Privacy Policy
Last Revised: March 31, 2026
This Privacy Policy describes how Everlong, Inc. (doing business as Everlong) (“Everlong,” “we,” “us,” or “our”) collects, uses, discloses, and protects information about you when you visit our website at https://geteverlong.com, use our telehealth nutrition counseling services, or otherwise interact with us.
Important — Relationship to HIPAA: Everlong is a HIPAA-covered entity. When we provide telehealth nutrition counseling services, the health information we collect in the course of treatment is Protected Health Information (“PHI”) governed by our Everlong Policies, HIPAA, Consent, & Release Agreement (the “Agreement”), not this Privacy Policy. This Privacy Policy governs information collected through our website and general business operations. If there is a conflict between this Privacy Policy and the Agreement with respect to PHI, the Agreement controls.
If you do not agree with this Privacy Policy, please do not use our website or services. Questions or concerns? Contact us at support@geteverlong.com.
Summary of Key Points
What personal information do we collect? We collect information you provide when registering or using our services, as well as information collected automatically through your device and cookies and tracking technologies. We also collect health and clinical information as part of delivering telehealth nutrition counseling.
Do we process sensitive personal information? Yes. As a telehealth company, we collect and process health data, gender, and financial information. This sensitive data is handled in accordance with HIPAA and applicable state law.
Do we use marketing pixels? Yes. We use analytics and advertising pixels from third-party platforms on our marketing website and portions of our signup flow. We take steps to limit what data these tools can access. See Section 4 for details.
Do we share your information? We share information with service providers — including our EHR platform, billing processor, and email marketing provider — under appropriate agreements. We do not sell your personal information.
What are your rights? Depending on your state of residence, you may have rights to access, correct, delete, or opt out of certain uses of your personal information. California residents have additional rights under the CCPA.
How do you exercise your rights? Email us at support@geteverlong.com. We will respond in accordance with applicable law.
Table of Contents
- What Information Do We Collect?
- How Do We Process Your Information?
- When and With Whom Do We Share Your Personal Information?
- Do We Use Cookies and Other Tracking Technologies?
- How Long Do We Keep Your Information?
- How Do We Keep Your Information Safe?
- What Are Your Privacy Rights?
- Controls for Do-Not-Track Features
- California Residents — CCPA Privacy Notice
- State-Specific Privacy Rights
- HIPAA and Your Health Information
- Do We Make Updates to This Policy?
- How Can You Contact Us?
1. What Information Do We Collect?
A. Information You Provide to Us
We collect personal information that you voluntarily provide when registering, signing up for services, or contacting us. The personal information we collect includes:
- Identifiers: Full name, date of birth, email address, phone number, mailing address, billing address
- Account credentials: Username, password, authentication data
- Demographic information: Gender
- Health and clinical information: Nutrition history, health goals, dietary needs, medical conditions relevant to nutrition counseling, and other information you share with your registered dietitian
- Financial information: Debit/credit card numbers, insurance information, billing details
- Emergency contact information
- Communications: Messages, emails, or other content you send us
All information you provide must be true, complete, and accurate. Please notify us of any changes.
B. Information Automatically Collected
When you visit, use, or navigate our website, we automatically collect:
- Log and Usage Data: IP address, browser type and version, operating system, pages viewed, timestamps, referring URLs, and other diagnostic information
- Device Data: Device type, device identifiers, screen resolution, language settings, and system configuration
- Location Data: Approximate location based on IP address. We do not collect precise GPS location without your explicit consent.
- Cookie and Tracking Data: Information collected through cookies and similar technologies (see Section 4)
C. Information from Third Parties
We may receive limited information from third parties in the following contexts:
- Insurance verification: We may receive eligibility and coverage information from insurance carriers or clearinghouses in connection with billing for services
- Referral sources: If a healthcare provider refers you to our services, we may receive basic referral information
- Analytics providers: We receive aggregated and behavioral data from analytics tools we use to understand how our website is used (see Section 4)
2. How Do We Process Your Information?
We process your personal information for the following purposes:
- Service delivery: To facilitate account creation, authenticate you, schedule and deliver telehealth nutrition counseling sessions, and coordinate care between you and your registered dietitian
- Clinical operations: To support the clinical supervision and oversight of your care, maintain accurate records, and ensure quality of service
- Billing and payment processing: To process payments, submit insurance claims, and manage billing-related communications
- Communications: To send you session reminders, administrative notices, and service-related updates
- Marketing (with your consent): To send newsletters and promotional communications if you have opted in. You may opt out at any time
- Analytics and improvement: To understand how our website and services are used, identify trends, and improve our platform
- Security and fraud prevention: To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other harmful activities
- Legal compliance: To comply with applicable laws, respond to legal process, and establish or defend legal claims
- Business transfers: To evaluate or complete a merger, acquisition, or sale of all or part of our business (see Section 3)
3. When and With Whom Do We Share Your Personal Information?
A. Service Providers and Business Associates
We work with third-party vendors who process data on our behalf. Where required by HIPAA, these vendors have signed Business Associate Agreements (“BAAs”) with us. Our current categories of service providers include:
- Electronic Health Record (EHR) platform: We use an EHR system to manage patient records and clinical documentation. This vendor has signed a BAA with Everlong
- Billing and claims processing: We use an automated billing platform to process insurance claims and patient payments. This vendor has signed a BAA with Everlong
- Email communication (clinical): We use a HIPAA-compliant email platform for patient-related communications. This vendor has signed a BAA with Everlong
- Email marketing (general): We use an email marketing platform for general newsletters and marketing communications. This service is used only for non-PHI marketing content and does not have access to patient records or health information
- Analytics and advertising: We use third-party analytics and advertising tools on our marketing website, including but not limited to Meta (Facebook), Google, and TikTok. See Section 4 for important details about how these tools are configured
B. Business Transfers
If Everlong is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website if such a transfer materially affects your rights under this Privacy Policy.
C. Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Everlong, our users, or the public.
D. What We Do Not Do
Everlong does not sell, rent, or trade your personal information to third parties for their own marketing purposes. We do not share PHI for marketing purposes without your explicit written authorization, as required by HIPAA.
4. Do We Use Cookies and Other Tracking Technologies?
A. Cookies
We use cookies — small data files stored on your device — to operate our website, remember your preferences, and analyze site traffic. You can control cookie settings through your browser. See our Cookie Policy for a full list of cookies we use.
B. Third-Party Tracking Technologies — Important Disclosure
We use advertising and analytics pixels from third-party platforms, including but not limited to Meta (Facebook), Google, and TikTok, on our marketing website and portions of our patient signup flow.
We take the following steps to limit data exposure through these tools:
- We do not place pixels inside our patient portal or EHR-connected interfaces
- We configure these pixels to avoid capturing form field content such as names, email addresses, or health information entered during signup
- We use server-side filtering and data minimization practices where technically feasible
However, you should be aware that by visiting our website or beginning the signup process, certain technical information — such as your IP address and browser data — may be transmitted to third-party platforms as a result of these tools. This transmission occurs regardless of whether you complete registration.
If you wish to limit this tracking, you may:
- Use your browser’s built-in privacy controls or a privacy-focused browser extension
- Opt out of individual platform advertising settings through each platform’s privacy controls
- Use the Digital Advertising Alliance opt-out tool at: https://optout.aboutads.info
C. Do-Not-Track
Most web browsers include a Do-Not-Track (“DNT”) setting. Currently, no uniform technology standard exists for recognizing and implementing DNT signals, and we do not alter our data collection practices in response to DNT signals. If a binding standard is adopted that applies to us, we will update this policy accordingly.
5. How Long Do We Keep Your Information?
Retention periods vary by category of information:
- Clinical and health records (PHI): Retained for a minimum of six (6) years from the date of creation or the date last in effect, as required by HIPAA. State law may require longer retention periods in certain states
- Billing and financial records: Retained for seven (7) years from the date of the transaction to comply with tax and accounting requirements
- Account and registration data: Retained for the duration of your active account, plus three (3) years following account closure or last interaction, unless a longer period is required by law
- Website analytics and log data: Retained for up to twenty-four (24) months, after which it is deleted or anonymized
- Marketing communications data: Retained until you opt out or request deletion, subject to legal hold requirements
When retention periods expire and no legal hold applies, we securely delete or anonymize your information. Where immediate deletion is not technically feasible — for example, in backup systems — we isolate the data from active processing until deletion is possible.
Please note: Because Everlong is a HIPAA-covered entity, we cannot always fulfill requests to delete health information that we are legally required to retain. We will notify you if a deletion request cannot be honored due to applicable law.
6. How Do We Keep Your Information Safe?
As a HIPAA-covered entity, we are required to implement and maintain a comprehensive security program. Our safeguards include:
- Encryption of data in transit (TLS) and at rest
- Role-based access controls limiting who can view patient records
- Workforce training on privacy and security practices
- Business Associate Agreements with all vendors who access PHI
- Regular security assessments and risk analysis as required by HIPAA
- Incident response and breach notification procedures
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee that unauthorized third parties will never defeat our security measures. You access our services at your own risk and should use a secure network connection when accessing your account.
In the event of a data breach affecting your PHI, we will notify you as required under HIPAA’s Breach Notification Rule and applicable state law.
7. What Are Your Privacy Rights?
The following rights apply to most users. State-specific rights are described in Sections 9 and 10. Rights with respect to your health information (PHI) are described in Section 11 and the Agreement.
A. Right to Access
You may request a copy of the personal information we hold about you.
B. Right to Correction
You may request that we correct inaccurate or incomplete personal information.
C. Right to Deletion
You may request deletion of your personal information. Please note that we may be unable to delete certain information that we are required to retain by law, including health records subject to HIPAA.
D. Right to Opt Out of Marketing
You may opt out of receiving marketing emails at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@geteverlong.com. Opting out of marketing does not affect our ability to send you service-related communications necessary for your care.
E. Right to Withdraw Consent
Where we rely on your consent to process personal information, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
To exercise any of these rights, contact us at support@geteverlong.com. We will respond to all verifiable requests within the timeframes required by applicable law.
8. Controls for Do-Not-Track Features
As described in Section 4(C), we do not currently respond to Do-Not-Track signals. If a legally binding standard for DNT is adopted, we will update this policy. For information on opting out of specific tracking tools, see Section 4(B).
9. California Residents — CCPA Privacy Notice
A. Your California Privacy Rights
California residents have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to Know: The right to know what personal information we collect, use, disclose, and sell about you
- Right to Delete: The right to request deletion of your personal information, subject to certain exceptions
- Right to Correct: The right to request correction of inaccurate personal information
- Right to Opt Out of Sale/Sharing: The right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. Everlong does not sell personal information
- Right to Limit Use of Sensitive Personal Information: The right to limit use of sensitive personal information — including health data — to purposes reasonably necessary to provide our services
- Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising your California privacy rights
B. Categories of Personal Information We Collect
In the past twelve (12) months, we have collected the following categories of personal information from California residents:
- Identifiers (Category A): Name, email, phone number, IP address, account name — Yes
- California Customer Records (Category B): Name, contact information, financial information — Yes
- Protected Classifications (Category C): Gender, date of birth — Yes
- Commercial Information (Category D): Transaction and payment history — Yes
- Internet/Network Activity (Category F): Website browsing behavior, interactions with our site — Yes (via cookies and pixels)
- Geolocation Data (Category G): Approximate location via IP address — Yes
- Sensitive Personal Information (Category L): Health data, credit/debit card numbers — Yes
We retain this information for the periods described in Section 5.
C. How We Use and Disclose Personal Information
We use and disclose personal information for the business purposes described in Sections 2 and 3. We do not sell personal information. We share personal information with service providers pursuant to written contracts requiring them to use it only for the specified business purpose. Sensitive personal information, including health data, is used only to the extent necessary to provide our telehealth nutrition counseling services and comply with legal obligations.
D. Exercising Your California Rights
To exercise your rights, email support@geteverlong.com with the subject line “California Privacy Rights Request.” We will verify your identity before processing your request. We will respond within forty-five (45) days, with one possible forty-five (45) day extension when reasonably necessary. Authorized agents may submit requests on your behalf with written proof of authorization.
E. California Shine the Light
Under California Civil Code Section 1798.83, California residents may request information about disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.
F. Minors
Our services are not directed to individuals under the age of 18. If you are a California resident under 18 with a registered account, you may request removal of content you have publicly posted by contacting us at support@geteverlong.com.
10. State-Specific Privacy Rights
Because Everlong operates nationwide, we recognize the privacy rights of residents in states with comprehensive consumer data protection laws, including Virginia, Colorado, Connecticut, Texas, and others. In general, residents of these states have the right to:
- Know whether we process their personal data
- Access their personal data
- Correct inaccuracies in their personal data
- Delete their personal data, subject to HIPAA and other legal retention requirements
- Obtain a portable copy of their personal data
- Opt out of targeted advertising, sale of personal data, or profiling
Virginia (CDPA)
Virginia residents may exercise their rights by contacting us at support@geteverlong.com. We will respond within forty-five (45) days, with one possible forty-five (45) day extension. If we decline your request, you may appeal by emailing us with “CDPA Appeal” in the subject line. If your appeal is denied, you may contact the Virginia Attorney General.
Other States
We honor privacy rights for residents of all states with applicable consumer data protection laws. Contact us at support@geteverlong.com to submit a request and we will respond in accordance with the law applicable to your state.
Because Everlong is a HIPAA-covered entity, some information — particularly PHI — is governed by HIPAA rather than state consumer privacy law. Where HIPAA preempts state law, HIPAA rights apply. Where state law provides greater protections, we apply the more protective standard.
11. HIPAA and Your Health Information
Everlong is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Health information collected in the course of your nutrition counseling — including session notes, dietary assessments, diagnoses, and treatment records — constitutes Protected Health Information (“PHI”) governed by HIPAA.
Under HIPAA, you have the right to:
- Access and receive a copy of your medical record
- Request amendments to your health information
- Receive an accounting of disclosures of your PHI
- Request restrictions on certain uses and disclosures of your PHI
- Request confidential communications
- File a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights if you believe your HIPAA rights have been violated
The Agreement describes how we use and disclose your PHI in detail.
To file a HIPAA complaint, contact the HHS Office for Civil Rights at https://www.hhs.gov/ocr/complaints or 1-800-368-1019. We will not retaliate against you for filing a complaint.
12. Do We Make Updates to This Policy?
Yes. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. The “Last Revised” date at the top of this policy indicates when it was last updated. If we make material changes, we will notify you by posting a prominent notice on our website and/or sending a notification to the email address associated with your account. Continued use of our services after a material update constitutes your acceptance of the revised policy.
13. How Can You Contact Us?
If you have questions, concerns, or requests regarding this Privacy Policy, please contact us at support@geteverlong.com.
For matters related to HIPAA or your health information rights, please reference “HIPAA Request” in your subject line. For California-specific requests, please reference “California Privacy Rights Request” in your subject line.