Effective date: 5/22/26 Last updated: 5/22/26
1. About this Policy
This Consumer Health Data Privacy Policy (“Consumer Health Data Privacy Policy”) describes how bVital Inc and its related entities (collectively, “bVital,” “we,” “us,” or “our”) process Consumer Health Data that we collect through our digital or online properties or services that link to this Consumer Health Data Privacy Policy — including our websites bvital.com and brainregen.com, our marketing channels, and other activities described below (collectively, the “Service”).
For purposes of this Policy, “Consumer Health Data” means personal information that identifies your past, present, or future physical or mental health status, or that otherwise constitutes “consumer health data” or equivalent terms as defined by applicable U.S. state laws, including but not limited to Washington’s My Health My Data Act (“MHMDA”), Nevada’s consumer health data law, and Connecticut’s expanded health data provisions. This Consumer Health Data Privacy Policy applies to the extent required by those laws.
This Policy supplements our main bVital Privacy Policy. It is not a replacement for it. In the event of a conflict between our main Privacy Policy and this Consumer Health Data Privacy Policy with respect to Consumer Health Data, this Consumer Health Data Privacy Policy controls, to the extent consistent with applicable U.S. state law.
This Policy does not apply to Protected Health Information (“PHI”). PHI is health information protected by the Health Insurance Portability and Accountability Act (“HIPAA”) and is collected only after you become a patient of bVital and complete our patient intake and HIPAA authorization/consent process. Our use and disclosure of PHI is governed by our separate Notice of Privacy Practices (“NPP”), available by emailing in**@****al.com.
2. Consumer Health Data We Collect
We collect Consumer Health Data from and about you in four ways.
A. Information you provide directly
When you fill out a form on our Sites, register for a webinar, download a guide, schedule a consultation, subscribe to our newsletter, communicate with us, or otherwise interact with us, you may provide:
- Identifiers when combined with a health-related interest: name, email address, phone number, mailing address, and account login credentials, where you provide them in the context of a health-related inquiry, program interest, or wellness goal
- Demographic data: age, date of birth, gender, location, and (only if you choose to share) information such as ethnicity or sex assigned at birth
- Wellness interests: conditions or topics you’d like help with, goals, family history context, lifestyle information, and other self-reported health-related information you provide outside the patient intake process
- Audiovisual data: recordings of phone calls (inbound and outbound through our phone system), recordings of Zoom or video consultations, and recordings of webinars in which you participate
- Communications: the contents of your emails, texts, voice messages, chat messages, and form submissions where they relate to or could reveal information about your health
- User-generated content: testimonials, reviews, before/after stories, photos, video clips, social posts that tag us, and other content you choose to submit
- Commercial information: programs or services you’ve purchased or shown interest in, where those programs relate to health (e.g., Brain Regen, Brain Camp, Thrive)
- Marketing preferences: the health-related topics you’ve subscribed to and your engagement with our communications about those topics
B. Information collected automatically
When you visit our Sites, we and our service providers may automatically collect:
- Device information: IP address, browser type, operating system, device identifiers
- Approximate location: geographic location derived from IP address (typically city-level)
- Online activity data: pages or screens you viewed on our Sites, time spent, navigation paths, search terms, and click activity
- Communication interaction data: whether you opened our emails or clicked links within them (collected via tracking pixels embedded in email)
C. Information from third parties
We may receive Consumer Health Data from:
- Service providers who help us operate our Service (e.g., our CRM, dialing platform, video conferencing, email and marketing platforms, hosting providers)
- Advertising and analytics partners (e.g., Google, Meta) about your interactions with our ads — limited to engagement and conversion data, not health-condition data
- Lead generation partners where they have your consent to share your information with us
- Publicly available sources
We do not currently obtain Consumer Health Data from corporate affiliates, enterprise customers (such as employers or gyms), research partners, or linked third-party devices (such as wearables). If that changes in the future, we will update this Policy.
D. Information we generate or infer
We may generate Consumer Health Data about you using automated means, including:
- Inferences and derived data: lead scores, audience segments, and interest tags based on your activity with our Sites, ads, and communications. We use these to route follow-up, tailor content, and prioritize outreach. We do not use these inferences to make decisions that meaningfully affect your pricing, program access, or healthcare options — a human reviews those decisions.
- Aggregated and de-identified data: we may combine Consumer Health Data with information about other individuals in a form that cannot reasonably be linked back to you. Subject to applicable law, we do not treat aggregated or de-identified data as Consumer Health Data, and we will not attempt to re-identify it except as permitted by law (such as to test our de-identification processes).
3. How We Use Your Consumer Health Data
We use Consumer Health Data for the purposes described below. Each purpose may involve any of the categories of Consumer Health Data described in Section 2.
| Purpose | What this means in practice |
|---|---|
| Service delivery and operations | Providing and operating the Service, responding to your inquiries, scheduling consultations and reminders, fulfilling your purchases, managing your account, providing customer support, processing payments, and detecting and preventing fraud, security incidents, and abuse. |
| Communications | Sending you marketing and educational content you’ve opted in to receive, delivering transactional messages (appointment confirmations, account notices, receipts), administering webinars and events you register for, and responding to your messages across email, SMS, phone, and chat. |
| Personalization | Tailoring content and offers to your stated interests, routing follow-up based on lead scoring and segmentation, and remembering your preferences as you navigate our Sites. |
| Marketing and advertising | Promoting our programs to similar audiences via custom audience uploads to Meta and Google. These uploads contain hashed email addresses only — no health-condition information is included. See our main Privacy Policy, Section 6, for our full health-advertising commitments. |
| Insights, analytics, and service improvement | Analyzing how our Sites and marketing perform, conducting research, and improving our Services. |
| Recordings for quality, training, and documentation | Reviewing call recordings, video consultation recordings, and webinar recordings for quality assurance, training, and documentation. |
| Compliance and protection | Complying with applicable laws, lawful requests, and legal process; responding to subpoenas, investigations, and government requests; defending against legal claims; auditing our internal processes; enforcing the terms that govern our Service; and protecting the rights, safety, or property of bVital, our patients, our employees, or others. |
| Creating aggregated or de-identified data | Producing aggregated or de-identified data from Consumer Health Data for research, analytics, and business insights. Aggregated and de-identified data is no longer treated as Consumer Health Data, subject to applicable law. |
4. Consent
Washington’s My Health My Data Act and similar laws require us to obtain your affirmative, opt-in consent before collecting or sharing your Consumer Health Data for purposes beyond what is necessary to provide the Service you’ve requested.
How we obtain consent. When you submit a form, create an account, register for a webinar, schedule a consultation, or otherwise voluntarily share Consumer Health Data with us, you are providing your consent for us to collect and use that data for the specific purposes disclosed at the point of collection and as further described in this Policy. We will obtain separate consent before processing your Consumer Health Data for any new purpose that is materially different from the purposes for which we originally collected it.
Sharing Consumer Health Data with third parties. We do not share Consumer Health Data with third parties for advertising or any other purpose without your consent or as otherwise permitted or required by law. The custom audience uploads we make to Meta and Google contain only hashed email addresses with no health-condition information attached, and we do not consider that sharing to be a sharing of Consumer Health Data.
Withdrawing consent. You have the right to withdraw your consent for our future collection or sharing of your Consumer Health Data at any time. To withdraw consent, email us at in**@****al.com. Withdrawing consent does not affect the lawfulness of our prior processing. If you withdraw consent for Consumer Health Data we need to provide a service you’ve requested, we may not be able to continue providing that service.
5. How We Share Your Consumer Health Data
We share Consumer Health Data only as described below. We do not sell your Consumer Health Data, and we do not require or accept any “valid authorization to sell” Consumer Health Data, because we do not engage in such sales.
Service providers. Third parties that provide services on our behalf and are contractually required to use Consumer Health Data only as needed to perform those services. These include:
- CRM, marketing automation, and patient pipeline platforms (e.g., GoHighLevel)
- Dialing, call recording, and SMS platforms (e.g., Kixie)
- Video conferencing and webinar platforms (e.g., Zoom)
- Email delivery, analytics, and tag management (e.g., Google Analytics, Google Tag Manager)
- Website hosting, cloud storage, and IT infrastructure providers
- Customer support and chat tools
- Marketing contractors who help us produce content and operate our marketing systems
Payment processors. Any payment card information you provide to make a purchase is collected and processed directly by our payment processors. We do not store full payment card numbers.
Lab and provider partners. Independent third-party healthcare and laboratory service providers that deliver clinical and diagnostic services on your behalf when you become a patient. Sharing of PHI in connection with these services is governed by our NPP, not this Policy.
Professional advisors. Lawyers, accountants, auditors, bankers, and insurers, where necessary in the course of professional services they render to us.
Authorities and others. Law enforcement, government authorities, courts, and private parties where we believe in good faith that disclosure is necessary or appropriate to comply with law, respond to legal process, enforce our terms, or protect the rights, safety, or property of bVital, our patients, or others.
Business transferees. If bVital is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your Consumer Health Data may be transferred as part of that transaction. We will require any successor to honor the commitments in this Policy or notify you of changes.
With your consent or at your direction. We may share Consumer Health Data for other purposes with your consent or when you instruct us to (for example, sharing your records with a healthcare provider you designate).
We do not currently share Consumer Health Data with corporate affiliates, research partners, enterprise customers, linked third-party services (such as Google or Facebook login), or linked third-party devices (such as wearables or Internet of Things devices), because we do not have those relationships. If that changes in the future, we will update this Policy and obtain any required consent.
6. Your Rights
Subject to applicable law, you have the following rights with respect to your Consumer Health Data:
- Withdraw consent. You have the right to withdraw your consent for our future collection or sharing of your Consumer Health Data.
- Access and confirm. You have the right to ask us to confirm whether we have collected, shared, or sold your Consumer Health Data, and to request a copy of the Consumer Health Data we have collected, shared, or sold. You also have the right to access a list of all third parties and affiliates with whom we have shared or sold your Consumer Health Data.
- Correction. You have the right to ask us to correct inaccuracies in your Consumer Health Data.
- Deletion. You have the right to ask us to delete your Consumer Health Data.
- Appeal. If we deny any of the requests above, you have the right to appeal that decision. We will provide details on how to appeal in our response.
To exercise any of these rights, email us at in**@****al.com with the subject line “Consumer Health Data Request.” We will respond within the time required by applicable law (typically 45 days, with one possible extension).
7. Verification of Identity and Authorized Agents
Verification. To protect your privacy, we will verify your identity before fulfilling access, correction, deletion, or withdrawal-of-consent requests. We may ask you to confirm information we already have on file (such as your name, email, phone number, and recent interactions with us). If we cannot verify your identity based on what we have on file, we may request additional information solely to verify your identity, and we will use that additional information only for verification, security, and fraud-prevention purposes.
Authorized agents. You may designate an authorized agent to make a request on your behalf. We may require the agent to provide written authorization signed by you, and we may require you to verify your identity directly with us before we act on the agent’s request.
8. Declining to Provide Consumer Health Data
We need to collect certain Consumer Health Data to provide some of our Services. If you decline to provide Consumer Health Data we identify as required, request that we delete required Consumer Health Data, or withdraw your consent for future collection of required Consumer Health Data, we may not be able to provide those Services to you.
9. No Sale of Consumer Health Data
bVital does not sell Consumer Health Data, as that term is defined under Washington’s My Health My Data Act or any similar U.S. state law. We have not sold Consumer Health Data in the past, and we do not require or accept any “valid authorization to sell” from any consumer.
10. Children’s Consumer Health Data
Our Services are intended for adults aged 18 and older. We do not knowingly collect Consumer Health Data from anyone under 18, except where a parent or legal guardian provides written, express consent for a minor’s participation in a specific program. For more information on how we handle minors’ information, see Section 16 of our main Privacy Policy.
11. Changes to this Policy
We reserve the right to modify this Consumer Health Data Privacy Policy at any time. If we make material changes, we will notify you by updating the “Last updated” date at the top of this Policy and posting the updated Policy on our Sites, or by other appropriate means. Any modifications are effective when posted (or as otherwise indicated at the time of posting). Your continued use of the Service after the effective date of any modified Policy indicates your acknowledgment of the modified Policy.
12. How to Contact Us
bVital Inc Attn: Privacy 1755 Prospector Ave #100 Park City, UT 84060
Email: in**@****al.com Phone: 435-962-6363
For Consumer Health Data rights requests specifically, please email in**@****al.com with the subject line “Consumer Health Data Request.”