Privacy Policy

SexyMD Privacy Policy
DRAFT — for internal and legal review only
Effective Date: [INSERT EFFECTIVE DATE]
Last Updated: [INSERT LAST UPDATED DATE]
How to read this draft. Red [FILL IN] and [LEGAL REVIEW] callouts and amber [DECISION] callouts must be removed before publishing. Use Find on each label to locate them.

[FILL IN] Effective Date and Last Updated Date: Insert the calendar date on which this Privacy Notice goes into effect (top of document and at the start of the CHD supplement). “Last Updated” should match unless this is a revision. Many state privacy laws (CCPA/CPRA, CPA, CTDPA, others) require these dates to be conspicuous and accurate.
[FILL IN] Privacy contact email: This draft uses privacy@sexymd.com for privacy-rights requests and hello@sexymd.com for patient support. Confirm both addresses are established and monitored, that the appropriate person/team responds within the statutory windows (e.g., 45 days under most State CHD Laws, extendable by 45 days with notice), and that responses are logged for audit purposes.
THIS PRIVACY POLICY DOES NOT APPLY TO PROTECTED HEALTH INFORMATION COLLECTED OR HELD BY THE AFFILIATED PROFESSIONAL ENTITIES (THE “PRACTICE”) IN CONNECTION WITH PROVIDING YOU HEALTHCARE SERVICES. THAT INFORMATION IS SUBJECT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) AND IS GOVERNED BY THE PRACTICE’S HIPAA PRIVACY POLICY / NOTICE OF PRIVACY PRACTICES, NOT BY THIS PRIVACY POLICY.
This Privacy Policy (the “Privacy Notice”) describes how SexyMD LLC (“SexyMD,” “we,” “our,” or “us”) collects, uses, discloses, and protects personal information we collect through the SexyMD website at www.sexymd.com, our mobile applications, and related services (collectively, the “Services”).
Key Privacy Points
We hope you read this entire Privacy Notice for the full detail, but here are some key points up front:

  • SexyMD is a technology and administrative-services company. SexyMD does not itself practice medicine. We help you establish and maintain a relationship with licensed healthcare providers (the “Healthcare Providers”) who are employed by, contracted with, or otherwise affiliated with one or more independent professional entities (the “Practice”).
  • We collect initial qualifying information from you, which we pass to the Healthcare Providers for clinical assessment. If clinically appropriate, the Healthcare Provider may invite you to schedule a visit through the Practice.
  • The Healthcare Provider will request additional medical information and other personal information. Diagnosis, consultation, treatment, and prescribing are performed by the Healthcare Provider, not by SexyMD. SexyMD does not diagnose or treat any disease or medical condition.
  • Personal information collected by, or in the course of treatment by, the Healthcare Providers and the Practice is “protected health information” (“PHI”) governed by the HIPAA Privacy Rule, the Practice’s HIPAA Privacy Policy / Notice of Privacy Practices, and applicable state laws — not by this Privacy Notice. SexyMD acts as a HIPAA business associate to the Practice.
  • Your relationship with the partner pharmacies in the SexyMD Pharmacy Network, with third-party financing partners (such as Affirm, Klarna, and Afterpay), and with other third-party suppliers is governed by their own privacy policies and practices, not by this Privacy Notice.

[LEGAL REVIEW] STRUCTURAL: This Privacy Notice is issued by SexyMD LLC and governs non-PHI personal information. PHI is governed by the Practice’s NPP / HIPAA Privacy Policy. Confirm with counsel that both documents are consistent in describing where PHI ends and non-PHI begins, and that any boundary between them is operationally enforced (e.g., where pre-relationship intake data sits, where SMS marketing data sits, where cookie / tracking data sits).
Contents
1. Information We Collect
2. Use of Information
3. Disclosure of Information
4. Your Rights and Choices
5. Protection of Information
6. Children
7. Updates and Changes to This Policy
8. Contacting Us
Supplement: Consumer Health Data Privacy Policy
1. Information We Collect
Information You Provide to Us
You may provide the following types of information to us:

  • Identifiers and contact information, such as your name, date of birth, gender, email address, mailing address, phone number, and account credentials;
  • Demographic information, including state of residence and biometric measurements (such as height and weight);
  • Initial qualifying information and self-reported health information you provide before being connected to a Healthcare Provider (for example, your responses to the SexyMD intake questionnaire);
  • Payment information, such as credit/debit card data, HSA/FSA card data, and information you provide to our payment processors and financing partners;
  • Communications and content you submit to us, including messages, photos, voicemails, and customer-support inquiries; and
  • Any other information you choose to provide to us.

Audio and Video Recordings
We may collect and process audio and video recordings in connection with your use of the Services, including in connection with video or telephone visits with a Healthcare Provider, voice or audio submitted through the Site, and customer-support calls. We may use such recordings to provide, operate, maintain, and improve the Services, for quality assurance and training, and for compliance and dispute-resolution purposes. We may share recordings with our service providers and trusted partners for these purposes, who handle the recordings in accordance with applicable law and this Privacy Notice. Recordings of clinical interactions handled by the Practice are PHI and are governed by the Practice’s HIPAA Privacy Policy.
Information Collected Automatically
When you access or use the Services, we and our service providers and third parties may automatically collect information from your computer or mobile device, including unique browser and device identifiers, IP address, browser type, operating system, mobile-device information, advertising identifiers, internet-connection information, and details of your interactions with the Site (such as the pages you visit, links you click, search terms, referring URLs, and the dates and times of your visits).
Cookies and Similar Technologies
We and our service providers use cookies, web beacons, pixels, mobile-device functionality, JavaScript, local storage, and similar technologies to operate the Services and to understand how you use them. Cookies are small text files stored on your device when you visit a website. They help us recognize your device and remember information about your visit.
We may use the following categories of cookies:

  • Strictly necessary cookies — required for the Services to operate (for example, to authenticate you and to keep your shopping cart contents). These cannot be disabled.
  • Performance and analytics cookies — collect aggregated information about how visitors use the Services so we can improve them.
  • Functionality cookies — remember your choices (such as language or region) and provide enhanced, personalized features.
  • Targeting and advertising cookies — used by us and our advertising partners to deliver advertising relevant to you and to measure advertising effectiveness.

Most browsers allow you to control cookies through their settings. Disabling cookies may affect the functionality of the Services. To learn more, visit www.allaboutcookies.org.
Specific Tracking Tools We May Use

  • Google Analytics — a web-analytics service that uses cookies and similar technologies to help us understand how visitors use the Services. You may opt out by installing the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout.
  • Google reCAPTCHA / invisible reCAPTCHA — used to protect the Services from spam and automated abuse. The tool may collect IP address, date, time, language, screen size and resolution, and mouse movements. Use of reCAPTCHA is subject to Google’s Privacy Policy (https://policies.google.com/privacy) and Terms of Service (https://policies.google.com/terms).
  • Advertising and social-media partners — including Meta, Google Ads, TikTok, and similar platforms. To learn more or to opt out of advertising cookies on desktop and mobile browsers, visit http://optout.aboutads.info and http://optout.networkadvertising.org. You can also download the AppChoices app at www.aboutads.info/appchoices to opt out in mobile apps.

[LEGAL REVIEW] Tracking-tool inventory: Replace this list with the actual analytics, captcha, attribution, and advertising vendors SexyMD uses (e.g., Google Analytics 4, Meta Pixel, TikTok Pixel, Northbeam, Snowflake, Segment, Mixpanel, Klaviyo, etc.). Each named vendor must have a signed Data Processing Agreement, and the cookie banner / consent management platform must surface each by category. Listing vendors specifically is required by some state regs and increases CCPA / GDPR defensibility.
[LEGAL REVIEW] Cookie consent: California, Colorado, Connecticut, and a growing number of states require recognition of Global Privacy Control (“GPC”) signals as a valid opt-out of sale/share and targeted advertising. Counsel and engineering should confirm GPC is recognized site-wide, that the cookie banner offers a clear “Reject All / Manage Preferences” path, that non-essential cookies are not placed before consent in states that require pre-consent, and that the cookie banner technology vendor is configured for each state’s opt-out flavors.
Sensitive Personal Information
Some of the information we collect may be considered “sensitive personal information” under applicable state privacy laws. Depending on how you interact with the Services, sensitive personal information we may collect includes:

  • Government-issued identifiers, such as driver’s license, state ID card, passport number, or Social Security number;
  • Account-access information, including a username, account number, or password in combination with credentials that permit access to your account;
  • Information about your racial or ethnic origin (if voluntarily provided), citizenship or immigration status, or union membership;
  • Information that reveals your precise geolocation;
  • Information about your health, including conditions, symptoms, treatments, medications, biometric measurements, and your browsing activity on health-related pages of the Services;
  • Information about your sex life or sexual orientation;
  • Genetic data and biometric information processed for the purpose of uniquely identifying you (if applicable); and
  • The contents of your communications via the Services (e.g., messages with our care team or AI assistant), except as governed by applicable law.

We use and disclose sensitive personal information only as permitted by applicable law and as further described in this Privacy Notice. Where state law requires consent for the use of sensitive personal information for certain purposes, we will obtain that consent and, where required, offer you the ability to limit our use of your sensitive personal information.
[LEGAL REVIEW] Sensitive PI usage and opt-out: California (CPRA), Connecticut, Colorado, Maryland (MODPA), Oregon, Texas, Washington (MHMDA) and Nevada apply heightened protections to sensitive PI. Several states (notably MD, WA, NV) prohibit the use of certain sensitive PI for targeted advertising entirely. Counsel should confirm: (a) which sensitive-PI categories SexyMD actually collects, (b) which uses require opt-in vs. opt-out, (c) the “Limit Use of Sensitive Personal Information” flow in the product, and (d) whether SexyMD’s ad-tracking on health-related pages requires an opt-in in any state.
Information from Healthcare Providers and Partners
We may receive information about you from the Healthcare Providers, the Practice, our partner pharmacies in the SexyMD Pharmacy Network, payment processors, financing partners (Affirm, Klarna, Afterpay), shipping carriers, identity-verification vendors, marketing partners, and other third parties (such as referral or affiliate partners), in accordance with our agreements with them and applicable law.
2. Use of Information
We use personal information for the following purposes:

  • To operate, maintain, and improve the Services, and to provide services to you and to the Practice;
  • To facilitate your enrollment with the Practice, including by transmitting your initial qualifying information to a Healthcare Provider;
  • To process orders, payments, refunds, and replacements, and to coordinate fulfillment with the Pharmacy Network and shipping carriers;
  • To communicate with you, including by sending confirmations, updates, alerts, refill notifications, support messages, and administrative messages;
  • To personalize content, recommendations, and advertising on and off the Services;
  • For business operations such as marketing, auditing, security, fraud prevention, invoicing and accounting, analytics, and research and development;
  • To detect, investigate, and respond to misuse of the Services or other unlawful behavior;
  • To comply with legal obligations, court orders, and government requests;
  • To establish, exercise, or defend our legal rights; and
  • To create aggregated or de-identified information that does not identify you (which we may use and disclose for any purpose).

Use of Artificial Intelligence (AI) Tools
We may use software-based automation, machine-learning, and generative AI tools to support non-clinical operations of the Services, including organizing and summarizing the information you submit at intake, drafting messages for human review, supporting customer-service interactions, and personalizing your experience. Where you are directly interacting with an AI-supported chatbot, agent, or similar channel, you will be informed of that fact where required by applicable law. SexyMD does not use AI to make clinical decisions; clinical decisions are made or reviewed by a Healthcare Provider.
3. Disclosure of Information
We may disclose your personal information as follows:

  • To the Healthcare Providers and the Practice — for clinical evaluation, treatment, and ongoing care;
  • To the Pharmacy Network — including U.S.-licensed 503A pharmacies and 503B outsourcing facilities, to fill and ship prescriptions written by your Healthcare Provider;
  • To payment processors and installment-financing partners (Affirm, Klarna, Afterpay) — to process payments;
  • To service providers and vendors — that perform services for us, such as hosting, data storage, analytics, marketing, advertising, identity verification, fraud prevention, customer support, SMS and email delivery, AI tools, and other operational support. These service providers are contractually obligated to use your information only for the purposes we direct;
  • To current or future parent companies, subsidiaries, affiliates, and other companies under common control or ownership with SexyMD;
  • In response to subpoenas, court orders, and other legal process — where we believe in good faith that disclosure is required by law or appropriate to comply with legal obligations or government requests;
  • To protect rights, safety, and security — including to investigate, prevent, or respond to suspected fraud, illegal activity, or violations of our terms; to protect the rights, property, or safety of SexyMD, our patients, employees, or others; and to enforce our agreements;
  • In connection with a corporate transaction — such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, including in connection with due diligence; and
  • With your consent or at your direction — including when you participate in optional features that involve sharing information with third parties.

Do We “Sell” or “Share” Your Personal Information?
We do not sell your personal information for money. However, under California law and certain other state laws, the use of third-party advertising cookies and similar technologies to deliver cross-context behavioral advertising may be treated as a “sale” or “share” of personal information. Where applicable, you have the right to opt out of these practices, as further described in Section 4 and in the Consumer Health Data Privacy Policy supplement below.
[LEGAL REVIEW] Sale/Share disclosures (CCPA/CPRA, CPA, CTDPA, VCDPA, others): Counsel should confirm whether SexyMD’s use of advertising cookies and pixels (Meta, Google, TikTok, programmatic) constitutes a “sale” or “share” under each applicable state law and that the disclosure here matches operational reality. If SexyMD does “sell” or “share,” a “Do Not Sell or Share My Personal Information” link in the website footer is required in CA (and in some other states), and a confirmed opt-out flow must be in place.
4. Your Rights and Choices
Marketing Communications
We may use your information, including your email address and mailing address, to send you marketing communications about our services, promotions, and offers we believe may be of interest to you. You can opt out of receiving marketing emails by clicking the unsubscribe link in any marketing email or by contacting us at hello@sexymd.com. Even if you opt out of marketing emails, you may continue to receive non-marketing communications, such as those related to your account, your orders, or important safety information.
SMS / Text Message Communications
If you provide your mobile phone number to SexyMD, this information may be used to send you SMS messages, including transactional messages (such as appointment reminders, order updates, refill notifications, and shipping notifications) and, with your separate consent where required, marketing messages (such as promotions and product updates).
Messages may be sent using an automatic telephone dialing system. Message and data rates may apply. Message frequency may vary. You may opt out of marketing text messages at any time by replying STOP to any marketing message. You may continue to receive transactional and clinical messages after opting out of marketing messages because those messages are necessary for the operation of the Services.
We may use cookies, pixels, and similar technologies to monitor activity on the Services, including cart-abandonment activity, and may use your phone number (with consent where required) to send cart-reminder SMS messages.
[LEGAL REVIEW] TCPA / A2P 10DLC / state mini-TCPA: Confirm prior-express-consent capture (separate marketing consent checkbox at signup), A2P 10DLC registration with the carriers, STOP keyword wiring, and segmentation of transactional vs. marketing campaigns. Florida (Florida Telephone Solicitation Act), Washington (CEMA), and several other states have heightened SMS requirements that should be reviewed.
[LEGAL REVIEW] Originator opt-in data — TrimRx specifically calls out that SMS originator opt-in data and consent will not be shared with third parties (a CTIA / carrier-compliance disclosure). Consider whether to add an explicit equivalent statement, e.g., “Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes; all the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.” CTIA campaign reviewers increasingly look for this exact disclosure.
Cookies and Tracking Technologies
You may make certain choices regarding the use of cookies and similar technologies through the settings on each browser you use, and through our cookie consent banner where one is presented. You can set most browsers to refuse certain types of cookies, or to alert you when certain types of cookies are being used. If you block or otherwise reject all cookies, local storage, JavaScript, or other technologies, certain features of the Services may not function as expected. We recognize Global Privacy Control (GPC) signals where required by applicable law.
Marketing Information Sharing With Third Parties
We do not share your personal information with third parties for those third parties’ own marketing purposes without your explicit consent. Service providers we engage to send marketing communications on our behalf are contractually required to use your personal information only for that purpose.
Data Retention
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, to provide the Services to you, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Retention periods may vary by category of information and applicable law. After the retention period, we will delete or de-identify your personal information.
State-Specific Privacy Rights
Depending on the U.S. state in which you reside, you may have additional rights regarding your personal information. Detailed state-specific rights and instructions for how to exercise them are set forth in the Consumer Health Data Privacy Policy supplement at the end of this Privacy Notice.
Do Not Track Signals and Global Privacy Control
Some web browsers incorporate a “Do Not Track” (DNT) feature that signals to the websites you visit that you do not want to have your online activity tracked. There is no industry consensus on how to interpret DNT signals, and we do not currently respond to DNT browser-based signals. We do, however, recognize the Global Privacy Control (GPC) and similar widely recognized opt-out preference signals as a valid request to opt out of the “sale” or “sharing” of your personal information and from targeted advertising, in accordance with applicable law. For more information about GPC, visit https://globalprivacycontrol.org.
5. Protection of Information
To help protect personal information, we maintain physical, technical, and administrative safeguards designed to protect against unauthorized access, alteration, disclosure, or destruction. However, no system of physical, technical, or administrative safeguards can be guaranteed to be perfect, and we cannot assure you that personal information will never be used or disclosed in a manner that is inconsistent with this Privacy Notice.
In the event of a data security breach involving personal information, we will provide notice in accordance with applicable federal and state law, including California Civil Code section 1798.82 and the breach-notification statutes of other applicable states.
What You Should Do to Protect Your Information
Your cooperation is essential to safeguarding your information. Choose your account password carefully, do not reuse passwords across other websites or accounts, and do not share your password with anyone. Anyone with access to your account credentials may be able to view and modify your information, including your communications with your Healthcare Provider. If you suspect that your account has been compromised, contact us immediately at hello@sexymd.com.
De-Identified Information
We may create de-identified or aggregated information from the personal information we collect, including by removing information that makes the information personally identifiable. De-identified information is not subject to this Privacy Notice. Where we maintain or use de-identified information, we will continue to maintain and use it only in a de-identified form and will not attempt to re-identify it, except as permitted by applicable law (for example, to test or evaluate the efficacy of the de-identification process).
6. Children
The Services are intended for use only by adults who are at least eighteen (18) years of age. We do not knowingly collect personal information from children. By accessing or using the Services, you represent that you are at least eighteen (18) years old. If we become aware that we have collected personal information from a minor in violation of applicable law, we will take reasonable steps to delete that information.
7. Updates and Changes to This Policy
We may update this Privacy Notice from time to time to reflect changes in our practices, the law, or the features of the Services. Material changes will be reflected by updating the “Last Updated” date at the top of this Privacy Notice and, where required, by additional notice on the Site or by email. Your continued use of the Services after the effective date of any change constitutes your acceptance of the revised Privacy Notice.
8. Contacting Us
If you have any questions or comments about this Privacy Notice or SexyMD’s privacy practices, or to submit a privacy request or complaint, please contact us at:
SexyMD LLC
5725 S Valley View Blvd, Suite 7, Las Vegas, NV 89118
Privacy inquiries: privacy@sexymd.com
Patient support: hello@sexymd.com
Web: www.sexymd.com
You also have the right to make privacy requests directly to your Healthcare Provider or the Practice with respect to your protected health information, as described in the Practice’s HIPAA Privacy Policy / Notice of Privacy Practices.
[FILL IN] Customer-support phone number: TrimRx publishes a phone number (888-896-1612). Consider adding SexyMD’s customer-support phone here, particularly if SMS or cookie complaints require an alternative channel.

California Privacy Rights Notice
This California Privacy Rights Notice supplements the SexyMD Privacy Notice and applies only to California residents. It is provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”). Capitalized terms used but not defined in this section have the meanings given to them under the CCPA. If anything in this California Privacy Rights Notice conflicts with the main body of the Privacy Notice, this Notice controls for California residents.
Notice at Collection
At or before the time of collection, you have a right to receive notice of the categories of personal information and sensitive personal information we collect, the purposes for which we collect or use them, whether we sell or share them, and how long we retain them. This Notice provides those details in Sections 1 (Information We Collect), 2 (Use of Information), 3 (Disclosure of Information), and 4 (Your Rights and Choices) above, along with the categories below.
Categories of Personal Information Collected and Disclosed
In the past twelve (12) months, we may have collected the following categories of personal information from California residents. For more detail on the specific types of information within each category, see Section 1 above.

  • Identifiers (such as name, address, email, phone number, account name, IP address);
  • Personal information described in Cal. Civ. Code § 1798.80 (such as contact information, billing data, and demographic information);
  • Characteristics of protected classifications under California or federal law (such as sex, age, gender, race, marital status, and certain health information);
  • Commercial information (such as transaction history and purchasing tendencies);
  • Internet or other network activity information (such as browsing history, search history, interactions with the Site or advertisements, and information from cookies);
  • Geolocation data (such as approximate location derived from IP address);
  • Audio, electronic, visual, and similar information (such as photographs and video- or audio-call recordings);
  • Inferences drawn from any of the above to create a profile reflecting your preferences, characteristics, or behavior; and
  • Sensitive personal information, as further described in Section 1.3 (Sensitive Personal Information) above.

We disclose these categories of personal information for our business purposes to the categories of third parties described in Section 3 (Disclosure of Information) above, including our affiliates, service providers, the Healthcare Providers and Practice, the Pharmacy Network, payment processors and financing partners, analytics providers, advertising partners, and entities to which disclosure is made for legal or corporate-transaction purposes.
[LEGAL REVIEW] Category-by-third-party chart: Hims & Hers, Ro, Weight Watchers, and Remedy Meds all publish a more detailed table in their CCPA notices mapping each category of personal information to (1) categories of third parties disclosed to for operational purposes, (2) categories sold/shared, and (3) processing purposes. Counsel should decide whether to (a) keep the narrative-style listing above, or (b) expand into a full table. The table is more defensible under CCPA but operationally harder to maintain accurately.
“Sale” and “Sharing” of Personal Information
We do not sell personal information for monetary consideration. However, under the CCPA, our use of third-party advertising cookies, pixels, and similar technologies to deliver cross-context behavioral advertising may be treated as a “sale” or “sharing” of identifiers (such as cookie IDs, device identifiers, and IP address), internet activity (such as browsing history), general geolocation, commercial information, and inferences.
We do not knowingly sell or share the personal information of consumers under 16 years of age.
NOTICE: WE MAY USE OR SHARE SENSITIVE PERSONAL INFORMATION (INCLUDING HEALTH-RELATED BROWSING ACTIVITY) FOR PURPOSES OF TARGETED ADVERTISING TO THE EXTENT PERMITTED BY APPLICABLE STATE LAW. YOU HAVE THE RIGHT TO LIMIT OR OPT OUT OF THIS USE AS DESCRIBED BELOW.
[LEGAL REVIEW] Sale/share/sensitive PI in advertising: Hims & Hers, Ro, and Remedy each post an explicit notice that they may “sell” or use sensitive personal data for advertising. Confirm with counsel whether SexyMD’s ad pixels (Meta, Google, TikTok) actually constitute a CCPA “sale” / “sharing,” and whether SexyMD uses health-page browsing data for retargeting (a high-risk practice under CCPA, MHMDA, and increasing FTC scrutiny). If yes, the conspicuous notice above and the “Do Not Sell or Share My Personal Information” + “Limit Use of My Sensitive Personal Information” opt-out links must be on every page.
Your California Rights

  • Right to Know — request information about the categories and specific pieces of personal information we collect, use, and disclose.
  • Right of Access — request a copy of the personal information we have collected about you, in a portable and usable format.
  • Right to Correct — request correction of inaccurate personal information.
  • Right to Delete — request deletion of personal information, subject to certain exceptions.
  • Right to Opt Out of Sale or Sharing — opt out of our sale or sharing of your personal information for cross-context behavioral advertising.
  • Right to Limit Use and Disclosure of Sensitive Personal Information — limit our use of sensitive personal information to uses necessary to provide the goods or services you requested or as otherwise permitted by law.
  • Right to Non-Discrimination — exercise these rights without unlawful discrimination.

How to Exercise Your California Rights
You can submit a Right to Know, Right of Access, Right to Correct, or Right to Delete request by emailing privacy@sexymd.com or by using the “Your Privacy Choices” / “Do Not Sell or Share My Personal Information” / “Limit Use of My Sensitive Personal Information” links in the footer of the Site. Please include your full name, the email address associated with your account, and a clear description of your request. We may need to request additional information to verify your identity; we will only use that information for verification.
[FILL IN] Footer links: California requires conspicuous “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links in the website footer, and these links must operate even without a CCPA verification step. Engineering should confirm these footer links exist and are wired up to a working opt-out backend that propagates to all ad/analytics platforms via the IAB GPP framework or comparable mechanism.
Authorized Agents
California residents may designate an authorized agent to make requests on their behalf. If an agent submits a request, we may require (a) proof that you have authorized the agent (typically a signed permission or, where applicable, a power of attorney under California Probate Code §§ 4121–4130), and (b) that you verify your identity directly with us or directly confirm that you granted the agent authority. For opt-out and limit-use requests, only signed authorization is required.
Right to Appeal
If we deny your privacy request in whole or in part, you may appeal that decision by responding to our denial communication or by emailing privacy@sexymd.com within thirty (30) days. If your appeal is denied, you may contact the California Attorney General.
Shine the Light (Cal. Civ. Code § 1798.83)
California residents who have an established business relationship with us may request information once a year, free of charge, about the categories of personal information (if any) we disclosed to third parties for those third parties’ own direct marketing purposes during the immediately preceding calendar year, and the names and addresses of those third parties. To make such a request, please email privacy@sexymd.com with the subject line “Shine the Light Request.”
Retention Criteria
We retain personal information for as long as necessary in light of the purpose(s) for which it was collected. The criteria we use to determine retention periods include:

  • The length of time we have an ongoing relationship with you and provide Services to you;
  • Whether a legal obligation requires us to retain the information (for example, certain tax, accounting, or pharmacy-record requirements);
  • Whether retention is advisable in light of statutes of limitations, litigation, or regulatory investigations; and
  • Whether the information is sensitive personal information requiring shorter retention.

State Supplemental Privacy Notice
This State Supplemental Privacy Notice supplements the SexyMD Privacy Notice and applies to residents of the following U.S. states (collectively, the “State Privacy Laws”): Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Florida (Digital Bill of Rights), Indiana (ICDPA), Iowa (ICDPA), Kentucky (KCDPA), Maryland (MODPA), Minnesota (MCDPA), Montana (MCDPA), Nebraska Data Privacy Act, New Hampshire (NHPA), New Jersey (NJDPA), Nevada (SB 220 / SB 370), Oregon (OCPA), Rhode Island (RIDTPPA), Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and Virginia (VCDPA). If you reside in California, see the California Privacy Rights Notice above.
Your Rights
Depending on the state in which you reside and subject to certain exceptions, you may have the following rights:

  • Right to Confirm or Access — request confirmation that we are processing your personal information and access to that information.
  • Right to Correct — request correction of inaccurate personal information.
  • Right to Delete — request deletion of personal information.
  • Right to Data Portability — receive a copy of your personal information in a portable, readily usable format.
  • Right to Opt Out of Sale or Targeted Advertising — opt out of the sale of personal information and the processing of personal information for targeted advertising or profiling that produces legal or similarly significant effects.
  • Right to Categories of Third Parties — in some states (Oregon, Minnesota), request a list of the specific third parties to which we have disclosed your personal information.
  • Right to Non-Discrimination — exercise these rights without discriminatory treatment.

Sensitive Personal Information
Several State Privacy Laws apply heightened protections to sensitive personal information (including health-related information). Where state law requires consent before we use sensitive personal information for certain purposes, we will obtain that consent and offer you the ability to withdraw it. We do not use sensitive personal information for targeted advertising in Maryland, Washington, or Nevada, in accordance with those states’ privacy laws.
How to Exercise Your Rights
To submit a privacy request under a State Privacy Law, email us at privacy@sexymd.com, or use the “Your Privacy Choices” link in the footer of the Site. Please include your full name, email address, state of residence, and a clear description of your request. We may need to verify your identity before processing the request.
Right to Appeal
If we deny your request, you may appeal that decision within a reasonable period after our denial by replying to our denial communication or by emailing privacy@sexymd.com. If your appeal is denied, you may submit a complaint to your state Attorney General.
Texas-Specific Notice
NOTICE: WE MAY SELL YOUR SENSITIVE PERSONAL DATA (BY USING CERTAIN ONLINE ADVERTISING TECHNOLOGIES THAT MAY BE DEEMED A “SALE” UNDER TEXAS LAW). YOU MAY OPT OUT AS DESCRIBED ABOVE.
[LEGAL REVIEW] Texas Data Privacy and Security Act (TDPSA): Effective July 1, 2024, TDPSA requires merchants who sell sensitive data to display a specific notice with that exact statutory text. Counsel should confirm the wording matches the current TDPSA disclosure requirement and that the disclosure appears conspicuously on the Site at the point of collection where required.
Nevada-Specific Notice
Nevada residents have the right to opt out of the sale of their “personally identifiable information” (as defined by Nevada law) for monetary consideration. While we do not currently engage in such sales, Nevada residents may submit an opt-out request at privacy@sexymd.com; we will retain the request in the event our practices change. Nevada residents also have rights under the Nevada Consumer Health Data Privacy Law (SB 370), which are addressed in the Consumer Health Data Privacy Policy below.

Supplement: Consumer Health Data Privacy Policy
Last Updated: [INSERT LAST UPDATED DATE]
This Consumer Health Data Privacy Policy (this “CHD Policy”) supplements the SexyMD Privacy Notice above and applies to personal information that constitutes “consumer health data” (“CHD”) under the following state laws (collectively, the “State CHD Laws”):

  • Washington My Health My Data Act (MHMDA);
  • Nevada Consumer Health Data Privacy Law (SB 370);
  • California Consumer Privacy Act, as amended by the CPRA (CCPA/CPRA);
  • Colorado Privacy Act (CPA);
  • Connecticut Data Privacy Act (CTDPA);
  • Virginia Consumer Data Protection Act (VCDPA);
  • Utah Consumer Privacy Act (UCPA);
  • Oregon Consumer Privacy Act (OCPA);
  • Texas Data Privacy and Security Act (TDPSA);
  • Minnesota Consumer Data Privacy Act (MCDPA);
  • Tennessee Information Protection Act (TIPA);
  • Maryland Online Data Privacy Act (MODPA);
  • Indiana Consumer Data Protection Act (ICDPA);
  • Kentucky Consumer Data Protection Act (KCDPA);
  • Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA);
  • Montana Consumer Data Privacy Act (MCDPA);
  • Nebraska Data Privacy Act;
  • Iowa Consumer Data Protection Act (ICDPA);
  • Florida Digital Bill of Rights;
  • Delaware Personal Data Privacy Act (DPDPA);
  • New Hampshire Privacy Act (NHPA); and
  • New Jersey Data Protection Act (NJDPA).

Capitalized terms used but not defined in this CHD Policy have the meanings given to them in the Privacy Notice. Much of our processing of CHD is subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and, to the extent HIPAA applies, SexyMD is exempt from MHMDA and the Nevada CHD Law. In the spirit of transparency, this CHD Policy also describes some of our HIPAA-regulated activities and other activities for which State CHD Laws do not require SexyMD to provide a privacy policy.
[LEGAL REVIEW] HIPAA exemption scope: MHMDA, Nevada CHD Law, and several other State CHD Laws contain HIPAA carve-outs of varying breadth (some exempt PHI only, some exempt the HIPAA covered entity entirely for any data processed in HIPAA-covered capacities). Counsel should map each State CHD Law against SexyMD’s data flows and confirm the scope of each exemption and the residual non-HIPAA CHD that this CHD Policy covers (e.g., pre-relationship intake data, cookie/tracking data, account-creation data tied to health interest).
Categories of CHD Collected
As further described in the Privacy Notice, and depending on applicable law and how you interact with SexyMD, we may collect the following categories of CHD (broadly defined under MHMDA and the Nevada CHD Law):

  • Individual health conditions, treatments, diseases, or diagnoses — e.g., in connection with you seeking healthcare services or medications through SexyMD;
  • Social, psychological, behavioral, and medical interventions — e.g., through the collection of your medical history as part of treatment services you seek through SexyMD;
  • Health-related surgeries or procedures — e.g., through your medical history as part of treatment services you seek through SexyMD;
  • Use or purchase of prescribed medication — e.g., through your purchase of medication through SexyMD or through the medical history you provide;
  • Bodily functions, vital signs, symptoms, or measurements of health information — e.g., as part of seeking healthcare services or medications through SexyMD;
  • Diagnoses or diagnostic testing, treatment, or medication — e.g., as part of medical history collected by SexyMD;
  • Gender-affirming care information — e.g., as part of medical history collected by SexyMD;
  • Reproductive or sexual health information — e.g., as part of medical history collected by SexyMD, or when you otherwise seek healthcare services or medications through SexyMD;
  • Genetic data — e.g., where such information is included in medical history collected by SexyMD;
  • Data that identifies a consumer seeking healthcare services; and
  • Other information that may be used to infer, derive, or extrapolate data related to the above or other health information.

[LEGAL REVIEW] Reproductive and gender-affirming care: MHMDA, Nevada CHD Law, MODPA, CTDPA, CPA, CCPA/CPRA, and other state laws impose heightened protections on reproductive-health and gender-affirming-care information. Counsel should confirm SexyMD’s data flows for these categories include the required protections — separate consent where required, no sale or sharing without consent, and a workable patient rights flow.
Sources of CHD
We collect CHD from the following sources: (1) directly from you; (2) automatically through your use of the Services; (3) social-media and other content platforms; and (4) other third-party sources, including marketing partners and identity-verification vendors.
Purposes for Collection of CHD
We collect and use CHD for the purposes described in Section 2 (Use of Information) of the Privacy Notice. Subject to applicable law (including, where required, your consent), we may collect and use CHD: (1) to provide our Services (including analyzing, managing, protecting, and improving the Services); (2) for advertising and marketing; and (3) to address legal matters, such as to comply with laws or to establish, exercise, or defend our legal rights. We may also use CHD for other purposes you authorize.
How and Why We Share CHD
We may share each of the categories of CHD described above with the categories of entities described in Section 3 (Disclosure of Information) of the Privacy Notice. Subject to applicable law (and, where required, your consent), we may share CHD:

  • To deliver products and services to you, including to complete transactions you initiate or to implement your use of our communications tools;
  • To ensure a consistent level of service across our products and services;
  • To enhance our products, services, and your customer experience;
  • To protect SexyMD and others, including to enforce our Terms and Conditions, this Privacy Notice, or other agreements with you, and to prevent fraud;
  • To comply with our legal obligations;
  • In connection with any negotiation or completed acquisition, merger, or sale involving our business assets;
  • To create aggregated or de-identified data; and
  • For other reasons at your direction or with your consent.

Subject to applicable law (and, where required, your consent), we may share CHD with the following categories of third parties and affiliates:

  • The Healthcare Providers, the Practice, and other healthcare practitioners, labs, or pharmacies;
  • Affiliates (parent companies, subsidiaries, sister companies, or others in our corporate family);
  • Vendors and service providers (including hosting, analytics, marketing, advertising, identity verification, fraud prevention, customer support, SMS and email delivery, and AI tools); and
  • Other entities to whom disclosure is made for protection, legal, corporate-transaction, or consented purposes, as described above.

Your Rights Regarding CHD and How To Exercise Them
Subject to exceptions, certain states extend rights relating to CHD. Depending on your jurisdiction and situation, you may have rights to: (a) confirm whether we are collecting, sharing, or selling your CHD; (b) access your CHD; (c) correct inaccurate CHD; (d) delete your CHD; (e) port your CHD; (f) opt out of the sale of CHD, of targeted advertising, and of certain profiling; and (g) withdraw any consent you previously provided to the collection or sharing of your CHD.
To exercise any of these rights, please email us at privacy@sexymd.com. Depending on the nature of your request, we may contact you for additional information to authenticate your identity. SexyMD will never ask you for sensitive personal or financial information when authenticating your identity, and no SexyMD employee will ask you to tell them your password.
If we deny your request in whole or in part and a State CHD Law applies to our handling of your CHD, you may appeal that decision by emailing privacy@sexymd.com. If your appeal is denied, you may contact the relevant State Attorney General.
[LEGAL REVIEW] Rights flows: Confirm operational implementation of: identity-verification procedure (cannot ask for SSN, passwords, etc.); appeals process; State Attorney General contact information for each operating state; the 45-day response window (with extension); and the universal opt-out mechanism (GPC recognition). Document each step for audit purposes.
Authorized Agents and Sensitive Data
Where permitted by applicable law, you may use an authorized agent to submit a privacy request on your behalf. We may require the agent to provide proof of authority and verify your identity directly. Certain CHD is treated as “sensitive personal information” under State CHD Laws and may require your consent before we use it for certain purposes.
Updates to This CHD Policy
We may update this CHD Policy from time to time to reflect changes in applicable law, our data-collection and -use practices, the features of the Services, or advances in technology. We will make any revised CHD Policy available on the Site, and the “Last Updated” date at the top of this CHD Policy indicates when it was last revised. Your continued use of the Services after such updates will be deemed your acknowledgment of these changes, and where required by law, we will obtain your consent before making material changes effective.
Contact
Privacy questions about CHD: privacy@sexymd.com
[DECISION] Two-document structure: This document includes both the main Privacy Notice and the CHD Policy supplement in a single Word file (with the supplement starting after Section 8). TrimRx publishes them as one continuous web page. You can: (a) keep them combined as a single web document (recommended for legal-text consistency), (b) publish two separate web pages with clear cross-links, or (c) keep a single Word file internally and split for the website. Confirm preferred publication approach with counsel and engineering.

© 2026 SexyMD LLC. All rights reserved.