Privacy Policy
Last Updated: March 6, 2026
HDX Labs, Inc. dba HealthEx (“HealthEx”, “we”, “our”) provides a platform for individuals to access, manage, and share their health data and information with third parties (the “Platform”).
This Privacy Policy describes (1) how we handle personal information that we collect in connection with our Platform, our websites (including https://www.healthex.io/), and your other interactions with HealthEx, (2) how we use and share that information, and (3) the rights and choices you have.
Applicability of this Privacy Policy
We have developed relationships and built integrations with various health systems, networks and other data sources that may contain your health data and information (each, a “Third-Party Source”). Our Platform enables individuals to retrieve, manage and share their personal health data and information (collectively, “User Health Data”) with third party recipients, such as healthcare providers, third party applications, or other services (each a “Third-Party Recipient”).
With respect to personal information that we retrieve and access from a Third-Party Source on your behalf, we act as an independent “data controller” or “business”, rather than a “processor”, “service provider” or “business associate” of any subsequent Third-Party Recipient. If you have questions or concerns with respect to how a Third-Party Recipient is processing your personal information after you have chosen to share it with them, please contact the corresponding Third-Party Recipient. We are not responsible for any such subsequent use of your personal information by such Third-Party Recipient.
In limited circumstances, we may receive your personal information directly from a third-party business as a “processor”, “service provider” or “business associate” of such third-party. When we do so, this Privacy Policy will not apply. Instead the privacy notice provided at collection will apply to any processing of such personal information.
Additionally, we also act as an Individual Access Service Provider (“IAS Provider”) in connection with our Trusted Exchange Framework and Common Agreement (“TEFCA”) services. You may elect for our Platform to receive your User Health Data and other personal information through our TEFCA connection. Our HealthEx TEFCA Privacy and Security Notice Addendum (“TEFCA Notice”) applies to how we process your individually identifiable information through our TEFCA connection as an IAS Provider and your rights under TEFCA. To the extent the TEFCA Notice conflicts with our general HealthEx Privacy Policy, the TEFCA Notice controls with respect to the individually identifiable information we collect about you through our TEFCA connection.
Summary: Our platform connects to various health systems and data sources to help you access, manage, and share your User Health Data with healthcare providers, health plans, digital health apps, AI tools, or other third parties of your choosing. Once you choose to share your User Health Data with a third party, that party becomes responsible for how they use it, and separate privacy terms may apply depending on how your information is collected and shared.
Personal Information We Collect
Information you provide to us:
User Health Data: We may process your User Health Data that you provide to us or otherwise authorize us to access on your behalf from Third-Party Sources.
Account Registration Information, such as the information you provide to us in order to register an account on the Platform (e.g. name, email, etc.). This does not include your User Health Data.
Feedback or correspondence, such as information you provide when you contact us with questions, feedback, reviews, or otherwise correspond with us online.
Usage information, such as information about how you use the Platform and interact with us.
Communication preferences, such as your preferences for receiving communications about our activities, services, and publications, and details about how you engage with our communications.
Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.
Automatic data collection. We and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with our Platform, our communications and other online services, such as:
Device data, such as your computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 4G), and general location information such as city, state or geographic area.
Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, browsing history, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access, and whether you have opened our commercial emails or clicked links within them. We may use third party tools to assist with capturing online activity data.
Email Open/Click Information. We may use pixels in our email campaigns that allow us to collect your email and IP address as well as the date and time you open an email or click on any links in the email that we may send to you.
We use the following tools for automatic data collection:
Cookies, which are text files that websites store on a visitor’s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, helping us understand user activity and patterns, and facilitating online advertising.
Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data, including on your device outside of your browser in connection with specific applications.
Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.
Summary: We collect information you directly provide, such as your User Health Data, account details, and feedback, as well as information we automatically gather when you use our platform, such as your device details, browsing activity, and email interactions. We use standard tracking tools like cookies, local storage, and web beacons to help us understand how you use our platform.
How We Use Your Personal Information
User Health Data. We use your User Health Data solely to provide you with the Platform services you have requested. Specifically, we process your User Health Data for the following limited purposes:
Retrieve and import your health data from Third-Party Sources you authorize
Store and maintain your User Health Data securely on our servers
Enable you to view, access, and download your User Health Data through the Platform
Share your User Health Data with Third-Party Recipients at your explicit direction
Maintain connections with Third-Party Sources to ensure your data remains current and accurate
Provide you with more personalized support, information and recommendations regarding your use of the Platform
Provide you with customer service and technical support regarding your use of the Platform
To operate our Platform. We may use your personal information (other than your User Health Data) to:
Provide, operate, maintain, secure and improve our Platform.
Provide information about our Platform.
Communicate with you about our Platform, including by sending you announcements, updates, security alerts, and support and administrative messages.
Respond to your requests, questions and feedback.
Provide you with more personalized support, information and recommendations regarding your use of the Platform
Provide you with customer service and technical support regarding your use of the Platform
Our Communications. If you have provided us with your email or phone number, we may from time-to-time send you direct communications through email or phone number as permitted by law regarding the Platform, including, but not limited to, sending service-related notices or providing account-related notifications; sharing product updates and new feature announcements; delivering personalized recommendations based on your use of the Platform; and providing security alerts or notifications regarding your account or the Platform. We will not use your User Health Data to conduct any targeted marketing or advertising activities. In addition, we will not share your personal information with third parties for their marketing and advertising purposes, unless you have explicitly provided your consent for us to do so.
Internal business purposes. We may use your personal information (but excluding your User Health Data) for our internal business purposes, including to research, develop, analyze and improve our Platform and our business. As part of these activities, we may create aggregated, de-identified, or other anonymous data from personal information we collect. We make personal information into de-identified data by removing information that makes the data personally identifiable to you. We may use this de-identified data and share it with third parties (like our vendors and contractors) for our lawful business purposes, including to analyze and improve our Platform and promote our business. We use commercially reasonable efforts to secure contractual commitments from third parties to prohibit their re-identification of de-identified or anonymized data.
Compliance and protection. We may use personal information (including your User Health Data) to:
Comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.
Protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims).
Audit our internal processes for compliance with legal and contractual requirements and internal policies.
Enforce the terms and conditions that govern our Platform.
Prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
Summary: Your User Health Data is used only to provide you with our services, such as accessing, managing, and sharing your health information with providers or other recipients you choose, and the other purposes described above. Other personal information (other than your identifiable health data) we collect, such as your account details and usage data, may be used for additional purposes as described above, like improving our platform, sending you relevant communications, and conducting internal research using de-identified data. All personal information, including your health data, may also be used when necessary to comply with legal requirements or to protect against fraud and other harmful activity.
Sharing of Your Personal Information
Your Sharing: When you use our Platform, you may choose to provide your User Health Data and other personal information to Third-Party Recipients. You will have discretion in determining the items of personal information that are shared with such Third-Party Recipients. You agree and acknowledge that the Third-Party Recipients are unaffiliated with HealthEx and that the Third-Party Recipients’ use and processing your personal information will be done in accordance with their respective Privacy Policies. If you have questions or concerns regarding a Third-Party Recipients’ processing of your information or would like to exercise any rights that you may have with respect to information processed by a Third-Party Recipients, please contact the corresponding Third-Party Recipients.
Our Sharing: We do not sell your personal information (including User Health Data). We may share your personal information in the following circumstances:
Service providers. We may share your personal information with third party companies and individuals that provide services on our behalf or help us operate our Platform (such as user support, hosting, analytics, email delivery, and database management services).
Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
For compliance, fraud prevention and safety. We may share your personal information for the compliance, fraud prevention and safety purposes described above.
Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution. In such a case, we will make reasonable efforts to require the recipient to honor this Privacy Policy.
Our Commitments Regarding Service Providers and Professional Advisors: We contractually bind our service providers and professional advisors who may access your personal information, including User Health Data, to only use and disclose your personal information solely as necessary to provide services to us and for no other purpose. These contractual restrictions prohibit services providers and professional advisors from using or disclosing your personal information for their own purposes, except as required by law.
Summary: When you share your User Health Data or personal information with third-party recipients through our platform, those parties are responsible for how they handle your information according to their own privacy policies. We do not sell your personal information, and we only share it with trusted service providers, professional advisors, for compliance and fraud prevention and safety, as required by law, or in the event of a business transaction such as a merger or acquisition.
Privacy Choices
You have the following choices regarding our collection and use of your personal information:
Access or update your Account Information. You may review and update your HealthEx Account Information by logging into your account.
Unsubscribe from communications. You can unsubscribe from our emails by following the unsubscribe instructions at the bottom of the emails you receive from us. If you do so, you will continue to receive service-related and other non-commercial emails until you cease using our services linked to those service updates.
Privacy rights. Depending on your location and the nature of your interactions with our Platform, you may have the right to submit requests about your personal information:
Information about how we have collected and used your personal information. We have made this information available to you without having to request it by including it in this Privacy Policy.
Access to a copy of the personal information that we have collected about you. Where applicable, we will provide the information in a portable, machine-readable, readily usable format.
Correction of personal information created by HealthEx or within HealthEx’s ability to update that is inaccurate or out of date.
Deletion of personal information that we no longer need to provide our services or for other lawful purposes.
No automatic opt in to “sharing” (as defined under applicable privacy laws) of your personal information. By default, we do not “sell” or “share” your personal information without your consent.
Additional rights, such as to object to and request that we restrict our use of your personal information, and where applicable, to withdraw your consent.
To make a request, please email us as provided in the “How to Contact Us” section below. We may ask for specific information from you to help us confirm your identity. We will require authorized agents to confirm their identity and authority, in accordance with applicable laws. You are entitled to exercise the rights described above free from discrimination.
Online tracking opt-out. There are a number of ways to opt out of having your online activity and device data collected through our Platform, which we have summarized below:
Blocking cookies in your browser. Most browsers let you remove or reject cookies, including cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit allaboutcookies.org.
Use the following links to learn more about how to control cookies and online tracking through your browser:Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
Google Analytics. We use Google Analytics to help us better understand how people engage with the Platform by collecting information and creating reports about how users use our Platform. For more information on Google Analytics, click here. For more information about Google’s privacy practices, click here. You can opt out of Google Analytics by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout.
Using privacy plug-ins or browsers. You can block our website from setting cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, DuckDuckGo, Ghostery or uBlock Origin, and configuring them to block third party cookies/trackers.
Platform opt-outs. Some third-party ad networks, including third-party ad servers, ad agencies, ad technology vendors and research firms, allow you to opt-out directly by using their opt-out tools. Some of these providers, and links to their opt-out tools, are:
Advertising industry opt-out tools. You can also use these opt-out options to limit use of your information for interest-based advertising by participating companies:
Note that because these opt-out mechanisms are specific to the device or browser on which they are exercised, you will need to opt out on every browser and device that you use.
Limits on your choices. In some instances, your choices may be limited, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights. If you are not satisfied with how we address your request, you may submit a complaint by contacting us as provided in the “How to Contact Us” section below.
Do Not Track. Some Internet browsers can be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
Summary: This section outlines your rights regarding your personal information and how you can exercise them. You have the ability to access, update, correct (to the extent HealthEx is reasonably able to do so), or delete your personal information, opt out of certain data collection practices, and unsubscribe from marketing communications, and you can do so by contacting us directly or adjusting your device and browser settings.
Data Retention
We may retain your personal information for as long as it is reasonably needed in order to maintain and expand our relationship and provide you with our services; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of such information, the potential risk of harm from unauthorized use or disclosure of such information, the purposes for which we process it, and the applicable legal requirements.
We retain your User Health Data for a period of one (1) year from the date you provided your consent to our collection and use of such User Health Data. Upon expiration of this retention period, we will delete your User Health Data in accordance with our data destruction practices, unless: (i) we are required to retain such data for a longer period under applicable law or regulation; (ii) the data is necessary to resolve a dispute or enforce our agreements; or (iii) you have provided a separate, subsequent consent that extends the retention period.
We retain other personal information that does not constitute User Health Data (such as your account login information, user preferences, etc.) as long as you have an account with HealthEx, unless you request deletion of your personal information.
If you delete your account with HealthEx, we will delete your personal information (including User Health Data), within thirty (30) days.
Summary: We retain your personal information for as long as necessary to provide our services, meet legal obligations, and protect against potential disputes, taking into account the sensitivity of the information and the risks of unauthorized use. By default, we retain your User Health Data for one year from when you provided your consent, unless you request earlier deletion of your User Health Data. If you delete your account, we will delete your personal information, including your health data, within 30 days.
Consent Withdrawal and Account Deletion
You may withdraw your consent to our sharing of your User Health Data or delete your HealthEx account at any time by contacting us as described in the “How to Contact Us” section below or through your account settings. However, please be aware of the following important limitations:
Withdrawing your consent or deleting your HealthEx account will stop any future sharing of your User Health Data with Third-Party Recipients going forward. It will not, however, automatically delete or result in the retrieval of any User Health Data that was previously shared with your consent to a Third-Party Recipient prior to the effective date of your withdrawal or account deletion. Once your data has been shared with a Third-Party Recipient, that Third-Party Recipient controls such data independently and in accordance with their own privacy policies and applicable law. HealthEx does not have the ability to delete data that has already been transmitted to and received by a Third-Party Recipient.
If you wish to have your data deleted or otherwise modified by a Third-Party Recipient, you must contact that Third-Party Recipient directly. We encourage you to review the privacy policies of any Third-Party Recipients with whom you have shared your User Health Data to understand your rights and options with respect to that data.
Summary: You can withdraw your consent or delete your account at any time, which will stop any future sharing of your health data, but will not affect data that has already been shared with third parties prior to your withdrawal. To have previously shared data deleted or modified, you will need to contact those third parties directly, as we have no control over data that has already been transmitted to them.
Other sites, mobile applications and services
Our Platform may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites and mobile applications and online services you use.
Security practices
We use reasonable organizational, technical and administrative measures designed to protect against unauthorized access, misuse, loss, disclosure, alteration and destruction of personal information we maintain. Unfortunately, data transmission over the Internet cannot be guaranteed as completely secure. Therefore, while we strive to protect your personal information, we cannot guarantee the security of personal information. In the event that we are required to notify you about a situation involving your data, we may do so by email or telephone to the extent permitted by law.
Children
Our Platform is not intended for children, and we do not collect personal information from them. We define “children” as anyone under 18 years old. If we learn we have collected or received personal information from a child without verification of parental consent, we will delete the information. If you believe we might have any information from or about a child, please contact us via the contract information noted below.
Changes to this Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on our website. We may also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have an account where we have your contact information) or another manner through our Platform.
Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on our Platform (or as otherwise indicated at the time of posting). In all cases, your continued use of the Platform after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.
How to contact us
If you have any questions or concerns, you can reach us by email at privacy@healthex.io.
Consumer Health Data Privacy Policy
Last Updated: February 24, 2026
This notice supplements the HealthEx Privacy Policy and applies to personal data defined as “consumer health data” subject to the Washington State My Health My Data Act (MHMDA), the Nevada Health Data Privacy Act (NHDPA), or other applicable state consumer health privacy law.
Consumer Health Data We Collect
As described in the “Personal Information We Collect” section of our Privacy Policy, the data we collect depends on the context of your interactions with HealthEx and the choices you make (including your privacy settings), the products and features you use, your location, and applicable law. Because consumer health data is defined very broadly, many of the categories of data we collect could also be considered consumer health data.
Examples of consumer health data may include:
Information about your health-related conditions, symptoms, status, diagnoses, testing, or treatments (including surgeries, procedures, medications, or other interventions).
Measurements of bodily functions, vital signs, or characteristics, including photographs, which may also be considered biometric information under the MHMDA, the NHDPA, or other applicable state consumer health privacy law.
Information that could identify your attempt to seek health care services or information, including services that allow you to assess, measure, improve, or learn about your or another person’s health.
Other information that may be used to infer or derive data related to the above or other health information.
Sources of Consumer Health Data
As described further in the “Personal Information We Collect” section of our Privacy Policy, we collect personal data (which may include consumer health data) directly from you, from your interactions with our products and services, and from Third-Party Sources.
Why We Collect and Use Consumer Health Data
We collect and use consumer health data for the purposes described in the “How We Use Your Personal Information” section of our Privacy Policy. Primarily, we collect and use consumer health data as reasonably necessary to support your access and use of the Platform.
We may use consumer health data for other purposes for which we give you choices and/or obtain your consent as required by law. See the “Privacy Choices” section of our Privacy Policy and the How to Exercise Your Rights section below for more details on the controls and choices you may have.
Our Sharing of Consumer Health Data
We may share each of the categories of consumer health data described above for the purposes described in the “Sharing of Your Personal Information” section of our Privacy Policy. In particular, we may share consumer health data with your consent. For example, we share your consumer health data at your direction with Third-Party Recipients.
Third Parties With Which We Share Consumer Health Data
As necessary for the purposes described above, we share consumer health data with the following categories of third parties:
Service providers. We may share your personal information with third party companies and individuals that provide services on our behalf or help us operate our Platform (such as user support, hosting, analytics, email delivery, and database management services).
Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
For compliance, fraud prevention and safety. We may share your personal information for the compliance, fraud prevention and safety purposes described above.
Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution. In such a case, we will make reasonable efforts to require the recipient to honor this Privacy Policy.
How to Exercise Your Rights
If you are covered by the MHMDA, the NHDPA, or other applicable consumer health privacy law then you may have certain rights with respect to consumer health data, including rights to access, delete, or withdraw consent relating to such data, subject to certain exceptions. You can request to exercise such rights using the various tools and mechanisms described in “Privacy Choices” section of our Privacy Policy. In addition, you can always contact HealthEx at the contact information in the “How to contact us” section of our Privacy Policy.
If your request to exercise a right is denied, you may appeal that decision by us at support@healthex.io. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint, the Nevada State Attorney General at https://ag.nv.gov/complaints/file_complaint/, or other regulatory authority as applicable.
