Effective Date: January 1, 2025
Last Updated: January 1, 2025
1. Introduction
Welcome to Rythm Health (“Rythm,” “we,” “us,” or “our”). We are committed to protecting your privacy. This Privacy Policy (“Policy”) explains how we collect, use, disclose, protect, and retain your personal information (“Personal Information”) when you use:
Our services,
Our websites and mobile applications, and
Any other platforms that reference or link to this Policy (collectively, the “Services”).
Important Note (No Medical Advice):
Rythm Health currently provides informational testing only; we do not diagnose, treat, or serve as a substitute for a licensed healthcare professional.
2. Scope & Applicability
U.S.-Based Services
Rythm Health operates across all 50 U.S. states and Washington, D.C. (“U.S.”). If you are using our Services from outside the U.S., your information may be transferred to and processed in the U.S., under U.S. data protection laws, which may differ from those in your home jurisdiction.
No Use by Minors
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect data from minors under 18. If you believe we have inadvertently collected such data, contact us at [email protected] to request deletion.
Non-Exhaustive Compliance
This Policy aims to meet or exceed relevant U.S. privacy requirements (federal and state). If your local or state law imposes stricter obligations, we will do our best to comply. Please reach out with any questions or concerns.
3. Key Definitions
Personal Information (PI): Information that identifies, relates to, describes, or can be associated with a particular individual or household.
Consumer Health Data (CHD): Health-related data, such as blood test results, biometrics, or other metrics about your physical or mental condition.
Sensitive Personal Information (SPI): Data requiring heightened protection, including government-issued identifiers (SSN), precise geolocation, racial/ethnic origin, genetic data, health information, sexual orientation, or sex life.
Self-Reported Health Information: Data about your health that you voluntarily provide (e.g., lifestyle questionnaires, wearable data).
Sale/Sharing: Under certain state laws (e.g., California), “sale” or “sharing” can mean any disclosure of personal information to a third party for monetary or other valuable consideration, or for cross-context behavioral advertising, regardless of whether money changes hands.
4. Information We Collect
4.1 Data You Provide
Identifiers: Name, email, phone, birth date (to confirm 18+), mailing/billing address, and account credentials if you register.
Health Data: Blood samples, lab results, genetic/biometric details if applicable, or future telehealth data.
Communications: Emails, phone calls, or social media interactions with our support or other channels.
4.2 Automatic Data Collection
Device & Log Data: IP addresses, browser/device types, site usage patterns, timestamps, and referral URLs.
Cookies & Tracking: We use cookies, web beacons, pixels, and similar tools to remember preferences, personalize content, and serve targeted ads. (See Section 10 for more details.)
4.3 Information from Third Parties
Service Providers: Shipping companies, payment processors, accredited labs, analytics vendors, marketing partners.
Potential Provider Networks: If we partner with telehealth clinicians or pharmacies, we may receive relevant data about consultations or prescriptions with your consent.
5. How We Use Your Information
Service Provision & Operations
Kit Orders & Lab Processing: We process purchases, ship test kits, arrange lab analyses, and deliver results securely.
Account Management: Create and manage your user profile, troubleshoot issues, and provide new features.
Communications
Administrative Messages: Updates about your account, test availability, security, or changes to this Policy.
Customer Support: Maintain correspondence records, troubleshoot user issues, and improve user experience.
Analytics & Improvements
Performance Metrics: Evaluate usage data, aggregated results, and site functionality to enhance accuracy.
Research & Development: De-identify or aggregate data for internal R&D or collaborative projects (with consent if required).
Marketing & Promotions
Email Marketing: With consent, we may send marketing emails about product updates, new offers, or related services.
Targeted Advertising: We may share limited data (e.g., IP address, browsing behavior) with ad partners for personalized ads, subject to your rights under applicable law.
Legal & Security Compliance
Regulatory Obligations: Fulfill reporting duties, respond to lawful requests from government bodies, subpoenas, or court orders.
Fraud & Abuse Detection: Investigate suspicious activities or enforce Rythm Health’s Terms of Service.
Business Transfers: If we merge, sell assets, or reorganize, your data may transfer to the new entity (with notice of major changes).
6. How We Share Your Data
Accredited Labs & Potential Healthcare Providers
We share only the minimum necessary data with labs for test processing or healthcare providers for relevant services.
Service Providers & Vendors
Payment Processors: Securely handle billing transactions; Rythm Health does not store full card details.
Shipping & Logistics: To send test kits and manage returns.
Analytics & Marketing Affiliates: Provide usage metrics, marketing insights, or ad-tech solutions under confidentiality obligations.
No Monetized “Sale” of Data
We do not sell your PI for monetary gain. However, certain disclosures for advertising or cross-context behavioral ads may be classified as a “sale” or “share” under state laws, granting you opt-out rights (see Section 11).
Legal Disclosures
We may disclose data to comply with a legal obligation or protect the rights or safety of Rythm, our employees, or users.
Business Transactions
In a merger, acquisition, or sale of assets, your data may transfer to the successor entity. We will notify you of major changes.
7. Data Retention & Security
7.1 Retention
We keep your Personal Information only as long as needed for our legitimate business or legal obligations (e.g., complying with health regulations). We may dispose of or delete data at any time unless otherwise required by law or under a specific agreement.
7.2 Security Measures
We implement industry-standard safeguards such as encryption in transit (TLS), secure data centers, firewalls, and role-based access control. However, no method of transmission or storage is 100% secure. By using our Services, you acknowledge the inherent risks of online data transmissions.
8. Children’s Privacy
Our Services are not directed to individuals under 18. We do not knowingly collect or store such data. If you believe we have information about a minor under 18, contact us at [email protected] so we can delete it.
9. New York-Specific Notice
Under the New York SHIELD Act, we implement reasonable administrative, technical, and physical safeguards to protect NY residents’ private information. If a data breach affects unencrypted private information of a New York resident, we will notify affected individuals per New York law.
10. Cookies & Tracking
10.1 Use of Cookies & Similar Tools
We use cookies (session and persistent), web beacons, pixels, and similar technologies to store preferences, analyze site traffic, and enable targeted advertising.
10.2 Managing Cookies
You can adjust your browser settings to block or alert you about cookies. However, disabling cookies could limit certain features of our Services.
10.3 Do Not Track & Global Privacy Control
Where required by law, we honor “Do Not Track” (DNT) and Global Privacy Control (GPC) browser signals as a request to opt out of targeted advertising and of disclosures that qualify as a “sale” or “share.” Cookies and tracking that are strictly necessary to provide core service functionality remain in use.
10.4 Cross-Context Behavioral Advertising
We may share user data (e.g., IP addresses, usage patterns) with third-party ad networks for personalized ads. If state law deems that a “sale” or “share,” you can opt out (see Section 11).
10.5 Third-Party Analytics & Advertising Partners
Third-party vendors may collect Personal Information (such as cookie IDs, IP addresses, browsing behavior) on our websites and apps for analytics and advertising purposes. Some of these disclosures may be considered “sales” or “shares” under state laws, granting you opt-out rights. Please see Section 10.2 (Managing Cookies) and Section 11 (State-Specific Privacy Notices & Consumer Rights) for more details.
Below are examples of third-party partners we use:
Company | Purpose | Privacy Notices | Manage Settings (Opt-Out)
Advertising | | |
Google Analytics | Analytics | |
These vendors may combine data from multiple sites or apps to improve analytics for their own or other parties’ purposes. For more details about how they collect, use, or share your information, please review their privacy policies directly.
11. State-Specific Privacy Notices & Consumer Rights
We respect and comply with major U.S. privacy laws, including those in California, Colorado, Connecticut, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Montana, Oregon, Texas, Utah, Virginia, Nevada, Washington, and D.C. Below are highlights:
11.1 California Privacy Notice (CCPA/CPRA)
Right to Know/Access: The categories and specific pieces of Personal Information collected, used, shared, or sold.
Right to Delete: Request deletion of PI (subject to legal exceptions).
Right to Correct: Correction of inaccurate or outdated Personal Information.
Right to Opt Out of Sale/Sharing: Directed to stop any disclosures that qualify as “sale” or “sharing” under CPRA (e.g., cross-context ads).
Right to Limit Use of SPI: Restrict usage of Sensitive Personal Information for secondary purposes like ads or profiling.
Right to Non-Discrimination: We will not refuse service or charge different prices if you exercise any CPRA rights.
Shine the Light: Request info about disclosures of PI to third parties for direct marketing in the previous year.
11.2 Rights Concerning Sensitive Personal Data
Certain states grant special protections or require opt-in consent for SPI (e.g., Colorado, Virginia). Where applicable, you can request to limit or opt out of such processing.
11.3 Other States’ Privacy Laws
Similar Rights: Access, Delete, Correct, Opt Out of Targeted Ads or Data Sales, etc.
Appeals: If your request is denied, we offer an internal appeals process.
Exercising Your Rights: Email [email protected] or call (628) 333-3787.
12. Appeals Process
If we deny a rights request (in whole or in part), you may appeal by emailing [email protected] with the subject line “Appeal of Privacy Request.” We will respond within any legally required timeframe. If you remain dissatisfied, you may file a complaint with your state’s attorney general or relevant consumer protection authority.
13. Protected Health Information & HIPAA
13.1 Relationship With Rythm Health
When you set up an account with Rythm Health, you create a direct customer relationship enabling you to use various aspects of our Services. Personal details you provide (e.g., name, email, address, phone number) are generally not considered “protected health information” (“PHI”) or “medical information” unless you submit them for a health or medical purpose governed by HIPAA or other state laws.
Although Rythm Health is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and its regulations (“HIPAA”), some labs, pharmacies, or telehealth partners we work with may be “covered entities” or “business associates.” In certain scenarios, Rythm Health may be deemed a “business associate.” HIPAA does not apply universally to all health data; it applies only to specific covered activities by covered entities or their business associates.
If we are ever deemed a business associate under HIPAA, we will handle “protected health information” in compliance with relevant HIPAA provisions. Additionally, any “medical or health information” subject to specific state protections (collectively, “Protected Information”) will be used or disclosed only as permitted by applicable law.
Note: Protected Information does not include data that has been de-identified in accordance with applicable regulations.
13.2 Separate Notices of Privacy Practices
Accredited labs, pharmacies, or other healthcare providers you interact with via Rythm Health’s Services may have their own Notice of Privacy Practices describing how they use and disclose PHI. By using our Services with those providers, you acknowledge you have received or been given the opportunity to review their Notice of Privacy Practices.
13.3 Non-PHI vs. PHI
Personal information provided outside of direct diagnostic or treatment contexts (e.g., name or address for shipping a test kit) is typically not Protected Information under HIPAA. Such information is governed by this Policy and applicable state law. Only health data specifically collected or used by a covered entity/business associate for a covered purpose under HIPAA is considered PHI.
13.4 Electronic Communications
You may communicate with Rythm Health, labs, or providers via unencrypted email, text (SMS), or other methods that may not be fully HIPAA-compliant. By choosing these channels, you accept the inherent security risks associated with unencrypted communication. If you have concerns, contact [email protected] for alternative options.
13.5 Retention of Protected Information
Rythm Health may retain Protected Information as required to fulfill our Services or comply with legal obligations. Labs, pharmacies, and telehealth providers may also keep your information for legal or business reasons. De-identified data is not subject to HIPAA retention requirements and may be retained or used without additional limitations.
14. Transactions & Payment Processing
14.1 Stripe Payment Processing
All credit card, debit card, and other monetary transactions on or through the Services occur via an online payment processing application. Our primary third-party online payment processing vendor is Stripe (“Stripe”). Additional information about Stripe’s privacy policy and its information security measures (collectively, the “Stripe Policies”) can be obtained by contacting Stripe directly.
Reference to the Stripe Policies is for informational purposes only; they are not incorporated into or made part of this Privacy Policy. Rythm Health’s relationship with Stripe is purely contractual, with Stripe acting as a third-party vendor; Stripe is not subject to Rythm Health’s direction or control. Thus, their relationship is not, and should not be construed as, one of fiduciaries, franchisors-franchisees, agents-principals, employers-employees, partners, or joint venturers.
14.2 Transaction Data
When you conduct transactions (e.g., purchasing test kits or services), you may be asked to provide payment details, billing/shipping addresses, or phone numbers. By submitting this information, you grant Rythm Health the right to share it with payment processors or other necessary third parties (e.g., shipping carriers) to facilitate the transaction. Payment processors maintain their own policies and practices for safeguarding your information.
15. Electronic Communications
By accessing or using our Services or communicating with us via emails, text messages, or other electronic methods, you consent to receive communications from us electronically. This includes but is not limited to:
Transactional communications (appointment or order confirmations, shipping notifications)
Administrative or technical messages (account details, security alerts)
Marketing or promotional offers (where permitted by law)
Note: If you choose to send or receive information about your health or any other sensitive information by text message or email, you do so at your own risk, as these channels may not be fully secure. You can opt out of marketing/promotional messages at any time.
16. Changes to This Privacy Policy
We reserve the right to modify this Policy periodically. When we make significant changes, we will:
Revise the “Last Updated” date at the top.
Provide prominent notice (e.g., email, banner on our website).
Your continued use of the Services after the changes become effective indicates your acknowledgment of the updated Policy.
17. Contact Us
If you have questions, concerns, or wish to exercise any privacy rights, please contact us at:
Email: [email protected]
Phone: (628) 333-3787
Mail:
Rythm Health, Inc.
2261 Market Street, Ste. 10490
San Francisco, CA 94114
Thank you for choosing Rythm Health. We remain committed to safeguarding your personal and health information and providing a secure, user-friendly experience.