Privacy Policy
Last updated: July 24, 2024
1. Introduction
GF Health Services d/b/a Geviti ("Geviti", "Company", "we", "us", or "our") is committed to maintaining robust privacy protections for our users. This Privacy Policy is designed to help you understand how we collect, use, and safeguard the information you provide to us and to assist you in making informed decisions when using our Website (www.gogeviti.com) and the Geviti platform.
2. Information Collection, Use, and Purpose
We collect a variety of information from our users, including personal identifiers such as names, email addresses, geographic locations, ages, and sexes. This data is obtained through direct interactions on our Website, as well as through cookies and third-party analytics tools. Our Platform additionally collects comprehensive medical and health-related information. All such data is collected for the purpose of providing our services, understanding user needs, and maintaining compliance with relevant health information privacy regulations. Third-party vendors comply with U.S. data protection laws, ensuring the security and confidentiality of your personal data.
3. Data Sharing, Disclosure, and Third-Party Relations
Your personal data is a critical aspect of our operations, and we take the responsibility of handling it with the utmost care. We do not sell or lease user data to third parties for their marketing purposes. Third-party vendors and service providers engaged by us are contractually bound to respect the confidentiality of your information. Additionally, we may disclose personal information when legally required, or in situations where such disclosure is necessary to protect our rights or the rights of others. We conduct audits to ensure the accuracy and security of your personal data.
4. User Rights and Data Governance
In accordance with data protection laws, you have the right to access, correct, or request the deletion of your personal data. You may also limit or object to the processing of your data. Requests regarding your data rights can be directed to our designated contact point, as detailed at the end of this policy. Our advanced security measures include end-to-end encryption and secure storage facilities, fully compliant with U.S. data protection laws.
5. Data Security Measures and Protocols
The security of your personal data is paramount. We employ advanced security measures to protect against unauthorized access, alteration, disclosure, or destruction of your information. Compliance with industry-standard protocols and continuous monitoring ensures the integrity and security of your data.
6. Data Retention and Destruction Policies
We retain personal data only as long as necessary to fulfill the purposes for which it was collected; it is securely destroyed or anonymized upon the expiration of the retention period.
7. Cross-Border Data Transfers
Our services are currently confined within the territorial bounds of the United States. We do not engage in international data transfers, ensuring that your data remains under the jurisdiction of U.S. privacy laws. We operate exclusively within the United States, adhering strictly to U.S. privacy laws.
8. Do Not Track Signals
Our Website respects and responds to Do Not Track (DNT) signals. We modify our tracking practices in accordance with your browser's DNT settings, ensuring that your preferences in terms of tracking are honored.
9. Children’s Privacy
We do not knowingly collect or solicit personal information from children under the age of 13. If we learn that we have collected personal information from a child under 13, we will delete that information as quickly as possible.
10. Opt-Out & Unsubscribe from Third Party Communications
We provide users with the opportunity to opt-out of having their personal information used for certain purposes. This includes opting out of receiving communications from third-party partners and withdrawing consent for the disclosure of personal information.
11. Tracking User Behavior
We monitor user behavior on our Website to enhance user experience, tailor our services, and conduct market research. This tracking is conducted in a manner that respects user privacy and preferences.
12. Use of Cookies and Web Beacons
Cookies and web beacons are used on our Website to improve user experience, analyze trends, administer the site, and gather demographic information about our user base as a whole. Users can control the use of cookies at the individual browser level.
13. External Data Storage Sites
We may store data on servers provided by third-party hosting vendors with whom we have contracted, ensuring that these vendors adhere to our strict data protection standards. Our third-party hosting vendors are based in the United States and comply with all relevant U.S. data protection standards.
14. Protected Health Information (PHI)
We are committed to protecting your health information. This section describes how we treat Protected Health Information (PHI):
15. Patient Rights Regarding PHI
Under HIPAA, you have several rights regarding your PHI:
16. Contact Information of Privacy Official
If you have questions or concerns about this Privacy Policy or our privacy practices, or if you wish to exercise your rights regarding your PHI, please contact our Privacy Official:
Privacy Official:
Nathan Graville
CEO
(602) 341-3545
17. Legal and Governmental Use of PHI
In compliance with legal and governmental requirements, we may use or disclose your Protected Health Information (PHI) as necessary and in accordance with applicable laws and regulations.
18. Communication Platforms
We utilize various communication platforms to keep you informed about your care and treatment, send appointment reminders, and notify you about healthcare-related services or benefits that may be of interest to you.
19. Telehealth
The laws that protect the privacy and confidentiality of PHI also apply to telehealth. Information obtained during telehealth that identifies me will not be given to anyone without my consent except for purposes of treatment, education, billing, and healthcare operations. By using telehealth services, I consent to Geviti sharing my PHI with certain third parties.
20. Changes to this Policy
This Privacy Policy may be updated from time to time to reflect changes in our practices, technology, legal requirements, and other factors. We encourage users to periodically review this policy for the latest information on our privacy practices.
21. Contact Information for Privacy Concerns
Should you have any questions or concerns regarding this Privacy Policy or the handling of your data, you can reach us at . We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.
22. Policy Review and Amendment Procedures
This Privacy Policy is subject to periodic review and amendments. Any changes will be reflected on our website along with an updated effective date. We encourage you to review our Privacy Policy periodically.
23. Contact Information and Complaint Resolution
For any inquiries, complaints, or if you believe your privacy rights have been violated, please contact us at . We will investigate and attempt to resolve any complaints and disputes regarding the use and disclosure of personal information in accordance with this Privacy Policy.
24. Acknowledgement and Consent
By using our Website and Platform, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. You also consent to the collection, use, and disclosure of your information as outlined in this policy.
25. Additional Information for California Residents
As part of our compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), we acknowledge the expanded rights of California residents concerning their personal data. These rights include:
Consumer Rights: California residents have the right to know about the personal information a business collects about them and how it is used and shared; the right to delete personal information collected; the right to opt-out of the sale of personal information; and the right to non-discrimination for exercising their CCPA rights. Additionally, the CPRA allows consumers to correct inaccuracies in their personal information, to limit use and disclosure of sensitive personal information, and to access information about automated decision-making.
Sensitive Personal Information (SPI): Under the CPRA, sensitive personal information includes Social Security numbers, driver's license numbers, account log-in details, geolocation data, racial or ethnic origin, religious beliefs, union membership, personal communications, genetic data, biometric information, health information, and information about sex life or sexual orientation.
Business Obligations: We are committed to providing clear and comprehensive notices regarding consumer rights, fulfilling disclosure and retention obligations, responding to consumer requests in a timely manner, and implementing robust security safeguards to protect consumer data.
California Confidentiality of Medical Information Act (CMIA): In accordance with the CMIA, we ensure that any disclosure of medical information requires a valid written authorization, except as otherwise permitted by law.
26. Colorado Privacy Act (CPA) Compliance
When operating in Colorado, we adhere to the Colorado Privacy Act (CPA), effective July 1, 2023. This Act applies to our control and processing of personal data of more than 100,000 consumers annually or if we derive revenue from selling personal data of more than 25,000 consumers.
Consumer Rights: Residents of Colorado have the right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Additionally, effective July 1, 2024, we will comply with universal opt-out mechanisms for targeted advertising and the sale of personal data.
Data Processing and Consent: We commit to providing transparent privacy notices, obtaining explicit consent prior to data collection, and practicing data minimization and purpose specification. We refrain from secondary use of personal data without explicit consent and prioritize the security of the data we handle.
Data Processing Agreements (DPAs): Our relationships with data processors are governed by DPAs, which include detailed processing instructions, types of personal data involved, confidentiality obligations, and stringent security measures. These agreements also cover provisions for data return or deletion and enable audits, including the agreement of sub-processors.
Compliance with Complementary Laws: In alignment with Colorado’s information security law, we maintain reasonable security procedures to safeguard personally identifiable information and adhere to mandated breach notifications under specified conditions.
27. Connecticut Data Privacy Act (CTDPA) Compliance
When operating in Connecticut, in compliance with the Connecticut Data Privacy Act (CTDPA), effective July 1, 2023, we recognize and adhere to the rights of Connecticut residents regarding their personal information. The CTDPA applies to our operations if we process the personal data of 100,000 or more consumers annually, or if we generate revenue from selling personal data.
Consumer Rights: Connecticut residents have the right to access, correct, and delete their personal data. They also have the right to opt-out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in decisions that produce legal effects.
Data Processing and Transparency: We are committed to transparent data collection and processing practices, maintaining data security, and avoiding discrimination against consumers who exercise their CTDPA rights.
28. Utah Consumer Privacy Act (UCPA) Compliance
When operating in Utah, in line with the Utah Consumer Privacy Act (UCPA), effective December 31, 2023, we recognize the privacy rights of Utah residents and comply with the provisions of the UCPA. Our obligations under this Act include:
Consumer Rights: Utah residents have the right to access their personal data, delete personal data they have provided, and obtain a portable copy of said data. They also have the right to opt out of the sale of their personal data and its use in targeted advertising.
Data Processing and Consent: We provide clear privacy notices and seek consent for data collection, ensuring data minimization and purpose specification. We avoid processing personal data for secondary purposes without consent and maintain strong data security.
Data Processing Agreements (DPAs): We have established DPAs with data processors, detailing processing instructions, data types, confidentiality, security measures, data return or deletion protocols, audit provisions, and agreements with sub-processors.
Non-Discrimination and Transparency: We do not discriminate against consumers exercising their UCPA rights. Our practices are transparent, and we provide consumers with options to exercise their rights effectively.
29. Virginia Consumer Data Protection Act (VCDPA) Compliance
When operating in Virginia, in accordance with the Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, we uphold the rights of Virginia residents regarding their personal data. The VCDPA applies to our processing of personal data of 100,000 or more Virginia consumers annually or if we derive more than 50% of our gross revenue from the sale of personal data.
Consumer Rights: Virginia residents have rights to access, correct, delete, and opt-out of the processing of personal data for targeted advertising, the sale of personal data, and profiling.
Data Processing and Consent: We provide clear privacy notices, obtain consent for data collection, practice data minimization, and ensure the purpose specificity of data processing. We maintain robust security for data protection.
Sensitive Personal Information: We require explicit consent for processing sensitive personal data, such as racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation.
Non-Discrimination: We do not discriminate against consumers who exercise their VCDPA rights.
30. Washington My Health My Data Act (MHMD Act) Compliance
When operating in Washington, in compliance with Washington's My Health My Data Act (MHMD Act), effective March 31, 2024, we recognize and protect the rights of individuals regarding their health data. This Act applies to our processing of consumer health data in Washington.
Consumer Rights: Washington residents have rights to access, correct, and delete their health data. We ensure transparency in data collection and sharing, obtaining explicit consent for such activities.
Health Data Protection: We maintain strict confidentiality of health data, prohibiting geofencing for healthcare data collection. Access to health data is restricted and managed carefully.
Vendor Management and Selling of Health Data: Any sale of health data requires valid authorization. We manage vendors through written contracts, ensuring they adhere to our privacy standards.
Private Right of Action: The MHMD Act allows for a private right of action for any violations of these regulations.
31. Illinois Personal Information Protection Act (PIPA) Compliance
When operating in Illinois, in accordance with the Illinois Personal Information Protection Act (PIPA), we implement robust security measures to protect the personal information of Illinois residents, with an emphasis on biometric data.
Biometric Data: We obtain consent prior to collecting any biometric data, such as fingerprints, voiceprints, or facial recognition scans, in compliance with PIPA's specific requirements.
Security Measures and Breach Notification: We maintain reasonable security measures to safeguard personal information and comply with PIPA's breach notification requirements, promptly informing Illinois residents of any security breaches affecting their personal data.
32. Massachusetts Standards for the Protection of Personal Information Compliance
When operating in Massachusetts, we adhere to the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth. Our comprehensive information security program includes:
Designated Security Personnel: We appoint responsible personnel to oversee our data security program.
Risk Management: Regularly monitoring and upgrading our systems to prevent security failures.
Employee Training and Policies: Implementing solid security policies and training staff in data protection practices.
Access Control: Ensuring control over data access during and post-employment.
Service Provider Oversight: Rigorously overseeing service providers handling personal information.
Data Encryption: Encrypting all transmitted and stored personal data.
Firewall and Authentication Protocols: Maintaining up-to-date firewall protection and secure user authentication practices.
33. Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) Compliance
When operating in Nevada, we comply with the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA). This includes:
Privacy Policy Requirements: Maintaining a comprehensive Privacy Policy that details the types of information collected from Nevada consumers, the process of data collection, and the purposes for which it is used.
Consumer Opt-Out Rights: Providing Nevada consumers with the right to opt-out of the sale of their personal information.
Data Security Measures: Implementing and maintaining appropriate security measures to protect personal information from unauthorized access and use.