Legal

Privacy Policy

Effective Date: July 1, 2026
Last Updated: July 1, 2026

This Privacy Policy explains how Life Vitality LLC, doing business as SurpassMD (“SurpassMD,” “we,” “us,” or “our”), collects, uses, and discloses information about you when you visit surpassmd.com, use our websites and applications, or otherwise use our services (collectively, the “Services”). It also describes your privacy rights and the choices available to you.

1. Our Role and Scope; HIPAA

SurpassMD is a technology and administrative platform. We are not a healthcare provider or a pharmacy, and we are not a “covered entity” under the Health Insurance Portability and Accountability Act (HIPAA). The independent, licensed professional medical corporation and its providers (the “Providers”) and the pharmacies (the “Pharmacies”) that treat you create and control your medical record. Protected health information they hold is governed by the Provider’s Notice of Privacy Practices, available here, and not by this Privacy Policy.

Your information falls into three categories. First, the information you provide to, and that we collect through, our platform for our own purposes, such as your account and contact details and how you use the Services, is governed by this Privacy Policy. Second, the health and intake information you submit is collected through our interface and transmitted to the Provider, who incorporates it into the medical record the Provider controls; to the extent we handle that protected health information on the Provider’s behalf, we do so as the Provider’s business associate under a written agreement and applicable HIPAA safeguards. Third, information the Provider returns to us for billing, support, or operations is handled under that same arrangement. We access protected health information only as needed to provide our services and as permitted by our agreement with the Provider.

Consumer health data. If you are a resident of Washington, Nevada, or Connecticut, please also review our separate Consumer Health Data Privacy Policy, which supplements this Privacy Policy and controls with respect to “consumer health data” as defined by the laws of those states.

2. Information We Collect

Information you provide to us

This includes your name, email address, telephone number, mailing and shipping address, date of birth, account credentials, and demographic information; the health-related information you submit through intake and eligibility questionnaires, which we make available to Providers; photographs you choose to upload; payment information (processed by our third-party payment processors, who handle your full card number); and the contents of your communications with us.

Information we collect automatically

When you use the Services, we automatically collect device and usage information, including your IP address, device identifiers, browser type, operating system, referring URLs, pages and content viewed, links clicked, and dates and times of access, using cookies and similar technologies described below.

Information from third parties

We may receive information about you from the Providers and Pharmacies (such as order and fulfillment status), payment processors, analytics and advertising partners, identity-verification and fraud-prevention services, and other service providers.

3. Cookies and Tracking Technologies

We and our partners use cookies, pixels, tags, and software development kits to operate the Services, remember your preferences, measure and improve performance, and deliver and measure advertising. These technologies fall into four general categories: strictly necessary, performance and analytics, functional, and targeting and advertising. You can manage cookies through your browser settings, though disabling some cookies may affect how the Services function.

Global Privacy Control. We honor the Global Privacy Control (GPC) browser signal as a valid request to opt out of the “sale” or “sharing” of personal information for the browser or device on which it is enabled. We do not currently respond to other “Do Not Track” signals because no common standard for them has been adopted.

4. How We Use Information

We use the information we collect to: operate, provide, and maintain the Services; connect you with Providers and Pharmacies and facilitate your orders; process payments and manage subscriptions and renewals; communicate with you about your account, orders, and customer support; send marketing and promotional communications consistent with your choices and applicable law; personalize and improve the Services; conduct analytics and research; detect, prevent, and respond to fraud, abuse, and security incidents; and comply with legal obligations and enforce our agreements.

5. How We Disclose Information

We disclose information:

To service providers and vendors that perform functions on our behalf, such as hosting, payment processing, analytics, communications, shipping, and customer support, under contracts that restrict their use of the information.
To the Providers and Pharmacies as necessary to evaluate your eligibility, provide care, and dispense and ship medications.
To advertising and analytics partners to deliver and measure advertising, as described below.
In connection with a corporate transaction, such as a merger, financing, acquisition, reorganization, or sale of assets.
For legal and safety reasons, including to comply with law, respond to legal process, protect our rights and the rights and safety of others, and enforce our Terms of Use.
With your direction or consent, or as otherwise disclosed to you at the time of collection.

6. “Sale” and “Sharing” of Personal Information; Targeted Advertising

We disclose certain identifiers, internet and device activity, and inferences to advertising and analytics partners to deliver and measure advertising. Under some state privacy laws, these disclosures may be considered a “sale” or a “sharing” of personal information for cross-context behavioral advertising, or “targeted advertising.” You can opt out as described in “Your Privacy Choices.”

We do not use health information for advertising. We do not use or disclose your health or medical information, the responses you provide in intake or eligibility questionnaires, information that identifies you as seeking or receiving treatment, or your prescription or purchase details, for targeted or cross-context behavioral advertising, and we do not permit that information to be shared with advertising platforms for those purposes. We do not sell or share sensitive personal information for advertising without your consent, and we do not knowingly sell or share the personal information of consumers we know to be under 16.

7. Your Privacy Rights

Depending on where you live, you may have some or all of the following rights, subject to legal exceptions: to know or access the personal information we hold about you; to correct inaccurate information; to delete your information; to obtain a portable copy; to opt out of the sale or sharing of your information and of targeted advertising; to opt out of certain profiling; to limit the use of sensitive personal information; and to not be discriminated against for exercising your rights.

California (CCPA/CPRA)

California residents have the rights described above, including the right to know the categories and specific pieces of personal information collected, the categories of sources, the business purposes for collection, and the categories of third parties to whom information is disclosed. We collect the following categories of personal information: identifiers; customer records; characteristics of protected classifications (such as age); commercial information; internet or other electronic network activity; geolocation data; audio or electronic information; health-related information you provide; and inferences. California residents may also request information under California’s “Shine the Light” law. We do not offer financial incentives in exchange for personal information.

Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states

If you are a resident of a state with a comprehensive privacy law, you have the rights granted by that law, which generally include the rights to access, correct, delete, and obtain a copy of your personal data, and to opt out of targeted advertising, sale, and certain profiling. Where required, we obtain your consent before processing sensitive data.

How to exercise your rights

You may submit a request by emailing privacy@surpassmd.com. We will verify your request using the information associated with your account and may ask for additional information to confirm your identity. You may use an authorized agent to submit a request on your behalf with proper authorization. We will respond within the time required by applicable law, generally within 45 days, and may extend that period where permitted.

Appeals

If we decline your request, you may appeal by emailing privacy@surpassmd.com with the subject line “Privacy Appeal.” If you have concerns about the outcome of your appeal, you may contact the attorney general in your state.

8. Your Privacy Choices

To opt out of the sale or sharing of your personal information and of targeted advertising, you may (a) enable the Global Privacy Control in your browser, or (b) email privacy@surpassmd.com with the subject line “Do Not Sell or Share My Personal Information.” You may opt out of marketing emails using the unsubscribe link in those messages and out of marketing texts by replying STOP.

9. Data Retention

We retain personal information for as long as your account is active and as needed to provide the Services, and afterward only as long as necessary to comply with our legal, tax, and recordkeeping obligations, resolve disputes, enforce our agreements, and maintain security and backups, after which we delete or de-identify it. Medical records are retained by the Provider in accordance with the Provider’s Notice of Privacy Practices and applicable law.

10. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security. If a breach affecting your information occurs, we will notify you and any regulators as required by applicable law, including any applicable health-data breach-notification requirements.

11. Children’s Privacy

The Services are intended for adults 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected such information, we will delete it.

12. Third-Party Links

The Services may link to third-party websites and services that we do not control. This Privacy Policy does not apply to those third parties, and we encourage you to review their privacy policies.

13. U.S. Only

The Services are intended for users located in the United States. We do not offer the Services to, or knowingly collect information from, individuals outside the United States.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last Updated” date and provide notice as required by law. Your continued use of the Services after changes take effect constitutes your acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at privacy@surpassmd.com, or by mail at Life Vitality LLC dba SurpassMD, 16192 Coastal Highway, Lewes, DE 19958.