Privacy Policy

Last updated: April 7, 2026

This Privacy Policy explains how Norm Health LLC (“Norm,” “we,” “our,” or “us”) collects, uses, and safeguards your information when you use our website and telehealth services. We operate in the United States and are based in California.

What we collect

• Account & contact info (e.g., name, email).
• Health information you provide for care (e.g., medical history, medications, allergies, goals, and age).
• Usage data (device/browser info, pages viewed) and cookies/analytics.
• Payment data processed by our payment partner (we don’t store full card numbers).

How we use information

• Deliver telehealth services, including clinical evaluation and care coordination.
• Operate, improve, and secure our website and services.
• Communicate with you about your account, care, and support.
• Comply with legal, regulatory, and security requirements.

HIPAA & PHI

When we receive or create health information in connection with your care, we treat it as Protected Health Information (“PHI”) subject to HIPAA. Please also review our Notice of Privacy Practices for details on how we use and disclose PHI for treatment, payment, and health care operations.

Sharing

• Service providers under agreements (including HIPAA Business Associate Agreements where applicable).
• Clinicians & pharmacies to deliver your care and fulfill prescriptions.
• Legal/Compliance if required by law, regulation, or to protect safety and security.

Cookies & analytics

We may use cookies and similar technologies to remember preferences and understand site usage. You can adjust browser settings to manage cookies; some features may be limited if disabled.

Data retention

We retain information as required by law and for legitimate business and clinical purposes. PHI may be retained consistent with medical record retention requirements.

Your choices

• Update your account information by contacting support.
• Opt out of non-essential emails using unsubscribe links or by contacting us.
• For PHI rights (access, amendments, restrictions), see our HIPAA Notice.

California disclosures (CCPA/CPRA)

For information covered by HIPAA, the CCPA/CPRA generally does not apply. For other personal information, you may have rights to know, delete, or correct certain data. To exercise CA rights, contact us at support@normwellness.com.

Age restrictions

Our services are intended for adults 18 years of age and older. We do not knowingly collect or maintain information from individuals under 18. If we learn that we have inadvertently received information from a person under 18, we will delete it promptly.

Security

We use administrative, technical, and physical safeguards to protect your information. Specifically:

• Encryption at rest: Sensitive health information (including names, medications, dosages, weight, and clinician notes) is encrypted with AES-256-GCM in our database.
• Encryption in transit: All connections to our website and APIs use TLS.
• Access controls: Patient-facing pages and clinician tools require authentication. Internal access to PHI is logged in an immutable audit trail.
• PHI minimization in communications: Our emails, error logs, and analytics never include patient names, medications, dosages, or other identifying health details. Clinician notifications contain only a secure link to the in-app dashboard.

No system is 100% secure, but we follow industry best practices and continually improve our safeguards.

Changes to this policy

We may update this policy. We will revise the “Last updated” date above and post the new version on this page.

Contact us

Email: support@normwellness.com