Privacy Policy
Your body. Your data. Your choice.
Effective Date: February 1, 2025 · Last Updated: February 1, 2025
1. Introduction
EllaDx (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy and the security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website at elladx.com, use our mobile applications, or access any of our services (collectively, the “Services”).
We are a HIPAA-covered entity and take our obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) seriously. This Privacy Policy should be read alongside our HIPAA Compliance page and our Terms of Service.
By using our Services, you consent to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our Services.
2. Our Privacy Commitment
EllaDx was built as a direct-pay service specifically to keep your health data private.
Because we do not bill insurance companies, your lab results and health information never enter insurance databases. We will never sell your personal health information. We will never share your data with insurance companies, employers, or any third party without your explicit written consent, except as required by law.
You own your health data. You can access, download, share, or delete it at any time.
3. Information We Collect
3.1 Information You Provide Directly
- Account information: Name, email address, date of birth, phone number, and mailing address when you create an account
- Health assessment data: Responses to our health assessment quiz, including symptoms, health concerns, and medical history you choose to share
- Payment information: Credit card, debit card, HSA/FSA card details, and billing address (processed by our PCI-compliant payment processor — we do not store full card numbers)
- Appointment details: Preferred dates, times, and location for at-home blood draws
- Communications: Information you provide when contacting our support team, submitting feedback, or responding to surveys
3.2 Protected Health Information (PHI)
- Lab test results: Biomarker values, reference ranges, and panel results processed by Quest Diagnostics
- Blood collection records: Date, time, and details of your phlebotomy appointment
- Test order history: Records of which biomarkers and panels you have ordered
Your PHI is protected under HIPAA and handled with the highest level of security. See our HIPAA Compliance page for details on how we safeguard this data.
3.3 Information Collected Automatically
- Device information: Browser type, operating system, device type, and unique device identifiers
- Usage data: Pages visited, time spent on pages, click patterns, and navigation paths
- Log data: IP address, access dates and times, referring URLs, and error logs
- Location data: Approximate geographic location derived from your IP address (used to verify service availability in your area)
4. How We Use Your Information
We use the information we collect to:
- Provide our Services: Process your test orders, coordinate blood draw appointments, deliver lab results, and manage your account
- Personalize your experience: Recommend relevant biomarkers and health panels based on your quiz responses and health goals
- Process payments: Charge for services, issue refunds, and verify HSA/FSA eligibility
- Communicate with you: Send appointment confirmations, result notifications, service updates, and respond to your inquiries
- Improve our Services: Analyze usage patterns and feedback to enhance the platform, develop new features, and improve user experience
- Ensure security: Detect and prevent fraud, unauthorized access, and other security threats
- Comply with legal obligations: Fulfill requirements under HIPAA, state laboratory reporting laws, and other applicable regulations
5. How We Share Your Information
We never sell your personal information or health data. Period.
We never share your information with insurance companies or employers.
We may share your information only in the following limited circumstances:
5.1 Service Providers (Business Associates)
We share information with trusted third parties who help us operate our Services, each bound by contractual obligations and, where applicable, HIPAA Business Associate Agreements:
- Quest Diagnostics: Our CLIA-certified and CAP-accredited laboratory partner that processes your blood samples and produces test results
- Phlebotomy providers: Licensed, certified phlebotomists who perform your at-home blood draws
- Payment processors: PCI-compliant processors that handle payment transactions securely
- Cloud infrastructure: HIPAA-compliant hosting providers that store your data with bank-level encryption
5.2 With Your Consent
We may share your information with third parties when you give us explicit written consent, for example when you choose to share your results with a healthcare provider through our platform.
5.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, including to comply with state mandatory laboratory reporting requirements, respond to valid subpoenas or court orders, or cooperate with law enforcement when legally compelled.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5.5 Aggregated and De-identified Data
We may use and share aggregated, de-identified data that cannot reasonably be used to identify you for research, analytics, and business purposes. This data is stripped of all personal identifiers in accordance with HIPAA de-identification standards.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our Services:
- Essential cookies: Required for core functionality such as authentication, session management, and security. These cannot be disabled.
- Analytics cookies: Help us understand how visitors use our website so we can improve the experience. You can opt out of these.
- Functional cookies: Remember your preferences and settings to personalize your experience.
You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Services. We do not use cookies to track your health data or lab results.
We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable non-essential analytics tracking.
7. Data Security
We implement comprehensive security measures to protect your personal information and PHI:
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) on HIPAA-compliant servers
- Access controls: Role-based access ensures only authorized personnel can access your data on a need-to-know basis
- Audit logging: All access to PHI is logged and monitored for unauthorized activity
- Secure authentication: Multi-factor authentication and automatic session timeouts protect your account
- Regular assessments: We conduct periodic security risk assessments and penetration testing
- Employee training: All team members complete HIPAA privacy and security training
While we use commercially reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
8. Data Retention
We retain your information for as long as necessary to provide our Services and comply with legal obligations:
- Account data: Retained for as long as your account is active and for a reasonable period afterward to comply with legal obligations
- Health records and PHI: Retained for a minimum of six (6) years as required by HIPAA, or longer if required by applicable state law
- Payment records: Retained as required by tax and financial regulations
- Analytics data: Retained in aggregated, de-identified form and may be kept indefinitely
When data is no longer needed, it is securely deleted or de-identified in accordance with our data disposal procedures and HIPAA requirements.
9. Your Rights and Choices
9.1 HIPAA Rights
As a patient of a HIPAA-covered entity, you have the right to:
- Access: Request copies of your health information at any time
- Amendment: Request corrections to inaccurate or incomplete health records
- Accounting of disclosures: Receive a list of entities to whom we have disclosed your PHI
- Restriction requests: Ask for limits on how we use or share your information
- Confidential communications: Request that we contact you through your preferred channel
- Complaint: File a complaint with us or the U.S. Department of Health and Human Services if you believe your privacy rights have been violated
9.2 General Privacy Rights
- Data download: Export your complete health data from your dashboard at any time
- Data deletion: Request deletion of your account and personal data (subject to legal retention requirements)
- Marketing opt-out: Unsubscribe from promotional emails at any time using the link in any marketing email or by contacting us
- Cookie preferences: Manage non-essential cookies through your browser settings
9.3 State-Specific Rights
Depending on your state of residence, you may have additional privacy rights under state laws such as the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), or similar legislation. These may include the right to know what personal information we collect and how it is used, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell your data), and the right to non-discrimination for exercising your privacy rights. To exercise any state-specific right, please contact us at [email protected]. We will respond within the timeframe required by applicable law.
10. Children's Privacy
Our Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided us with personal information, please contact us at [email protected].
11. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices or content of third-party websites or services.
12. Breach Notification
In the unlikely event of a breach of unsecured Protected Health Information, we will notify affected individuals, the U.S. Department of Health and Human Services, and, where required, the media, in accordance with the HIPAA Breach Notification Rule. Notifications will be made without unreasonable delay and no later than sixty (60) days after discovery of the breach.
For breaches involving non-PHI personal information, we will comply with applicable state breach notification laws.
13. International Users
Our Services are designed for and available only to users within the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using our Services, you consent to the transfer of your information to the United States.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) or by posting a prominent notice on our website at least thirty (30) days before the changes take effect.
The “Last Updated” date at the top of this page indicates when this Privacy Policy was last revised. We encourage you to review this Privacy Policy periodically.
Contact our Privacy Officer
If you have questions about this Privacy Policy, wish to exercise your rights, or want to file a complaint, our Privacy Officer is here to help.