Privacy Policy
Last updated: April 27, 2026
1. Introduction
Pru Health LLC ("Pru," "we," "us," or "our") operates the website joinpru.com and related telehealth services. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal and health information when you visit our website or use our services.
This Privacy Policy serves as our Notice of Privacy Practices (NOPP) under the Health Insurance Portability and Accountability Act (HIPAA), as required of HIPAA-covered entities and their business associates. By accessing or using our services, you acknowledge receipt of this Notice and agree to the collection and use of information as described.
2. Information We Collect
Information You Provide
We collect information you voluntarily provide, including:
- Account & waitlist registration: First name, last name, email address, phone number, date of birth, state of residence, gender, and health-related quiz responses (health goals, activity level, prior experience, barriers).
- Medical intake: Current medications, allergies, medical conditions, surgical history, supplements, exercise frequency, alcohol and tobacco use, stress level, sleep, diet, primary care physician, and pharmacy preferences.
- Treatment data: Symptom journal entries, prescription data, protocol selections, consultation notes, and other information generated during care.
- Payment information: Billing details processed by Stripe; full card numbers are never stored on our servers.
- Newsletter subscription: Email address.
- Communications: Any information you include when contacting us directly.
- Consents: The age, telehealth, HIPAA NOPP, and Terms acknowledgments you provide at signup are recorded with timestamp, IP address, and user-agent for audit purposes.
Information Collected Automatically
When you visit our website, we may automatically collect:
- IP address and approximate location
- Browser type and version
- Pages visited and time spent
- Referring URL
- Device information
3. How We Use Your Information
We use the information we collect to:
- Operate the patient portal and your account
- Match you with an independently licensed Pru-affiliated physician for consultation
- Facilitate prescription, dispensing, and shipment of your treatment by partner pharmacies
- Process payments and refunds
- Communicate with you about your account, treatment, and our services
- Send you newsletter content (only if you opted in)
- Improve our website and services through aggregated analytics
- Comply with legal, regulatory, and accreditation obligations
4. Health Information & HIPAA Notice of Privacy Practices
Pru handles protected health information (PHI) in accordance with HIPAA and applicable state privacy laws. As a HIPAA-covered entity (and on behalf of HIPAA-covered Pru-affiliated physicians), Pru may use and disclose PHI for treatment, payment, and healthcare operations without your additional authorization, including:
- Treatment: Sharing PHI with physicians, pharmacies, and other providers involved in your care.
- Payment: Processing your payments and verifying eligibility.
- Healthcare operations: Quality improvement, accreditation, training, and platform administration.
- As permitted or required by law: Including public health reporting, court orders, and specific legal mandates.
We will not use or disclose your PHI for marketing or sell your PHI without your explicit written authorization.
Your HIPAA rights include the right to:
- Inspect and obtain a copy of your PHI
- Request an amendment to PHI you believe is inaccurate
- Request an accounting of disclosures of your PHI
- Request restrictions on certain uses or disclosures
- Request confidential communications by alternative means
- Receive a paper copy of this Notice on request
- File a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights without retaliation
To exercise any HIPAA right, or to receive a paper copy of this Notice, contact our Privacy Officer at team@joinpru.com.
5. Third-Party Service Providers
We share your information with the following service providers, each of which is contractually bound to protect your information and use it only for the purposes we specify. Where required, we maintain a Business Associate Agreement (BAA) with each provider that handles PHI.
- Supabase — database hosting and management (data stored in the United States).
- Vercel — website hosting, edge delivery, and infrastructure.
- Stripe — payment processing (when our purchase functionality is active).
- Loops — transactional and marketing email delivery.
- PostHog — privacy-aware product analytics. We capture only de-identified event data; we do not transmit PHI or email addresses to PostHog.
- Compounding pharmacies — FDA-regulated U.S. compounding pharmacies receive prescription orders from your treating physician.
6. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption in transit (TLS 1.2+) and at rest
- HTTP Strict Transport Security (HSTS) with preload
- Row-level security on all database tables
- Cross-Site Request Forgery (CSRF) protection on all state-changing endpoints
- Strong Content Security Policy
- HttpOnly and Secure session cookies
- Rate limiting on API endpoints
- Input validation and sanitization
- Role-based access controls and audit logging
- Vendor due-diligence review for any provider that may handle PHI
No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Breach Notification
If we discover a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and no later than 60 days after discovery, in accordance with the HIPAA Breach Notification Rule. Notice will be provided by email or first-class mail (using the most recent contact information you have provided) and will include the information required by 45 C.F.R. § 164.404. We will also notify the U.S. Department of Health and Human Services and, where required, prominent media outlets.
8. Your Rights
In addition to your HIPAA rights described above, depending on your jurisdiction (including California under CCPA/CPRA), you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your information
- Opt out of marketing communications
- Opt out of any "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising)
- Withdraw consent at any time
To exercise any of these rights, contact us at team@joinpru.com. We will respond within the timeframe required by applicable law.
9. Cookies & Tracking
Our website uses cookies and similar technologies for the following purposes:
- Strictly necessary: Authentication session cookies that keep you signed in.
- Analytics: Vercel Analytics and PostHog, both configured to collect aggregated usage data without exposing PHI or personally identifying information beyond what is required to maintain a session.
We do not use third-party advertising cookies or tracking pixels. We do not sell your personal information. Where you have enabled the Global Privacy Control or Do-Not-Track signal in your browser, our analytics tools respect those signals.
10. Data Retention
We retain personal information for as long as necessary to provide our services, comply with legal and regulatory recordkeeping requirements (including medical-record retention requirements that vary by state), and resolve disputes. PHI is retained for the minimum period required by applicable state law for medical records, generally six years from the date of creation or date last in effect. You may request deletion at any time, subject to those retention obligations.
11. Children's Privacy
Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected information from a minor, we will delete it promptly.
12. International Visitors
Pru's services are intended for residents of the United States. If you access our services from outside the United States, your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country of residence.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before they take effect, and the updated policy will be posted on this page with a new "Last updated" date. Your continued use of our services after the effective date constitutes acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, or wish to exercise any of your privacy or HIPAA rights, contact us at:
Pru Health LLC
Attn: Privacy Officer
131 Continental Dr, Suite 305
Newark, DE 19713
United States
Email: team@joinpru.com
To report a suspected security or privacy incident, email team@joinpru.com.