Privacy Policy

Holism Inc.

Effective Date: April 16, 2026

Last Updated: April 16, 2026


Introduction

Holism Inc. ("Holism," "Holism Health", "we," "us," or "our") operates a holistic health marketplace and practice management platform accessible at holism.health and related subdomains (the "Platform"). We connect patients ("Patients") with holistic, integrative, and complementary medicine practitioners ("Practitioners") and provide Practitioners with tools to manage their practice.

We are committed to protecting the privacy and security of all users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform, and describes your rights with respect to that information.

If you are a Patient or Practitioner using the clinical features of our Platform, please also review our Notice of Privacy Practices (NPP), which describes how we handle Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

By accessing or using the Platform, you agree to this Privacy Policy. If you do not agree, please do not use the Platform.

1. Who We Are and Our Role Under HIPAA

Holism Health operates as a Business Associate under HIPAA with respect to the Practitioners on our Platform, who are Covered Entities. In our capacity as a Business Associate, we handle PHI on behalf of Practitioners in accordance with executed Business Associate Agreements (BAAs).

Where Holism independently determines the purposes and means of processing patient data (for example, for platform operations and safety), we may also act as a Covered Entity in our own right.

Our designated HIPAA Privacy Officer can be contacted at: contact@holism.health

2. Information We Collect

2.1 Information You Provide Directly

For Patients:

  • Account registration information: name, email address, password, date of birth, gender, location
  • Health and wellness information you choose to share: health conditions, wellness goals, care preferences
  • Appointment and booking information
  • Communications with Practitioners through the Platform
  • Payment information (processed by Stripe; we do not store full card details)
  • Profile preferences and search history on the Platform

For Practitioners:

  • Account registration information: name, email address, password, professional credentials, license numbers, specialties, and practice location
  • Practice information: business name, address, services offered, availability, fees
  • Professional biography and profile content
  • Communications with Patients through the Platform
  • Payment and payout information
  • Documents uploaded to the Platform (practice forms, consult notes, care plans)

For All Users:

  • Customer support communications
  • Feedback, reviews, and survey responses

2.2 Information Collected Automatically

When you visit or use our Platform, we may automatically collect:

  • Device information: IP address, browser type and version, operating system
  • Usage data: pages visited, features used, clicks, session duration, referring URLs
  • Authentication tokens and session identifiers (stored as secure cookies)
  • Log data related to Platform performance and errors

2.3 Information from Third Parties

  • Identity verification data from verification service providers
  • Calendar and scheduling data if you connect a third-party calendar
  • Payment verification from Stripe

3. How We Use Your Information

We use the information we collect for the following purposes:

Platform Operations:

  • Creating and managing your account
  • Facilitating connections between Patients and Practitioners
  • Processing appointments, bookings, and payments
  • Enabling telehealth consultations via video (powered by Agora, under BAA)
  • Sending transactional communications (appointment confirmations, reminders, receipts) via AWS

Safety and Security:

  • Verifying the identity and credentials of Practitioners
  • Detecting and preventing fraud, abuse, and unauthorized access
  • Maintaining audit logs of PHI access as required by HIPAA
  • Monitoring for security threats and platform integrity

Platform Improvement:

  • Analyzing usage patterns to improve features and user experience
  • Diagnosing technical issues and bugs
  • Developing new features and services

Legal and Compliance:

  • Complying with HIPAA and other applicable laws and regulations
  • Responding to legal process, court orders, or regulatory requests
  • Enforcing our Terms of Use and other agreements
  • Resolving disputes

Communications:

  • Responding to your support requests
  • Sending you platform updates and policy changes
  • Sending optional marketing communications (only with your consent, and you may opt out at any time)

4. Protected Health Information (PHI)

We handle PHI with the highest standards of security and privacy. PHI includes any health information that can identify a Patient, including appointment records, clinical notes, care plans, diagnoses, and related communications.

  • PHI is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Access to PHI is restricted on a strict need-to-know, role-based basis
  • All PHI access is logged and auditable
  • We do not sell, rent, or use PHI for advertising or marketing purposes
  • PHI is retained only as long as required by applicable law or the terms of our BAA with the relevant Practitioner

For full details on how we handle PHI, please review our Notice of Privacy Practices.

5. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

5.1 With Other Users of the Platform

  • Practitioner profiles (name, specialty, location, credentials, bio, and availability) are visible to Patients and the general public as part of the directory
  • Patient information is shared with Practitioners only to the extent necessary to facilitate the care relationship and appointments the Patient has booked

5.2 With Service Providers (Business Associates and Vendors)

We share information with trusted third-party service providers who process data on our behalf. Where required by HIPAA, we have executed BAAs with these providers:

Provider                   | Purpose                                                     | BAA in Place
Amazon Web Services (AWS)  | Cloud infrastructure, hosting, storage, email/SMS (SES/SNS)  | Yes
Agora                      | Telehealth video consultations                              | Yes
Stripe                     | Payment processing (financial data only, no PHI)            | N/A (financial exemption)

5.3 For Legal Reasons

We may disclose information if we believe in good faith that disclosure is necessary to: comply with applicable law or legal process; protect the rights, property, or safety of Holism, our users, or others; investigate or prevent fraud or security issues; or respond to a government request.

5.4 Business Transfers

If Holism is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy. Any acquiring entity will be required to maintain the same or greater level of privacy protection, including HIPAA compliance.

5.5 With Your Consent

We may share your information for any other purpose with your explicit consent.

6. Data Retention

We retain your information for as long as your account is active, as needed to provide our services, and as required by law.

  • Account data is retained while your account is active and for up to 7 years after closure, as required for healthcare-related records under applicable state and federal law
  • PHI is retained in accordance with applicable state medical records retention laws (typically 7–10 years for adult patients; longer for minors)
  • Audit logs of PHI access are retained for a minimum of 6 years as required by HIPAA
  • Payment records are retained for 7 years for financial and tax compliance purposes
  • Marketing data is retained until you opt out or withdraw consent

Upon account deletion, we will anonymize or delete your personal data within 90 days, except where retention is required by law.

7. Data Security

We implement administrative, technical, and physical safeguards to protect your information, including:

  • End-to-end TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for all data at rest
  • Multi-factor authentication (MFA) for all user accounts
  • Role-based access controls limiting PHI access to authorized personnel
  • Continuous security monitoring via AWS GuardDuty and Security Hub
  • Immutable audit logging via AWS CloudTrail
  • Regular vulnerability assessments and penetration testing
  • Employee HIPAA training and background checks

In the event of a data breach involving PHI, we will notify affected individuals and relevant authorities in accordance with the HIPAA Breach Notification Rule (within 60 days of discovery) and any applicable state breach notification laws.

8. Your Rights and Choices

8.1 Access and Portability

You may request a copy of the personal information we hold about you. For PHI specifically, you have the right to access and receive a copy of your health information held on the Platform.

8.2 Correction

You may update or correct inaccurate personal information through your account settings or by contacting us.

8.3 Deletion

You may request deletion of your account and personal data, subject to our legal retention obligations. To delete your account, contact us at privacy@holism.health.

8.4 Restriction and Objection

You may request that we restrict processing of your personal data in certain circumstances, or object to processing based on legitimate interests.

8.5 Marketing Opt-Out

You may opt out of marketing communications at any time by clicking "unsubscribe" in any marketing email or contacting us at privacy@holism.health. Transactional communications (appointment confirmations, security alerts) are not affected by marketing opt-outs.

8.6 California Residents (CCPA)

If you are a California resident, you have the right to: know what personal information is collected, used, shared, or sold; request deletion of personal information; opt out of the sale of personal information (we do not sell personal information); and not be discriminated against for exercising your rights. To submit a CCPA request, contact us at privacy@holism.health.

8.7 HIPAA Rights

Patients have additional rights with respect to PHI under HIPAA. Please review our Notice of Privacy Practices for full details.

9. Children's Privacy

Our Platform is not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a child under 18, we will promptly delete it. If you believe a child under 18 has provided us with personal information, please contact us at privacy@holism.health.

10. Third-Party Links

Our Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access through our Platform.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date, post the revised policy on the Platform, and notify you by email or in-app notice at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, requests, or concerns:

Holism Inc.
Privacy Officer
Email: contact@holism.health
Website: holism.health

For HIPAA-specific concerns, please contact our HIPAA Privacy Officer directly at contact@holism.health.