Privacy Policy
OUR PRIVACY COMMITMENT TO YOU
Last update of the Policy: [May 12, 2026]
We highly respect your privacy, trust and health. Therefore:
We collect the minimum possible personal information needed to perform a high-quality holistic analysis of your health. We do not store data unnecessarily, and keep it only as long as it fulfills the purposes for which we collected it or as required by law.
We do not share your health data without your consent. We disclose your health information only to service providers that are necessary for Luria’s operation.
You have control over the personal information you provide through Luria’s application and Website. And we are transparent about our data practices, which are reflected in our Privacy Policy.
PRIVACY POLICY
(hereinafter referred to as “the Policy”)
of Luria Health (hereinafter referred to as the “Company”)
This Policy describes the Company's policies and procedures for collecting, processing, transferring, and storing information when you use the Services and the Software. It also tells you about privacy rights and how the law protects your Personal Data.
The Website uses your Personal Data to provide and improve the Company’s Website and to enable the purchase of the Products. By using the Website, you agree to the collection and use of information in accordance with this Policy.
The Policy is in compliance with Articles 12, 13 and 14 of the GDPR and with the CCPA terms and conditions.
I. INTERPRETATION AND DEFINITIONS
Interpretation
The words in which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or plural.
Definitions
For the purposes of this Policy:
“Device” shall mean any device that can access the Website, such as a computer, a telephone, or a digital tablet.
“DPA” shall mean Data Processing Agreement for data processing purposes of the Users.
“The Company”, “we”, “our”, and “us” shall mean the company that is the owner of this Website. The Company details are the following: Luria Health, E. California Blvd., Pasadena, CA, United States of America.
“GDPR” shall mean general data protection rules relating to the protection of natural persons about the processing of personal data and rules relating to the free movement of Personal Data.
“Personal Data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, an online identifier, etc.
“Processing” shall mean any operation or set of operations that are performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Products” shall mean any Goods and Services on the Platform or Platform Services that are health-related or under any other approved product categories over the Platform.
“Platform” shall mean the overarching digital space that resides on top of the software or the technology provided by the Company, which is accessed by the Users and is interconnected with various services, including the ones provided and activated by the Company, its affiliates, associates, partners, distributors, service providers, or third parties.
“Usage Data” shall mean the data collected automatically and generated when the User(s) are using the Website infrastructure (for example, the duration of a visit, website usage, and the number of users).
“User”, “you”, and “your” shall mean any individual or legal entity who is using the Website.
“Website” shall mean the domain luria.health, its subdomains, and/or any affiliates, distributors, service providers, or third-party services and/or integrated domains and subdomains, and mobile applications.
II. COLLECTING AND USING YOUR PERSONAL DATA
Personal Data:
While using the Platform and the Website, you may provide certain personally identifiable information that can be used to contact or identify you. Personal Data that we collect may include, but is not limited to:
Full legal name;
Email;
Contact phone number;
Country of residence;
Mailing address and legal address;
Shipping address; and
Billing address.
The Company has the right, at any time, at its sole discretion, to request you to confirm your personal information or any other information related to providing Services.
III. USAGE DATA
Usage Data is collected automatically when using the Website and the Platform, buying the Products and visiting the Website.
Usage Data may include information, type of the Device, your visit pages, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When you visit the Website, the Company has the right to collect, process and transfer the following data:
The type of Device that is used to visit the Website.
The type of internet browser that is used to visit the Website.
The time at which you visit the Website.
The frequency with which you visit the Website.
The time spent at each section of the Website.
The URLs accessed from the Website.
IV. TRACKING TECHNOLOGIES AND COOKIES
The Company uses Cookies and similar tracking technologies to track the activity on the Website and store certain information. Tracking technologies are beacons, tags, and scripts to collect and track information and improve and analyze the Website.
The technologies that the Company uses may include (but are not limited to):
Cookies or Browser Cookies. A cookie is a small file placed on your Device. You can instruct the browser to refuse all Cookies or to indicate when Cookies are being sent. However, if you do not accept Cookies, you may not be able to use some parts of the Website.
Flash Cookies. Certain features of the Website may use locally stored objects (or Flash Cookies) to collect and store information about your preferences or activity on the Website. Flash Cookies are not managed by the same browser settings as those used for Browser Cookies.
Web Beacon. Certain sections of the Website and emails may contain small electronic files known as Web Beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count guests who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal Devices when you go offline, while Session Cookies are deleted as soon as you close the web browser.
The Company uses both Sessions and Persistent Cookies for the purposes set out below:
Necessary/Essential Cookies
Type: Session Cookies
Administered by the Company
Purpose: These Cookies are essential for providing you with services available through the Website and the Platform and enabling you to use some of its features. They help to authenticate users and prevent fraudulent use of your accounts. Without these Cookies, the services that you have asked for cannot be provided, and the Company only uses these Cookies to provide you with those services.
Cookies Policy/Notice Acceptance Cookies
Type: Persistent Cookies
Administered by the Company
Purpose: These Cookies identify if you have accepted the use of cookies on the Website.
Functionality Cookies
Type: Persistent Cookies
Administered by the Company
Purpose: These Cookies allow the Website to remember the choices you make when using the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide you with a more personal experience and to avoid having to re-enter preferences every time you use the Website.
Advertising Cookies
Administered by the Company
Purpose: Those cookies can be turned on and off by the Website to deliver our potential Users the best advertising experience. They do not contain personal information and are based on your actions over the Website.
GOOGLE ANALYTICS: personal data and information obtained by way of such cookies concern the use that you make of the Website and will be transmitted from your browser to Google Inc., with registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States of America, and stored on Google’s servers. Google’s norms on privacy, which we kindly invite you to read, are available at the following URL: https://policies.google.com/privacy?hl=en.
The information on personal data concerning Google Analytics services is available at the following URL: https://support.google.com/analytics/topic/2919631?hl=en.
BROWSING DATA: computer systems and procedures responsible for the correct functioning of the Website automatically acquire, whilst operating, some Personal Data concerning the User's browsing history. For instance, within this category, the Company may find:
• IP addresses;
• Number of accesses to the Website;
• Visited pages;
• Date and time of access;
• Browser type;
• Adopted operating system.
Data voluntarily provided by you
Data freely and optionally provided by you via the Website and email to one of the email addresses indicated on the Website or in this Information may be acquired for purposes communicated to you occasionally. Besides email addresses required to answer you, additional Personal Data included within the same communication received by the Company may be processed. Personal Data collected as such will be retained and processed solely to preserve them and send correspondence and for no further purpose.
V. USE OF YOUR PERSONAL DATA
The Company may use Personal Data for the following purposes:
To provide and maintain the Website and the Software, including monitoring the usage of the Website,
For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items, or services you have purchased or any other contract with the Company through the Website.
To provide you with news, special offers and general information about services and events that the Company offers, like those you have already used unless you have opted not to receive such information.
To manage your requests: To attend to and manage your requests to the Website.
To sell to third parties: We are able to do so, and you agree that we have the right to sell the data and information to third parties without additional consent from you.
For business transfers: the Company may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or another sale or transfer of some or all the Company assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by the Company about the Website and the Software users is among the assets transferred.
For other purposes: the Company may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of the Website’s promotional campaigns, evaluating and improving the Website, products, and services, marketing, and your experience.
The Company may share your Personal Data in the following situations:
With service providers: the Company has the right to share your Personal Data with service providers to monitor and analyse the use of the Website and to contact you.
For business transfers: the Company may share or transfer your Personal Data in connection with, or during negotiations of, any merger, sale of the Company’s assets, financing, or acquisition of all or a portion of the Company’s business to another owner.
With Affiliates: the Company has the right to share your Personal Data with the Company’s affiliates, in which case the Company will require those affiliates to honour this Privacy Policy. Affiliates include the Company’s parent company and any other subsidiaries, joint venture partners or other companies that the Company controls or are under common control with the Company.
With business partners: the Company has the right to share your Personal Data with business partners to offer you certain products, services, or promotions.
With your Consent: the Company has the right to disclose your Personal Data for any other purpose only with your advance consent.
VI. RETENTION OF YOUR PERSONAL DATA
The Company will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.
The Company will retain and use your Personal Data to the extent necessary to comply with the Company’s legal obligations (for example, if we are required to retain the Company’s Personal Data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period, except when this Personal Data is used to strengthen the security or improve the Website's functionality, or the Company is legally obligated to retain this data for longer periods.
The Company will retain your personal data with Firebase database service that will provide the safest and most stable data protection.
VII. TRANSFER OF YOUR PERSONAL DATA
Your information, including Personal Data, is processed by the Company’s operating offices and in any other places where the parties involved in the processing are located. This information may be transferred to — and maintained on — computers outside your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
Your consent to this Privacy Policy, followed by submission of such information, represents your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that your Personal Data is treated securely and following this Privacy Policy, and no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place, including the security of your Personal Data and other personal information.
We are Processing the User's Personal Data under the provisions of DPA.
VIII. DISCLOSURE OF YOUR PERSONAL DATA
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. The Company will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
Law enforcement
Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose your Personal Data in the good faith belief that such action is necessary to:
Comply with legal obligations.
Protect and defend the rights or property of the Company.
Prevent or investigate possible wrongdoing in connection with the Company.
Protect the personal safety of you, the Website, or the public.
Protect against legal liability.
IX. CHILDREN’S PRIVACY DATA
The Company’s Website and Platform do not address anyone under 18 (eighteen). The Company does not knowingly collect personally identifiable information from anyone under 18 (eighteen). If you are a parent or guardian and are aware that the child has provided the Company with Personal Data, please get in touch with us immediately.
If the Company becomes aware that we have collected Personal Data from anyone under 18 (eighteen) without verification of parental consent, the Company takes steps to remove that Personal Data from our servers or/and any storage used by the Company.
If the Company needs to rely on consent as a legal basis for processing your information and your country requires consent from a parent, the Company may require your parent’s consent before the Company collects and uses that information.
X. SECURITY OF YOUR PERSONAL DATA
The Company takes all reasonable steps to protect information that is received from you from accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. The Company has put in place appropriate physical, technical and administrative measures to safeguard and secure your information, and the Company makes use of privacy-enhancing technologies such as encryption. If you have any questions about the security of your personal information, you can contact us at aolsen@caltech.edu.
XI. LINKS TO OTHER WEBSITES
The Company’s Website may contain links to other websites not operated by us. You will be directed to that third party's website if you click on a third-party link. The Company strongly advises you to review every site's privacy policy.
The Company has no control over and assumes no responsibility for any third-party sites or services' content, privacy policies or practices.
XII. GDPR NOTICE
The legal basis for processing your Personal Data is Art. 6 sec. 1 a), b), f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ EU L 2016.119.1) (GDPR), where the legitimate interest of the Company is related to providing the Software for you.
Personal Data will be processed until an objection to data processing or termination is made, but no longer than 10 (ten) years.
You have the right to access, correct, delete, or restrict your Personal Data or object to the processing, as well as the right to transfer the Personal Data and complain to the supervisory authority.
In the case of obtaining data and processing them based on Art. 6 sec. 1 a) GDPR, you have the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out based on consent before its withdrawal.
Under the GDPR, the Company is a data controller for the Personal Data collected from all categories of data subjects listed above, with the following exceptions: the Company is a data processor of user logs, administrative user logs, and some account settings information. In addition, the Company is a data processor for any of the information provided by you through the Website that transit. Where the Company is a data processor, the Company processes data on your behalf under your data processing instructions.
XIII. INFORMATION FOR CALIFORNIA RESIDENTS
This section provides additional disclosures required by the California Consumer Privacy Act (or “CCPA”).
Please see Chart “Categories of personal information we collect” below in this Policy for a list of the personal information the Company has the right to collect about California consumers in the last 12 (twelve) months, along with the Company business and commercial purposes and categories of third parties with whom this information may be shared. For more details about the personal information the Company collects, including the categories of sources, please see “Collecting and using Personal Data”.
Categories of personal information we collect
Internet or other electronic network activity, such as browsing behaviour, information about your usage, and interactions with the Website and/or the Software.
Parties with whom the information may be shared
The third parties that provide services to the Company, such as those that assist us with User support, subscription and order fulfilment, advertising measurement, communications and surveys, data analytics, fraud prevention, cloud storage, bug fix management and logging, and payment processing. The Company’s advertisers and marketing partners, such as partners that help determine the popularity of the content, deliver advertising and content targeted to your interests and assist in better understanding your online activity.
Subject to certain limitations and exceptions, the CCPA provides California users with the right to request to know more details about the categories and specific pieces of personal information, to delete their personal information, to opt-out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.
The Company does not “sell” the personal information we collect (and will not sell it in the future without providing a right to opt-out). The Company does allow our advertising partners to collect certain device identifiers and electronic network activity via the Company Website to show ads that are targeted to your interests on other platforms. To opt-out, you can adjust Device settings to limit ad tracking via the Website.
California users may make a rights request by emailing us at support@luria.health. The Company will verify your request by asking you to provide information that matches the information the Company has on file about you. You can also designate an authorized agent to exercise these rights on your behalf. Authorized agents should submit requests through the same channels, but the Company will require proof that the person is authorized to act on your behalf and may also still ask you to verify your identity with the Company directly.
XIV. HIPAA PRIVACY RULES
How We May Use or Disclose Your Health Information
Platform and the Users collect health information about you and store it in an electronic health record. The medical record is directly the User’s property, but the information in the medical record belongs to you. The law permits us to use or disclose your health information for the following purposes:
1. Treatment. The User uses medical information about you to provide your medical care or use it to provide the Services as best as possible. The User discloses medical information to our employees and others who are involved in providing the care you need.
2. Payment. We use and disclose medical information about you to obtain payment for the services we provide. Only the User is responsible for the protection of your medical information and shall act in accordance with HIPAA rules and regulations.
3. Health Care Operations. The User may use and disclose medical information about you to operate this medical practice. We may use and disclose this information to review and improve the quality of care we provide or the competence and qualifications of our professional staff. Or we may use and disclose this information to get your health plan to authorize services or referrals. The User may also use and disclose this information as necessary for medical reviews, legal services and audits, including fraud and abuse detection and compliance programs and business planning and management. The User may also share your medical information with our "business associates," such as our billing service, who perform administrative services for us. We have a written contract with each of these business associates that contains terms requiring them and their subcontractors to protect the confidentiality and security of your protected health information. We may also share your information with other healthcare providers, healthcare clearinghouses or health plans that have a relationship with you when they request this information to help them with their quality assessment and improvement activities, their patient-safety activities, their population-based efforts to improve health or reduce health care costs, their protocol development, case management or care-coordination activities, their review of competence, qualifications and performance of health care professionals, their training programs, their accreditation, certification or licensing activities, or their health care fraud and abuse detection and compliance efforts.
4. Marketing. Provided we do not receive any payment for making these communications, we may contact you to give you information about products or services related to our Services, case management or care coordination or to direct or recommend other providers or settings of care that may be of interest to you.
5. Sale of Health Information. We will not sell your health information without your prior written authorization. The authorization will disclose that we will receive compensation for your health information if you authorize us to sell it, and we will stop any future sales of your information to the extent that you revoke that authorization.
6. Required by Law. As required by law, the User will use and disclose your health information, but we will limit our use or disclosure to the relevant requirements of the law. When the law requires us to report abuse, neglect or domestic violence, or respond to judicial or administrative proceedings, or to law enforcement officials, we will further comply with the requirement set forth below concerning those activities.
7. Judicial and Administrative Proceedings. We may, and are sometimes required by law, to disclose your health information in the course of any administrative or judicial proceeding to the extent expressly authorized by a court or administrative order. We may also disclose information about you in response to a subpoena, discovery request or other lawful process if reasonable efforts have been made to notify you of the request and you have not objected or if a court or administrative order has resolved your objections.
8. Law Enforcement. We may, and are sometimes required by law, to disclose your health information to a law enforcement official for purposes such as identifying or locating a suspect, fugitive, material witness or missing person, complying with a court order, warrant, grand jury subpoena and other law enforcement purposes.
9. Public Safety. We may, and are sometimes required by law, to disclose your health information to appropriate persons in order to prevent or lessen a serious and imminent threat to the health or safety of a particular person or the general public.
10. Specialized Government Functions. We may disclose your health information for military or national security purposes or to correctional institutions or law enforcement officers who have you in their lawful custody.
11. Change of Ownership. In the event that our business is sold or merged with another organization, your health information/record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another data processor.
12. Breach Notification. In the case of a breach of unsecured protected health information, we will notify you as required by law. If you have provided us with a current e-mail address, we may use e-mail to communicate information related to the breach. In some circumstances, our business associate may provide the notification. We may also provide notification by other methods as appropriate.
13. Fundraising. We may use or disclose your demographic information in order to contact you for our fundraising activities.
When We May Not Use or Disclose Your Health Information
Except as described in these Privacy Practices, we will, consistent with our legal obligations, not use or disclose health information that identifies you without your written authorization. If you do authorize us to use or disclose your health information for another purpose, you may revoke your authorization in writing at any time.
Your Health Information Rights
1. Right to Request Special Privacy Protections. You have the right to request restrictions on certain uses and disclosures of your health information by a written request specifying what information you want to limit and what limitations on our use or disclosure of that information you wish to have imposed. If you tell us not to disclose information to your commercial health plan concerning healthcare items or services for which you paid in full out-of-pocket, we will abide by your request unless we must disclose the information for treatment or legal reasons. We reserve the right to accept or reject any other request and will notify you of our decision.
2. Right to Request Confidential Communications. You have the right to request that you receive your health information in a specific way or at a specific location. For example, you may ask that we send information to a particular e-mail account or to your work address. We will comply with all reasonable requests submitted in writing, which specify how or where you wish to receive these communications.
3. Right to Inspect and Copy. You have the right to inspect and copy your health information, with limited exceptions. To access your medical information, you must submit a written request detailing what information you want access to, whether you want to inspect it or get a copy of it, and if you want a copy, your preferred form and format. We will provide copies in your requested form and format if it is readily producible, or we will provide you with an alternative format you find acceptable, or if we can’t agree and we maintain the record in an electronic format, your choice of a readable electronic or hardcopy format. We will also send a copy to any other person you designate in writing. We will charge a reasonable fee which covers our costs for labor, supplies, postage, and, if requested and agreed to in advance, the cost of preparing an explanation or summary.
4. Right to Amend or Supplement. You have a right to request that we amend the health information that you believe is incorrect or incomplete. You must make a request to amend in writing and include the reasons you believe the information is inaccurate or incomplete. We are not required to change your health information and will provide you with information about our denial and how you can disagree with the denial. We may deny your request if we do not have the information, if we did not create the information (unless the person or entity that created the information is no longer available to make the amendment), if you would not be permitted to inspect or copy the information at issue, or if the information is accurate and complete as is. If we deny your request, you may submit a written statement of your disagreement with that decision, and we may, in turn, prepare a written rebuttal. All information related to any request to amend will be maintained and disclosed in conjunction with any subsequent disclosure of the disputed information.
5. Right to a Paper or Electronic Copy of this Notice. You have a right to notice of our legal duties and privacy practices with respect to your health information, including a right to a paper copy of this Notice of Privacy Practices, even if you have previously requested its receipt by e-mail.
If you would like to have a more detailed explanation of these rights or if you would like to exercise one or more of these rights, contact our Privacy Officer listed at the top of this Notice of Privacy Practices.
Changes to this Notice
We reserve the right to amend this Notice of HIPAA at any time in the future. Until such amendment is made, we are required by law to comply with the terms of this Notice currently in effect. After an amendment is made, the revised Notice of HIPAA will apply to all protected health information that we maintain, regardless of when it was created or received. We will keep a copy of the current notice posted in our reception area, and a copy will be available at each appointment.
Complaints
Complaints about this Notice of HIPAA or how this medical practice handles your health information should be directed to our Privacy Officer at support@luria.health.
If you are not satisfied with the manner in which this office handles a complaint, you may submit a formal complaint to the local DHHS Office of Civil Rights at OCRMail@hhs.gov.
The complaint form may be found at www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaint.pdf.
You will not be penalized in any way for filing a complaint.
HIPAA Disclaimer
Only the User is responsible for Processing and using your medical records according to this Privacy Policy and the DPA.
XV. DISPUTE RESOLUTION
If you have an unresolved privacy or data use concern that the Company has not addressed satisfactorily, please contact us via support@luria.health.
XVI. CONTACTS
If you have any questions about this Policy, you can contact us:
by email: support@luria.health