Privacy Policy
Your Privacy Matters to Us
We’re committed to protecting your personal information and being transparent about how we use it.
Last updated: May 2026
Privacy Summary
What We Collect
- Information you provide (contact details, account details, identifiers you supply to submit privacy requests)
- Identity verification information (documents, photos, and verification results from our identity verification provider)
- Information generated through your use of the Services (request history, recipient responses, statuses, logs)
- Device and usage data (cookies, analytics, IP address, browser/device information)
How We Use It
- To provide and operate the Services (including preparing and submitting privacy requests you direct)
- To verify your identity and prevent fraud
- To communicate with you and provide support
- To improve, secure, and maintain the Services
- To comply with legal obligations and enforce our terms
How We Share It
- With service providers that help us run the Services (e.g., payment processing, email delivery, hosting, identity verification, AI processing)
- With recipients you choose (providers, pharmacies, PBMs, insurers, labs, HIEs, data brokers, etc.) to process your requests
- For legal/safety reasons (as required by law, to prevent fraud/abuse, to protect rights)
We do not sell your personal information. We do not “share” personal information for cross-context behavioral advertising as that term is defined under certain state laws.
1. Who We Are
This Privacy Policy describes how Healthnode Inc., a corporation doing business as HealthConsent® (“HealthConsent,” “we,” “us,” “our”) collects, uses, discloses, and protects information when you use our website at myhealthconsent.org and our services (the “Services”). For purposes of applicable state privacy laws (including the CCPA/CPRA), Healthnode Inc. is the “business” or “controller” with respect to the personal information described in this Policy.
Important note about HIPAA: Healthnode Inc. is a privacy technology company. We are not a healthcare provider and do not provide medical care. Healthnode Inc. is not a HIPAA “covered entity” in that capacity. This Privacy Policy (and not HIPAA) governs Healthnode Inc.’s handling of information in connection with the Services.
2. Scope
This Policy applies to:
- Visitors to our Site
- Users of our Services
It does not apply to information processed by third parties (including recipients of your privacy requests) under their own privacy policies and practices.
3. Information We Collect
3.1 Information You Provide to Us
We collect information you provide directly, which may include:
- Contact information: name, email address, phone number, mailing address
- Account information: login credentials (or authentication tokens), preferences, settings
- Service information: the recipients you select and details about the privacy requests you want us to submit
- Identity and matching information (at your direction): date of birth, prior addresses, plan/member IDs, patient/account identifiers, and other identifiers you provide so recipients can locate your records
- Identity verification information: as part of onboarding, we use a third-party identity verification service (Plaid) to verify your identity. This may include government-issued ID documents, selfie photos, and related verification results. Your identity verification information is processed by our identity verification provider and is retained as needed to comply with legal obligations and prevent fraud.
- Signature and authorization artifacts: your signature, authorizations/consents you provide, and related metadata (e.g., timestamp, request ID) used to execute and submit requests on your behalf
- Support communications: messages, emails, and feedback you send to us
- Payment and billing: billing details and subscription status. Payment card information is processed by our payment processor (e.g., Stripe) and is not stored by us except as needed for receipts, invoicing, and reconciliation.
- Family plan information: if you invite family members to your subscription, we collect their name and email address. Family members create their own accounts with their own data, separate from the primary subscriber.
3.2 Information We Collect Automatically
When you use the Site or Services, we may collect:
- Usage data: pages/screens visited, features used, clicks, referring URLs, timestamps, error logs
- Device and network data: IP address, browser type, device type, OS, approximate location (derived from IP)
- Cookies and similar technologies: for authentication, security, preferences, analytics, and performance (see “Cookies” below)
- Address autocomplete data: when you enter addresses, we use Google Maps for address validation and autocomplete. Google may receive address-related information you type.
- Bot protection data: we use hCaptcha to protect against bots and abuse. hCaptcha may collect device and interaction data as described in their privacy policy.
3.3 Information We Generate or Receive While Providing Services
To operate the Services, we may collect or generate:
- Request lifecycle data: which recipients you selected, request types submitted, dates sent, and status tracking
- Recipient communications: acknowledgements, denials, completion confirmations, forms, and other messages received from recipients (including via unique email addresses created for routing)
- Operational metadata: delivery confirmations, bounce logs, portal submission logs, fax/mail tracking (if used), and internal audit logs
- AI-generated research data: we use AI-powered web search tools to find contact information (such as privacy office email addresses) for recipients you select. This research data is used to facilitate your privacy requests.
- In-app notifications and inbox messages: system-generated messages informing you of request status, recipient responses, and other service-related updates
3.4 Sensitive Information / Consumer Health Data
Depending on what you provide and what recipients return, information processed through the Services may include sensitive personal information and/or consumer health data as defined by certain state privacy laws. We use this information only to provide the Services and as otherwise described in this Policy.
4. How We Use Your Information
4.1 To Provide the Services
- Create and manage your account
- Prepare, execute (including by applying your stored signature where authorized), and submit privacy requests you direct us to submit
- Communicate with recipients and track outcomes
- Provide you with updates, statuses, and confirmations
- Provide customer support
4.2 To Secure, Maintain, and Improve the Services
- Authenticate users and prevent unauthorized access
- Detect, prevent, and investigate fraud, abuse, and security incidents
- Debug, monitor, and improve performance
- Develop and improve features (including improving workflows and request handling)
4.3 Communications
- Send administrative communications (e.g., confirmations, billing notices, security alerts)
- Respond to your inquiries
- Send marketing communications where permitted by law (you can opt out of marketing emails at any time)
4.4 Legal, Compliance, and Enforcement
- Comply with legal obligations and lawful requests
- Enforce our Terms of Service and protect our rights and the rights of others
5. How We Share Your Information
We do not sell your personal information. We disclose information only as described below:
5.1 Service Providers (“Processors”)
We use vetted third-party service providers to help operate the Services. These providers are authorized to process information only to provide services to us and are required to protect it. Categories of service providers we use include:
- Cloud hosting and infrastructure providers
- Database and storage providers
- Payment processors
- Identity verification services
- Email delivery services (inbound and outbound)
- AI and machine learning service providers
- Address validation services
- Bot protection and fraud prevention services
- Analytics and error monitoring tools
5.2 Recipients You Select (Privacy Request Processing)
When you choose a provider/entity and instruct us to submit requests, we share the information reasonably necessary to submit and manage those requests—such as identifiers needed for matching and the request directives themselves.
5.3 Legal and Safety
We may disclose information if we believe disclosure is reasonably necessary to:
- comply with law, regulation, subpoena, court order, or lawful governmental request;
- protect the safety, rights, or property of HealthConsent, our users, or others; or
- detect, prevent, or address fraud, abuse, security, or technical issues.
5.4 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will take steps to ensure the receiving party honors commitments consistent with this Policy.
6. Cookies and Similar Technologies
We use cookies and similar technologies for:
- Essential functions: authentication, session management, security, fraud prevention
- Preferences: saving settings
- Analytics/performance: understanding site usage and improving the Services
Where required by law, we provide cookie choices and honor applicable opt-out preferences.
7. AI / Automated Processing
To provide the Services at scale, HealthConsent uses automated systems, including machine learning and other AI-enabled tools (“Automated Processing”), to process information associated with your account and with privacy requests.
Automated Processing may be used to read, extract, interpret, classify, summarize, and generate content from materials connected to your use of the Services, including recipient replies and request history, and to support actions you direct us to take through the Services.
7.1 AI Service Providers
We use third-party AI service providers to power Automated Processing for tasks such as text analysis, classification, summarization, content generation, and web search to research recipient contact information. These providers process information under contract with us and are required to protect it. Information processed by AI providers may include recipient names, contact information found through research, and the content of communications to and from recipients.
7.2 How Automated Processing Is Used
Without limiting the foregoing, Automated Processing may be used to:
- read and analyze messages and attachments received from recipients;
- classify those communications (e.g., acknowledgement, denial, request for more information, completion);
- summarize request history and current status across recipients;
- generate suggested next steps and draft responses or follow-up communications;
- populate and generate request documents and other operational artifacts;
- research and identify contact information (email addresses, fax numbers, privacy officer details) for recipients you select; and
- improve and maintain the Services (including quality, security, and fraud prevention).
7.3 Your Acknowledgment
You acknowledge and agree that recipient communications routed through the Service may be processed by Automated Processing to deliver the Service features described above. Recipients and third parties ultimately control their own actions and decisions regarding compliance.
If you believe Automated Processing has produced an incorrect classification or recommendation, you may contact us and we will review.
8. Data Retention
We retain personal information only as long as necessary to provide the Services and for legitimate business and legal purposes, including security, dispute resolution, enforcement, and compliance.
Typical retention (may vary by context):
- Account information: retained until you delete your account, plus a limited period for backup, security, and compliance
- Request lifecycle and recipient response data: retained to provide ongoing service, support, auditing, and proof of submission, plus a limited period thereafter
- Marketing communications data: retained until you opt out (or as otherwise required)
- Legal/compliance logs: retained as required by law or as needed to protect our rights
You can request deletion as described in Section 10, subject to legal exceptions.
9. Data Security
We use administrative, technical, and physical safeguards designed to protect information, including:
- encryption in transit and at rest (where appropriate),
- access controls and least-privilege access,
- logging and monitoring,
- security reviews and patching practices.
No method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Your Privacy Rights
Depending on where you live, you may have rights under state, federal, or international laws.
10.1 General Rights (Where Applicable)
You may have the right to:
- Access information we hold about you
- Correct inaccurate information
- Delete information (subject to exceptions)
- Opt out of marketing emails
- Obtain a copy of certain information in a portable format (where required)
10.2 California and Other U.S. State Privacy Rights (Where Applicable)
Residents of certain U.S. states may have additional rights (e.g., to opt out of certain processing such as targeted advertising, or to limit use of sensitive information, where applicable).
Do Not Sell / Share: HealthConsent does not sell personal information and does not share personal information for cross-context behavioral advertising.
10.3 How to Exercise Rights
Email us at privacy[at]myhealthconsent.org (or use our contact form) with your request. We may need to verify your identity before responding, depending on the request and applicable law. We will respond within the timeframe required by applicable law.
11. International Data Transfers
If you access the Services from outside the United States, your information may be transferred to and processed in the United States and other jurisdictions where we or our service providers operate. We take steps designed to protect information in accordance with this Policy and applicable law.
12. Children’s Privacy
The Services are generally not intended for individuals under 18. We do not knowingly collect personal information from children under 13. Family Plan subscribers may invite family members ages 13 and older to use the Services with their own separate accounts. If you believe a child under 13 has provided us personal information, contact us and we will take appropriate steps.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version on our Site and update the “Last updated” date. If changes are material, we may also notify you via email or in-app notification.
14. Contact Us
If you have questions or requests related to privacy, contact us:
Email: privacy[at]myhealthconsent.org
Phone: (949) 990-3800
Address: HealthConsent Attn: Privacy Officer 4343 Von Karman Ave Newport Beach, CA 92660