Your privacy choices.
How WellMensRX handles your personal information, what we do with it for marketing and advertising, and exactly how to exercise the rights your state gives you under CCPA, VCDPA, CPA, CTDPA, and UCPA.
We do not sell your personal information, but we do use it for marketing.
WellMensRX does not sell your personal information for money. We treat your health information with HIPAA-grade safeguards, and clinical data (intake answers, Rx history) stays inside the treatment workflow — never used for marketing.
We do, however, use your email address and basic interaction data (pages you viewed, products you clicked, whether you started an intake) to send you promotional offers and to deliver retargeting ads on platforms like Meta, Google, and similar. That counts as "sharing" under California's CCPA and equivalent state laws. You can opt out of any of this at any time — instructions are below.
If you live in California, Virginia, Colorado, Connecticut, Utah, or any other state with a consumer privacy law, the sections below explain exactly what rights you have and how to use them.
Categories of personal information we collect.
- Identifiers: name, email, postal address, phone number, IP address, device identifiers.
- Health information: intake answers, current medications, medical history, provider notes, Rx history, shipment records.
- Commercial information: order history, payment method (tokenized; we never store full card numbers), subscription status.
- Internet or network activity: pages viewed, session timestamps, referring URL, browser and device metadata.
- Geolocation: approximate location derived from IP for state eligibility and shipping.
- Inferences: none. We do not build profiles or infer traits beyond what you tell us during intake.
We collect this information directly from you (when you sign up, complete intake, or contact support), automatically from your device (session logs), and from service providers (payment processors, shipping carriers, the compounding pharmacy filling your Rx).
Purposes of collection and use.
- To provide telehealth services — intake review, prescribing, dispensing, shipping, refills.
- To operate your account — authentication, order history, customer support.
- To process payments and prevent fraud.
- To comply with law — prescription records, state licensing, pharmacy audits.
- To market and retarget — once you've entered our flow (visited a product page, started an intake, or signed up), we may email you about promotions and deals, and share limited interaction data with ad platforms (Meta, Google, etc.) so you see our ads on other sites. Clinical/health information (intake answers, diagnoses, Rx history) is never used for this.
- To improve the service — aggregated, de-identified analytics on performance and errors.
We do not sell your personal information for money. We do not use your clinical or HIPAA-protected health information for advertising. You can opt out of marketing communications and retargeting at any time — see the "Marketing & retargeting" and "Submit a request" sections below.
Who we share information with.
- Your reviewing physician and care team: to evaluate intake and manage your treatment.
- The compounding pharmacy: to prepare and ship your prescription.
- Payment processor: to process charges (they see only tokenized payment data).
- Shipping carriers: USPS, UPS, or similar — to deliver your order.
- Infrastructure and security vendors: bound by contract to HIPAA-compliant handling, used only to operate the platform.
- Marketing and advertising platforms: Meta (Facebook/Instagram), Google, TikTok, and similar ad networks. We share hashed email addresses and interaction data (products viewed, funnel stage) so we can show you relevant ads and measure campaign performance. This is what state laws classify as "sharing for cross-context behavioral advertising." We never share your intake answers, diagnoses, Rx history, or any HIPAA-protected health information with these platforms.
- Email service providers: to deliver marketing emails (promotions, deals, refill reminders). Every marketing email has a one-click unsubscribe.
- Law enforcement or regulators: only if legally compelled, and we will notify you unless prohibited.
We do not sell personal information in exchange for money. We do share limited non-health data for retargeting as described above — which state privacy laws treat as a "sale" or "share." You have the right to opt out at any time.
What happens when you enter our flow.
If you visit a product page, start an intake, submit your email, or interact with our ads in any way, you have entered what we call "our flow." From that point forward, we may:
- Email you about promotions, deals, new formulas, and refill reminders
- Show you retargeting ads on Meta, Google, TikTok, and similar platforms
- Use look-alike modeling to reach people similar to you (using hashed, non-health data only)
- Measure which marketing touches led to which conversions (standard attribution)
We do not disclose to ad platforms that you have an intake, a prescription, a specific condition, or a diagnosis. Clinical information stays in HIPAA-protected systems. What ad platforms see is limited to: hashed email, page URL visited, whether a purchase happened, and the dollar amount.
How to opt out of marketing and retargeting.
Marketing email: click the unsubscribe link in any email we send, or email privacy@wellmensrx.com. We'll process the request within 10 business days.
Retargeting ads: email privacy@wellmensrx.com with "Opt out of sharing" in the subject. You can also enable Global Privacy Control (GPC) in your browser — we honor it automatically.
Platform-level opt-outs: Meta, Google, and TikTok each have their own ad-preferences page where you can opt out of personalized ads from all advertisers at once.
Your rights under state privacy laws.
If you live in a state with a consumer privacy law — including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) — you have the following rights:
- Right to know / access: request the categories and specific pieces of personal information we have about you.
- Right to correct: ask us to fix inaccurate information.
- Right to delete: ask us to delete your personal information, subject to legal retention requirements (state prescription-records law can require 5–10 years).
- Right to opt out of sale or sharing: we do not sell for money, but we do share limited non-health data with advertising platforms for retargeting. Email privacy@wellmensrx.com to opt out, or enable Global Privacy Control in your browser — we honor it automatically.
- Right to limit the use of sensitive personal information: we already limit this to what is medically necessary.
- Right to non-discrimination: we will not deny service, charge different prices, or provide lower quality for exercising your rights.
- Right to appeal (VA, CO, CT): if we deny a request, you may appeal. We will respond within 60 days.
Verification: to protect your records, we may ask you to confirm identity before fulfilling an access or deletion request. We will not share verification details with anyone else.
Exercise your rights.
The fastest path is email. We respond within 15 business days and fulfill valid requests within 45 days (extensible once by 45 days for complex requests, with notice).
Privacy requests
Email: privacy@wellmensrx.com
Include: your full name, the email address on your account, the state you live in, and the specific request (access, correction, deletion, opt-out, appeal).
Authorized agents may submit requests on your behalf. We will verify written authorization before fulfilling.
Global Privacy Control (GPC).
Our site honors the Global Privacy Control signal. If your browser sends a GPC header, we treat it as a request to opt out of sale or sharing for that device. You can still submit an account-wide opt-out via email above.
If your information is ever compromised.
The HITECH Act requires us to notify you within 60 days of discovering a breach of unsecured protected health information. Notification includes what happened, what information was involved, what steps you should take, and what we are doing to investigate and contain the breach. For breaches affecting 500 or more individuals, we also notify the U.S. Department of Health and Human Services and, where required, the media.
We maintain documented incident-response, forensic-investigation, and notification procedures. Breach response is overseen by our Privacy Officer. If a breach involves non-health personal information, we follow the applicable state breach-notification law in your state, which may have shorter timelines.
Business Associate Agreements protect your health data.
When we work with third parties who touch protected health information (PHI) — our compounding pharmacy, our electronic health record vendor, our secure messaging provider, our cloud infrastructure vendor, our shipping and fax partners — each one is bound by a Business Associate Agreement (BAA). That contract legally requires them to apply HIPAA-compliant safeguards, report breaches back to us, and use the data only for the agreed purpose.
Vendors that only touch non-PHI data (email service providers, Meta, Google, TikTok, analytics) are not Business Associates. They never receive your intake answers, diagnoses, medications, or any other PHI. What they receive is limited to hashed email addresses and non-health interaction signals (pages viewed, funnel stage, purchase confirmation).
Some states protect you beyond HIPAA.
Several states give you stronger health-privacy protections than federal HIPAA. Where state law is more protective, we follow the state law.
- California: Confidentiality of Medical Information Act (CMIA) applies to all medical information, broader than HIPAA. CCPA/CPRA covers non-PHI personal data.
- Texas: Texas Medical Records Privacy Act (TMRPA) applies to any entity handling medical records in Texas, not just HIPAA covered entities.
- Washington: My Health My Data Act — expanded consumer health data protections.
- New York: SHIELD Act for data security; separate protections for mental health and genetic information.
- Virginia, Colorado, Connecticut, Utah: state consumer privacy laws that cover health-adjacent data beyond HIPAA.
The full HIPAA-required Notice of Privacy Practices lives at our NPP page.
Marketing & messaging consent during sign-up.
When you complete your intake, you'll be asked to provide specific consents — separate from the HIPAA treatment consent. These are optional; qualifying for treatment does not require them.
- Marketing email consent: opt in to promotional emails about deals, new formulas, and refill reminders. You can unsubscribe from every email we send; clicking unsubscribe stops all marketing email within one business day.
- SMS/text marketing consent (TCPA): optional. Federal law requires separate express written consent for marketing texts. You can reply STOP to any text to opt out. Message frequency varies; message & data rates may apply.
- Retargeting / advertising: if you visit our site or enter any part of the funnel, we may share hashed email and non-health interaction data with advertising platforms for retargeting — unless you opt out (email privacy@wellmensrx.com or enable Global Privacy Control).
- HIPAA marketing authorization: we do not use your protected health information for any marketing. If we ever wanted to, we would ask for separate written authorization as HIPAA requires.


















