Privacy Policy

Last updated: May 4, 2026

Introduction

Flow Wellness ("Flow," "we," "us," "our") is committed to protecting your privacy and your personal health information. This policy describes how we collect, use, store, share, and protect information when you visit our website (flowellness.org), use our mobile app, receive clinical care from Flow, or otherwise interact with us. This policy applies to information collected through all of these channels.

Where Flow provides clinical care, we are a "covered entity" under the Health Insurance Portability and Accountability Act (HIPAA), and our handling of Protected Health Information (PHI) is governed by HIPAA, our Notice of Privacy Practices, and applicable state law.

Information We Collect — Website

Inquiry Information. When you submit a contact form, request a consult, or take the peptide quiz, we collect your name, email, phone number, and the inquiry details you provide.

Usage Data. IP address, browser type, pages visited, time on page, referring URL, and similar analytics data, collected via Google Analytics 4 and PostHog.

Cookies and Similar Technologies. First-party analytics cookies. We do not use third-party advertising cookies, retargeting pixels (e.g., Meta, Google Ads conversion pixels), or cross-site tracking on the website.

Information We Collect — Mobile App

The Flow Wellness mobile app is a clinical companion app for active and prospective Flow patients. It is HIPAA-aligned and the data collected is treated as Protected Health Information where applicable.

  • Account & Contact Information. Name, email address, and phone number you provide when creating an account or starting a protocol.
  • Health Information. Information you log or that is recorded as part of your protocol — including dose logs, weight, body metrics, sleep and activity inputs, projected trajectory data, food-noise scores, and protocol/therapy details (e.g., tirzepatide, semaglutide, BPC-157, ipamorelin/CJC-1295, sermorelin, TB-500). If you grant the app permission, we may also read step count and activity data from Apple Health (HealthKit) or Apple's Motion & Fitness API to display in the Body Rings.
  • Secure Messages. Messages you send to and receive from your Flow clinical team within the app, including message content, timestamps, and read status. Messages are end-to-end encrypted in transit and stored as part of your chart.
  • Identifiers. Account user ID and device identifiers used for authentication, session management, crash attribution, and product analytics.
  • Usage and Diagnostic Data. Product interaction data (screen views, taps, scrolls, feature usage) via PostHog; crash reports and performance data via Sentry. These are linked to your account for engineering and clinical-quality purposes.
  • Purchase Information. If you initiate a purchase or subscription, we record purchase metadata (product, status, amount). Payment card information is collected and processed by Stripe directly; Flow does not see, store, or access your card numbers.

We do not collect: precise or coarse location, your iPhone Contacts list, photos or videos from your camera roll (unless you explicitly upload one), audio recordings, browsing history outside the app, search history outside the app, or sensitive demographic data such as race, sexual orientation, religion, or political opinion.

We do not use the app's data for tracking purposes as defined by Apple's App Tracking Transparency framework. We do not link your data with third-party data for advertising, share it with data brokers, or use it for cross-app or cross-site advertising measurement.

How We Use Your Information

  • Provide, operate, and improve the website, app, and clinical services
  • Deliver clinical care: review your protocol, respond to secure messages, schedule visits, send appointment reminders
  • Authenticate you and protect your account
  • Provide customer support and respond to inquiries
  • Analyze website and app usage to improve product quality (aggregated where feasible)
  • Diagnose and fix crashes and performance issues
  • Send you marketing communications about Flow services and educational content (you may opt out at any time using the unsubscribe link in any email)
  • Comply with legal, regulatory, and clinical record-keeping obligations

How We Share Your Information

We do not sell your personal information or your PHI. We share information only as described below:

  • Your Flow clinical team. Your assigned nurse practitioner, supervising medical director, and the clinical staff involved in your care.
  • Business associates under HIPAA-compliant Business Associate Agreements (BAAs). Service providers that handle PHI on our behalf, including our patient management platform, electronic health record vendor, secure messaging infrastructure, and HIPAA-aligned analytics providers, only to the extent needed to provide the service.
  • Compounding pharmacies and labs. Where required to fulfill a prescription written by your Flow clinician, or to coordinate lab work you have authorized.
  • Payment processor. Stripe, for purchases and subscriptions. Stripe receives your card information directly; Flow receives only purchase metadata.
  • Legal and safety. When required by law, subpoena, court order, or to protect the safety of our patients, staff, or others.
  • Business transfers. In connection with a merger, acquisition, or sale of assets, where the recipient is bound to honor this policy.

Third-Party Services

  • Jane App. HIPAA-compliant patient management and electronic health record. BAA-covered.
  • Stripe. Payment processing. PCI-DSS compliant.
  • Twilio. Transactional SMS (e.g., appointment reminders). BAA-covered for healthcare workflows.
  • Klaviyo. Email marketing for users who have opted in. Marketing-only data; not used for PHI.
  • Sentry. Crash reporting and performance monitoring. Linked to user account for triage.
  • PostHog. Product analytics. Linked to user account; not used for advertising.
  • Google Analytics 4. Website analytics only. No PHI.
  • Apple HealthKit / Motion & Fitness. Optional. Read access only, with your explicit permission, used solely to display step and activity data inside the app. Health data read from HealthKit is not stored on Flow servers without your consent.
  • Hosting infrastructure. Vercel and equivalent providers, under appropriate data-protection terms.

Data Security

We use industry-standard administrative, technical, and physical safeguards to protect your information, including TLS encryption in transit, encryption at rest for PHI, access controls, audit logging, secure-by-default device storage (Keychain on iOS, Keystore on Android), end-to-end encryption for in-app secure messages, and Face ID / biometric lock for the app. No system is perfectly secure; if we ever experience a breach affecting your information, we will notify you as required by law.

Children's Privacy (COPPA)

Flow Wellness services are intended for adults 18 and older. We do not knowingly collect personal information from children under 13. The Flow Wellness mobile app is rated 17+ in the App Store.

California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request access or deletion, opt out of sale (Flow does not sell personal information), and be free from discrimination for exercising your privacy rights.

Your Rights and Choices

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and associated data, subject to legal and clinical retention requirements
  • Opt out of marketing communications via the unsubscribe link in any email or by emailing us
  • Request a copy of your health records (right of access under HIPAA)
  • Withdraw any optional permissions you previously granted (e.g., Apple Health access) from your device settings at any time

To exercise any of these rights, contact us using the details below. We will respond within the timeframes required by applicable law.

Data Retention

We retain personal information only as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce our agreements. Patient clinical records are retained per state and federal medical record retention laws (typically at least 6 years for adults, longer for minors). Website inquiry data is retained up to 24 months unless earlier deletion is requested. Account and app data are retained while your account is active and for a reasonable period after closure to satisfy legal and clinical record-keeping requirements.

App Tracking Transparency

The Flow Wellness mobile app does not engage in "tracking" as defined by Apple — we do not link user data with data from other companies' apps or websites for advertising, and we do not share user data with data brokers. Accordingly, the app does not present an App Tracking Transparency permission prompt.

HIPAA Notice

For details on PHI handling under HIPAA, please see our separate HIPAA Notice of Privacy Practices.

Updates to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date reflects the most recent version.

Contact Us

For privacy-related questions, or to exercise your rights, contact:

Flow Wellness
4535 Southwestern Blvd, Suite 207
Hamburg, NY 14075
Email: info@flowellness.org
Phone: (716) 860-1875