Last Updated: 07/03/26 | Effective Date: 07/03/26
Who we are. Precision Health Systems, Inc. (“PHS,” “Metabolic Code,” “we,” “us,” “our”), a Delaware corporation headquartered in Cincinnati, Ohio. PHS is the successor entity to Metabolic Code Enterprises, Inc. (“MCE”).
What we do. We provide a precision-health technology platform, including the TRIAD™ scoring methodology, wellness reports, subscription products, and administrative and technology infrastructure that supports clinical services delivered by independent licensed clinicians of separate professional entities (each, a “Professional Entity”).
Two data tracks. (1) Where you receive services from a Professional Entity, your Protected Health Information (“PHI”) is governed by HIPAA and the Professional Entity’s Notice of Privacy Practices; PHS handles that PHI as a Business Associate. (2) Where you use PHS’s direct-to-consumer wellness products, your information is governed by this Privacy Policy and applicable state privacy laws.
Consumer health data. If you reside in Washington, Nevada, or Connecticut, additional protections apply to your “consumer health data” under state health-data privacy laws. See Section 10.
Your rights. Depending on where you live, you may have rights to access, correct, delete, port, opt out of sale/sharing/targeted advertising, limit use of sensitive information, appeal, and withdraw consent. See Sections 8–11.
Not for children under 13. The Services are not directed to children under 13. See Section 13.
Contact. privacy@metaboliccode.com | 712 Neave St., Cincinnati, OH 45204 | Attn: Privacy Officer.
This Privacy Policy describes how PHS collects, uses, discloses, and safeguards personal information in connection with our websites, mobile applications, algorithms, reports, subscriptions, laboratory-ordering interfaces, and related services (collectively, the “Services”), whether accessed directly through PHS or indirectly through a white-label, co-branded, affiliate, or practitioner channel (each, a “Channel Partner”).
This Policy is incorporated into, and works with, our Terms and Conditions. Terms used but not defined here have the meanings given in the Terms and Conditions.
This Policy does not cover:
Depending on how you interact with the Services, we collect the following categories of personal information. This table also serves as our Notice at Collection under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”).
| Category (CCPA) | Examples We Collect | Sources | Business Purposes | Disclosed To |
|---|---|---|---|---|
| A. Identifiers | Name, email, mailing address, phone number, account ID, IP address, device identifier | Directly from you; automatically via Site use; from Channel Partners | Account creation; order fulfillment; communications; security; fraud prevention | Service providers; Channel Partners; Professional Entities; labs; payment processors |
| B. Customer records (Cal. Civ. Code § 1798.80(e)) | Name, address, phone, credit/debit card, billing information | Directly from you at purchase | Payment processing; billing; customer support | Payment processors; accounting providers |
| C. Protected characteristics | Age, sex, date of birth (where required for lab ordering or clinical context) | Directly from you | Clinical eligibility; state-required disclosures | Professional Entities; labs (as required) |
| D. Commercial information | Purchase history, subscription status, transactions | Automatically at purchase | Order fulfillment; account management; analytics | Service providers; Channel Partners |
| F. Internet / network activity | Site interactions, log data, cookies, session data, referral URLs | Automatically via Site use | Analytics; security; personalization; service improvement | Analytics vendors; hosting providers |
| G. Geolocation (approximate) | IP-derived city/state (used to determine state-licensure eligibility for telehealth) | Automatically via Site use | State-licensure gating; fraud prevention | Professional Entities; service providers |
| I. Professional / employment (if provided) | Practitioner license number, NPI (Channel Partners only) | Directly from Channel Partner | Partner onboarding; compliance verification | Compliance vendors |
| K. Inferences | Preferences, wellness profile, algorithm-derived scores based on inputs you provide | Derived from data you provide | Providing the Services; report generation | Professional Entities (where clinically relevant) |
| Sensitive Personal Information (CPRA § 1798.140(ae)) | Health-related information you provide (questionnaires, biometric inputs, lab results); precise geolocation (only if you enable it) | Directly from you; from labs; from Channel Partners | Providing the Services; report generation; clinical care (via Professional Entity) | Professional Entities; labs; service providers under BAA or DPA |
We collect information about your health, wellness, and biological state that is considered sensitive personal information under CCPA/CPRA, sensitive data under most other state privacy laws, and consumer health data under Washington’s My Health My Data Act (“MHMDA”), Nevada SB 370, and analogous laws. Examples include: questionnaire responses about symptoms, diet, sleep, medications, and family history; biometric data you enter (weight, blood pressure, glucose, etc.); laboratory results ordered through the Services; algorithm outputs derived from those inputs; and, if you enable it, precise geolocation.
We use sensitive information only to provide, maintain, and improve the Services you request; to enable a Professional Entity to provide clinical care to you; to comply with law; and for other purposes consistent with your expectations. We do not use sensitive information for cross-context behavioral advertising or profiling, and we do not sell sensitive information.
We use personal information for the following purposes:
We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising involving sensitive personal information or consumer health data. Where CCPA/CPRA defines certain analytics or ad-tech cookies as “sale” or “sharing,” we describe those practices and how to opt out in Section 6.
We disclose personal information only as described below:
We do not authorize service providers to use personal information for their own purposes, and we require them to delete or return personal information at the end of the relationship.
We and our service providers use cookies, SDKs, pixels, and similar technologies (“Trackers”) to operate the Services, remember your preferences, understand usage, and support security. Categories:
You can manage cookies through the “Privacy Choices” or “Cookie Preferences” link on the Services, or through your browser settings. Certain cookies are strictly necessary and cannot be disabled without breaking the Services.
We recognize the Global Privacy Control (“GPC”) signal transmitted by supported browsers as a valid request to opt out of “sale” or “sharing” of personal information under CCPA/CPRA and similar state laws. If you activate GPC while browsing the Services, we will treat it as an opt-out for the browser you use.
Because there is no industry consensus about how to interpret “Do Not Track” browser signals, we do not currently respond to them. We do honor GPC as described above.
We do not use health-related information, laboratory results, algorithm outputs, or other consumer health data to target advertising to you, and we do not permit our advertising partners to do so.
We retain personal information only for as long as necessary for the purposes described in this Policy, or as required or permitted by law. Illustrative retention periods:
When personal information is no longer needed, we delete, anonymize, or de-identify it in accordance with our data-retention procedures. De-identified data may be retained and used for research, quality improvement, and model refinement.
If you reside in a U.S. state with a comprehensive privacy law, you have rights described below. Rights vary by state; where they overlap, the higher standard applies to the extent required by law.
Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and Montana generally have the right to:
We use the Metabolic Code algorithm and TRIAD scoring methodology to generate wellness reports based on inputs you provide. These outputs are educational tools that inform, but do not by themselves make, decisions producing legal or similarly significant effects. Where a Professional Entity uses algorithm outputs to inform clinical decisions, the Professional Entity remains responsible for the clinical decision under its independent clinician-patient relationship with you.
If you reside in Minnesota and are subject to profiling in furtherance of decisions producing legal or similarly significant effects, you have the right to (i) question the result of the profiling, (ii) be informed of the reason it produced the decision, (iii) be informed of what actions you might take to secure a different decision, (iv) review the personal data used, and (v) have inaccurate data corrected and the profiling decision reevaluated.
You can exercise your rights by:
We will verify your request using information already in our possession, which may include confirming your account details, email address of record, or, for sensitive requests, a signed declaration under penalty of perjury. An authorized agent may make requests on your behalf if you provide written authorization and (for California) a verifiable Power of Attorney where required.
We will respond within the timeframe required by applicable law (generally 45 days, extendable by 45 additional days where reasonably necessary, with notice to you). There is no fee unless a request is manifestly unfounded, excessive, or repetitive.
If we decline your rights request, you may appeal by responding to our decision email or by writing to privacy@precisionhealthsystems.com with the word “APPEAL” in the subject line. We will respond within 60 days (or the shorter period required by your state). If your appeal is denied, you may contact your state Attorney General’s office.
Where you receive clinical services from a Professional Entity through the Services, that Professional Entity is a HIPAA “covered entity” and PHS acts as its “Business Associate” under a written Business Associate Agreement (“BAA”). In that role, PHS is bound by the HIPAA Privacy, Security, and Breach Notification Rules with respect to your PHI, and PHS may use and disclose PHI only as permitted by HIPAA, the BAA, and applicable law.
The Professional Entity’s Notice of Privacy Practices (“NPP”) governs the collection, use, and disclosure of your PHI by the Professional Entity, including its rights to use PHI for treatment, payment, and healthcare operations. That NPP is delivered to you at clinical enrollment and is available from the Professional Entity on request. Where any provision of this Privacy Policy conflicts with the NPP with respect to PHI, the NPP controls.
Information you provide to PHS’s direct-to-consumer wellness Services outside of a clinician-patient relationship is generally not HIPAA-covered PHI. That information is nevertheless protected under this Privacy Policy and applicable state privacy and consumer-health-data laws.
If we discover a breach of unsecured PHI, we will notify the applicable Professional Entity in accordance with the BAA and applicable law, and the Professional Entity will notify affected individuals. For non-HIPAA data, we will notify you in accordance with applicable state breach-notification laws.
Residents of Washington, Nevada, and Connecticut have additional rights and protections under state consumer-health-data laws, including Washington’s My Health My Data Act (“MHMDA”), Nevada SB 370, and Connecticut Public Act 23-56.
For purposes of these laws, “consumer health data” broadly includes any information linked or reasonably linkable to you that identifies your past, present, or future physical or mental health status. Under our Services, this includes: questionnaire responses; biometric inputs; laboratory results; algorithm outputs; medications; symptoms; and precise geolocation (where relevant to health status).
We collect consumer health data directly from you and, where applicable, from Channel Partners, Professional Entities, and laboratories. We use consumer health data only to (a) provide, maintain, and improve the Services you have requested, (b) enable a Professional Entity to provide you with clinical care, (c) fulfill our legal and contractual obligations, and (d) protect the integrity, security, and lawful use of the Services. We share consumer health data only with the categories of recipients listed in Section 5, and only as reasonably necessary to accomplish those purposes.
We collect and process consumer health data only with your consent (or, in Washington, based on the more limited grounds permitted by MHMDA). Before we collect consumer health data for any purpose other than one that is strictly necessary to provide a product or service you have requested, we will obtain your affirmative opt-in consent. We will obtain a separate authorization before selling any consumer health data, but we do not sell consumer health data.
Consistent with MHMDA, we do not implement a geofence around any entity that provides in-person healthcare services for the purposes of (a) identifying or tracking consumers seeking healthcare services, (b) collecting consumer health data from consumers, or (c) sending notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services.
Contact us at privacy@metaboliccode.com with the subject line “Consumer Health Data Request” or use the “Privacy Choices” link on the Services. We will verify and respond within the timeframe required by law.
California Civil Code § 1798.83 permits California residents to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.
New Jersey residents have the rights described in Section 8. To the extent any provision of this Policy or our Terms limits liability in a manner not permitted under New Jersey law, that provision does not apply to New Jersey residents.
Some Services may allow you to upload photographs or record biometric measurements. We do not collect “biometric identifiers” or “biometric information” as defined by the Illinois Biometric Information Privacy Act (“BIPA”) for the purpose of identifying an individual. If we ever offer a feature that would involve BIPA-covered biometrics, we will obtain your prior written consent as required by BIPA.
Under Nevada SB 220, Nevada residents may direct us not to sell certain covered information. We do not sell such information. To confirm this or exercise this right, contact us at privacy@metaboliccode.com.
If you reside in a state not listed above and are protected by a specific state privacy or health-data law, please contact us and we will accommodate your request to the extent required by that law.
The Services are intended for U.S. residents. If you access the Services from outside the United States, you understand that your personal information will be processed in the United States, which may not offer the same level of data protection as your home country. We take reasonable steps to protect your information in accordance with this Policy and applicable law.
If you are subject to the European Union or United Kingdom General Data Protection Regulation, please contact us before using the Services so we can determine whether we can lawfully provide the Services to you. We do not currently market the Services in the EU/EEA or UK.
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the Children’s Online Privacy Protection Act (“COPPA”). Users must be at least 18 (or the age of majority in their state) to create an account. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly. If you believe a child has provided us personal information, contact us at privacy@metaboliccode.com.
For users between 13 and 17, additional restrictions apply under state “Age-Appropriate Design Code” laws (including California and Maryland). Where a minor is permitted to use the Services with parental consent, we apply heightened privacy protections consistent with those laws.
We maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of personal information. Measures include encryption of PHI in transit and at rest, access controls, workforce training, vendor due diligence and BAAs/DPAs, logging and monitoring, and incident response processes.
No system is completely secure. You are responsible for keeping your account credentials confidential and for notifying us promptly if you suspect unauthorized access. Notify us at security@metaboliccode.com.
With your consent (where required), we may send you marketing communications by email, SMS, push notifications, or postal mail.
SMS and text communications are governed by the terms in Section 13 of our Terms and Conditions. You may opt out at any time by replying STOP to any message. We will honor a revocation of consent using any reasonable method within 10 business days consistent with FCC rules.
You may unsubscribe from marketing emails at any time using the unsubscribe link in the email or by contacting us. We will continue to send you transactional and service-related emails as necessary.
If you are a personal representative, executor, or next of kin of a deceased user, you may contact us to request closure of the account and, where permitted by law and the applicable HIPAA/state rules, access to the deceased’s records. Provide a certified copy of the death certificate and proof of your authority.
We may amend this Policy from time to time. We will update the “Last Updated” date at the top and, for material changes, provide additional notice by email, in-Service notification, or another reasonable means at least 30 days before the change takes effect where feasible. Where required by law, we will obtain your renewed consent. Your continued use of the Services after the effective date means you accept the updated Policy.
Precision Health Systems, Inc.
Attn: Privacy Officer
712 Neave St., Cincinnati, OH 45204
Toll-free: [insert]
For HIPAA-related requests concerning PHI held on behalf of a Professional Entity, contact the Professional Entity directly using the information on its Notice of Privacy Practices.