IVÉ Wellness — Privacy Policy
July 1, 2025
Legal entity: IVÉ Wellness LLC ("IVÉ Wellness," "we," "our," or "us")
Website & App (the “Platform”):https://ivewellness.com/
Mailing: PO Box 187, Highlands, NC 28741
Physical address (no in person drop off):43 Dillard Rd, Highlands, NC 28741
Privacy email:[email protected]Effective: July 1, 2025
Legal entity: IVÉ Wellness LLC ("IVÉ Wellness," "we," "our," or "us")
Website & App (the “Platform”):
Mailing: PO Box 187, Highlands, NC 28741
Physical address (no in-person drop-off): 43 Dillard Rd, Highlands, NC 28741
Privacy email:
Notice at Collection (Summary)
- We collect personal information such as identifiers, account and commercial data, device/Internet activity, approximate geolocation, communications, and information you choose to submit about your health for coordination with independent Medical Groups/Providers.
- party independent sales organizations (ISOs), gateways, and acquiring banks, secure our services, communicate with you, comply with law, and improve the experience.We use this information to operate the Platform and booking/membership services, process payments through third-party independent sales organizations (ISOs), gateways, and acquiring banks, secure our services, communicate with you, comply with law, and improve the experience.
- not sell personal information for money. If we enable advertising/retargeting cookies, some states may treat that as a “sale” or “sharing.” You may opt out via our cookie settings and the “Do Not Sell or Share” link (where available). We honor Global Privacy Control (GPC) as required by law.We do not sell personal information for money. If we enable advertising/retargeting cookies, some states may treat that as a “sale” or “sharing.” You may opt out via our cookie settings and the “Do Not Sell or Share” link (where available). We honor Global Privacy Control (GPC)as required by law.
- For medical care, independent Medical Groups/Providers handle protected health information (PHI) under their Notices of Privacy Practices (NPPs). This policy explains IVÉ Wellness’s role as platform operator and, where applicable, HIPAA business associate.
- U.S. state privacy rights (e.g., access, delete, correct, opt out of sale/share/targeted advertising) are described below and in Appendix C..
1. Scope & Relationship to Other Terms
This Privacy Policy explains how IVÉ Wellness collects, uses, discloses, and protects information when you use the Platform and related booking and membership services (the Service ). Capitalized terms not defined here have the meanings in our Terms of Use.
Medical services are provided by independent Medical Groups and Providers. Those entities—and, where applicable, their Pharmacies and Labs—are responsible for medical care, prescriptions, and laboratory services. Their handling of PHI is governed by their Notices of Privacy Practices (NPPs) and applicable law. IVÉ Wellness operates the Platform and bills on behalf of Medical Groups/Providers as their agent; we do not practice medicine.
IVÉ Wellness is not a HIPAA “covered entity.” In some contexts we act as a business associate to a Medical Group. Where HIPAA applies, we handle PHI only as permitted by our Business Associate Agreements (BAAs)and applicable law. This Privacy Policy covers our practices as Platform operator and controller of non PHI.HIPAA alignment. IVÉ Wellness is not a HIPAA “covered entity.” In some contexts we act as a business associate to a Medical Group. Where HIPAA applies, we handle PHI only as permitted by our Business Associate Agreements (BAAs) and applicable law. This Privacy Policy covers our practices as Platform operator and controller of non-PHI.
2. Age Limits & Minor Use
The Service is intended for adults 18+ (or the age of majority in your jurisdiction). Individuals 13–17 may use the Service only with a parent/guardian who (i) gives required consents and (ii) is the account holder responsible for payments. We do not direct the Service to children under 13. If we learn we collected information from a child under 13, we will delete it where appropriate.
3. Information We Collect
We collect the information you provide, information from others (e.g., Medical Groups/Providers and vendors), and information collected automatically when you use the Service.
A. Information you provide to us
- Account & identity. Name, email, phone, date of birth, shipping/billing addresses; parent/guardian data for minor use; electronic signatures and consents.
- Orders & memberships. Products/services purchased; totals; membership status; appointment details and preferences.
- Payment related. Tokenized card data, last four digits, card brand, and expiration from our payment partners; we do not store full card numbers.
- Communications. Messages to us; support tickets; survey responses; email/SMS interaction metadata (opens, delivery).
- Health information you choose to submit through the Platform for coordination with Medical Groups/Providers (e.g., intake forms, symptoms, images/videos you upload for triage)
B. Information from others
- Medical Groups/Providers, Labs, Pharmacies. Scheduling details, order/fulfillment status, limited clinical documentation required to coordinate billing and support; PHI remains governed by their NPPs and HIPAA where applicable.
- Identity verification, fraud prevention, security, analytics/measurement, hosting, customer support, email/SMS delivery, and payment processing (ISOs, gateways, acquirers).Service providers & partners. Identity verification, fraud prevention, security, analytics/measurement, hosting, customer support, email/SMS delivery, and payment processing (independent sales organizations (ISOs), payment gateways, and acquiring banks).
- party service. With your permission we may receive data from those services (e.g., contact info to pre fill forms).If you connect a third-party service. With your permission we may receive data from those services (e.g., contact info to prefill forms).
C. Information collected automatically
- Device & usage. IP address, device and browser type, operating system, referring/exit pages, pages viewed, links clicked, time stamps, error logs, and approximate location (derived from IP).
- Cookies/SDKs. For operations, security, analytics/measurement, and—if enabled—advertising/retargeting. See Appendix D for details and controls.
D. Identity verification & biometrics
For fraud prevention and compliance, we may ask you to verify your identity. IVÉ Wellness does not create or store biometric templates . If you submit a government ID and a selfie, our specialized verification service provider may generate biometric identifiers to compare your selfie to your ID solely for verification. The provider returns a match result and parsed ID fields (e.g., name, DOB) to us and deletes biometric data after verificationaccording to its policies and applicable law. We receive the verification result and extracted ID data—not the biometric template.
4. Cookies, Tracking Technologies & Ad Signals
(i) operate the Service (authentication, consent logging, security); (ii) measure performance and usage; and (iii) only if enabled, support advertising/retargeting and cross context measurement.We use cookies, pixels, tags, SDKs, and similar tools to: (i) operate the Service (authentication, consent logging, security); (ii) measure performance and usage; and (iii) only if enabled, support advertising/retargeting and cross-context measurement.
You can manage preferences via our cookie banner and your browser/device settings. Where required by law, we honor Global Privacy Control (GPC) signals. Because there is no industry standard for Do Not Track (DNT), we do not respond to DNT signals. See Appendix D (cookie matrix, glossary, and controls).Controls & signals. You can manage preferences via our cookie banner and your browser/device settings. Where required by law, we honor Global Privacy Control (GPC)signals. Because there is no industry standard for Do Not Track (DNT), we do not respond to DNT signals. See Appendix D (cookie matrix, glossary, and controls).
5. How We Use Information
Subject to the PHI limitations above, we and our vendors use information to:
- Provide and maintain the Platform and Service; schedule appointments; operate memberships and subscriptions; coordinate with Medical Groups/Providers, Labs, and Pharmacies.
- through third party ISOs, gateways, and acquiring banks; prevent, detect, and investigate fraud.Process payments through third-party ISOs, gateways, and acquiring banks; prevent, detect, and investigate fraud.
- with you (emails, SMS, phone, in product messages) about orders, appointments, membership, legal notices, and support.Communicate with you (emails, SMS, phone, in-product messages) about orders, appointments, membership, legal notices, and support.
- Secure the Service; debug, monitor, and audit systems; enforce terms and policies.
- Improve and develop the Service, including analytics, testing, and research.
- Comply with legal, tax, accounting, and regulatory obligations.
- Provide health related communications about benefits or services that may interest you; you can opt out of non transactional messages.
de identified or aggregated information for any lawful purpose and will not re identify it except as permitted by law.We may use de-identified or aggregated information for any lawful purpose and will not reidentify it except as permitted by law.
6. How We Disclose Information
We disclose information as follows:
- Medical Groups/Providers, Labs, Pharmacies – to coordinate services and bill on their behalf.
- Service providers – hosting, security, fraud tools, analytics/measurement, email/SMS delivery, customer support, and payment partners (ISO/gateway/acquirer) bound by contract to protect information and use it only for us.
- Legal/Compliance – to comply with law, lawful requests, and to protect rights, safety, and property.
- Corporate events – in connection with a merger, acquisition, financing, or sale of assets.
- With your direction or consent.
- identified/Aggregated information that does not identify you.De-identified/Aggregated information that does not identify you.
Where we enable advertising/retargeting or cross context measurement, some states may deem those disclosures a “sale” or “sharing.” See Appendix C for rights and opt out mechanisms.No monetary sale of personal information. Where we enable advertising/retargeting or cross-context measurement, some states may deem those disclosures a “sale” or “sharing.” See Appendix C for rights and optout mechanisms.
7. Payments, PCI & ISO/Acquirer Disclosures
party payment processing partners (including independent sales organizations (ISOs), payment gateways, and acquiring banks) that are responsible for PCI DSS compliance. We do not store full PANs (card numbers) on IVÉ Wellness systems. We receive limited payment metadata (e.g., token, last four digits, brand, expiration) to complete orders, manage refunds, and prevent fraud. Your card issuer or bank may provide us and our processors with updated credentials (e.g., new expiration dates) to reduce failed charges; you may opt out through your issuer.All card transactions occur via third-party payment processing partners (including independent sales organizations (ISOs), payment gateways, and acquiring banks) that are responsible for PCI DSS compliance. We do not store full PANs (card numbers) on IVÉ Wellness systems. We receive limited payment metadata (e.g., token, last four digits, brand, expiration) to complete orders, manage refunds, and prevent fraud. Your card issuer or bank may provide us and our processors with updated credentials (e.g., new expiration dates) to reduce failed charges; you may opt out through your issuer.
8. Data Retention
We retain personal information only as long as necessary for the purposes described or as required by law, including tax/audit obligations and to maintain security records. Where we handle PHI for Medical Groups as a business associate, retention follows law and contract (often 6–7 years, subject to state rules). Details appear in Appendix F (Retention Schedule).
9. Security
We implement administrative, technical, and physical safeguards appropriate to the nature of the data, including role based access controls, encryption in transit, secrets management, logging/monitoring, vendor due diligence, and incident response. No system is 100% secure; please protect your credentials and devices. See Appendix E for a high level overview of our security program.
10. International Use
The Platform is controlled from the United States. If you access it from outside the U.S., you do so on your own initiative and your data may be processed in the U.S.
11. Your Privacy Rights (U.S.)
Depending on your state, you may have rights to know/access, delete, correct, data portability, opt out of sale/share/targeted advertising, limit certain sensitive uses, and appeal denials. We will not discriminate against you for exercising rights.
Submit a request:
Email [email protected]
(subject: “Privacy Rights Request”) or mail IVÉ Wellness LLC –
Privacy, PO Box 187, Highlands, NC 28741. We will verify your identity (and authorized
agent authority, if applicable) and respond within the required timeframe. See Appendix G
for
procedures.
12. Communications Preferences & SMS Terms
You may opt out of marketing emails via unsubscribe links. Transactional/service messages (e.g., receipts, legal notices) will continue. For SMS, reply STOP to opt out and HELP for help. Message/data rates may apply; message frequency varies; carriers are not liable for delayed or undelivered messages.
Party Links & Services 13. Third-Party Links & Services
Third party sites/services (including those of Medical Groups/Providers) are governed by their own terms and privacy policies. We are not responsible for their practices.
14. Changes to This Policy
We may update this Policy; changes take effect upon posting unless the law requires otherwise. Material changes will be highlighted on the Platform. See Appendix J for version history.
15. Contact Us
[email protected]
Mail: IVÉ Wellness LLC – Privacy, PO Box 187, Highlands, NC 28741
Physical address (no in person drop off): 43 Dillard Rd, Highlands, NC 28741Email:
Mail: IVÉ Wellness LLC – Privacy, PO Box 187, Highlands, NC 28741
Physical address (no in-person drop-off): 43 Dillard Rd, Highlands, NC 28741
Appendices
Appendix A — Definitions
means information that identifies, relates to,
describes, or could reasonably be linked with a particular consumer or household.
Sensitive personal information includes precise geolocation, account log ins with
credentials, health information you submit, and government IDs.
Sell / Share follow state law definitions and include disclosing for cross context
behavioral advertising.
Business associate (HIPAA) means a person or entity that performs functions or activities
on behalf of a covered entity involving PHI, subject to a Business Associate Agreement.
De identified information cannot reasonably be used to infer information about, or be
linked to, a particular consumer.Personal information means information that identifies, relates
to, describes, or could reasonably be linked with a particular consumer or household.
Sensitive personal information includes precise geolocation, account logins with credentials,
health information you submit, and government IDs.
Sell / Share follow state-law definitions and include disclosing for cross-context behavioral
advertising.
Business associate (HIPAA) means a person or entity that performs functions or activities on
behalf of a covered entity involving PHI, subject to a Business Associate Agreement.
De-identified information cannot reasonably be used to infer information about, or be linked to,
a particular consumer.
Appendix B — Data Mapping Tables (Categories • Sources • Purposes • Recipients)
B1. Categories of personal information
| Category | Examples |
|---|---|
| Identifiers | Name, email, phone, device IDs, account ID |
| Customer records | Shipping/billing addresses, order history, membership status |
| Protected classifications (optional/if provided) | Age range (13–17/18+), sex, pronouns |
| Commercial information | Products/services purchased, totals, refunds |
| Internet/network activity | Log data, IP address, pages viewed, links clicked, error reports |
| Approximate location | Derived from IP, shipping city/state |
| In product communications | Messages to support, survey responses, appointment notes you submit |
| Sensitive personal information | Health information you submit; login credentials (hashed); government ID for IDV |
B2. Sources of personal information
| Source | Examples |
|---|---|
| You | Account creation, forms, uploads, messages |
| Devices/browsers | Logs, diagnostics, security analytics |
| Medical Groups/Providers/Labs/Pharmacies | Scheduling, order/fulfillment status, limited clinical coordination |
| Service providers | Hosting, analytics, fraud, identity verification, email/SMS, payment partners (ISO/gateway/acquirer) |
B3. Business purposes for use
| Purpose | Illustrative activities |
|---|---|
| Provide the Service | Accounts, bookings, memberships, telehealth intake |
| Payments & fraud prevention | Process via ISO/gateway/acquirer; prevent unauthorized use |
| Communications | Transactional notices, support responses, appointment reminders |
| Security | Detect/prevent abuse, spam, and attacks; investigate incidents |
| Analytics & improvement | Product performance, error monitoring, A/B testing |
| Compliance | Legal, tax, accounting, audits, law enforcement requests |
B4. Recipients of disclosures
| Recipient | Role |
|---|---|
| Medical Groups/Providers | Care coordination, scheduling/billing agent |
| Pharmacies/Labs | Rx fulfillment and lab services |
| Payment partners (ISO/gateway/acquirer) | Payment processing and refunds |
| Hosting/Support/Analytics/Security vendors | Operate and improve the Service |
| Government/law enforcement | Where required by law |
| Successors/assignees | Corporate transactions |
Appendix C — U.S. State Privacy Addendum (Comprehensive)
This Addendum supplements the Policy for residents of states with comprehensive privacy laws, including California (CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), and others as they become effective. Where laws differ, we will honor the most protective applicable right.
C1. California (CPRA) — Notice at Collection & Disclosures
- Identifiers; customer records; commercial information; Internet/network activity; approximate location; in product communications; sensitive personal information you submit (e.g., health information).Categories collected (last 12 months): Identifiers; customer records; commercial information; Internet/network activity; approximate location; in-product communications; sensitive personal information you submit (e.g., health information).
- Purposes: See Appendix B3.
- Retention: See Appendix F.
- We do not sell PI for money. If we use advertising/retargeting or cross context measurement cookies, those disclosures may be deemed a “sale” or “sharing.” You can opt out via our cookie controls, the Do Not Sell or Share link, or a valid GPC signal.“Selling” or “sharing”: We do not sell PI for money. If we use advertising/retargeting or cross-context measurement cookies, those disclosures may be deemed a “sale” or “sharing.” You can opt out via our cookie controls, the Do Not Sell or Share link, or a valid GPC signal.
- Disclosures for business purposes: We disclose to service providers and contractors (hosting, security, analytics, email/SMS, support, payment partners) and to Medical Groups/Providers, Pharmacies, and Labs for coordination.
- Sensitive personal information: Used only to provide requested services or as permitted by law; we do not use SPI to infer characteristics.
- Your rights: Know/access, delete, correct, portability, opt out of sale/share, limit certain uses of SPI, non discrimination, and appeal.
- How to exercise: [email protected]; or mail IVÉ Wellness LLC – Privacy, PO Box 187, Highlands, NC 28741.
C2. Colorado, Connecticut, Virginia, Utah
- Rights include access, correction, deletion, portability, and opt out of targeted advertising, sale, and profiling in furtherance of decisions that produce legal or similarly significant effects.
- Submit requests via [email protected] or mail (above). We will authenticate requests and respond within
- You may appeal a denial; we will explain our reasons and how to contact your Attorney General if you disagree.
C3. Nevada; Washington; Other States
- Nevada: We do not sell covered information as defined by Nevada law; inquiries: [email protected]
- Washington (consumer health law): To the extent state health data laws apply to non HIPAA data, we process such data solely to provide the requested services, with privacy and security controls described in this Policy.
- As additional state laws become effective, we will update this Addendum.
Appendix D — Cookie & Tracking Technology Matrix
D1. Categories & representative examples
| Category | Examples | Purpose | Typical Lifetimes | Controls |
|---|---|---|---|---|
| Essential | __Host-session, sessionid, consent_uuid | Login sessions; security; consent storage | Session to 1 year | Browser settings may impair site functions |
| Analytics/Measurement | _ga, _gid, _gcl_au, error_beacon | Usage analytics; performance; troubleshooting | 1 day to 25 months | Cookie banner; browser settings |
| Advertising/Retargeting* | _fbp, _tt_enable_cookie, _uetsid, _clsk | context advertisingAd measurement; cross-context advertising | Session to 13 months | Cookie banner; Do Not Sell/Share; GPC |
*Advertising/Retargeting cookies are off by default and only enabled if/when we implement advertising programs.
D2. Glossary of tracking tools
- Cookies: Small text files stored on your browser or device to remember settings, authenticate sessions, and log consent.
- Flash cookies: Legacy Adobe Flash storage objects that may persist separately from browser cookies.
- Web beacons/pixels: Tiny code snippets in webpages/emails that record page views, opens, and related metadata (IP address, URL, user agent).
- Scripts/SDKs: Code that enables site/app behavior, analytics, measurement, fraud prevention, and communications.
- Local Storage: Browser storage for settings and consent preferences.
D3. Managing preferences
Use our cookie banner, your browser settings, and (where supported) GPC to control tracking relevant to sale/share and targeted advertising. Disabling essential cookies can impair functionality.
Appendix E — Security Program Overview
- Governance & Access Control: Role based access; least privilege; periodic access reviews; secure administrative procedures.
- Encryption & Key Management: TLS in transit; strict secrets handling; hardened cipher suites.
- Application Security: Secure SDLC; code review; dependency scanning; vulnerability management; logging and monitoring.
- Infrastructure: Segmentation; firewalls; baseline hardening; OS and patch management; backup integrity checks.
- Vendor Risk Management: Due diligence; DPAs/BAAs; ongoing monitoring; incident reporting obligations.
- Incident Response: Triage, containment, eradication, recovery; notification where required by law.
- Training & Awareness: Security and privacy training for workforce members with annual refreshers.
Appendix F — Data Retention Schedule (Illustrative)
| Data Category | Typical Retention | Rationale |
|---|---|---|
| Account & identity | While account active + 3 years | Contract, fraud prevention, customer service |
| card payment dataOrders, invoices & non-card payment data | 7 years | Tax/audit, accounting standards |
| Membership/Subscription records | Life of membership + 3 years | Chargebacks, disputes |
| Support tickets & call logs | 2–3 years | Quality assurance, dispute resolution |
| Marketing preferences & unsubscribes | 4 years | Compliance evidence |
| Cookie/analytics data | Per cookie lifetime (see Appendix D) | Analytics windows |
| Security logs | 12–24 months | Security investigations |
| PHI handled as BA | Per law/contract (often 6–7 years) | HIPAA/state retention laws |
| Backups | Rotating cycles (e.g., 30–180 days) | Disaster recovery |
We may retain data longer where necessary to comply with law, resolve disputes, or enforce agreements.
Appendix G — Requests, Verification & Authorized Agents
- Verification. We may ask you to verify via the email/phone on file and provide limited information to match our records. Higher risk requests (access, deletion, correction) may require stronger verification.
- Two step deletion. For online deletion requests, we may send a second confirmation (email/SMS/portal) before processing.
- Authorized agents. Agents must present proof of authority; we may also ask the consumer to verify identity or confirm the request.
- Appeals. Email privacy@ivewellness.com with subject “Appeal” if you disagree with our decision; we’ll explain our reasoning and how to contact your Attorney General.
Appendix H — Identity Verification & Biometrics (Detailed)
- Purpose. Prevent fraud and confirm identities for clinical and pharmacy requirements.
- Process. If you submit an ID and selfie, a specialized verification provider may generate biometric identifiers to compare your selfie to your ID.
- Data we receive. Match confidence, verification status, and parsed ID fields (e.g., name, DOB); not the biometric template.
- Retention & deletion. The provider deletes biometric data after verification according to its retention schedule and applicable law.
- Your choices. If you cannot or do not wish to complete biometric verification, contact support for alternatives where permitted.
Appendix I — Metrics (Transparency)
If required by law, we will publish annual statistics about the requests we received, granted/denied, and average response times. (Not currently applicable.)
Appendix J — Version History
- v2025 07 01: Initial full extended version aligned to ISO/gateway/acquirer payments; added biometrics disclosure; added GPC and DNT statements; expanded state addendum; added cookie matrix, security overview, and retention schedule.