Privacy Policy
Last updated: 2026-05-21
GetPepWell, Inc. ("GetPepWell," "we," "us," or "our") is committed to protecting your privacy and safeguarding your personal and health information. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our telehealth platform, website, and related services (collectively, the "Services").
Health information that we use, disclose, or maintain in connection with your healthcare is Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). PHI is also governed by our Notice of Privacy Practices, which describes your HIPAA-specific rights in detail. This Privacy Policy covers non-PHI personal information (account, billing, device, usage) and references the HIPAA-specific protections that apply to PHI.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.
Information We Collect
Personal Information
We collect the following personal information when you register for or use our Services:
- Full name, date of birth, and gender or sex assigned at birth (collected for clinical relevance)
- Email address and mailing address
- Government-issued identification (when required for identity verification)
- Payment and billing information (processed by our PCI DSS Level 1 compliant payment processor)
- Account credentials and authentication data (managed through our identity provider)
Health Information (PHI)
To provide telehealth services and facilitate peptide therapy, we collect health-related information, including:
- Medical history and current health conditions
- Medications you are currently taking or have recently taken
- Allergies and adverse reactions
- Medical-intake questionnaire responses
- Consultation notes and physician assessments
- Prescription records and treatment plans
- Laboratory results (when applicable)
- Adverse-event reports you submit
Usage and Device Data
- Pages visited, features used, and actions taken within the platform
- Session duration and frequency of visits
- Referring URLs and search terms
- Error logs and performance data
- Device type, operating system, and browser type
- IP address and approximate geographic location
- Unique device identifiers
- Screen resolution and language preferences
How We Use Your Information
Treatment and Care
- Facilitating telehealth consultations between you and licensed physicians
- Processing prescriptions and coordinating with compounding pharmacies
- Managing your treatment plan and monitoring progress
- Sending medication reminders and follow-up communications
Communication
- Responding to your inquiries and support requests
- Sending appointment confirmations, shipping notifications, and service updates
- Providing educational content related to your treatment
- Delivering important notices about changes to our Services or policies
Billing and Payments
- Processing subscription payments and one-time charges
- Managing refunds and billing disputes
- Generating invoices and payment receipts
- Preventing fraudulent transactions
Service Improvement
- Analyzing usage patterns to improve our platform and user experience
- Conducting research and analytics using de-identified data only
- Developing new features and services
- Ensuring the security and integrity of our platform
HIPAA and Protected Health Information
GetPepWell is committed to complying with HIPAA, the HIPAA Privacy Rule (45 CFR Part 164 Subpart E), the HIPAA Security Rule (Subpart C), the HIPAA Breach Notification Rule (Subpart D), and applicable state health-information privacy laws. We apply the following safeguards to PHI:
- We apply the minimum necessary standard, accessing only the PHI required to accomplish the intended purpose
- We maintain Business Associate Agreements (BAAs) with all third-party service providers that handle PHI on our behalf - including our authentication provider, database provider, file-storage provider, email provider, hosting provider, and error monitoring provider
- We implement administrative, physical, and technical safeguards to protect PHI from unauthorized access, use, or disclosure
- We maintain HIPAA-compliant audit logs with chain-hash tamper detection that record access to and modifications of PHI
- We apply role-based access controls and row-level security to limit PHI access to authorized personnel only
- We follow defined incident-response and breach-notification procedures consistent with 45 CFR § 164.404
For a complete description of how we use and disclose PHI, your HIPAA rights, and how to file a HIPAA complaint, see our Notice of Privacy Practices.
Information Sharing and Disclosure
We do not sell your personal information or PHI. We share information in the following circumstances:
Healthcare providers
We share relevant health information with the licensed physicians on our platform to enable your consultations, clinical decision-making, and treatment plans.
Compounding pharmacies
We share prescription and shipping information with our compounding pharmacy partners to fulfill your medication orders. Pharmacy partners that receive PHI are bound by BAAs and HIPAA requirements.
Payment processor
We share billing information with our PCI DSS Level 1 compliant payment processor to handle subscription payments, one-time charges, refunds, and chargebacks. The payment processor receives the minimum data needed for the transaction.
Legal requirements
We may disclose your information when required by law, including:
- In response to a court order, subpoena, or other legal process
- To comply with applicable federal, state, or local laws and regulations
- To cooperate with law enforcement or government agencies as legally required
- To protect the rights, safety, or property of GetPepWell, our users, or the public
Data Security
We implement the following security measures to protect your information:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256) for sensitive information
- Role-based access controls and row-level security to limit data access to authorized personnel only
- HIPAA-compliant audit trails with chain-hash tamper detection for PHI access events
- Automatic idle session timeout to reduce the risk of unauthorized access to unattended sessions
- Recurring security assessments and vulnerability testing
- Employee training on data privacy and security
- Documented incident-response and breach-notification procedures
State Privacy Rights
Depending on your state of residence, you may have additional privacy rights under state law. State-level rights typically apply to non-PHI personal information (account data, device data, usage data); PHI is governed primarily by HIPAA and the rights described in our Notice of Privacy Practices.
The following states have active comprehensive consumer privacy laws:
- California: California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
- Virginia: Virginia Consumer Data Protection Act (VCDPA)
- Colorado: Colorado Privacy Act (CPA)
- Connecticut: Connecticut Data Privacy Act (CTDPA)
- Utah: Utah Consumer Privacy Act (UCPA)
- Texas: Texas Data Privacy and Security Act (TDPSA)
- Oregon, Montana, New Hampshire, Delaware, Maryland, Indiana, Iowa, New Jersey, and others have additional comprehensive consumer privacy laws with varying effective dates
Where applicable, you may have the right to:
- Access: request a copy of the personal information we hold about you
- Correction: request that we correct inaccurate or incomplete personal information
- Deletion: request that we delete your personal information, subject to legal and regulatory retention requirements
- Data portability: request a copy of your data in a structured, machine-readable format
- Opt-out of sale or sharing: we do not sell your personal information or PHI; if you are a California resident you may submit a Do Not Sell or Share request and we will confirm that your information is not sold or shared
- Targeted advertising opt-out: we do not engage in cross-context behavioral advertising of our Services
- Non-discrimination: we will not retaliate against you for exercising any of these rights
To exercise any of these rights, email privacy@getpepwell.com with the request type and your account email. We respond to verifiable requests within 30 days (or the period required by applicable state law).
Cookies and Tracking Technologies
We use the following cookies and tracking technologies:
- Essential cookies: required for authentication, security, and core platform functionality. These cannot be disabled
- Preference cookies: store your settings such as language selection
- Analytics cookies: help us understand how visitors interact with our platform so we can improve the user experience. We use first-party analytics and limit retention windows
You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Services.
Third-Party Services
Our platform is built on a HIPAA-eligible infrastructure stack. We maintain BAAs with each provider that handles PHI on our behalf. Each provider operates under its own privacy policy, and we encourage you to review their policies to understand how they handle your information.
Our principal infrastructure providers include:
- Identity provider: authentication, user management, and single sign-on
- Database provider: serverless PostgreSQL with encryption at rest and in transit
- File-storage provider: encrypted object storage for ID documents and patient-uploaded files
- Hosting provider: web application hosting and content delivery
- Email provider: transactional email (appointment confirmations, shipping notifications, billing receipts)
- Payment processor: PCI DSS Level 1 compliant payment processor for subscription and one-time charges
- Error and performance monitoring: server and client error tracking to maintain platform reliability
Data Retention
We retain your information for as long as needed to fulfill the purposes for which it was collected, to deliver the Services, and to satisfy our legal and regulatory obligations:
- Medical records: retained for the period required by the medical records retention statute of your state. State minimums vary - generally between 5 and 10 years from the most recent visit, longer in some cases (for example, until a minor reaches the age of majority plus an additional retention period)
- HIPAA documentation: retained for at least 6 years from creation or last effective date, as required by 45 CFR § 164.530(j)
- Audit logs: retained for at least 6 years
- Account and billing records: retained for the duration of your account plus the period required to comply with applicable tax and consumer-protection laws
- Eligibility-screening responses: retained per medical-records retention requirements when associated with an account
When information is no longer needed for the purposes above, we delete or de-identify it.
Children's Privacy
Our Services are intended for individuals 18 years of age or older. We do not knowingly collect personal information from individuals under 18. If you are a parent or guardian and believe that a person under 18 has provided us with personal information, please contact us at privacy@getpepwell.com and we will investigate and delete such information.
International Users
GetPepWell Services are intended for individuals located in the United States. We do not target our Services to users outside the United States, and we do not knowingly process information for users physically located outside the United States in connection with telehealth services.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or operations. When we make material changes, we will post the updated policy on our website and update the "Last updated" date at the top of this page. For significant changes, we may also notify you via email or an in-platform notification.
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
- Privacy Officer: privacy@getpepwell.com
- General support: support@getpepwell.com
Related Policies
See also our Notice of Privacy Practices, Terms of Service, and Informed Consent for Telehealth Services.