Free consultation with specialists
Comprehensive bloodwork included
Discreet delivery to your door
Physician-monitored protocols
Pharmaceutical-grade compounds
24/7 medical support
Free consultation with specialists
Comprehensive bloodwork included
Discreet delivery to your door
Physician-monitored protocols
Pharmaceutical-grade compounds
24/7 medical support
Free consultation with specialists
Comprehensive bloodwork included
Discreet delivery to your door
Physician-monitored protocols
Pharmaceutical-grade compounds
24/7 medical support
Free consultation with specialists
Comprehensive bloodwork included
Discreet delivery to your door
Physician-monitored protocols
Pharmaceutical-grade compounds
24/7 medical support

Legal

Privacy Policy

This policy explains how Oriah Wellness LLC collects, uses, processes, discloses, and protects your personal information.

Effective: December 16, 2025Last updated: February 4, 2026

1. Introduction and Scope of This Policy

1.1 Our Commitment to Your Privacy

Oriah Wellness LLC (“Oriah,” “we,” “us,” or “our”) provides physician-supervised wellness and telehealth services, including weight-loss, longevity, hormone, and related care delivered with independent, state-licensed providers. Safeguarding your personal data is fundamental to how we operate. This Privacy Policy explains the collection, use, processing, disclosure, and protection of your personal information, consistent with the Delaware Personal Data Privacy Act (DPDPA), the Health Insurance Portability and Accountability Act (HIPAA), and other applicable state and federal regulations.

1.2 Applicability of This Policy

This policy applies to information we handle in connection with:

  • Our website and online properties (including oriahwellness.com);
  • The individuals who inquire about, apply for, or use our wellness and telehealth services; and
  • Information processed to support care delivered through our affiliated, independently licensed medical providers.

Our services are intended for residents of the United States only and are not directed to individuals under the age of 16.

2. Understanding Our Roles: Data Controller and Data Processor

2.1 Oriah as a Data Controller

We act as a Data Controller — determining the purposes and means of processing — when, for example:

  • You visit our website and we collect analytics, marketing, and device information;
  • You provide contact, account, or billing information to inquire about or use our services; and
  • You communicate with our support or member-experience teams.

In this role, Oriah bears direct responsibility for complying with applicable privacy laws.

2.2 Independent Providers and HIPAA

Clinical care is provided by independent, state-licensed healthcare providers and affiliated professional medical groups, who make all medical decisions. Where those providers are HIPAA “Covered Entities,” they act as the controllers of your Protected Health Information (PHI), and Oriah supports them as a Business Associate under a Business Associate Agreement (BAA), handling non-clinical operations and implementing HIPAA-mandated privacy and security safeguards. For details on how your PHI is handled in the clinical relationship, please consult your provider’s Notice of Privacy Practices.

3. The Personal Information We Collect and Process

3.1 Information We Collect as a Data Controller

Account and Contact Information. Identity and contact details such as your first and last name, email address, phone number, and mailing address.

Financial and Transactional Information. Payment card information, billing address, and transaction history. Payments are processed through our PCI-compliant payment processor (Stripe); we do not store full payment card numbers.

Communications. Records of your email, phone, and website contact-form interactions, including support and sales inquiries.

Website Usage and Marketing Data. Technical and device data (IP address, browser type and version, operating system, device identifiers, time zone, and language preferences via server logs); usage and interaction data (page views, link clicks, time spent, and referral sources via analytics tools such as Google Analytics and Vercel Analytics); and marketing/advertising data (ads viewed or clicked, conversions, and audience data via technologies such as the Meta Pixel and Google Ads cookies). Marketing data is often pseudonymous and tied to a browser or device identifier.

3.2 Health and Sensitive Information

To facilitate care with our licensed providers, the following categories of sensitive personal information and PHI may be collected and processed:

  • Profile data: name, date of birth, gender, physical address, email, and phone number, along with account credentials (usernames and hashed, salted passwords).
  • Health and medical information: patient-reported symptoms, medical history, diagnoses, mental-health information, treatment plans, prescriptions, lab results, and provider notes.
  • Telehealth session data: chat logs, consultation transcripts, and (where applicable) video or audio recordings.
  • Insurance and billing: carrier, policy or group numbers, and related billing information.
  • Other sensitive data: precise geolocation and racial or ethnic origin data, as defined under the DPDPA.

3.3 Transactional and Scheduling Data

  • Appointment data: scheduled, past, and upcoming dates and times, and your assigned provider.
  • Payment data: co-pays, deductibles, and service fees, processed through Stripe for PCI DSS compliance.

4. How and Why We Use Your Personal Information

We use the personal information we control for the following purposes, each supported by a lawful basis such as performance of a contract, our legitimate interests, your consent, or compliance with a legal obligation:

  • Provide, manage, and deliver our wellness and telehealth services;
  • Process payments and manage your account;
  • Communicate with you about your care, applications, and inquiries;
  • Operate marketing and advertising, where permitted, using non-essential cookies subject to your consent;
  • Analyze and improve our website and services;
  • Secure our systems and prevent fraud; and
  • Comply with our legal and regulatory obligations.

We do not use sensitive health information collected to facilitate your care for our own marketing or advertising. The purposes for which your clinical information is used in the treatment relationship are determined by your licensed provider.

5. How We Disclose or “Share” Your Personal Information

We do not sell your personal information for money. We may disclose information as described below.

5.1 To Service Providers (Sub-processors)

We share information with trusted vendors who are contractually bound by Data Processing Agreements to protect your data and use it only to perform services for us, including cloud hosting and infrastructure (e.g., AWS, Vercel), payment processing (e.g., Stripe), analytics (e.g., Google Analytics), and authentication and commerce tooling.

5.2 To Advertising Partners

We may share pseudonymous technical and usage data with advertising partners such as Meta and Google through tracking technologies to measure campaigns and deliver relevant advertising. You can opt out as described in Section 6.

5.3 In Connection with a Business Transaction

If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred subject to standard confidentiality protections.

5.4 As Required by Law

We may disclose information where necessary to comply with a legal obligation, subpoena, court order, or lawful request by a public authority.

5.5 To Your Care Team

Information you provide to obtain care is made available to the independent, licensed providers responsible for your treatment. Clinical data is stored within HIPAA-compliant, BAA-secured infrastructure.

5.6 Mobile Information

We do not share your mobile information with third parties or affiliates for their marketing or promotional purposes. Text messaging originator opt-in data and consent are not shared with any third party for any purpose.

6. Your Privacy Rights and How to Exercise Them

6.1 Your Rights

Depending on where you live, you may have the right to:

  • Know and access the personal information we have collected, including categories, sources, purposes, and the recipients of any disclosures;
  • Correct inaccurate personal information;
  • Delete personal information, subject to legal exceptions (for example, completing a transaction, complying with law, or maintaining security);
  • Port your data by receiving it in a portable, readily usable format;
  • Opt out of the sale or sharing of personal information and of targeted (cross-context behavioral) advertising;
  • Limit the use of sensitive personal information to what is reasonably expected to provide our services (in certain jurisdictions, such as California); and
  • Non-discrimination for exercising your privacy rights.

6.2 How to Exercise Your Rights

To submit a request regarding information we control, email us at privacy@oriahwellness.com. To opt out of the sale or sharing of personal information, you may use our “Do Not Sell or Share My Personal Information” mechanism and enable a universal opt-out preference signal (such as Global Privacy Control) in your browser; we honor recognized signals. For requests concerning health information held in your clinical relationship, please contact your licensed provider, whom we will assist as needed.

Verification. To protect your privacy, we verify your identity before fulfilling a request by matching information you provide (such as your name and email) against our records.

7. Our Commitment to Data Security and Integrity

We maintain administrative, technical, and physical safeguards designed to protect your information:

  • Administrative: a formal information security program led by a designated Data Protection Officer, mandatory employee privacy and security training, regular risk assessments, and a tested incident-response plan.
  • Technical: encryption in transit (strong TLS) and at rest (AES-256 or equivalent), strict role-based access controls under the principle of least privilege with access logging, and network protections including firewalls, intrusion detection/prevention, vulnerability scanning, and penetration testing.
  • Physical: data is hosted in facilities (such as AWS data centers) that provide world-class physical security, including biometric access controls, 24/7 surveillance, and environmental controls.

8. Data Retention and Deletion

We retain personal information only as long as necessary for the purposes for which it was collected or as required for legal, accounting, or reporting obligations. Account, contract, and financial records are generally retained for the duration of the relationship plus the period required by tax and corporate law (typically up to seven years). Marketing data is retained until you opt out or become inactive. Health information is retained in accordance with the requirements applicable to your provider, including HIPAA. When information is no longer needed, it is securely returned, deleted, or destroyed.

9. International Data Transfers

While our services are directed to the United States, some of our service providers operate globally, which may result in cross-border transfers of data. Where this occurs, we rely on appropriate legal mechanisms to protect your information, such as the EU-U.S. Data Privacy Framework (where applicable) and Standard Contractual Clauses approved by the European Commission.

10. Children’s Privacy

Our services are not directed to, or intended for, individuals under the age of 16, and we do not knowingly collect personal information from children under 16. If we learn that we have inadvertently collected such information without verifiable parental consent, we will take steps to delete it promptly.

11. Cookies, Tracking Technologies, and Analytics

Cookies are small text files placed on your device, and pixels are tiny images used to track activity. We use strictly necessary cookies for core site functions and security; performance and analytics cookies to understand usage and improve our site; functional cookies to remember your preferences; and targeting/advertising cookies to show relevant Oriah ads on other websites. You can accept or reject non-essential cookies through our cookie banner and manage cookies further through your browser settings and the opt-out tools described in Section 6.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for operational, legal, or regulatory reasons. When we make material changes, we will post the updated policy here with a revised “Last updated” date, and we may provide additional notice (for example, by email) where appropriate.

13. How to Contact Us

For questions, concerns, complaints, or to exercise your rights, please contact:

Oriah Wellness LLC

Attn: Data Protection Officer

901 N Market Street, Suite 100

Wilmington, DE 19801

Email: privacy@oriahwellness.com

A note on medical care

Oriah Wellness LLC does not provide medical advice and does not practice medicine. All consultations, diagnoses, prescriptions, and medical decisions are made by independent, state-licensed healthcare providers. This website and our services do not replace a consultation with a licensed clinician.