Privacy Policy

1. Introduction

Hayling LLC, doing business as Hayling Health (“Hayling Health,” “we,” “us,” or “our”), operates the website located at haylinghealth.com and related services (collectively, the “Service”). Hayling Health is a technology and services platform incorporated in the State of Washington. We are not a medical provider, pharmacy, or insurance company. Clinical evaluations and prescriptions are provided by independently licensed healthcare professionals. Medications are compounded and dispensed by independently licensed pharmacies.

This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you visit our website, submit forms, communicate with us, or use any part of our Service. It also explains your rights regarding your information and how to exercise those rights.

By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.

2. Scope of This Policy

This Privacy Policy applies to information collected through:

• our website at haylinghealth.com and all subdomains and microsites (including haylinghealth.com/m/cognitive-performance);
• forms submitted through our website (including evaluation requests and waitlist signups);
• communications with us via email, chat, or other channels; and
• interactions with our advertising and marketing communications.

This Privacy Policy does not apply to:

• information collected directly by our clinical partners, including but not limited to CareValidate, independently licensed healthcare providers, or compounding pharmacies, each of which maintains its own privacy practices and, where applicable, HIPAA-compliant Notice of Privacy Practices;
• third-party websites linked from our Service; or
• information collected by third-party advertising platforms prior to your arrival at our website.

If you proceed to a clinical evaluation or receive medical services through our platform, your health information will be governed by the Notice of Privacy Practices provided by the clinical entity delivering your care. We encourage you to review that notice carefully.

3. Information We Collect

3.1 Information You Provide Directly

When you interact with our Service, you may provide:

• contact information such as first name and email address (submitted through our evaluation request forms);
• information you include in emails, chat messages, or other communications you send to us; and
• responses to intake questionnaires or interest surveys, if offered.

3.2 Information Collected Automatically

When you visit our website, we automatically collect certain technical information, including:

• device type, operating system, browser type and version, screen resolution, and language preferences;
• pages visited, time spent on pages, click patterns, scroll depth, referring URLs, and exit pages;
• IP address (which may indicate approximate geographic location) and internet service provider; and
• information collected through cookies, pixels, and similar tracking technologies as described in Section 9.

3.3 Information from Third Parties

We may receive information about you from:

• Analytics Providers: PostHog provides usage data about how visitors interact with our website. PostHog is not an advertising platform and does not share data with ad networks.
• Vercel, our hosting provider, which processes server logs that may include IP addresses and request metadata; and
• advertising platforms, which may share limited information such as the campaign or ad that directed you to our site.

3.4 Information We Do Not Collect on This Website

Our marketing website (haylinghealth.com) does not collect:

• Social Security numbers, government-issued identification numbers, or financial account information;
• Protected Health Information (PHI) as defined by HIPAA;
• biometric data; or
• precise geolocation data.

If you proceed to a clinical evaluation, health-related information will be collected by our clinical partners in accordance with HIPAA and their own privacy practices — not through this website.

4. How We Use Your Information

Legal Bases for Processing:

We use the information we collect for the following purposes:

To Provide and Operate Our Service

• To process your evaluation request and connect you with licensed clinical providers;
• to communicate with you about your request, including confirmations and follow-ups;
• to respond to your inquiries and provide customer support.

To Improve Our Service

• To analyze website usage patterns and optimize our content, layout, and user experience;
• to diagnose and fix technical issues;
• to conduct internal research and analytics.

To Market Our Service

• To send you marketing communications if you have opted in or if permitted by applicable law;
• to deliver targeted advertising through third-party platforms;
• to measure the effectiveness of our marketing campaigns.

To Comply with Legal Obligations

• To comply with applicable laws, regulations, and legal processes;
• to respond to lawful requests from government authorities;
• to protect our rights, property, or safety, or the rights, property, or safety of others.

To Enforce Our Policies

• To enforce our Terms of Service and other agreements;
• to detect, prevent, and address fraud, security issues, or technical problems.

5. How We Share Your Information

We do not sell your personal information. We do not sell consumer health data. We share your information only in the following circumstances:

5.1 Service Providers and Business Partners

Each service provider is contractually obligated to use your information only for the purposes for which it was shared and to maintain appropriate security measures. Where applicable, we maintain Data Processing Agreements or Business Associate Agreements with these providers.

As we finalize our CRM and email marketing vendor selections, this table will be updated with the specific provider names. We will not share your data with a CRM or email provider without updating this disclosure.

5.2 Clinical Partners

If you proceed beyond the initial evaluation request, your information will be shared with independently licensed healthcare providers and compounding pharmacies for the purpose of clinical evaluation, treatment, and medication fulfillment. At that point, your information becomes subject to the clinical entity's Notice of Privacy Practices under HIPAA.

5.3 Legal Requirements

We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to:

• comply with a legal obligation, subpoena, court order, or other legal process;
• protect and defend the rights or property of Hayling LLC;
• prevent or investigate possible wrongdoing in connection with the Service; or
• protect the personal safety of users of the Service or the public.

5.4 Business Transfers

If Hayling LLC is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information.

5.5 With Your Consent

We may share your information with other third parties when we have your explicit consent to do so.

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

• Evaluation request data (name, email): Retained for up to 24 months from the date of submission, unless you request earlier deletion.
• Website analytics data:Retained in accordance with our analytics provider's default retention settings (PostHog).
• Marketing communications data: Retained until you unsubscribe or request deletion.
• Server logs: Retained by our hosting provider (Vercel) in accordance with their data retention policies.

Upon receiving a verified deletion request, we will delete the requested data from our active systems and, within a commercially reasonable timeframe, from archives and backups. We will also notify all third-party service providers and processors who received your data and direct them to honor the deletion request in accordance with applicable law, including the Washington My Health My Data Act where applicable.

7. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:

• encryption of data in transit using TLS/SSL;
• access controls limiting who within our organization can access personal information;
• regular review of our data collection, storage, and processing practices; and
• selection of service providers that maintain appropriate security certifications (e.g., SOC 2 compliance).

However, no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security.

8. Breach Notification

In the event of a breach of unsecured personally identifiable information, we will notify affected individuals in accordance with applicable federal and state laws, including:

• FTC Health Breach Notification Rule (HBNR): If we experience an unauthorized acquisition or disclosure of individually identifiable health information that is not secured, we will notify affected individuals, the Federal Trade Commission, and, if more than 500 individuals are affected, prominent media outlets, within 60 calendar days of discovering the breach.
• Washington State (RCW 19.255.010): We will notify affected Washington residents without unreasonable delay, and in no event later than 30 days after discovery of a breach involving personal information.
• California (Cal. Civ. Code § 1798.82): We will notify affected California residents in the most expedient time possible and without unreasonable delay.

Breach notifications will describe the nature of the breach, the types of information involved, steps we are taking in response, and contact information for further inquiries.

9. Cookies and Tracking Technologies

9.1 What We Use

Our website uses the following cookies and tracking technologies:

Strictly Necessary Cookies: These cookies are essential for the website to function and cannot be switched off. They are typically set in response to actions you take, such as setting your privacy preferences or filling in forms.

Analytics Cookies (PostHog):We use PostHog to understand how visitors interact with our website. PostHog may use cookies or similar technologies to collect information about your use of our website, including pages visited, click patterns, scroll depth, time on site, and referring URL. PostHog is a product analytics platform — it is not an advertising network and does not use your data for advertising purposes.

Notice regarding health-related pages: When you visit pages on our website that relate to specific health topics (such as our cognitive performance or peptide therapy pages), the URL of that page is recorded by our analytics platform as part of standard usage tracking. Unlike advertising-network-based analytics tools, PostHog does not share this data with third-party advertisers. We use this data solely to improve our website and services. If you prefer not to be tracked, you can disable cookies in your browser settings. We honor Do Not Track browser signals where technically supported by our analytics configuration.

Advertising Conversion Tracking:If you arrive at our website through a Google search advertisement, a Google click identifier (gclid) may be stored as a first-party cookie on your device. This identifier is used solely to measure whether our advertising led to a form submission. We transmit only the click identifier and a conversion signal to Google — we do not transmit page URLs, health-related information, your name, your email address, or any other personal information to Google for advertising purposes. We do not use Google remarketing, retargeting, or audience-building tools on our health-related pages.

Similarly, if you arrive at our website through a Meta (Facebook or Instagram) advertisement, a Meta click identifier (fbclid) may be stored as a first-party cookie on your device. This identifier is used solely to measure whether our advertising led to a form submission. We transmit only the click identifier and a conversion signal to Meta — we do not transmit page URLs, health-related information, your name, your email address, or any other personal information to Meta for advertising purposes. We do not use Meta Pixel, Meta remarketing, or Meta audience-building tools on our health-related pages. We do not upload customer email lists to Meta for Custom Audience creation.

Performance Cookies (Vercel Analytics): Vercel, our hosting provider, may collect anonymized performance and usage metrics (such as page load times and web vitals) to help us monitor site performance.

9.2 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all cookies, accept only certain cookies, or notify you when a cookie is set. Note that disabling cookies may affect the functionality of our website.

9.3 Do Not Track

Some browsers offer a “Do Not Track” (DNT) signal. We honor DNT signals where technically supported by our analytics configuration. You may also opt out of analytics tracking by disabling cookies in your browser settings.

10. Use of Artificial Intelligence

Hayling Health utilizes artificial intelligence (AI) technologies in certain administrative and operational functions, including but not limited to:

• generation and optimization of marketing content and website copy;
• administrative workflow automation; and
• customer communications support.

In compliance with California Assembly Bill 489 (effective January 1, 2026):

AI systems used by Hayling Health do not provide medical advice, clinical diagnoses, or treatment recommendations. All clinical decisions — including patient evaluations, prescribing, and treatment plan design — are made by independently licensed healthcare providers. Our AI systems do not represent themselves as, or imply that they are, licensed healthcare professionals.

If you interact with an automated system on our platform (such as a chatbot or automated email), the system will identify itself as automated. No AI system on our platform uses titles, credentials, or language that implies human medical licensure.

11. Your Privacy Rights

11.1 Rights for All Users

Regardless of where you are located, you may:

• request access to the personal information we hold about you;
• request correction of inaccurate personal information;
• request deletion of your personal information, subject to certain legal exceptions;
• opt out of marketing communications by clicking the “unsubscribe” link in any marketing email or by contacting us at privacy@haylinghealth.com; and
• withdraw consent where we rely on consent as the basis for processing your information.

To exercise any of these rights, contact us at privacy@haylinghealth.com. We will respond to verifiable requests within the following timeframes:

• Washington residents (MHMDA): within 45 days of receipt;
• California residents (CCPA/CPRA): within 45 days of receipt, with a possible 45-day extension upon notice;
• All other users: within 30 days of receipt.

Authorized Agents: You may designate an authorized agent to submit a privacy request on your behalf. To do so, provide us with written authorization signed by you or a power of attorney. We may contact you directly to verify your identity and confirm the request. Authorized agent requests should be sent to privacy@haylinghealth.comwith the subject line “Authorized Agent Request.”

11.2 California Residents — CCPA/CPRA Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your information was collected, our business purpose for collecting your information, and the categories of third parties with whom we share your information.
• Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to Opt Out of Sale or Sharing: We do not sell your personal information. If we share personal information with third parties for cross-context behavioral advertising, you have the right to opt out.
• Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA on our marketing website.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact us at privacy@haylinghealth.com or submit a request through our website. We may need to verify your identity before fulfilling your request.

California “Shine the Light” Law: California Civil Code Section 1798.83 permits California residents to request information regarding the disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

11.3 Washington State Residents — My Health My Data Act

If you are a Washington state resident, you have additional rights under the Washington My Health My Data Act (RCW 19.373), effective March 31, 2024:

• Right to Consent: We will obtain your consent before collecting, sharing, or selling consumer health data, unless an exemption applies.
• Right to Access: You have the right to confirm whether we are collecting, sharing, or selling consumer health data concerning you and to access such data, including a list of all third parties and affiliates who have received your individual data with their contact information.
• Right to Withdrawal: You have the right to withdraw your consent to the collection and sharing of consumer health data at any time.
• Right to Deletion: You have the right to request deletion of consumer health data concerning you. Upon receiving a verified request, we will delete the data from our active systems and, within a commercially reasonable timeframe, from archives and backups, and will notify all third parties who received your data to honor the deletion.

Consumer Health Data and Our Website:While our marketing website does not collect traditional health records, we recognize that information about your visit to health-specific pages (such as pages about peptide therapy or cognitive performance), combined with form submissions expressing interest in medical treatment, may constitute consumer health data under the MHMDA's broad definition. We treat this data with the care required by the Act.

We do not sell consumer health data. We do not share consumer health data for advertising purposes. If we ever change this practice, we will obtain a separate, signed authorization from you before any sale occurs, as required by the MHMDA.

Geofencing: We do not use geofencing technology around healthcare providers, clinics, hospitals, or other medical facilities to identify, track, collect data from, or send notifications to consumers. This prohibition applies to all of our marketing and advertising activities.

For a complete description of our consumer health data practices, please see our Consumer Health Data Privacy Policy.

11.4 Other State Privacy Rights

Residents of states with comprehensive privacy laws (including but not limited to Colorado, Connecticut, Virginia, Montana, Oregon, Texas, and other states with laws effective in 2025–2026) may have similar rights to access, delete, and correct personal information, and to opt out of certain processing activities. To exercise any applicable rights, contact us at privacy@haylinghealth.com.

12. HIPAA and Protected Health Information

Hayling Health operates as a Management Services Organization (MSO). We provide technology, marketing, and administrative services. We are not a HIPAA-covered entity and do not directly collect, store, or process Protected Health Information (PHI) through our marketing website.

If you proceed to a clinical evaluation or receive medical services through our platform, your Protected Health Information will be collected and maintained by our clinical partners — independently licensed healthcare providers and compounding pharmacies — who are HIPAA-covered entities. These entities are required to provide you with their own Notice of Privacy Practices that describes how they use and disclose your PHI.

Our clinical infrastructure partner, CareValidate, maintains HIPAA-compliant systems, including SOC 2 certification and appropriate Business Associate Agreements with all entities in the care delivery chain.

If you have questions about how your health information is handled during clinical care, please contact the clinical provider directly or reach out to us at privacy@haylinghealth.com and we will direct you to the appropriate entity.

13. Children's Privacy

Our Service is intended for adults aged 18 and older. Peptide therapy requires a physician's prescription and is not appropriate for minors. We do not knowingly collect personal information from anyone under the age of 18.

If you are a parent or guardian and you believe your child under 18 has provided us with personal information, please contact us at privacy@haylinghealth.com. If we become aware that we have collected personal information from a person under 18 without verification of parental consent, we will take steps to delete that information promptly.

14. Third-Party Links

Our Service may contain links to third-party websites or services that are not operated by us, including but not limited to our clinical partners' platforms, social media pages, and educational resources. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policies of every site you visit.

15. International Users

Our Service is operated in the United States and is intended for users located in the United States. If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your country of residence.

By using our Service, you consent to the transfer of your information to the United States. We do not currently offer services to individuals in the European Economic Area (EEA), the United Kingdom, or other jurisdictions subject to the General Data Protection Regulation (GDPR). If this changes, we will update this policy accordingly.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• update the “Last Updated” date at the top of this policy;
• post a notice on our website; and
• where required by applicable law, notify you by email.

We encourage you to review this Privacy Policy periodically. Your continued use of our Service after any changes constitutes your acceptance of the updated policy.

17. Contact Us

If you have any questions about this Privacy Policy, your privacy rights, or our data practices, please contact us:

Hayling LLC (d/b/a Hayling Health)
Email: privacy@haylinghealth.com
Website: haylinghealth.com
State of Incorporation: Washington, United States

For requests related to your clinical care or Protected Health Information, we will direct you to the appropriate clinical partner.

This Privacy Policy was last reviewed and updated on April 15, 2026.