
Nova Lab Clinic — Privacy Policy

PRIVACY POLICY

NOVALAB HUMAN PERFORMANCE CLINIC LLC

https://novalab.clinic

Last Updated: December 2024

1. INTRODUCTION AND SCOPE

NOVALAB HUMAN PERFORMANCE CLINIC LLC, doing business as Nova Lab Clinic (“Company,” “we,” “us,” or “our”), is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy (“Policy”) describes how we collect, use, disclose, store, and protect information obtained through our website (https://novalab.clinic), mobile applications, telehealth platforms, and all related services (collectively, the “Services”).

This Policy applies to all patients, prospective patients, website visitors, and any individual who interacts with our Services. BY CHECKING THE ACCEPTANCE BOX, CLICKING “I AGREE,” CREATING AN ACCOUNT, OR OTHERWISE USING OUR SERVICES, you acknowledge that you have read, understood, and agree to the practices described in this Policy. Your continued use of our Services constitutes ongoing acceptance of this Policy.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

Personal Identification Information:

  • Full legal name, date of birth, and gender
  • Social Security Number (for identity verification purposes only)
  • Government-issued identification numbers
  • Contact information (email address, phone number, mailing address)
  • Emergency contact information

Health and Medical Information (Protected Health Information or “PHI”):

  • Medical history, current health conditions, and diagnoses
  • Prescription history and current medications
  • Laboratory test results and diagnostic imaging
  • Treatment plans, progress notes, and clinical observations
  • Allergies and adverse reactions
  • Genetic information (if provided for treatment purposes)
  • Mental health information
  • Substance use history

Financial and Billing Information:

  • Credit card, debit card, or bank account information
  • Billing address
  • Insurance information (if applicable)
  • Payment history and transaction records

Communications:

  • Messages sent through our patient portal, email, or SMS
  • Recorded telehealth consultations (with your consent)
  • Survey responses and feedback

2.2 Information Collected Automatically

When you access our website or use our Services, we automatically collect certain technical information:

  • IP address and geolocation data
  • Device type, operating system, and browser type
  • Unique device identifiers
  • Pages visited, time spent on pages, and clickstream data
  • Referring URLs and exit pages
  • Cookies, pixels, and similar tracking technologies (see Section 7)

2.3 Information from Third Parties

We may receive information about you from:

  • Healthcare providers who refer you to our Services
  • Laboratories and diagnostic facilities
  • Compounding pharmacies fulfilling your prescriptions
  • Payment processors and financial institutions
  • Identity verification services
  • Marketing partners (with your consent)

3. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

Healthcare and Treatment:

  • Providing telehealth consultations and medical services
  • Developing personalized treatment plans
  • Coordinating care with pharmacies, laboratories, and other providers
  • Monitoring treatment progress and outcomes
  • Communicating with you about your care

Operational Purposes:

  • Processing payments and managing billing
  • Verifying your identity and eligibility for services
  • Maintaining accurate medical and business records
  • Responding to inquiries and providing customer support
  • Scheduling appointments and sending reminders

Legal and Compliance:

  • Complying with applicable laws, regulations, and legal processes
  • Meeting HIPAA and state privacy law requirements
  • Responding to subpoenas, court orders, or regulatory inquiries
  • Investigating potential fraud, security incidents, or policy violations

Business Improvement:

  • Analyzing usage patterns to improve our Services
  • Conducting internal research and quality improvement
  • Training staff and improving operational efficiency

Marketing (with consent):

  • Sending promotional communications about our Services
  • Providing information about new treatments or offerings
  • Conducting surveys and collecting feedback

4. LEGAL BASES FOR PROCESSING (WHERE APPLICABLE)

Depending on your jurisdiction, we process your information based on one or more of the following legal grounds:

  • Your explicit consent
  • Performance of a contract (the provision of healthcare services)
  • Compliance with legal obligations
  • Protection of vital interests (in emergencies)
  • Legitimate business interests (where not overridden by your rights)

5. DISCLOSURE OF YOUR INFORMATION

We do not sell your personal information or Protected Health Information. We may disclose your information in the following circumstances:

5.1 Authorized Disclosures for Treatment

  • Licensed healthcare providers and clinical staff directly involved in your care
  • Compounding pharmacies filling your prescriptions
  • Laboratories performing diagnostic testing
  • Other healthcare providers to whom you are referred

5.2 Service Providers and Business Associates

We engage third-party service providers who assist in operating our business. These providers are contractually bound to protect your information and may only use it for specified purposes:

  • Secure electronic health record (EHR) platform providers
  • Telehealth technology vendors
  • Payment processors and billing services
  • Cloud storage and data hosting providers
  • Email and SMS communication platforms
  • Identity verification services
  • Analytics and website optimization services

All service providers handling PHI are required to sign HIPAA Business Associate Agreements (BAAs).

5.3 Legal and Regulatory Disclosures

We may disclose your information without your consent when required or permitted by law:

  • To comply with federal, state, or local laws and regulations
  • In response to valid subpoenas, court orders, or legal process
  • To public health authorities for disease prevention and control
  • To government agencies for health oversight activities
  • To law enforcement in specific circumstances permitted by HIPAA
  • To prevent or mitigate serious threats to health or safety
  • For workers’ compensation purposes

5.4 Business Transactions

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will provide notice of any such transfer and any choices you may have.

6. DATA SECURITY

We implement comprehensive administrative, technical, and physical safeguards to protect your information:

Technical Safeguards:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Secure, HIPAA-compliant data centers with SOC 2 certification
  • Multi-factor authentication for system access
  • Firewalls, intrusion detection, and continuous security monitoring
  • Regular security assessments and penetration testing
  • Automated threat detection and response systems

Administrative Safeguards:

  • Comprehensive HIPAA privacy and security policies
  • Mandatory staff training on privacy and security practices
  • Access controls based on minimum necessary principles
  • Regular audits of system access and data handling
  • Incident response and breach notification procedures
  • Designated Privacy Officer and Security Officer

Physical Safeguards:

  • Secure facilities with controlled access
  • Workstation security policies
  • Secure disposal of physical records and electronic media

While we employ industry-standard security measures, no system can guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1 Types of Cookies We Use

Essential Cookies:

Required for basic website functionality, authentication, and security. These cannot be disabled.

Functional Cookies:

Remember your preferences and personalization settings to enhance your experience.

Analytics Cookies:

Help us understand how visitors interact with our website through aggregated, anonymized data.

Marketing Cookies (with consent):

Used to deliver relevant advertisements and measure campaign effectiveness.

7.2 Your Cookie Choices

You can manage cookie preferences through your browser settings or our cookie consent tool. Note that disabling essential cookies may impair website functionality. We honor “Do Not Track” browser signals where technically feasible.

8. YOUR RIGHTS AND CHOICES

8.1 HIPAA Rights (For Protected Health Information)

Under HIPAA, you have the following rights regarding your PHI:

  • Right to Access: Request copies of your medical records
  • Right to Amend: Request corrections to inaccurate information
  • Right to Restriction: Request limits on how we use or disclose your PHI
  • Right to Confidential Communications: Request communications through specific channels
  • Right to Accounting: Receive a list of certain disclosures of your PHI
  • Right to Paper Copy: Obtain a paper copy of this Privacy Policy
  • Right to Revoke Authorization: Withdraw previously granted authorizations

8.2 Additional Rights (Depending on Jurisdiction)

Depending on your state or country of residence, you may have additional rights:

  • Right to deletion of personal information
  • Right to data portability
  • Right to opt out of sale of personal information
  • Right to non-discrimination for exercising privacy rights
  • Right to correct inaccurate personal information
  • Right to know what information is collected about you

8.3 Exercising Your Rights

To exercise any of these rights, contact us at:

Nova Lab Clinic

10 Dominion Dr, Suite 2201, San Antonio, TX 78257

Phone: (210) 954-5729

Email: privacy@novalab.clinic

We will respond to requests within the timeframes required by applicable law (generally 30-45 days). We may require identity verification before processing requests.

9. DATA RETENTION

We retain your information in accordance with applicable law and our retention policies:

  • Medical Records: Minimum of seven (7) years from the last date of treatment, or as required by state law
  • Financial Records: Minimum of seven (7) years for tax and audit purposes
  • Marketing Consent Records: Duration of consent plus three (3) years
  • Website Analytics: Generally up to two (2) years in aggregated form

We securely dispose of information when no longer needed using appropriate methods (shredding, secure deletion, etc.).

10. SMS AND TEXT MESSAGE COMMUNICATIONS

If you opt in to receive SMS communications, you agree to the following:

  • You consent to receive automated and non-automated text messages related to your care, appointments, and services
  • Message frequency varies based on your treatment and appointment schedule
  • Standard message and data rates may apply based on your carrier plan
  • You may opt out at any time by replying STOP to any message
  • You may request help by replying HELP or contacting us directly
  • We will not share your phone number with third parties for their marketing purposes

Opting out of SMS communications will not affect your ability to receive care.

11. TELEHEALTH-SPECIFIC PRIVACY CONSIDERATIONS

When using our telehealth services, please be aware:

  • Video consultations may be recorded for quality assurance and medical record purposes (with your consent)
  • You are responsible for ensuring privacy during telehealth sessions (private location, secure network)
  • Third-party platforms used for telehealth comply with HIPAA requirements
  • Technical issues may occasionally affect session quality or security

12. CHILDREN’S PRIVACY

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If we learn that we have collected information from a child under 18, we will take steps to delete such information promptly.

13. INTERNATIONAL USERS

Our Services are intended for users located in the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Material changes will be communicated through:

  • Posting the updated Policy on our website with a new “Last Updated” date
  • Email notification for significant changes
  • In-app notifications where applicable

Your continued use of our Services after changes become effective constitutes acceptance of the updated Policy.

15. CONTACT INFORMATION

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact:

Privacy Officer

NOVALAB HUMAN PERFORMANCE CLINIC LLC

10 Dominion Dr, Suite 2201

San Antonio, TX 78257

Phone: (210) 954-5729

Email: privacy@novalab.clinic

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated.

© 2025 NOVALAB HUMAN PERFORMANCE CLINIC LLC. All Rights Reserved.
