Overview
This Privacy Policy explains how Ody Health, a Wyoming corporation (“Ody Health,” “Ody,” “we,” “us,” or “our”), collects, uses, discloses, and protects information when you visit odyhealth.co, use our intake flow, communicate with us, or access services made available through our platform.
Ody Health is a technology and administrative platform that helps adults connect with independent licensed medical providers and third-party pharmacies, laboratories, and related health service providers. Ody Health does not practice medicine, prescribe medication, dispense medication, operate a pharmacy, or make clinical decisions. Medical services are provided only by independent licensed clinicians, including clinicians affiliated with OpenLoop or similar provider networks.
By using Ody Health, you acknowledge that you have read this Privacy Policy and understand how we handle information as described below.
Information we collect
We collect information that you provide directly, information generated through your use of our platform, and information we receive from service providers, clinical partners, pharmacies, laboratories, payment processors, and other third parties involved in making services available to you.
This may include your name, email address, phone number, date of birth, sex, shipping address, billing details, account credentials, identity verification information, health goals, symptoms, medical history, medications, allergies, lab information, clinician communications, order status, customer support communications, and other information you choose to submit through the platform.
We also collect technical and usage information, including IP address, device identifiers, browser type, operating system, pages viewed, referring URLs, session activity, approximate location derived from IP address, and other analytics or log data used to operate, secure, improve, and measure the performance of the platform.
How we use information
We use information to operate Ody Health, maintain your account, support the intake and eligibility process, coordinate with independent licensed providers, facilitate lab testing and pharmacy fulfillment where ordered by a provider, process payments, provide customer support, communicate with you, maintain records, prevent fraud, improve the platform, and comply with legal, regulatory, contractual, and safety obligations.
We may also use non-health contact information to send service updates, renewal notices, administrative messages, educational content, and marketing communications. You may opt out of marketing emails at any time by using the unsubscribe link in the email or contacting us. Even if you opt out of marketing, we may still send transactional or service-related messages.
Health information and protected health information
Some information you provide may be health-related information and, in some circumstances, may be protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). HIPAA may apply to certain information when it is created, received, maintained, or transmitted by or on behalf of a covered health care provider or another HIPAA-regulated entity.
Ody Health may receive, maintain, or transmit health information in order to help facilitate services between you and independent licensed providers, laboratories, pharmacies, and related service providers. We use and disclose health information only as permitted by applicable law, contractual obligations, provider instructions, your authorizations, and operational needs related to providing and supporting the platform.
We do not sell PHI. We do not use PHI for advertising targeting where prohibited by law. We do not make clinical decisions or determine whether a medication, lab test, or treatment is medically appropriate for you.
Independent providers, pharmacies, and laboratories
Ody Health works with independent licensed providers, provider networks (such as Ola Digital Health), pharmacies, and laboratories. These partners are separate legal entities from Ody Health and maintain their own governance, compliance obligations, privacy practices, and legal responsibilities.
Vetting and Compliance Standards: Before engaging any clinical partner, pharmacy, or laboratory, Ody Health conducts due diligence to verify licensure, credentials, regulatory compliance, data security practices, and service quality standards. For full details about Ody Health’s partner vetting standards, compliance requirements, and ongoing monitoring procedures, please see the Partner and Affiliate Vetting and Compliance Policy at odyhealth.co/partner-vetting.
Business Associate Agreements: All partners that handle protected health information are required to sign Business Associate Agreements (“BAAs”) that impose HIPAA Security Rule and privacy obligations. BAAs establish contractual requirements for data security, safeguards, incident notification, and audit rights.
Clinical Relationships: When you receive clinical services through Ody Health, the clinical relationship is between you and the independent licensed provider. The provider is responsible for clinical decision-making, prescription issuance, medical judgment, and compliance with state medical board regulations and telehealth laws. Ody Health does not make clinical decisions or direct clinical care.
Prescription and Pharmacy Services: When a provider issues a prescription, the prescription is sent to an independent pharmacy for dispensing and fulfillment. The pharmacy is responsible for validating the prescription, checking for drug interactions and contraindications, preparing medication, providing pharmacy labeling and instructions, and shipping medication directly to you. The pharmacy is separate from Ody Health. Ody Health does not possess, compound, dispense, or ship medications.
Laboratory Services: Laboratory testing is provided by independent laboratory facilities. The laboratory is responsible for conducting tests, ensuring test quality, and providing accurate results. The laboratory is separate from Ody Health.
Privacy Practices of Partners: Partners maintain their own privacy practices and may collect, use, and disclose your information in accordance with their own privacy policies and legal obligations. You may have separate privacy relationships with providers, pharmacies, and laboratories, and they may maintain separate patient records and notices of privacy practices. Ody Health is not responsible for the privacy practices of independent partners, but all partners that handle PHI are contractually required to comply with HIPAA or equivalent privacy safeguards through Business Associate Agreements.
Service providers and subprocessors
Ody Health uses third-party service providers to operate the platform and support service delivery. Service providers include cloud infrastructure providers, payment processors, email and communication providers, analytics and logging providers, job queue systems, and other vendors that provide hosting, infrastructure, operational, compliance, or support services.
Current Service Providers: Service providers engaged by Ody Health include Fly.io (cloud infrastructure and Postgres database hosting), Stripe (payment processing), Resend (email delivery), Anthropic (AI-powered intake assessment), Inngest (job queue), Axiom (log management and analysis), and other vendors as listed in Ody Health’s current vendor roster.
Vetting and Security Standards: Before engaging a service provider that processes personal information or health information, Ody Health conducts security due diligence, including review of security practices, available security certifications (such as SOC 2 Type II or ISO 27001), completion of security questionnaires, and assessment of data handling practices. For full details about Ody Health’s vendor vetting standards, see the Partner and Affiliate Vetting and Compliance Policy at odyhealth.co/partner-vetting.
Business Associate Agreements: Service providers that handle protected health information are required to sign Business Associate Agreements (“BAAs”) that impose HIPAA-compliant security, privacy, and incident notification obligations. BAAs establish that vendors will use information only for purposes specified by Ody Health, maintain appropriate safeguards, maintain audit logs, report security incidents, and allow audits of compliance.
De-Identified Information: For Anthropic Claude (recommendation engine), Ody Health implements HIPAA Safe Harbor de-identification (45 CFR § 164.514(b)(2)) before transmitting information. Only de-identified information—such as age, sex, clinical measurements, symptoms from structured lists, and medication names—is transmitted. Personal identifiers (name, address, contact information, payment information) are never transmitted. Because the information is de-identified under HIPAA Safe Harbor, a BAA is not required for this vendor.
Contractual Requirements: All service provider agreements include provisions requiring vendors to maintain administrative, technical, and physical safeguards appropriate to the nature of information processed, implement and maintain access controls, maintain audit logs of information access and use, notify Ody Health of security incidents, return or securely delete information upon termination, and allow Ody Health to audit compliance as permitted by law and contract.
Vendor Changes: Ody Health’s vendor roster may change as the business evolves. When Ody Health adds new service providers that will process personal information or health information, appropriate security vetting and contractual protections (including BAAs where applicable) are implemented before the vendor begins processing information.
Your privacy rights
Depending on where you live and the type of information involved, you may have rights to access, correct, delete, restrict, or receive a copy of certain personal information. You may also have the right to opt out of certain uses or disclosures, including some marketing communications.
If information is PHI maintained by or on behalf of a covered health care provider, your HIPAA rights may include the right to request access, amendments, restrictions, confidential communications, an accounting of disclosures, and a copy of the applicable Notice of Privacy Practices.
To exercise privacy rights, contact us at info@odyhealth.co. We may need to verify your identity before fulfilling a request. We may deny or limit requests where permitted by law, including where information must be retained for legal, clinical, safety, fraud prevention, tax, accounting, or compliance purposes.
California privacy rights
California residents may have additional rights under California privacy laws, including rights to know, access, correct, delete, and receive information about certain categories of personal information collected, used, disclosed, or shared. California residents may also have the right to opt out of certain sharing or selling of personal information, where applicable.
Ody Health does not sell PHI. We do not sell personal information for money. We may use analytics, advertising, or marketing technologies that could be considered a “share” of personal information under some privacy laws. Where required, we will provide an appropriate opt-out mechanism.
We will not discriminate against you for exercising privacy rights. To submit a California privacy request, contact info@odyhealth.co.
Data retention
We retain information for as long as reasonably necessary to provide the platform, maintain your account, support clinical coordination, comply with legal and regulatory obligations, resolve disputes, prevent fraud, enforce agreements, maintain business records, and satisfy tax, accounting, security, and operational needs.
Clinical records, prescription records, laboratory records, payment records, and related service records may be retained by independent providers, pharmacies, laboratories, and other third parties according to their own legal and professional obligations.
Security
We use reasonable administrative, technical, and physical safeguards designed to protect information against unauthorized access, loss, misuse, alteration, and disclosure. These safeguards may include encryption, access controls, logging, vendor review, network security, secure hosting, and internal policies appropriate to the nature of the information.
No method of transmission or storage is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly if you believe your account has been accessed without authorization.
Children
Ody Health is intended only for adults who are at least 18 years old. We do not knowingly collect personal information from children under 18. If you believe a minor has provided information to us, contact info@odyhealth.co so we can review and take appropriate action.
U.S. use only
Ody Health is intended for use only in the United States. If you access the platform from outside the United States, you understand that information may be processed and stored in the United States, where privacy laws may differ from those in your jurisdiction.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and provide notice as required by law, which may include posting the revised policy on odyhealth.co or sending a notice to the email address associated with your account.
How we use AI to support your care
Ody Health uses an AI recommendation engine during portions of the intake process to generate a preliminary clinical assessment for physician review.
Information transmitted to the AI recommendation engine is limited to de-identified clinical information, which may include age, sex, body measurements, symptoms selected from structured intake lists, self-assessment scores, and current medications identified by name.
Personal identifiers, including your name, address, contact information, date of birth, and payment information, are not transmitted to the AI recommendation engine.
Any AI-generated recommendation is advisory only and is reviewed by a licensed physician before any treatment decision, prescription, or clinical recommendation is made.
Ody Health’s de-identification process is designed to follow the HIPAA Safe Harbor standard described in 45 CFR 164.514(b)(2).
Contact us
If you have questions about this Privacy Policy or our privacy practices, contact us at info@odyhealth.co or by mail at:
Ody Health
Attn: Privacy
1309 Coffeen Avenue STE 1200
Sheridan, Wyoming 82801