Effective Date: April 18, 2026 Last Reviewed: April 18, 2026
NexResearch LLC, a Wyoming limited liability company doing business as ThriveAxis ("ThriveAxis," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect information when you visit our website at thriveaxis.org, create a ThriveAxis member account, or use our telehealth optimization platform and related services (collectively, the "Services").
This policy covers two distinct categories of information:
Protected Health Information (PHI) — individually identifiable health information regulated by the Health Insurance Portability and Accountability Act (HIPAA). PHI is primarily governed by our separately published HIPAA Notice of Privacy Practices, which is incorporated by reference herein and available at thriveaxis.org/hipaa-notice. Where this Policy addresses PHI, it supplements (but does not replace) the HIPAA Notice.
Non-PHI Personal Data — all other personal information collected in connection with the Services, including account data, payment data, device and usage data, marketing data, and health data that falls outside HIPAA's scope (e.g., health data of non-patients, or data collected in a non-treatment context).
ThriveAxis is a technology platform that facilitates access to independent licensed telehealth providers. ThriveAxis itself does not provide medical services. Independent providers who use ThriveAxis's platform to deliver care to members operate as separate entities and may have independent privacy practices.
Our Services are available only to residents of the United States who are 18 years of age or older. We do not knowingly collect personal information from children under 18.
Account and Identity Information When you create a ThriveAxis account, we collect: your full name, date of birth, email address, phone number, home address, and account credentials (username and password or single sign-on token).
Health and Medical Information (PHI and Non-PHI) In connection with onboarding and ongoing care coordination, we collect: - Health intake questionnaire responses (current health conditions, symptoms, medications, allergies, medical history, goals); - Bloodwork results, lab reports, and laboratory orders; - Body scan photographs and measurements submitted for AI body composition analysis; - Hormone levels, metabolic markers, and other clinical measurements; - Prescription history, medication names, dosages, and pharmacy information; - Physician notes and care plan information from independent providers; - Information about the specific ThriveAxis programs you use (e.g., GLP-1 therapy, TRT, BHRT, peptide therapy, nutrition plans, fitness coaching).
To the extent this information is PHI under HIPAA, its use and disclosure is governed by our HIPAA Notice of Privacy Practices.
Payment and Billing Information We collect subscription tier selection ($149, $249, or $399/month), billing cycle, payment method details (processed by Stripe — ThriveAxis does not store raw card numbers), HSA/FSA account information when applicable, and transaction history.
Communications We collect the content of messages you send to ThriveAxis support (support@thriveaxis.org), feedback you submit, and records of your interactions with our customer service team.
User-Generated Content If you submit testimonials, progress photographs, reviews, or other content through the platform or any connected social media integrations, we collect that content.
Device and Usage Data When you access the Services, we automatically collect: IP address, browser type and version, operating system, device type and identifier, referring URL, pages viewed, time and date of access, session duration, clickstream data, and error logs.
Cookies and Similar Tracking Technologies We use cookies, web beacons, pixel tags, local storage objects, and similar technologies. See Section 6 for a detailed description of our cookie practices.
Analytics Data ThriveAxis does not currently use third-party analytics platforms. We collect server-level access logs for security monitoring purposes only. If this changes, this Privacy Policy will be updated to name the analytics providers and describe how your data is used before any such service is deployed.
ThriveAxis offers AI-powered features including: - AI Body Composition Analysis: You may upload body scan photographs. Our AI system analyzes these photographs to generate estimated body composition metrics (e.g., body fat percentage, muscle mass distribution). The photographs and derived metrics are stored as part of your health record. - AI Bloodwork Interpretation: You may upload bloodwork results. Our AI system analyzes these results to generate informational summaries. These summaries are reviewed and may be supplemented by independent providers. - AI Meal Plans: Based on your health profile and goals, our AI system generates personalized nutrition guidance.
Important: AI-generated outputs are informational tools only and are not medical diagnoses, medical advice, or substitutes for provider review. Providers may override, supplement, or disregard AI outputs.
AI Training Data: ThriveAxis does not use your identifiable personal health information or PHI to train or improve AI models without your explicit, separate written consent. De-identified or aggregated data may be used to evaluate and improve AI feature accuracy.
We use information we collect for the following purposes:
You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting support@thriveaxis.org. Opting out of marketing communications does not affect transactional and care-related communications.
ThriveAxis does not sell your personal information to third parties. ThriveAxis does not sell your PHI. The following describes the categories of entities with whom we share your information and the purposes of such sharing:
Your health information, intake data, bloodwork results, and body scan analysis are shared with the independent licensed providers on ThriveAxis's platform who are evaluating you or providing care to you. Providers receive only the information necessary to evaluate your eligibility for treatment, conduct consultations, and manage your care plan. These providers are separate covered entities under HIPAA and are bound by their own HIPAA obligations and, where applicable, Business Associate Agreements with ThriveAxis.
ThriveAxis shares your prescription and contact information with U.S.-based, state-licensed compounding and retail pharmacies to fulfill medication orders. We share your identity and testing orders with clinical laboratory providers to facilitate bloodwork and diagnostic testing. These entities are bound by applicable HIPAA Business Associate Agreements and their own privacy obligations.
ThriveAxis uses Stripe (Stripe, Inc. and Stripe Payments Company) to process all payment card transactions. Stripe is certified as PCI DSS Level 1 compliant. ThriveAxis does not store raw payment card numbers on its systems. Stripe processes payment data in accordance with its own Privacy Policy, available at https://stripe.com/privacy. When you use an HSA or FSA, your payment processor or benefits administrator may receive limited health-related payment information for substantiation purposes.
We share information with third-party service providers who perform services on our behalf, including:
| Category | Examples of Use |
|---|---|
| Cloud hosting and infrastructure | Hosting the ThriveAxis platform and databases |
| Website hosting | Netlify (front-end hosting) |
| Email and messaging | [Insert email service provider name when deployed] for transactional and care coordination emails. ThriveAxis signs a Data Processing Agreement and, where applicable, a HIPAA Business Associate Agreement with all email service providers. |
| Analytics | Not currently deployed. This row will be updated if an analytics platform is added. |
| Customer support | Support ticketing and CRM systems |
| Identity verification | Verifying user identity in connection with prescription workflows |
| AI feature providers | Powering body composition analysis, bloodwork interpretation, and meal plan AI features |
| Security and fraud prevention | Detecting and preventing unauthorized access and fraudulent transactions |
All service providers who access PHI are required to execute Business Associate Agreements. All service providers are contractually required to use your information only to perform services for ThriveAxis and not for their own purposes.
If ThriveAxis is involved in a merger, acquisition, asset sale, financing, or other corporate transaction, your information may be transferred to a successor entity. We will provide notice before your information becomes subject to a materially different privacy policy. Any successor entity that acquires PHI will be required to comply with HIPAA as a condition of the transfer.
We may disclose your information to third parties when required by law, in response to legal process, or when we believe disclosure is necessary to protect the rights, property, or safety of ThriveAxis, our members, or others. See our HIPAA Notice of Privacy Practices for rules governing disclosure of PHI to law enforcement and government agencies.
We may share your information in other ways when you give us explicit consent, such as sharing your testimonial or success story publicly with your express permission, or sharing your data with a third-party integration you have authorized.
We retain your personal information for as long as necessary to provide the Services, comply with applicable law, resolve disputes, and enforce our agreements. The following general principles apply:
Following the applicable retention period, we will securely delete or de-identify your information.
ThriveAxis implements and maintains reasonable and appropriate administrative, technical, and physical safeguards designed to protect your personal information and PHI against unauthorized access, use, alteration, or destruction, including:
Payment card data is processed exclusively by Stripe (PCI DSS Level 1 certified) and is not stored on ThriveAxis systems.
No method of data transmission or storage over the internet is 100% secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. If you have reason to believe your account has been compromised, please contact support@thriveaxis.org immediately.
| Cookie Type | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Essential for the platform to function (authentication, session management, security) | Session tokens, CSRF protection cookies |
| Performance/Analytics | Collect anonymous usage data to improve the platform | Analytics platform cookies |
| Functional | Remember preferences and personalize experience | Language preferences, saved settings |
| Marketing/Advertising | Deliver relevant advertisements and track marketing effectiveness | Ad network pixels, retargeting cookies |
ThriveAxis does not currently deploy third-party analytics or behavioral tracking technologies on its website. If this changes, this section will be updated to describe the technologies used and your opt-out options.
Browser controls: Most browsers allow you to refuse or delete cookies through your browser settings. Note that disabling cookies may affect platform functionality.
Opt-out tools: - Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout - Network Advertising Initiative: https://optout.networkadvertising.org - Digital Advertising Alliance: https://optout.aboutads.info
Our cookie consent manager: When you first visit thriveaxis.org, you will be presented with a cookie consent banner ([COOKIE BANNER TECHNOLOGY — e.g., OneTrust, Cookiebot]) that allows you to accept or decline non-essential cookies.
Global Privacy Control (GPC): ThriveAxis honors the Global Privacy Control browser signal as an opt-out of sale and sharing of personal data for residents of states whose laws require it (including California, Colorado, Connecticut, and others).
ThriveAxis's Services are intended solely for individuals who are 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 13, as defined by the Children's Online Privacy Protection Act (COPPA), or from individuals under 18 years of age.
If you are under 18, do not use ThriveAxis's Services and do not provide any personal information through the platform. If we learn that we have inadvertently collected personal information from a person under 18, we will promptly delete that information. If you believe we may have information about a minor, please contact us at privacy@thriveaxis.org.
ThriveAxis serves residents across the United States (excluding North Dakota, which is "Coming Soon"). The following sections describe the privacy rights available to residents of states with applicable privacy laws, and how to exercise them. To submit a privacy rights request, please email privacy@thriveaxis.org. Once a privacy request portal is deployed, this section will be updated with the URL.
We will verify your identity before processing any privacy rights request and will respond within the timeframes required by applicable law (generally 30–45 days, with possible extensions). We will not discriminate against you for exercising your privacy rights.
California residents have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
Categories of Personal Information Collected In the preceding 12 months, ThriveAxis has collected the following categories of personal information about California residents, as defined under CCPA: - Identifiers (name, email, address, IP address, account ID) - Personal information under California Civil Code § 1798.80 (e.g., financial account information) - Protected classification characteristics (health information, age) - Commercial information (subscription records, transaction history) - Internet/other electronic network activity (usage data, cookies) - Biometric information (body scan photographs and AI-derived composition metrics, which may qualify as biometric information under California law) - Sensory data (photographs) - Health and medical information - Inferences drawn from personal information (AI-derived body composition estimates, health risk indicators)
Your California Rights - Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we share your information. - Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing transactions, security, compliance with law, PHI subject to HIPAA retention requirements). - Right to Correct: Request correction of inaccurate personal information. - Right to Opt Out of Sale or Sharing: We do not sell your personal information for monetary consideration. We do not share your personal information for cross-context behavioral advertising (as defined by CPRA) except as described in Section 6 (cookies and analytics). You may opt out of sharing for targeted advertising purposes by using our cookie consent tool or by broadcasting the Global Privacy Control (GPC) signal. - Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information (including health data, financial data, and biometric data) to the purposes specified under the CPRA. - Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.
Authorized Agent: California residents may designate an authorized agent to submit requests on their behalf. We will require verification of the agent's authority and your identity.
Data Retention: See Section 4 for our general data retention practices.
Financial Incentives: ThriveAxis does not offer financial incentives in exchange for the collection, retention, or sale of personal information.
Virginia residents have rights under the Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, including rights to: access, correct, delete, portability, and opt out of sale, targeted advertising, and profiling for significant decisions. To exercise these rights, contact privacy@thriveaxis.org. Appeals of denied requests may be submitted within 60 days of our response.
Colorado residents have rights under the Colorado Privacy Act (CPA), effective July 1, 2023, including rights to access, correction, deletion, data portability, and opt out of targeted advertising, sale, and profiling. We honor Global Privacy Control signals as opt-out of sale and targeted advertising for Colorado residents. Appeals may be submitted within 45 days of our response.
Connecticut residents have rights under the Connecticut Data Privacy Act (CTDPA) including rights to access, correct, delete, data portability, and opt out of targeted advertising, sale, and profiling. We honor Global Privacy Control signals. Appeals may be submitted within 60 days of our response.
Utah residents have rights under the Utah Consumer Privacy Act (UCPA), including rights to access, delete, and portability. Utah residents may also opt out of the sale of personal data and targeted advertising.
Texas residents have rights under the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, including rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling for significant decisions.
Oregon residents have rights under the Oregon Consumer Privacy Act (OCPA), effective July 1, 2024, including rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling. Oregon residents also have the right to a list of specific third parties to whom their data was disclosed.
Montana residents have rights under the Montana Consumer Data Privacy Act, effective October 1, 2024, including rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling.
Iowa residents have rights under the Iowa Consumer Data Protection Act, effective January 1, 2025, including rights to access, deletion, and portability, and to opt out of the sale of personal data.
Tennessee residents have rights under the Tennessee Information Protection Act (TIPA), effective July 1, 2025, including rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling.
Delaware residents have rights under the Delaware Personal Data Privacy Act (DPDPA), effective January 1, 2025, including rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling. Delaware law applies a notably low threshold of 35,000 consumers.
New Hampshire residents have rights under the New Hampshire Privacy Act, effective January 1, 2025, including rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling.
New Jersey residents have rights under the New Jersey Data Privacy Act (NJDPA), effective January 15, 2025, including rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling.
Minnesota residents have rights under the Minnesota Consumer Data Privacy Act, effective July 31, 2025, including rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling. Minnesota law includes a right to a list of specific third parties to whom data was disclosed.
Maryland residents have rights under the Maryland Online Data Privacy Act (MODPA), effective October 1, 2025 (processing activities after April 1, 2026). MODPA includes strict data minimization requirements for sensitive data (including health data). MODPA prohibits the sale of sensitive data. Maryland residents have rights to access, correction, deletion, portability, and opt out of targeted advertising, sale, and profiling. ThriveAxis does not sell sensitive data, including consumer health data, in any form.
Indiana (SB 5), Kentucky (HB 15), and Rhode Island (HB 7787/SB 2500) comprehensive privacy laws became effective January 1, 2026. Residents of these states have rights to access, correction, deletion, portability, and opt out of sale, targeted advertising, and profiling.
Nebraska residents have rights under the Nebraska Data Privacy Act, effective January 1, 2025, including rights to access, deletion, portability, and opt out of sale and targeted advertising.
To exercise any of the rights described in this Section 8, please: - Email: privacy@thriveaxis.org (subject line: "State Privacy Rights Request — [Your State]") - Patient portal: if you are a logged-in member, submit your request from Settings → Privacy → Submit a Rights Request; - Mail: NexResearch LLC, DBA ThriveAxis, Attn: Privacy Officer (mailing address provided on authenticated request).
We will verify your identity before processing your request. We will respond within the timeframe required by your state's law (typically 30–45 days, with up to one 45-day extension). We will not charge a fee for the first request in any 12-month period; we reserve the right to charge a reasonable fee for repetitive or manifestly unfounded requests.
In addition to HIPAA and general state privacy laws, ThriveAxis operates in compliance with the following health-specific privacy statutes:
The Washington My Health My Data Act (effective March 31, 2024) applies to consumer health data of Washington State residents and extends beyond what HIPAA covers. Under MHMDA:
Nevada's Senate Bill 370 (effective March 31, 2024) regulates consumer health data of Nevada residents similarly to Washington's MHMDA. Under SB 370:
Note: SB 370 includes an entity-level HIPAA exemption. To the extent ThriveAxis processes Nevada residents' data as a HIPAA-covered entity or business associate, the HIPAA exemption applies. For non-PHI consumer health data, SB 370 governs.
Connecticut's data privacy framework (CTDPA, as amended) includes heightened protections for health data. ThriveAxis obtains explicit consent before collecting sensitive health data from Connecticut residents and complies with applicable restrictions on health data sharing.
As described in Section 8.15, MODPA imposes strict "strictly necessary" data minimization standards for consumer health data and prohibits the sale of sensitive data including health information. ThriveAxis collects health data only to the extent strictly necessary to provide the services you have requested.
ThriveAxis's Services are directed to U.S. residents. However, if you are located in the European Economic Area (EEA), the United Kingdom (UK), or another jurisdiction with applicable data protection laws (including the General Data Protection Regulation (GDPR) or UK GDPR), the following additional information applies:
Legal Basis for Processing Our primary legal bases for processing personal data of EEA/UK residents are: - Performance of a contract (Article 6(1)(b) GDPR): To provide the Services you have requested; - Legal obligation (Article 6(1)(c) GDPR): To comply with applicable legal requirements; - Legitimate interests (Article 6(1)(f) GDPR): For fraud prevention, security, analytics, and platform improvement, where these interests are not overridden by your privacy rights; - Consent (Article 6(1)(a) GDPR): For marketing communications, non-essential cookies, and any processing of special category data (health data) under Article 9.
For health data (special category data under Article 9 GDPR), we rely on: your explicit consent (Article 9(2)(a)); necessity for healthcare provision (Article 9(2)(h)) where applicable; or other applicable exceptions.
International Data Transfers ThriveAxis is based in the United States. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, your personal data will be transferred to and processed in the United States. We rely on applicable transfer mechanisms, which may include Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
Your GDPR/UK GDPR Rights EEA and UK residents have the right to: access (Article 15); rectification (Article 16); erasure ("right to be forgotten") (Article 17); restriction of processing (Article 18); data portability (Article 20); object to processing (Article 21); and not to be subject to solely automated decision-making (Article 22). To exercise these rights, contact privacy@thriveaxis.org.
Supervisory Authority Complaints EEA residents may lodge complaints with their local data protection supervisory authority. UK residents may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.
EU/UK Representative ThriveAxis does not currently meet the GDPR Article 27 / UK GDPR thresholds requiring appointment of an EU or UK representative. EEA and UK residents may exercise their rights, including supervisory-authority complaints, by contacting privacy@thriveaxis.org. We will reassess this position if our processing activities meet the Article 27 thresholds, and will update this Policy accordingly.
Our website and platform may contain links to third-party websites, social media platforms, or applications. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.
We may update this Privacy Policy from time to time. If we make material changes, we will provide you with notice by: (a) prominently posting the updated Policy on our website with a new "Last Reviewed" date; and (b) sending you an email notification at the email address associated with your account. For material changes affecting your rights, we will provide at least 30 days' advance notice before the changes take effect.
Your continued use of the Services after the effective date of a revised Policy constitutes your acceptance of the revised terms, to the extent permitted by applicable law. If you do not agree to the revised Policy, you must discontinue use of the Services.
For questions about this Privacy Policy, to exercise your privacy rights, or to report a privacy concern:
Privacy Officer Email: privacy@thriveaxis.org
General Support Email: support@thriveaxis.org
Mailing Address: NexResearch LLC, DBA ThriveAxis c/o our Wyoming registered agent (mailing address provided on authenticated request via privacy@thriveaxis.org) Attn: Privacy Department
NexResearch LLC, DBA ThriveAxis Effective Date: April 18, 2026