Legal

Privacy Policy

Last Updated: April 10, 2026

At Healthspan Group LLC ("Protocol," "we," "us," or "our"), we are committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our website, use our services, or interact with us.

1. Information We Collect

We collect personal information in the following categories:

Information you provide directly:

  • Name, email address, and phone number
  • Health assessment responses (such as age range, health concerns, and medical history)
  • Lab results, body composition data (DEXA), cardiovascular fitness data (VO2 max), bloodwork panels, and other health information you submit as part of our services
  • Payment and billing information (processed by our third-party payment processor)

Information collected automatically:

  • Pages visited on our website, time spent on pages, and scroll depth
  • Referring URL, page URL, and browsing session history
  • Device type, browser type, operating system, and screen resolution
  • IP address and approximate geographic location
  • Advertising identifiers (such as Google click IDs and Meta click IDs)
  • UTM campaign parameters and traffic source data
  • Interactions with page elements (clicks, form submissions, FAQ expansions)

2. How We Use Your Information

We use the information collected to:

  • Provide, administer, and improve our services, including the Foundation Assessment, health coaching, and membership programs
  • Respond to your inquiries and provide customer support
  • Schedule appointments and coordinate care with partner healthcare providers
  • Send you updates, news, or information related to our services (you may opt out at any time)
  • Analyze website usage and improve our content and user experience
  • Measure the effectiveness of our advertising and marketing campaigns
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

3. How We Protect Your Information

We implement administrative, technical, and physical safeguards designed to protect your personal information, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls limiting data access to authorized personnel
  • Secure cloud infrastructure with industry-standard certifications
  • Regular review of our data handling practices

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

4. Cookies and Tracking Technologies

Protocol uses cookies and similar tracking technologies to understand how visitors use our website, measure the effectiveness of our advertising, and improve your experience. These include:

  • Google Tag Manager, Google Analytics 4, and Google Ads conversion tracking
  • Meta (Facebook) Pixel and Meta Conversions API (server-side)
  • PostHog analytics (page views, interactions, and session analysis)
  • GoHighLevel CRM tracking

These technologies may collect information about your browsing activity across websites. Some of this data sharing with advertising platforms may constitute "sharing" of personal information under certain state privacy laws (see Section 10).

You can control cookies through your browser settings or by using the cookie preferences on our website. Disabling cookies may affect certain features of our website.

5. Third-Party Disclosure

We do not sell your personal information for monetary consideration. We share personal information with the following categories of third parties:

  • Customer relationship management platforms (GoHighLevel) — to manage communications, scheduling, and lead information
  • Analytics and advertising platforms (Google, Meta, PostHog) — to measure website usage and advertising effectiveness. Hashed identifiers may be shared for advertising targeting and measurement
  • Cloud infrastructure providers (Vercel, Supabase) — to securely host our website and store data
  • Partner healthcare providers — when you engage in clinical services coordinated through Protocol
  • Payment processors — to process payments securely (we do not store full payment card details)
  • Communication tools — for call recording, transcription, and quality assurance purposes

We may also disclose information when required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets.

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. Specifically:

  • Account and service data — retained for the duration of your membership or service engagement, plus 3 years after termination
  • Health information — retained in accordance with applicable healthcare record retention requirements (typically 6-10 years)
  • Website analytics data — retained for up to 26 months
  • Call recordings — retained for up to 12 months for quality assurance
  • Payment records — retained as required for tax and accounting purposes

You may request deletion of your personal data at any time (see Section 7).

7. Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Request corrections to any inaccurate information
  • Request deletion of your personal data (subject to legal retention requirements)
  • Opt out of marketing communications at any time
  • Opt out of the sharing of your personal information for targeted advertising purposes

To exercise any of these rights, please contact us at info@protocol.us. We will respond to verified requests within 45 days.

For additional rights that may apply based on your state of residence, see Section 10.

8. Health Information

Certain Protocol services involve the collection and use of health-related information, including lab results, body composition data, and health assessment responses.

When Protocol acts as a Business Associate under a Business Associate Agreement with a partner healthcare provider, the use and disclosure of Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA) is governed by the applicable Notice of Privacy Practices provided by the clinical provider.

Health information submitted directly to Protocol through our website or services (outside of a covered clinical relationship) is handled in accordance with this Privacy Policy.

To request a copy of any applicable Notice of Privacy Practices, contact us at info@protocol.us.

9. Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected individuals in accordance with applicable federal and state laws, including:

  • Notification within 60 days of discovery, or sooner as required by applicable state law
  • Description of the information involved and steps you can take to protect yourself
  • Notification to relevant regulatory authorities as required

10. State-Specific Privacy Rights

California Residents (CCPA/CPRA): If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including:

  • The right to know what personal information we collect, use, and disclose
  • The right to delete your personal information
  • The right to opt out of the "sale" or "sharing" of personal information (our use of advertising pixels may constitute "sharing" under the CPRA)
  • The right to non-discrimination for exercising your privacy rights
  • The right to correct inaccurate personal information
  • The right to limit use of sensitive personal information

To exercise your right to opt out of sharing for targeted advertising, click "Do Not Sell or Share My Personal Information" in our website footer or contact us at info@protocol.us.

Virginia, Colorado, Connecticut, and Other States: Residents of states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out of targeted advertising. Please contact us at info@protocol.us to exercise these rights.

11. Communications and Recording

By providing your phone number, you consent to receiving calls, text messages, and other communications from Protocol related to scheduling and service delivery. Message and data rates may apply. You may opt out of text messages at any time by replying STOP.

Certain calls or sessions may be recorded for quality assurance, training, or documentation purposes. You will be notified at the start of any recorded call and may decline recording. Recordings are stored securely and retained for up to 12 months.

12. Children's Privacy

Protocol services are intended for adults aged 18 and older. We do not knowingly collect or solicit personal information from anyone under the age of 18. If we learn that we have collected personal information from a person under 18, we will delete that information as quickly as possible.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. If we make material changes, we will provide notice through our website or by email.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

Email: info@protocol.us
Website: protocol.us