
NOTICE OF PRIVACY PRACTICES

NexResearch LLC, DBA ThriveAxis

thriveaxis.org


THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.


Effective Date: April 18, 2026


INTRODUCTION AND SCOPE

This Notice of Privacy Practices ("Notice") is provided by NexResearch LLC, a Wyoming limited liability company doing business as ThriveAxis ("ThriveAxis," "we," "us," or "our"), and applies to protected health information ("PHI") that ThriveAxis creates, receives, maintains, or transmits in its capacity as a covered entity or business associate under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Omnibus Rule (collectively, "HIPAA").

Platform Nature. ThriveAxis is a technology platform that facilitates access to independent, licensed telehealth providers. ThriveAxis itself does not provide medical services, diagnoses, or treatments. The independent licensed providers who use ThriveAxis's platform to deliver care to members are separate covered entities or workforce members who may operate under their own Notices of Privacy Practices. When a provider uses ThriveAxis's platform, ThriveAxis may function as a business associate of that provider with respect to PHI the provider creates, and/or as a covered entity in its own right with respect to PHI ThriveAxis independently receives and maintains (such as intake health questionnaires, membership health records, and related data). This Notice governs ThriveAxis's own handling of PHI.

Applies To. This Notice applies to all PHI created, collected, or maintained through the ThriveAxis platform, including intake health questionnaires, bloodwork results, body scan photographs and AI-derived body composition data, medication records, subscription health history, and any other individually identifiable health information you provide in connection with ThriveAxis services.


SECTION 1 — HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION

1.1 Treatment

ThriveAxis may use and disclose your PHI to facilitate the provision of healthcare treatment and services by independent licensed providers. This includes coordinating care, transmitting health information necessary for prescribing, sharing your health history and intake information with the provider who will evaluate you, forwarding bloodwork results or body composition data to providers for clinical review, transmitting prescriptions to licensed compounding or retail pharmacies, and coordinating with laboratories and diagnostic services.

Example: When you complete a health intake form on ThriveAxis, that information is transmitted to the independent licensed provider who will conduct your telehealth consultation. The provider may use this information to evaluate your eligibility for GLP-1 therapy, testosterone replacement therapy (TRT), bioidentical hormone replacement therapy (BHRT), peptide therapy, or other services. The provider may share your prescription with a state-licensed compounding pharmacy to fulfill your medication order.

1.2 Payment

ThriveAxis may use and disclose your PHI to obtain payment for services rendered through the platform. This includes processing your subscription membership payments, billing for medications dispensed separately, transmitting billing information to payment processors (including Stripe), verifying insurance (if applicable), and assisting with HSA/FSA payment substantiation where required by IRS regulations.

Example: If you use an HSA or FSA account to pay for ThriveAxis services, we may need to provide your payment processor or FSA/HSA administrator with information confirming that the charges qualify as medical expenses under applicable tax law.

1.3 Health Care Operations

ThriveAxis may use and disclose your PHI for health care operations, which are activities necessary to run the platform and support quality care. Health care operations include:

  • Quality assessment and improvement activities, including reviewing the effectiveness of care coordination and provider interactions;
  • Training, oversight, and credentialing of independent providers operating on the platform;
  • Business planning, management, and administrative activities;
  • Conducting or arranging for medical review, legal services, and auditing functions;
  • Customer service activities and responding to member inquiries about care coordination;
  • Evaluating platform performance and member health outcomes in de-identified or aggregate form.

Example: ThriveAxis may review aggregated and de-identified health outcome data to evaluate whether members using GLP-1 therapy achieve measurable health improvements, to improve the platform's care coordination workflows.

1.4 Treatment Alternatives and Health-Related Benefits

ThriveAxis may use and disclose your PHI to inform you about treatment alternatives, health-related services, or programs that may be of interest to you, including new service tiers, changes to your care plan options, or pharmacy programs. These communications are permitted without your authorization when they relate to your current or potential treatment.

1.5 Business Associates

ThriveAxis may disclose your PHI to third-party service providers ("business associates") who perform functions on our behalf or provide services to us, provided those parties agree in writing (via a Business Associate Agreement, or BAA) to use and disclose PHI only as permitted by HIPAA. Business associates may include: cloud hosting providers, technology infrastructure vendors, data analytics services, secure messaging providers, and laboratory or pharmacy coordination platforms.


SECTION 2 — USES AND DISCLOSURES THAT DO NOT REQUIRE YOUR AUTHORIZATION

In addition to the Treatment, Payment, and Health Care Operations described above, HIPAA permits or requires us to use or disclose your PHI in the following circumstances without your written authorization:

2.1 As Required by Law

We will disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, warrant, summons, or similar legal process. We will make reasonable efforts to notify you before complying unless doing so is prohibited by law.

2.2 Public Health Activities

We may disclose your PHI to public health authorities or other government agencies authorized to receive such information for purposes such as:

  • Preventing or controlling disease, injury, or disability;
  • Reporting births, deaths, or specific disease conditions as required by law;
  • Reporting adverse reactions to medications or products to the Food and Drug Administration (FDA);
  • Reporting to an employer about work-related illness or injury where required under occupational health law.

2.3 Health Oversight Activities

We may disclose your PHI to health oversight agencies (such as the U.S. Department of Health and Human Services, state health departments, state medical boards, or the Drug Enforcement Administration) for oversight activities authorized by law, including audits, investigations, inspections, and licensure activities.

2.4 Judicial and Administrative Proceedings

We may disclose your PHI in the course of judicial or administrative proceedings, including in response to a court order, a subpoena, a discovery request, or other lawful process, subject to applicable legal protections.

2.5 Law Enforcement

We may disclose your PHI to law enforcement officials for purposes such as: identifying or locating a suspect, fugitive, material witness, or missing person; responding to a court order, warrant, or grand jury subpoena; alerting law enforcement to a crime committed on our premises; or reporting in limited circumstances to avert a serious threat to health or safety.

2.6 Serious Threats to Health or Safety

We may use or disclose your PHI when we believe in good faith that it is necessary to prevent or lessen a serious and imminent threat to the health or safety of you or another person, and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat.

2.7 Coroners, Medical Examiners, and Funeral Directors

We may disclose your PHI to a coroner, medical examiner, or funeral director as necessary to carry out their legally authorized duties.

2.8 Organ, Eye, and Tissue Donation

We may disclose your PHI to organ procurement organizations or other entities involved in organ, eye, or tissue procurement, banking, or transplantation.

2.9 Research

We may use or disclose your PHI for research purposes when an institutional review board or privacy board has approved the research and waived the authorization requirement, or when your PHI has been de-identified in accordance with HIPAA standards.

2.10 Workers' Compensation

We may disclose your PHI as authorized by and to the extent necessary to comply with workers' compensation laws or other similar programs.

2.11 Specialized Government Functions

We may disclose your PHI in limited circumstances for military and veterans' activities, national security and intelligence activities, protective services for the President, and correctional facility activities.

2.12 Incidental Uses and Disclosures

Incidental uses and disclosures that are a by-product of an otherwise permitted use or disclosure may occur. For example, other users of a shared portal may occasionally see limited information. ThriveAxis implements reasonable safeguards to limit these occurrences.


SECTION 3 — USES AND DISCLOSURES THAT REQUIRE YOUR WRITTEN AUTHORIZATION

For uses and disclosures not described in this Notice, ThriveAxis is required to obtain your written authorization before using or disclosing your PHI. The following uses and disclosures always require your written authorization:

3.1 Marketing

ThriveAxis will not use your PHI for marketing purposes — meaning communications that encourage you to purchase or use a product or service that are not directly related to your current treatment — without your written authorization. Certain limited communications about health-related products and services directly related to your care (such as notifications about changes to your medication provider) may not require authorization; however, ThriveAxis will err on the side of obtaining authorization when in doubt.

Note: ThriveAxis will never receive direct or indirect remuneration from a third party in exchange for making a marketing communication to you without your explicit authorization.

3.2 Sale of Protected Health Information

ThriveAxis will not sell your PHI (i.e., disclose your PHI in exchange for direct or indirect remuneration) without your written authorization. A sale does not include disclosures for treatment, payment, operations, public health, research with appropriate protections, transfers in a merger or acquisition where the successor entity agrees to be bound by this Notice, or disclosures required by law.

3.3 Psychotherapy Notes

If you disclose information that constitutes psychotherapy notes (as defined by HIPAA), ThriveAxis will not use or disclose those notes without your specific written authorization, except in very limited circumstances permitted by law.

3.4 Other Disclosures

Any use or disclosure of your PHI not described in this Notice will require your prior written authorization. You may revoke any written authorization you have given us at any time by submitting a written revocation to privacy@thriveaxis.org. Revocation is not retroactive — we may have already taken action in reliance on your authorization.


SECTION 4 — YOUR RIGHTS WITH RESPECT TO YOUR PROTECTED HEALTH INFORMATION

You have the following rights regarding your PHI. To exercise any of these rights, please contact our Privacy Officer at the information provided in Section 7. We may require that requests be submitted in writing.

4.1 Right to Access and Inspect Your PHI

You have the right to inspect and obtain a copy of your PHI that we maintain in a designated record set. This includes health intake information, bloodwork records, body scan data, medication records, and billing information. We will respond to your request within thirty (30) days (or sixty (60) days if a single extension is required with notice to you). We may charge a reasonable, cost-based fee for copies. We may deny your request in certain limited circumstances; if we do, we will provide you with a written explanation and information about how to request a review of our denial.

Electronic Access. If you request a copy of your PHI in an electronic format, and we maintain your PHI electronically, we will provide it in a readable electronic format.

4.2 Right to Amend Your PHI

You have the right to request that we amend PHI that you believe is inaccurate or incomplete. We will review your request and respond within sixty (60) days (with one possible thirty (30)-day extension). We may deny your amendment request if we determine that the information was not created by ThriveAxis, is not part of our designated record set, is accurate and complete, or is not otherwise available for inspection. If we deny your request, we will explain the reason in writing.

4.3 Right to Request Restrictions on Uses and Disclosures

You have the right to request that we restrict certain uses and disclosures of your PHI for treatment, payment, or health care operations, or disclosures to family members or others involved in your care. We are not required to agree to your request unless: (a) the restriction is for disclosure to a health plan for payment or operations purposes, and (b) the PHI relates solely to a healthcare item or service for which you (or someone on your behalf, other than the health plan) has paid in full. If we agree to a restriction, we will comply with it except in emergency situations.

4.4 Right to Request Confidential Communications

You have the right to request that we communicate with you about your PHI in a specific way or at a specific location. For example, you may request that we contact you only by email or only at a particular address. We will accommodate reasonable requests that specify an alternative means or location and do not require an explanation of the underlying reason.

4.5 Right to an Accounting of Disclosures

You have the right to request an accounting of certain disclosures of your PHI that we have made in the six (6) years prior to the date of your request. This accounting does not include disclosures made for treatment, payment, or health care operations; disclosures made to you; disclosures made pursuant to your authorization; incidental disclosures; and certain other disclosures. We will provide the first accounting in any twelve (12)-month period at no charge; for additional requests within the same period, we may charge a reasonable fee.

4.6 Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice at any time. You may request a paper copy by emailing support@thriveaxis.org or by writing to us at the address in Section 7.

4.7 Right to Receive Notice of a Breach

If a breach of your unsecured PHI occurs, you have the right to receive timely notification of that breach. ThriveAxis will notify you by first-class mail (or by email if you have indicated a preference for electronic communication) without unreasonable delay and no later than sixty (60) calendar days after we discover the breach. The notification will include: a description of the breach; the types of PHI involved; steps you should take to protect yourself; a description of steps we are taking to investigate and mitigate harm; and contact information for obtaining further information.

If the breach affects 500 or more individuals in a state or jurisdiction, we will also notify prominent media outlets in that state. All breaches affecting 500 or more individuals will be reported to the U.S. Department of Health and Human Services (HHS) without unreasonable delay and no later than 60 days after discovery. Breaches affecting fewer than 500 individuals will be reported to HHS on an annual basis, no later than 60 days after the end of the calendar year in which they occurred.


SECTION 5 — OUR LEGAL DUTIES AND OBLIGATIONS

ThriveAxis is required by law to:

  1. Maintain the Privacy and Security of Your PHI. We must maintain the privacy of your PHI and must abide by the terms of the notice currently in effect. We maintain and implement administrative, technical, and physical safeguards to protect your PHI from unauthorized access, use, or disclosure.

  2. Provide You with This Notice. We are required to provide this Notice to you when you first access ThriveAxis services and upon request thereafter.

  3. Abide by the Terms of This Notice. We must follow the procedures described in this Notice. If we make material changes to our privacy practices, we will revise this Notice and make the new Notice available on our website and upon request.

  4. Notify You of a Breach. We are required to notify you following a breach of unsecured PHI, as described in Section 4.7.

  5. Non-Retaliation. We will not retaliate against you for exercising any right described in this Notice, filing a complaint, or participating in any investigation.

  6. Minimum Necessary Standard. When using or disclosing PHI for purposes other than treatment (and where permitted exceptions do not apply), we will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose.


SECTION 6 — RIGHT TO CHANGE THIS NOTICE

ThriveAxis reserves the right to change this Notice at any time and to make the revised Notice effective for PHI we already have about you as well as any PHI we receive in the future. We will post the current effective Notice on our website at thriveaxis.org. If we make a material change to our privacy practices, we will provide you with notice of the change via email or other reasonable means. You may request a copy of any current or previous Notice by contacting our Privacy Officer.

We will not change our privacy practices to provide you less protection of your PHI without providing you advance notice and the opportunity to object or withdraw from ThriveAxis services, to the extent required by law.


SECTION 7 — CONTACT INFORMATION AND COMPLAINTS

7.1 Privacy Officer Contact

If you have questions about this Notice, wish to exercise any of your rights, or have concerns about our privacy practices, please contact our designated Privacy Officer:

ThriveAxis Privacy Officer
Email: privacy@thriveaxis.org
General Support: support@thriveaxis.org
Mailing Address:
NexResearch LLC, DBA ThriveAxis
c/o our Wyoming registered agent (mailing address provided on authenticated request via privacy@thriveaxis.org)
Attn: Privacy Officer

Telephone: available on authenticated request via privacy@thriveaxis.org. We will respond within one (1) business day with a routed contact number.

7.2 How to File a Complaint

If you believe ThriveAxis has violated your privacy rights, you have the right to file a complaint with us and/or with the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you in any way for filing a complaint.

To file a complaint with ThriveAxis: Contact our Privacy Officer as described in Section 7.1 above. Please describe your concern in writing. We will acknowledge your complaint within five (5) business days and investigate promptly.

To file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR):

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll-Free: 1-800-368-1019
TDD: 1-800-537-7697
Fax: 202-619-3818
Online: https://ocrportal.hhs.gov/ocr/portal/lobby.jsf
Email: OCRComplaint@hhs.gov

You may also contact your regional HHS/OCR office. A list of regional offices is available at https://www.hhs.gov/ocr/about-us/contact-us/index.html.


SECTION 8 — INDEPENDENT PROVIDERS

ThriveAxis's platform facilitates connections between members and independent licensed telehealth providers. These providers operate as independent contractors and are separate covered entities or members of covered entities under HIPAA. The independent providers who conduct your telehealth consultations, order lab work, or prescribe medications through ThriveAxis's platform may maintain their own Notices of Privacy Practices that describe their independent use and disclosure of your PHI. ThriveAxis encourages you to request and review those notices as well.

To the extent ThriveAxis acts as a business associate of an independent provider, our handling of PHI on that provider's behalf is governed by applicable Business Associate Agreements and by the HIPAA Privacy and Security Rules. ThriveAxis will not use or disclose PHI received in its business associate capacity in ways that are not permitted under those agreements or HIPAA.


SECTION 9 — STATE LAW NOTICE

In some states, state laws may provide additional privacy protections for certain categories of health information, such as mental health records, substance use disorder records, HIV/AIDS status, and reproductive health information. Where applicable state laws provide greater protections than HIPAA, ThriveAxis will comply with the more protective state law. Please contact our Privacy Officer if you have questions about how your state's laws may affect the privacy of your health information.


NexResearch LLC, DBA ThriveAxis

This Notice is effective as of April 18, 2026. Previous versions of this Notice are available upon request from our Privacy Officer.