Consumer Health Data Privacy Policy

Effective Date: April 27, 2026 · Last Reviewed: April 27, 2026
NexResearch LLC, DBA ThriveAxis · thriveaxis.org

This Consumer Health Data Privacy Policy is published in addition to our general Privacy Policy and our HIPAA Notice of Privacy Practices, as required by the Washington My Health My Data Act (RCW 19.373), Nevada SB 370 (NRS 603A.400 et seq.), Connecticut's CTDPA health-data provisions, Maryland's Online Data Privacy Act (MODPA), and other state consumer-health-data statutes that may apply.

If a conflict exists between this policy and our general Privacy Policy regarding consumer health data, the terms of this policy control.


1. What this policy covers

"Consumer Health Data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. Under the Washington My Health My Data Act and Nevada SB 370, this includes (but is not limited to):

  • Individual health conditions, treatment, diseases, or diagnoses;
  • Social, psychological, behavioral, and medical interventions;
  • Health-related surgeries or procedures;
  • Use or purchase of prescribed medication;
  • Bodily functions, vital signs, symptoms, or measurements (including weight, body composition, blood pressure, hormone levels, lab values);
  • Reproductive or sexual health data;
  • Gender-affirming care information;
  • Biometric data (including body-scan photographs and derived measurements);
  • Genetic data;
  • Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
  • Data identifying a consumer seeking healthcare services; and
  • Information that is derived or extrapolated from non-health information (such as algorithmic inferences) and that is used to identify a consumer's health status.

This policy applies to Consumer Health Data of residents of Washington, Nevada, Connecticut, Maryland, and any other state whose health-data law requires a separate consumer-facing disclosure. Where the law of your state of residence does not require this separate policy, our general Privacy Policy governs.


2. Categories of Consumer Health Data we collect

We collect the following categories of Consumer Health Data directly from you, from your independent licensed provider, or generated by our platform:

  • Intake and questionnaire data — current health conditions, symptoms, medication and allergy history, family history, lifestyle factors, and goals.
  • Clinical and diagnostic data — bloodwork results, lab orders, hormone panels, metabolic markers, vital signs, and provider notes.
  • Biometric data — body-scan photographs, body-composition measurements, weight, height, and any derived metrics produced by AI analysis.
  • Treatment data — medications prescribed (including GLP-1, testosterone, peptide, and BHRT therapies), dosing, refill history, pharmacy of record, and adherence data.
  • Behavioral and progress data — coaching check-ins, progress photographs, accountability data, fitness and nutrition tracking inputs.
  • Inferences — profiles or scores generated about your health status from any of the above.

3. Sources of Consumer Health Data

  • Directly from you — account creation, intake forms, uploaded photographs, messages, and portal entries.
  • From your independent licensed provider — provider notes, prescriptions, and care plans entered through the platform.
  • From laboratory partners — bloodwork results returned through our integrated lab partners (with your authorization).
  • From pharmacy partners — dispensing and refill records.
  • Generated by our platform — AI-derived body-composition metrics, lab summaries, adherence calculations, and risk indicators.

4. How we use Consumer Health Data

We use Consumer Health Data only for the following purposes:

  1. Providing the Services you have requested — routing your information to the licensed provider matched to your state, generating treatment recommendations, dispatching prescriptions, scheduling refills, supporting your care team, and operating your patient portal.
  2. Quality, safety, and clinical oversight — provider supervision, peer review, lab-result quality control, adverse-event monitoring, and clinical-protocol improvement.
  3. Legal and regulatory compliance — complying with HIPAA, state medical-record retention laws, prescription-drug monitoring program reporting, mandatory adverse-event reporting, and other legal obligations.
  4. Security, fraud prevention, and platform integrity — detecting and preventing unauthorized access, identity fraud, prescription-drug diversion, and abuse of the Services.
  5. Aggregated and de-identified analysis — generating de-identified or aggregated datasets that no longer identify any individual consumer, used for service improvement and clinical analytics.

What we do NOT do with your Consumer Health Data:

  • We do not sell Consumer Health Data. We have not sold Consumer Health Data in the preceding 12 months and we have no plans to do so.
  • We do not use Consumer Health Data for cross-context behavioral advertising or for targeted advertising on third-party platforms.
  • We do not share Consumer Health Data with data brokers.
  • We do not use geofencing technology around healthcare facilities to identify, track, collect data from, or send health-related communications to consumers.
  • We do not use Consumer Health Data to train third-party generative-AI models.

5. Categories of third parties who may receive Consumer Health Data

We share Consumer Health Data only with the following categories of third parties, only for the purposes described below, and only to the extent necessary for those purposes:

Category | Purpose | Examples
Independent licensed providers | Treatment, consultation, prescribing | Physicians, nurse practitioners, and physician assistants licensed in your state who provide care through the platform
Licensed pharmacies | Dispensing and refilling prescriptions | State-licensed compounding and retail pharmacies
Clinical laboratories | Performing ordered bloodwork and returning results | CLIA-certified laboratory partners
HIPAA-compliant infrastructure vendors (Business Associates) | Hosting, storage, transmission, security, and platform operations under signed Business Associate Agreements | Cloud hosting, encrypted messaging, telehealth video, EHR/PM systems
Payment processors | Processing membership and medication payments | Stripe (does not receive PHI; receives only billing identifiers and amounts)
Identity-verification providers | Confirming you are the consumer requesting access, deletion, or other rights | Identity-verification vendor used solely for rights-request authentication
Legal, regulatory, and law-enforcement recipients | Compliance with subpoenas, court orders, mandated reporting, or as otherwise required by law | Federal/state regulators, courts, law enforcement (with valid legal process)
Affiliates of NexResearch LLC | Operating the Services as a single corporate group, where applicable | Wholly-owned affiliates bound by the same privacy obligations as ThriveAxis

Upon authenticated request, Washington and Nevada residents are entitled to receive a list of the specific third parties and affiliates with whom their Consumer Health Data has been shared, including contact information for those recipients. See Section 7 below.


6. Affirmative consent and authorization

Under the Washington My Health My Data Act, Nevada SB 370, Connecticut's CTDPA health-data provisions, and Maryland's MODPA, we obtain your affirmative consent before:

  • Collecting Consumer Health Data that is not strictly necessary to provide the specific Services you have requested;
  • Sharing Consumer Health Data with any third party except those acting as our HIPAA Business Associate or service provider necessary to deliver the Services; and
  • Using Consumer Health Data for any purpose materially different from the purpose for which it was originally collected.

Where applicable law requires separate, distinct authorization for the sale of Consumer Health Data, we will not sell Consumer Health Data unless we obtain that separate authorization. As stated above, we do not sell Consumer Health Data.

You may withdraw consent at any time by emailing privacy@thriveaxis.org or by using the controls in your patient portal. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.


7. Your rights regarding Consumer Health Data

7.1 Rights summary

If you are a Washington, Nevada, Connecticut, or Maryland resident, you have the following rights with respect to your Consumer Health Data:

  • Right to confirm whether we are processing your Consumer Health Data and to access that data.
  • Right to a list of recipients — a list of all third parties and affiliates with whom we have shared your Consumer Health Data, including the recipients' active contact information.
  • Right to withdraw consent — to revoke any prior consent for the collection or sharing of your Consumer Health Data.
  • Right to deletion — to request deletion of your Consumer Health Data, subject to the limited retention exceptions described in Section 8 below.
  • Right to non-discrimination — we will not deny services, charge different prices, or provide a different level of service because you exercised any of these rights, except where the requested deletion makes it impossible for us to provide the Services.
  • Right to appeal — if we deny a rights request, you have the right to appeal that decision.

7.2 How to exercise your rights

To submit a Consumer Health Data rights request:

  • Email: privacy@thriveaxis.org with the subject line "Consumer Health Data Rights Request — [Your State]"
  • From your patient portal: Settings → Privacy → Submit a Rights Request
  • Mail: NexResearch LLC, DBA ThriveAxis, Attn: Privacy Officer, c/o our Wyoming registered agent (mailing address provided on authenticated request via privacy@thriveaxis.org)

We will verify your identity before processing your request. We will respond to authenticated deletion requests within 30 days as required by the Washington My Health My Data Act, and within the timeframes required by other applicable state law for other rights. If we cannot complete your request within that period, we will explain why and provide you the right to appeal.

7.3 Authorized agents

You may designate an authorized agent to submit a request on your behalf. We will require written authorization from you and verification of the agent's identity before acting on the request.

7.4 Appeals

If we deny your rights request, you may appeal by replying to our denial email or writing to privacy@thriveaxis.org within 60 days. We will respond to your appeal within 60 days. If your appeal is denied, you may submit a complaint to your state attorney general:

  • Washington: atg.wa.gov/file-complaint
  • Nevada: ag.nv.gov/Complaints/File_Complaint
  • Connecticut: portal.ct.gov/AG
  • Maryland: marylandattorneygeneral.gov/Pages/CPD

8. Retention and deletion

We retain Consumer Health Data only for as long as necessary to provide the Services, comply with applicable law, resolve disputes, and enforce our agreements. The applicable retention rules are described in Section 4 of our general Privacy Policy. In summary:

  • Active health records and PHI: retained for the minimum period required by HIPAA and applicable state medical-record retention laws (typically 6–10 years from date of service).
  • Body-scan photographs and biometric measurements: retained for the duration of your active membership plus three (3) years following account closure, or until you request deletion (whichever is shorter), in accordance with the Illinois BIPA, Texas CUBI, and Washington MHMDA retention limits.
  • Account and billing data: retained for seven (7) years following account closure for tax, accounting, and legal-claims purposes.
  • De-identified or aggregated data: may be retained indefinitely.

When you request deletion of Consumer Health Data, we will delete or de-identify your data within 30 days, except where retention is required by law (for example, where state medical-record retention rules require us to keep treatment records for a minimum period). Where we cannot delete data because of a legal-retention obligation, we will limit our use of that data to the purpose that requires retention.


9. Security

We maintain administrative, technical, and physical safeguards designed to protect Consumer Health Data against unauthorized access, alteration, disclosure, or destruction. Safeguards include encryption of data in transit and at rest, role-based access controls, multi-factor authentication for personnel accessing health data, vendor risk management with signed Business Associate Agreements where required by HIPAA, and regular security assessments. See Section 5 of our Privacy Policy for additional detail.


10. Children

The Services are available only to U.S. residents 18 years of age or older. We do not knowingly collect Consumer Health Data from any individual under 18, and we do not market the Services to minors.


11. Changes to this policy

We may update this Consumer Health Data Privacy Policy from time to time. If we make material changes affecting your rights or how we process Consumer Health Data, we will provide you with notice by (a) posting the updated policy on our website with a new "Effective Date" and "Last Reviewed" date, and (b) emailing you at the address associated with your account at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes your acceptance of the revised policy, to the extent permitted by applicable law.


12. Contact the Privacy Officer

Privacy Officer — NexResearch LLC, DBA ThriveAxis
Email: privacy@thriveaxis.org
Subject line: "Consumer Health Data Rights Request — [Your State]"
Mail: NexResearch LLC, DBA ThriveAxis, Attn: Privacy Officer, c/o our Wyoming registered agent (full mailing address provided on authenticated request via privacy@thriveaxis.org or your patient portal)

For HIPAA-specific concerns, see our HIPAA Notice of Privacy Practices. For all other privacy questions, see our general Privacy Policy.


This Consumer Health Data Privacy Policy is published in compliance with the Washington My Health My Data Act (RCW 19.373.020), Nevada SB 370 (NRS 603A.400 et seq.), Connecticut Public Act No. 22-15 (CTDPA), and the Maryland Online Data Privacy Act (MODPA). Where applicable state law imposes more protective requirements, those requirements control.