
Privacy Policy

Effective May 12, 2026

This Privacy Policy describes how Vane Health, Inc. (“Vane,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you visit vanehealth.com, create a Vane account, or otherwise use the Vane platform (the “Service”). It applies to information collected in our role as platform operator. By using the Service you confirm that you have read and understood this Privacy Policy.

Health information and HIPAA.

Vane is not itself a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). It acts as a business associate of the affiliated medical group (OpenLoop Healthcare Partners, P.C. and its state-affiliated professional corporations, the “Medical Group”) and of partner pharmacies when handling protected health information (PHI) on their behalf. PHI generated in the course of clinical care by the Medical Group and partner pharmacies is governed by the Notice of Privacy Practices of the relevant covered entity, not solely by this Privacy Policy. This Policy describes Vane’s own handling of personal information, including information that may overlap with PHI handled on behalf of those covered entities under written business associate agreements.

1. Information We Collect

Information you provide directly. When you create an account or use the Service we collect identifiers (name, email, phone number, date of birth, mailing address, government identification where required for prescribing), health questionnaire responses, medical history, current and prior medications, symptoms, goals, photographs you choose to upload, secure messages, and any other information you submit. We collect payment card details through our payment processor; we do not store full card numbers on our servers.

Information collected automatically. When you interact with the Service we collect device and usage data including IP address, device identifiers, browser type, operating system, referring and exit pages, dates and times of access, and interactions with features. We use cookies and similar technologies as described below.

Information from third parties. We receive laboratory results from CLIA-certified reference laboratories, clinical notes and prescription information from the Medical Group (OpenLoop Healthcare Partners, P.C. and its state-affiliated professional corporations), fulfillment and shipping data from partner pharmacies, payment confirmations from our payment processor, and information from analytics and advertising partners about your interactions with our marketing.

2. Sensitive Personal Information

We collect categories of sensitive personal information that include health information, government identification numbers, and account credentials. We collect and use this information only as needed to operate the Service, deliver care through affiliated clinicians and partner pharmacies, comply with law, and protect against fraud or harm. We do not sell sensitive personal information, and we do not use or disclose it to infer characteristics about you for purposes other than those above.

3. How We Use Information

We use personal information to:

  • Operate, maintain, and improve the Service;
  • Match you with affiliated independent clinicians and coordinate care, including arranging laboratory orders and prescription fulfillment by partner pharmacies;
  • Process payments and manage subscriptions;
  • Communicate with you about your account, your clinical engagement, billing, customer support, security, and changes to the Service;
  • Send you marketing communications where you have not opted out and applicable law permits;
  • Provide AI-assisted educational content and product features. We do not use personal health information to train third-party generative AI models;
  • Conduct analytics, research, and product development, using aggregated or de-identified information where feasible;
  • Detect, prevent, and respond to fraud, abuse, security incidents, and harm to you, other users, or the Service;
  • Comply with legal obligations and respond to lawful requests.

4. How We Share Information

We share personal information in the following circumstances:

  • The Medical Group. Information necessary to evaluate, diagnose, treat, and follow up with you is shared with the independent licensed clinicians who provide your care and with OpenLoop Healthcare Partners, P.C. and its state-affiliated professional corporations through which they operate.
  • Partner pharmacies and laboratories. Information necessary to fulfill prescriptions and complete laboratory testing is shared with partner pharmacies and CLIA-certified reference laboratories.
  • Service providers. We use vendors who process information on our behalf, including hosting, email and SMS delivery, payment processing, analytics, customer support tooling, and security. These providers are bound by contract to use information only as instructed and to maintain appropriate safeguards.
  • Legal and safety. We may disclose information when required by law, valid legal process, or government request; to enforce our terms; to protect the rights, property, or safety of Vane, our users, or others; and to respond to fraud or security incidents.
  • Business transfers. If Vane is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction subject to standard confidentiality protections.
  • With your consent. We share information for any other purpose with your direction or consent.

We do not sell personal information. We do not sell personal information for monetary consideration. We may share limited online identifiers with analytics or advertising partners for measuring and improving our marketing; this is sometimes treated as a “sale” or “sharing” under certain state privacy laws. See the state-rights sections below for how to opt out.

5. Cookies and Similar Technologies

We use cookies, web beacons, and similar technologies to operate the Service, remember preferences, measure performance, and personalize content. Some cookies are strictly necessary for the Service to function and cannot be disabled without breaking core features. Others are used for analytics and marketing and can be controlled through your browser settings, an in-product cookie banner where presented, or industry opt-out tools such as the Network Advertising Initiative and Digital Advertising Alliance opt-outs. We honor Global Privacy Control (GPC) signals where required by applicable state law.

6. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit and at rest for sensitive information, access controls, employee training, and audit logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We will notify you of a security incident affecting your information when required by law.

7. Retention

We retain personal information for as long as your account is active and as needed to provide the Service. After account closure we retain information for legitimate business purposes including legal, regulatory, tax, and accounting requirements. Medical records and other protected health information are retained by the affiliated clinicians and partner pharmacies under their own retention policies, which typically follow state-mandated minimums of at least seven years.

8. Your Rights

Depending on where you live, you may have rights with respect to your personal information, including the right to access, correct, delete, port, or restrict processing of your information, and to withdraw consent where processing is based on consent. To exercise these rights, contact us at privacy@vanehealth.com. We will respond within the timeframes required by applicable law. We may need to verify your identity before fulfilling a request, and certain information may be retained where law or legitimate business needs require.

9. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act (collectively, the CCPA) give you the following rights:

  • Right to know. The categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties to whom we disclosed it.
  • Right to delete. The deletion of personal information we have collected from you, subject to exceptions permitted by law.
  • Right to correct. Correction of inaccurate personal information.
  • Right to opt out of selling and sharing. The right to direct us not to “sell” or “share” your personal information as those terms are defined under CCPA.
  • Right to limit use of sensitive personal information. The right to limit our use and disclosure of sensitive personal information to purposes specified by law.
  • Right to non-discrimination. We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email privacy@vanehealth.com. You may also authorize an agent to make a request on your behalf. We will require reasonable verification before responding. We honor Global Privacy Control (GPC) signals as a valid opt-out of selling and sharing.

Categories collected. In the prior twelve months we have collected the following categories of personal information under CCPA: identifiers, customer records, characteristics of protected classifications (where you provide them), commercial information, internet activity, geolocation (approximate), audio and visual data (photos where you upload them), professional or employment-related information (where provided), inferences drawn from the foregoing, and sensitive personal information including health information and government identification numbers.

10. Other State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, and other states with comprehensive privacy laws may have rights similar to those above, including the right to access, correct, delete, and port their personal information, and to opt out of certain processing activities. Exercise these rights by contacting privacy@vanehealth.com. You may appeal a denial by replying to our response and requesting reconsideration; we will respond to appeals within the timeframes required by applicable law.

11. Children’s Privacy

The Service is intended for adults aged eighteen (18) and older. We do not knowingly collect personal information from individuals under thirteen (13) years old. If we learn we have collected personal information from a child under thirteen without verified parental consent, we will delete it. Parents or guardians who believe their child has provided us with personal information should contact privacy@vanehealth.com.

12. International Users

The Service is intended for United States residents and is operated from the United States. If you access the Service from outside the United States, information we collect may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

13. AI and Automated Decision-Making

The Service includes AI-assisted features such as an educational health coach and tools that surface relevant content. These features are informational and are not used to make decisions that produce legal or similarly significant effects on you. Clinical decisions, including whether to prescribe medication, are made by independent licensed clinicians applying professional judgment.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date above and, for material changes, will notify you by email or in-product notice before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

15. Contact

Questions about this Privacy Policy or our handling of your personal information may be directed to:

Vane Health, Inc.
Attn: Privacy
1266 Treat Avenue
San Francisco, CA 94110
privacy@vanehealth.com