This Privacy Policy describes how Bidwell Health ("we," "us," or "our") collects, uses, stores, and protects your information when you use our asynchronous telehealth platform at bidwellhealth.com. This Privacy Policy should be read together with our Terms of Service and HIPAA Notice of Privacy Practices.
Information We Collect
A. Information You Provide
Identity information: Full name, date of birth
Contact information: Email address, phone number
Location information: State of residence
Health information: Symptoms, medical history, current medications, known allergies, screening questionnaire responses
Pharmacy information: Pharmacy name and address
Payment information: Credit/debit card details processed securely via Stripe — we never store your card numbers directly
Consent records: Records of consents provided (e.g., informed consent, telehealth consent)
B. Information Collected Automatically
Device information: Browser type, operating system
Usage data: Pages visited, time spent on pages
Log data: IP address, access times
How We Use Your Information
Your information is used for the following purposes:
Healthcare services: To enable licensed providers to evaluate your symptoms, make clinical assessments, and prescribe appropriate treatment
Payment processing: To securely process your visit payment through Stripe
Communication: To send visit confirmations, provider responses, prescription updates, and important account notifications
Safety screening: To identify and respond to safety concerns disclosed during intake (e.g., mental health screening responses)
Legal compliance: To meet our obligations under federal, state, and local laws and regulations
Platform improvement: To improve our services using aggregated, de-identified data only
Security: To detect, prevent, and respond to fraud, abuse, or security incidents
How We Share Your Information
We do NOT sell, rent, or trade your personal or health information. Your data is shared only with the following parties, and only as necessary:
Pharmacies: Your selected pharmacy receives prescription information electronically for prescription fulfillment
Stripe: Payment details are transmitted directly to Stripe for secure transaction processing
Supabase: Our infrastructure provider for encrypted data storage
Google Places API: Receives zip code only for pharmacy search functionality — no patient health information is transmitted
Legal and regulatory authorities: As required by law, including mandatory reporting obligations, court orders, or subpoenas
Data Storage and Security
We employ industry-standard security measures to protect your information:
Encryption: All data is encrypted in transit using TLS and encrypted at rest using AES-256 encryption
Access controls: Access to patient data is restricted to authenticated, authorized providers only
Secure infrastructure: Our platform is built on Supabase with row-level security policies, secure database access controls, and SOC 2 Type II compliance
Payment security: Stripe handles all payment processing and is PCI DSS Level 1 compliant — the highest level of certification
Security headers: We implement HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP) headers to protect against common web vulnerabilities
While we implement robust safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data, but we are committed to maintaining and improving our security practices.
Data Retention
We retain your information according to the following schedule:
Medical records: Retained for a minimum of 7 years from the date of your last encounter, or longer if required by applicable state law
Payment records: Retained for 7 years in accordance with financial record-keeping requirements
Account information: Retained while your account remains active
You may request deletion of non-medical personal information by contacting us. Please note that we are legally required to retain medical records for the minimum retention period regardless of deletion requests.
Your Rights
You have the following rights regarding your personal and health information:
Access: You may request a copy of the personal and health information we hold about you
Correction: You may request corrections to any inaccurate or incomplete information
Deletion: You may request deletion of your account and associated non-medical data, subject to legal retention requirements
HIPAA rights: You have additional rights under HIPAA, including the right to access your medical records, request amendments, and obtain an accounting of disclosures. For full details, please see our HIPAA Notice of Privacy Practices
California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell your personal information. Please note that health information governed by HIPAA is exempt from CCPA/CPRA.
Other State Privacy Laws
If you reside in a state with comprehensive consumer privacy legislation, you may have additional rights. Please contact us at privacy@bidwellhealth.com to exercise any applicable rights.
Cookies
Bidwell Health uses essential session cookies only. These cookies are required for the platform to function properly (e.g., maintaining your session during a visit submission).
We do not use tracking cookies
We do not use advertising cookies
We do not use analytics cookies
Children's Privacy
Bidwell Health is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected information from a person under 18, we will take steps to delete that information promptly.
Third-Party Links
Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those external sites. We encourage you to review the privacy policies of any third-party sites you visit.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For significant changes, we may notify you by email. Your continued use of Bidwell Health after changes are posted constitutes your acceptance of the revised policy.
Contact
If you have any questions or concerns about this Privacy Policy or how your data is handled, please contact us: