Legal

Privacy Policy

Last Updated: March 2026

1. Introduction

One Life Medicine ("we," "us," "our") is a concierge, membership-based functional medicine practice. This Privacy Policy describes how we collect, use, disclose, and protect your personal information and Protected Health Information ("PHI") when you visit our website at onelifemedicine.com, use our patient portal, or receive our services.

We are committed to protecting your privacy in accordance with the Health Insurance Portability and Accountability Act ("HIPAA"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable federal and state privacy laws.

2. Information We Collect

2.1 Information You Provide Directly

Contact Information: Name, email address, phone number, mailing address when you contact us, book a discovery call, or enroll as a member.

Account Information: Email address, password (encrypted), and date of birth when you create a patient portal account.

Health Information (PHI): When you enroll as a patient, we collect Protected Health Information including but not limited to:

  • Medical history, current diagnoses, and past conditions
  • Current medications and supplements with dosages
  • Allergies (medication, food, environmental)
  • Family health history
  • Health concerns, goals, and symptom descriptions
  • Lifestyle information (diet, sleep, exercise, stress levels, environmental exposures)
  • Medical Symptom Questionnaire (MSQ) responses and scores
  • Lab results and diagnostic test data
  • Clinical notes from consultations with Dr. Jennifer Park
  • Treatment plans and supplement protocols
  • Secure messages between you and your care team

Financial Information: Payment card information is collected and processed by Stripe, Inc., our third-party payment processor. We do not store your full credit card number on our servers. We retain your Stripe customer ID, membership tier, billing cycle, and payment history.

Referral Information: How you found us (physician referral, search engine, word of mouth, etc.) and the name of any referring physician.

2.2 Information Collected Automatically

Usage Data: When you visit our website, we automatically collect standard web analytics data including IP address, browser type, device type, pages visited, time spent on pages, and referring URLs.

Cookies: We use essential cookies required for website functionality and authentication. See Section 7 for details.

2.3 Information from Third Parties

Lab Companies: We receive lab results and diagnostic test data from laboratory partners (such as Quest Diagnostics, Labcorp, Vibrant Wellness, Genova Diagnostics, and DUTCH) when Dr. Park orders tests on your behalf.

Referring Physicians: If you are referred by another healthcare provider, they may share relevant medical information with us to support your care.

3. How We Use Your Information

3.1 For Healthcare Services

  • To provide functional medicine consultations and ongoing care
  • To review your health history and prepare for appointments
  • To order, receive, and interpret laboratory tests
  • To develop and manage your personalized treatment plan
  • To track your health progress over time (including MSQ scores and lab biomarkers)
  • To communicate with you about your care through secure messaging

3.2 For Practice Operations

  • To manage your membership and billing
  • To schedule and confirm appointments
  • To send appointment reminders and follow-up communications
  • To respond to your inquiries and support requests
  • To maintain HIPAA-required audit logs of access to your health records

3.3 For Business Purposes

  • To improve our website and patient portal
  • To analyze aggregate, de-identified usage patterns
  • To comply with legal and regulatory obligations
  • To enforce our Terms of Service and Membership Agreement

4. How We Share Your Information

We do not sell your personal information or PHI. We never have and never will.

We may share your information only in the following circumstances:

4.1 Service Providers (Business Associates)

We share information with third-party service providers who assist in operating our practice and technology platform. Each provider with access to PHI has signed a HIPAA Business Associate Agreement (BAA). These providers include:

  • Supabase, Inc. — Secure database hosting, user authentication, and file storage (lab results, documents)
  • Stripe, Inc. — Payment processing and subscription billing
  • Vercel, Inc. — Website and application hosting
  • Resend — Transactional email delivery (appointment confirmations, account notifications)
  • Sentry — Application error monitoring (no PHI is transmitted)

4.2 Other Healthcare Providers

With your written authorization, we may share relevant health information with other healthcare providers involved in your care, including referring physicians.

4.3 As Required by Law

We may disclose your information when required by federal, state, or local law, including but not limited to court orders, subpoenas, or public health reporting requirements.

4.4 To Prevent Harm

We may disclose information if we believe in good faith that disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or the public.

5. How We Protect Your Information

We implement administrative, technical, and physical safeguards to protect your information:

  • Encryption: All data is encrypted at rest (AES-256) and in transit (TLS/SSL). All connections to our platform use HTTPS.
  • Access Controls: Our patient portal uses row-level security, ensuring patients can only access their own records. Role-based access controls restrict who within our practice can view patient data.
  • Audit Logging: Every access to patient health records is logged, including who accessed the record, what was accessed, and when.
  • Authentication: Patient and provider accounts use secure authentication with session management and automatic timeout after 30 minutes of inactivity.
  • Secure File Storage: Lab results and medical documents are stored in a private, encrypted storage bucket with time-limited signed URLs (5-minute expiry).
  • Infrastructure: Our technology partners maintain SOC 2 compliance and we have executed HIPAA Business Associate Agreements with all vendors who handle PHI.

6. Data Retention

We retain your personal information and PHI for as long as your membership is active and for a minimum of 10 years following the end of your patient relationship, consistent with California medical records retention requirements (Health & Safety Code § 123145) and HIPAA requirements.

Financial records are retained for 7 years for tax and accounting purposes.

You may request deletion of non-medical personal information at any time. Medical records may be subject to mandatory retention periods under state and federal law.

7. Cookies

Essential Cookies: We use cookies necessary for website and portal functionality, including authentication session cookies. These cannot be disabled without breaking the site.

Analytics Cookies: We may use analytics tools to understand how visitors interact with our website. These do not collect PHI.

We do not use:

  • Advertising or tracking cookies
  • Third-party marketing cookies
  • Cross-site tracking technologies

You can control cookie preferences through your browser settings.

8. Your Rights

8.1 HIPAA Rights

As a patient, you have the following rights under HIPAA:

  • Access: Request a copy of your PHI that we maintain
  • Amendment: Request corrections to your PHI if you believe it is inaccurate
  • Accounting of Disclosures: Request a list of certain disclosures we have made of your PHI
  • Restrictions: Request restrictions on certain uses and disclosures of your PHI
  • Confidential Communications: Request that we communicate with you through specific channels
  • Breach Notification: Receive notification if your PHI is involved in a data breach

8.2 California Privacy Rights (CCPA/CPRA)

As a California resident, you have the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of personal information we hold about you (subject to medical records retention requirements)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale: We do not sell personal information, but you have the right to opt-out if we ever did
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Limit Use of Sensitive Personal Information: You may limit the use of sensitive personal information, including health data, to purposes necessary for providing our services

To exercise any of these rights, contact us at thrive@onelifemedicine.com. We will verify your identity before processing any request and respond within 45 days.

9. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a minor, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a revised "Last Updated" date. For significant changes affecting how we use PHI, we will provide direct notice via email or through the patient portal.

11. Contact Us

For privacy-related questions, requests, or complaints:

One Life Medicine
Email: thrive@onelifemedicine.com

If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/complaints.

This document is a draft prepared for attorney review. Do not rely on as final legal advice.