Privacy & Data Protection
Our HIPAA-compliant protocols govern how clinical information is collected, encrypted, transmitted, and retained. Transparency is foundational to trust.
We collect name, date of birth, contact information, and state of residence during registration to establish your identity, verify residency eligibility, and facilitate HIPAA-compliant record linkage with licensed practitioners and compounding pharmacies.
During clinical intake, we collect medical history, comorbidities, current medications, vital measurements, and treatment objectives. This data is used exclusively for physician clinical evaluation, prescription determination, contraindication screening, and ongoing titration management.
All PHI is classified, encrypted, and processed under 45 CFR §§ 164.300–318. Administrative, physical, and technical safeguards meet or exceed HIPAA Security Rule standards. Access controls, audit logging, and encryption in transit/at rest are continuously monitored. Data breaches are reported per 45 CFR § 164.400 within 60 days.
Your data serves as the clinical bridge between assessment, physician review, prescription issuance, and ongoing care coordination. PHI is transmitted only under HIPAA Business Associate Agreements (BAAs) with licensed providers and compounding pharmacies.
Prescription data is transmitted only to licensed 503A compounding pharmacies or FDA-registered partner pharmacies. Each pharmacy relationship is governed by a formal BAA ensuring HIPAA compliance, secure labeling, temperature-controlled packaging, and chain-of-custody tracking.
Data at rest uses AES-256-GCM encryption. Data in transit uses TLS 1.2+ with HMAC-SHA256 message authentication. Database backups are encrypted and stored in geographically isolated vaults. Encryption keys are managed under NIST SP 800-57 guidelines.
Role-based access controls (RBAC) limit PHI access to authorized clinical staff only. All access attempts are logged with user ID, timestamp, and action type. Audit logs are retained for 6 years and reviewed quarterly for anomalies.
We do not sell, rent, or lease personal data to any third party. Your information is never used for marketing purposes, targeted advertising, or any non-clinical commercial activity. Data sharing is limited to HIPAA-covered entities (licensed providers, pharmacies) and required legal processes only.
We may disclose PHI to law enforcement, courts, or regulatory authorities only when compelled by valid legal process (subpoena, court order, or warrant) and after reasonable notice to you unless prohibited by law.
You have the right to access, receive a copy of, and inspect your complete PHI within 30 days of request. Copies are provided in electronic or paper format. We may charge reasonable costs for copying and shipping.
You may request correction of any inaccurate PHI. We review your request within 10 business days and either correct the record or deny the request with a written explanation.
Upon termination of your account, clinical records are retained for 7–10 years per state regulations. De-identified data may be retained indefinitely for service improvement. You may request permanent deletion, which is processed via cryptographic erasure.
We use session cookies to maintain authentication and protect your account during login. These are essential for secure operation and do not track you across websites.
We use Google Analytics with IP anonymization enabled to measure site performance, user behavior patterns, and feature usage. We do not associate analytics data with PHI. You can opt out using Google's browser extension.
Active clinical records are retained for the duration of your relationship with Irisvitality. Upon account termination, records are retained for 7 years (standard medical record retention) to 10 years (per state medical board requirements), then securely destroyed via cryptographic erasure and certified data destruction.
For privacy inquiries, data subject requests, or breach reports, contact support@irisvitality.com. We respond within 24 hours to urgent requests and within 10 business days to standard privacy requests.
Questions About Your Privacy?
Last updated: May 18, 2026. This Privacy Policy is the governing agreement for how Irisvitality manages your personal and clinical information. By using our platform, you acknowledge that you have read and agree to be bound by it.
