Privacy Policy
Effective Date: 2026-08-01 Last Updated: 2026-05-06 Version: 1.0
This Privacy Policy explains how Halftime Health LLC (“Halftime Health,” “we,” “us,” or “our”) collects, uses, shares, and protects information about visitors, prospective members, and members of our website at halftime.health and our related digital properties (collectively, the “Site”).
This Privacy Policy applies to information we collect through the Site, our marketing channels, and our consumer-facing platform. Protected Health Information (“PHI”) that the Clinical Affiliate (defined below) creates, receives, or maintains in connection with telehealth care is separately governed by the Notice of Privacy Practices for Patients of the Clinical Affiliate, available at /legal/hipaa-notice. Where this Privacy Policy and the Notice of Privacy Practices overlap, the Notice of Privacy Practices controls with respect to PHI.
1. Who we are
| Legal entity | Halftime Health LLC |
| State of formation | Delaware |
| Operating address | 600 W. 6th Street, Suite 400, Fort Worth, TX 76102 |
| Registered agent (Delaware) | United States Corporation Agents, Inc., 131 Continental Drive, Suite 305, Newark, DE 19713 |
| Privacy contact | privacy@halftime.health |
| Postal contact | Halftime Health LLC, Attn: Privacy, 600 W. 6th Street, Suite 400, Fort Worth, TX 76102 |
Halftime Health is a direct-to-consumer telehealth brand. Halftime Health is not a medical practice or licensed clinical entity. Clinical services available through the Site are provided by an independent professional medical entity managed by OpenLoop Health, Inc. (the “Clinical Affiliate”), whose licensed clinicians evaluate, diagnose, and prescribe where clinically appropriate. Compounded medications prescribed through the Clinical Affiliate are dispensed by independent licensed compounding pharmacies, with BoomRx as the primary pharmacy partner and MediVera as the backup pharmacy partner. Halftime Health is a HIPAA Business Associate of the Clinical Affiliate with respect to the technology, payment, member-experience, customer-support, and analytics services it provides.
2. Categories of personal information we collect
We collect the following categories of information, organized by source and purpose. Some categories qualify as “personal information” under California, Texas, Virginia, Colorado, Connecticut, Utah, Oregon, Montana, and other state privacy laws. Some categories qualify as “sensitive personal information” or “consumer health data” under those same laws or under the Washington My Health My Data Act, the Nevada SB 370 health-data law, and similar consumer-health-data statutes. Where required, we describe the elevated treatment those categories receive.
2.1 Account and identity data
Name, email address, mobile phone number, postal address, and date of birth; account credentials (password hashes, multi-factor authentication enrollment); communication preferences and consent records (Notice of Privacy Practices acknowledgment, telehealth consent, marketing opt-in, SMS opt-in, age affirmation, Terms of Service acceptance).
2.2 Health and wellness data
Self-reported intake responses (medical history, current medications, allergies, goals, lifestyle); bloodwork and laboratory results uploaded by you or transmitted by partner labs; protocol assignments, dose logs, and clinical communications conducted through the Site or our platform; voice intake transcripts (if you opt into a voice-assisted intake).
When this information is created, received, or maintained by the Clinical Affiliate in the context of treatment, payment, or healthcare operations, it is PHI under HIPAA and is governed by the Notice of Privacy Practices. When the same information is collected by Halftime Health on the Clinical Affiliate’s behalf, Halftime Health processes it under a HIPAA Business Associate Agreement with the Clinical Affiliate. Some of this information may also qualify as “consumer health data” under the Washington My Health My Data Act and similar state laws, and we treat it as such, including by obtaining the consent and providing the disclosures those laws require. See Section 8.4 (Washington and consumer health data) for the rights and disclosures specific to that category.
2.3 Payment data
Billing name and address; payment-method tokens and last-four / expiration metadata returned by our payment processor; subscription, invoice, refund, and chargeback history. We do not store full payment-card numbers or CVV codes. Payment-card data is collected and tokenized by Stripe, our payment processor, under PCI-DSS scope. Stripe is a HIPAA Business Associate of the Clinical Affiliate where its services touch PHI in connection with payment.
2.4 Technical and device data
IP address, browser type and version, operating system, device identifiers, and approximate location (derived from IP); pages viewed, referrer URL, session timing, and interaction events; cookies and similar technologies (see Section 7).
2.5 Marketing and engagement data
Email and SMS engagement (opens, clicks, unsubscribes, deliverability events); UTM parameters, ad-click identifiers, and on-site conversion events; third-party advertising identifiers where you have consented to their use.
2.6 Information from third parties
Identity, fraud, and address-verification signals from our processors and verification vendors (including Persona, Stripe Identity, and Stripe Radar); lab results and clinical data from labs and providers you have authorized to share with us; public information you provide on social channels (when you tag us, comment, or otherwise interact publicly).
3. How we use your information
We use the information described above to:
- Provide, operate, and improve the Site and platform.
- Create and maintain your account and authenticate you.
- Route your information to the Clinical Affiliate for clinical evaluation and to dispensing pharmacies for fulfillment, where you have consented.
- Process payments, subscriptions, refunds, and chargebacks.
- Communicate with you about your account, orders, shipments, and clinical care (transactional).
- Send you marketing communications where you have consented and respect your opt-outs.
- Protect against fraud, abuse, and unauthorized access.
- Comply with legal, regulatory, accounting, and audit obligations.
- Conduct analytics, research, and product development on de-identified or aggregated data.
We do not sell personal information for monetary consideration. We may “share” personal information for cross-context behavioral advertising only with your consent, and you may opt out at any time (see Section 8 and Section 7).
4. Notice to visitors outside the United States
Halftime Health offers the Site only to residents of, and only intends to be accessed by users physically located in, the United States. We do not solicit, market, or knowingly offer services to residents of the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction outside the United States. If you access the Site from outside the United States, you do so on your own initiative and you are responsible for compliance with local laws. We process and store information in the United States, where data-protection laws may differ from those of your jurisdiction.
5. How we share your information
We share personal information with the following categories of recipients:
| Recipient category | Purpose | Examples |
|---|---|---|
| Clinical Affiliate | Clinical evaluation, prescribing, ongoing care | The OpenLoop-managed professional medical entity providing clinical services on the Halftime Health platform |
| Compounding pharmacies | Dispensing prescribed medications | BoomRx (primary), MediVera (backup) |
| Laboratory partners | Bloodwork ordering and result delivery | Quest Diagnostics, Evexia Diagnostics, Getlabs |
| Payment processor | Payment authorization, billing, refunds | Stripe |
| Fulfillment and shipping | Order fulfillment, tracking | ShipBob and other licensed carriers |
| Email and SMS providers | Transactional and marketing messaging | AWS SES, Twilio, Klaviyo, Postscript |
| Cloud infrastructure | Hosting, storage, security | AWS, Cloudflare, Fly.io |
| Analytics and product platforms | Site analytics, error monitoring, A/B testing | Datadog, Sentry |
| Identity, fraud, and compliance | Identity verification, fraud prevention | Persona, Stripe Identity, Stripe Radar |
| Consent and preference management | Cookie banner, GPC honor, privacy-request workflow | Transcend |
| Professional advisors | Legal, accounting, audit | Counsel and accountants under confidentiality |
| Authorities and successors | Legal process, law enforcement, business transfers | As required by law or in connection with a merger or sale |
Where these recipients receive PHI in connection with treatment, payment, or healthcare operations, they do so under a HIPAA Business Associate Agreement with the Clinical Affiliate (or with Halftime Health, as a Business Associate, under a subcontractor BAA).
We may disclose personal information without your further consent where required to: comply with a subpoena, court order, or other legal process; protect our rights, property, or safety, or the rights, property, or safety of any person; investigate or respond to suspected fraud or abuse; or in connection with a corporate transaction, including a merger, acquisition, financing, or sale of assets.
6. Data retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to provide our services, and to satisfy legal, accounting, tax, and regulatory obligations. Specific retention periods include:
| Category | Retention |
|---|---|
| Active member profile | While account is active + 7 years post-cancellation |
| Intake responses, clinical notes, bloodwork (PHI) | At least 7 years (state medical-records law and HIPAA), longer where the longest applicable state retention period requires |
| Orders and invoices | 7 years (tax and HIPAA) |
| Payment-method tokens | Until cancellation + 60 days (refund window) |
| HIPAA audit and access logs | 6 years minimum |
| Voice intake transcripts | 7 years if used for clinical decisioning; 2 years otherwise |
| Voice intake call audio | Not retained (dropped in flight); a 30-day audio retention may apply if you opt into a tiebreaker review mode |
| Support transcripts | 3 years |
| Marketing engagement data | Until opt-out + 30 days |
| Application logs | 90 days hot, 1 year cold, then deleted |
| Consumer health data (WA MHMDA / similar) | The shortest of (a) the period for which you have provided consent, (b) the period necessary to provide the requested service, or (c) the retention periods set forth above |
Where we retain de-identified or aggregated data after these periods, we do not attempt to re-identify it.
7. Cookies and tracking technologies
We and our service providers use cookies, pixels, SDKs, and similar technologies to operate the Site, remember your preferences, measure performance, and (where you consent) deliver advertising. Our consent management platform is Transcend.
You can manage cookie preferences through our consent banner. For browsers and add-ons that transmit a Global Privacy Control (“GPC”) signal, we treat that signal as a valid request to opt out of “sale” and “sharing” of personal information for cross-context behavioral advertising, in accordance with the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and other state privacy laws that recognize universal opt-out signals. You may also withdraw consent at any time by re-opening the consent banner from the link in the Site footer.
We use the following advertising and analytics tags subject to your consent: Meta CAPI, Google Ads, TikTok, Klaviyo, and similar tags. We treat the use of these tags as “sharing” personal information for cross-context behavioral advertising under California law and as “targeted advertising” under other state privacy laws. Your opt-out, your GPC signal, or your decision to decline non-essential cookies will disable these tags.
8. Your privacy rights
Subject to verification and applicable exceptions, you may exercise the following rights:
8.1 Rights under U.S. state privacy laws
Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, and Kentucky (and other states with comprehensive privacy laws as they take effect) have the following rights, subject to the specific scope of each state’s law:
- Access / Know. Confirm whether we process your personal information and obtain a copy.
- Delete. Request deletion of personal information we have collected from you.
- Correct. Request correction of inaccurate personal information.
- Portability. Receive a copy of your personal information in a portable format.
- Opt out of sale or share. Opt out of “sale” or “sharing” for cross-context behavioral advertising.
- Opt out of targeted advertising and certain profiling.
- Limit use of sensitive personal information (where applicable).
- Appeal an adverse decision on a privacy request (where applicable).
- Non-discrimination for exercising any of these rights.
You may submit a request through the in-product privacy request flow at /account/privacy, by emailing privacy@halftime.health, or by writing to the postal address above. We will verify your identity using information already in your account (email + verification token at minimum) before responding.
8.2 California “Shine the Light”
California residents may request, once per calendar year, a list of categories of personal information disclosed to third parties for those parties’ direct-marketing purposes during the prior calendar year. Submit this request to privacy@halftime.health.
8.3 Authorized agent
You may designate an authorized agent to make a request on your behalf. We will require written authorization signed by you and may verify the request directly with you.
8.4 Washington and consumer health data
We process consumer health data, including bloodwork and self-reported intake responses, that is regulated by the Washington My Health My Data Act and similar consumer-health-data statutes. A separate Washington Consumer Health Data Privacy Policy is published at /legal/wa-consumer-health-data, as required by the My Health My Data Act, and describes:
- The categories of consumer health data we collect and the purposes for which they are collected and used.
- The categories of sources from which the data are collected.
- The categories of consumer health data we share and the categories of recipients.
- How you may exercise your rights to confirm, withdraw consent, and request deletion of consumer health data.
We do not use a “geofence” around any in-person facility providing health-care services to identify, track, collect data from, or send notifications, messages, or advertisements to consumers regarding their consumer health data or health-care services.
8.5 Children
The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13. The platform is restricted to adults 18 and over (see Terms of Service at /legal/terms). If we learn we have collected information from a child under 13 in violation of the Children’s Online Privacy Protection Act, we will delete it.
9. Security
We use administrative, physical, and technical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest, role-based access controls, multi-factor authentication on sensitive surfaces, audit logging, and vendor due diligence. No system is impenetrable, and we cannot guarantee the absolute security of any information transmitted or stored.
In the event of a breach affecting unsecured personal information or unsecured PHI, we will notify affected individuals, the Clinical Affiliate, the U.S. Department of Health and Human Services, and state authorities as required by HIPAA, state breach-notification laws, and applicable contractual obligations.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the “Last Updated” date and, where required by law or appropriate, notify you by email or through the Site. Your continued use of the Site after the effective date of an updated Privacy Policy constitutes acceptance of the updated Privacy Policy.
11. How to contact us
Halftime Health LLC Attn: Privacy 600 W. 6th Street, Suite 400 Fort Worth, TX 76102 Email: privacy@halftime.health
For complaints regarding HIPAA-protected information, see also the Notice of Privacy Practices at /legal/hipaa-notice and your right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.