Privacy policy.
We collect what is needed to treat you and ship your medication. Nothing more. We do not sell your data.
The short version
Selvara collects only the information needed to run an intake, generate a prescription, ship a medication, and bill your card. Health information is protected under HIPAA and stored on encrypted, audited infrastructure. We do not sell your data. We do not share your health information with advertisers. You can request, correct, or delete your data at any time.
What we collect
Information you give us
- Name, date of birth, address, phone, email.
- Medical history, current medications, symptoms, goals (from the intake).
- Photos you upload (for some protocols).
- Bloodwork results.
- Messages you send to your practitioner and to support.
- Payment information, tokenized by Stripe; we store only the last four digits and the token.
Information collected automatically
- Device, browser, IP address, time of visit.
- Pages viewed and actions taken on the website.
- Cookies and similar identifiers (see the Cookies section).
How we use it
- Match your intake to a licensed practitioner in your state.
- Allow the practitioner to review, message you, and prescribe.
- Send your prescription to a pharmacy and ship your medication.
- Run your account: charging your card, sending receipts, recording your protocol history.
- Send transactional emails (intake confirmations, ship notifications, refill reminders).
- Send marketing emails you have opted into (you can unsubscribe with one click in any email).
- Improve the website with aggregated, de-identified analytics.
HIPAA and PHI
Health information you share with a Selvara practitioner is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act. Selvara's affiliated professional entities are HIPAA Covered Entities; Selvara Health, Inc. is a Business Associate under signed Business Associate Agreements.
PHI is stored in encrypted databases on infrastructure that has SOC 2 Type II audit reports on file. Access is restricted to the practitioner who treats you, the pharmacy that fills your prescription, and the Selvara staff whose job role requires it. Every access event is logged.
You have HIPAA rights including the right to request your PHI in electronic form, the right to request a correction, and the right to know who Selvara has shared your PHI with. Email privacy@selvarahealth.com to use any of these rights.
Who we share data with
We share data only with parties that need it to run the service:
- The practitioners who treat you (medical history, intake, messages).
- The pharmacies that compound and ship your medication (name, address, prescription, allergies).
- Carriers (name, address, phone for delivery).
- Stripe for payment processing (card token, charge amount).
- Service providers under written contracts: hosting (AWS), email delivery (Postmark), analytics (de-identified only), customer support tooling. All bound by BAAs when PHI is involved.
- Legal authorities when required by a valid subpoena, court order, or law.
We do not share PHI with advertisers, data brokers, or marketing networks. We do not sell personal information.
Cookies and tracking
Selvara uses two kinds of cookies:
- Strictly necessary: login session, intake state, shopping flow. These cannot be disabled while you use the site.
- Analytics and marketing: Google Analytics 4, Meta Pixel, TikTok Pixel, Google Ads. These are loaded only after you give consent through the cookie banner. None of them ever receive PHI.
You can change your consent at any time using the "Cookie settings" link in the footer (coming with the consent banner update). On the marketing pages, conversion tracking fires only on non-PHI events (page-view, lead-submitted, checkout-started, purchase-completed).
Your rights
All members
- Access a copy of the information we hold about you.
- Correct inaccurate information.
- Delete your account and your data (subject to record-keeping rules for prescription history, which the federal DEA requires us to retain for two years from the last fill).
- Object to marketing emails (unsubscribe link in every email).
- Port your data to another provider in a machine-readable format.
California (CCPA / CPRA)
California residents have the right to know what categories of personal information Selvara collects, the right to delete, the right to correct, the right to opt out of any "sale" or "share" of personal information (we do neither), and the right to non-discrimination for using these rights.
Other states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have parallel rights. Email privacy@selvarahealth.com from the email on your account and we will respond within 45 days.
How long we keep data
| Category | Retention |
|---|---|
| Prescription records | 2 years after the last fill (federal DEA rule) |
| Medical chart, bloodwork | 7 years (state medical record retention) |
| Billing records | 7 years (tax) |
| Account profile | Until you delete your account, then 30 days in soft-delete, then erased |
| Marketing email preferences | Until you unsubscribe |
| Web analytics | 14 months (de-identified) |
Security
Selvara encrypts data in transit (TLS 1.3) and at rest (AES-256). Production databases live in private VPCs with no public access. Engineering access requires hardware-key two-factor authentication and is logged. Every quarter we run a third-party penetration test; findings are remediated under a published SLA. The full security overview is available on request.
Children's privacy
Selvara is not directed at anyone under 18. We do not knowingly collect information from minors. If you believe a minor has submitted information, email privacy@selvarahealth.com and we will delete it.
Changes to this policy
We will post any changes here with a new "Last updated" date. Material changes get email notice 30 days before they take effect.
Contact
Selvara Health, Inc.
Privacy Officer · privacy@selvarahealth.com
Los Angeles, California