Skip to main content
The waitlist is open. Claim your spot as a Founding 500 member.

Privacy Policy

Effective: June 20, 2026

1Scope and roles

1.1Who This Policy Covers

How Sipra collects, uses, and shares information when you visit sipra.com, create an account, complete an intake, attend a telehealth visit, or message support. Applies to website visitors, prospective patients, current patients, and anyone who contacts us.

1.2The Two Entities You Deal With

Sipra ("we," "us") is Sipra LLC, a Wyoming limited liability company. Sipra runs the website, patient portal, billing, support, and technology platform.

Your clinical provider is the affiliated medical practice (named in our HIPAA Notice of Privacy Practices). Its physicians evaluate, prescribe, and follow up. Sipra support: [email protected].

1.3HIPAA Roles

The affiliated medical practice is a Covered Entity under HIPAA (as amended by HITECH). Sipra LLC supports it as a Business Associate under a signed Business Associate Agreement (BAA) governing PHI.

The practice maintains its own HIPAA Notice of Privacy Practices as the Covered Entity. PHI is governed by that notice; see https://sipra.com/hipaa-notice. Non-PHI is governed by this policy.

1.4Scope Exclusions And Other Policies

  • Consumer health data. WA, NV, and CT residents have additional rights under our Consumer Health Data Privacy Policy. https://sipra.com/health-data-privacy
  • Cookies. See Section 6 and our cookie banner.
  • Terms of Service. Defined terms follow our Terms. https://sipra.com/terms
  • No international service. Sipra is US-only. See Section 13.

2Information we collect

Categories track those defined under CCPA, as amended by CPRA, at Cal. Civ. Code § 1798.140.

2.1Identifiers

Full legal name, date of birth, email, phone, mailing and shipping address, postal code, IP, online identifiers, account credentials. Government-issued ID when uploaded for identity verification.

2.2Personal Information Under Cal. Civ. Code § 1798.80(E)

Signature, physical characteristics or description, payment card information (tokenized by our processor), insurance information (we do not bill insurance, but you may volunteer it), and similar sign-up records.

2.3Protected Classification Information

Age, sex assigned at birth, gender identity, race or ethnicity (only if volunteered), pregnancy or breastfeeding status. Collected only where clinically relevant or you choose to share.

2.4Commercial Information

Subscription tier, products ordered, treatment plan acceptance/decline events, billing history, refund history, and product consideration. Abandoned carts not recorded beyond what is needed to recover at your request.

2.5Biometric Information, Limited

A photo or short video of your face during ID verification, and a body photo if your physician requests one. We do not extract or store biometric identifiers (faceprint, voiceprint). ID verification compares your photo to your government ID; no persistent biometric templates.

2.6Internet Or Electronic Network Activity

Browsing and search history on our public site, page clicks, intake-form interactions, scroll depth, time on page, and referring URLs.

2.7Geolocation

Approximate location from IP (city/state level). Precise geolocation only with device permission. We do not geofence near healthcare facilities, prohibited under RCW 19.373.060 and a Sipra anti-pattern.

2.8Audio, Electronic, Visual

ID-verification photos, body photos if requested, voicemails, and recordings of synchronous audio-video visits you elect to record. We do not record asynchronous chats beyond the standard portal messaging log.

2.9Professional Or Employment Information

Not requested. You may volunteer occupation in intake; we treat it as optional context for your physician.

2.10Education Information

Not collected.

2.11Inferences

We may draw inferences from the categories above to profile your preferences, characteristics, behavior, attitudes, predispositions, or aptitudes, e.g., inferring you prefer morning appointment reminders. Inferences are not used for adverse clinical decisions.

2.12Sensitive Personal Information

Under CPRA Cal. Civ. Code § 1798.140(ae), this includes: government IDs; account credentials; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; message contents; genetic data; biometric information for unique identification; health information; sex life or sexual orientation. Collected only as needed to deliver care, complete ID verification, or as you choose. We treat gender-affirming care, reproductive care, and sexual orientation as sensitive by default.

Limit Use of Sensitive Personal Information. Sipra collects sensitive personal information including health data and biometric identifiers. California residents may direct Sipra to limit use by emailing [email protected] or via https://sipra.com/privacy-request. See Section 7.6.

2.13Recurring Check-In Data

Recurring check-in data: weight updates, reported side effects, dose tolerance, new medications or conditions, and any concerns or questions you submit between visits.

3Sources of information

3.1Directly From You

When you create an account, fill intake, message support, leave a voicemail, attend a visit, pay, request a refund, or join a waitlist.

3.2Automatically From Your Device

Standard web request data: IP, browser fingerprint elements, OS, language, referring URL, request time. Cookies and similar technologies record activity. See Section 6.

3.3From Your Physician

Your physician at the affiliated medical practice shares clinical notes, prescriptions, and care plans so we can operate the patient portal, schedule follow-ups, and coordinate pharmacy fulfillment, under our BAA.

3.4From Pharmacy Partners

Compounding and dispensing pharmacies share fulfillment status, shipping confirmations, and adverse-event reports. Healthcare Prosoft, LLC (operating the VSDH One Platform), Epiq Scripts LLC, Valiant Compounding Pharmacy, and Perfect RX, see https://sipra.com/pharmacy.

3.5From Identity Verification Vendors

Pass/fail result and a fraud-risk score. See Stripe Identity.

3.6From Payment Processors

Charge results, decline reasons, and dispute notifications. See Stripe.

3.7From Service Providers

Analytics, CRM, support, security, and infrastructure providers send reports and operational data under contract. They cannot use your data for their own purposes.

4How we use information

For these purposes only.

4.1Provide And Operate The Service

  • Care delivery, telehealth visits, prescriptions, follow-up
  • Billing, subscriptions, receipts, refunds
  • Account, creation, login, secure access
  • Support, questions and issue resolution
  • Transactional messages, appointment reminders, prescription updates, shipping confirmations

4.2Improve And Develop The Service

  • Diagnostics, debug, tune performance, prevent outages
  • Service quality, see which features help patients most
  • Outcomes research, population-level outcomes via de-identified data

4.3Marketing And Communications

  • With consent, marketing emails and SMS only on opt-in
  • Aggregate measurement, ad reach on public-website pages where you accept analytics cookies
  • Referrals, credit when a friend signs up

Marketing channels never contain PHI. Marketing data flows through our HIPAA-tier CRM under a signed BAA. To be executed prior to launch.

California, New York, Connecticut, and Colorado residents receive an annual subscription renewal notice consistent with applicable state law.

Notice of Financial Incentive (CCPA § 1798.125). Sipra's referral program offers credits or discounts for referrals. Participation is voluntary; only name and email are needed. Economic value of personal information collected: $0 to $25 per qualifying referral, equal to the credit issued. Material terms (reward, eligibility, fraud rules) are at the referral page. Opt out anytime: [email protected].

4.4Safety, Security, And Fraud Prevention

  • Fraud screening, fake accounts, stolen cards, fraudulent intakes
  • Security, misuse, abuse, or bypass attempts
  • Disputes, chargebacks and disputes

Bot Protection (Cloudflare Turnstile)

We use Cloudflare Turnstile to protect this website from automated abuse (bots, spam, credential stuffing). When you visit pages with forms, Cloudflare may collect technical signals from your browser (such as IP address, user agent, browser characteristics, and interaction patterns) to verify that you are a human visitor. No visible challenge is shown. Use of Turnstile is governed by Cloudflare's Turnstile Privacy Addendum, available at https://www.cloudflare.com/en-gb/turnstile-privacy-policy/.

4.5Legal And Compliance

  • Compliance, HIPAA, state privacy laws, FDA labeling, FTC, tax
  • Legal process, subpoenas, court orders, lawful government requests
  • Contracts, enforce our Terms
  • Claims, defend, protect, or pursue our rights and other patients' rights

4.6Other Purposes You Authorize

Other purposes when you permit, e.g., sharing records with an outside doctor.

5How we share information

We do not sell personal information for monetary consideration. We do not share for cross-context behavioral advertising as defined in CPRA. We share only as described below.

5.1With The Affiliated Medical Practice

We share information with the affiliated medical practice so your physician can evaluate, prescribe, and follow up. The practice is the Covered Entity; Sipra is its Business Associate under a signed BAA. PHI is governed by the practice's HIPAA NPP.

5.2With Pharmacy Partners

We share the prescription, shipping address, and necessary identifiers with the dispensing pharmacy. All pharmacy partners operate under a BAA, follow HIPAA-compliant procedures, and use your data only to fill and follow up on the prescription.

5.3With Service Providers (Data Processors)

Vetted vendors for payment processing, ID verification, cloud hosting, support tooling, analytics, security monitoring, and email/SMS delivery. Each works under a written contract limiting use to services we request. PHI handlers are bound by BAAs.

Categories: cloud infrastructure (AWS); payment processing (Stripe); CRM and email/SMS (HIPAA-tier vendor under BAA); support tooling; ID verification (Stripe Identity); session security monitoring; error logging.

Current list: https://sipra.com/subprocessors, updated promptly after any material change. Notice of new sub-processors via email notice and posting at https://sipra.com/subprocessors with a 30 days objection window. Version date: June 20, 2026.

5.4With Healthcare Partners

We share clinical records with labs, imaging facilities, or specialists you direct or your physician orders. PHI is shared for treatment, payment, or healthcare operations (HIPAA TPO).

5.5With Advertising Partners, Limited, Pre-Login Only

Cookies, pixels, and similar tools fire on our public, pre-login website only after you accept analytics or advertising cookies. No third-party tracking pixel inside the patient portal or on intake or quiz pages, and none on pages exchanging PHI or collecting/displaying Consumer Health Data. See Section 6.

5.6With Legal And Regulatory Authorities

We disclose when a lawful subpoena, court order, search warrant, or government request requires it; to investigate suspected fraud; to prevent serious threat to a person; or per HIPAA permitted-disclosure rules. We will tell you about a legal request before complying when allowed, unless the request prohibits notice or there is a real safety risk.

5.7In A Business Transfer

On a merger, acquisition, financing, sale, bankruptcy, or similar transaction, your information may transfer to the buyer or successor. We will require the buyer to honor this policy or notify you of any material change, and will not transfer to a buyer that does not promise to follow our HIPAA obligations.

5.8With Your Direction

We share with people or services you direct, e.g., an outside doctor, family member, or insurer (we do not bill insurance).

5.9De-Identified Or Aggregate Data

We may publish or share aggregate statistics that do not identify you. We follow HIPAA's de-identification standard at 45 CFR 164.514(b) for clinical data. De-identified information falls outside this policy.

5.10Mobile Information And SMS Consent

We do not sell, rent, or share your mobile phone number, or your consent to receive text messages, with third parties or affiliates for their own marketing or promotional purposes. We share this information only with service providers that help us deliver our messaging, and only to send the messages you requested. Text-messaging opt-in data and consent are never shared with third parties for marketing.

6Cookies, trackers, and analytics

6.1Cookie Banner With Granular Categories

Our CMP shows a cookie banner on first visit. Osano. Accept all, reject all, or choose by category. Revisit via the footer link.

6.2Cookie Categories We Use

  • Strictly necessary, sign-in, security, load balancing. No consent requested.
  • Functional, language preferences, region defaults.
  • Analytics, page views and traffic sources with IP truncation. Off by default.
  • Advertising, reach and conversion measurement. Off by default.

6.3Where We Never Deploy Third-Party Trackers

Sipra disables Meta Pixel, Google Analytics, TikTok Pixel, Microsoft Clarity, and any other third-party advertising or analytics trackers on:

  • (a) authenticated patient portal pages,
  • (b) intake forms,
  • (c) weight-loss calculator pages,
  • (d) pricing and product pages that collect health-related queries, and
  • (e) any pages displaying Consumer Health Data.

Server-side conversion tracking (Meta Conversions API (CAPI), Google Measurement Protocol) strips PII where applicable, excludes health-related parameters, and runs only on the public, pre-login website.

This commitment applies regardless of the AHA v Becerra ruling and its subsequent vacatur. It exceeds federal requirements and is informed by Maxwell v. Amazon (Feb 2025), OCR enforcement guidance, and state Consumer Health Data laws in WA, NV, and CT.

6.4Tracking Pixels And Tags, Disclosure

On the public website, after consent, we may use Google Analytics 4, Meta Pixel, Microsoft Clarity, TikTok Pixel, or similar tags for page-level activity, conversions, and aggregate traffic. We disable identifiers and IP collection where allowed. The list is disclosed in the cookie banner with one-click rejection. Adding/removing a tag triggers a banner refresh and re-consent prompt.

6.5Global Privacy Control (Gpc)

Sipra honors GPC signals globally across your browser, account, and any logged-in session, and propagates the opt-out to subprocessors where technically feasible. This applies to all online and authenticated experiences. GPC is treated as a verified opt-out of sale and sharing under CCPA, CPRA, CPA, CTDPA, and other state laws recognizing universal opt-out signals. Sipra honors GPC within 15 days of receipt.

6.6Do Not Track

Browsers offer DNT, but no industry-wide rule governs response. We rely on GPC and our cookie banner. DNT alone does not change behavior.

6.7Email Tracking Pixels

Transactional and marketing emails may include a small image ("pixel") recording when an email is opened. Disable image loading in your email client to block. SMS contains no trackers.

7Your privacy rights, universal

Available to all Sipra patients and visitors regardless of state. State laws add rights, see Section 8.

7.1Access

Confirm whether we hold your personal information and request a copy.

7.2Correction

Ask us to correct wrong information. We will correct or explain why not.

7.3Deletion

Ask us to delete. We will delete unless we must keep it to follow law, complete a transaction, run security or fraud prevention, defend a legal claim, or for clinical record-retention rules. PHI in your medical record cannot be deleted on request, see the practice's HIPAA NPP.

Consumer health data deletion SLA. For Washington and Nevada residents and others entitled to consumer health data deletion under state law, Sipra processes deletion requests within 30 days of receipt, with one 15-day extension where reasonable. Notice of any extension and reason will be provided before the original 30-day window expires.

7.4Portability

Request a copy in a portable, machine-readable format.

7.5Opt Out Of Sale Or Sharing

Sipra does not sell or share personal information for cross-context behavioral advertising. You may still opt out via our "Do Not Sell or Share My Personal Information" link at https://sipra.com/privacy#do-not-sell. GPC is treated as an opt-out (Section 6.5).

7.6Limit Use Of Sensitive Personal Information

Direct us to use sensitive personal information only for purposes the law permits without consent, service, security, fraud prevention, and similar. Email [email protected] or use https://sipra.com/privacy-request.

7.7Opt Out Of Profiling For Legally Significant Decisions

We do not make decisions that legally or significantly affect you based solely on automated profiling. If we change this, we will give opt-out and human-review rights. See Section 15.

7.8Withdraw Consent

Where we rely on consent (marketing emails, optional intake fields, advertising cookies), withdraw anytime. Withdrawal does not affect prior processing.

7.9Non-Discrimination

We will not deny service, change pricing, or change quality for exercising a privacy right. We may decline to ship medication if you delete clinically necessary information, a treatment limit, not a penalty.

7.10How To Exercise Rights

Email [email protected] or use the rights request form in our footer. Verified requests get a response within 45 days, extendable 45 days with notice. Authorized agents may act with proof of authorization.

8Your privacy rights, by state

Rights for residents of states with comprehensive privacy laws as of the effective date. If your state is not listed, you have the rights in Section 7.

8.1California (Ccpa / Cpra)

Under CCPA as amended by CPRA (Cal. Civ. Code § 1798.100 et seq.), California residents have the rights in Section 7, plus:

  • Right to know, categories and specific pieces collected, sources, purposes, recipients in the past 12 months
  • Right to delete, with statutory exceptions
  • Right to correct, inaccurate personal information
  • Right to opt out, sale or sharing; we honor browser-level GPC (Section 6.5)
  • Right to limit, sensitive personal information use to purposes Cal. Civ. Code § 1798.121 permits without consent
  • Non-discrimination, for exercising any privacy right

California Shine the Light (Cal. Civ. Code § 1798.83): Once per year, request a list of third parties to whom we disclosed personal information for their direct marketing in the past calendar year. Email [email protected], subject "Shine the Light Request." We do not disclose for third-party direct marketing, so the list is normally empty.

California § 1789.3 Consumer Complaint Unit: Contact the Complaint Assistance Unit, Division of Consumer Services, California Department of Consumer Affairs, 1625 North Market Boulevard, Suite N 112, Sacramento, CA 95834, or 1-800-952-5210. See https://oag.ca.gov/contact/consumer-complaint-against-business-or-company.

8.2Virginia (Vcdpa)

Under VCDPA (Va. Code § 59.1-575 et seq.), Virginia residents have rights to confirm, access, correct, delete, portability, and opt-out of targeted advertising, sale, and profiling with legal or similarly significant effects. Sipra does none of those. Appeal: [email protected], "VCDPA Appeal," then Virginia Attorney General.

8.3Colorado (Cpa)

Under CPA (Colo. Rev. Stat. § 6-1-1301 et seq.), Colorado residents have rights similar to Virginia, plus opt-out of profiling with legal or similarly significant effects. Colorado recognizes the Universal Opt-Out Mechanism; we honor GPC. Appeal: [email protected], "CPA Appeal." Unresolved: Colorado Attorney General.

8.4Connecticut (Ctdpa)

Under CTDPA (Conn. Gen. Stat. § 42-515 et seq.), CT residents have access, correction, deletion, portability, and opt-out rights, plus opt-in for sensitive data. Connecticut also requires consent before processing consumer health data, see our Consumer Health Data Privacy Policy. Appeal: [email protected], "CTDPA Appeal."

8.5Utah (Ucpa)

Under UCPA (Utah Code § 13-61-101 et seq.), Utah residents can confirm, access, delete, portability, and opt out of targeted advertising and sale. No appeals process. Email [email protected].

8.6Texas (Tdpsa)

Under TDPSA (Tex. Bus. & Com. Code § 541), Texas residents have rights to confirm, access, correct, delete, portability, and opt-out of targeted advertising, sale, and certain profiling. Sensitive data processing requires consent. Appeal: [email protected], "TDPSA Appeal." Unresolved: Texas Attorney General.

Texas residents: Pursuant to the TDPSA, Sipra (a) does not sell personal data, (b) does not engage in targeted advertising, and (c) gives Texas residents the same rights as California residents.

8.7Oregon (Ocpa)

Under OCPA (Or. Rev. Stat. Ch. 646A), Oregon residents have access, correction, deletion, portability, the right to a list of specific third parties to whom we disclosed personal data, and opt-out of targeted advertising, sale, certain profiling, and sensitive data processing. Appeal: [email protected], "OCPA Appeal."

8.8Montana (Mcdpa)

Under MCDPA (Mont. Code Ann. § 30-14-2801 et seq.), Montana residents have access, correction, deletion, portability, and opt-out rights. We honor GPC. Appeal: [email protected], "MCDPA Appeal."

8.9Tennessee (Tipa)

Under TIPA, Tennessee residents have access, correction, deletion, portability, and opt-out rights for targeted advertising and sale. Appeal: [email protected], "TIPA Appeal."

8.10Iowa (Icdpa)

Under ICDPA, Iowa residents have access, deletion, portability, and opt-out rights for sale and targeted advertising. No appeals process. Email [email protected].

8.11Indiana (Incdpa)

Under INCDPA, Indiana residents have access, correction, deletion, portability, and opt-out rights. Appeal: [email protected], "INCDPA Appeal."

8.12Delaware (Dpdpa)

Under DPDPA, Delaware residents have access, correction, deletion, portability, and opt-out rights for sale, targeted advertising, and certain profiling. Appeal: [email protected], "DPDPA Appeal."

8.13Maryland (Modpa)

Under MODPA, Maryland residents have access, correction, deletion, portability, and opt-out rights, plus stronger limits on sensitive data and a prohibition on selling sensitive data. Appeal: [email protected], "MODPA Appeal."

Maryland residents: Sipra does not sell sensitive personal data of Maryland residents under any circumstances per MODPA.

8.14Minnesota (Mcdpa)

Under the Minnesota Consumer Data Privacy Act, Minnesota residents have access, correction, deletion, portability, and opt-out rights, plus the right to question profiling decisions and request human review. Appeal: [email protected], "Minnesota Appeal."

8.15New Hampshire (Nhpa)

Under the New Hampshire Privacy Act, NH residents have access, correction, deletion, portability, and opt-out rights. Appeal: [email protected], "NHPA Appeal."

8.16New Jersey (Njdpcrr)

Under the NJ Data Privacy and Consumer Rights Rule, NJ residents have access, correction, deletion, portability, and opt-out rights for targeted advertising, sale, and certain profiling. Sensitive data, financial info, health data, sexual orientation, racial/ethnic origin, immigration status, requires consent. Appeal: [email protected], "New Jersey Appeal."

8.17Florida (Fdbr)

Under the Florida Digital Bill of Rights, FL residents have access, correction, deletion, portability, and opt-out rights for sale, targeted advertising, voice/facial recognition profiling, and sensitive data collection. FDBR applies above a revenue threshold; Sipra grants these rights to all FL residents regardless of threshold.

8.18Nevada (Sb 220)

Under Nev. Rev. Stat. § 603A.300-.360 (Nevada SB 220), Nevada residents may submit a verified request that we not sell covered information. We do not sell covered information. Email [email protected], "Nevada SB 220 Request." See https://ag.nv.gov/Complaints/File_Complaint/.

8.19Washington, Nevada, And Connecticut Consumer Health Data

WA, NV, and CT residents have additional rights under the Washington My Health My Data Act (Ch. 19.373 RCW), the Nevada Consumer Health Data Privacy Law (NRS Ch. 603A.500-.595), and the consumer health data provisions of the CTDPA. See our Consumer Health Data Privacy Policy at https://sipra.com/health-data-privacy. Sipra processes consumer health data deletion within 30 days of verified receipt, as in Section 7.3.

8.20How To Make A State Request

Email [email protected] with your state and the right exercised. We verify identity using account info plus a one-time confirmation. Authorized agents must provide a signed authorization letter. Response timing: 45 days CA/VA/CO/CT; 60 days Nevada SB 220; 30 days for consumer health data deletion under WA/NV, with one extension where the law allows.

9Sensitive data and reproductive health

9.1Sensitive Personal Information Generally

Collected only to deliver care, complete ID verification, comply with law, or where you choose. Not used for marketing, behavioral-advertising profiling, or any consent-required purpose unless consent given.

9.2Health-Adjacent Data And Explicit Consent

Health-related intake answers, clinical photos/videos, lab results, and prescription history are health-adjacent data. Processed on your explicit consent (captured at intake, reaffirmed at clinical milestones) and the HIPAA treatment-payment-operations permission where applicable.

9.3Reproductive Health Protections

The practice's HIPAA NPP implements the HIPAA Privacy Rule's reproductive health protections at 45 CFR 164.509 (effective Feb 26, 2026). We will not use or disclose PHI to investigate or prosecute lawful reproductive healthcare. We require an attestation before disclosing PHI that could relate to reproductive healthcare.

We extend the same stance to non-PHI reproductive-health-adjacent data (e.g., gender, pregnancy status). We will not voluntarily disclose to law enforcement or others for investigation or prosecution of lawful reproductive healthcare, except where valid legal process compels.

9.4Gender-Affirming And Sexual Orientation Data

Gender identity, gender-affirming care information, and sexual orientation are sensitive by default. Not used for ad targeting, profiling, or any purpose other than care, security, and legal compliance.

9.5Genetic Information

We do not currently order genetic testing. If we do, we follow GINA (42 USC § 2000ff; 45 CFR 164.502(a)(5)) and will not use genetic information for underwriting.

10Data retention

We keep information only as long as needed for the purpose collected, plus a reasonable period for legal, billing, audit, and security needs. State law may require longer for clinical records.

10.1Retention By Category

Final retention values confirmed annually. Account and identifier data: 7 years post-account-closure (HIPAA-aligned). Marketing communications data: until unsubscribe plus 30 days. Cookie and analytics data: 13 months. Identity verification photographs: 30 days. Audit logs: 6 years..

10.2Deletion On Request

We delete from production within 45 days of verifying the request. For WA/NV residents and others entitled to consumer health data deletion under state law, Sipra processes deletion within 30 days of receipt, with one 15-day extension where reasonable. Limited records may remain in suppression list, audit log, and backups. Deletion is documented in the audit log.

10.3De-Identification

We may keep de-identified data after the retention window. De-identified data lacks direct identifiers and is subject to a re-identification ban in our internal policies.

11Security measures

11.1Technical Safeguards

TLS 1.2+ in transit, AES-256 at rest. AWS in AWS us-east-1 under AWS shared-responsibility controls. PHI segregated from non-PHI. Single sign-on, role-based access, MFA for staff, quarterly least-privilege reviews.

11.2Administrative Safeguards

We follow the FTC Safeguards Rule (16 CFR Part 314), HIPAA Security Rule (45 CFR Part 164, Subpart C), and a written information security program. Staff privacy/security training at hire and annually. Vulnerability scans, dependency audits, external pen tests. BAAs with every PHI-handling vendor.

11.3Physical Safeguards

Remote-first; no brick-and-mortar clinic; no paper PHI. Cloud datacenters maintain SOC 2 Type II.

11.4Limits

No system is perfectly secure. Account security depends on your password and device. Use a strong, unique password and turn on MFA.

12Data breach notification

12.1Our Commitment

On a security incident compromising your personal information, we investigate, contain, and respond. We follow the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), FTC Health Breach Notification Rule (16 CFR Part 318), and applicable state breach laws.

12.2Timing

HIPAA requires individual notice within 60 days of discovery. Where personal data subject to the FTC Health Breach Notification Rule (16 CFR Part 318) is involved, Sipra notifies affected individuals within 60 days and notifies the FTC if 500+ are affected. We notify regulators within statutory deadlines (HHS OCR for HIPAA; FTC for 16 CFR Part 318; state AGs for state laws).

12.3Information You Will Get

Our notice describes what happened, categories involved, steps we are taking, steps you can take, and how to contact us. It will not include sensitive details enabling further harm.

13International users

Sipra is US-only. We do not market, sell, or knowingly provide telehealth services outside the US. Website and patient portal are hosted on US cloud infrastructure. We do not transfer personal information outside the US.

If you visit from outside the US, your information is still processed in the US. By using the service, you acknowledge US law governs.

14Children's privacy

14.1Service Not Directed To Minors

Sipra is for adults 18+. Not directed to children under 13. We do not knowingly collect from anyone under 13.

14.2Coppa

Under COPPA (15 USC §§ 6501-6506; 16 CFR Part 312), if we discover we collected from a child under 13 without parental consent, we delete promptly. Parents/guardians: email [email protected].

14.3Minors Aged 13-17

If we discover a user 13-17, we delete account and intake information unless a parent or legal guardian provides proof of consent and confirms eligibility. California minors under 18 have removal rights under Cal. Bus. & Prof. Code § 22581 for posted content; email [email protected].

15AI features and automated decision-making

15.1Where We Use AI

Intake parsing, triage routing, support agent assistance, fraud screening, and educational content generation. AI tools are assistants, not replacements for human judgment.

15.2What AI Never Does At Sipra

AI does not make clinical decisions. AI does not approve, decline, or change a treatment plan on its own. Every prescription decision is made by a licensed physician at the affiliated medical practice with full file review. AI does not write the message your physician sends without physician sign-off.

15.3No Model Training On Patient Data

We do not allow third-party AI vendors to train on your personal information, PHI, or messages. Third-party AI services are contracted for zero data retention and routed through HIPAA-eligible endpoints for any PHI-touching data.

15.4No Legally Significant Automated Decisions

We do not use automated decision-making (including profiling) to produce legal or similarly significant effects. If we change this, we will tell you in advance and give you human-review and opt-out rights.

15.5Tracking Pixels And Ai-Personalized Advertising

We do not use AI on healthcare-context data for ad personalization. Public-website ad measurement uses aggregate, non-clinical signals after consent. See Section 6.

16Changes to this policy

16.1How We Update

We update from time to time for new services, vendors, laws, or practices. Updates are posted with a new effective date and a brief change summary at the top.

16.2Notice

For material changes, new categories collected, new third-party recipients, or new secondary uses, we email account holders at least 30 days before the change takes effect and post a notice for at least 30 days. You may opt out of new uses where the law requires.

16.3Annual Review

Reviewed at least annually. Last reviewed: June 20, 2026.

17Privacy Officer and contact

17.1Privacy Officer

Sipra's designated Privacy Officer oversees our privacy program. Contact [email protected].

17.2General Contact

17.3HIPAA Complaints

File a complaint with HHS Office for Civil Rights at 200 Independence Avenue SW, Washington DC 20201, by phone at 1-877-696-6775, or online. See https://www.hhs.gov/hipaa/filing-a-complaint/. We will not retaliate against you for filing.

17.4Cross-References

Related policies:

  • HIPAA Notice of Privacy Practices, https://sipra.com/hipaa-notice
  • Consumer Health Data Privacy Policy (WA, NV, CT), https://sipra.com/health-data-privacy
  • Terms of Service, https://sipra.com/terms
  • Accessibility Statement, https://sipra.com/accessibility
  • Refund and Cancellation Policy, https://sipra.com/refunds

This is a draft prepared by Sipra. It is not legal advice and must be reviewed by qualified outside healthcare counsel before publication.