Vea Health, Inc Privacy Policy

Effective Date: May 7, 2026

Last Updated: May 7, 2026

Introduction

Vea Health, Inc. ("Vea Health," "we," "us," or "our") is committed to protecting your privacy and safeguarding your personal information, including Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, store, and protect information when you access or use our website, applications, telehealth services, and related offerings (collectively, the "Services").

By accessing or using the Services, you acknowledge and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

This Privacy Policy applies to information we collect on veahealth.co, app.veahealth.co, quiz.veahealth.co, and any other website or application operated by Vea Health.

Vea Health and Your Healthcare Provider

Vea Health is a management services organization. Your medical care is delivered by an independent professional medical corporation (the "Practice") that contracts or employs licensed clinicians. The Practice is your healthcare provider; Vea Health operates the platform, manages your account and payments, and provides the technology that connects you to the Practice. Vea Health acts as a HIPAA business associate of the Practice.

This Privacy Policy describes the information practices for which Vea Health is responsible. Sections 9 through 12 below describe the Practice's information practices in detail and constitute the Notice of Privacy Practices required by the Health Insurance Portability and Accountability Act (HIPAA), 45 CFR § 164.520.

Privacy Officer

Our designated Privacy Officer is Jason Simmons, Chief Strategy Officer. You can reach the Privacy Officer at privacy@veahealth.co or by mail at Vea Health, Inc., 1111B S Governors Ave STE 92678, Dover, DE 19904, or by phone at (424) 283-6790.

Information We Collect

We collect information in the following ways.

1. Information You Provide to Us

You may voluntarily provide information when using our Services, including:

Identifiers: legal name, preferred name, date of birth, email address, phone number, mailing and shipping address, and billing address.

Account Information: login credentials and account preferences.

Health Information (PHI): medical history, current medications, allergies, conditions, symptoms, intake answers, diagnoses, treatment information, prescriptions, and other information necessary to provide telehealth services.

Payment Information: payment method type, last four digits of your card, expiration date, and billing zip. The full card number is collected by our payment processor and is not stored by Vea Health.

Communications: messages, emails, customer support requests, survey responses, and audio or video sent through the Services.

2. Information Collected Automatically

When you access our Services, we may automatically collect:

Device and Usage Data: IP address, browser type and version, operating system, device type, language preferences, timezone, pages viewed, features used, links clicked, time spent, referring URL, and click identifiers from advertising platforms (such as gclid from Google or fbclid from Meta).

Cookies and Similar Technologies: cookies, pixels, and analytics tools used to operate and improve the Services. Section 7 describes the specific tracking technologies we use.

Inferred Information: information we derive about you based on your activity, such as which products you have viewed or how you interact with our communications.

3. Information from Third Parties

We may receive information from third-party service providers, analytics partners, healthcare partners, payment processors, identity verification providers, and pharmacy partners that fulfill prescriptions issued through the Services.

How We Use Information

We use collected information to:

Provide and operate our Services, including routing your intake to a licensed clinician, enabling messages between you and your clinician, and storing your medical history.

Facilitate telehealth consultations and care coordination.

Verify identity, eligibility, and age, and prevent fraud.

Communicate with you about appointments, services, prescription updates, account activity, and customer support.

Process payments and issue receipts and refunds.

Improve functionality, performance, and user experience.

Conduct internal analytics using de-identified or aggregated data.

Comply with legal, regulatory, and contractual obligations.

We do not use PHI for marketing or for any purpose other than treatment, payment, or healthcare operations without your written authorization. Marketing communications using non-PHI contact information are subject to your separate consent and your right to opt out.

How We Share Information

We may share information in the following circumstances.

With Healthcare Providers: licensed clinicians involved in your care, and the pharmacies that fulfill your prescriptions.

With Service Providers: vendors that support our operations, including hosting, application infrastructure, analytics, payment processing, customer support, identity verification, and communications. We require service providers to protect your information consistent with this Privacy Policy and applicable law, including by signing Business Associate Agreements where they handle PHI.

With Our Telehealth Platform Vendor: the patient app at app.veahealth.co is operated by a third-party telehealth-platform technology vendor that is bound by a HIPAA Business Associate Agreement. The platform vendor engages its own subcontractors for operational support, each of whom is bound by appropriate flow-down privacy obligations.

With Advertising Partners: where you use our marketing site at veahealth.co, certain advertising and analytics partners (including Meta and Google) may receive limited information to measure ad performance and serve relevant advertising. We do not share PHI with advertising partners, and advertising tracking does not run on the telehealth platform.

For Legal and Regulatory Reasons: when required to comply with applicable laws, subpoenas, court orders, regulatory investigations, or other legal process, or to protect the safety of our patients, staff, or others.

In Connection with a Business Transfer: in the event of a merger, acquisition, financing, sale of assets, or similar transaction, where we will require the recipient to honor this Privacy Policy or provide notice and opt-out where required.

With Your Consent: with any party you direct us to share with through written authorization.

We do not sell your medical information. Section 7 describes our use of advertising tracking on the marketing site and your opt-out rights under California and similar state laws.

Tracking Technologies and Online Advertising

Our online presence has two distinct surfaces, each with different tracking practices.

The marketing site at veahealth.co uses cookies, pixels, and analytics tools, including Meta Pixel, Google Analytics, Google Tag Manager, Google Ads, an affiliate-tracking pixel, and our own first-party analytics, to understand how visitors find and use our site, measure advertising effectiveness, and improve our marketing. These technologies collect device and usage information described in Section 4 above, including page URLs, click events, IP address, browser characteristics, and certain identifiers stored in cookies set by Meta and Google.

The telehealth platform at app.veahealth.co does not run third-party advertising or analytics tracking. No Meta Pixel, Google Ads, Google Analytics, TikTok Pixel, or LinkedIn Insight Tag fires on the platform. The platform relies on operational technologies provided by our HIPAA-compliant platform vendor solely for the purpose of running the Services.

The intake form at quiz.veahealth.co collects only your product interest and email address, and does not run third-party advertising or analytics tracking.

We also use the Meta Conversions API and Google Enhanced Conversions API to send a small set of non-PHI conversion signals (such as a generic "lead" event) from our marketing surface to Meta and Google. These signals do not include any health condition, treatment type, medication name, or other protected health information.

You can manage cookies through your browser settings. As we expand our privacy controls, we may add a cookie-preferences interface and honor Global Privacy Control browser signals; if and when those controls are available, they will appear on our website footer.

Sale and Sharing for Cross-Context Behavioral Advertising

Under California's Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and similar state laws, the use of advertising and analytics technologies described in Section 7 may constitute a "sale" or "sharing" of personal information for cross-context behavioral advertising. California residents and residents of other states with similar rights have the right to opt out of this sharing. To opt out, email privacy@veahealth.co with the subject "Do Not Sell or Share My Personal Information." We will honor your request promptly. As we expand our online privacy controls, we may add a "Do Not Sell or Share" link in our website footer and recognize Global Privacy Control browser signals as a valid opt-out request.

We do not engage in advertising tracking or sharing with respect to the telehealth platform, our patient platform, or any PHI.

Protected Health Information and HIPAA

The following sections describe the Practice's information practices with respect to your PHI and constitute the Notice of Privacy Practices required by HIPAA.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

The Practice (Dr Telx, PLLC) is the licensed medical professional corporation that delivers your telehealth medical services. Vea Health acts as the Practice's business associate. The Practice is required by federal law to maintain the privacy of your PHI, provide you with this notice of its legal duties and privacy practices, notify you following a breach of unsecured PHI, and abide by the terms of the notice currently in effect.

Protected Health Information includes information that identifies you and relates to your past, present, or future physical or mental health condition, the healthcare you receive, or payment for that healthcare. PHI includes your name, date of birth, contact information, medical history, medications, lab results, prescriptions, treatment notes, and clinical communications.

Permitted Uses and Disclosures

The Practice may use and disclose your PHI without your authorization for treatment, payment, healthcare operations, and other purposes permitted by HIPAA.

For treatment, the Practice may share your PHI with the licensed clinician who reviews your intake, the pharmacy that fulfills your prescription, the laboratory that performs any tests the Clinician orders, and other healthcare providers at your direction.

For payment, the Practice may use and disclose PHI to charge for services, coordinate billing with the dispensing pharmacy, and work with your insurer if you submit out-of-network claims for reimbursement.

For healthcare operations, the Practice may use and disclose PHI for quality improvement, clinician credentialing, compliance, audit, and customer service activities related to your care.

The Practice may also disclose PHI to its business associates, including Vea Health, hosting and infrastructure providers, secure-messaging vendors, and pharmacies. Each business associate signs an agreement requiring it to safeguard your PHI consistent with HIPAA.

The Practice may disclose PHI when required by law, including reports of suspected child abuse or domestic violence, reporting reactions to medications or quality problems with FDA-regulated products, public-health activities, health-oversight activities, judicial and administrative proceedings, law enforcement, prevention of serious threats to health or safety, communications with coroners and medical examiners, workers' compensation, and disclosures to family or friends involved in your care with your verbal agreement.

Some categories of information receive heightened protection under federal or state law, including substance use disorder treatment records (42 CFR Part 2), mental health records, HIV/AIDS information, genetic information, and reproductive healthcare information. The Practice follows the applicable rules, which sometimes require your specific authorization.

Uses and Disclosures Requiring Your Authorization

The Practice will not use or disclose your PHI for marketing, sale, or psychotherapy notes without your written authorization. Any use or disclosure not described in this section and not otherwise permitted or required by law will be made only with your written authorization. You may revoke any authorization in writing at any time, except to the extent the Practice has already acted in reliance on it.

Your HIPAA Rights

You have the right to inspect and obtain a copy of your PHI in a designated record set. The Practice will respond within 30 days, with one possible 30-day extension if we provide written notice. We may charge a reasonable, cost-based fee for copies and may provide the copy in a particular electronic format if it is readily producible.

You have the right to request that the Practice amend PHI it maintains about you if you believe it is incorrect or incomplete. The Practice will respond within 60 days. The Practice may deny the request in certain circumstances, in which case you may submit a written statement of disagreement.

You have the right to request a list of disclosures of your PHI made for purposes other than treatment, payment, or healthcare operations and other than disclosures you authorized. The first accounting in any 12-month period is free.

You have the right to request restrictions on certain uses and disclosures. The Practice is not required to agree, except where you pay for a healthcare item or service in full out of pocket and request that the information not be disclosed to a health plan for payment or healthcare-operations purposes.

You have the right to request that we communicate with you in a particular way (for example, by mail to a specific address or only by email). We will accommodate reasonable requests.

You have the right to be notified following a breach of your unsecured PHI as described below.

You have the right to a paper copy of this Notice of Privacy Practices on request, even if you have agreed to receive it electronically.

You have the right to file a complaint with the Practice's Privacy Officer if you believe your privacy rights have been violated. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at 200 Independence Avenue SW, Washington, DC 20201, by phone at 1-877-696-6775, or online at https://www.hhs.gov/ocr. We will not retaliate against you for filing a complaint.

Breach Notification

If we discover a breach of your unsecured PHI, we will notify you in writing within 60 days of discovery. If a breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services and prominent media outlets in the affected state. The notice will describe what happened, what information was involved, what we are doing in response, what you can do to protect yourself, and how to contact us.

To Contact the Practice's Privacy Officer

The Practice's Privacy Officer is responsible for the Practice's HIPAA privacy program. You may reach the Privacy Officer at privacy@veahealth.co, by phone at (424) 283-6790, or by mail to Vea Health, Inc., 1111B S Governors Ave STE 92678, Dover, DE 19904. Routing through Vea Health's privacy desk is consistent with the Business Associate Agreement; the Practice's Privacy Officer or designee will respond.

Consumer Health Data

In addition to PHI governed by HIPAA, certain information we collect about you may constitute "consumer health data" under Washington's My Health My Data Act, Nevada's Health Data Privacy Act, and similar state laws. Consumer health data includes information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including individual health conditions, treatments, diagnoses, medications, procedures, symptoms, reproductive or sexual health information, gender-affirming care information, biometric data, genetic data, precise location information indicating a consumer's attempt to acquire or receive health services, and any inferences derived from the above.

We collect consumer health data primarily through your intake, your communications with the Practice, and your account activity. We use consumer health data only for the purposes described in this Privacy Policy, principally to provide telehealth services, fulfill prescriptions, run the platform, comply with the law, and protect against fraud or abuse. We do not process consumer health data for advertising or for sale to third parties.

We share consumer health data with the Practice (your healthcare provider), the pharmacies that fulfill your prescriptions, our hosting and infrastructure providers, our payment processor, our customer-support and communications providers, our telehealth-platform vendor (under a HIPAA Business Associate Agreement), and government agencies when required by law. We do not sell consumer health data as defined in RCW 19.373.020.

Vea Health does not implement, and prohibits its vendors and partners from implementing on Vea's behalf, geofencing within a radius of 1,750 feet of any healthcare facility for the purpose of identifying or tracking consumers seeking healthcare services, collecting consumer health data, or sending notifications, messages, or advertisements related to consumer health data or healthcare services.

If you ever wish to confirm whether we are collecting your consumer health data, access it, request its deletion, withdraw consent for its collection or sharing, or receive a list of third parties that have received it, contact us at privacy@veahealth.co. We extend these rights to all U.S. residents as a matter of best practice. Washington's My Health My Data Act provides a private right of action under the Washington Consumer Protection Act for violations.

SMS and Text Messages

By providing your mobile phone number and consenting to receive text messages from Vea Health, you agree to receive SMS and MMS messages from Vea Health, which may include exclusive member offers, promotions, product announcements, health and wellness content, appointment reminders, prescription and refill notifications, lab result alerts, care follow-ups, and shipping updates.

Marketing SMS consent is not a condition of purchase. Message frequency varies based on promotions and campaigns. Message and data rates may apply. You may opt out at any time by replying STOP to any message. After opting out, you will receive a one-time confirmation and no further marketing texts. For help, reply HELP or contact us at team@veahealth.co or (424) 283-6790. Carriers are not liable for delayed or undelivered messages. We do not sell, rent, or share your phone number or opt-in data with third parties for promotional purposes.

This SMS section is intended to satisfy the prior-express-written-consent requirement of the Telephone Consumer Protection Act and FCC implementing rules.

Your Privacy Rights Under State Law

Depending on your state of residence, you may have additional privacy rights, including the right to know what personal information we have collected, the right to access that information, the right to request its deletion or correction, the right to data portability, the right to opt out of sale or sharing for cross-context behavioral advertising or targeted advertising, the right to limit our use of sensitive personal information, the right to opt out of profiling for significant decisions, and the right to non-discrimination for exercising your rights.

These rights are available to residents of California, Virginia, Colorado, Connecticut, Texas, Utah, Oregon, Iowa, Tennessee, Indiana, Florida, Montana, New Hampshire, Delaware, Maryland, Minnesota, Nebraska, and other states whose privacy laws apply. The exact scope of each right depends on your state's law.

To exercise any right, email privacy@veahealth.co with the subject "Privacy Rights Request" and include your state of residence. We will verify your identity (typically by confirming information already in our records) before responding. We respond within the time required by your state's law (typically 45 days, with a possible 45-day extension where reasonably necessary). You may designate an authorized agent to make a request on your behalf with proof of authorization.

We will not discriminate against you for exercising your rights. We will not deny you Services, charge a different price, or provide a lesser quality of Services because you exercised a right.

The California "Shine the Light" law (Cal. Civ. Code § 1798.83) entitles California residents to ask once per year, by free request, for a list of third parties to whom we disclosed personal information for the third parties' direct-marketing purposes in the preceding calendar year, if any.

Sensitive Personal Information

Under the California Privacy Rights Act and similar state laws, "sensitive personal information" includes precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, genetic data, biometric identifiers, health information, and account credentials. We collect sensitive personal information principally as part of your intake, treatment, and account history.

We use sensitive personal information for the purposes disclosed in this Privacy Policy, principally to provide telehealth services, fulfill prescriptions, run the platform, comply with the law, and protect against fraud or abuse. We do not use sensitive personal information to infer characteristics about you for advertising or to make significant decisions through automated profiling.

Where permitted by your state's law, you have the right to limit our use of your sensitive personal information to that which is necessary to provide the Services. To exercise this right, contact privacy@veahealth.co. Limiting our use of health-related sensitive personal information may impair our ability to provide telehealth services to you.

Data Security

We use a combination of administrative, physical, and technical safeguards to protect your information, calibrated to its sensitivity. Administrative safeguards include role-based access controls, training for staff and contractors who handle PHI, vendor due diligence, written incident-response procedures, and ongoing security review. Technical safeguards include encryption in transit (TLS 1.2 or higher), encryption at rest where supported by the underlying platform, multi-factor authentication on administrative accounts, audit logs, and regular security testing.

While we strive to protect your information, no method of transmission or storage is completely secure. If a security incident affects your information, we will notify you in accordance with applicable law.

Data Retention

We retain medical records and PHI for at least six years from the date of last contact, or longer where state law requires (for example, California: seven years from last visit; New York: six years from last contact, longer for minors). Account information is retained for the duration of your account plus three years after closure. Billing and transaction records are retained for seven years for tax and accounting purposes. Communications and customer-support records are retained for three years from last interaction. Marketing preferences and opt-out records are retained while you remain on our list and for 18 months after opt-out, to demonstrate compliance with TCPA and CAN-SPAM. Audit logs and security-incident records are retained for six years.

When the retention period expires, we delete or de-identify the information consistent with HIPAA's Safe Harbor or Expert Determination methods at 45 CFR § 164.514. Records subject to a litigation hold are retained until the hold is released.

Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 13, who are protected by the Children's Online Privacy Protection Act. If we learn that we have collected information from a child under 13, we will delete it promptly. Parents or guardians who believe their child has provided information to us should contact privacy@veahealth.co.

Clinical Decisions

Licensed clinicians make all clinical decisions. We do not use automated processing, artificial intelligence, or profiling to make decisions about your care. If your state's law gives you a right to opt out of automated decision-making for significant decisions, you may exercise that right by contacting privacy@veahealth.co.

International Transfers

Vea Health operates from the United States, and our infrastructure providers operate primarily in the United States. We do not currently engage in routine international transfers of your information. If you access our Services from outside the United States, you consent to the transfer of your information to the United States, where data-protection laws may differ from those in your country.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted with an updated effective date. For material changes that meaningfully affect what information we collect, how we use it, or your rights, we will notify you in advance by email to the address associated with your account or by a conspicuous in-product notice. For material changes that affect your dispute-resolution rights, the changes will not apply to claims arising before the effective date, and we will give you a reasonable opportunity to reject the changes.

Continued use of the Services after changes are posted constitutes acceptance of the revised policy.

Contact Information

For questions about this Privacy Policy or to exercise your privacy rights, contact our Privacy Officer.

Privacy Officer: Jason Simmons, Chief Strategy Officer
Vea Health, Inc.
1111B S Governors Ave STE 92678
Dover, DE 19904
Email: privacy@veahealth.co
Phone: (424) 283-6790

For HIPAA questions specifically, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at https://www.hhs.gov/ocr or by calling 1-877-696-6775.