Who we are and our roles
neolife provides fulfillment infrastructure for telehealth. Clinics use our software to send compounded-prescription orders to their own compounding pharmacy, a licensed provider approves every order, the pharmacy fills it, and tracking flows back. We sit on top of the systems clinics and pharmacies already use. We do not prescribe, we do not dispense, and we do not operate a pharmacy.
For data privacy purposes we wear two different hats, and it matters which one applies to a given piece of information:
- Controller / business. For information about our website visitors and the people at the clinics and pharmacies who hold neolife accounts, we decide why and how the data is processed. We are the controller (GDPR) and a business (California law). That information is the subject of this policy.
- Business Associate / processor. When our platform handles protected health information (PHI) on behalf of a clinic or pharmacy, we act as a HIPAA Business Associate and, under GDPR, as a processor following the customer’s instructions. That handling is governed by our Business Associate Agreement (BAA) and Data Processing Agreement (DPA) with the customer, not by this policy.
The legal entity responsible for the website and account data described here is NeoLife Inc., a Wyoming corporation operating the neolife platform. References to “neolife,” “we,” “us,” and “our” mean that entity.
What this policy covers
This policy applies to neolife.health and our other marketing pages, to demo requests and sales conversations, and to the business and account data we hold about customers and prospects. It is the policy for people who run, evaluate, or buy our infrastructure.
This policy does not cover patient health information processed inside the fulfillment platform. If you are a patient of a clinic that uses neolife, your information is handled under that clinic’s privacy practices and our BAA with them. See Patient health information below, and our HIPAA Notice.
Data we collect
We try to collect as little as we can. On the marketing site specifically, we do not collect patient PHI — there is no patient intake, no diagnosis, and no prescription data on this website.
Account and business contact information
- Name, work email, phone number, job title, and the organization you represent.
- Account credentials and authentication details for users of our platform.
- Records of demo requests, sales correspondence, support tickets, and contract and billing details with customers.
Usage and device information
- Pages viewed, links followed, referring URL, approximate location derived from IP address, and timestamps.
- Browser type, operating system, device type, and similar technical details sent automatically by your browser.
- Server logs and security telemetry used to keep the site and platform safe.
Cookies and similar technologies
We use a small set of cookies and local storage. We explain these in Cookies and in our Cookie Policy.
What we do not collect here
We do not collect patient names, conditions, medications, or any other PHI on the marketing site. We do not ask website visitors for health information, and we do not want it. If you send us health details unprompted (for example, in a contact form), please don’t — and we will delete it.
How and why we use data
We use the information above to:
- Run, secure, and improve this website and our platform.
- Respond to demo requests, questions, and support tickets.
- Provision and administer customer accounts, billing, and contracts.
- Send service messages and, where permitted, relevant updates about neolife. You can opt out of marketing email at any time.
- Understand which pages are useful in aggregate, so we can write clearer copy and fix what’s broken.
- Detect, prevent, and investigate fraud, abuse, and security incidents.
- Comply with our legal, tax, and regulatory obligations.
We do not use website or account data to make automated decisions that produce legal or similarly significant effects about you, and we do not sell personal information.
Legal bases (GDPR)
For people in the EEA and the UK, we rely on the following legal bases under Article 6 of the GDPR:
| Purpose | Legal basis |
|---|---|
| Providing the platform and account management to customers | Performance of a contract (Art. 6(1)(b)) |
| Responding to demo requests and inquiries | Steps before a contract / legitimate interests (Art. 6(1)(b), 6(1)(f)) |
| Securing the site, preventing fraud, and aggregate analytics | Legitimate interests (Art. 6(1)(f)) |
| Non-essential cookies and marketing email | Consent (Art. 6(1)(a)) |
| Meeting legal, tax, and regulatory duties | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms. Where we rely on consent, you can withdraw it at any time without affecting processing that already happened.
Patient health information
PHI is handled under HIPAA, not under this policy. When a clinic or pharmacy uses neolife to fulfill orders, that organization is the HIPAA covered entity and we are its Business Associate. Our handling of PHI is defined by the BAA we sign with that organization, which limits how we may use and disclose PHI, requires safeguards, and obligates us to report incidents.
A licensed provider approves every order. Always. We are infrastructure between a clinic and its compounding pharmacy; we do not make clinical decisions and we do not dispense medication.
For details on how PHI is protected, see our HIPAA Notice. If you are a patient with a question about your own records, please contact the clinic that treats you — they are the controller of that information.
Tracking technologies
We are deliberately conservative about tracking, because the U.S. Department of Health and Human Services Office for Civil Rights made clear in its December 2022 guidance (and the updated guidance that followed) that third-party tracking technologies on health-related pages can disclose protected health information to ad-tech vendors and create HIPAA liability.
Our position, in plain terms:
- No analytics or marketing tags on health-context pages. Any page or surface that touches a patient’s relationship with a clinic or pharmacy runs without third-party advertising pixels, marketing tags, or behavioral analytics.
- No selling or sharing for cross-context advertising. We do not send identifiers to ad networks to build profiles for targeted advertising.
- Limited, first-party measurement on the marketing site only. Where we measure traffic on these public pages, we favor privacy-preserving, first-party methods and avoid sending data to third parties for their own purposes.
We honor recognized opt-out signals such as Global Privacy Control (GPC) where our systems can detect them.
International transfers
neolife operates in the United States, and our service providers may process data there and in other countries. When we transfer personal data out of the EEA, the UK, or Switzerland, we use appropriate safeguards — principally the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary measures where needed — so the data keeps an equivalent level of protection. You can request a copy of the relevant safeguard by emailing the address below.
Retention
We keep personal information only as long as we need it for the purposes in this policy, then delete or anonymize it. In practice:
- Demo and inquiry records: kept while we follow up, then for a limited period.
- Account and contract data: kept for the life of the relationship plus the period required by law, tax, and audit obligations.
- Server and security logs: kept on a short, rolling basis.
Retention of PHI is governed by the applicable BAA and the customer’s instructions, not by this section.
Security
We protect information with administrative, technical, and physical safeguards appropriate to its sensitivity — including encryption in transit and at rest, access controls and least-privilege permissions, logging and monitoring, and regular review of our vendors. No system is perfectly secure, but security is a standing part of how we build and operate, not an afterthought.
Your rights
Depending on where you live, you have rights over your personal information. For people in the EEA and the UK, these include the rights to:
- Access the personal data we hold about you and get a copy.
- Correct inaccurate or incomplete data.
- Erase data in certain circumstances.
- Restrict or object to certain processing, including direct marketing.
- Portability — receive certain data in a structured, machine-readable format and have it transmitted to another controller.
- Withdraw consent at any time where we rely on it.
- Lodge a complaint with your local supervisory authority.
To exercise any of these, email [email protected]. We will verify your identity before acting and respond within the time the law requires. If your request concerns PHI held on a customer’s behalf, we will direct it to that customer, who is the controller.
California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the rights to know what personal information we collect and how we use it, to access and delete it, to correct inaccuracies, and to limit the use of sensitive personal information.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California law. Because we do not sell or share, there is nothing to opt out of on that basis — but we still honor Global Privacy Control signals as a do-not-sell/share request. We will not discriminate against you for exercising any right.
To make a request, email [email protected]. You may use an authorized agent, and we will verify the request before acting.
Children
This website and our services are for businesses and their staff. They are not directed to children, and we do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us information, contact us and we will delete it.
Changes to this policy
We may update this policy as our practices, technology, or the law change. When we do, we will revise the date at the top and, for material changes, give a more prominent notice. This policy is provided for transparency and may be updated from time to time.
Contact
Questions, requests, or complaints about privacy go to our Data Protection Officer at [email protected]. If you are in the EEA or the UK, you may also reach our EU/UK representative at the same address; ask for the representative and we will route your message accordingly.