Privacy Policy
Effective Date: 2026-03-04 • Last Updated: 2026-03-24
At Hollis Health, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or communicate with us.
DRAFT - FOR ATTORNEY REVIEW
Effective Date: March 4, 2026
This Privacy Policy ("Policy") describes how Hollis Health LLC, a Texas limited liability company ("Hollis Health," "Company," "we," "us," or "our"), collects, uses, discloses, retains, and protects information in connection with our website, mobile application, member portal, consultations, memberships, supplement program, and related wellness services (collectively, the "Services").
This Policy applies to information that we collect directly from you or about you in connection with our consumer-facing Services. It also explains, at a high level, how we handle protected health information ("PHI") that we may receive, maintain, or transmit on behalf of contracted licensed physicians, partner laboratories, or other healthcare providers acting as Covered Entities under HIPAA.
This Policy does not serve as a Notice of Privacy Practices ("NPP") for any physician, laboratory, or other Covered Entity. If you receive clinical services from an independently licensed physician or other Covered Entity associated with the Hollis Health program, that provider maintains its own NPP and remains independently responsible for its own clinical privacy practices.
Please read this Policy carefully. By using the Services, creating an account, enrolling in a membership, or otherwise interacting with Hollis Health, you acknowledge that you have reviewed this Policy.
1. Privacy Roles and Data Categories
Hollis Health may handle information in more than one legal and operational role. Those roles matter because different legal rules may apply to different categories of data.
1.1 Direct Member and Consumer Data. This includes information you provide directly to Hollis Health through consultations, enrollment, the website, the mobile application, the member portal, messaging tools, nutrition logs, workouts, journals, supplement orders, support requests, and similar consumer-facing touchpoints. This data may include sensitive health and wellness information even when it is not regulated as HIPAA PHI.
1.2 PHI Handled on Behalf of Clinical Partners. In some workflows, Hollis Health may receive, maintain, display, or transmit PHI on behalf of independently licensed physicians, partner laboratories, or other Covered Entities pursuant to Business Associate Agreements ("BAAs"). In those workflows, Hollis Health acts as a service provider or Business Associate to the Covered Entity, and the applicable Covered Entity remains responsible for its own clinical privacy notices and HIPAA rights workflows.
1.3 Mixed Workflows. Some program features may combine direct-member wellness data with data received from clinical partners. Where that occurs, Hollis Health applies administrative, technical, and contractual safeguards designed to separate roles, limit access, and route HIPAA-specific requests to the appropriate Covered Entity when required.
1.4 Public-Facing Health App Considerations. Because Hollis Health operates consumer-facing digital health and wellness tools, some information we collect directly from you may be subject to laws and guidance outside HIPAA, including state consumer privacy laws and health data breach notification requirements, where applicable.
2. Information We Collect
We may collect the following categories of information.
2.1 Contact and Account Information.
- Full legal name
- Date of birth
- Email address
- Telephone number
- Mailing and billing address
- Emergency contact information
- Username, password hash, authentication settings, and security metadata
2.2 Membership, Billing, and Commercial Information.
- Consultation records
- Selected membership tier, term, and add-ons
- Contract documents and signature records
- Billing dates, invoices, receipts, refunds, credits, and payment status
- Supplement orders and fulfillment status
2.3 Health and Wellness Information Submitted Directly to Hollis Health.
- Intake forms and questionnaires
- Goals, complaints, preferences, and program objectives
- Training attendance, exercise logs, and performance metrics
- Body composition and non-diagnostic assessment data
- Nutrition logs, meal plans, hydration tracking, and food photos
- Recovery modality usage logs
- Sleep, energy, mood, stress, and journal entries
- Self-reported medications, supplements, injuries, and conditions
2.4 Connected Device and Platform Data. Where you grant permission, our mobile application may read selected data from Apple HealthKit, Google Health Connect, wearable integrations, or similar connected sources, such as:
- Step count
- Heart rate
- Resting heart rate
- Calories burned
- Distance and activity data
- Body weight
- Sleep data
- Workout records
Our application reads this data to support your wellness program. Unless expressly stated in a feature-specific disclosure, we do not write, modify, or delete data in HealthKit or Health Connect.
2.5 PHI Received from Clinical Partners. When independently licensed physicians, partner laboratories, imaging providers, or other clinical partners transmit information to us in workflows governed by BAAs, we may receive categories of PHI such as:
- Laboratory test results
- Clinical screening findings
- Imaging summaries
- Diagnoses or clinical impressions
- Medication or supplement directions issued by a licensed clinician
- Care coordination notes transmitted by a clinical partner
2.6 Technical, Device, and Usage Data.
- IP address
- Device identifiers and push notification tokens
- Operating system, browser, and app version
- Session activity and feature usage logs
- Crash logs and security events
- Authentication and access metadata
2.7 Communications.
- Emails, text messages, push notifications, and in-app messages
- Support tickets and customer service communications
- Survey responses and feedback
3. How We Use Information
We may use information for the following purposes.
3.1 Service Delivery and Administration. To provide consultations, enroll members, manage accounts, deliver wellness programming, schedule sessions, coordinate services, and administer memberships and supplement orders.
3.2 Program Personalization. To tailor training, nutrition, recovery, and engagement features based on your goals, preferences, wellness metrics, and authorized connected-device data.
3.3 Coordination with Clinical Partners. To support clinical and administrative coordination with independently licensed physicians, laboratories, imaging providers, and other third-party healthcare providers involved in your program.
3.4 Billing and Collections. To process payments, manage renewals, prevent fraud, collect outstanding amounts, investigate chargebacks, and maintain financial records.
3.5 Communications. To send transactional communications, service updates, program-related messages, security alerts, and, where you have opted in or where permitted by law, marketing communications.
3.6 AI-Assisted Features. To support features such as meal-photo analysis, drafting of wellness content, summarization of user-submitted information, and operational assistance tools. AI-assisted features are used to support wellness programming and administrative workflows. They are not a substitute for physician judgment, medical diagnosis, or emergency care.
3.7 Security, Compliance, and Risk Management. To authenticate users, monitor for misuse or unauthorized access, investigate incidents, enforce our agreements, comply with legal obligations, and protect the rights, safety, and property of Hollis Health, our users, and the public.
3.8 Internal Operations and Service Improvement. To improve the platform, test new features, analyze operational performance, conduct internal quality assurance, and use aggregated or de-identified information for business planning, analytics, and service improvement where lawful.
We do not sell your personal information or use your health or wellness data for third-party behavioral advertising.
4. How We Share Information
We may share information in the following categories and circumstances.
4.1 Workforce and Internal Access. Authorized workforce members, contractors, and service personnel may access information on a need-to-know basis to deliver services, support members, secure systems, or carry out permitted operational functions.
4.2 Clinical Partners and Healthcare Providers. We may share information with independently licensed physicians, partner laboratories, imaging providers, pharmacies, and other healthcare providers where needed for coordination, scheduling, results routing, order support, or other authorized functions.
4.3 Service Providers and Subprocessors. We may disclose information to vendors and infrastructure providers that support our Services, including categories such as:
- Cloud hosting and storage providers
- Authentication and identity providers
- Payment processors
- Secure messaging and communications vendors
- AI and machine-learning service providers
- Crash reporting and security monitoring tools
- Logistics, fulfillment, and professional service providers
Examples of vendors we may use include Google Cloud services, Amazon Web Services, Stripe, and Sentry. Vendor use varies by feature and workflow. When a vendor handles PHI on our behalf in a HIPAA-governed workflow, we require appropriate contractual protections, including a BAA where applicable.
4.4 AI and Machine-Learning Processing. Some user-submitted content, such as meal photographs and related wellness context, may be processed by AI-enabled vendors to support feature functionality. We do not permit such vendors to use your data for their own advertising purposes. We work to limit retention, logging, and secondary use consistent with applicable contracts and service configurations.
4.5 Legal, Compliance, and Safety Disclosures. We may disclose information when we reasonably believe disclosure is required by law, court order, subpoena, legal process, regulatory inquiry, or to prevent fraud, misuse, security incidents, or imminent harm.
4.6 Business Transactions. If Hollis Health undergoes a merger, acquisition, financing, restructuring, sale of assets, or similar transaction, information may be transferred subject to confidentiality obligations and applicable law.
4.7 De-Identified and Aggregated Information. We may use or disclose de-identified or aggregated information for analytics, service improvement, program evaluation, business planning, or other lawful purposes.
5. HIPAA-Related Information
5.1 PHI Handled Through Clinical Partner Workflows. Where Hollis Health receives, maintains, or transmits PHI on behalf of an independently licensed physician, laboratory, or other Covered Entity, that PHI is handled in accordance with applicable BAAs and HIPAA requirements.
5.2 HIPAA Rights Requests. If your request concerns PHI maintained on behalf of a Covered Entity, your HIPAA rights, including access, amendment, restriction, and accounting requests, are generally exercised through the applicable Covered Entity. For convenience, you may contact us, and we will route or coordinate the request where appropriate.
5.3 Direct Member Data Outside HIPAA. Not all information in the Hollis Health ecosystem is HIPAA PHI. Information you provide directly to Hollis Health through consumer-facing wellness features may be governed by this Policy and by other applicable federal or state privacy laws rather than by HIPAA.
5.4 Separate HIPAA Notice. For a more detailed explanation of Hollis Health's role with respect to PHI handled on behalf of clinical partners, please review our separate Health Data Privacy Notice.
6. Your Rights and Choices
Your rights depend on the type of information at issue and the law that applies.
6.1 Account and Profile Controls. You may update certain account information directly in the platform or by contacting us.
6.2 Marketing Opt-Out. You may opt out of non-essential marketing emails and similar optional promotional communications at any time. Opting out of marketing does not stop transactional or security-related messages.
6.3 Access, Correction, and Deletion Requests for Direct Member Data. Subject to verification, applicable law, and operational limitations, you may request access to, correction of, or deletion of certain information that Hollis Health maintains directly in its consumer-facing role. We may deny or limit requests where retention is required by law, contract, fraud prevention, claims defense, security, backup integrity, or other legitimate business or legal needs.
6.4 HIPAA Rights. If your request concerns PHI handled on behalf of a Covered Entity, please review Section 5.2 above. We may redirect or coordinate such requests with the applicable physician, laboratory, or other Covered Entity.
6.5 California and Other State Privacy Rights. Residents of certain states may have additional rights regarding access, deletion, correction, opt-out, or appeal under applicable state privacy laws. We will evaluate verified requests under the law that applies to the request and the data at issue.
To submit a privacy request, contact us at legal@hollis.health with a clear description of your request.
7. Cookies, Analytics, and Similar Technologies
7.1 Essential Technologies. We use cookies, session tokens, local storage, and similar technologies necessary for authentication, security, platform functionality, fraud prevention, and user preferences.
7.2 Limited Analytics. We may use first-party or service-provider analytics tools to understand feature usage, performance, and stability. We do not use health or wellness data for third-party behavioral advertising.
7.3 No Sale or Behavioral Advertising of Health Data. We do not sell your health or wellness data, and we do not use it for cross-context behavioral advertising.
7.4 Browser Controls. You may configure your browser or device settings to manage cookies or similar technologies, although doing so may affect platform functionality.
8. Data Retention
We retain information for different periods depending on the category of data, the role in which we received it, and our legal, contractual, operational, and security obligations.
8.1 General Retention Principles. We retain information for as long as reasonably necessary to:
- provide the Services;
- maintain account and transaction records;
- comply with legal, tax, accounting, and contractual obligations;
- investigate incidents, chargebacks, and disputes;
- preserve evidence for claims defense and audits; and
- satisfy retention obligations applicable to health-related records.
8.2 Membership and Transaction Records. Membership agreements, billing records, payment history, refunds, and related business records are typically retained for no less than seven (7) years after the end of the relevant relationship, and longer where required or advisable.
8.3 Health and Wellness Program Records. Health and wellness records may be retained for longer periods where needed for program continuity, claims defense, care coordination, or compliance with provider, contractual, or legal retention obligations.
8.4 PHI Governed by Covered Entity Relationships. Where Hollis Health maintains PHI on behalf of a Covered Entity, retention may be governed by the applicable BAA, provider record-retention requirements, and applicable law.
8.5 Backups and Residual Copies. Deleted or suppressed information may remain in backups, archives, logs, or disaster-recovery systems for a period of time and may not be immediately removable from every system.
9. Security
We use administrative, technical, and physical safeguards designed to protect information against unauthorized access, loss, misuse, alteration, or disclosure.
These safeguards may include:
- encryption in transit and at rest where appropriate;
- role-based access controls;
- authentication controls and multi-factor authentication for privileged access;
- audit logging;
- vendor due diligence and contractual controls;
- backup and recovery controls;
- workforce training and incident response procedures.
No system can guarantee absolute security. If we determine that a security incident requires notice under applicable law, we will provide notice in accordance with the law that applies to the data and workflow involved.
10. Children's Privacy
Our Services are intended for adults. Unless Hollis Health expressly offers a particular minor-access workflow with separate consent and onboarding requirements, we do not knowingly provide consumer-facing accounts to individuals under eighteen (18).
If you believe that information from a minor has been submitted to us in error outside an approved workflow, contact us at legal@hollis.health.
11. Changes to This Policy
We may update this Policy from time to time. If we make a material change, we will provide notice through an appropriate channel, such as email, website notice, or in-app notice, as reasonably required by law and appropriate to the change.
The "last updated" date above indicates when this Policy was last revised.
12. Contact Us
For privacy-related questions, verified requests, or complaints regarding this Policy, please contact:
Hollis Health LLC
Attn: Privacy
691 S Seguin
New Braunfels, TX 78130
(Current administrative office; not a representation that member services are provided at this address.)
Email: legal@hollis.health
Phone: (210) 891-9005
For HIPAA-related concerns involving PHI handled on behalf of a clinical partner, you may also review our Health Data Privacy Notice or contact the applicable physician or clinical provider directly.
This Privacy Policy was last updated on March 24, 2026.
DRAFT - FOR ATTORNEY REVIEW. NOT FOR PUBLIC DISTRIBUTION UNTIL ATTORNEY APPROVAL.
