Privacy Policy

Last Updated: 07/03/26     Effective Date: 07/03/26

Summary at a Glance

Who we are. Precision Health Systems, Inc. (“PHS,” “Metabolic Code,” “we,” “us,” “our”), a Delaware corporation headquartered in Cincinnati, Ohio. PHS is the successor entity to Metabolic Code Enterprises, Inc. (“MCE”).

What we do. We provide a precision-health technology platform, including the TRIAD™ scoring methodology, wellness reports, subscription products, and administrative and technology infrastructure that supports clinical services delivered by independent licensed clinicians of separate professional entities (each, a “Professional Entity”).

Two data tracks. (1) Where you receive services from a Professional Entity, your Protected Health Information (“PHI”) is governed by HIPAA and the Professional Entity’s Notice of Privacy Practices; PHS handles that PHI as a Business Associate. (2) Where you use PHS’s direct-to-consumer wellness products, your information is governed by this Privacy Policy and applicable state privacy laws.

Consumer health data. If you reside in Washington, Nevada, or Connecticut, additional protections apply to your “consumer health data” under state health-data privacy laws. See Section 10.

Your rights. Depending on where you live, you may have rights to access, correct, delete, port, opt out of sale/sharing/targeted advertising, limit use of sensitive information, appeal, and withdraw consent. See Sections 8–11.

Not for children under 13. The Services are not directed to children under 13. See Section 13.

Contact. privacy@metaboliccode.com  |  712 Neave St., Cincinnati, OH 45204  |  Attn: Privacy Officer.

1. Scope of This Policy

This Privacy Policy describes how PHS collects, uses, discloses, and safeguards personal information in connection with our websites, mobile applications, algorithms, reports, subscriptions, laboratory-ordering interfaces, and related services (collectively, the “Services”), whether accessed directly through PHS or indirectly through a white-label, co-branded, affiliate, or practitioner channel (each, a “Channel Partner”).

This Policy is incorporated into, and works with, our Terms and Conditions. Terms used but not defined here have the meanings given in the Terms and Conditions.

1.1  What This Policy Does Not Cover

This Policy does not cover:

  • PHI held by a Professional Entity — that PHI is governed by HIPAA and the Professional Entity’s Notice of Privacy Practices.
  • Channel Partner websites and apps — those are governed by the Channel Partner’s own privacy policy, even where PHS technology is embedded.
  • Third-party websites, laboratories, or wearables you connect to, which are governed by their own privacy policies.
  • Employment or contractor data — covered by separate notices provided to workforce members.

2. Categories of Personal Information We Collect

Depending on how you interact with the Services, we collect the following categories of personal information. This table also serves as our Notice at Collection under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”).

| Category (CCPA) | Examples We Collect | Sources | Business Purposes | Disclosed To |
| --- | --- | --- | --- | --- |
| A. Identifiers | Name, email, mailing address, phone number, account ID, IP address, device identifier | Directly from you; automatically via Site use; from Channel Partners | Account creation; order fulfillment; communications; security; fraud prevention | Service providers; Channel Partners; Professional Entities; labs; payment processors |
| B. Customer records (Cal. Civ. Code § 1798.80(e)) | Name, address, phone, credit/debit card, billing information | Directly from you at purchase | Payment processing; billing; customer support | Payment processors; accounting providers |
| C. Protected characteristics | Age, sex, date of birth (where required for lab ordering or clinical context) | Directly from you | Clinical eligibility; state-required disclosures | Professional Entities; labs (as required) |
| D. Commercial information | Purchase history, subscription status, transactions | Automatically at purchase | Order fulfillment; account management; analytics | Service providers; Channel Partners |
| F. Internet / network activity | Site interactions, log data, cookies, session data, referral URLs | Automatically via Site use | Analytics; security; personalization; service improvement | Analytics vendors; hosting providers |
| G. Geolocation (approximate) | IP-derived city/state (used to determine state-licensure eligibility for telehealth) | Automatically via Site use | State-licensure gating; fraud prevention | Professional Entities; service providers |
| I. Professional / employment (if provided) | Practitioner license number, NPI (Channel Partners only) | Directly from Channel Partner | Partner onboarding; compliance verification | Compliance vendors |
| K. Inferences | Preferences, wellness profile, algorithm-derived scores based on inputs you provide | Derived from data you provide | Providing the Services; report generation | Professional Entities (where clinically relevant) |
| Sensitive Personal Information (CPRA § 1798.140(ae)) | Health-related information you provide (questionnaires, biometric inputs, lab results); precise geolocation (only if you enable it) | Directly from you; from labs; from Channel Partners | Providing the Services; report generation; clinical care (via Professional Entity) | Professional Entities; labs; service providers under BAA or DPA |

2.1  Sensitive Personal Information / Health-Related Data

We collect information about your health, wellness, and biological state that is considered sensitive personal information under CCPA/CPRA, sensitive data under most other state privacy laws, and consumer health data under Washington’s My Health My Data Act (“MHMDA”), Nevada SB 370, and analogous laws. Examples include: questionnaire responses about symptoms, diet, sleep, medications, and family history; biometric data you enter (weight, blood pressure, glucose, etc.); laboratory results ordered through the Services; algorithm outputs derived from those inputs; and, if you enable it, precise geolocation.

We use sensitive information only to provide, maintain, and improve the Services you request; to enable a Professional Entity to provide clinical care to you; to comply with law; and for other purposes consistent with your expectations. We do not use sensitive information for cross-context behavioral advertising or profiling, and we do not sell sensitive information.

3. Sources of Personal Information

  • Directly from you — account registration, questionnaires, orders, uploads, and communications.
  • Automatically — from your device and browser when you use the Services (cookies, log data, session data, approximate location).
  • From Channel Partners — when you engage the Services through a partner-branded interface, that Partner may share account, order, or wellness data with us to enable the Services.
  • From Professional Entities — where clinical services are provided, the Professional Entity may share clinically relevant PHI with us under a Business Associate Agreement.
  • From labs and diagnostic vendors — results and QC data from ordered tests.
  • From service providers — payment processors, fraud-prevention vendors, identity-verification vendors, shipping carriers.
  • From publicly available sources — professional license databases (for Channel Partner practitioners).

4. How We Use Personal Information

We use personal information for the following purposes:

  • Providing the Services — account setup, running the Metabolic Code algorithm and TRIAD scoring, generating reports, fulfilling orders, arranging lab kit shipment, presenting lab results.
  • Enabling clinical care by a Professional Entity — routing your information (as Business Associate) to the applicable Professional Entity where you have engaged clinical services, so licensed clinicians can review, communicate with, and where appropriate treat you.
  • Communications — transactional emails, appointment reminders, shipping updates, lab-result notifications, security alerts, and, with your consent, marketing communications, including text messages under the terms of Section 13 of our Terms and Conditions.
  • Billing, payment, and financial recordkeeping — processing payments, invoicing, chargeback and refund handling, tax reporting.
  • Improving and developing the Services — analytics on aggregated and, where consistent with law and consent, individual usage; product research; algorithm refinement (using de-identified data where feasible).
  • Safety, security, and fraud prevention — detecting, investigating, and responding to unauthorized access, fraud, malware, and abuse.
  • Compliance and legal purposes — complying with HIPAA, state consumer-health-data laws, tax law, subpoenas, court orders, and other legal obligations; enforcing our Terms; protecting our rights and the rights of others.
  • Business transactions — evaluating, negotiating, and completing mergers, acquisitions, financings, and reorganizations.

We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising involving sensitive personal information or consumer health data. Where CCPA/CPRA defines certain analytics or ad-tech cookies as “sale” or “sharing,” we describe those practices and how to opt out in Section 6.

5. How We Disclose Personal Information

We disclose personal information only as described below:

  • Service providers and processors — hosting, cloud storage, analytics, telecommunications, email/SMS delivery, payment processing, shipping, customer support. These providers act on our documented instructions and are contractually bound to protect your information (and, where applicable, sign a Business Associate Agreement or Data Processing Agreement).
  • Professional Entities and clinicians — where you have engaged clinical services, we disclose PHI to the Professional Entity as your Business Associate.
  • Laboratories and diagnostic vendors — to order, process, and return laboratory tests you have requested.
  • Channel Partners — where you access the Services through a Channel Partner, we may share account and order information with the Partner as necessary to support your relationship with them.
  • Telehealth infrastructure providers — vendors that operate the underlying video, messaging, and scheduling systems for clinical encounters.
  • Affiliates and successors — PHS’s corporate parents, subsidiaries, and affiliates, and any successor entity in a merger, acquisition, financing, or sale of assets, subject to protections consistent with this Policy.
  • Legal and safety — to comply with law, respond to lawful requests from public authorities, enforce our Terms, protect our rights or the safety of any person, and prevent fraud.
  • With your consent — for any other purpose disclosed to you at the time we collect the information or with your subsequent consent.

We do not authorize service providers to use personal information for their own purposes, and we require them to delete or return personal information at the end of the relationship.

6. Cookies, Tracking, and Advertising

We and our service providers use cookies, SDKs, pixels, and similar technologies (“Trackers”) to operate the Services, remember your preferences, understand usage, and support security. Categories:

  • Strictly necessary — required for the Services to function (session, authentication, security).
  • Preferences — remember your choices (language, display).
  • Analytics — aggregate usage measurement to improve the Services.
  • Marketing — measure and, where you consent, personalize marketing communications.

6.1  Your Choices

You can manage cookies through the “Privacy Choices” or “Cookie Preferences” link on the Services, or through your browser settings. Certain cookies are strictly necessary and cannot be disabled without breaking the Services.

6.2  Global Privacy Control

We recognize the Global Privacy Control (“GPC”) signal transmitted by supported browsers as a valid request to opt out of “sale” or “sharing” of personal information under CCPA/CPRA and similar state laws. If you activate GPC while browsing the Services, we will treat it as an opt-out for the browser you use.

6.3  Do Not Track

Because there is no industry consensus about how to interpret “Do Not Track” browser signals, we do not currently respond to them. We do honor GPC as described above.

6.4  No Use of Health Data for Advertising

We do not use health-related information, laboratory results, algorithm outputs, or other consumer health data to target advertising to you, and we do not permit our advertising partners to do so.

7. Data Retention

We retain personal information only for as long as necessary for the purposes described in this Policy, or as required or permitted by law. Illustrative retention periods:

  • Account records — for the duration of your account plus a reasonable period after closure for legal, audit, and fraud-prevention purposes.
  • Order and billing records — as required by tax and commercial law (generally 7 years).
  • Medical, laboratory, and telehealth records held on behalf of a Professional Entity — for the period required by state medical-records-retention law (commonly 7–10 years for adults, longer for minors), as directed by the Professional Entity.
  • Marketing consents — until withdrawn, plus a reasonable period to document the withdrawal.
  • Consumer health data under MHMDA — no longer than reasonably necessary for the purpose for which it was collected, and only for the purposes described in our MHMDA notice (Section 10).
  • Backups and logs — until overwritten in the normal course of system operations.

When personal information is no longer needed, we delete, anonymize, or de-identify it in accordance with our data-retention procedures. De-identified data may be retained and used for research, quality improvement, and model refinement.

8. Your Privacy Rights Under U.S. State Laws

If you reside in a U.S. state with a comprehensive privacy law, you have rights described below. Rights vary by state; where they overlap, the higher standard applies to the extent required by law.

8.1  Common Rights

Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and Montana generally have the right to:

  • Confirm whether we process personal information about you and access that information;
  • Correct inaccurate personal information;
  • Delete personal information about you;
  • Obtain a portable copy of your personal information in a machine-readable format;
  • Opt out of the “sale” of personal information, targeted advertising, and profiling in furtherance of decisions producing legal or similarly significant effects; and
  • Be free from discrimination for exercising these rights.

8.2  Additional California Rights (CCPA/CPRA)

  • Right to opt out of the “sharing” of personal information for cross-context behavioral advertising;
  • Right to limit the use and disclosure of Sensitive Personal Information to purposes reasonably necessary to provide the Services;
  • Right to know the categories of sources, purposes, and recipients of your personal information;
  • Right to designate an authorized agent to make requests on your behalf.

8.3  Additional Virginia, Colorado, Connecticut, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Tennessee, Maryland, Indiana, Kentucky, Rhode Island, Montana, Minnesota, and Nevada Rights

  • Right to opt in (or freely give, deny, or withdraw consent) for processing of sensitive data;
  • Right to appeal a denial of a rights request. If we deny your request, we will explain your right to appeal and, in most states, your right to contact your state Attorney General if you disagree with the outcome of the appeal;
  • In Minnesota and Maryland, the right to obtain a list of specific third parties to which we have disclosed your personal data; and, in Maryland, additional restrictions apply to processing of sensitive data (limited to what is strictly necessary to provide or maintain a requested product or service).

8.4  Profiling

We use the Metabolic Code algorithm and TRIAD scoring methodology to generate wellness reports based on inputs you provide. These outputs are educational tools that inform, but do not by themselves make, decisions producing legal or similarly significant effects. Where a Professional Entity uses algorithm outputs to inform clinical decisions, the Professional Entity remains responsible for the clinical decision under its independent clinician-patient relationship with you.

If you reside in Minnesota and are subject to profiling in furtherance of decisions producing legal or similarly significant effects, you have the right to (i) question the result of the profiling, (ii) be informed of the reason it produced the decision, (iii) be informed of what actions you might take to secure a different decision, (iv) review the personal data used, and (v) have inaccurate data corrected and the profiling decision reevaluated.

8.5  Utah and Iowa

  • Right to opt out of targeted advertising;
  • Right to opt out of the processing of sensitive personal information.

8.6  Exercising Your Rights

You can exercise your rights by:

  • Email: privacy@metaboliccode.com;
  • Toll-free phone (California) — [insert toll-free number];
  • Mail — Precision Health Systems, Inc., 712 Neave St., Cincinnati, OH 45204, Attn: Privacy Officer.

We will verify your request using information already in our possession, which may include confirming your account details, email address of record, or, for sensitive requests, a signed declaration under penalty of perjury. An authorized agent may make requests on your behalf if you provide written authorization and (for California) a verifiable Power of Attorney where required.

We will respond within the timeframe required by applicable law (generally 45 days, extendable by 45 additional days where reasonably necessary, with notice to you). There is no fee unless a request is manifestly unfounded, excessive, or repetitive.

8.7  Appeals

If we decline your rights request, you may appeal by responding to our decision email or by writing to privacy@precisionhealthsystems.com with the word “APPEAL” in the subject line. We will respond within 60 days (or the shorter period required by your state). If your appeal is denied, you may contact your state Attorney General’s office.

9. HIPAA, Clinical Data, and the Business Associate Role

9.1  When HIPAA Applies

Where you receive clinical services from a Professional Entity through the Services, that Professional Entity is a HIPAA “covered entity” and PHS acts as its “Business Associate” under a written Business Associate Agreement (“BAA”). In that role, PHS is bound by the HIPAA Privacy, Security, and Breach Notification Rules with respect to your PHI, and PHS may use and disclose PHI only as permitted by HIPAA, the BAA, and applicable law.

9.2  Notice of Privacy Practices

The Professional Entity’s Notice of Privacy Practices (“NPP”) governs the collection, use, and disclosure of your PHI by the Professional Entity, including its rights to use PHI for treatment, payment, and healthcare operations. That NPP is delivered to you at clinical enrollment and is available from the Professional Entity on request. Where any provision of this Privacy Policy conflicts with the NPP with respect to PHI, the NPP controls.

9.3  When HIPAA Does Not Apply

Information you provide to PHS’s direct-to-consumer wellness Services outside of a clinician-patient relationship is generally not HIPAA-covered PHI. That information is nevertheless protected under this Privacy Policy and applicable state privacy and consumer-health-data laws.

9.4  Breach Notification

If we discover a breach of unsecured PHI, we will notify the applicable Professional Entity in accordance with the BAA and applicable law, and the Professional Entity will notify affected individuals. For non-HIPAA data, we will notify you in accordance with applicable state breach-notification laws.

10. Consumer Health Data — Washington, Nevada, and Connecticut

Residents of Washington, Nevada, and Connecticut have additional rights and protections under state consumer-health-data laws, including Washington’s My Health My Data Act (“MHMDA”), Nevada SB 370, and Connecticut Public Act 23-56.

10.1  What Is Consumer Health Data

For purposes of these laws, “consumer health data” broadly includes any information linked or reasonably linkable to you that identifies your past, present, or future physical or mental health status. Under our Services, this includes: questionnaire responses; biometric inputs; laboratory results; algorithm outputs; medications; symptoms; and precise geolocation (where relevant to health status).

10.2  How We Collect, Use, and Share Consumer Health Data

We collect consumer health data directly from you and, where applicable, from Channel Partners, Professional Entities, and laboratories. We use consumer health data only to (a) provide, maintain, and improve the Services you have requested, (b) enable a Professional Entity to provide you with clinical care, (c) fulfill our legal and contractual obligations, and (d) protect the integrity, security, and lawful use of the Services. We share consumer health data only with the categories of recipients listed in Section 5, and only as reasonably necessary to accomplish those purposes.

10.3  Consent

We collect and process consumer health data only with your consent (or, in Washington, based on the more limited grounds permitted by MHMDA). Before we collect consumer health data for any purpose other than one that is strictly necessary to provide a product or service you have requested, we will obtain your affirmative opt-in consent. We will obtain a separate authorization before selling any consumer health data, but we do not sell consumer health data.

10.4  Your Rights

  • Right to confirm whether we collect, share, or sell your consumer health data;
  • Right to access your consumer health data;
  • Right to withdraw consent to our collection or sharing of your consumer health data;
  • Right to have your consumer health data deleted, including from our archived and backup systems (subject to reasonable technical limitations and legal-retention obligations);
  • Right to a list of third parties and affiliates with which we have shared consumer health data;
  • Right to appeal a denial of any of these requests.

10.5  Geofencing

Consistent with MHMDA, we do not implement a geofence around any entity that provides in-person healthcare services for the purposes of (a) identifying or tracking consumers seeking healthcare services, (b) collecting consumer health data from consumers, or (c) sending notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services.

10.6  How to Exercise Consumer Health Data Rights

Contact us at privacy@metaboliccode.com with the subject line “Consumer Health Data Request” or use the “Privacy Choices” link on the Services. We will verify and respond within the timeframe required by law.

11. Other State-Specific Notices

11.1  California “Shine the Light”

California Civil Code § 1798.83 permits California residents to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.

11.2  New Jersey

New Jersey residents have the rights described in Section 8. To the extent any provision of this Policy or our Terms limits liability in a manner not permitted under New Jersey law, that provision does not apply to New Jersey residents.

11.3  Illinois Biometric Information

Some Services may allow you to upload photographs or record biometric measurements. We do not collect “biometric identifiers” or “biometric information” as defined by the Illinois Biometric Information Privacy Act (“BIPA”) for the purpose of identifying an individual. If we ever offer a feature that would involve BIPA-covered biometrics, we will obtain your prior written consent as required by BIPA.

11.4  Nevada Do-Not-Sell (SB 220)

Under Nevada SB 220, Nevada residents may direct us not to sell certain covered information. We do not sell such information. To confirm this or exercise this right, contact us at privacy@metaboliccode.com.

11.5  Vermont, Maine, and Others

If you reside in a state not listed above and are protected by a specific state privacy or health-data law, please contact us and we will accommodate your request to the extent required by that law.

12. International Users

The Services are intended for U.S. residents. If you access the Services from outside the United States, you understand that your personal information will be processed in the United States, which may not offer the same level of data protection as your home country. We take reasonable steps to protect your information in accordance with this Policy and applicable law.

If you are subject to the European Union or United Kingdom General Data Protection Regulation, please contact us before using the Services so we can determine whether we can lawfully provide the Services to you. We do not currently market the Services in the EU/EEA or UK.

13. Children’s Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the Children’s Online Privacy Protection Act (“COPPA”). Users must be at least 18 (or the age of majority in their state) to create an account. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly. If you believe a child has provided us personal information, contact us at privacy@metaboliccode.com.

For users between 13 and 17, additional restrictions apply under state “Age-Appropriate Design Code” laws (including California and Maryland). Where a minor is permitted to use the Services with parental consent, we apply heightened privacy protections consistent with those laws.

14. Security

We maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of personal information. Measures include encryption of PHI in transit and at rest, access controls, workforce training, vendor due diligence and BAAs/DPAs, logging and monitoring, and incident response processes.

No system is completely secure. You are responsible for keeping your account credentials confidential and for notifying us promptly if you suspect unauthorized access. Notify us at security@metaboliccode.com.

15. Marketing Communications

With your consent (where required), we may send you marketing communications by email, SMS, push notifications, or postal mail.

15.1  SMS and Text Messaging

SMS and text communications are governed by the terms in Section 13 of our Terms and Conditions. You may opt out at any time by replying STOP to any message. We will honor a revocation of consent using any reasonable method within 10 business days consistent with FCC rules.

15.2  Email

You may unsubscribe from marketing emails at any time using the unsubscribe link in the email or by contacting us. We will continue to send you transactional and service-related emails as necessary.

16. Deceased Users

If you are a personal representative, executor, or next of kin of a deceased user, you may contact us to request closure of the account and, where permitted by law and the applicable HIPAA/state rules, access to the deceased’s records. Provide a certified copy of the death certificate and proof of your authority.

17. Changes to This Policy

We may amend this Policy from time to time. We will update the “Last Updated” date at the top and, for material changes, provide additional notice by email, in-Service notification, or another reasonable means at least 30 days before the change takes effect where feasible. Where required by law, we will obtain your renewed consent. Your continued use of the Services after the effective date means you accept the updated Policy.

18. Contact Us

Precision Health Systems, Inc.

Attn: Privacy Officer

712 Neave St., Cincinnati, OH 45204

privacy@metaboliccode.com

Toll-free: [insert]

For HIPAA-related requests concerning PHI held on behalf of a Professional Entity, contact the Professional Entity directly using the information on its Notice of Privacy Practices.
