Privacy Policy

1) Introduction & Scope

Craft Telemedicine, LLC (“Craft,” “we,” “us,” “our”) respects your privacy. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and protect information when you access or use crafttelemed.com and any site that links to this Policy (collectively, the “Website”). This Policy does not apply to information collected offline or on unrelated Craft websites/apps that have their own privacy policies.

By using the Website, you agree to this Policy and our Terms & Conditions. If you do not agree, do not use the Website. This Website is intended for U.S. residents ages 18+ only.

2) Who We Are; Relationship to Medical Groups & Pharmacies

Craft is a technology platform and administrative services provider. Independent Medical Groups and licensed Providers deliver clinical services, and licensed Pharmacies dispense medications. Craft does not practice medicine or pharmacy.

HIPAA / PHI. Craft is not a HIPAA “covered entity.” In limited cases, Craft may act as a business associate to a Medical Group or Pharmacy under a business associate agreement (BAA) and handle protected health information (PHI) solely as permitted by HIPAA and the BAA. The Medical Group/Providers maintain their own Notice of Privacy Practices governing PHI. Information you provide to Craft that is not PHI is governed by this Policy and applicable state laws.

3) Children’s Privacy

The Website is not intended for anyone under 18. We do not knowingly collect personal information from anyone under 18. If you believe we have information about someone under 18, contact hello@crafttelemed.com and we will delete it.

4) Information We Collect

4.1 Information You Provide

We collect information you provide directly, such as:

• Identifiers & contact: name, email, phone, date of birth, address(es).
• Account & authentication: credentials, security settings, preferences.
• Clinical intake & communications: symptoms, questionnaires, messages, photos/videos uploaded for clinical review (when used for clinical services, this may be PHI managed by or for the Medical Group/Provider).
• Orders & subscriptions: product selections, shipping details, subscription status, cancellation/pause requests, support tickets.
• Payments: card type, last 4 digits, tokenized payment IDs (payment processors store full card data).

4.2 Information Collected Automatically

When you use the Website, we and our service providers may automatically collect:

• Usage data: pages viewed, links clicked, time on site, referring/exit pages, search terms.
• Device & network: IP address, device identifiers, OS, browser, mobile network, crash logs.
• Cookies & similar: cookies, pixels, web beacons, SDKs for analytics, performance, and (on marketing pages) advertising/retargeting.

4.3 Information from Third Parties

We may receive information from service providers (payments, delivery, identity verification), analytics partners, and (at your direction) from Pharmacies or other providers to facilitate your requests.

5) How We Use Information

We use information (including personal information) to:

• Provide the Website and services: account creation, authentication, customer support, secure access, fraud prevention.
• Clinical facilitation: route your submissions to Medical Groups/Providers; support telehealth communications; coordinate pharmacy fulfillment (where you elect).
• Orders & subscriptions: process purchases, auto-renew subscriptions, manage billing/dunning, ship products, handle returns where allowed, provide invoices/receipts.
• Operate, maintain, and improve: debugging, analytics, service quality, new features.
• Communicate: account notices, service updates, care instructions from Providers (which may be PHI when sent by or for the Medical Group), marketing (where permitted) with opt-out options.
• Security & legal: protect against fraud/abuse, enforce Terms, comply with law, respond to lawful requests.
• Advertising/measurement (Website marketing pages only): measure campaign performance and deliver more relevant ads without using PHI and without using sensitive personal information for advertising.

We do not use PHI for advertising.

6) Cookies, Analytics & Targeted Advertising (Website Marketing Pages)

We use cookies and similar technologies to run the Website and understand usage. On marketing pages, we may use analytics and targeted advertising technologies (e.g., to measure conversions or show ads for Craft to prospective users). You can control cookies in your browser; some features may not function without them.

• Opt-out of targeted advertising / sale or share: See Your U.S. State Privacy Rights below for opt-out choices.
• Do Not Track: We currently do not respond to browser DNT signals; use the opt-out mechanisms described below instead.
• Google Analytics: See Google’s “How Google uses data” page for details.

7) How We Disclose Information

We may disclose information:

• To Medical Groups/Providers (at your direction or to facilitate clinical services); where applicable, PHI is handled per HIPAA/BAA.
• To Pharmacies (at your direction or to facilitate fulfillment) with the minimum necessary information required to dispense and ship your medication; you may choose an external pharmacy.
• To service providers acting on our behalf (hosting, security, analytics, payments, messaging/SMS, customer support, identity verification, shipping, returns).
• For compliance and safety: to comply with laws, regulations, legal process, or governmental requests; to protect rights, safety, and security; to detect and prevent fraud or abuse.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets.
• With your consent or at your direction.

We may disclose aggregated or de-identified information that does not identify you.

We do not disclose PHI for advertising. We do not sell PHI.

8) Payments & Processors

We use third-party payment processors to process payments and manage subscription billing. They collect and process your payment data subject to their privacy policies. We receive tokenized identifiers and limited billing details (e.g., last 4 digits, expiration month/year) for records, dunning, and refunds where applicable.

9) SMS & Email Communications

• Transaction & service messages (e.g., account, clinical, subscription notices) are integral to service delivery.
• Marketing: We send marketing only where permitted; you can opt out via the message footer or account settings.
• SMS consent: We do not share your SMS opt-in/consent status with third parties for unrelated purposes. We may share with vendors who help deliver the messages.

10) Data Retention

We retain information as needed to provide services, comply with legal/regulatory obligations (including healthcare, tax, and bookkeeping), resolve disputes, and enforce agreements. Clinical records managed by Medical Groups/Providers may be retained per medical-record retention laws. We may retain minimal records (e.g., suppression lists, receipts) to honor opt-outs and defend against legal claims.

11) Data Security

We implement administrative, technical, and physical safeguards designed to protect information. No method of transmission or storage is 100% secure. If we discover a security incident affecting your information, we may notify you electronically consistent with law.

You are responsible for maintaining the confidentiality of your credentials and restricting access to your devices.

12) Your U.S. State Privacy Rights

Depending on your state (e.g., CA, CO, CT, UT, VA and others as laws evolve), you may have rights to:

• Access: know the categories and specific pieces of personal information we collected about you.
• Correct: request correction of inaccurate personal information.
• Delete: request deletion of personal information, subject to legal exceptions.
• Portability: obtain a portable copy of certain information.
• Opt-out of “sale” or “sharing” of personal information and targeted advertising (as defined by state laws) on our marketing pages.
• Limit use/disclosure of Sensitive Personal Information to permitted purposes.

Exclusions: These consumer privacy laws generally do not apply to PHI under HIPAA or to data when we act as a business associate; such data is governed by HIPAA and Medical Group/Provider Notices of Privacy Practices.

How to exercise your rights

Email hello@crafttelemed.com with your name, the right you wish to exercise, and a way for us to verify your identity. You may designate an authorized agent as permitted by law (we may require verification of both you and the agent).

Opt-out of sale/share/targeted advertising

To opt out of targeted advertising or “sale/share” on marketing pages, email hello@crafttelemed.com with subject “Do Not Sell or Share My Personal Information,” or use any posted “Your Privacy Choices” link where available. We honor opt-out preference signals where required by law.

Appeals

If we deny your request, you may appeal by replying to our response or emailing hello@crafttelemed.com within 60 days. We will respond within 60 days with our final decision.

We will not discriminate against you for exercising your rights.

13) Your Choices

• Cookies/Tracking: Use your browser settings to block or delete cookies. Some features may not work without cookies.
• Marketing: Opt out via email/SMS footer links or by emailing hello@crafttelemed.com.
• Account info: You may request access, correction, or deletion as described above.

14) Geographic Scope; U.S.-Only

The Website is intended for individuals in the United States. If you access from elsewhere, you do so at your own risk and consent to processing in the U.S.

15) Changes to this Policy

We may update this Policy from time to time. We will update the “Last Updated” date and, for material changes, provide additional notice (e.g., posting a prominent notice or emailing the address in your account). Your continued use of the Website after changes are effective means you accept the revised Policy.

16) Contact Us

Craft Telemedicine, LLC

5705 E. 71st Street, Suite 100

Tulsa, OK 74136

Email: hello@crafttelemed.com

‍