Privacy Policy

Version 1.1 updated 09/09/2025

AltusDX (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website, platform, testing services, and related services (collectively, the “Services”).

 

It is important to note that we do not sell your information for third-party marketing purposes, and we maintain a strict security program to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction.

 

This Privacy Policy applies to all Users of the Services, including individuals who register for Services, access results, or otherwise interact with us. By using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

 

This Privacy Policy is incorporated by reference into our Terms of Service and should be read together with those Terms.

1. Information We Collect

AltusDX collects several categories of information to operate the Services. The type of information we collect depends on how you interact with the Services, the Services provided, and the role of the Wellness Provider through whom the Services are offered.

 

1.1 Personally Identifiable Information (PII). We collect PII that identifies you as an individual, including:

 

Identity and contact details – full name, date of birth, mailing address, shipping address, email address, and phone number.

Account credentials – username, password, and authentication details used to access your account or results.

Communications – information you provide when contacting AltusDX, such as questions, support requests, or other correspondence. PII is required to register Kits, deliver results, and communicate with you about the Services. Communications may include emails, phone calls, or text messages (SMS) that you initiate for customer support, including questions related to test kit orders, shipping, activation, or troubleshooting.

 

1.2 Protected Health Information (PHI). When Services involve health-related testing, we process PHI in compliance with HIPAA and other privacy laws. PHI may include:

 

Test requisition data – the test ordered, physician authorization, and associated intake questionnaire responses.

Laboratory results – values, reference ranges, and annotations transmitted by CLIA-certified laboratories.

Identifiers – information linking laboratory results to you, including name, date of birth, or Service identifiers.

Health-related data – self-reported information collected during registration, such as biological sex, height, weight, and race and ethnicity.

 

PHI is collected only as necessary to provide the Services, including laboratory routing, physician review, and secure delivery of results.

 

1.3 Payment Information. We do not collect or process consumer payments. All payments, refunds, and billing are handled directly by the Wellness Provider from whom you ordered the Services. If you provide payment information, it is collected and processed solely by the Wellness Provider or its designated payment processor.

 

1.4 Technical and Device Information. When you use the Services, we automatically collect technical data through cookies, log files, and analytics tools, including:

 

Internet Protocol (IP) address

Browser type and version

Operating system and device identifiers

Referring and exit pages, date and time of access, and error logs

This information helps us secure the platform, monitor usage patterns, and troubleshoot technical issues.

 

1.5 Usage Data and Activity Logs. We maintain logs of your activity within the Services, including:

 

Dates and times of Service registration, questionnaire completion, and account logins

Pages or features accessed, including when results are viewed or downloaded

Administrative actions taken by us or Wellness Providers (e.g., resetting accounts or updating registration data)

 

These logs are maintained to ensure security, compliance, and auditability under HIPAA and other applicable laws.

 

1.6 Information from Wellness Providers. In some cases, we receive information about you directly from the Wellness Provider from whom you ordered Services. This may include eligibility information, demographic details, or other identifiers needed to match you with the correct Services and test requisition.

 

1.7 Information from Third Parties. We may receive limited personal information from laboratories, fulfillment vendors, or digital health platforms when necessary to provide the Services. For example, a laboratory may return test results linked to your Services, or a fulfillment vendor may confirm delivery status.

 

1.8 Originator Opt-In SMS Messaging and Consent Data. Text messaging originator opt-in data and consent information are excluded from the general categories of personal information described above and are treated as restricted-use data. We do not sell, rent, or share SMS opt-in or consent information with third parties for marketing, advertising, or purposes unrelated to providing SMS-based support services. Users may stop SMS communications at any time by replying STOP.

 

We may share limited personal data, including SMS opt-in or consent status, solely with third-party service providers that assist us in delivering text messages, such as messaging platform providers, telecommunications carriers, and customer support vendors. These parties are permitted to use such information only to provide messaging services on our behalf and are contractually required to protect it.

2. How We Use Information

2.1 To Provide the Services. We use your information to register Services, verify eligibility, and link your identity to a unique service identifier number. We use it to route specimens to CLIA-certified laboratories for testing, ensure that tests are ordered or reviewed by independent licensed physicians where required, and securely transmit laboratory results to you, your Wellness Provider, and the partnered digital health platform.

 

2.2 To Communicate with You. We use your information to send administrative notifications such as order confirmations, eligibility updates, and status alerts. We also use it to respond to your questions, support requests, feedback, and to contact you about changes to the Services, this Privacy Policy, or our Terms and Conditions. We may respond to user-initiated text messages (SMS) for operational support purposes only. We do not send marketing or promotional text messages, and we do not communicate test results or clinical information via SMS. We instruct users not to send protected health information (PHI) via SMS. If PHI is received inadvertently, it is handled in accordance with our incident response and data minimization procedures.

 

2.3 To Maintain Security and Compliance. We use information to monitor system activity and access logs to detect unauthorized use, investigate and address security incidents, breaches, or suspicious behavior, and ensure compliance with HIPAA, CLIA, and other legal obligations related to PHI. We also keep audit records as required by applicable law.

 

2.4 To Improve Our Services. We analyze usage data to understand how the Services are accessed and used. We use that information to develop new features, improve performance, and enhance user experience. We may also use it to create training, process improvements, or compliance updates based on user activity.

 

2.5 To Create De-Identified or Aggregated Data. We remove identifiers from PHI to produce de-identified datasets in accordance with HIPAA standards. We use de-identified or aggregated data for analytics, quality assurance, service improvement, and product development, and we will not attempt to re-identify individuals from de-identified data.

 

2.6 To Comply with Legal and Regulatory Requirements. We use your information to respond to subpoenas, court orders, or lawful requests by regulators or law enforcement. We also use it to meet obligations under federal and state health privacy laws and to cooperate with audits, inspections, or investigations by government authorities.

3. How We Share Information

3.1 With Wellness Providers. We share information with the Wellness Provider from whom you ordered Services, including personal information and test results where applicable. The Wellness Provider may use this information in accordance with its own policies and obligations.

 

3.2 With Laboratories. We share necessary identifiers and specimen details with CLIA-certified laboratories to perform the requested testing. Laboratories return results to us, which are then transmitted to you and, where applicable, to the Wellness Provider.

 

3.3 With Physicians. We share information with independent licensed physicians who authorize or review tests and provide oversight for certain Services. These physicians act under their own licenses and are not our employees.

 

3.4 With the Digital Health Platform. We share laboratory results and related data with a partnered digital health platform that serves as the consumer-facing interface. The platform allows you to view, store, and manage your results and to decide whether to share them with others, including your Wellness Provider.

 

3.5 With Fulfillment Vendors. We share PII such as your name, shipping address, and contact details with FDA-registered fulfillment vendors that assemble, package, and ship test kits. These vendors do not receive PHI.

 

3.6 With Service Providers. We share information with third-party service providers that support our operations, such as cloud hosting providers, IT security vendors, and analytics providers. These providers are required to safeguard information in accordance with contractual obligations.

 

3.7 With Regulators or Law Enforcement. We may disclose information as required by law, regulation, or legal process, including to respond to subpoenas, court orders, or lawful requests by regulators or government authorities.

 

3.8 Prohibited Uses. We do not sell PHI or PII for third-party marketing purposes.

4. User Choices and Controls

4.1 Managing Results Sharing. Through the digital health platform, you control if and how your results are shared with others. You can choose to share results with your healthcare providers, the Wellness Provider who ordered your Kit, or other third parties, or you can keep your results private. Your sharing preferences can be updated anytime within the platform.

 

4.2 Access and Correction. You have the right to request access to the personal information we store about you, including PII and, where applicable, PHI. If you believe any of your information is inaccurate or incomplete, you may request that we correct or update it. We will respond to such requests within the timeframes required by law.

 

4.3 Restrictions on Use or Disclosure of PHI. If your testing involves PHI, you can request that we restrict certain uses or disclosures of your PHI. We will comply with restrictions we are legally required to honor under HIPAA and other applicable privacy laws.

 

4.4 Withdrawal of Consent. In certain situations, you may withdraw your consent for us to process your information. For example, if you no longer wish for us to maintain your account, you can request its deletion, subject to applicable retention requirements. Please be aware that withdrawing consent may result in some Services becoming unavailable to you, and we may be required to retain certain information for legal or regulatory reasons.

 

4.5 State-Specific Rights. Depending on where you live, you may have additional rights under state privacy laws. For example, California residents may have rights under the California Consumer Privacy Act (CCPA/CPRA), such as the right to know what personal information is collected, the right to request deletion of personal information, and the right to opt out of its sale. Similar rights may apply in Virginia, Colorado, and other states. We do not sell personal information.

 

4.6 How to Submit Requests. To exercise your rights, submit privacy-related requests, or ask questions, you may contact us at [email protected]. We may require you to verify your identity before fulfilling your request. We will respond to requests within the timeframes required by applicable law.

5. Data Security

5.1 Security Program. We maintain a security program to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. The program includes administrative, technical, and physical safeguards consistent with industry standards and legal obligations.

 

5.2 Encryption. All PHI and PII transmitted through the Services is encrypted during transmission using secure protocols. Data that we store is encrypted at rest to minimize the risk of unauthorized access.

 

5.3 Access Controls. Access to personal information is limited to authorized personnel only. We use role-based permissions to make sure that employees and contractors can only access the information they need to perform their jobs.

 

5.4 Monitoring and Auditing. We monitor systems for unauthorized access attempts, vulnerabilities, and other security threats. We keep logs of system activity and perform regular audits to verify compliance with our security policies and applicable laws, including HIPAA.

 

5.5 Vendor Security. Third-party vendors that process PII or PHI on our behalf are required by contract to implement safeguards at least as protective as those used by us. Vendors handling PHI are required to sign agreements that comply with HIPAA.

 

5.6 Workforce Training. We require employees and contractors with access to PHI or PII to complete privacy and security training. Policies and procedures are enforced through disciplinary actions when necessary.

 

5.7 Incident Response. We maintain an incident response plan to investigate and handle security incidents. If a breach of unsecured PHI occurs, we will notify affected individuals, clients, and regulators as required by HIPAA and relevant state breach notification laws.

6. Data Retention

6.1 General Retention Policy. We retain personal information only as long as necessary to provide the Services, fulfill the purposes described in this Privacy Policy, comply with contractual and regulatory requirements, resolve disputes, and enforce our agreements. Retention periods vary depending on the type of information and the legal context in which it is collected.

 

6.2 Protected Health Information (PHI). PHI collected during laboratory testing is regulated by federal and state laws, including HIPAA and CLIA. These laws may require laboratories and business partners like us to retain PHI, test records, and related data for specified periods, which can range from two to ten years or longer, depending on the jurisdiction. PHI is stored only as long as legally required, then securely destroyed or anonymized.

 

6.3 Personally Identifiable Information (PII). PII such as contact details, account credentials, and communications with us are retained for as long as your account remains active and for a reasonable period afterward. This allows us to respond to account-related inquiries, support investigations, and keep audit trails. If you request the deletion of your PII, we will comply unless retention is legally required.

 

6.4 Operational and Technical Logs. System logs, usage data, and technical records are kept to maintain the security and stability of the Services. These records may include account login timestamps, registration activities, and system access logs. Logs are usually retained for shorter periods than PHI unless a longer retention is required for auditing, legal compliance, or security investigations.

 

6.5 De-Identification and Long-Term Use. When data is no longer required to be kept in an identifiable form, we will either securely destroy it or convert it into de-identified data according to HIPAA standards. De-identified or aggregated data may be kept indefinitely and used for analytics, research, service improvement, and product development.

 

6.6 User Requests for Deletion. You can request the deletion of your personal information at any time. AltusDX will review and respond to your request in accordance with HIPAA, state privacy laws, and contractual obligations with Clients. If we are unable to delete certain information due to legal requirements, we will limit its use to compliance-related purposes and notify you of the reason for retention.

 

6.7 Backup and Archival Systems. Information stored in system backups or archives may remain for a limited time after active data is deleted. Backup retention is managed according to our security and disaster recovery policies, and backup copies are eventually overwritten or destroyed during normal operations.

7. Children’s Privacy

The Services are intended only for individuals who are 18 years or older. We do not provide Services directly to minors, and minors are not allowed to register for Services or create accounts.


We do not intentionally collect, store, or use personal information from children under 18. If we learn that such information has been inadvertently collected, we will act promptly to remove it from our systems.


If you are a parent or legal guardian and suspect that your child has provided personal information to us without your permission, please contact us at [email protected]. We will take appropriate steps, including deleting the information and blocking further access to the Services.


We comply with applicable children’s privacy laws, including the Children’s Online Privacy Protection Act (COPPA), which limits collecting information from children under 13, along with similar state privacy laws. Even though our Services are not aimed at anyone under 18, we extend protections broadly to prevent the accidental collection of minors’ data.

8. Your Rights Under HIPAA and State Laws

8.1 HIPAA Rights. If your testing involves PHI, HIPAA gives you certain rights regarding that information. These rights include the ability to access and obtain a copy of your PHI, request amendments if your PHI is incomplete or inaccurate, request an accounting of specific disclosures of your PHI, and ask for restrictions on how your PHI is used or shared. While AltusDX will consider all restriction requests, we may not be able to fulfill every request if HIPAA does not require it.

 

8.2 California Rights (CCPA/CPRA). If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. These rights may include the right to know what personal information we collect and disclose, the right to request deletion of personal information (with some exceptions), the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising. California residents also have the right not to be discriminated against for exercising their privacy rights.

 

8.3 Virginia Rights (VCDPA). If you are a Virginia resident, you may have rights under the Virginia Consumer Data Protection Act. These include the right to verify whether we process your personal information, the right to access and obtain a copy of your personal information, the right to correct any inaccuracies, the right to request deletion, and the right to opt out of targeted advertising or the sale of personal data. We do not sell personal data.

 

8.4 Colorado Rights (CPA). If you are a Colorado resident, you may have rights under the Colorado Privacy Act. These rights are similar to those in Virginia and California, including rights of access, correction, deletion, data portability, and the option to opt out of targeted advertising and sales of personal data. We do not participate in targeted advertising or sell personal data.

 

8.5 Other State Rights. Other states may provide residents with additional privacy rights. We will comply with state-specific laws to the extent they apply to our Services.

 

8.6 How to Exercise Rights. To exercise your rights under HIPAA or state law, you may contact us at [email protected]. We may require you to verify your identity before fulfilling your request. We will respond within the timeframes required by applicable law.

9. Changes to This Policy

We may update, revise, or otherwise modify this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services we provide.


If we make material changes, we will post the updated Privacy Policy on our website and update the “Last Updated” date at the top of the Policy. In some instances, we may also provide additional notice, such as by email or a notice presented during Service registration.


Your continued use of the Services after the updated Privacy Policy is posted constitutes your acceptance of the revised Policy. If you do not agree with the changes, you must discontinue using the Services.

10. Contact Information

If you have questions, concerns, or feedback about this Privacy Policy or our privacy practices, you may contact us at:

 

AltusDX, LLC
1312 17th Street, Suite #759
Denver, CO 80202
Email: [email protected]

 

We will make reasonable efforts to respond to inquiries in a timely manner and will address feedback in accordance with applicable privacy laws.

Our mission is to help elevate health by empowering passionate wellness organizations with advanced testing and digital health solutions.

© 2026 AltusDX. All rights reserved.

AltusDX is a healthcare technology and service facilitator. We are not a clinical laboratory, medical provider, or telehealth practice. All laboratory testing is performed by independent CLIA-certified laboratories, and any clinical review, oversight, or telehealth services are provided solely by independent licensed professionals. AltusDX does not provide medical advice, diagnosis, or treatment. The information and services we provide are for operational and wellness-related informational purposes only and are not a substitute for professional medical care or advice. Any medical questions should be directed to a qualified healthcare provider.
