Privacy Policy

Your data. Your rights. Our obligations.

We collect only what we need, use it only for what we say, and never sell it. This policy explains exactly what that means.

Last updated: May 2026
Effective: May 2026
Jurisdiction: United States (CCPA) · EU/UK (GDPR)

Section 01

Overview

This Privacy Policy describes how Upgrade Health, Inc. ("Upgrade Health," "we," "us," or "our"), located at 123 Science Drive, Suite 100, San Diego, CA 92101, collects, uses, and shares information about you when you visit our website, place an order, create an account, contact our support team, or otherwise interact with us.

By using our website or purchasing our products, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Full stop.

Section 02

Information We Collect

Information you provide directly

Account & orders

Name, email address, shipping and billing address, phone number, payment information (processed by Shopify Payments — we never store full card numbers), order history, and account credentials.

Communications

Messages you send via our contact form, email, or customer support channels, including any health or protocol information you choose to share when seeking clinical guidance.

Newsletter & marketing

Email address and preferences when you subscribe to our newsletter, promotional communications, or early access programs.

Customer results

Protocol details, health outcomes, and supporting data (bloodwork, wearable exports) that you voluntarily submit to our results program — only with your explicit written consent.

Information collected automatically

Device and browser data: IP address, browser type and version, operating system, device identifiers, and time zone.
Usage data: Pages visited, time spent on pages, links clicked, referring URLs, and search terms used on our site.
Transaction data: Purchase history, cart contents, discount codes used, and subscription status — processed and stored via Shopify.
Cookies and tracking technologies: See Section 04 for full detail on what we place on your device and why.

Information from third parties

We may receive limited information about you from payment processors (Shopify Payments, PayPal, Shop Pay), shipping carriers (for delivery confirmation), and analytics providers (Google Analytics). We do not purchase or receive personal data from data brokers.

Section 03

How We Use Your Information

We use the information we collect for the following purposes, each with a specific lawful basis under GDPR where applicable:

Fulfilling orders and managing your account — processing payments, shipping orders, issuing refunds, and maintaining your account. Lawful basis: contractual necessity.
Customer support — responding to enquiries, resolving complaints, and providing clinical protocol guidance. Lawful basis: contractual necessity and legitimate interest.
Marketing communications — sending promotional emails, new product announcements, and protocol content — only with your consent, and only while you remain subscribed. Lawful basis: consent.
Improving our products and website — analyzing usage patterns, A/B testing, and measuring the effectiveness of our content. Lawful basis: legitimate interest.
Legal and compliance obligations — maintaining records required by tax law, fraud prevention, and responding to lawful requests from authorities. Lawful basis: legal obligation.
Fraud detection and security — monitoring for unusual activity, verifying payment details, and protecting against unauthorized access. Lawful basis: legitimate interest.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

Section 04

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate our website, understand how visitors use it, and improve your experience. Here is what we use and why:

Essential cookies

Required for the site to function: shopping cart, checkout session, account login, and fraud prevention. Cannot be disabled without breaking core functionality. No consent required.

Analytics cookies

Google Analytics (anonymized IP) and Shopify Analytics track page visits, traffic sources, and conversion paths. Used to improve our website and understand which content is useful. Consent required in the EU/UK.

Marketing cookies

Set by Meta Pixel and Google Ads to measure ad performance and enable retargeting. We use these to show relevant ads to people who have visited our site. Consent required — opt out via our cookie banner or your browser settings.

Preference cookies

Remember your currency, language, and region preferences across sessions. Helps deliver a consistent experience on return visits. Consent required in the EU/UK.

You can manage cookie preferences at any time via the cookie banner on our site, your browser settings, or by emailing privacy@upgradehealth.com. Withdrawing consent does not affect the lawfulness of prior processing.

Section 05

Sharing Your Information

We do not sell your personal information. We share data only in the following limited circumstances:

Service providers: Shopify (ecommerce platform and payment processing), shipping carriers (USPS, UPS, FedEx, DHL — to fulfill your order), email service providers (transactional and marketing email delivery), and cloud hosting providers. These parties process data on our behalf under strict data processing agreements.
Payment processors: Payment information is processed directly by Shopify Payments, PayPal, and Shop Pay. We do not store, access, or handle raw payment card data at any point.
Legal obligations: We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such action is necessary to prevent fraud, protect our rights, or ensure the safety of others.
Business transfers: In the event of a merger, acquisition, or sale of all or part of our assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.
With your consent: Customer results and testimonials are only shared publicly with your explicit prior written consent, which you may withdraw at any time.

Section 06

Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations. Specific retention periods by data type:

Account & order data

Retained for 7 years after your last order to comply with tax and financial record-keeping requirements. Account data is deleted within 30 days of a verified account deletion request, subject to legal retention minimums.

Support communications

Retained for 3 years from the date of the last interaction. Clinical enquiries involving health data are retained for the same period unless you request earlier deletion.

Marketing preferences

Email marketing consent records are retained while you are subscribed and for 3 years after unsubscription, as required for consent record-keeping under GDPR.

Analytics data

Aggregate, anonymized analytics data may be retained indefinitely. Individual-level analytics data is retained for 26 months in Google Analytics in accordance with their data retention policy.

Section 07

Your Rights

Depending on where you are located, you have the following rights over your personal data. EU and UK residents have rights under GDPR; California residents have additional rights under the CCPA (see Section 08). We honor all verified requests regardless of your location.

Access
Right to access

Request a copy of the personal data we hold about you.

Rectification
Right to correct

Request correction of inaccurate or incomplete personal data.

Erasure
Right to delete

Request deletion of your personal data, subject to legal retention requirements.

Portability
Right to portability

Receive your personal data in a structured, machine-readable format.

Objection
Right to object

Object to processing based on legitimate interests, including direct marketing.

Restriction
Right to restrict

Request that we limit how we use your data in certain circumstances.

To exercise any of these rights, email privacy@upgradehealth.com with your request and sufficient information to verify your identity. We will respond within 30 days (EU/UK: within 1 month). If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

EU & UK residents

Our legal basis for processing is described in Section 03. You have the right to withdraw consent at any time without affecting the lawfulness of prior processing. You may also lodge a complaint with your national supervisory authority — in the EU via edpb.europa.eu, in the UK via the ICO at ico.org.uk.

Section 08

California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights regarding your personal information.

Categories of personal information collected

In the past 12 months we have collected: identifiers (name, email, IP address); commercial information (purchase history, subscription status); internet or network activity (browsing behavior on our site); and inferences drawn from the above (product preferences). We have not collected sensitive personal information as defined by the CPRA beyond health-related communications you voluntarily submit for clinical support.

Your California rights

Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
Right to delete: Request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
Right to correct: Request correction of inaccurate personal information we maintain about you.
Right to opt out of sale or sharing: We do not sell or share personal information with third parties for cross-context behavioral advertising. No opt-out is required, but you may confirm this at any time.
Right to non-discrimination: We will not discriminate against you for exercising any CCPA rights. You will not receive a different quality of service or price as a result of making a CCPA request.

To submit a CCPA request, email privacy@upgradehealth.com with the subject "CCPA Request." We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice).

Section 09

International Data Transfers

Upgrade Health is based in the United States. If you access our website from outside the US, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For transfers from the EU and UK to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the lawful transfer mechanism, where applicable. Our primary data processor, Shopify Inc., is certified under appropriate transfer mechanisms and operates under a Data Processing Agreement.

By using our website, you acknowledge and consent to the transfer of your information to the United States as described in this policy.

Section 10

Security

We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, loss, destruction, or alteration. These include:

TLS/SSL encryption for all data transmitted between your browser and our website (HTTPS).
Payment card data is processed and stored by PCI-DSS compliant processors (Shopify Payments). We never store raw card numbers on our systems.
Access to customer data within our organization is restricted to personnel who require it to perform their job functions.
Regular security reviews and access control audits.

No method of electronic transmission or storage is 100% secure. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law.

Section 11

Children's Privacy

Our website and products are not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@upgradehealth.com and we will delete the information promptly.

Section 12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where required by law, by sending you an email notification or displaying a prominent notice on our website.

We encourage you to review this policy periodically. Your continued use of our website after any changes constitutes your acceptance of the revised policy.

Section 13

Contact & Data Controller

Upgrade Health, Inc. is the data controller for personal information collected through our website. For any privacy-related questions, requests, or complaints, please contact our Privacy team:

Privacy enquiries

privacy@upgradehealth.com
Response time: within 30 days (EU/UK) or 45 days (CCPA)

Postal address

Upgrade Health, Inc.
123 Science Drive, Suite 100
San Diego, CA 92101
United States

Privacy questions?

Our privacy team responds within 30 days.

For data access, deletion, or correction requests, email privacy@upgradehealth.com with your name and the nature of your request.
