Privacy Policy

The Pep Club provides telehealth-mediated compounded-medication services. This policy describes how we collect, use, protect, and disclose your information. It also serves as the joint HIPAA Notice of Privacy Practices for the Medical Practice and as the consumer-privacy disclosure required by California, Washington, Texas, and Nevada law.

Effective: 2026-05-14
Version: 1.0
Last reviewed: 2026-05-14

1. Introduction and scope

This Privacy Policy describes how The Pep Club LLC and the affiliated professional corporation that operates the Medical Practice (together, “The Pep Club,” “we,” or “us”) collect, use, protect, and disclose information about you in connection with the platform at thepepclub.com and its mobile and web applications (the “Platform”).

The Medical Practice is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Pep Club LLC, as the management-services organization, is a business associate of the Medical Practice under HIPAA and is bound by a Business Associate Agreement that mirrors the privacy and security duties imposed on the Medical Practice. This Privacy Policy is published jointly and is your combined Notice of Privacy Practices and consumer privacy disclosure.

By using the Platform, you agree to the practices described here and you acknowledge receipt of the HIPAA Notice of Privacy Practices set out in this document.

2. Information we collect

We collect information that you provide to us, information generated by your use of the Platform, and information we receive from third parties.

2.1 Information you provide

This includes, depending on how you use the Platform:

  • Identity and contact information: name, date of birth, address, email, mobile phone number, photo identification;
  • Medical intake information: health history, symptoms, current medications, allergies, hormones and metabolic protocols you are following or have followed, family history, and other PHI required by the Medical Practice to provide care;
  • Biomarker and laboratory results returned to your account from the CLIA-validated reference laboratory or partner laboratory adapter;
  • Consultation content: messages between you and your physician, video and audio recordings if a telehealth visit is recorded with your consent, signed clinical notes (SOAP);
  • Consent and authorization records: signed consents (telehealth, compounded medication, HIPAA), with timestamp, IP address, and user-agent metadata; and
  • Payment information collected by our payment processor (we do not store full card numbers ourselves).

2.2 Information collected automatically

When you use the Platform we may automatically collect device, connection, and usage information, including IP address, browser type and version, operating system, referring page, pages viewed, links clicked, and approximate geolocation derived from IP. We use this information for security (rate-limiting, abuse detection), accessibility and performance debugging, and product analytics. We do not sell this information.

2.3 Information from third parties

We may receive information from the CLIA-validated reference laboratory or partner laboratory adapter that processes your biomarker samples; from the Affiliated Pharmacy regarding prescription status and shipment; from your physician of record outside the Platform if you elect to share results; and from public sources during identity-verification review.

3. How we use your information

We use your information for the following purposes:

  • To provide the Platform, including processing your medical intake, scheduling and recording consultations, returning your biomarker results, and routing flagged findings to a physician;
  • To enable the Medical Practice to provide treatment and to direct the Affiliated Pharmacy to fill prescriptions;
  • To bill for and collect payment for the Platform and to provide receipts for HSA, FSA, or insurer-reimbursement purposes;
  • To communicate with you about your account, appointments, prescriptions, kit shipments, and clinical messages from your care team;
  • To maintain audit logs, security monitoring, abuse detection, and operational integrity of the Platform;
  • To comply with our legal obligations, respond to lawful requests, defend our legal rights, and enforce our Terms;
  • To improve and develop the Platform; and
  • To send you, where you have opted in, optional educational or marketing communications.

We use AI-assisted summarization to generate educational interpretations of your biomarker results. These summaries are produced by Anthropic's Claude API under a Business Associate Agreement that prohibits the processor from using your data to train its underlying models. The AI pipeline is described in the Terms of Service.

4. HIPAA Notice of Privacy Practices

The Medical Practice is a covered entity under HIPAA. We are required by law to maintain the privacy and security of your Protected Health Information (“PHI”), to provide you with this Notice of our legal duties and privacy practices with respect to PHI, to notify you following a breach of unsecured PHI, and to abide by the terms of the Notice currently in effect.

4.1 Permissible uses and disclosures without your written authorization

We may use and disclose your PHI without a separate written authorization for the following purposes:

  • Treatment: to provide, coordinate, or manage your healthcare, including disclosure to physicians of the Medical Practice, the Affiliated Pharmacy, and the CLIA-validated reference laboratory.
  • Payment: to bill for and collect payment for services rendered, including disclosure to your payment method, our payment processor, and, where you instruct, your insurer.
  • Healthcare operations: to run the Medical Practice and the Platform, including quality improvement, training, audit, accreditation, and managing customer service.
  • Public health activities: to public-health authorities authorized by law to collect information for preventing or controlling disease, injury, or disability; reporting adverse events to applicable regulatory authorities; and reporting child abuse or neglect to authorized agencies.
  • Victims of abuse, neglect, or domestic violence: to a governmental authority authorized by law to receive such reports, where we reasonably believe abuse has occurred.
  • Health-oversight activities: to agencies overseeing the healthcare system, government benefits, or regulatory programs (e.g., state pharmacy boards, state medical boards, the HHS Office for Civil Rights).
  • Judicial and administrative proceedings: in response to a valid subpoena, court order, or other lawful process.
  • Law enforcement: in limited circumstances permitted by HIPAA, including court orders, certain identification requests, and reports of crime victims.
  • Decedents: to coroners, medical examiners, and funeral directors as necessary.
  • Research: if approved by an Institutional Review Board (IRB) with appropriate privacy protections in place.
  • Health or safety threats: to prevent a serious and imminent threat to the health or safety of you or another person.
  • Specialized government functions: for military and veterans' activities, national security, protective services for the President, or correctional institutions as permitted by law.
  • Workers' compensation: as required by applicable state workers' compensation laws.
  • As required by law: any other use or disclosure required by federal, state, or local law.

4.2 Uses and disclosures requiring your written authorization

For uses and disclosures of PHI not described in the section above, we will request your written authorization. Marketing communications that constitute “marketing” under HIPAA, the sale of PHI, and any use of psychotherapy notes will not occur without your express written authorization. You may revoke any authorization in writing at any time, except to the extent we have already acted in reliance on it.

4.3 Authorization for outreach from the Affiliated Pharmacy

If you are a patient of the Affiliated Pharmacy that operates The Pep Club and you receive outreach about Pep Club services through that pharmacy relationship, you will be asked to authorize that outreach in writing in accordance with 45 CFR 164.508(a)(3). Outreach without this specific authorization is prohibited.

5. Your rights regarding your information

You have the following rights with respect to your PHI and other personal information. To exercise any right, contact us at privacy@thepepclub.com or use the in-portal data-request workflow.

5.1 Right to request restrictions

You may request a restriction on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to every requested restriction; if we do agree, we will comply except in an emergency.

5.2 Right to confidential communications

You may request that we communicate with you about your PHI by alternative means or at alternative locations (for example, secure email, alternate phone, or a P.O. box). We will accommodate reasonable requests.

5.3 Right to inspect and copy your records

You have the right to inspect and obtain a copy of your medical record and billing record that we maintain. We will respond to your written request within thirty (30) days. A reasonable, cost-based fee may apply for copies in accordance with HIPAA and applicable state law.

5.4 Right to amend your records

If you believe information in your record is incorrect or incomplete, you may submit a written amendment request. If we deny the request, we will provide a written explanation, and you may submit a statement of disagreement to be filed with your record.

5.5 Right to an accounting of disclosures

You may request an accounting of disclosures of your PHI made by us in the six (6) years prior to your request, except disclosures made for treatment, payment, or healthcare operations, disclosures made to you, and disclosures made pursuant to a valid authorization. The first accounting in any twelve-month period is free; we may charge a reasonable, cost-based fee for additional requests.

5.6 Right to a paper copy of this Notice

You may request a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

5.7 Right to data portability, deletion, and correction (where applicable)

Where state privacy law applies and the data in question is not PHI subject to HIPAA, you may have additional rights to data portability, deletion, and correction. See the state-specific addenda below for details.

6. Breach notification

If we discover a breach of unsecured PHI, we will notify you without unreasonable delay and no later than sixty (60) calendar days after discovery, in accordance with 45 CFR 164.404. Notice will be sent to the email address or postal address on file with your account. The notice will include a description of what happened, the types of PHI involved, the steps you can take to protect yourself, what we are doing to mitigate the breach, and how to contact us for more information.

Where the breach involves the unsecured PHI of more than five hundred (500) individuals, we will also notify the Secretary of the U.S. Department of Health and Human Services and, where required by 45 CFR 164.406, prominent media. Where the breach involves fewer than five hundred (500) individuals, we will report it to the Secretary on the HHS Breach Portal at the close of the calendar year.

7. How we disclose your information

We disclose your information only as described in this Privacy Policy. We do not sell PHI. We do not share PHI with advertisers. We disclose PHI only to (a) you and your designees, (b) the Medical Practice and the Affiliated Pharmacy for treatment and dispensing, (c) Business Associates listed below under written BAA, (d) other parties with your written authorization, and (e) as required or permitted by law.

8. Named Business Associates and subprocessors

The following service providers may process PHI or other personal information on our behalf. Each is under a written Business Associate Agreement (BAA) with us where required by HIPAA, or under an equivalent data-processing agreement where the relationship is not a BAA-eligible one. We publish this list so you can see exactly which vendors are in our information supply chain.

Provider | Purpose | BAA in place
Neon | Managed PostgreSQL database (PHI at rest) | Yes
Clerk | Identity, authentication, session management | Yes
Vercel | Application hosting and edge delivery | Yes
Amazon Web Services (SES) | Transactional and clinical email delivery | Yes
Anthropic (Claude API) | AI-assisted educational summarization of biomarker results (model training is prohibited under BAA) | Yes
Sinch | SMS notifications (kit shipment, prescription status) | Yes
Daily.co | Telehealth video sessions | Yes
Upstash | Redis-based rate limiting and webhook idempotency | Yes
Sentry | Error monitoring (PHI-scrubbed payloads) | Yes
Stripe | Payment processing (no PHI; payment-card and billing data only) | Yes (data processing agreement; HIPAA BAA not applicable to scope)

If our list of Business Associates or subprocessors changes materially, we will update this Privacy Policy and update the Last reviewed date. For changes that affect how PHI is processed in a way that would require new authorization under HIPAA, we will notify you and obtain authorization where required.

9. Data retention

We retain information for the following minimum periods:

  • PHI in the designated record set: at least six (6) years from the date of creation or the date last in effect, in accordance with 45 CFR 164.530(j);
  • Billing and tax records: at least seven (7) years to meet IRS recordkeeping rules;
  • Consent and authorization records: for the duration of the consent plus six (6) years thereafter;
  • Security audit logs (including the chain-hash tamper-evident PHI access log): at least six (6) years; and
  • State-mandated retention periods that exceed the above, where applicable to your state of residence.

When the applicable retention period expires, we will delete or de-identify the information unless we are required by law to retain it longer (for example, in connection with an ongoing legal matter).

10. Children

The Platform is not intended for individuals under twenty-one (21) years of age and we do not knowingly collect information from anyone under twenty-one. If we learn that we have collected information from a person under twenty-one, we will delete it promptly. If you believe a person under twenty-one has provided information to us, please contact privacy@thepepclub.com.

11. California residents (CCPA / CPRA)

Where the California Consumer Privacy Act applies and the data in question is not PHI subject to HIPAA, you have the right to:

  • Know what personal information we collect, use, disclose, and sell;
  • Delete personal information collected from you, subject to legal-retention exceptions;
  • Correct inaccurate personal information;
  • Opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising (we do not sell or share for these purposes);
  • Limit the use and disclosure of sensitive personal information;
  • Receive a copy of your personal information in a portable format; and
  • Non-discrimination for exercising your rights.

To exercise a CCPA right, email privacy@thepepclub.com from the address associated with your account or use the in-portal data-request workflow. We will verify your identity before fulfilling any request. We will respond within forty-five (45) days; if more time is needed, we will notify you of the extension.

California residents may also designate an authorized agent to make requests on their behalf in accordance with CCPA regulations. We may contact you to confirm the agent's authority before processing the request.

12. Washington residents (My Health My Data Act / MHMDA)

The Washington My Health My Data Act (RCW 19.373) imposes additional requirements on the collection of “consumer health data” (“CHD”) by entities operating in Washington or serving Washington residents. CHD includes information that identifies a consumer's past, present, or future physical or mental health status, including health condition, treatment, diagnoses, medications, biometric data, gender-affirming care, reproductive health, and precise location related to health services.

Categories of CHD collected. For Washington residents, the categories include all information described in the Information We Collect section above to the extent it relates to your health status, plus IP-derived approximate location.

Purposes of collection. All purposes described in the How We Use Your Information section above.

Sources. Directly from you; automatically through Platform use; from the CLIA-validated reference laboratory or partner laboratory adapter; from the Affiliated Pharmacy; from third parties you instruct to provide records.

Disclosure to third parties. CHD is shared only with the Business Associates and subprocessors named above in this Privacy Policy, and only as required to deliver the Platform.

Your rights under MHMDA. Washington residents may (a) confirm whether we are processing CHD about them, (b) access CHD, (c) request deletion of CHD, (d) withdraw any previously granted consent, and (e) appeal any denied request. To exercise these rights or to file an appeal, email privacy@thepepclub.com. If an appeal is denied, you may also contact the Washington State Office of the Attorney General.

13. Texas and Nevada residents

Texas (TDPSA). Texas residents have rights similar to those described under CCPA, including the right to confirm processing, access, correction, deletion, portability, and to opt out of targeted advertising, sale of personal data, or certain profiling. We do not sell personal data for monetary or other valuable consideration.

Nevada (SB220). Nevada residents may submit a request to opt out of any future sale of their “covered information” as defined in NRS 603A. We do not currently sell covered information.

To exercise a Texas or Nevada right, email privacy@thepepclub.com from the address associated with your account. We will verify your identity before fulfilling any request.

14. Cookies and tracking technologies

The Platform uses strictly necessary cookies for authentication, session management, and security (CSRF protection, rate limiting). We use a limited set of first-party analytics cookies to understand aggregate Platform usage and to debug performance. We do not use third-party advertising cookies and do not participate in cross-context behavioral advertising. Your browser may allow you to disable non-essential cookies; doing so will not impair the core functionality of the Platform.

15. How we protect your information

We maintain administrative, physical, and technical safeguards designed to protect your information against unauthorized access, use, alteration, or disclosure. Safeguards include encryption in transit (TLS) and at rest, role-based access control with explicit per-procedure authorization, tenant isolation enforced at the database row-security layer, tamper-evident chain-hashed audit logging of every PHI read and mutation, automated tests in continuous integration that block authorization regressions, and signed-webhook verification for every external integration.

No system is perfectly secure. While we strive to protect your information, we cannot guarantee its absolute security. If you suspect your account has been accessed by someone else, contact us immediately at security@thepepclub.com.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make a material change, we will post the revised policy here and update the Last reviewed date. For changes that materially affect how we handle PHI, we will notify you by email at least thirty (30) days before the change takes effect. Continued use of the Platform after that date constitutes acceptance of the revised Privacy Policy.

17. How to contact us; complaint procedure

Privacy questions, data-subject requests, and HIPAA-rights requests: privacy@thepepclub.com.

Security incidents: security@thepepclub.com.

General support: hello@thepepclub.com. The mailing address and toll-free phone for patient support are published on the Contact page.

You may also file a HIPAA complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at 200 Independence Avenue SW, Washington, DC 20201, by phone at 1-877-696-6775, or online at www.hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you for filing a complaint.

Questions about this document? privacy@thepepclub.com

This Privacy Policy is provided by The Pep Club for transparency about its information practices. It is not a substitute for legal advice. Counsel review is ongoing; consult your own attorney for advice tailored to your situation.