Privacy Policy
Last updated: May 7, 2026
We take privacy seriously, particularly given the healthcare nature of our practice. This document explains in plain English what we collect, why, who we share it with, and what choices you have.
Scope of this policy
This Privacy Policy describes how Vektor Health (referenced as “Vektor Health,” “we,” “our,” or “us”) collects, uses, shares, and protects information when you visit vektor.health (the “Site”) or interact with our concierge telehealth practice.
The Site itself is a marketing and waitlist front door. We do not collect Protected Health Information (PHI) on the Site. Once you activate clinical care with Vektor Health, your PHI is handled under the separate HIPAA Notice of Privacy Practices governing the clinical relationship.
What we collect
Information you provide
- Waitlist details: full name, email address, and ZIP code (collected when you reserve a founding-100 spot)
- Referral information: if you arrived via another member's referral code, that code is associated with your signup
- Contact correspondence: any email or message you send us through hello@vektor.health
- Deposit information (future): if you choose to place a $49 founding-member deposit, payment information is processed by Stripe — Vektor Health never sees or stores card numbers
Information collected automatically
- IP address and rough geography: recorded for security, abuse prevention, and aggregate-only country tracking
- Browser user-agent: stored with each waitlist signup for support and abuse-pattern detection
- Cloudflare Web Analytics: we use Cloudflare's privacy-preserving analytics. It does not set cookies, does not fingerprint visitors, and does not share data with advertising networks
Information we do NOT collect on the Site
- We do not collect health information, medical history, symptoms, or any data that would qualify as PHI under HIPAA on the Site
- We do not run third-party advertising trackers (Meta Pixel, Google Ads, TikTok, etc.) on the Site
- We do not sell information about you to anyone, ever
How we use your information
- Operate the waitlist: confirm your reservation, assign your founding-member position, track founding-100 cohort capacity
- Communicate with you: send the welcome email, occasional product updates about the practice launching in your state, and (if you opt in) clinical content from the journal
- Activate care when ready: when launch goes live in your state and you choose to activate care, we use your contact information to onboard you onto the clinical platform (where the HIPAA NPP takes over)
- Security and fraud prevention: detect and prevent abuse, signup fraud, and bot activity using IP, user-agent, and standard request metadata
- Legal compliance: respond to lawful requests from regulators, courts, and law enforcement where legally required
Service providers we use
We rely on a small number of named service providers to operate the Site and clinical platform. We share with each only the data necessary for them to do their job. None of them sell or use your information for their own marketing.
- Cloudflare — hosting, edge CDN, security, and privacy-preserving analytics. Data: HTTP requests and signup data passing through the edge
- Supabase — Postgres database for the waitlist. Data: name, email, ZIP, IP country, referral code, deposit status. Hosted in the U.S. with a HIPAA-ready Business Associate Agreement (BAA) when clinical features activate
- Resend — transactional email (welcome message, deposit confirmation). Data: email address and message content
- Stripe — payment processing for the founding-member deposit. Data: payment-method details, billing address. Vektor Health never sees raw card numbers
- Bask Health (clinical platform — activates after launch in your state) — telehealth visits, EHR, e-prescription, clinical messaging. Operates under its own HIPAA BAA with Vektor Health
- Ola MD (pharmacy partner — activates when your physician prescribes) — 503A pharmacy and laboratory services. Operates under its own HIPAA BAA
Your rights and choices
Depending on where you reside, you may have specific rights under state privacy laws (California CPRA, Virginia VCDPA, Colorado CPA, and others). Vektor Health honors the following rights for all U.S. residents, regardless of state:
- Access: request a copy of the information we hold about you
- Deletion: request that we delete your information from the waitlist and our records (note: once clinical care has begun, certain medical records must be retained under state law for the required retention period)
- Correction: ask us to fix inaccurate information
- Portability: receive your information in a structured, machine-readable format
- Opt out of marketing: unsubscribe from any non-transactional email at any time using the unsubscribe link in any message we send
- Non-discrimination: we will never refuse service, charge a different price, or provide a different level of service because you exercised one of these rights
To exercise any of these rights, email us at hello@vektor.health with the subject “Privacy Rights Request”. We respond within 45 days. If you are a California resident, you may also designate an authorized agent to make a request on your behalf.
How long we keep information
- Waitlist data: kept for as long as you remain on the waitlist or are an active member, plus up to 24 months after you cancel or unsubscribe, then deleted
- Email correspondence: kept for up to 36 months for support continuity, then deleted unless we are legally required to retain it
- Payment records (deposits): retained per IRS and state requirements, typically 7 years from the transaction date
- Clinical records: retained per applicable state law (typically 6–10 years from last contact for adult records). See the HIPAA Notice of Privacy Practices for details
- Server logs: standard access logs retained for 90 days then aggregated or deleted
How we protect your information
- All Site traffic is served over TLS 1.3 with HSTS preload
- Database access is restricted via Row-Level Security; the public ingress to the waitlist is a security-definer Postgres function that returns aggregate counts only (no raw row access from the public anon key)
- Vendor relationships (Supabase, Bask, Ola, Stripe, Resend) are governed by data processing addenda; HIPAA-applicable vendors have signed Business Associate Agreements
- Marketing-site infrastructure is HIPAA-compliant by design (no PHI is ever processed on the marketing site)
No system is perfectly secure. If we detect a security event that materially affects your information, we will notify you in accordance with applicable state breach-notification laws.
Children's privacy
The Site is not directed to children. You must be at least 18 years old to join the waitlist or receive care from Vektor Health. We do not knowingly collect information from anyone under 18. If you believe a minor has provided information to us, contact us at hello@vektor.health and we will delete it.
International users
The Site is operated in the United States. Vektor Health currently provides clinical services only to residents of U.S. states where our physicians are licensed. If you visit the Site from outside the U.S., your information will be transferred to and processed in the U.S., which may not provide the same level of data protection as your home jurisdiction.
Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. If we make material changes, we will notify you by email (if we have your address) or through a prominent notice on the Site before the change takes effect.
Contact us
For privacy questions, requests, or concerns, contact us at:
- Email: hello@vektor.health
- Mail (placeholder pending entity formation): [Sage Solutions LLC / future Vektor Health MSO entity], Attn: Privacy, [Street Address], [City, State, ZIP]
- Data Protection Officer (placeholder): contact via email above with subject “Attn: DPO”
California residents may also contact the California Privacy Protection Agency.