Consumer Health Data Privacy Policy
Last Updated: March 26, 2026
Luminous Medical Solutions LLC, doing business as Priveya
Introduction and Scope
This Consumer Health Data Privacy Policy (“CHD Policy”) supplements the Priveya Privacy Policy (the “Privacy Policy”) and applies specifically to personal data that qualifies as “Consumer Health Data” (“CHD”) under the Washington State My Health MY Data Act (“MHMDA”), Nevada’s Consumer Health Data Privacy Law (“Nevada CHD Law”), Connecticut’s Data Privacy Act (“CTDPA”), and any other applicable state consumer health data privacy laws (collectively, the “CHD Laws”). Undefined capitalized terms in this CHD Policy have the meanings assigned to them in the Privacy Policy.
This CHD Policy is intended to provide you with clear, detailed information about how Luminous Medical Solutions LLC, doing business as Priveya (“Priveya,” “we,” “us,” or “our”), collects, uses, shares, and protects your Consumer Health Data, and to explain the rights available to you under the CHD Laws. For general information about how we handle your personal information, please review our full Privacy Policy at www.priveya.com.
This CHD Policy applies to residents of Washington State, Nevada, Connecticut, and any other state that enacts a consumer health data privacy law that applies to Priveya’s operations, to the extent required by those laws. Residents of other states should refer to the applicable state-specific sections of our Privacy Policy for information about their data rights.
This Policy Contains the Following Sections:
Definition of Consumer Health Data
“Consumer Health Data” or “CHD” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. As defined under the MHMDA and similar laws, CHD is broadly construed and includes the categories described in Section 2 below.
CHD does not include protected health information (“PHI”) that is collected, maintained, or used by Priveya in its capacity as a HIPAA-covered entity or business associate, to the extent that HIPAA governs such data. To the extent any data is subject to both HIPAA and a CHD Law, we will apply the more protective standard where applicable.
Categories of Consumer Health Data We Collect
Depending on how you interact with the Services and the applicable law in your jurisdiction, we may collect the following categories of CHD:
Your Relationship with Priveya
Priveya does not provide medical services. Priveya is a technology platform that facilitates your access to independent, licensed healthcare Providers who are contracted with or employed by Priveya’s affiliated physician practices. Priveya does not employ Providers in their clinical capacity, does not supervise or direct clinical decision-making, and does not practice medicine. All clinical decisions, diagnoses, treatment recommendations, and prescribing are made exclusively by independent licensed Providers exercising their own professional judgment.
The health, wellness, and educational resources available through the Services are for informational purposes only and are not a substitute for in-person care in all cases, nor are they an indicator of specific results. The decision to pursue a diagnosis or a particular treatment rests with you and your Provider. By consulting with a Provider through the Services, you are not entering into a provider-patient relationship with Priveya itself.
Except for specific clinical communications received from a Provider through the platform, nothing you receive through the Services constitutes medical advice. Priveya expressly disclaims any responsibility for the accuracy, completeness, or appropriateness of information you access through the Services other than information that is the direct output of an affiliated Provider’s clinical consultation with you.
- Individual health conditions, treatments, diseases, or diagnoses: Health conditions, symptoms, diagnoses, and treatment information you provide when seeking healthcare consultations or services through Priveya, including conditions related to weight management, reproductive health, and sexual health.
- Social, psychological, behavioral, and medical interventions: Information about your medical history, behavioral health background, lifestyle factors (such as diet, exercise habits, and substance use history), and any behavioral or medical interventions you disclose as part of your clinical intake.
- Health-related surgeries or procedures: Information about prior or planned health-related surgeries or procedures that you include in your medical history as part of the treatment services you seek through Priveya.
- Use or purchase of prescribed medication: Information about medications prescribed to you through the Services, medications you currently take that you disclose in your health intake, and any prescription history you provide. This includes GLP-1 receptor agonist medications, hormonal medications, contraceptives, STI/STD treatment medications, and other non-narcotic prescription medications.
- Bodily functions, vital signs, symptoms, or measurements: Physical measurements and health metrics you provide, such as your height, weight, body mass index (BMI), blood pressure readings, and other vital signs or physical characteristics relevant to your care.
- Diagnoses or diagnostic testing, treatment, or medication: Information about diagnostic tests you have taken or been ordered, including at-home and outpatient laboratory test results processed through the Services, and any diagnoses received in connection with such testing.
- Reproductive or sexual health information: Information about your reproductive health, menstrual cycle, hormonal health, contraception use (including emergency contraception), pregnancy history, fertility status, sexual activity, and sexual health, including STI/STD status, history, screening results, and treatment.
- Gender-affirming care information: Information related to gender-affirming care, to the extent included in your medical history or provided in connection with services you seek through Priveya.
- Data identifying a consumer seeking healthcare services: Information that, in combination with other data, identifies you as an individual seeking healthcare services, including account registration information, intake form submissions, and appointment or consultation records.
- Inferences derived from health information: Information derived or inferred from the above categories to assess, evaluate, or predict your health status, healthcare needs, or treatment suitability used only as necessary to provide the Services or as otherwise permitted by law.
- Laboratory test results: Results from at-home laboratory testing kits and outpatient laboratory tests facilitated through the Services, including but not limited to STI/STD panels, hormone panels, metabolic panels, and other diagnostic tests ordered by your Provider.
The categories above are broadly defined under the CHD Laws and are intended to be construed expansively. If you have questions about whether a specific type of information you provide qualifies as CHD, please contact us at privacy@priveya.com.
Sources of Consumer Health Data
As further described in our Privacy Policy, we collect CHD from the following sources:
- Directly from you: Information you provide when you register for an account, complete health intake questionnaires, submit symptom descriptions, upload clinical photographs, engage in consultations with Providers, request laboratory testing, or otherwise interact with the Services.
- Automatically through your use of the Services: Certain technical information collected automatically through cookies, tracking technologies, and usage analytics that may, in combination with other data, constitute CHD under applicable law.
- From independent licensed healthcare Providers: Clinical notes, treatment records, prescription information, and other health-related data generated by Providers in connection with your consultations through the Services.
- From laboratory partners: Laboratory test results returned to us from licensed third-party laboratory partners following at-home or outpatient testing facilitated through the Services.
- From third-party sources: Health-related information received from other third-party sources, such as identity verification providers or other healthcare organizations, to the extent such information constitutes CHD and its receipt is permitted by law.
Purposes for Collecting and Using Consumer Health Data
We collect and use CHD only for the following purposes, and only to the extent permitted by applicable law:
- To provide and manage the Services: Facilitating telehealth consultations between you and independent licensed Providers; coordinating at-home and outpatient laboratory testing and delivering results; supporting prescription management and refill services; operating and maintaining the platform; and verifying your identity.
- At your direction or with your consent: Sharing your CHD with third parties as you direct, or processing your CHD for purposes for which you have given explicit, informed consent, such as sharing your records with another healthcare provider or consenting to participate in health research.
- To analyze and improve the Services: Conducting internal research and quality improvement activities. Any research results shared externally will be in de-identified or aggregate form only, such that you cannot be individually identified.
- For legal and compliance purposes: Complying with applicable laws and regulations, including HIPAA, the CHD Laws, state telehealth regulations, and DEA requirements; responding to valid legal process; establishing, exercising, or defending Priveya’s legal rights; and detecting, investigating, and preventing fraud or security incidents.
- For advertising and marketing, subject to your consent: To the extent we use CHD for advertising or marketing purposes, we will do so only with your explicit, informed consent where required by applicable law. You may withdraw such consent at any time by contacting us at privacy@priveya.com.
We do not use your Consumer Health Data to infer or derive sensitive characteristics unrelated to the health services you have requested. We do not use CHD to discriminate against you in pricing, service availability, or quality of care.
How and Why We Share Consumer Health Data
We may share each of the categories of CHD described in Section 2 above. Any sharing of CHD is subject to applicable law, including applicable consent requirements. We share CHD only in the following circumstances and with the following categories of recipients:
| Category of Recipient | Purpose of Sharing | Consent Required? |
| Independent licensed healthcare Providers affiliated with Priveya | To facilitate your clinical consultations, treatment, and care coordination | Your consent to receive telehealth services constitutes consent; no separate consent required for treatment purposes |
| Licensed third-party laboratory partners | To process your at-home or outpatient lab tests and return results to your Provider | Your request for lab testing constitutes consent; no separate consent required |
| Service providers (e.g., cloud hosting, IT security, payment processing, customer support) | To operate and maintain the platform and deliver Services to you; service providers are contractually prohibited from using your CHD for any other purpose | No separate consent required; processing is limited to service delivery |
| Advertising networks and marketing partners | To deliver relevant advertising or marketing about Priveya’s services | Your explicit, affirmative consent is required before sharing CHD with advertising networks. We do not share PHI or identifiable health data for advertising without consent. |
| Governmental or regulatory authorities | To comply with applicable law, valid legal process (e.g., court orders, subpoenas), or regulatory obligations | No separate consent required where legally compelled; we will notify you of legal process to the extent permitted by law |
| Successor entities in a business transfer | In connection with a merger, acquisition, or sale of all or substantially all of Priveya’s assets | We will provide notice of any change in data handling and obtain consent where required by applicable law |
| Other healthcare providers, at your direction | To transfer your health records to another healthcare provider of your choosing | Your explicit, written direction and consent is required |
| Other users or the public, at your direction | If you choose to share information publicly through any community or forum features of the Services | Your voluntary disclosure constitutes consent; once shared publicly, Priveya cannot control further use |
As described in our Privacy Policy, we reserve the right to create Aggregate/De-Identified Data from CHD collected through the Services and to use or disclose such data at our discretion. We maintain a policy of not attempting to re-identify de-identified information, and we contractually prohibit third parties from doing so.
Consumer Health Data We Do Not Sell or Share for Advertising
Priveya does not sell your Consumer Health Data to third parties. Priveya does not share Consumer Health Data for cross-context behavioral advertising or targeted advertising without your explicit, affirmative consent.
Specifically:
- We do not sell CHD including reproductive health data, STI/STD information, hormone health data, weight management records, or laboratory results to any third party for monetary or other valuable consideration.
- We do not share CHD with advertising networks, data brokers, or data aggregators for the purpose of targeting advertising to you based on your health status or healthcare-seeking behavior, without your explicit prior consent.
- We do not use geofencing or location-based tracking technologies to identify individuals seeking healthcare services at specific locations (see Section 7 below).
- We do not use your CHD to build profiles about you for the purpose of selling those profiles or sharing them with data brokers.
- We do not knowingly sell or share the CHD of individuals under the age of 18.
To the extent our use of third-party analytics or advertising tools results in the sharing of online identifiers (such as cookie data or IP addresses) that could be considered CHD under applicable law, we will obtain your consent before enabling such sharing, or we will apply technical measures to exclude health-related data from such sharing.
Geofencing Prohibition
In accordance with the MHMDA and similar laws, Priveya does not use geofencing technology to establish a virtual boundary around any healthcare facility or location including clinics, hospitals, pharmacies, reproductive health centers, or any other medical facility for the purpose of identifying, tracking, or collecting CHD from individuals who enter or are near such locations.
We also do not contract with or direct any third party to engage in geofencing of healthcare facilities on our behalf for the purpose of collecting or using CHD.
Security of Consumer Health Data
Priveya implements administrative, technical, and physical security measures specifically designed to protect CHD against unauthorized access, use, disclosure, alteration, or destruction. These measures include:
- Encryption of CHD in transit and at rest using industry-standard protocols;
- Role-based access controls limiting access to CHD to personnel with a documented need to access such data;
- Audit logging of access to and modifications of CHD;
- Contractual data protection obligations imposed on all service providers and laboratory partners who access CHD on our behalf;
- Regular security assessments and vulnerability testing; and
- Incident response procedures designed to detect, contain, and remediate security incidents promptly.
Despite these measures, no electronic system is completely immune to security incidents. In the event of a breach affecting your CHD, Priveya will notify affected individuals and applicable regulatory authorities as required by applicable law, including the breach notification requirements of the MHMDA, HIPAA, and applicable state breach notification statutes.
Retention of Consumer Health Data
We retain CHD for no longer than is necessary for the purposes for which it was collected, subject to applicable legal retention requirements. Factors we consider in determining retention periods include:
- The purpose for which the CHD was collected and whether that purpose has been fulfilled;
- Applicable medical record retention requirements under federal and state law, including HIPAA and state telehealth and medical records statutes;
- Our legitimate interests in maintaining complete records to support ongoing care, respond to legal claims, or comply with regulatory obligations; and
- Any applicable statute of limitations for potential legal claims.
When CHD is no longer required for any of the above purposes, we will securely delete, destroy, or de-identify it in accordance with our data retention policies and applicable law. Requests for deletion of CHD prior to the end of our standard retention period will be honored to the extent required by applicable law and consistent with our legal obligations, including our obligations to retain medical records.
Your Rights Under the CHD Laws
Subject to applicable exceptions, the CHD Laws extend certain rights to individuals with respect to their Consumer Health Data. Your available rights depend on your state of residence. The following table summarizes key rights by state:
Right | Washington (MHMDA) | Nevada (CHD Law) | Connecticut (CTDPA) |
Confirm collection / sharing / selling | ✓ Yes | ✓ Yes | ✓ Yes |
Access your CHD | ✓ Yes | ✓ Yes | ✓ Yes |
Correct inaccuracies in your CHD | ✓ Yes | Limited | ✓ Yes |
Delete your CHD | ✓ Yes | ✓ Yes | ✓ Yes |
Withdraw consent to collection or sharing | ✓ Yes | ✓ Yes | ✓ Yes |
Opt out of sale of CHD | ✓ Yes | ✓ Yes | ✓ Yes |
Data portability (copy in portable format) | ✓ Yes | Limited | ✓ Yes |
Appeal a denial of your request | ✓ Yes | ✓ Yes | ✓ Yes |
Exceptions to These Rights
Your rights under the CHD Laws may be subject to exceptions under applicable law. For example, we may decline a deletion request if retention of the CHD is required:
- To comply with applicable federal or state law, including HIPAA medical record retention requirements;
- To complete a transaction you have initiated or to fulfill a service you have requested;
- To detect, investigate, or prevent security incidents, fraud, or illegal activity;
- To protect the vital interests of you or another individual; or
- To establish, exercise, or defend legal claims.
Where we deny a request in whole or in part, we will explain the basis for the denial and inform you of your right to appeal.
How to Exercise Your Rights
To submit a request to exercise any of the rights described in Section 10, please contact us at:
Email: privacy@priveya.com
Subject line: “Consumer Health Data Rights Request”
Your request must include:
- Your full name and the email address associated with your Priveya account;
- The specific right(s) you wish to exercise; and
- Any additional information reasonably necessary to verify your identity and process your request.
We will respond to verified requests within the timeframe required by applicable law generally 45 days from receipt of a complete, verified request, with the possibility of a single 45-day extension where permitted and where we provide timely notice of the extension.
Identity Verification
Before processing your request, we must verify your identity to ensure that CHD is not disclosed to, modified by, or deleted at the direction of an unauthorized party. We will use reasonable means to verify your identity, which may include confirming information associated with your account. We will never ask you to provide your password, full Social Security number, or full financial account number during this process.
If you use an authorized agent to submit a request on your behalf, we may require written proof of the agent’s authorization before processing the request.
Priveya will not discriminate against you for exercising your rights under the CHD Laws. We will not deny you services, charge you different prices, or provide you with a different level of service quality because you exercised your privacy rights.
Appeals
If we deny your request in whole or in part, you may appeal our decision by contacting us at privacy@priveya.com with the subject line “Consumer Health Data Rights Appeal.” Your appeal must include:
- Your full name and account email address;
- A copy of the denial notice you received from us; and
- A description of why you believe the denial was incorrect.
We will respond to your appeal within the timeframe required by applicable law. If your appeal is denied, you may contact the appropriate regulatory authority in your state:
State | Regulatory Authority |
Washington | Washington State Attorney General — www.atg.wa.gov/file-complaint |
Nevada | Nevada Attorney General — ag.nv.gov/Complaints/File_Complaint |
Connecticut | Connecticut Attorney General — www.dir.ct.gov/ag/complaint/e-complaint.aspx |
State-Specific Provisions
Washington State My Health MY Data Act (MHMDA)
The MHMDA provides Washington residents with the most comprehensive state-level consumer health data protections currently in effect. In addition to the rights described in Section 10, Washington residents have the following additional protections:
- Consent requirement: Priveya will obtain your explicit, written consent before collecting or sharing CHD for any purpose other than providing the healthcare services you requested or as otherwise required by law.
- Geofencing prohibition: As described in Section 7, we do not use geofencing around healthcare facilities to identify or track individuals seeking care.
- No secondary use without consent: We will not use your CHD for purposes materially different from those for which it was originally collected without obtaining your separate consent.
- Small entity provisions: Priveya is committed to compliance with the MHMDA regardless of revenue or data volume thresholds.
Nevada Consumer Health Data Privacy Law
Nevada’s Consumer Health Data Privacy Law applies to entities that conduct business in Nevada or target Nevada consumers and that collect CHD. Nevada residents have the rights described in Section 10 above. In addition:
- Consent is required before Priveya sells CHD or shares CHD for targeted advertising.
- Nevada residents may submit opt-out requests at any time, even if no active sale of CHD is occurring, and we will maintain the request in the event our practices change.
Connecticut Data Privacy Act (CTDPA)
The CTDPA extends privacy rights to Connecticut residents with respect to personal data, including CHD. Connecticut residents have the rights described in Section 10 above. In addition:
- Consent is required before processing CHD for targeted advertising, sale, or certain other secondary purposes.
- Connecticut residents have the right to opt out of the processing of their CHD for targeted advertising or profiling purposes that produce legal or similarly significant effects.
Other States
Additional state consumer health data privacy laws may be enacted or become effective after the date of this CHD Policy. Priveya is committed to monitoring developments in applicable law and updating our practices and policies as necessary to comply with new requirements. If you reside in a state that enacts a consumer health data privacy law applicable to Priveya’s operations, the protections and rights described in that law will apply to you to the extent required.
Updates to This CHD Policy
We reserve the right to update or modify this CHD Policy at any time to reflect changes in applicable law, our data practices, the features of the Services, or advances in technology. We will make the revised CHD Policy accessible through the Services and update the “Last Updated” date at the top of this document. Where required by applicable law, we will provide you with prior notice of material changes by email or through a prominent in-platform notification.
Your continued use of the Services after a revised CHD Policy becomes effective constitutes your acknowledgment of the changes. If you do not agree to the revised CHD Policy, you must discontinue your use of the Services. You are responsible for reviewing this CHD Policy periodically.
Contact Us
If you have questions, concerns, or requests regarding this CHD Policy or Priveya’s consumer health data practices, please contact us:
Priveya / Luminous Medical Solutions LLC
Privacy inquiries: privacy@priveya.com
General support: support@priveya.com
Website: www.priveya.com
For requests specifically related to your Consumer Health Data rights, please use the subject line “Consumer Health Data Rights Request” when emailing us, to ensure your request is routed appropriately and handled within the required timeframe.