Privacy Policy and Health Data Notice

Last updated May 8, 2026. This notice explains how VitalScan handles information for early-access reservations, partner applications, testing days, payments, communications, health-related intake, and result workflows.

Summary

Short version.

These cards summarize the most important points. The complete policy follows below.

Health data is treated as sensitive

VitalScan handles health-related intake, testing, and results information with access controls, vendor controls, retention rules, and breach-response procedures.

Hosts do not receive results

Host locations receive only operational event information unless a customer gives explicit permission to share additional information.

Stripe handles payment cards

Deposits and payments are processed by Stripe or another payment processor. VitalScan does not store full card numbers on this website.

Labs process lab work

VitalScan does not operate as a clinical laboratory. Blood samples are processed through third-party CLIA/NYS-permitted lab partners.

Marketing is separate

Transactional messages support reservations and appointments. Marketing email and SMS are optional where applicable and can be opted out of.

No sale of health results

VitalScan does not sell individual health results and does not use individual health results for targeted advertising.

HIPAA depends on workflow

Some workflows may involve HIPAA-covered partners. Where HIPAA does not apply, VitalScan still treats health-related information as sensitive.

Privacy contact

Questions, access requests, correction requests, deletion requests, or suppression requests can be sent to privacy@tryvitalscan.com.

Complete notice

VitalScan Privacy Policy and Health Data Notice

1. Scope

This Privacy Policy and Health Data Notice explains how VitalScan collects, uses, shares, stores, and protects information when you use the website, reserve early access, apply as a host location, communicate with us, or participate in a VitalScan testing workflow.

This policy applies to information collected through tryvitalscan.com, VitalScan booking forms, partner-location forms, communications, customer intake, payment workflows, testing-day operations, and related service providers.

This policy is a public privacy notice. Separate terms, testing consent, lab authorization, communications consent, host-location agreements, and provider or lab notices may also apply depending on the service.

2. Information You Provide Directly

We collect information you submit directly to VitalScan, including name, email address, phone number, ZIP code, city, state, selected service, preferred date and time, selected location, booking ID, communication preferences, and messages you send to us.

For partner-location applications, we collect contact name, business name, role, email, phone number, location type, city, state, ZIP code, website or social URL, estimated member or client base, available space notes, and other information submitted through the application.

3. Booking, Reservation, and Demand Data

VitalScan uses early-access reservations to understand demand, plan routes, evaluate market clusters, and prioritize host locations. Reservation information may include ZIP code, market stage, selected testing level, preferred schedule, deposit status, and booking workflow events.

A reservation may be used to communicate route timing, host-location readiness, deposit status, appointment preparation, cancellation options, and follow-up steps.

4. Health-Related Intake Information

Before a testing day, VitalScan may collect health-related intake information needed to determine whether the requested service is appropriate to perform, prepare the testing workflow, and deliver results or follow-up.

This may include information about age range, sex, height, weight, pregnancy status where relevant to testing safety, medications or supplements, activity level, training goals, recent injuries, medical history, symptoms, contraindications, allergies, fasting status, and other information you choose to provide.

The exact intake questions may vary by service, market, operator, lab partner, and applicable requirements.

5. DEXA, Body Composition, and Imaging-Related Data

If you participate in DEXA testing, VitalScan may collect or receive scan appointment details, DEXA output, body composition metrics, bone-density-related metrics where available, technician notes, and result-delivery records.

DEXA results may include body fat, lean mass, visceral fat, bone density, regional body composition, trend history, and related interpretation or report data.

DEXA data is health-related information and is not shared with host locations unless you explicitly authorize that sharing.

6. Blood Collection, Lab, and Specimen Data

VitalScan does not operate as a clinical laboratory. If a service includes blood collection, specimens are collected by qualified staff and processed through third-party CLIA/NYS-permitted lab partners or other authorized lab workflows.

Lab-related information may include test orders, specimen identifiers, collection date and time, fasting status, accession numbers, courier or transfer information, lab results, reference ranges, abnormal flags, report delivery status, and communications with lab or clinical partners.

Lab partners, ordering providers, physician networks, or clinical reviewers may have their own privacy notices, consent forms, authorization language, and retention obligations.

7. VO2, RMR, and Performance Testing Data

If you participate in VO2 or RMR testing, VitalScan may collect performance-testing information such as resting metabolic rate, oxygen consumption, carbon dioxide output, heart-rate data, exercise protocol details, perceived exertion, training zones, device readings, operator notes, and result reports.

VitalScan positions VO2/RMR as performance-focused testing for training, metabolism, and wellness insight. It is not clinical CPET and is not intended to diagnose, treat, or monitor cardiopulmonary disease.

8. Genetic or Specialty Testing

If VitalScan offers genetic, pharmacogenomic, microbiome, hormone, or other specialty testing in the future, additional consent, lab authorization, provider review, and privacy terms may apply before that testing is performed.

VitalScan will not use genetic or specialty-test results for employment, insurance, or host-location marketing decisions.

9. Payment Information

Deposits and payments are processed by Stripe or another payment processor. VitalScan does not store full payment card numbers, card security codes, or full bank-account credentials on this website.

VitalScan may receive payment status, transaction identifiers, deposit amount, refund status, last-four card references, billing contact information, fraud-prevention signals, and related booking metadata from payment processors.

10. Communications Information

VitalScan may collect and store information related to email, SMS, phone, and form communications, including message content, delivery status, consent status, unsubscribe status, STOP or START replies, timestamps, source forms, and support history.

Transactional communications may be used for reservations, deposits, appointment reminders, intake, results delivery, operational updates, cancellations, refunds, and safety-related information.

Marketing communications, including offers, upgrades, review requests, and educational content, are separate from transactional communications and are sent only where permitted and with applicable opt-out controls.

11. Website, Device, and Usage Information

When you use the website, VitalScan or its service providers may collect device and usage information such as IP address, browser type, device type, pages visited, referral URL, time on site, errors, form events, approximate location from ZIP code or IP address, and technical logs.

This information is used to operate the site, debug issues, improve conversion flow, prevent fraud or abuse, understand demand by market, and measure the effectiveness of outreach.

12. Cookies and Similar Technologies

VitalScan may use cookies, local storage, pixels, analytics tools, and similar technologies to keep the site working, remember form state, measure traffic, understand campaign performance, and protect the service.

VitalScan does not use individual health results for targeted advertising. If advertising or retargeting tools are added later, VitalScan will not provide those tools with individual health results, lab results, DEXA outputs, genetic results, or other sensitive health-result information.

13. How VitalScan Uses Information

VitalScan uses information to operate the website, process reservations and deposits, evaluate market demand, review partner locations, schedule host days, provide customer support, prepare for appointments, collect intake, coordinate testing, deliver results, send communications, improve services, prevent fraud, maintain records, and comply with applicable obligations.

VitalScan may also use de-identified, aggregated, or market-level information to understand demand, plan routes, evaluate host-location categories, prepare investor materials, improve pricing, and make operational decisions.

14. Service Providers and Vendors

VitalScan uses service providers to operate the business. These may include hosting providers, database providers, payment processors, email providers, SMS providers, analytics providers, customer-support tools, scheduling tools, testing vendors, equipment vendors, lab partners, courier providers, qualified operators, clinical reviewers, legal advisors, accountants, and other professional service providers.

Service providers are expected to use information only for the services they provide to VitalScan, subject to contractual, legal, technical, or operational limits appropriate to the workflow.

15. Lab, Provider, and Clinical Partner Sharing

When testing requires a lab, ordering provider, physician network, clinical reviewer, medical director, or other healthcare partner, VitalScan may share information needed to order, collect, process, review, interpret, report, or deliver the requested testing.

These partners may be subject to HIPAA, CLIA, state laboratory requirements, professional licensing rules, medical-record retention rules, or their own privacy notices. Their obligations may differ from VitalScan's obligations.

16. Host-Location Sharing

VitalScan host locations help provide space, member or client promotion, arrival instructions, parking information, and event-day support. Host locations are not responsible for processing payments, operating testing, or delivering results.

Host locations may receive operational event information, such as expected appointment volume, arrival windows, attendance status, event-day logistics, aggregate demand metrics, and information needed to coordinate the hosted testing day.

Host locations do not receive individual health results, lab results, DEXA outputs, VO2/RMR outputs, genetic results, or intake responses unless you explicitly authorize that sharing.

17. Business, Legal, and Safety Disclosures

VitalScan may disclose information when necessary to comply with law, respond to lawful requests, protect rights and safety, investigate fraud or abuse, enforce terms, resolve disputes, complete a business transaction, support insurance or accounting needs, or protect VitalScan, customers, partners, operators, vendors, or the public.

If VitalScan is involved in a merger, financing, acquisition, reorganization, sale of assets, bankruptcy, or similar transaction, information may be transferred as part of that transaction subject to appropriate confidentiality and privacy protections.

18. HIPAA and Health Privacy

HIPAA applies to covered entities and business associates in specific healthcare workflows. Depending on the final service model, certain VitalScan data flows may involve HIPAA-covered partners, business associate arrangements, or separate HIPAA notices.

Where HIPAA applies, HIPAA requirements and any applicable partner notice or authorization will control for protected health information in that workflow. Where HIPAA does not apply, VitalScan still treats health-related information as sensitive and applies privacy, security, access-control, vendor, retention, and breach-response safeguards.

VitalScan does not use the phrase "HIPAA compliant" as a marketing claim unless the specific workflow, vendors, contracts, and procedures have been confirmed for that use.

19. FTC Health Data and Breach Notice

Consumer health technologies that are not covered by HIPAA may still be subject to FTC rules, including rules against unfair or deceptive practices and, depending on the data flow, the FTC Health Breach Notification Rule.

VitalScan evaluates health-data workflows for unauthorized access, unauthorized disclosure, breach notification, vendor management, and consent obligations. If a reportable incident occurs, VitalScan will provide required notices according to applicable law.

20. New York and Other State Privacy Requirements

VitalScan is launching with an Upstate New York focus and handles security and breach-response planning with New York requirements in mind, including reasonable administrative, technical, and physical safeguards for private information.

Depending on where a customer lives, additional state privacy, consumer health data, breach notification, biometric, genetic, or marketing laws may apply. VitalScan will honor applicable rights and obligations where required.

21. No Sale of Individual Health Results

VitalScan does not sell individual health results, lab results, DEXA outputs, VO2/RMR outputs, genetic results, or customer intake responses.

VitalScan does not provide individual health results to advertising networks, data brokers, employers, insurers, or host locations for their independent marketing use.

22. De-Identified and Aggregate Information

VitalScan may use de-identified, aggregated, or market-level information for analytics, route planning, investor reporting, host-location evaluation, pricing, product development, service improvement, and public communications.

For example, VitalScan may report that a market has strong demand for DEXA or that a host category produced high reservation interest. VitalScan will not intentionally identify an individual customer in those reports without permission.

23. Data Retention

VitalScan keeps information for as long as needed for the purpose collected, unless a longer period is required or permitted by law, contract, lab workflow, medical-record requirement, tax requirement, accounting need, dispute, fraud-prevention need, or legitimate business purpose.

Reservation and demand data may be retained to support route planning. Payment records may be retained for accounting, tax, dispute, and fraud-prevention purposes. Health-related records may be retained according to applicable healthcare, lab, provider, or operational requirements.

  • Website logs: retained for operational, security, and debugging needs.
  • Marketing preferences: retained to honor opt-outs and suppressions.
  • Booking records: retained for reservation, payment, customer-support, and operational history.
  • Testing records: retained according to applicable service, lab, provider, legal, and recordkeeping requirements.
  • Partner applications: retained while evaluating the location and maintaining business-development history.

24. Security Safeguards

VitalScan uses administrative, technical, and organizational safeguards designed to protect personal and health-related information. Safeguards may include access controls, role-based permissions, authentication, vendor review, encryption where appropriate, logging, least-privilege access, staff training, secure development practices, and incident-response procedures.

No website, network, system, or data transmission can be guaranteed to be completely secure. If you believe information you provided to VitalScan is no longer secure, contact privacy@tryvitalscan.com.

25. Breach Response

VitalScan maintains a breach-response approach for suspected unauthorized access, acquisition, disclosure, or loss of information. Response steps may include investigation, containment, vendor coordination, legal review, customer notification, regulator notification, and remediation.

The timing and content of any notice will depend on the information involved, the affected individuals, applicable law, vendor obligations, and whether the information is covered by HIPAA, FTC health breach rules, state breach laws, or other requirements.

26. Your Choices and Requests

You may contact VitalScan to request access, correction, deletion, export, restriction, suppression, or clarification of certain information. We will respond according to applicable law and operational requirements.

Some requests may be limited if information must be retained for payment records, fraud prevention, safety, lab records, provider records, legal obligations, dispute resolution, security, or suppression-list management.

27. Email and SMS Opt-Out

You may unsubscribe from marketing email using the unsubscribe link in the message or by contacting VitalScan. You may opt out of marketing SMS by replying STOP where supported.

Opting out of marketing messages does not prevent VitalScan from sending transactional or operational messages related to reservations, deposits, appointments, test preparation, safety, results delivery, account support, or legal notices.

28. Children and Minors

The VitalScan website is not directed to children under 13, and VitalScan does not knowingly collect personal information from children under 13 through the website.

Services for minors, if offered, may require parent or guardian consent, additional screening, and separate operational procedures.

29. Links to Other Websites

VitalScan may link to third-party websites, lab portals, payment pages, host-location websites, map services, or partner resources. VitalScan is not responsible for the privacy practices of those third parties.

Review the privacy notices and terms of third-party services before submitting information to them.

30. Changes to This Policy

VitalScan may update this Privacy Policy and Health Data Notice as the service, vendors, testing workflow, legal requirements, or business model changes. The updated date will show when the policy was last revised.

Material changes may be communicated through the website, email, SMS, booking flow, or another reasonable method where required or appropriate.

31. Contact

Privacy questions, access requests, correction requests, deletion requests, suppression requests, or security concerns may be sent to privacy@tryvitalscan.com.

Please include your name, contact information, the nature of your request, and enough detail for VitalScan to locate the relevant record. We may need to verify your identity before responding to certain requests.