Consumer Health Data Privacy Policy
Effective: June 20, 2026
1Scope
This Consumer Health Data Privacy Policy (the "policy") explains how Sipra collects, uses, shares, and protects consumer health data. It is required by:
- Washington My Health My Data Act (RCW Chapter 19.373).
- Nevada Consumer Health Data Privacy Law (NRS 603A.500-603A.595).
- Connecticut Data Privacy Act and its consumer health data amendments (Conn. Gen. Stat. Section 42-515 et seq.), as strengthened by SB 3 and SB 1295.
We apply this policy to anyone in the U.S. whose consumer health data we process, not only residents of those three states. This exceeds what the law requires.
Connecticut update. SB 3 and SB 1295 (both effective July 1, 2026) expand consumer rights and tighten requirements, including expanded geofencing prohibitions around mental health and sexual or reproductive health facilities. Sipra applies the stricter standard.
1.1Fit With Other Policies
Our Privacy Policy covers personal information. Our HIPAA Notice of Privacy Practices covers protected health information held by our affiliated medical practice. Where data is covered by both HIPAA and this policy, HIPAA controls.
1.2Our Role
Sipra is a regulated entity under RCW 19.373.010, the technology and marketing entity. The affiliated medical practice prescribes and provides care. Under HIPAA, the affiliated medical practice is the covered entity and Sipra is its business associate. Sipra processes PHI for the covered entity under a Business Associate Agreement (BAA).
2Definitions
Defined terms appear in bold on first use.
- Consumer, a person whose consumer health data we process, outside an employment or business role.
- Consumer health data, personal data linked or reasonably linkable to a consumer identifying their past, present, or future physical or mental health status. Includes diagnoses, treatments, medications, BMI, weight, biometric data, gender-affirming care, and reproductive or sexual health information.
- Process, any action with consumer health data: collect, store, use, share, sell, analyze, delete.
- Sell, exchanging consumer health data for money or valuable consideration. We do not.
- Share, providing consumer health data to a third party for a permitted purpose under written contract.
3Consumer health data we collect
We collect only what we need to provide care:
- Intake-reported health conditions, diagnoses, allergies, medical history.
- Body measurements, height, weight, BMI.
- GLP-1 medication name, dose, and titration history.
- Side effects reported during follow-ups.
- Prescription history with us, including refills and dose changes.
- Mental health information you share at intake.
- Reproductive health status (pregnancy, breastfeeding) relevant to GLP-1 eligibility.
- Identity-verification photos, where used. We do not extract or store biometric identifiers from them.
- Inferences drawn from the above, for example, candidacy for a specific medication.
4Where we get this data
- Directly from you, intake forms, follow-up surveys, support messages, account settings.
- From clinicians at the affiliated medical practice, clinical notes, prescribing decisions, care recommendations from your visit.
- From pharmacy partners, dispense records and shipping confirmations from the 503A compounding pharmacy filling your prescription.
- From devices or sensors, only if you connect them to your account.
5Why we use this data
We use consumer health data only to:
- Provide telehealth care through clinicians at the affiliated medical practice.
- Plan, dose, and adjust treatment.
- Monitor adverse events and report them to the FDA when required.
- Comply with state and federal law, including pharmacy and tax rules.
- Improve safety and quality on a de-identified basis only.
- Respond to your questions, support, and rights requests.
We will not use it for any new purpose without first asking for your consent.
6How we share this data
We share consumer health data only with:
- Clinicians at the affiliated medical practice, for treatment.
- Pharmacy partners, for compounding and dispensing.
- Subprocessors, such as our cloud host (AWS) and patient communications platform (GHL HIPAA tier). We sign BAAs with subprocessors handling PHI.
- Legal and regulatory recipients, for subpoenas, the U.S. HHS Office for Civil Rights (OCR), or a state medical or pharmacy board.
Current subprocessor list: https://sipra.com/subprocessors.
7We do not sell your consumer health data
Sipra does not sell consumer health data, regardless of whether it would be permissible under applicable law. We do not trade it, use it for cross-context behavioral advertising, or share it with advertising networks. This commitment exceeds what the law requires.
Maryland MODPA, hard sale ban. Sipra does not sell sensitive consumer health data of Maryland residents under any circumstances per the Maryland Online Data Privacy Act.
If this commitment ever changes, Sipra will provide a separate written valid authorization meeting all requirements of RCW 19.373.110, NRS 603A.515, or CTDPA, as applicable. Any such authorization would be specific, time-limited, revocable, and presented separately from any other consent or terms.
8How we get your consent
Before collecting consumer health data, we ask you to opt in with clear, conspicuous notice. We do not use pre-checked boxes or consent bundled with unrelated terms. For any materially different purpose, we will ask you to opt in again.
Plain consent governs collection and processing. Any sale would require a separate, written, valid authorization. Our commitment is not to sell.
9No geofencing near healthcare facilities
We do not use geofences within:
- 2,000 feet of any in-person healthcare facility (Washington, RCW 19.373.060).
- 1,750 feet of any in-person healthcare facility (Nevada, NRS 603A.520).
- 1,750 feet of any in-person mental health or sexual or reproductive health facility (Connecticut, SB 3).
This applies to advertising, identification, tracking, and data collection.
9.1Operational Verification
Sipra maintains a healthcare-facility exclusion list and applies geofencing controls across all paid advertising platforms (Meta, Google, TikTok). Sipra's privacy team reviews and signs off on each campaign before launch. The list is updated quarterly and available to regulators on request.
10Tracking technologies on health-related pages
Sipra disables third-party advertising and analytics trackers, including Meta Pixel, Google Analytics 4, TikTok Pixel, Microsoft Clarity, and any similar tools, on all pages that collect or display consumer health data:
- Intake forms.
- Weight-loss calculators.
- Pricing and product pages where health-related queries are submitted.
- Patient portal pages.
- Any post-acceptance pages.
For marketing measurement, Sipra uses server-side conversion tracking (Meta Conversions API, Google Measurement Protocol) with personal information removed where applicable. Server-side events are limited to non-clinical conversion signals and exclude consumer health data.
11Your rights and how to use them
You have the following rights over consumer health data we process about you.
11.1Right To Know
Confirm whether we process your data and what categories we hold.
11.2Right To Access
Request a copy in a portable, readily usable format.
11.3Right To Correct
Ask us to correct inaccurate data. We act within Section 17 timelines and instruct processors to update records.
11.4Right To Delete
Ask us to delete your data. We act within Section 17 timelines. We may retain data legally required to keep (e.g., FDA adverse-event reporting, tax compliance) and will tell you the basis.
11.5Right To Withdraw Consent
Withdraw consent at any time. We stop processing promptly. Withdrawing may stop certain services.
11.6Right To A List Of Recipients
Request a list of third parties and affiliates we have shared your data with in the prior 12 months.
11.7How To Submit A Request
- Email: [email protected]
- Online form: https://sipra.com/health-data-request
- Mail: 30 N Gould St, Ste R, Sheridan, WY 82801, attention Privacy Officer
12Identity verification and authorized agents
We must verify your identity before acting on a request. We will ask you to confirm information already on file (such as your account email) and will not request sensitive information we do not need.
You may use an authorized agent. We require written proof, such as signed permission or power of attorney, and may confirm with you.
13Appeals and how to file with a state Attorney General
If we deny a request in whole or in part, you may appeal by emailing [email protected]. We will respond in writing within 30 days explaining the final decision.
If you disagree, you can file a complaint:
- Washington Attorney General, atg.wa.gov/file-complaint.
- Nevada Attorney General, ag.nv.gov.
- Connecticut Attorney General, portal.ct.gov/AG.
14Data security
Administrative, technical, and physical safeguards protect consumer health data:
- AES-256 encryption at rest, TLS 1.2+ in transit.
- Role-based access, only staff who need data can see it.
- MFA for administrative and clinical access.
- BAAs with every subprocessor handling PHI.
- Vulnerability scans and periodic penetration tests.
- Continuous monitoring to identify, investigate, contain, and report incidents under applicable law.
15Data retention
We keep consumer health data only as long as needed for Section 5 purposes, or as law requires.
Detailed schedule by category: https://sipra.com/retention.
16Breach notification
We will notify affected consumers of a confirmed breach without unreasonable delay and in no case later than 60 calendar days after discovery, by email and by posting on sipra.com. This 60-day window aligns with 45 CFR 164.404 and 164.410 and the breach notification window stated in our HIPAA Notice of Privacy Practices. We will also follow applicable state breach laws, including California Civil Code Section 1798.82 and the New York SHIELD Act.
17State-specific addenda (Washington, Nevada, Connecticut)
CHD = consumer health data. AG = state Attorney General. UOOM = Universal Opt-Out Mechanism.
17.1Universal Opt-Out And Global Privacy Control
Sipra honors Global Privacy Control (GPC) signals globally, across browser, account, logged-in session, and device, and propagates the opt-out to subprocessors where technically feasible. An "Opt-Out Honored" indicator displays in the patient portal when GPC is active. We do not require account login to honor GPC.
This exceeds federal requirements and reflects the standard set by the California Attorney General's Disney enforcement action (February 2026, $2.75M).
17.2Litigation Awareness, Maxwell V. Amazon
Sipra is aware of Maxwell v. Amazon (W.D. Wash., filed Feb 10, 2025), the first class action under the Washington My Health My Data Act. Our compliance posture meets or exceeds standards illustrated by that litigation: pixel governance on health-related pages, GPC honoring, geofencing exclusion lists, and a no-sale commitment.
18Updates to this policy
For any material change, we will give at least 30 days advance notice by email and by posting on sipra.com. The Last Reviewed date reflects the most recent update.
19Contact us
- Privacy Officer: [email protected]
- Email: [email protected]
- Support: [email protected]
- Mail: 30 N Gould St, Ste R, Sheridan, WY 82801, attention Privacy Officer