This Privacy Policy explains how Rooted Health Hormones & MedSpa, LLC ("Rooted Health," "we," "us") collects, uses, and shares information through rootedhealthmember.com and our member portal (the "Services"). This policy applies to general website data. Protected Health Information ("PHI") is governed by our HIPAA Notice of Privacy Practices.
1. Information we collect
- Account data — name, email, phone, date of birth, address.
- Health intake — quiz responses, goals, medication history, consents.
- Payment data — handled by Stripe; we do not store full card numbers.
- Technical data — IP address, device, browser, timestamps, audit logs.
2. How we use information
- To provide care, schedule visits, message you, and process payments.
- To verify identity, prevent fraud, and meet legal/regulatory obligations.
- To improve the Services and analyze de-identified usage trends.
We do not sell your personal information. We do not use PHI for advertising.
3. Sharing
We share information only with: (a) our clinicians and workforce on a need-to-know basis; (b) Business Associates under written BAAs (hosting, payment, e-prescribing, lab partners); (c) authorities when required by law; (d) you and people you authorize in writing.
4. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Role-based access controls and immutable audit logging are enforced at the database layer (row-level security). We follow HIPAA Security Rule administrative, physical, and technical safeguards.
5. Your choices and rights
- Access, correct, or download your account data.
- Request deletion subject to record-retention laws (Ark. Code § 17-95-107 generally requires retention of medical records for at least 10 years for adults; longer for minors).
- Opt out of non-essential email by replying or contacting us.
- HIPAA rights are described in our Notice of Privacy Practices.
6. Children
The Services are intended for adults 18+ unless a parent or legal guardian establishes a minor's account. We do not knowingly collect data from children under 13 online.
7. Cookies
We use a minimal, HIPAA-safe cookie model. When you first visit the site you will see a cookie banner where you can accept all categories, reject non-essential categories, or configure each category individually. Your choice is stored locally on your device under the key rh.cookie-consent and is honored across the site until you change it.
We use two categories:
- Strictly necessary (always on) — authentication tokens, session, CSRF/security, load balancing, and the cookie-consent record itself. These are required for the Services to function and cannot be disabled. Examples: Supabase auth session, Stripe Checkout/Customer Portal session, our consent record.
- Analytics (off by default, opt-in) — aggregated, de-identified usage measurement to help us improve the site (page views, feature usage, performance). The analytics script is only loaded after you opt in and is removed if you later opt out. Analytics events are never linked to your account, your identifiers, or any Protected Health Information, and we do not share analytics data with advertising networks.
We do not set advertising, retargeting, social-media tracking, or cross-site profiling cookies, and we do not sell or share your information for behavioral advertising. The patient portal and any page that displays Protected Health Information never load third-party analytics regardless of consent.
Change your choice at any time from the "Cookie preferences" link in the site footer, or by clearing the rh.cookie-consent entry in your browser's site storage. We honor browser "Do Not Track" and Global Privacy Control signals as a rejection of non-essential categories.
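As an added illustration that is not part of this policy or Rooted Health's own code, the following JavaScript shows how a page can apply the cookie rules above: the analytics script loads only after an explicit opt-in stored under rh.cookie-consent, a Do Not Track or Global Privacy Control signal counts as a rejection, and pages that display PHI never load it. The stored record shape, the script element id, the script path and the data-phi page marker are assumptions.

```javascript
// Added example (not Rooted Health's own code): a consent gate for the optional
// analytics script. The storage key is the one the policy names; the record
// shape {"analytics": true|false}, the script id and the script path are assumed.
const CONSENT_KEY = 'rh.cookie-consent';

// Parse the stored consent record; anything missing or malformed counts as
// "no choice yet", which the policy treats as analytics off.
function parseConsent(raw) {
  if (typeof raw !== 'string') return null;
  try {
    const rec = JSON.parse(raw);
    if (rec && typeof rec.analytics === 'boolean') return { analytics: rec.analytics };
  } catch (_) { /* malformed JSON: treated as no record */ }
  return null;
}

// Decide whether analytics may load. Precedence, most restrictive first:
//   1. pages that display PHI never load analytics, whatever the consent state;
//   2. a Do Not Track ("1") or Global Privacy Control (true) signal is a rejection
//      (assumed here to win even over a stored opt-in);
//   3. otherwise the stored choice applies, defaulting to off (opt-in model).
function analyticsAllowed({ storedRecord = null, signals = {}, phiPage = false }) {
  if (phiPage) return false;
  if (signals.doNotTrack === '1' || signals.globalPrivacyControl === true) return false;
  const rec = parseConsent(storedRecord);
  return rec ? rec.analytics : false;
}

// Apply the decision: add the analytics <script> on opt-in, remove it on opt-out.
// Removing the tag stops future loads; code already running needs a page reload.
function applyAnalytics(doc, allowed, src) {
  const existing = doc.getElementById('rh-analytics');
  if (allowed && !existing) {
    const s = doc.createElement('script');
    s.id = 'rh-analytics'; s.src = src; s.async = true;
    doc.head.appendChild(s);
  } else if (!allowed && existing) {
    existing.remove();
  }
}

// Browser wiring; skipped when the file runs outside a browser (e.g. under Node).
if (typeof window !== 'undefined') {
  const allowed = analyticsAllowed({
    storedRecord: window.localStorage.getItem(CONSENT_KEY),
    signals: { doNotTrack: navigator.doNotTrack, globalPrivacyControl: navigator.globalPrivacyControl },
    phiPage: document.body.dataset.phi === 'true', // assumed marker set by PHI-rendering pages
  });
  applyAnalytics(document, allowed, '/assets/analytics.js'); // placeholder path
}
```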
8. Changes
Material changes will be posted here and, when required, sent to you by email at least 30 days before they take effect.
9. Contact
Privacy Officer: privacy@rootedhealthmember.com.