Consumer Health Data Privacy Policy

Company: CareCore, Inc. ("CareCore," "we," "us," or "our") Last updated: July 2, 2026 Contact: legal@carecore.io

This Consumer Health Data Privacy Policy describes how CareCore collects, uses, shares, and protects Consumer Health Data in connection with our websites, applications, creator storefronts, products, services, health-related intake flows, checkout flows, communications, and related online or offline services (collectively, the “Service”).

This Policy supplements our general Privacy Policy. If this Policy conflicts with our general Privacy Policy with respect to Consumer Health Data, this Policy controls to the extent required by applicable law.

For purposes of this Policy, “Consumer Health Data” means personal information that is linked or reasonably linkable to you and that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be used to infer your past, present, or future physical or mental health status, where applicable law treats that information as consumer health data or similar health-related information.

Certain medical, pharmacy, laboratory, or clinical services may be provided by independent licensed clinicians, professional medical corporations, pharmacies, laboratories, or other regulated entities (“Clinical Partners”), not by CareCore. Clinical Partners, pharmacies, laboratories, and other regulated healthcare parties may provide their own notices and may be subject to HIPAA or other healthcare privacy laws. CareCore’s role and applicable privacy obligations may vary depending on the workflow and data relationship.

  1. When this Policy applies

This Policy may apply when you:

  • Visit or interact with a CareCore website, app, landing page, checkout flow, creator storefront, condition-specific page, or health-related product page.
  • Create an account or complete a health-related profile, questionnaire, eligibility screen, or intake flow.
  • Purchase, request, or consider a health-related product or service, including products or services that may involve supplements, wellness protocols, prescription medications, laboratory or diagnostic testing, or clinical consultations.
  • Communicate with CareCore, a creator, a Clinical Partner, a pharmacy, a laboratory, or support personnel through the Service.
  • Use CareCore tools that generate health-related recommendations, content, personalization, routing, reminders, or other health-related outputs.
  1. Categories of Consumer Health Data we may collect

Depending on your interaction with the Service, we may collect the following categories of Consumer Health Data:

  • Health goals, interests, preferences, and requested outcomes.
  • Health conditions, symptoms, diagnoses, medical history, family history, and risk factors that you choose to provide.
  • Prescription medication, supplement, treatment, protocol, allergy, contraindication, adverse-event, side-effect, and medication-history information.
  • Laboratory, diagnostic, biomarker, genetic, biometric, wearable, physiologic, or test-result information that you provide or authorize us to receive.
  • AI feature information, including prompts, messages, uploaded files or records, lab reports, source information selected for an AI workflow, AI outputs, summaries, explanations, personalization outputs, and related metadata when you use or authorize AI-assisted features.
  • Lifestyle and wellness information, such as nutrition, exercise, sleep, stress, recovery, reproductive health, sexual health, gender-affirming care, weight, body composition, or similar information, if collected through the Service.
  • Information about health-related purchases, subscriptions, reorder history, product interests, storefront interactions, abandoned health-related checkout flows, payment authorization status, refund status, chargebacks, and support status.
  • Prescription, pharmacy, and fulfillment workflow information, such as treatment requests, prescription or fulfillment status, pharmacy channel, shipment or delivery status, refill or renewal status, adverse-event or side-effect support communications, and related care-coordination information.
  • Communications with CareCore, creators, support teams, Clinical Partners, pharmacies, laboratories, or fulfillment vendors that reveal health status, health goals, symptoms, treatments, or care needs.
  • Technical, device, online-activity, interaction, precise or approximate location, cookie, pixel, SDK, log, or inference data when that information reveals or is used to infer health status, health interests, care-seeking behavior, or interaction with health-related pages or services.
  • Derived or inferred health data, such as inferred protocol interests, product categories, eligibility signals, personalization outputs, or health-related segmentation, where applicable law treats those inferences as Consumer Health Data.

We do not intend to collect more Consumer Health Data than is reasonably necessary for the Service you request or authorize.

  1. Sources of Consumer Health Data

We may collect Consumer Health Data from:

  • You, including through accounts, forms, questionnaires, purchases, uploads, messages, support requests, consent flows, checkout flows, and intake flows.
  • Creators, when they use CareCore to operate storefronts or provide content, only to the extent permitted by law, our contracts, and the applicable user-consent flow.
  • Clinical Partners, pharmacies, laboratories, fulfillment partners, or other healthcare-related vendors, where you have requested or authorized a workflow involving those parties and applicable law permits the exchange.
  • Independent licensed clinicians, professional entities, pharmacies, pharmacy networks, electronic prescribing or pharmacy-fulfillment vendors, laboratories, diagnostics providers, fulfillment vendors, and other healthcare or operational vendors to support workflows you request or authorize. Pharmacy partners may include retail, mail-order, specialty, or compounding pharmacies depending on the treatment, location, availability, and applicable clinical or pharmacy determination.
  • Service providers or processors that support hosting, security, customer support, analytics, payments, communications, identity verification, scheduling, fulfillment, audit, or compliance.
  • Devices, browsers, cookies, pixels, SDKs, logs, and similar technologies, subject to the restrictions in this Policy and applicable consent choices.
  • Information we create, derive, infer, or generate from your use of the Service, such as personalization outputs or eligibility/routing information.
  1. How we use Consumer Health Data

We may use Consumer Health Data for the following purposes:

  • To provide, operate, maintain, secure, and improve the Service.
  • To create and manage your account, profile, preferences, orders, subscriptions, communications, and support requests.
  • To process purchases, payment authorizations, payments, refunds, chargebacks, shipping, fulfillment, tax, fraud-prevention, and dispute workflows.
  • To support health-related intake, routing, eligibility, scheduling, prescription, pharmacy, laboratory, diagnostic, Clinical Partner, fulfillment, shipping, safety, and support workflows that you request or authorize.
  • To provide AI-assisted features you request or authorize, such as organizing, summarizing, explaining, personalizing, or helping you navigate health-related information, lab results, records, messages, orders, and care context.
  • To personalize your experience, recommend content or products, and display creator storefronts or health-related information, where permitted by law and consistent with your choices.
  • To conduct internal or external research, scientific, clinical, health-outcomes, public-health, safety, quality, operational, product, model-development, model-evaluation, machine-learning, artificial-intelligence, measurement, analytics, market, business, user-experience, and commercial research and development; develop, test, evaluate, validate, improve, commercialize, and support CareCore Services, AI-assisted features, products, protocols, care-navigation workflows, content, and business operations; prepare aggregated, de-identified, anonymized, pseudonymized, or derived datasets and outputs; and support publications, collaborations, regulatory, quality, safety, product, and business activities, in each case where permitted by law and consistent with applicable notices, consents, authorizations, contracts, and choices.
  • To communicate with you about your account, orders, Service updates, safety notices, product changes, and support issues.
  • To conduct quality, safety, security, fraud-prevention, debugging, analytics, compliance, audit, incident-response, and operational-reliability activities.
  • To comply with legal, regulatory, tax, accounting, recordkeeping, safety, law-enforcement, professional, pharmacy, laboratory, payment, or dispute-resolution obligations.
  • To create aggregated, de-identified, or anonymized information that does not identify you and is not reasonably linkable to you, subject to applicable law.

Where applicable law requires consent for collection, use, or sharing of Consumer Health Data, we will obtain the required consent unless the collection, use, or sharing is permitted without consent, such as where reasonably necessary to provide a product or service you requested, or otherwise permitted by law. Where applicable law requires separate and distinct consent for sharing, we will ask for that consent separately.

  1. Tracking technologies, advertising, and health-event data

Cookies, pixels, SDKs, log files, and similar technologies may collect technical data that can be Consumer Health Data when it reveals or can be used to infer health status, health interests, care-seeking behavior, or interaction with health-related pages or services.

We do not use or disclose Consumer Health Data for interest-based advertising, retargeting, lookalike audiences, custom-audience matching, ad optimization, cross-context behavioral advertising, resale, or unrelated health profiling. If CareCore ever proposes an activity that applicable law treats as a sale or targeted-advertising disclosure of Consumer Health Data, we will obtain any separate consent or written authorization required by law before doing so.

Where we use analytics or measurement tools on health-related surfaces, we configure them to minimize Consumer Health Data collection and to avoid sending medication names, diagnoses, symptoms, lab values, treatment eligibility, adverse events, or other health-event details as analytics or advertising parameters unless a specific workflow is legally approved and supported by any required consent or authorization. We use service-provider/processor restrictions and consent controls where required by law.

  1. Geofencing

We do not use geofencing around in-person healthcare facilities to identify or track consumers seeking healthcare services, collect Consumer Health Data, or send health-related notifications, messages, or advertisements based on a consumer’s presence at or near such facilities.

  1. When we may share Consumer Health Data

We may share Consumer Health Data only as described in this Policy, as directed or authorized by you, or as otherwise permitted by applicable law.

Recipient categories may include:

  • Clinical Partners, pharmacies, laboratories, and healthcare vendors: independent licensed clinicians, professional entities, pharmacies, pharmacy networks, electronic prescribing or pharmacy-fulfillment vendors, laboratories, diagnostics providers, and other healthcare vendors to support clinical, prescription, pharmacy, laboratory, diagnostic, eligibility, scheduling, fulfillment, shipping, safety, support, payment reconciliation, audit, or related workflows that you request or authorize. Pharmacy partners may include retail, mail-order, specialty, or compounding pharmacies depending on the treatment, location, availability, and applicable clinical or pharmacy determination.
  • Service providers and processors: to host, secure, operate, support, analyze, communicate, process payments, prevent fraud, fulfill orders, conduct research, support AI-assisted features, and maintain the Service, subject to appropriate contractual restrictions.
  • AI service providers, analytics providers, infrastructure providers, research vendors, and other service providers: to provide, secure, evaluate, test, develop, research, improve, and support the Service, AI-assisted features, products, workflows, research programs, analytics, and business operations, subject to appropriate contractual restrictions, privacy/security controls, and any consent, authorization, or other legal basis required by applicable law.
  • Research collaborators, academic or scientific collaborators, data partners, product-development partners, quality/safety partners, and other approved recipients: where the disclosure is permitted by law and supported by any required notice, consent, authorization, contract, or other legal basis.
  • Creators: only when the sharing is minimum necessary for the creator to provide a requested non-clinical Service function, when information is aggregated/de-identified, or when you have given explicit consent for identifiable Consumer Health Data sharing for a documented purpose. We do not share clinical notes, prescription details, lab results, contraindications, medical history, or other clinical, prescription, or laboratory details with creators by default.
  • Professional advisors and legal/compliance recipients: such as lawyers, auditors, insurers, banks, tax advisors, and compliance consultants, where necessary for business, legal, accounting, insurance, or compliance purposes.
  • Business transaction recipients: in connection with an actual or prospective merger, financing, acquisition, reorganization, bankruptcy, or sale of assets, subject to applicable law and appropriate protections.
  • Authorities or required recipients: where we believe disclosure is necessary to comply with law, legal process, professional obligations, safety obligations, or to protect rights, safety, security, and integrity.
  • Third parties you designate or authorize.
  1. Creators

Creators are not Clinical Partners merely because they operate storefronts or create content on CareCore. Creator access to information is limited by role, purpose, and need.

By default, we limit creator-facing information to what is reasonably necessary for storefront operation, support, attribution, payout, or other approved non-clinical Service functions. If you join or purchase from a creator's Healthspace, that creator may see your name, membership status, join date, and the offerings you purchased there so they can support, follow up with, and educate you. Creators do not receive prescription details, dosing, pharmacy information, clinical review status, payment details, or support case details by default.

Creator access to identifiable Consumer Health Data requires:

  • Explicit consumer consent or another legally appropriate basis.
  • A documented purpose tied to a requested Service function.
  • Role-based access controls.
  • Audit logging.
  • Contractual restrictions on reuse, export, targeting, downstream disclosure, sale, and independent health profiling.
  • Prohibitions on using Consumer Health Data for clinical referral fees, prescribing incentives, patient steering, or health-condition targeting outside the approved workflow.
  1. AI, personalization, routing, eligibility, and inferences

We may use automated systems and AI-assisted tools to support personalization, routing, eligibility, safety, quality, support, care-navigation, coaching, summarization, explanation, research, product development, model evaluation, model development, analytics, and operational workflows that you request or authorize or that support the Services and Company business. These tools may process Consumer Health Data you provide or authorize us to receive, including lab results, medications, symptoms, health goals, health history, orders, messages, uploaded records, care context, AI prompts, AI outputs, and related metadata. We may use Consumer Health Data and AI feature information to provide, secure, support, evaluate, test, develop, research, improve, and commercialize CareCore Services, AI-assisted features, products, protocols, workflows, research programs, analytics, and business operations; conduct internal or external research, scientific, clinical, health-outcomes, public-health, safety, quality, operational, product, market, business, commercial, and model-related research; prepare aggregated, de-identified, anonymized, pseudonymized, or derived datasets and outputs; and support publications, collaborations, regulatory, quality, safety, product, and business activities, where permitted by law and consistent with applicable notices, consents, authorizations, contracts, and choices. We do not use Consumer Health Data, health-intake responses, Clinical Partner communications, product or medication names, laboratory results, AI prompts or outputs, or other health-derived information to train third-party provider models, for unrelated general-purpose model-development purposes, for targeted advertising, sale, or unrelated secondary purposes unless the information has been de-identified so it is no longer reasonably linkable to you, or unless you provide separate consent or authorization where legally permitted and required.

  1. Sale of Consumer Health Data

We do not sell Consumer Health Data unless CareCore first obtains a separate written authorization that satisfies applicable law. “Sale” may be defined broadly under some laws and may include exchanges of Consumer Health Data for monetary or other valuable consideration. Where required by law, a sale authorization must be separate from other consents, must identify the relevant data and parties, must describe the purpose and intended use of the sale, must explain revocation rights, and must satisfy any expiration, signature, copy-retention, or other requirements imposed by law.

  1. Your Consumer Health Data rights

Depending on where you live and how you interact with the Service, you may have the right to:

  • Confirm whether we collect, share, or sell your Consumer Health Data.
  • Access or receive a copy of your Consumer Health Data.
  • Receive a list of categories of third parties or specific third parties with whom Consumer Health Data has been shared or sold, where required by law.
  • Withdraw consent for certain collection, use, or sharing of Consumer Health Data.
  • Request deletion or correction of Consumer Health Data, subject to legal, safety, transactional, clinical, pharmacy, laboratory, tax, accounting, dispute, regulatory, audit, professional-record, or compliance exceptions.
  • Appeal a denial of a rights request, where required by law.

To exercise rights, contact legal@carecore.io. We may need to verify your request before fulfilling it. We will respond within the time required by applicable law.

If we are required to provide information about third parties or affiliates with whom Consumer Health Data has been shared or sold, we will provide the information required by applicable law. Some requests may be limited by legal, security, clinical, pharmacy, laboratory, tax, accounting, fraud-prevention, dispute, regulatory, audit, professional-record, or safety exceptions.

  1. Declining to provide Consumer Health Data

Certain Consumer Health Data may be necessary to provide products or services you request. If you decline to provide required information, withdraw consent for required processing, or request deletion of information needed for a requested workflow, CareCore or the applicable Clinical Partner, pharmacy, laboratory, or service provider may be unable to provide or continue that workflow.

  1. Deletion, withdrawal, correction, and propagation

If you request deletion, correction, or withdrawal of consent, CareCore will evaluate the request and, where required, take reasonable steps to delete, correct, restrict, or stop applicable processing of Consumer Health Data in active systems and instruct relevant service providers/processors to do the same, subject to legal exceptions.

Some data may be retained where necessary for:

  • Completing transactions you requested.
  • Clinical, pharmacy, laboratory, or professional obligations handled by Clinical Partners or other regulated healthcare parties.
  • Legal, tax, accounting, fraud-prevention, security, safety, dispute, regulatory, audit, or professional-record obligations.
  • Exercising or defending legal claims.
  • Maintaining de-identified, aggregated, anonymized, pseudonymized, or derived information, and continuing research, analytics, product-development, model-evaluation, safety, quality, compliance, or business records where permitted by applicable law and consistent with applicable notices, consents, authorizations, contracts, and choices.
  1. Retention

We retain Consumer Health Data for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, complete transactions, maintain security, satisfy clinical, pharmacy, laboratory, safety, legal, tax, accounting, fraud-prevention, dispute, regulatory, audit, or professional-record obligations, and exercise or defend legal claims.

Temporary operational logs, webhook payloads, and similar technical records from clinical, pharmacy, laboratory, fulfillment, payment, or other operational partners are retained only as long as reasonably necessary for operational support, security, audit, compliance, fraud prevention, dispute handling, safety, and legal purposes. CareCore may retain sanitized event metadata, identifiers, status timestamps, reconciliation records, and support notes needed for security, audit, support, compliance, fraud prevention, dispute handling, and operational reliability.

  1. Security and incident notification

We use administrative, technical, and organizational measures designed to protect Consumer Health Data. No system is perfectly secure. Access to Consumer Health Data is limited to authorized personnel, service providers, processors, Clinical Partners, creators where approved for a documented Service function, research collaborators, professional advisors, or other approved recipients with a legitimate business, operational, research, legal, safety, support, or Service-related need and appropriate restrictions. Where a privacy or security incident triggers notification obligations under applicable law, including HIPAA, state breach-notification laws, state consumer health data laws, or the FTC Health Breach Notification Rule, we will provide notices as required by law and contract.

  1. Children and minors

CareCore is not intended for children under 18 years old. CareCore does not knowingly collect Consumer Health Data from children without any consent required by law.

  1. Changes to this Policy

We may update this Policy from time to time. The updated Policy will be posted with a new effective date. If required by law, we will provide additional notice, obtain additional consent, or request re-acceptance.

  1. Contact

CareCore, Inc. Email: legal@carecore.io Mail: 6704 Myrtle Ave, #1514, Glendale, NY 11385