Privacy Policy

Last updated: April 2026

Elyvate, Inc. ("Elyvate," "we," "us," or "our") is committed to protecting the privacy and security of your personal and health information. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our platform at elyvate.health and related services.

1. Information We Collect

Personal Information

  • Full legal name
  • Email address
  • Date of birth
  • Biological sex
  • State of residence
  • Account password (hashed — never stored in plaintext)

Protected Health Information (PHI)

  • Health history provided during intake screening
  • Current medications and hormone therapies
  • Treatment goals and selected protocol
  • Physician review notes and prescribing decisions
  • Order and shipment records

Payment Information

Payment card details are processed directly by Stripe. Elyvate does not store raw card numbers. We retain Stripe customer IDs and subscription records.

Technical Information

  • IP address and user-agent (retained for security audit logging)
  • Browser type and operating system
  • Session tokens (stored securely, not linked to PHI in logs)

2. How We Use Your Information

  • Physician review: Your health intake and personal information are transmitted to our clinical partner, OpenLoop Health, so that a licensed physician can evaluate your eligibility and issue a prescription if appropriate.
  • Pharmacy fulfillment: Prescription and patient information is transmitted to our 503A compounding pharmacy partner via CareValidate for order preparation and shipment.
  • Billing and subscription management: We use your email and Stripe customer ID to manage monthly subscriptions and process payments.
  • Account management: We use your email to send order updates, physician decisions, and service notifications.
  • Security and compliance: We log access events and authentication actions for HIPAA audit trail requirements.

3. PHI Encryption and HIPAA Compliance

Elyvate operates as a HIPAA-covered entity and treats all patient health information as Protected Health Information (PHI) under 45 CFR Parts 160 and 164.

  • All PHI fields (name, email, date of birth) are encrypted at rest using AES-256-GCM encryption before storage in our database.
  • Lookup operations use a one-way SHA-256 hash of the email address — the plaintext email is never stored or indexed directly.
  • All data transmission uses TLS 1.2 or higher.
  • Access to PHI is logged with timestamp, IP address, and user-agent for audit purposes.
  • We maintain Business Associate Agreements (BAAs) with all third-party services that access PHI.

For our full HIPAA Notice of Privacy Practices, see elyvate.health/hipaa.

4. Third-Party Services

OpenLoop Health

Clinical partner. Licensed physicians employed by OpenLoop independently review patient intakes and issue prescriptions. OpenLoop is a HIPAA-covered entity operating under a BAA with Elyvate.

CareValidate

Health verification and pharmacy coordination platform. Patient and prescription data is transmitted to CareValidate to facilitate order fulfillment. CareValidate operates under a BAA with Elyvate.

Stripe

Payment processing. Stripe handles all card data under PCI-DSS compliance. Elyvate receives only a customer identifier and subscription status — no raw card data.

Amazon Web Services (AWS)

Cloud infrastructure provider. Our database and application servers are hosted on AWS in US regions under a BAA with Elyvate for services that process PHI.

5. Data Retention

  • Patient records and PHI are retained for a minimum of 6 years from the date of creation, or longer if required by applicable state law, in compliance with HIPAA requirements.
  • Audit logs are retained for a minimum of 6 years.
  • Upon account deletion request, we will de-identify your record to the extent permitted by law. Certain records may be retained for legal compliance purposes.

6. Your Rights Under HIPAA

  • Right to access: You may request a copy of your PHI held by Elyvate.
  • Right to amend: You may request corrections to inaccurate or incomplete PHI.
  • Right to an accounting of disclosures: You may request a list of disclosures we have made of your PHI.
  • Right to request restrictions: You may request that we restrict certain uses or disclosures of your PHI.
  • Right to confidential communications: You may request that we communicate with you through specific channels or at specific addresses.
  • Right to file a complaint: You may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated.

7. Cookies and Tracking

We use session cookies for authentication purposes only. We do not use third-party advertising trackers, behavioral analytics, or tracking pixels. We do not sell patient data to any third party.

8. Contact

For privacy-related inquiries, to exercise your rights, or to submit a complaint:

Elyvate, Inc. — Privacy Officer

privacy@elyvate.health