Privacy Policy and HIPAA Notice of Privacy Practices

1. Who we are and what we do

Crystal Clear is a healthcare-adjacent management services organization that operates the Site, the membership program, the patient-facing account experience, and the technology layer that connects you with our affiliated clinicians and our partner pharmacy. We are not, ourselves, a pharmacy, and our employees do not practice medicine. We do not diagnose conditions, prescribe medications, or dispense drugs directly.

Clinical services are provided by independent licensed clinicians who use a third-party telehealth platform called Qualiphy (the “Telehealth Platform”). When a clinician issues a prescription, the medication is compounded and dispensed by Precision Pharma Corp (the “Partner Pharmacy”), a 503A compounding pharmacy at 555 Heritage Drive, Lab 143, Jupiter, FL 33458.

Crystal Clear holds protected health information (“PHI”) about you in the course of providing the Services. We operate under HIPAA in our handling of that PHI. The Notice of Privacy Practices in Sections 8 and 9 describes how we use and disclose your PHI and the rights you have over it.

2. Information we collect

2.1 Information you give us

We collect what you give us directly, through the Site or by contacting us. That includes:

• Account information. Your name, email address, password (which we store in hashed form, not in the clear), and your shipping and billing address.
• Consult request information. Your name, email, phone number, date of birth, state of residence, and any health background you choose to share when you request a consult. This information is PHI once it is associated with your identity and the fact that you are seeking treatment.
• Clinical and treatment information. Information generated during or in connection with your treatment, including your responses to clinical intake questions, the medications a clinician prescribes for you, dosing, treatment history with us, status of your prescriptions, lab or vitals information you provide, and clinical correspondence you have with our care team. This is PHI.
• Membership and order information. The plan you select, your order history, the status of your shipments, your tracking numbers, and any client-service correspondence with us.
• Payment information. Payments are processed by our payment processor, PayMatrix. Full card numbers, CVV codes, and bank-account credentials are not stored on Crystal Clear’s servers. We receive a tokenized reference, the last four digits of a card, the card brand, and the billing ZIP code from PayMatrix so we can support your billing.
• Communications. If you email or call us at sales@ccrxpharm.com or (813) 215-2818, we collect what you send and any contact information you provide. Where your message relates to your treatment, that message is PHI.

2.2 Information collected automatically

When you visit the Site, certain technical and behavioral information is collected automatically by us, our hosting providers, our analytics tools, and the advertising platforms we use on our public marketing pages. This may include your IP address, browser type and version, device type, operating system, mobile device identifiers, the URL that referred you to us, the pages or screens you view, the links you click, terms you search for, actions you take on the Site, approximate location based on IP, and timestamps.

We do not run third-party advertising pixels, cross-context behavioral advertising trackers, or analytics tags on pages that render your identity, your account, your cart contents, your orders, your member portal, or your clinical content. The list of protected surfaces is described in Section 4.2.

2.3 Cookies, pixels, and similar technologies

We use cookies and similar technologies for three different reasons. We keep these clearly separated so you can choose what you want.

• Strictly necessary cookies. These keep the Site working. They handle session authentication, secure form submission, rep-attribution capture, and remembering your cookie preferences. They are always on. We cannot turn them off without breaking the Site.
• Analytics cookies. These help us understand how visitors actually use the Site so we can improve it. We use Google Analytics 4 (provided by Google LLC) on our public marketing pages only. The categories of information collected are the ones described in Section 2.2.
• Advertising and marketing cookies and pixels. These let us deliver targeted advertising on third-party platforms, measure how our ads perform, build custom and lookalike audiences, and reach people with similar interests. We currently use the Meta (Facebook/Instagram) Pixel, Google Ads conversion and remarketing tags, and the TikTok Pixel on our public marketing pages only. Once you sign in or enter a protected surface (Section 4.2), these tags do not fire and no information from those surfaces is shared with the advertising platforms.

The advertising platforms may use what they receive from our public marketing pages to identify you across devices and websites, to connect your activity here with your activity elsewhere, and to serve you ads on their own services and across the web. Their use of that information is governed by their own privacy policies, alongside this one.

2.4 Cookie consent

The first time you visit the Site, you will see a cookie consent banner giving you three choices. You can accept all cookies, reject all non-essential cookies in a single click, or manage your preferences by category. You can change those preferences any time using the “Cookie Preferences” link in the Site footer. The strictly necessary cookies cannot be disabled, for the reasons noted above.

2.5 Global Privacy Control

Some browsers and browser extensions transmit a Global Privacy Control (GPC) signal. If we receive one from your browser, we treat it as a valid request to opt out of (i) the “sale” of personal information, (ii) the “sharing” of personal information for cross-context behavioral advertising, and (iii) the use of non-essential advertising cookies on that device, in each case to the extent applicable under state law. GPC is the established opt-out signal today, so we do not separately respond to legacy “Do Not Track” headers.

3. How we use the information

We use the information we collect for the purposes you would expect, and some you might not. Specifically:

• To create and run your account, route your consult request to the Telehealth Platform, coordinate your treatment with the affiliated clinicians and the Partner Pharmacy, process your membership enrollment, and provide whatever Service you asked for.
• To process payments through PayMatrix and manage recurring billing on memberships.
• To talk to you about your account, your membership, your orders, client-service questions, and important changes to the Services or to this Policy.
• To send you marketing emails about our products, services, promotions, and educational content, where the law allows it. (See Section 7 for more on this, including how to opt out.) We do not use the content of your PHI (your medications, your diagnoses, your dosing) to target marketing, and we will not sell your PHI under any circumstances.
• To measure how the public Site, our marketing campaigns, and our advertising are performing; to run analytics; and to improve the Services based on what we learn. These analytics use the categories of information described in Section 2.2 from our public marketing pages, not from your account or your PHI.
• To run, secure, and improve the Site. This includes detecting and stopping fraud, abuse, and security incidents.
• To comply with the law, court orders, and other legal process; to enforce our Terms; and to protect Crystal Clear, our users, our partners, and the public.

Section 8 describes the additional, HIPAA-defined uses and disclosures we make of your PHI.

4. How we share information

We do not sell personal information for money, and we do not sell PHI under any circumstances. We do share information with the categories of recipients listed below. For some of those recipients (specifically, advertising platforms on the public marketing pages), state privacy laws may classify what we do as “sharing” for cross-context behavioral advertising. You can opt out of that sharing at any time, as described in Sections 2.4, 2.5, and 9.

4.1 Service providers and processors

These are the vendors that provide services to us under written contracts that limit how they can use the information. Where they receive PHI, they do so under a written Business Associate Agreement (“BAA”) as required by HIPAA.

• Vercel. Hosts the Site and related compute. BAA signed.
• Neon. Provides our managed Postgres database on a HIPAA-eligible tier. BAA signed.
• Paubox. Sends our transactional and clinical-coordination emails. BAA signed.
• PayMatrix. Processes payments and manages recurring billing. BAA signed.
• Qualiphy (Telehealth Platform). Hosts the telehealth consult and the clinical record. BAA signed.
• Precision Pharma Corp (Partner Pharmacy). Compounds and dispenses your prescriptions and ships to you. BAA signed.
• Google LLC, for Google Analytics 4 on the public marketing pages only. No PHI is shared with Google.
• Our professional advisors (legal, accounting, audit), who are bound by confidentiality obligations.

4.2 Pages where third-party tracking is blocked

Third-party advertising and analytics tags do not run on any of the following surfaces: your account, your member portal, your orders or cart, the checkout flow, the consult request, the admin console, the provider portal, the sales-rep portal, or anywhere else your identity or your PHI is rendered. The Meta Pixel, Google Ads tags, TikTok Pixel, Google Analytics, and any future analytics tags we adopt are restricted to the public marketing pages by configuration.

4.3 Advertising platforms (public marketing pages only)

The categories of information described in Section 2.3 are shared with the following advertising platforms for the purposes described in that section: Meta Platforms, Inc. (Facebook/Instagram), Google LLC (Google Ads), and TikTok. The sharing happens through tracking pixels and similar technologies on our public marketing pages, and may also happen through server-to-server integrations, conversion APIs, or custom-audience uploads built from non-PHI lead data.

Those platforms may use what they receive to identify you, link your activity on the Site to your activity elsewhere, and serve advertising to you on their services and across the internet. Your interactions with each platform are governed by that platform’s own privacy policy in addition to this one.

4.4 Legal disclosures

We may disclose information, including PHI to the extent permitted by HIPAA, when we believe in good faith that doing so is necessary to:

• Comply with a law, regulation, court order, subpoena, or other legal process.
• Cooperate with law enforcement, public authorities, or regulators.
• Investigate or prevent suspected illegal activity, fraud, security or technical issues, or violations of our Terms.
• Protect the rights, property, or safety of Crystal Clear, our users, our partners, or the public.

HIPAA constrains how and when we may make disclosures of PHI to law enforcement and in legal proceedings. Section 8 lists those constraints.

4.5 Business transfers

If Crystal Clear is involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or anything similar, information may be transferred to the surviving or successor entity. Where the transferred information includes PHI, the successor will be required to comply with HIPAA. Where the transferred information includes non-PHI personal information, commercially reasonable confidentiality protections will apply.

4.6 With your consent

Beyond the above, we will share information for any other purpose only with your consent or at your direction. For PHI, that consent is a HIPAA-compliant written authorization, as described in Section 8.3.

5. Sensitive personal information

Several state privacy laws set heightened rules around “sensitive” categories of personal information. Those categories typically include data revealing health, sexuality, biometric identifiers, and precise geolocation. Crystal Clear collects health-category information because doing so is necessary to provide the Services. We collect, use, and disclose that information solely for the purposes described in this Policy and the HIPAA Notice of Privacy Practices in Sections 8 and 9. We do not use sensitive personal information to infer characteristics about a consumer for advertising purposes, and we instruct our service providers and advertising partners not to do so on our behalf. If you believe sensitive personal information was collected outside the scope of providing the Services, please contact us using the information in Section 14.

6. Data security

We use administrative, technical, and physical safeguards to protect the information we hold, including PHI. These include encryption in transit (industry-standard TLS), encryption at rest on our database and backups, access controls and least-privilege permissions, secure authentication including multi-factor where appropriate, audit logging of administrative access to your records, monitoring for unauthorized access, and ongoing vendor diligence under signed BAAs. We provide HIPAA security and privacy training to our workforce members who handle PHI. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for activity that happens under your account.

7. Marketing communications

If you have given us your email address (by creating an account, requesting a consult, or enrolling in a membership), we may send you marketing emails about Crystal Clear products, services, promotions, educational content, and related topics, where the law allows it. Every marketing email contains an unsubscribe link. You can also opt out by emailing sales@ccrxpharm.com with the subject “Unsubscribe.” We will honor your opt-out within the period required by the CAN-SPAM Act and any other applicable law.

Transactional, service, and treatment-coordination messages (account confirmations, billing receipts, shipment notifications, consult-decision notices, refill reminders, security alerts, important Service updates) are not marketing. Those will continue for as long as you have an account or an open transaction with us, regardless of your marketing preferences. HIPAA treats treatment-coordination communications as treatment, not as marketing.

As of the Effective Date of this Policy, we do not send marketing texts or SMS messages. If that changes, we will update this Policy and obtain any consent required by the Telephone Consumer Protection Act, the Florida Telephone Solicitation Act, and any other applicable law before sending you marketing texts. Any marketing communication that would use your PHI requires your prior HIPAA authorization (Section 8.3).

8. HIPAA Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

This Section 8 and Section 9 together are our Notice of Privacy Practices (“Notice”) under HIPAA, 45 CFR §164.520. The Notice describes how we may use and disclose PHI about you, and your rights with respect to that information. Crystal Clear is required by law to maintain the privacy of your PHI, to provide you with this Notice, and to abide by the terms of the Notice currently in effect.

8.1 Uses and disclosures that do not require your written authorization

HIPAA allows us to use and disclose your PHI without your written authorization for the following purposes:

• Treatment. To provide, coordinate, or manage your treatment with the affiliated clinicians, the Telehealth Platform, the Partner Pharmacy, and any other healthcare providers involved in your care. Example: we send your shipping address and order detail to the Partner Pharmacy so they can dispense your medication to you.
• Payment. To bill and collect payment for the Services. Example: we share the minimum payment information PayMatrix needs in order to charge your card for a membership renewal.
• Health care operations. To run our internal operations, including quality assessment, training, vendor management, audits, and accreditation. Example: we audit access to your record to make sure only authorized personnel are viewing it.
• Public health activities. To report disease, injury, vital events, and product safety issues to a public health authority that is authorized by law to collect the information.
• Victims of abuse, neglect, or domestic violence. To report to a government authority authorized by law to receive such reports, when we reasonably believe you have been a victim and the disclosure is required or permitted by law.
• Health oversight activities. To a health oversight agency conducting an audit, investigation, inspection, licensure proceeding, or other oversight activity authorized by law.
• Judicial and administrative proceedings. In response to a court or administrative order, a subpoena, or other lawful process, where the conditions set by HIPAA are met (including, in some cases, notice to you or a qualified protective order).
• Law enforcement purposes. In response to a lawful court order or process, to identify or locate a suspect, in connection with certain crime victims, or when otherwise required or permitted by law.
• To avert a serious threat to health or safety. When necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat.
• Specialized government functions. For military and veterans activities, national security and intelligence, protective services for the President, and other functions specified in 45 CFR §164.512(k).
• Workers’ compensation. To comply with workers’ compensation laws and other similar programs that provide benefits for work-related injuries.
• Decedents. To coroners, medical examiners, and funeral directors, as necessary to carry out their duties.
• Organ and tissue donation.To organizations involved in procurement, banking, or transplantation of organs or tissue, as permitted by law.
• Research. Subject to approval by an Institutional Review Board or Privacy Board, where required by HIPAA. We do not currently disclose PHI for research.
• As required by law. For any other use or disclosure required by federal, state, or local law.

8.2 Uses and disclosures that require your written authorization

Other uses and disclosures of your PHI will be made only with your written HIPAA authorization. In particular, we will not use or disclose your PHI for the following purposes without your authorization:

• Most uses and disclosures of psychotherapy notes, where any exist.
• Marketing communications that meet HIPAA’s definition of “marketing,” other than the limited categories that HIPAA permits without authorization (such as treatment-coordination messages, certain refill reminders, and face-to-face communications).
• Sale of your PHI. We will never sell your PHI.
• Any other use or disclosure not described in Section 8.1 or otherwise permitted by law.

If you give us a written authorization, you may revoke it at any time by sending a written revocation to the contact in Section 14. The revocation will not apply to uses or disclosures we have already made in reliance on the authorization.

8.3 How to provide or revoke a HIPAA authorization

To provide a HIPAA authorization (for example, to direct us to send your PHI to a family member, another provider, or an attorney), email us at sales@ccrxpharm.com with the subject “HIPAA Authorization,” and we will send you a form. To revoke a previously-given authorization, send a written revocation to the same address.

8.4 Family members and friends involved in your care

Unless you object, we may disclose PHI relevant to a person’s involvement in your care or payment for your care to a family member, other relative, close personal friend, or other person you identify. If you are not present, or are incapacitated, we will use our professional judgment about whether the disclosure is in your best interest, consistent with HIPAA.

8.5 Breach notification

If a breach of your unsecured PHI occurs, we will notify you without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, as required by HIPAA Subpart D. The notification will include a description of what happened, the types of PHI involved, the steps you should take to protect yourself, what we are doing to investigate and mitigate, and how to contact us with questions.

8.6 Changes to this Notice

We reserve the right to change this Notice and to make the new Notice effective for all PHI we maintain about you, including PHI we created or received before the change. When we make a material change, we will post the updated Notice on the Site and update the “Last Updated” date at the top of this document. You may also request a paper copy of the most current Notice from the contact in Section 14.

9. Your rights

9.1 Your rights under HIPAA

With respect to your PHI, you have the following rights. To exercise any of them, contact us using Section 14. We may require you to make the request in writing and to verify your identity.

• Right to access and obtain a copy. You have the right to inspect and obtain a copy of the PHI we maintain about you, in the format you request (including an electronic copy if we maintain the record electronically). We will provide the copy within 30 days of your request, with a single 30-day extension if needed. We may charge a reasonable, cost-based fee.
• Right to amend. You have the right to ask us to amend PHI we maintain about you, if you believe it is incorrect or incomplete. We may deny your request in limited circumstances permitted by HIPAA; you will receive a written denial explaining why and your right to submit a disagreement statement.
• Right to an accounting of disclosures. You have the right to receive a list of disclosures we have made of your PHI for purposes other than treatment, payment, health care operations, disclosures you authorized, and certain other exceptions, going back up to six years before the date of the request.
• Right to request restrictions. You have the right to ask us to restrict certain uses and disclosures of your PHI. We are not required to agree, except in one situation: if you paid out-of-pocket and in full for a specific item or service, and you ask us to restrict disclosure to your health plan for payment or health care operations, we will agree (HIPAA requires us to).
• Right to confidential communications. You have the right to request that we communicate with you about your PHI in a specific way or at a specific location (for example, mail to a different address). We will accommodate reasonable requests.
• Right to a paper copy of this Notice. You have the right to a paper copy of this Notice on request, even if you have agreed to receive it electronically.
• Right to be notified of a breach. You have the right to be notified following a breach of your unsecured PHI, as described in Section 8.5.
• Right to file a complaint. You have the right to file a complaint with us (Section 9.4) or with the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

9.2 Your rights under state privacy laws

Depending on where you live, and after we verify who you are, you may have additional rights with respect to non-PHI personal information under your state’s privacy law, including:

• Access. Ask us to confirm whether we process information about you, and to give you a copy.
• Correction. Ask us to fix information that’s inaccurate or incomplete.
• Deletion. Ask us to delete information about you. Some legal exceptions apply, including HIPAA-required retention of treatment records.
• Portability. Ask for a copy of your information in a portable, machine-readable format.
• Opt out of sale. We don’t sell information for money, but you can direct us not to in the future.
• Opt out of sharing for cross-context behavioral advertising and targeted advertising. The advertising pixels and similar technologies in Section 2.3 may count as “sharing” under some state privacy laws. You can opt out any time using the Cookie Preferences controls in Section 2.4, by sending a Global Privacy Control signal (Section 2.5), by clicking unsubscribe in any marketing email, or by contacting us using Section 14.
• Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not currently engage in such profiling.
• Limit use of sensitive personal information. Where state law applies and HIPAA does not preempt, we will limit our use of sensitive personal information to the purposes permitted by law.
• Non-discrimination. We won’t discriminate against you for exercising any of these rights.
• Appeal. If we deny your request, you can appeal where applicable law gives you that right.

Residents of certain U.S. states have specific privacy rights under their state’s comprehensive privacy law. As of the date of this Policy, that group includes (depending on the law) California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. The rights described in this Section 9 are intended to cover those state-law requirements where they apply. Where HIPAA applies to specific PHI, state-law rights may be limited or superseded.

9.3 How to exercise your rights

Email us at sales@ccrxpharm.com or call (813) 215-2818, with the subject line “Privacy Rights Request.” We respond within the time periods required by applicable law (for HIPAA access requests, generally 30 days, with extensions possible; for state-law requests, generally 45 days). To prevent misuse, we may need to verify your identity before processing a request. Authorized agents acting for someone else must provide written proof of authority.

9.4 Filing a complaint

If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Privacy Officer (Section 14). You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you for filing a complaint.

10. Data retention

We keep personal information for as long as your account is active and for a reasonable period after, so we can provide the Services, comply with our legal and regulatory obligations, resolve disputes, enforce our agreements, and protect our legal rights. Treatment records and other PHI are kept for the retention period required by HIPAA, state pharmacy and telehealth laws, and our professional standards (generally at least six years from the date of creation or the date last in effect, whichever is later, and longer where state law requires). Marketing data is kept for the period reasonably necessary to run our marketing programs and to honor your opt-out preferences. Records subject to longer retention requirements (for example, certain payment records, dispensing records held by the Partner Pharmacy, or clinical records held by the Telehealth Platform) stay with the entity that holds them, under applicable law.

11. Children

The Services are intended for adults 18 and older. We do not knowingly collect personal information or PHI from children under 13, and we do not direct the Services to children. If you believe a child under 13 has provided personal information to us, contact us and we will take reasonable steps to delete it.

12. Visitors from outside the United States

The Services are run from, and intended for, residents of the United States, and only the states where the Partner Pharmacy is licensed and able to ship. If you access the Services from outside the U.S., that’s on your own initiative, and it is your responsibility to comply with the law where you are.

13. Changes to this Policy

This Policy will change from time to time. When it does, we update the “Last Updated” date at the top. For material changes, including any change to the Notice of Privacy Practices in Sections 8 and 9, we will provide notice through the Site, by email, or by other reasonable means before the change takes effect. If you continue using the Services after that, you are acknowledging the updated Policy.

14. Contact us

Privacy questions, HIPAA requests, complaints, and any other matter described in this Policy should go to our Privacy Officer: