Privacy Policy
Last updated
1.Scope
This Policy applies to information collected through the Zepym Health platform. It does not apply to information collected by third parties (including independent Clinicians, Pharmacy Partners, and laboratories) that operate under their own privacy practices, except where they act as our business associate under HIPAA.
2.Information We Collect
Account & identity data: name, email address, mailing address, date of birth, phone number, government-issued ID where required.
Health information: intake responses, medical history, medications, allergies, photos you upload, weight and biometric data, and messages with your care team. To the extent this is PHI held by the Affiliated Medical Group, it is governed by our HIPAA Notice.
Payment data: billing address and payment-card data, processed by our PCI-DSS compliant payment processor; we do not store full card numbers on our servers.
Device & usage data: IP address, browser type, device identifiers, pages viewed, referring URL, timestamps, and similar diagnostic data.
Communications: records of messages, calls, and support tickets you initiate with us.
3.Sources
We collect information directly from you (during sign-up, intake, and use of the Service), automatically through your device, and from third parties such as identity-verification services, pharmacy partners, laboratories, and analytics providers.
4.How We Use Information
We use information to: (a) operate and maintain the Service; (b) facilitate clinical care, prescriptions, and pharmacy fulfillment; (c) process payments and prevent fraud; (d) communicate with you about your account, treatment, and the Service; (e) comply with legal obligations and respond to lawful requests; (f) monitor, improve, and develop the Service; and (g) with your consent, send marketing communications, which you may opt out of at any time.
5.How We Share Information
Affiliated Medical Group & Clinicians. To enable your care.
Pharmacy Partners & laboratories. To fulfill prescriptions and process test results.
Service providers. Hosting, analytics, payment processing, customer support, shipping, and similar vendors that act on our behalf under written contracts requiring confidentiality and, where applicable, HIPAA business-associate terms.
Legal & safety. When required by law, subpoena, or to protect the rights, safety, or property of Zepym Health, our users, or others.
Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections.
With your consent. For any other purpose disclosed at the time of collection.
6.No Sale of Personal Information
We do not sell your personal information or PHI for monetary consideration. We do not share PHI for marketing purposes without your authorization. Some analytics and advertising cookies may constitute “sharing” under California law; you may opt out via the controls in Section 7 and Section 12.
7.Cookies & Tracking Technologies
We use cookies, pixels, and similar technologies for authentication, security, analytics, and product improvement. You can control cookies through your browser settings. Disabling some cookies may impair functionality. We honor Global Privacy Control (GPC) signals as a request to opt out of sharing for cross-context behavioral advertising, where applicable.
8.Data Retention
We retain information for as long as needed to provide the Service, comply with our legal obligations (including state-law medical-record retention requirements, which may be seven years or longer), resolve disputes, and enforce our agreements. When information is no longer required, we delete or de-identify it.
9.Security
We maintain administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, access controls, logging, and regular security reviews. No method of transmission or storage is 100% secure; we cannot guarantee absolute security. Notify us at security@zepym.com of any suspected breach.
10.Children
The Service is not directed to children under 18 and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact privacy@zepym.com and we will delete it.
11.Your Privacy Rights
Subject to applicable law, you may request to: (a) access the personal information we hold about you; (b) correct inaccurate information; (c) delete information; (d) restrict or object to certain processing; (e) receive a portable copy; and (f) opt out of marketing. Rights regarding PHI are described in our HIPAA Notice.
To exercise these rights, email privacy@zepym.com. We will verify your identity and respond within the timeframes required by applicable law. You may use an authorized agent to submit a request on your behalf with written authorization.
12.State-Specific Disclosures
California (CCPA/CPRA). California residents have the rights described in Section 11 plus the right to know the categories of personal information collected and the purposes of use; the right to limit use of sensitive personal information; and the right to non-discrimination for exercising these rights.
Virginia, Colorado, Connecticut, Utah, Texas, and similar states. Residents of states with comprehensive privacy laws have the right to access, correct, delete, port, and opt out of targeted advertising, sale of personal data, and certain profiling decisions, subject to the limits of each statute. Appeals: if we deny your request, you may appeal at privacy@zepym.com.
Florida. Florida residents may exercise rights under the Florida Digital Bill of Rights to the extent applicable.
Washington & Nevada. Residents may exercise rights under the My Health My Data Act and Nevada SB 370, respectively, with respect to consumer health data.
13.Do Not Track
Our Service does not respond to browser “Do Not Track” signals at this time. We honor Global Privacy Control signals as described in Section 7.
14.International Users
The Service is intended for users in the United States. If you access the Service from outside the U.S., you understand that your information will be processed in the U.S., which may have different data-protection laws than your country of residence.
15.Changes to This Policy
We may update this Policy. Material changes will be communicated by email or in-app notice. The “Effective Date” above reflects the most recent update.
16.Contact Us
WYNTON LLC d/b/a Zepym Health — Privacy Office





