Privacy Policy — Regenerative Medicine

Effective date: February 2025 · Last updated: February 2025

ExaVeyra Sciences ("ExaVeyra," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our website (exaveyra.com), telehealth services, partner applications, and related services. By using our services, you agree to the practices described in this policy. If you do not agree, please do not use our services.

This policy applies to information we collect through our website, forms, telehealth platform, email, and phone. It does not apply to information collected by third parties or through links to external sites. For information about how we handle Protected Health Information (PHI) under HIPAA, see our HIPAA Compliance page.

1. Information We Collect

Information You Provide

  • Contact & identity: Name, email address, phone number, mailing address.
  • Professional & clinic: Practice name, license number, specialty, patient volume (for wholesale applications).
  • Health information: Medical history, treatment goals, lab results, or other health-related information you share for telehealth or concierge consultations (PHI).
  • Communications: Message content, consultation notes, and correspondence.
  • Accessibility preferences: Settings you choose in our accessibility widget (stored locally or, if you opt in, in association with your session).

Information Collected Automatically

  • Usage data: IP address, browser type, device information, pages visited, referring URL, and timestamp.
  • Cookies & similar technologies: We use cookies, session storage, and local storage for functionality (e.g., session management, accessibility settings), analytics (to improve our site), and security (e.g., CSRF protection). You can adjust cookie settings in your browser.

Information from Third Parties

We may receive information from partners (e.g., covered entities with whom we have BAAs), payment processors, or publicly available sources when necessary for our services or compliance.

2. How We Use Your Information

We use your information to:

  • Respond to inquiries, process applications, and provide customer support
  • Conduct telehealth consultations and coordinate concierge care
  • Process wholesale applications and manage partner relationships
  • Send transactional messages (e.g., appointment confirmations, shipping updates)
  • Send marketing communications where you have opted in
  • Improve our website, services, and user experience
  • Comply with legal obligations, enforce our terms, and protect our rights
  • Prevent fraud and ensure security
  • Conduct analytics (aggregated or anonymized where possible)

When we use PHI, we do so in accordance with HIPAA, our Business Associate Agreements, and your consent where required.

3. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA), UK, or other jurisdictions with similar laws, we process personal data based on:

  • Contract: To perform our agreement with you
  • Legitimate interests: To operate our business, improve services, and ensure security
  • Consent: Where you have given explicit consent (e.g., marketing)
  • Legal obligation: To comply with applicable laws

You may withdraw consent where we rely on it, without affecting the lawfulness of processing before withdrawal.

4. Sharing and Disclosure

We may share your information with:

  • Service providers: Hosting (Vercel), database (Supabase), email, analytics, telehealth platforms—under contracts that require them to protect your data
  • Covered entities & partners: When we act as a Business Associate, we may disclose PHI as permitted by the BAA and HIPAA
  • Legal & regulatory: When required by law, court order, or to protect our rights, safety, or property
  • Business transfers: In connection with a merger, acquisition, or sale of assets, subject to this policy

We do not sell your personal information. We do not share your information with third parties for their marketing purposes.

5. Data Retention

We retain your information for as long as necessary to fulfill the purposes in this policy, comply with legal obligations (e.g., tax, healthcare record retention), resolve disputes, and enforce our agreements. PHI is retained in accordance with HIPAA requirements and applicable state law. When we no longer need your information, we securely delete or anonymize it where feasible.

6. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data, subject to legal exceptions
  • Portability: Request your data in a structured, machine-readable format (where applicable)
  • Opt-out of marketing: Unsubscribe from marketing emails at any time
  • Object or restrict: Object to processing or request restriction (GDPR)
  • Withdraw consent: Where we rely on consent, you may withdraw it
  • Lodge a complaint: Submit a complaint to a supervisory authority (e.g., your data protection authority)

To exercise these rights, contact us via our Contact page. We will respond within the timeframes required by applicable law. For PHI held on behalf of a covered entity, certain requests may need to be directed to that covered entity.

7. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide additional rights:

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information (subject to exceptions)
  • Right to correct inaccurate personal information
  • Right to opt out of the "sale" or "sharing" of personal information—we do not sell or share for cross-context behavioral advertising
  • Right to limit use of sensitive personal information (we use it only as permitted)
  • Right to non-discrimination for exercising your rights

To submit a verifiable request, contact us via our Contact page. We may need to verify your identity before processing your request.

8. Security

We use administrative, physical, and technical safeguards to protect your information, including encryption in transit (TLS) and at rest, access controls, and secure development practices. See our HIPAA Compliance page for details on how we protect health information. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

9. Children

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will take steps to delete it.

10. International Transfers

We are headquartered in the United States (Miami, FL). If you access our services from outside the U.S., your information may be transferred to and processed in the United States, which may have different data protection laws. By using our services, you consent to such transfer. For transfers from the EEA/UK, we rely on appropriate safeguards (e.g., standard contractual clauses) where required.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. For material changes, we may provide additional notice (e.g., email or a prominent notice on our site). Your continued use after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For questions about this Privacy Policy, your personal data, or to exercise your rights, please contact us:

HIPAA ComplianceTerms of ServiceContact Us