Privacy Policy

We collect information in three ways: information you give us directly, information we collect automatically when you use the Service, and information we receive from service providers and laboratory partners acting on our behalf.

2.1 Information you give us directly

• Account and contact information: name, email address, mailing address (for at-home kits), phone number (if provided), and account credentials.
• Health information: responses to our symptom quiz, including information about your cycle, reproductive history, symptoms, family history, medications, and lifestyle; the biomarker panel you order; and intake information you provide before a blood draw.
• Payment information: we do not store full payment card numbers. Payment is processed by Stripe, Inc., which collects and stores your card details under its own privacy terms. We retain only a tokenized reference, the amount, the last four digits, and the card brand, along with flags indicating whether HSA/FSA funds were used.
• Communications: messages you send us via the contact form, careers form, email, or customer support.

2.2 Information we collect automatically

• Device and usage data: IP address (which we hash before storing for rate-limit purposes on public endpoints), browser type and version, device type, pages viewed, referring URL, and timestamps.
• Cookies and similar technologies: we use session cookies for essential functionality (authentication, cart state, CSRF protection) and measurement cookies for analytics. See “Cookies and tracking” below for details.

2.3 Information we receive from third parties

• Laboratory results: Quest Diagnostics (our primary laboratory partner) returns your biomarker results to us through Junction (our lab-orchestration provider).
• Address verification and autocomplete: Google Places may assist in address entry during intake.
• Email validation: SendGrid may validate the deliverability of an email address you submit.

We use your information to:

• Provide, maintain, and improve the Service, including matching your quiz responses to the biomarker panels most likely to be relevant to your symptoms.
• Process your order, schedule your blood draw, generate lab requisitions, and deliver your results report.
• Communicate with you about your account, your order, changes to the Service, and — only if you opt in — marketing content about EllaDx.
• Detect, investigate, and prevent fraud, abuse, and security incidents.
• Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
• Produce aggregated, de-identified statistics about how the Service is used. De-identified data does not identify you and is not subject to this Policy.

We do not sell your personal information. We share information only as described below.

4.1 Service providers (processors and business associates)

We use trusted service providers to operate the Service. Each receives only the minimum information needed to perform its function and is contractually required to protect that information.

• Supabase — database, authentication, and file storage. Operates under a Business Associate Agreement (BAA) for protected health information.
• Cloudflare — website hosting, content delivery, DDoS protection, and video hosting.
• Stripe — payment processing.
• Quest Diagnostics — CLIA- and CAP-accredited laboratory processing.
• Junction — lab-order orchestration between EllaDx and Quest Diagnostics.
• Klaviyo — marketing email delivery to users who have opted in. We do not send protected health information to Klaviyo.
• SendGrid — transactional email and email validation.
• Google Places — address autocomplete during intake.

4.2 Legal and safety

We may disclose information when we reasonably believe disclosure is required or permitted by law — for example, to respond to a subpoena, court order, or other legal process; to enforce our Terms of Service; to protect the rights, property, or safety of EllaDx, our users, or the public; or to comply with regulatory obligations.

4.3 Business transfers

If EllaDx is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to the receiving party's commitment to honor this Policy (or give notice and an opportunity to opt out before any materially different use).

4.4 With your consent

We may share your information for other purposes disclosed at the time of collection or with your explicit consent.

Laboratory test results and the intake information directly supporting a lab order are Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. We treat this information accordingly.

• Our laboratory partners (Quest Diagnostics) are covered entities under HIPAA.
• EllaDx operates as a Business Associate with respect to PHI processed on behalf of those covered entities, and operates under BAAs with its own downstream subprocessors (including Supabase) who handle PHI.
• We do not disclose PHI to Klaviyo, SendGrid, Google Places, or any other non-BAA processor. Marketing systems receive only non-health identifiers (name, email, whether you completed the onboarding quiz).
• Because EllaDx is an educational and wellness service and not a covered healthcare provider, we do not generate the HIPAA “Notice of Privacy Practices” that a clinician would issue. Your rights with respect to PHI held by Quest Diagnostics and other covered entities are governed by their notices.

6.1 Access, correction, and deletion

You may access, correct, or delete account information through your account dashboard. To request deletion of a full account, contact us at [email protected]. Some information — for example, records we are required to retain for lab, tax, or legal-compliance purposes — may be retained after account deletion.

6.2 Marketing communications

Every marketing email includes an unsubscribe link. You may also contact us to opt out of marketing communications. Transactional messages (order receipts, results notifications, account security) will continue because they are required to deliver the Service.

6.3 California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, including the right to know what personal information we collect about you, the right to delete personal information, the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right to opt out of sale or sharing of personal information (we do not sell or share personal information as those terms are defined in the CCPA/CPRA). To exercise these rights, email us at [email protected] with subject line “California Privacy Request.” We will verify your identity before acting on your request.

6.4 Other U.S. state residents

Residents of states with comprehensive consumer privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as they come into effect) may have similar rights. Use the same contact path as above to exercise them.

6.5 Authorized agents

You may designate an authorized agent to submit requests on your behalf. We may require proof of the agent's authority and independent verification of your identity.

We use essential cookies for authentication, cart state, and security. We use privacy-respecting analytics to understand aggregate usage. We do not participate in third-party advertising networks that track individual users across the web.

You can control cookies through your browser settings. Disabling essential cookies will break core Service functionality, such as signing in and placing an order.

We use administrative, technical, and physical safeguards designed to protect your information. These include encrypted transport (TLS 1.2+), encrypted storage for sensitive fields, access controls and audit logging on production systems, and vendor security assessments. No system is perfectly secure, so we cannot guarantee absolute security.

We retain your information for as long as your account is active and for a reasonable period afterwards to support legal, regulatory, accounting, and dispute-resolution obligations. Specifically:

• Lab-test records and supporting intake data are retained in accordance with applicable state laboratory retention rules (typically a minimum of two years; some states require longer).
• Financial records (invoices, payment receipts) are retained for at least seven years for tax and audit purposes.
• Marketing records are retained until you opt out or request deletion.
• De-identified, aggregated data may be retained indefinitely.

The Service is not directed to individuals under 18, and we do not knowingly collect information from anyone under 18. If you believe a child has provided us personal information, please contact us and we will delete the information.

The Service is offered only in the United States. If you access the Service from outside the U.S., you understand your information is processed in the U.S. under U.S. law.

We may update this Policy from time to time. If we make material changes, we will notify you by email (if we have your email) or by posting a prominent notice on the Service before the change takes effect. The “Last updated” date at the top of this Policy reflects the current version.

Questions, requests, or concerns about this Policy or our information practices:

EllaDx, Inc.
Attn: Privacy
1630 W Prosper Trail, #620
Prosper, Texas 75078
[email protected]