Privacy Policy
Effective date: 2026-07-08 (beta draft)
Last updated: 2026-07-08 (beta draft)
Who we are
VytalpathMD (“VytalpathMD,” “we,” “us”) is operated by VytalpathMD, LLC (a Delaware limited liability company), with a principal place of business at corporate mailing address available on request. We provide software that lets a Direct Primary Care or longevity clinical practice deliver and track a daily care plan with its patients.
Important: PHI vs. site data
Your clinician practice (your care provider) is the covered entity under HIPAA that owns your patient relationship and your Protected Health Information (“PHI”). VytalpathMD acts as a HIPAA Business Associate of your provider under a signed Business Associate Agreement.
PHI you exchange through the VytalpathMD app and dashboard — care plans, labs, medications, adherence data, clinician notes — is governed primarily by your provider’s HIPAA Notice of Privacy Practices, not this policy. Ask your care team for a copy.
This policy covers the limited information VytalpathMD collects directly — for example, what happens when you visit vytalpathmd.com or create an account on the apps.
Information we collect
Account information
- Name, date of birth, sex at birth, height, and weight you or your care team enter.
- Email address (used for sign-in and for sending invite links).
- A password hash (we never store the password itself).
- Multi-factor authentication secret if you enroll in MFA.
Health information
All clinical data is created and controlled by your care team: tasks, diet guidance, habits, workouts, exercises, lab results, medications, supplements, clinician notes, and your adherence logs (task completions, hydration, habit check-offs, medication taken, workout completed).
Authentication and security metadata
- Session tokens, refresh tokens, and timestamps used to keep you signed in securely.
- Failed login attempts and lockout state.
- IP address and a coarse device fingerprint for each session, used to detect compromise.
- A complete audit log of every PHI read and write, with actor, timestamp, and the field-level diff.
Information from our website
Our marketing website (vytalpathmd.com) is intentionally minimal. We do not run third-party analytics, advertising trackers, or social-media pixels on the marketing pages. Web server logs may briefly record IP address and request information for security and operational purposes.
What we explicitly do not collect
- Social Security numbers.
- Full home address (we do not need it).
- Insurance details or claims information.
- Payment information (subscription is handled outside this system by your practice).
- Free-text messages between you and your clinician.
How we use information
- To provide the service: deliver your daily plan, sync your adherence to your care team, log clinician actions for audit.
- To authenticate you and protect your account (MFA, lockout, session management).
- To maintain a HIPAA audit trail your provider can review.
- To operate, secure, and improve the service (uptime monitoring, error tracking, capacity planning).
- To comply with legal obligations.
We do not sell, rent, or trade any information. We do not use PHI for advertising or marketing of any kind.
Who we share information with
- Your care team. Adherence, completions, and any data you enter is visible to the clinicians of the practice that invited you.
- HIPAA-eligible vendors under signed Business Associate Agreements: our managed Postgres + container host, our error monitoring vendor, our transactional email provider. A current list is available on request.
- Law enforcement or regulators if compelled by a valid subpoena, court order, or other legal process.
- No one else. No data brokers. No advertising networks. No ML training partners.
How we secure information
- TLS 1.2+ in transit and AES-256 encryption at rest.
- BAA-backed managed Postgres for storage.
- Single-tenant logical isolation within our database with row-level access enforced by the API.
- MFA mandatory for clinicians; optional but supported for patients.
- Mobile devices: tokens stored in iOS Keychain / Android Keystore, biometric unlock, screen-capture prevention while sensitive data is visible.
- Daily encrypted backups with quarterly restore drills.
- Comprehensive audit log capturing every PHI read and write with actor, timestamp, and field-level diff.
How long we keep information
We retain account and clinical information for as long as your care team needs it to provide care, and for the period required by applicable medical-record retention laws (which vary by state). Audit logs are retained for at least six (6) years.
You can request deletion of your account by contacting your care team and tylerspradlingdo@gmail.com. We will work with your provider to delete or de-identify data on the schedule your provider’s retention policy requires.
Your rights
Most rights you have over your health information — access, amendment, accounting of disclosures, restrictions, alternative means of communication — are exercised through your care provider under HIPAA. Ask your care team or see their Notice of Privacy Practices.
For the limited data VytalpathMD collects directly, you may request access, correction, or deletion by emailing tylerspradlingdo@gmail.com. We respond within thirty (30) days.
If you reside in a state with a comprehensive consumer-privacy law (California, Virginia, Colorado, Connecticut, Utah, and others), you may have additional rights including the right to opt out of sale or sharing of personal information — though we do not sell or share personal information for cross-context behavioral advertising, so there is nothing for you to opt out of in those categories.
Cookies and tracking
The marketing pages of vytalpathmd.com use no third-party cookies, no analytics scripts, and no advertising tags. The clinician dashboard and mobile app use first-party storage only (a session cookie or secure token store) strictly to keep you signed in.
Children
VytalpathMD is intended for use by adult patients of an enrolled clinical practice. We do not knowingly collect information from anyone under thirteen (13). If a pediatric practice extends use of the service to minors, that arrangement is governed by the provider’s BAA and consent flow, not by direct enrollment with VytalpathMD.
Changes to this policy
We may update this policy as the service evolves. If we make material changes we will update the effective date and, where appropriate, notify you in-app or by email before the change takes effect. Continued use of the service after the effective date means you accept the updated policy.
Contact us
For privacy questions, deletion requests, or to exercise your rights under this policy:
VytalpathMD, LLC (a Delaware limited liability company)corporate mailing address available on request
tylerspradlingdo@gmail.com
For questions specifically about your health information, contact your care team directly — they are the covered entity that holds your PHI.