Privacy Policy & HIPAA Notice
1. Notice at Collection (California)
At the point you provide information through HerEstrogen, we collect the following categories of personal information for the purposes listed. We do not sell your personal information for money. We may "share" personal information with advertising partners for cross-context behavioral advertising in limited circumstances; you can opt out using the link below.
| Category | Examples | Purpose | Retention |
|---|---|---|---|
| Identifiers | Name, email, phone, mailing address, IP address, cookie identifiers | Account management, intake, communications, fulfillment, fraud prevention | Duration of your relationship with us + [period to be set with counsel] |
| Customer records | Date of birth, billing address, shipping address | Candidacy verification, payment processing, shipping | Same as above |
| Consumer health data (sensitive) | Symptoms, hormone-stage self-report, treatment history, communications with clinicians | Clinical intake review by OpenLoop Health | Held by OpenLoop Health per HIPAA-required retention; marketing-side intake summary retained only as needed |
| Commercial information | Plan selected, purchase history, refund history | Order fulfillment, customer service, accounting | Tax and accounting retention as required by law |
| Internet / device activity | Browser type, device type, pages viewed, referring URL | Site operation, security, aggregate analytics on the public marketing pages only | [Period to be set with counsel] |
| Geolocation (general) | State, postal code | State-based licensing eligibility, shipping | Same as identifiers |
"Do Not Sell or Share My Personal Information." If you do not want us to share your personal information with advertising partners for cross-context behavioral advertising, email privacy@herestrogen.com with the subject line "Do Not Sell or Share." We honor Global Privacy Control (GPC) signals where supported.
2. Sensitive Personal Information & Consumer Health Data
Information you share during the intake about symptoms, hormone history, or treatment goals is consumer health data under laws including Washington's My Health, My Data Act (MHMDA), and "sensitive personal information" under CCPA/CPRA. We process this information only:
- To enable clinical review by OpenLoop Health (the BAA-covered medical partner);
- For order fulfillment, billing, customer service, and required record-keeping; and
- As you have authorized — including by checking the intake consent box.
You may withdraw your authorization at any time by emailing privacy@herestrogen.com; withdrawal does not affect processing already performed.
3. Protected Health Information (HIPAA Notice of Privacy Practices)
REQUIRES COUNSEL REVIEW. HerEstrogen's business-associate posture and the scope of any data treated as Protected Health Information must be confirmed in writing by counsel. The authoritative HIPAA Notice of Privacy Practices for clinical encounters is issued by our medical partner, OpenLoop Health, and is available on request from OpenLoop. The telehealth informed-consent document used by OpenLoop is available at openloophealth.com/telehealth-consent.
Protected Health Information (PHI) is information that identifies you and relates to your past, present, or future physical or mental health, the provision of health care to you, or payment for that health care. PHI may include:
- Health questionnaire responses and clinician communications;
- Provider notes, diagnoses, treatment decisions, and prescriptions;
- Lab and pharmacy records related to your care.
You have the right under HIPAA to:
- Inspect and obtain a copy of your PHI;
- Request correction of inaccurate PHI;
- Receive an accounting of certain disclosures;
- Request restrictions on how PHI is used or disclosed;
- Request confidential communications;
- Be notified of any breach of unsecured PHI; and
- File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) at hhs.gov/ocr, by mail (200 Independence Avenue, S.W., Washington, D.C. 20201), by phone (1-800-368-1019), or via email (OCRMail@hhs.gov). We will not retaliate against you for filing a complaint.
4. How We Share Your Information (Processor & Recipient List)
We share personal information with the third parties listed below for the purposes shown. Each is contractually limited to using your data only for the disclosed purpose.
| Recipient | Role | Data shared | BAA? |
|---|---|---|---|
| OpenLoop Health | Medical partner (clinical intake review & prescribing) | Intake responses, contact info, date of birth, treatment data | Yes — verify in writing. REQUIRES COUNSEL/VINCENT VERIFICATION |
| Licensed pharmacy partner(s) | Fulfillment of prescriptions | Shipping address, name, prescription details | BAA required. REQUIRES VINCENT VERIFICATION |
| Supabase | Database hosting for marketing-side intake records | Quiz response summary, email, first name, date of birth | HIPAA add-on required. REQUIRES VINCENT VERIFICATION |
| Klaviyo | Email lifecycle and SMS marketing | Email, first name, marketing engagement (no symptom data sent while BAA status unconfirmed) | REQUIRES VINCENT VERIFICATION |
| Vercel | Website hosting | Server-log identifiers, IP, request metadata | REQUIRES VINCENT VERIFICATION |
| Payment processor (currently routed via OpenLoop) | Payment processing | Cardholder data, billing address (collected on the processor's hosted page; we do not store card numbers) | Subject to processor's PCI controls |
Tracking technologies status. As of the Effective Date, Meta Pixel, Google Analytics, and Vercel Web Analytics have been removed from all health-context pages of this site (the quiz, results, confirmation, privacy, and terms pages). We do not knowingly disclose health-condition context to advertising partners. Any future reactivation of tracking will be subject to counsel review and updated disclosure here.
5. Your Privacy Rights (CCPA/CPRA, CO, CT, VA, UT, OR, TX, MT, WA MHMDA, GDPR)
Depending on where you live, you have rights to:
- Know / access the personal information we hold about you;
- Delete personal information we hold about you (subject to retention required by law);
- Correct inaccurate personal information;
- Portability — receive a copy in a machine-readable format;
- Limit use of sensitive personal information;
- Opt out of "sale" or "sharing" for cross-context behavioral advertising (see Section 1);
- Withdraw authorization for processing of consumer health data (MHMDA);
- Non-discrimination for exercising any of these rights; and
- Appeal a denial of any of the above.
To exercise any of these rights, email privacy@herestrogen.com with the right you are exercising and enough information for us to verify your identity (typically your email on file). We will respond within the time required by the law of your state (generally 45 days, extendable as permitted).
6. Cookies & Online Identifiers
We use a minimal set of first-party cookies for site operation and preference storage (for example, to remember your in-progress quiz draft). Third-party tracking cookies are not set on our health-context pages. A cookie consent banner with category controls is in development — until it is published, we recommend using Global Privacy Control (GPC) signals or browser tracking-protection tools if you wish to block analytics on our public marketing home page.
REQUIRES VINCENT ACTION: implement a consent management platform that honors GPC and provides category-level toggles before paid traffic launches.
7. SMS & Email Marketing
You may receive marketing emails from HerEstrogen (you can opt out via the unsubscribe link in every message) and, where you have separately opted in by checking the SMS consent box on the intake, recurring marketing and care-related text messages. Message frequency varies; message and data rates may apply. Reply STOP to opt out, HELP for help. Consent is not a condition of any purchase.
8. Children's Privacy
HerEstrogen is for adults aged 18 or older and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it. State laws covering minors aged 13–17 in health-data contexts apply where required.
9. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal and health information against unauthorized access, disclosure, alteration, and destruction, including:
- Transport encryption (TLS) and at-rest encryption;
- Role-based access controls and least-privilege principles;
- Vetted third-party processors with executed contracts;
- Documented incident-response and breach-notification procedures.
No method of transmission or storage is 100% secure. We will notify you consistent with applicable law in the event of a breach involving your unsecured personal or health information.
10. Adverse Event Reporting
If you experience a side effect or adverse event you believe is related to a medication, please contact your clinician immediately. You may also report adverse events directly to the FDA's MedWatch program at fda.gov/safety/medwatch.
11. International Transfers
HerEstrogen operates in the United States. If you access the site from outside the United States, your information will be processed in the United States, which may not have the same data-protection laws as your country of residence. By using the site you understand that your information will be transferred to, stored in, and processed in the United States. GDPR rights, where applicable, are honored as described in Section 5.
12. Changes to This Notice
We may update this Notice from time to time. Material changes will be posted here with an updated "Last Updated" date and, where required by law, communicated to you by email. Continued use of the site after a change indicates acceptance of the updated Notice.
13. Contact Us
Privacy questions and requests: privacy@herestrogen.com.
HHS OCR complaints (HIPAA): 1-800-368-1019 · hhs.gov/ocr.