Last Updated: 10-07-2025
This Privacy Policy covers both our healthcare platform services and our general business operations, ensuring comprehensive protection for all personal information we collect and process.
Xealth recognizes the importance of the privacy and confidentiality of your personal information, including protected health information (“PHI”).
PHI Privacy Policy
What We Do
Xealth provides a digital health platform (the “Xealth Platform”) that enables healthcare providers and care team members (“Health Systems”) to provide patients with digital content, apps, or services that can help manage health. The Xealth Platform connects digital healthcare solutions partners (“Partners”) with patients to increase patient education and engagement and to improve outcomes.
Protected Health Information (PHI)
What is PHI? PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a covered entity. This includes any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing healthcare services such as diagnosis or treatment.
How PHI Differs from Other Personal Information: While personally identifiable information (PII) can be used to distinguish or trace an individual’s identity, PHI specifically relates to health information. The PHI shared on the Xealth Platform may include certain data metrics that do not directly identify you as an individual, such as gender, weight, and age.
How We Use Your Information
For Healthcare Services: When a physician or care team member selects a Partner for a patient, Xealth provides the minimum amount of PHI required for the Partner to deliver their services. We temporarily store data necessary to ensure successful data transfer.
For Business Purposes: We use non-PHI personal information to manage our business relationships, improve our services, communicate with clients and prospects, and comply with legal obligations.
Legal Framework: Xealth functions as a HIPAA Business Associate of its health system clients, facilitating the transfer of information between health systems and third-party applications that clinicians may use for permissible purposes under HIPAA.
Data Retention
The type of data we store and retention periods are governed by:
- Business Associate Agreements with health system clients
- HIPAA requirements (minimum 6 years for HIPAA-related documents)
- Applicable state and federal laws
- Business necessity and legal obligations
How We Protect Your Information
We implement comprehensive security measures including:
Technical Safeguards:
- Encryption of all stored and transmitted data
- Secure network connections in accordance with industry standards
- Authentication and access controls
- Regular security assessments
Administrative Safeguards:
- Staff training on security procedures
- Clearance procedures and workforce supervision
- Security incident response procedures
- Emergency access and contingency planning
Physical Safeguards:
- Secure facilities and equipment
- Appropriate storage, backup, and disposal procedures
Privacy Policy for Data Collected on our Website
This section describes the categories of personal information we collect from our website, the purposes for which we use it, and whether we sell or share this information.
From Website Visitors and Business Contacts (Non-PHI):
- Contact information (name, email, phone number, company) if you enter it into our website
- Professional information (job title, company details) if you provide it to us on our website
- Website usage data (IP address, browser type, pages visited, browsing behavior)
- Communication preferences and marketing consent
- Technical information (device type, operating system, cookies and similar identifiers)
- Online identifiers and device information collected through cookies and tracking technologies
- Internet or network activity information (interaction with our website and advertisements)
Purposes for Collection and Use of Website Data
We collect and use personal information for the following purposes:
- Business Operations: Managing client relationships, customer support, and business communications
- Website Functionality: Providing and improving our website experience
- Marketing and Communications: Sending relevant information about our services (with consent), and delivering targeted advertising and measuring advertising effectiveness
- Advertising and Analytics: Measuring website performance, analyzing visitor behavior, and delivering relevant advertisements across websites through third-party advertising partners
- Legal Compliance: Meeting regulatory requirements including HIPAA and CCPA
- Analytics: Understanding how our website is used to improve functionality
Sale or Sharing of Personal Information
We do not sell personal information for monetary consideration. However, under California law, “sharing” personal information for cross-context behavioral advertising may be considered a “sale.” We share personal information collected from our website with third-party advertising and analytics partners, which may constitute “sharing” under the CCPA.
Categories of third parties with whom we share information:
- Advertising networks and platforms (Google Ads, LinkedIn Ads)
- Marketing automation providers (HubSpot)
- Analytics services (Google Analytics, ZoomInfo)
- Service providers who assist with our business operations
- Legal authorities when required by law
Third-Party Tracking Technologies
We use third-party tracking technologies on our website, including:
- Google advertising cookies and pixels for remarketing and conversion tracking
- LinkedIn Insight Tag for conversion tracking and analytics
- HubSpot marketing pixels for visitor tracking and engagement
- ZoomInfo pixels for lead identification and tracking
These third parties may collect information about your online activities over time and across different websites when you use our website.
Your Privacy Rights Under California Law (CCPA)
If you are a California resident, you have specific rights regarding your personal information collected from our website:
Your Rights
Right to Know:
- Request information about the categories and specific pieces of personal information we collect on our website
- Request information about the purposes for collection and use on our website
- Request information about categories of third parties with whom we share information from our website
Right to Delete:
- Request deletion of personal information we have collected about you from our website
- Note: Some information collected from our website may be retained as required by law or for legitimate business purposes
Right to Correct:
- Request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing:
- Opt out of the sharing of personal information for cross-context behavioral advertising
- You can exercise this right by clicking “Do Not Sell or Share My Personal Information” in our website footer or through our cookie consent banner
Right to Non-Discrimination:
- You will not be discriminated against for exercising your privacy rights
How to Exercise Your Rights on Data Collected From Our Website
Submit Requests:
- Email: privacy@xealth.io
- Include your full name and the specific right you wish to exercise
- Provide sufficient detail to allow us to locate your information
Verification Process: We may need to verify your identity before processing requests. This may require additional information to confirm you are the person about whom we have collected information.
Response Timeline: We will respond to verified requests within 45 days, with the possibility of extending this period by an additional 45 days when reasonably necessary.
Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization and you may be required to verify your identity directly with us.
Additional Information
Updates to This Policy
We may update this Privacy Policy periodically. Changes become effective when we post the revised policy on our website or otherwise notify you. Continued use of our services after changes indicates acceptance of the revised policy.
Children’s Privacy
Our website and services are intended only for individuals 18 years of age or older. We do not knowingly collect personal information from individuals under 18 years of age.
International Users
Our services are primarily intended for use within the United States. If you access our services from outside the U.S., your information may be transferred to and processed in the United States.
Contact Information
Privacy Questions: privacy@xealth.io
Please note that email communications are not always secure, so do not include sensitive information in emails to us.