Privacy Policy

Last Updated: April 1, 2025
Effective Date: April 1, 2025

1. Scope and Applicability

This Privacy Policy applies to all users of Testosterone.tools regardless of geographic location and governs our collection, processing, and protection of personal information, including Protected Health Information (PHI) under HIPAA.

Testosterone.tools is not a Covered Entity under HIPAA and does not act as a Business Associate except in cases where a formal agreement is executed. Where required, HIPAA-compliant standards are applied voluntarily or contractually (e.g., under Business Associate Agreements).

2. Information Collection

2.1 Personal Information Categories

  • Account Data: Name, email, payment information, authentication credentials
  • Health Data/PHI: Blood work results, symptoms, medication protocols, body measurements
  • Usage Data: Device information, IP addresses, feature interactions, session data
  • Communication Data: Support inquiries, feedback, correspondence
  • Biometric Information: User-entered health metrics and physiological data
  • Personal Information: We do not collect government identifiers (e.g., Social Security Numbers, driver's license numbers) unless explicitly required for identity verification or legal compliance.

2.2 Automatic Collection

We automatically collect technical data through cookies, analytics tools, and similar technologies as detailed in our Cookie Policy.

2.3 Age Verification

We implement reasonable age verification measures, including requiring date of birth during registration, to prevent collection from individuals under 18.

3. Lawful Basis for Processing

3.1 Processing Grounds

We process personal information based on:

  • Consent: For marketing communications, optional features, and sensitive health data processing
  • Contract Performance: To provide App services the User has requested
  • Legitimate Interests: For fraud prevention, security, and service improvement
  • Legal Compliance: To satisfy regulatory requirements including HIPAA, FDA, and DEA regulations

3.2 Sensitive Data

Health data processing is based on explicit consent under GDPR Article 9(2)(a), HIPAA authorization, and similar provisions in other privacy laws.

Where consent is not required by law, we may rely on legitimate interest or contract necessity as the lawful basis for processing.

Where consent is relied upon, users may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

4. Data Use and Purpose Limitation

4.1 Primary Uses

  • Providing and maintaining App functionality
  • Processing payments and managing accounts
  • Communicating service updates and support
  • Ensuring security and preventing fraud
  • Complying with healthcare regulations

4.2 Secondary Uses

  • Analytics and Improvement: Analyzing usage patterns to enhance user experience
  • Research and Development: Developing new features using anonymized data
  • AI/ML Training: Anonymized data may be used to train machine learning models for predictive features. No identifiable or linkable data is used for this purpose unless explicit user consent is obtained. Anonymized data is stripped of all direct and indirect identifiers, aggregated, and tested for re-identification risk before inclusion in any training dataset.

4.3 Purpose Limitation

We do not use personal data for purposes incompatible with those disclosed at collection without obtaining additional consent. We do not use identifiable health data for targeted advertising or cross-context behavioral profiling.

5. Data Sharing and Disclosure

5.1 Service Providers

We share data with vetted third-party processors under strict Business Associate Agreements (BAAs) and data processing agreements ensuring equivalent protection standards. All third-party recipients of PHI or sensitive health data are contractually prohibited from re-identification, secondary use, or sale of such data.

5.2 Legal Requirements

Disclosure may occur when required by valid legal process, court orders, or to protect legal rights. We contest overly broad, vague, or inappropriate legal demands to the fullest extent permitted by law.

5.3 Anonymized Data

Properly anonymized data (processed through NIST-compliant anonymization techniques) may be shared for research, benchmarking, or commercial purposes without restriction. De-identification follows standards set forth by NIST and, where applicable, the HIPAA Safe Harbor or Expert Determination methods.

5.4 No Health Data Sales

We do not sell, rent, or license user-generated identified health data or PHI to third parties for marketing purposes.

6. International Transfers

6.1 Transfer Mechanisms

International transfers rely on adequacy decisions, Standard Contractual Clauses, or other mechanisms approved under applicable laws, including GDPR, UK GDPR, Canada's PIPEDA, and Australia's Privacy Act. We maintain data processing records and conduct transfer impact assessments (TIAs) to ensure equivalent protection, including where required by the European Data Protection Board's recommendations.

6.2 Safeguards

All international transfers include appropriate technical and organizational safeguards to protect personal data. Where adequacy decisions or SCCs are invalidated or in flux, we will rely on user consent or other lawful alternatives permitted by applicable law.

7. Data Security

7.1 Technical Measures

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • Multi-factor authentication options
  • Regular security audits and penetration testing
  • Access controls and monitoring systems
  • HIPAA-compliant security safeguards are implemented where PHI is collected or processed under a valid legal basis or BAA.

7.2 Organizational Measures

  • Employee privacy training and confidentiality agreements
  • Incident response procedures
  • Regular security policy updates
  • Third-party security assessments
  • Business Associate Agreements for PHI handling

8. Data Retention

8.1 Retention Periods

  • Account Data: Retained while account is active plus 7 years for legal compliance
  • Health Data/PHI: Retained as directed by the User, or in accordance with HIPAA retention standards where applicable
  • Usage Data: Retained for 2 years unless longer retention is legally required
  • Anonymized Data: May be retained indefinitely

8.2 Deletion Procedures

Upon account deletion or user request, personal data is securely deleted within specified time frames unless legal retention is required under HIPAA or other applicable laws.

9. Individual Rights

9.1 Universal Rights

All users may:

  • Access their personal data
  • Correct inaccurate information
  • Request data deletion (subject to legal exceptions)
  • Receive their data in a structured, portable format

9.2 EU/UK Rights (GDPR/UK GDPR)

  • Right to object to processing
  • Right to restrict processing
  • Right to withdraw consent
  • Right to lodge complaints with supervisory authorities

9.3 California Rights (CCPA/CPRA)

  • Right to know categories and sources of personal information
  • Right to delete personal information
  • Right to opt-out of sales/sharing
  • Right to non-discrimination
  • Right to correct inaccurate information

9.4 Rights Exercise

Contact support@testosterone.tools to exercise rights. We may request identification documents or use secure identity verification tools to authenticate rights requests. We will verify identity and respond to verifiable requests within the timeframes required by applicable data protection laws. If we are unable to verify a requester's identity with reasonable certainty, we will deny the request and notify the requester of the basis for denial.

10. California Consumer Privacy Notice

10.1 Information Categories Collected

We collect: (a) Identifiers (e.g., name, email, IP address); (b) Personal information categories listed in Cal. Civ. Code § 1798.80(e) (e.g., payment information); (c) Biometric information (e.g., user-entered health metrics); (d) Internet activity (e.g., usage logs); (e) Sensitive personal information (e.g., health data, medication protocols).

10.2 Business Purposes

Collected data is used for: (a) providing App services; (b) ensuring security; (c) improving functionality; (d) complying with legal obligations; (e) conducting anonymized research.

10.3 Third-Party Sharing

We share data only with service providers under contract, for legal compliance, or as anonymized data for research purposes. We do not sell personal information.

11. Cookies and Tracking

11.1 Cookie Types

  • Essential: Required for basic functionality
  • Analytics: Understanding usage patterns (opt-out available)
  • Functional: Enhancing user experience
  • Marketing: Delivering relevant communications (consent-based)

11.2 Cookie Management

Users can manage cookie preferences through browser settings or our cookie preference center. Essential cookies cannot be disabled, as they are required for App functionality.

12. Minors' Privacy

We do not knowingly collect data from individuals under 18. We implement reasonable age verification measures, and if we become aware that data has been collected from a minor, we will delete the information and, if required, notify the parent or legal guardian. For jurisdictions requiring parental consent (e.g., COPPA), we obtain verifiable consent before processing. If you believe we have unintentionally collected data from a minor, please contact us immediately and we will take prompt steps to delete the information and notify any required authorities.

13. Breach Notification

13.1 User Notification

In the event of a data breach, we will notify affected Users via email as soon as practicable, in compliance with applicable laws, including GDPR's 72-hour requirement where feasible and HIPAA breach notification requirements. Breach notifications will describe the nature of the breach, affected data types, mitigation steps taken, and user remediation options.

13.2 Regulatory Notification

We comply with all breach notification requirements under applicable privacy laws, including HIPAA, GDPR, CCPA, and state breach notification laws.

14. HIPAA Compliance

14.1 Protected Health Information

Where applicable, we implement administrative, technical, and physical safeguards that align with HIPAA standards for security and privacy.

14.2 Business Associate Agreements

All third-party processors handling PHI are bound by HIPAA-compliant Business Associate Agreements.

15. Contact Information

  • Privacy Officer: support@testosterone.tools
  • DPO (EU matters): support@testosterone.tools
  • HIPAA Privacy Officer: support@testosterone.tools
  • General Privacy Inquiries: support@testosterone.tools