Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Effective date: June 2026
Who this notice applies to
Gentle Health ("we," "us," "our") is a telehealth platform that connects patients with licensed clinicians for GLP-1 and peptide-based weight-management therapies. We do not dispense medications — all prescriptions are filled by a licensed US pharmacy. This notice describes how we may use and disclose your protected health information (PHI) to carry out treatment, payment, and health care operations, and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI.
How we use and disclose your PHI
For treatment
We share your medical intake, visit notes, and prescription information with the licensed clinician assigned to your care so they can evaluate, prescribe, and follow up with you. We share prescription details with our licensed US pharmacy for dispensing and shipping.
For payment
We use a payment processor (Stripe) to charge for your consultation and medication. We share only the minimum data needed to process payment — payment processors do not receive your medical record.
For health care operations
We use PHI internally for quality assurance, clinical training, compliance, and operating our care platform. Access is limited to the smallest set of personnel who need it for these purposes.
Text messages
If you opt in to appointment reminder texts, we use your phone number only to send them. Mobile numbers and text-message opt-in consent are never shared with third parties or affiliates for marketing. Reply STOP at any time to opt out.
Required and permitted by law
We may use or disclose PHI without your authorization when required by law: to the U.S. Department of Health and Human Services (HHS) for compliance investigations; to public health authorities; for required reporting of abuse, neglect, or domestic violence; in response to a court order, subpoena, or warrant; to coroners, medical examiners, or funeral directors; for organ donation; for workers' compensation as required; and to avert a serious threat to health or safety.
Other disclosures only with your authorization
Uses and disclosures of PHI not described above will be made only with your written authorization, including: marketing communications that involve us receiving payment; the sale of PHI; and disclosure of psychotherapy notes. You may revoke any authorization in writing at any time.
Business associates
We work with a small number of service providers who handle PHI on our behalf — including Google Cloud Platform (hosting and storage), Resend (transactional email), and our licensed US pharmacy. Each is bound by a written Business Associate Agreement that requires them to safeguard your PHI under the same standards we follow.
Your rights
You have the following rights regarding your PHI:
- Inspect and copy. You may request a copy of your medical record. We will provide it in the format you request when reasonably possible; we may charge a cost-based fee. We will respond within 30 days.
- Request an amendment. If you believe information in your record is incorrect or incomplete, you may request a correction. We may deny a request that is not in writing or that does not include a reason; if we deny, you may submit a statement of disagreement that will be included in your record.
- Request restrictions. You may ask us to restrict how we use or disclose your PHI for treatment, payment, or operations. We are not required to agree except for disclosures to a health plan for items you paid for in full out of pocket.
- Request confidential communications. You may ask us to contact you in a specific way (e.g., a particular email or phone number). We will accommodate reasonable requests.
- Request an accounting of disclosures. You may request a list of certain disclosures of your PHI we have made in the six years preceding your request, other than disclosures for treatment, payment, operations, or those you authorized.
- Receive a paper copy of this notice. Even if you have agreed to receive it electronically, you may request a paper copy at any time.
- Be notified of a breach. If your unsecured PHI is breached, we will notify you in accordance with the HIPAA Breach Notification Rule — generally within 60 days of discovery.
- File a complaint. See "Complaints" below.
To exercise any of these rights, contact us at support@gentle.health.
Our duties
We are required by law to maintain the privacy and security of your PHI, to provide you with this notice describing our legal duties and privacy practices, to abide by the terms of the notice that is currently in effect, and to notify you following a breach of your unsecured PHI. We may change the terms of this notice at any time; any new notice will be effective for all PHI we maintain, and we will post the current notice on this page with a new effective date.
Complaints
If you believe your privacy rights have been violated, you may file a complaint with us by emailing support@gentle.health. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights:
- Online: hhs.gov/ocr/privacy/hipaa/complaints/
- By phone: 1-877-696-6775
- By mail: U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201
We will not retaliate against you for filing a complaint.
Safeguards we use
We protect PHI with administrative, physical, and technical safeguards, including: TLS encryption of data in transit and AES-256 encryption at rest; role-based access controls limiting PHI access to assigned clinicians and authorized care-team members; audit logging of PHI changes and access-path logging at the application layer; signed Business Associate Agreements with vendors handling PHI; and documented breach-response procedures.
Site analytics & advertising
We use third-party analytics and advertising services (currently Google Analytics, Google Ads, and the Meta (Facebook) Pixel) to understand how visitors and patients use our site, to measure the performance of our advertising, and to show our ads to people who have visited our site (remarketing). These services run only on our public marketing pages and blog — never on the intake, account, or clinician pages where health information appears. They receive opaque page paths, anonymous session identifiers, an opaque internal user identifier for signed-in patients, and the dollar amount of completed purchases. They do not receive your name, email, date of birth, address, phone number, intake responses, diagnosis, medication name or dose, or any other identifying or clinical information. We maintain an internal policy governing what data may be sent to these providers and review it whenever we add a new event. You can control how ads are personalized for you in your Google Ad Settings and your Meta ad preferences.
Contact us
For questions about this notice, to exercise any of your rights, or to contact our Privacy Official, email support@gentle.health.
