Draft for Attorney Review — Not Yet Legally Operative

Privacy Policy & Notice of Privacy Practices

Last updated: May 3, 2026

1. Introduction

Bloom Metabolics (“we,” “us,” or “our”) is committed to protecting the privacy and security of your health information. This Notice of Privacy Practices describes how we collect, use, and disclose your Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and applicable state privacy laws.

2. Information We Collect

We collect the following categories of information to provide telehealth services:

  • Personal Information: Name, date of birth, address, email address, phone number, and state of residence
  • Protected Health Information (PHI): Medical history, symptoms, diagnoses, lab results, prescriptions, treatment records, and health goals
  • Payment Information: Payment details processed securely through Stripe. We do not store credit card numbers on our servers
  • Technical Data: IP address, browser type, pages visited, and usage patterns collected to improve our platform

3. How We Use Your Information

We may use and disclose your PHI for the following purposes without requiring your additional authorization:

  • Treatment: To provide, coordinate, and manage your medical care, including sharing information with your prescribing physician, pharmacies, and laboratory partners
  • Payment: To process payments and manage billing for services rendered
  • Healthcare Operations: To conduct quality assessments, training, compliance activities, and improve our services
  • Legal Requirements: To comply with applicable federal and state laws, court orders, or lawful government requests
  • Business Associates: We share PHI with third-party service providers (including OptiMantra EHR, Stripe, and laboratory partners) who operate under Business Associate Agreements (BAAs) requiring them to protect your information in accordance with HIPAA

All other uses or disclosures of your PHI not described above require your written authorization.

4. How We Protect Your Information

We implement the following safeguards to protect your PHI:

  • HIPAA-compliant data handling, storage, and transmission
  • Encrypted data transmission using TLS/SSL technology
  • Secure cloud infrastructure with role-based access controls
  • Regular security risk assessments and monitoring
  • Staff training on HIPAA privacy and security requirements
  • Business Associate Agreements with all third-party vendors who access PHI

5. Your Rights Under HIPAA

You have the following rights regarding your Protected Health Information:

  • Right to Access: Request a copy of your medical records and PHI in our possession
  • Right to Amend: Request correction of inaccurate or incomplete PHI
  • Right to Restrict Disclosures: Request restrictions on how we use or disclose your PHI (we will accommodate reasonable requests)
  • Right to Confidential Communications: Request that we contact you through specific means or at specific locations
  • Right to an Accounting of Disclosures: Request a list of disclosures of your PHI made for purposes other than treatment, payment, and operations
  • Right to Receive a Copy of This Notice: You may request a paper copy of this notice at any time
  • Right to Opt Out of Marketing: We will not use your PHI for marketing purposes without your written authorization

To exercise any of these rights, contact us at privacy@bloommetabolics.com.

6. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals within 60 days of discovery as required by the HIPAA Breach Notification Rule. Notification will be provided via email or written notice and will include a description of the breach, the types of information involved, steps you should take to protect yourself, and actions we are taking to address the breach.

7. SMS/Text Messaging Communications

What Information We Collect

When you opt in to receive SMS/text messages from Bloom Metabolics, we collect and store:

  • Your mobile phone number
  • Your opt-in consent record (timestamp, method of consent, and consent language version)
  • Message delivery and interaction data (delivery receipts, opt-out requests)

How We Use Your Phone Number

We use your mobile phone number exclusively to send you SMS/text messages related to:

  • Appointment confirmations and reminders
  • Care coordination (lab reminders, intake follow-ups, post-visit check-ins)

Information Sharing

We do not sell, rent, or share your phone number or SMS consent data with any third party for their marketing purposes. Your phone number may be shared only with:

  • Our SMS service provider (for message delivery only, subject to a Business Associate Agreement)
  • As required by law, regulation, or legal process

Message Frequency and Rates

Message frequency varies based on your interactions with our services. You will receive transactional messages related to scheduled appointments, intake follow-ups, lab coordination, and post-consultation check-ins. Standard message and data rates from your wireless carrier may apply.

How to Opt Out

You may opt out of SMS communications at any time by:

  • Replying STOP to any message from us
  • Contacting us at [SUPPORT EMAIL] or [SUPPORT PHONE]
  • Updating your communication preferences in your patient portal

After opting out, you will receive one final confirmation message and no further SMS communications. Opting out of SMS does not affect other communications (email, patient portal messages) or your care relationship with Bloom Metabolics.

How to Get Help

Reply HELP to any message from us, or contact:

HIPAA Compliance

Bloom Metabolics is a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). Our SMS communications are limited to operational and logistical content (appointment reminders, intake follow-ups, care check-ins) and do not contain Protected Health Information (PHI). Our SMS service provider operates under a signed Business Associate Agreement (BAA) and is contractually obligated to safeguard any data transmitted through the messaging platform in accordance with HIPAA requirements.

Carrier Disclaimer

Bloom Metabolics and mobile carriers are not liable for delayed or undelivered messages. Message delivery is subject to effective transmission by your wireless carrier.

SMS Data Retention

We retain your phone number and consent records for the duration of your patient relationship plus seven (7) years, in accordance with healthcare record retention requirements. Message logs are retained for three (3) years for compliance purposes. You may request deletion of your phone number from our marketing systems at any time (subject to legal retention obligations for clinical records).

Changes to SMS Practices

If we make material changes to how we use SMS communications, we will notify you via text message before changes take effect and provide an opportunity to opt out.

This section was drafted in accordance with CTIA Messaging Principles and Best Practices (2024), TCPA requirements, and carrier content policy guidelines.

8. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us at privacy@bloommetabolics.com or with the U.S. Department of Health and Human Services Office for Civil Rights at:

  • Website: hhs.gov/ocr/privacy/hipaa/complaints
  • Phone: 1-800-368-1019

We will not retaliate against you for filing a complaint.

9. Cookies and Analytics

We use essential cookies necessary to operate our platform and analytics tools to improve the patient experience. When you first visit our website, you are presented with a cookie consent banner where you can accept all cookies, reject non-essential cookies, or customize your preferences. Analytics and marketing cookies are disabled by default. You can revisit your cookie preferences at any time by clearing your browser cookies for this site. Analytics data is aggregated and does not contain PHI.

10. Changes to This Notice

We reserve the right to update this Notice of Privacy Practices at any time. The updated notice will be posted on our website with a revised effective date. Material changes will be communicated to active patients via email.

11. Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal retention requirements, ongoing treatment).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may direct us to limit the use and disclosure of your sensitive personal information (including health information) to purposes necessary for providing services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

How to Submit a Request: Email privacy@bloommetabolics.com with your request. We will verify your identity before processing. We respond within 45 days of receiving a verifiable request. If additional time is needed, we will notify you of the extension (up to 90 days total).

Note: Where HIPAA applies to your health information, HIPAA requirements govern over CCPA/CPRA. HIPAA-protected health information is exempt from certain CCPA provisions.

Authorized Agents: California consumers may designate an authorized agent to submit privacy rights requests on their behalf. Authorized agents must provide proof of authorization and identity. For authorized agent requests, contact privacy@bloommetabolics.com with documentation.

12. Sensitive Personal Information (CPRA)

Under the CPRA, health information is classified as “sensitive personal information.” Bloom Metabolics handles sensitive personal information as follows:

  • Use of sensitive PI is limited to providing the requested telehealth services and complying with legal obligations.
  • Bloom does not use sensitive PI for cross-context behavioral advertising.
  • Bloom does not sell sensitive PI.
  • Sensitive PI is encrypted at rest and in transit.
  • Patients have the right to limit use and disclosure of sensitive PI as described in Section 11.

13. California Confidentiality of Medical Information Act (CMIA)

As a healthcare provider operating in California, Bloom Metabolics is also subject to the California Confidentiality of Medical Information Act (CMIA), which provides additional protections for medical information beyond HIPAA. Under the CMIA:

  • Your medical information will not be disclosed without your written authorization except as permitted by law (e.g., treatment, payment, certain public health purposes).
  • You have the right to receive a copy of your medical records.
  • Unauthorized disclosure of medical information may result in civil penalties and damages.
  • CMIA protections apply in addition to HIPAA — where both laws apply, the stricter standard governs.

14. Third-Party Service Providers

We share information with the following third-party processors to provide our services. Where PHI is involved, Business Associate Agreements (BAAs) are required.

Vendor        Purpose                       BAA Status
Supabase      Database & patient records    Unconfirmed
Stripe        Payment processing            Not BAA-eligible; PHI not transmitted*
Vercel        Website hosting               Unconfirmed
OptiMantra    Electronic Health Records     Unconfirmed
Calendly      Appointment scheduling        Unconfirmed
Resend        Transactional email           Unconfirmed

* Stripe processes payment data only. Payment metadata uses opaque patient identifiers; PHI is not transmitted to Stripe. BAA status for other vendors will be updated as agreements are executed.

15. We Do Not Sell Personal Information

Bloom Metabolics does not sell personal information or Protected Health Information to third parties. We do not share personal information for cross-context behavioral advertising. This applies to all categories of personal information, including sensitive personal information as defined under the CPRA.

16. Children's Privacy

Bloom Metabolics services are for adults 18 years of age and older residing in California. We do not knowingly collect personal information from children under 18. If we become aware that personal information from a minor under 18 has been collected, we will delete it promptly. Parents or guardians who believe their child's information may have been collected can contact privacy@bloommetabolics.com.

17. Data Retention

We retain your information in accordance with applicable legal requirements:

  • Medical Records: Retained for a minimum of 7 years from the date of last treatment, as required by California law (10 years for minors from the date of majority).
  • HIPAA Audit Logs: Retained for a minimum of 6 years as required by HIPAA.
  • Payment Records: Retained per PCI DSS requirements and applicable tax law (generally 7 years).
  • Consent Records: Retained for the duration of the patient relationship plus the applicable retention period.
  • Marketing Data: Retained until you opt out or request deletion, subject to legal obligations.

When retention periods expire, records are securely destroyed or de-identified in accordance with HIPAA and NIST guidelines.

18. Contact Information

For privacy-related questions, requests, or to exercise your HIPAA or CCPA/CPRA rights:

  • Email: privacy@bloommetabolics.com
  • Mailing address: Bloom Metabolics, Irvine, CA