIPAA-compliant systems with encryption at rest and in transit
- We maintain Business Associate Agreements (BAAs) with all vendors who access or process PHI
- We do not sell, rent, or trade your health data to any third party
- Access to PHI is restricted to authorized personnel on a need-to-know basis
- We conduct regular security assessments and maintain audit logs of PHI access
- Our platform enforces automatic session timeouts (30 minutes of inactivity) for pages containing PHI
3. How We Use Your Information
- Provide, maintain, and improve our healthcare platform services
- Connect you with licensed healthcare providers for clinical evaluation
- Process payments and manage your membership
- Send transactional communications about your care (appointment confirmations, lab results, prescription updates)
- Comply with legal and regulatory obligations
- Improve website functionality through aggregated, de-identified analytics
4. Service Providers & Clinical Partners
We work with carefully selected service providers to operate the platform, process payments, fulfill prescriptions, and support secure clinical workflows. We only enable a vendor to handle PHI when the required contractual and security controls are in place for that use case.
| Provider | Purpose | BAA Status |
|---|---|---|
| St. Luke Compounding Pharmacy | Medication compounding and dispensing | Operational care partner |
| Healthie EHR | Clinical intake, appointment scheduling, and patient workflow | BAA required before PHI activation |
| Stripe | Payment processing | Payment data only — PHI not intentionally sent |
| Vercel / Neon | Application hosting and database infrastructure | Security and contractual controls required for authorized data |
| Resend | Transactional email delivery | Routine PHI excluded from email content |
| SiPhox Health | At-home lab testing | Clinical partner handling lab workflows |
| Cloudflare | CDN, security, bot protection | Security traffic data only |
| Google Analytics | Aggregated website analytics (no PHI pages) | N/A — no PHI access |
5. Data Security
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Automatic session timeout after 30 minutes of inactivity
- Secure, HttpOnly cookies with SameSite protections
- Regular security audits through our infrastructure providers
- Infrastructure providers maintain enterprise security controls and independent audit programs where applicable
6. Data Retention
We retain your health information for a minimum of 7 years following your last interaction, consistent with medical record retention requirements. Account and billing data is retained for the duration required by applicable tax and financial regulations. You may request deletion of non-medical data at any time.
7. Your Rights
Under HIPAA and applicable state privacy laws, you have the right to:
- Access: Request copies of your health records
- Correction: Request amendments to inaccurate health information
- Restriction: Request restrictions on certain uses of your PHI
- Accounting: Request an accounting of disclosures of your PHI
- Deletion: Request deletion of your personal (non-medical) data
- Portability: Receive your data in a commonly used electronic format
To exercise any of these rights, contact us at privacy@cultrhealth.com.
8. Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals within 60 days as required by the HIPAA Breach Notification Rule. Breaches affecting 500 or more individuals will also be reported to the U.S. Department of Health and Human Services and, where required, to local media.
9. Cookies & Tracking
We use cookies for session management, affiliate attribution (30-day window), and analytics. Analytics cookies collect aggregated, non-identifiable usage data. We do not use tracking cookies on authenticated pages that may display health information.
10. Changes to This Policy
We may update this privacy policy periodically. Material changes will be communicated via email or a notice on our platform. Your continued use of our services after changes constitutes acceptance.
11. Contact
For privacy-related inquiries or to exercise your rights:
- Email: privacy@cultrhealth.com
- Support: support@cultrhealth.com