Privacy Policy







1. Introduction
Welcome to Legion Health, Inc.
​
Legion Health, Inc., a corporation organized and existing under the laws of Delaware (“us”, “we”, or “our”), operates https://legion.health (“Platform”) and provides or makes accessible various services via our Platform (“Services”).
We are not a medical group or a health care provider. We offer individuals the option to receive telemedicine consultations from independent medical professionals, including—though not limited to—Legion Health, PA, a professional association organized and existing under the laws of Texas, and its affiliated covered entity (“Medical Group”), an independent medical group composed of U.S.-based providers (each, a “Provider”). The Medical Group consists of separate and independent organizations from us. The Medical Group (or your personal health care provider if you do not use a Medical Group Provider) is responsible for giving you a Notice of Privacy Practices that details the collection and use of your health information. We are not responsible for giving you any such notice.
​
2. When does our Privacy Policy apply?
This Privacy Policy explains the types of information we may gather about you in various circumstances, including:
​
- When you access or use our Platform (which includes our Website);
- During e-mail, text, or other electronic communications between you and us; and
- When we communicate in person, such as by phone or through a telehealth session.
​​
3. When does our Privacy Policy not apply?
Our Privacy Policy governs your visit to https://legion.health and explains how we collect, safeguard, and disclose information that results from your use of our Platform.
​
However, this Privacy Policy does not apply to information collected by any other website operated either by us or by a third party, unless the website is listed above or links to this Privacy Policy. It also does not apply to any website that we may provide a link to or that is accessible from our Platform.
​
Moreover, this Privacy Policy does not apply to information collected via the password-protected and secure portions of our Platform (“Secure Platform”) from users once they log in to the Secure Platform. The Secure Platform allows users who order the Services (“Customers”) to perform certain tasks or to receive certain information or to access the Services.
​
Information collected and stored by us or added by Customers into such Secure Platform that is considered Protected Health Information ("PHI") and/or medical information is governed by applicable state and federal laws, for example, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). How we use and disclose such PHI is in accordance with the Medical Group’s Notice of Privacy Practices [hyperlink] under HIPAA. We will not use or disclose information collected from the Secure Platform or received from Medical Group or your Provider for advertising, marketing, or other use-based data mining purposes except as otherwise permitted by HIPAA and other applicable law and outlined in the HIPAA Notice of Privacy Practices. For example, we may perform internal data analytics or otherwise review information collected from the Secure Platform or received from the Medical Group to improve our Services or the services of the Medical Group to the extent permitted by HIPAA and other applicable laws. We will not sell any PHI in violation of HIPAA.
​​
4. Our Privacy Policy and Terms of Use.
This Privacy Policy is incorporated into our Terms of Use, which also apply when you use our Platform.
​
We use your data to provide and improve the Platform and/or the Services. By using the Platform, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.
​
Our Terms and Conditions (“Terms”) govern all use of our Services and together with the Privacy Policy constitute your agreement with us (“Agreement”).
​
5. Information Collection and Use
We collect several different types of information for various purposes to provide and improve our Services to you.
​
6. What is Personal Information?
Personal information is information from and about you that may be able to personally identify you (hereinafter, collectively referred to as “Personal Information”). We treat any information that may identify you as Personal Information. For example, your name and e-mail address are Personal Information.
​
7. What types of Personal Information do we collect?
We may collect and use the following Personal Information:
​
- Email address
- First name and last name
- Phone number
- Address, State, Province, ZIP/Postal code, City
- Cookies and Usage Data (described below)

We may use your Personal Information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link.
​​
8. What is Medical Data?
Some Personal Information we collect may constitute PHI under HIPAA. As set forth above, the Notice of Privacy Practices describes their collection and use of your health information. We will only collect and use PHI for the purposes of providing the Services and we only collect the minimum amount necessary to fully perform and provide the Services on our Platform. We may combine your PHI with Personal Information that we have either obtained from you or through a third-party, health insurer, employee benefits program, or other health care providers. PHI will only be used and disclosed as outlined in the HIPAA Notice of Privacy Practices and as permitted by HIPAA and other applicable laws.
Medical data includes but is not limited to:
- Phone calls and texts with the front desk
- Intake documentation
- Faxes from primary care providers
- Chart notes
- Visit transcripts and video recordings
- Portal messages between patients and providers
- Health information exchange data
- Personal Identifiable Information (PII) and Protected Health Information (PHI)
​
9. Types of Data Collected
- Personal Information
  While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Information”). Personally identifiable information may include, but is not limited to:
  - Email address
  - First name and last name
  - Phone number
  - Address, State, Province, ZIP/Postal code, City
  - Cookies and Usage Data

  We may use your Personal Information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link.
- Usage Data
  We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device (“Usage Data”).
  This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
  When you access the Service with a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device's unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.
​
- Tracking Cookies Data
  We use cookies and similar tracking technologies to track the activity on our Service and we hold certain information.
  Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags, and scripts to collect and track information and to improve and analyze our Service.
  You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
  Examples of Cookies we use:
  - Session Cookies: We use Session Cookies to operate our Service.
  - Preference Cookies: We use Preference Cookies to remember your preferences and various settings.
  - Security Cookies: We use Security Cookies for security purposes.
  - Advertising Cookies: Advertising Cookies are used to serve you with advertisements that may be relevant to you and your interests.
- Other Data
  While using our Service, we may also collect the following information: sex, age, date of birth, place of birth, passport details, citizenship, registration at a place of residence and actual address, telephone number (work, mobile), details of documents on education, qualification, professional training, employment agreements, non-disclosure agreements, information on bonuses and compensation, information on marital status, family members, social security (or other taxpayer identification) number, office location, and other data.
​
10. Use of Data
We use the collected data for various purposes:
- to provide and maintain our Service;
- to notify you about changes to our Service;
- to allow you to participate in interactive features of our Service when you choose to do so;
- to provide customer support;
- to gather analysis or valuable information so that we can improve our Service;
- to monitor the usage of our Service;
- to detect, prevent, and address technical issues;
- to fulfill any other purpose for which you provide it;
- to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection;
- to provide you with notices about your account and/or subscription, including expiration and renewal notices, email instructions, etc.;
- to provide you with news, special offers, and general information about other goods, services and events that we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information;
- in any other way we may describe when you provide the information;
- for any other purpose with your consent.
​
11. Retention of Data
We will retain your Personal Information only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
​
We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
​
12. Transfer of Data
Your information, including Personal Information, may be transferred to – and maintained on – computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
​
Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
​
We will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Information will take place to an organization or a country unless there are adequate controls in place including the security of your data and other Personal Information.
​
13. Disclosure of Data
We may disclose your Personal Information to the following categories of third parties:
​
- Healthcare-Related Purposes. We may share your Personal Information with other covered entities that participate in your treatment, handle payment, or provide services related to healthcare operations. We may facilitate and assist in the preparation, submission, management, processing, and collection of claims for payment or reimbursement by the Medical Group, which may involve accessing and disclosing your Personal Information or Protected Health Information (PHI).
- Business Associates. We may provide Personal Information or Protected Health Information (PHI) to business associates engaged to assist with healthcare operations or to jointly offer products or services. These associates are obligated to follow the privacy and security requirements set forth under HIPAA.
- Advertising Partners. On our Platform, we may permit third-party advertising partners to use tracking technologies (e.g., to collect your IP address, mobile identifiers, pages visited, location, time of day) in order to enhance advertising. This practice is often referred to as “interest-based advertising” or “online behavioral advertising.” We may also permit access to certain other data gathered through these technologies to share content that may be useful, relevant, or otherwise of interest to you. If you are a California resident and prefer not to share your Personal Information with third-party advertising partners, you can request to opt out by contacting us as described in Section 16 of this Policy.
- Disclosures for Protection. We may access, retain, and reveal any information associated with you to external parties if we or our service providers, acting in good faith, believe it is necessary or appropriate to comply with law enforcement, national security requests, court orders, or subpoenas; protect your rights, our rights, or the rights of others (including property and safety); enforce our policies or agreements; collect fees owed to us; or assist in investigations or prosecutions of actual or suspected illegal acts. This list is not exhaustive, and we may disclose information in other circumstances when it is legally permissible or necessary.
- Disclosure in the Event of Business Transactions. If we become involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or a similar transaction, your information may be sold or transferred as a permitted part of the process.
​
14. Security of Data
The security of your data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.
​​
15. Your Data Protection Rights under the California Privacy Protection Act (CalOPPA)
CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require a person or company in the United States (and conceivably the world) that operates websites collecting personally identifiable information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals with whom it is being shared and to comply with this policy.
​
According to CalOPPA, we agree to the following:
​
- users can visit our site anonymously;
- our Privacy Policy link includes the word “Privacy”, and can easily be found on the page specified above on the home page of our website;
- users will be notified of any privacy policy changes on our Privacy Policy Page;
- users are able to change their Personal Information by emailing us at hello@legion.health.

Our Policy on “Do Not Track” Signals:
We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place. Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.
You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.
​
16. Your Data Protection Rights under the California Consumer Privacy Act (CCPA)
If you are a California resident, you are entitled to learn what data we collect about you, ask to delete your data, and not to sell (share) it. To exercise your data protection rights, you can make certain requests and ask us:
​
- What Personal Information we have about you. If you make this request, we will return to you:
  - The categories of Personal Information we have collected about you.
  - The categories of sources from which we collect your Personal Information.
  - The business or commercial purpose for collecting or selling your Personal Information.
  - The categories of third parties with whom we share Personal Information.
  - The specific pieces of Personal Information we have collected about you.
  - A list of categories of Personal Information that we have sold, along with the category of any other company we sold it to. If we have not sold your Personal Information, we will inform you of that fact.
  - A list of categories of Personal Information that we have disclosed for a business purpose, along with the category of any other company we shared it with.

  Please note, you are entitled to ask us to provide you with this information up to two times in a rolling twelve-month period. When you make this request, the information provided may be limited to the Personal Information we collected about you in the previous 12 months.
- To delete your Personal Information. If you make this request, we will delete the Personal Information we hold about you as of the date of your request from our records and direct any service providers to do the same. In some cases, deletion may be accomplished through de-identification of the information. If you choose to delete your Personal Information, you may not be able to use certain functions that require your Personal Information to operate.
- To stop selling your Personal Information. If you submit a request to stop selling your Personal Information, we will stop selling it. If you are a California resident, to opt-out of the sale of your Personal Information, click “Do Not Sell My Personal Information” at the bottom of our home page to submit your request.

Please note, if you ask us to delete or stop selling your data, it may impact your experience with us, and you may not be able to participate in certain programs or membership services which require the usage of your Personal Information to function. But under no circumstances will we discriminate against you for exercising your rights.
To exercise your California data protection rights described above, please send your request(s) by one of the following means:
- By email: hello@legion.health
- By visiting this page on our website: https://legion.health

Your data protection rights, described above, are covered by the CCPA, short for the California Consumer Privacy Act. To find out more, visit the official California Legislative Information website. The CCPA took effect on 01/01/2020.
​
17. Analytics
We may use third-party Service Providers to monitor and analyze the use of our Service.
- Google Analytics
  Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
  For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en
  We also encourage you to review Google's policy for safeguarding your data: https://support.google.com/analytics/answer/6004245.
- Segment.io
  Segment.io is a web traffic analysis tool. You can read the Privacy Policy for Segment.io here: https://segment.com/legal/privacy/.
- Mixpanel
  Mixpanel is provided by Mixpanel Inc.
  You can prevent Mixpanel from using your information for analytics purposes by opting-out. To opt-out of Mixpanel service, please visit this page: https://mixpanel.com/optout/
  For more information on what type of information Mixpanel collects, please visit the Terms of Use page of Mixpanel: https://mixpanel.com/terms/
- PostHog
  PostHog is a product analytics platform built for the modern enterprise, with the differentiators of being open source and having a broader view of the tools needed to make a product successful.
  For more information about PostHog, please visit their Privacy Policy: https://posthog.com/privacy
​
18. CI/CD tools
We may use third-party Service Providers to automate the development process of our Service.
- GitHub
  GitHub is provided by GitHub, Inc.
  GitHub is a development platform to host and review code, manage projects, and build software.
  For more information on what data GitHub collects for what purpose and how the protection of the data is ensured, please visit the GitHub Privacy Policy page: https://help.github.com/en/articles/github-privacy-statement.
​
19. Behavioral Remarketing
We use remarketing services to advertise on third-party websites to you after you visit our Service. We and our third-party vendors use cookies to inform, optimize, and serve ads based on your past visits to our Service.
- Google Ads (AdWords)
  Google Ads (AdWords) remarketing service is provided by Google Inc.
  You can opt out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads
  Google also recommends installing the Google Analytics Opt-out Browser Add-on – https://tools.google.com/dlpage/gaoptout – for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.
  For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en
- Bing Ads Remarketing
  Bing Ads remarketing service is provided by Microsoft Inc.
  You can opt out of Bing Ads interest-based ads by following their instructions: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads
  You can learn more about the privacy practices and policies of Microsoft by visiting their Privacy Policy page: https://privacy.microsoft.com/en-us/PrivacyStatement.
- X
  X remarketing service is provided by X Corp.
  You can opt out of X’s interest-based ads by following their instructions: https://help.x.com/en/safety-and-security/privacy-controls-for-tailored-ads
  You can learn more about the privacy practices and policies of Twitter by visiting their Privacy Policy page: https://x.com/en/privacy
- Facebook
  Facebook remarketing service is provided by Facebook Inc.
  You can learn more about interest-based advertising from Facebook by visiting this page: https://www.facebook.com/help/164968693837950
  To opt out from Facebook's interest-based ads, follow these instructions from Facebook: https://www.facebook.com/help/568137493302217
  Facebook adheres to the Self-Regulatory Principles for Online Behavioural Advertising established by the Digital Advertising Alliance. You can also opt-out from Facebook and other participating companies through the Digital Advertising Alliance in the USA http://www.aboutads.info/choices/, the Digital Advertising Alliance of Canada in Canada http://youradchoices.ca/ or the European Interactive Digital Advertising Alliance in Europe http://www.youronlinechoices.eu/, or opt-out using your mobile device settings.
  For more information on the privacy practices of Facebook, please visit Facebook's Data Policy: https://www.facebook.com/privacy/explanation.
​
20. Payments
We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g. payment processors).
We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your Personal Information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express, and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
The payment processors we work with are:
- Stripe: Their Privacy Policy can be viewed at: https://stripe.com/us/privacy.
​​
21. Links to Other Sites
Our Service may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third-party's site. We strongly advise you to review the Privacy Policy of every site you visit.
​
We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
​
22. Children's Privacy
Our Services are not intended for use by children under the age of 18 (“Child” or “Children”).
We do not knowingly collect personally identifiable information from Children under 18. If you become aware that a Child has provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from Children without verification of parental consent, we take steps to remove that information from our servers.
​
23. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.
We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective, and update the “effective date” at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

24. Non-U.S. Users
We only offer services to U.S. residents. If you are not a U.S. resident you may not use our services.
​
25. Contact Us
If you have any questions about this Privacy Policy, please contact us:
​
- By email: hello@legion.health
- By mail at 801 Barton Springs, 9th Floor, Austin, TX 78704
- By visiting this page on our website: https://legion.health