Join as a PractitionerLog In
Back to About

Data Protection and HIPAA Notice

Effective Date: December 1, 2025

Rooted Vitality, Inc. is committed to protecting the privacy and security of user information. This notice explains our data protection practices and clarifies our relationship to the Health Insurance Portability and Accountability Act (HIPAA).

1. HIPAA Compliance Status

1.1 Rooted Vitality Is NOT a HIPAA Covered Entity

IMPORTANT: Rooted Vitality is NOT a "Covered Entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. Parts 160 and 164. We are not:

  • A healthcare provider or medical practice
  • A health plan or health insurance provider
  • A healthcare clearinghouse
  • A business associate of a covered entity

Because Rooted Vitality is not a HIPAA covered entity, HIPAA's Privacy Rule, Security Rule, and other regulatory requirements do not apply to our operations.

1.2 We Do Not Collect Protected Health Information (PHI)

Rooted Vitality does NOT collect, store, process, or transmit Protected Health Information (PHI) as defined by HIPAA. Specifically, we do NOT collect:

  • Medical records or health history information
  • Diagnoses, treatment plans, or medical recommendations
  • Prescriptions or medication information
  • Laboratory or test results
  • Medical imaging or radiological data
  • Health insurance information or policy numbers
  • Social Security numbers for healthcare purposes
  • Any other individually identifiable health information

1.3 HIPAA Does NOT Apply to You on This Platform

If you are a practitioner or healthcare provider, be aware that:

  • Your use of the Rooted Vitality platform is NOT covered by HIPAA
  • Communications on this platform should NOT be used for HIPAA-protected health information
  • You remain responsible for maintaining HIPAA compliance in your own practice
  • Any health information you exchange with clients should occur through HIPAA-compliant channels outside this platform

2. What Information We Do Collect and How We Protect It

2.1 Types of Information Collected

Rooted Vitality collects limited personal information necessary to operate the platform:

  • Account Information: Name, email address, password, phone number (optional), location/zip code
  • Profile Information: Professional credentials (for practitioners), bio, service descriptions, availability
  • Communication Data: Messages between users, support inquiries, feedback
  • Transaction Data: Payment information (processed through secure third-party providers), booking history
  • Technical Data: IP address, device information, usage analytics, cookies

2.2 Data Security Measures

Although we are not HIPAA-covered, we implement industry-standard security practices modeled after HIPAA's Security Rule as a best practice:

  • Encryption: Data in transit encrypted using SSL/TLS protocols; sensitive data encrypted at rest
  • Access Controls: Limited access to personal information based on need-to-know; role-based authentication
  • Authentication: Secure login credentials, password hashing, optional two-factor authentication
  • Monitoring: Continuous security monitoring and threat detection
  • Backups: Regular data backups with secure storage and disaster recovery procedures
  • Physical Security: Secure data centers with access controls
  • Employee Training: Staff training on data privacy and security best practices
  • Incident Response: Procedures in place for identifying and responding to security incidents

3. Data Sharing and Disclosure

3.1 Limited Disclosure

We share personal information only in limited circumstances:

  • Discovery and Connection: When you request to connect with a practitioner, we share your name and contact method to facilitate the connection
  • Service Providers: We share information with trusted service providers (hosting, payment processing, analytics) under confidentiality agreements
  • Legal Requirements: We may disclose information when required by law or court order
  • Business Transfers: Information may be transferred in case of merger, acquisition, or business sale
  • User Consent: We may share information when you explicitly authorize us to do so

3.2 What We Will NOT Do

Rooted Vitality will NOT:

  • Sell your personal information to third parties
  • Share health information with insurance companies or employers
  • Disclose your information for marketing purposes without consent
  • Share information between practitioners and clients unless you initiate the connection

4. Your Rights and Choices

4.1 Access Your Information

You have the right to:

  • Request a copy of the personal information we hold about you
  • Access your account and most information through your profile settings
  • Request information in a portable format

4.2 Correct or Update Information

You have the right to:

  • Update inaccurate or incomplete information in your profile
  • Request correction of information we hold
  • Update information through your account settings

4.3 Delete Your Information

You have the right to:

  • Request deletion of your personal information
  • Have your account closed and information removed (subject to legal retention requirements)
  • Contact us to submit a deletion request

4.4 Privacy Choices

You can:

  • Opt out of marketing communications
  • Manage cookie preferences
  • Control visibility of your profile information
  • Adjust privacy settings in your account

5. Data Retention

5.1 How Long We Keep Your Information

  • Active Accounts: Information retained while your account is active
  • Closed Accounts: Information retained for up to 7 years for legal, tax, and compliance purposes
  • Transaction Records: Payment and transaction records retained for 7 years
  • Communications: Support messages and correspondence retained for 3 years
  • Analytics Data: Aggregated, non-identifying analytics retained indefinitely

5.2 Data Deletion

When information is no longer needed or at your request, we will securely delete or anonymize your data in accordance with our retention policies.

6. International Data Transfers

Rooted Vitality operates in the United States. If you access our platform from outside the U.S., your information may be transferred to and processed in the United States, which may have different data protection laws.

For users in the European Union or UK, we implement Standard Contractual Clauses and other appropriate safeguards for international data transfers as required by GDPR.

7. Third-Party Service Providers

7.1 Service Providers We Use

We share information with trusted service providers, including:

  • Cloud Hosting: Amazon Web Services (AWS), Google Cloud, or similar providers
  • Payment Processing: Stripe, PayPal, or similar payment processors
  • Email Services: Email service providers for transactional and marketing communications
  • Analytics: Google Analytics and similar analytics platforms
  • Customer Support: Support and help desk platforms

7.2 Vendor Agreements

All service providers are contractually required to:

  • Use information only to provide services to us
  • Maintain confidentiality and security of your information
  • Comply with applicable privacy laws
  • Not use or disclose information for other purposes

8. Security Incident Response

8.1 What We Do If There's a Breach

In the unlikely event of a data breach:

  • We will investigate the incident immediately
  • We will notify affected users as required by law
  • We will work with authorities if necessary
  • We will take steps to prevent future incidents

8.2 Report Security Issues

If you discover a security vulnerability or suspect a breach, please contact us immediately at security@rootedvitality.health.

9. Compliance with Privacy Laws

9.1 GDPR (EU and UK)

If you are in the EU or UK, we comply with the General Data Protection Regulation (GDPR), including:

  • Legal basis for data processing
  • Data subject rights (access, correction, deletion, portability)
  • Data protection impact assessments
  • Data protection officer availability

9.2 CCPA (California)

If you are a California resident, we comply with the California Consumer Privacy Act (CCPA), including:

  • Right to know what information we collect
  • Right to delete your information
  • Right to opt out of data sales (we do not sell data)
  • Right to non-discrimination for exercising privacy rights

9.3 Other State Privacy Laws

We comply with applicable privacy laws in other states including Virginia, Colorado, Connecticut, and others.

10. Children's Information

Rooted Vitality does not knowingly collect information from children under 18 years of age. Our platform is intended for adults age 18 and older. If we become aware that we have collected information from a child under 18, we will delete that information promptly.

If you are a parent or guardian and believe your child has provided information to us, please contact us immediately.

11. Changes to This Notice

We may update this Data Protection and HIPAA Notice from time to time. When we make material changes:

  • We will update the effective date at the top of this notice
  • We will notify you via email at least 30 days in advance
  • We will post a notice on our platform

Your continued use of the platform after changes indicates acceptance of the updated notice.

12. Your Privacy Rights Summary

You have the right to:

  • Access: Know what information we collect and how we use it
  • Portability: Receive your information in a portable format
  • Correction: Correct inaccurate or incomplete information
  • Deletion: Request deletion of your information (subject to legal requirements)
  • Opt-out: Opt out of marketing communications and certain data uses
  • Grievance: File a complaint with your local data protection authority (if applicable)

13. Contact Us

If you have questions about this Data Protection and HIPAA Notice, our privacy practices, or your rights, please contact:

Rooted Vitality, Inc.
Attention: Privacy Officer
[Company Address]
Email: privacy@rootedvitality.health
Phone: [Phone Number]

Response Time: We will respond to privacy inquiries within 30 calendar days.

14. Practitioner-Specific Information

14.1 For Healthcare Providers and Practitioners

If you are a licensed healthcare provider:

  • YOU are responsible for maintaining HIPAA compliance in your own practice
  • DO NOT use this platform for HIPAA-protected communications
  • Maintain your own HIPAA-compliant systems for client health information
  • Use off-platform, HIPAA-compliant channels for health-related communications with clients
  • Understand that Rooted Vitality does not provide HIPAA business associate services

14.2 For Wellness Practitioners

If you are a non-licensed wellness practitioner:

  • You are not bound by HIPAA
  • You are responsible for your own privacy and data security practices
  • Comply with all applicable state and local laws
  • Maintain confidentiality of client information
  • Consider implementing your own data protection measures

Summary

Key Points to Remember:

  • ✓ Rooted Vitality is NOT a HIPAA covered entity
  • ✓ We do NOT collect Protected Health Information (PHI)
  • ✓ We implement industry-standard data protection practices
  • ✓ We do NOT sell your personal information
  • ✓ You have rights to access, correct, and delete your information
  • ✓ Healthcare providers remain responsible for HIPAA compliance in their own practice