Privacy Policy
This document is a template and should be reviewed by legal counsel before use.
Last updated: January 1, 2026
Elm Tree Health (“Elm Tree,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our telehealth services, or otherwise interact with us. Please read this policy carefully. By accessing or using our services, you agree to the terms described herein.
1. Information We Collect
a. Information You Provide Directly
- Personal identifiers: name, date of birth, mailing address, email address, phone number, Medicare Beneficiary Identifier (MBI).
- Health information: medical history, current medications, allergies, symptoms, and other information you share during your Annual Wellness Visit.
- Insurance and billing information: Medicare plan details and related billing information.
- Communication records: emails, phone calls, and messages you send to us.
b. Information Collected Automatically
- Device and usage data: IP address, browser type, operating system, device identifiers, pages visited, time spent on pages, and referring URLs.
- Cookies and similar technologies: we use cookies, pixel tags, and similar technologies to recognize your browser and collect usage information (see Section 5).
- Telehealth session metadata: connection timestamps, session duration, and technical quality data to ensure a reliable visit experience.
c. Information from Third Parties
We may receive information about you from healthcare partners, Medicare, analytics providers, and marketing partners to verify eligibility, improve services, and communicate with you.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our telehealth services, including scheduling and conducting Medicare Annual Wellness Visits.
- Verify your Medicare eligibility and process claims.
- Send appointment reminders, service updates, and wellness tips.
- Process and deliver the $75 wellness reward.
- Respond to your inquiries and provide customer support.
- Comply with legal and regulatory obligations, including HIPAA.
- Detect, prevent, and address fraud, abuse, and security issues.
- Conduct internal research and analytics to improve our programs.
3. Sharing and Disclosure of Your Information
We do not sell your personal information. We may share your information in the following circumstances:
- Healthcare operations: with licensed providers, pharmacies, laboratories, and other entities involved in your care as permitted or required by HIPAA.
- Service providers: with third-party vendors who assist us with technology, analytics, payment processing, mailing, and customer support, subject to contractual confidentiality obligations.
- Legal compliance: when required by law, regulation, legal process, or governmental request.
- Business transfers: in connection with a merger, acquisition, sale of assets, or similar transaction, your information may be transferred as part of that transaction.
- With your consent: we may share your information for purposes you have specifically authorized.
4. Telehealth Data
When you participate in a telehealth visit with Elm Tree Health, we collect and process health information in accordance with HIPAA and applicable state telehealth laws. Your telehealth session data—including audio and video streams—is encrypted in transit and at rest. We do not record telehealth sessions unless you provide explicit consent. Session metadata (timestamps, duration, connection quality) is retained for quality assurance and regulatory compliance.
5. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential cookies: necessary for the website to function, such as session management and security.
- Analytics cookies: help us understand how visitors interact with our site so we can improve the experience.
- Marketing cookies: used to deliver relevant advertisements and track campaign effectiveness.
You can manage cookie preferences through your browser settings. Disabling certain cookies may affect site functionality. We honor Do Not Track (DNT) browser signals where technically feasible.
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Medical records are retained in accordance with HIPAA and applicable state retention requirements (typically a minimum of six years from the date of last service). When information is no longer needed, we securely delete or de-identify it.
7. Your Rights
a. HIPAA Rights
Under HIPAA, you have the right to access, amend, and receive an accounting of disclosures of your protected health information. You may also request restrictions on how your health information is used or disclosed. To exercise these rights, contact us using the information below.
b. California Residents (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, request deletion, opt out of the sale or sharing of personal information, and not be discriminated against for exercising your rights. Note that health information governed by HIPAA is exempt from the CCPA/CPRA.
c. Other State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with consumer privacy laws may have similar rights to access, correct, delete, and opt out of certain data processing. We will comply with applicable state laws and respond to verified requests within the timeframes required by law.
8. Children's Privacy
Our services are designed for Medicare-eligible adults aged 65 and older. We do not knowingly collect personal information from individuals under the age of 18. If we learn that we have collected information from a child, we will promptly delete it. If you believe a child has provided us with personal information, please contact us immediately.
9. Security
We implement administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include encryption, access controls, regular security assessments, and employee training. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements, or for other operational reasons. When we make material changes, we will post the revised policy on this page and update the “Last updated” date. We encourage you to review this policy periodically. Your continued use of our services after any changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise any of your rights, please contact us:
- Email: privacy@elmtreehealth.com
- Phone: (800) 555-0142
- Mail: Elm Tree Health, 1234 Wellness Ave, Suite 200, Arlington, VA 22201