melts.la
Draft Template. This document is a working draft for internal review only. It must be reviewed and finalized by a licensed healthcare attorney and privacy counsel before publication or use. Not legal advice.

Privacy Policy

Effective Date: [Date] · Last Updated: March 2026 · Applies to California residents

melts.la ("we," "us," "our") respects your privacy and is committed to protecting the personal and health information you share with us. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our platform.

1. Who Handles Your Data

Different entities handle different types of your data:

melts.la (Platform Operator / MSO)

Collects account info, intake responses, payment data, and website analytics. Acts as a Business Associate under HIPAA where it handles Protected Health Information (PHI) on behalf of the Clinical Provider.

Clinical Provider (Independent Medical Practice)

The Covered Entity under HIPAA. Receives your health information for clinical review, diagnosis, and prescribing. Maintains its own Notice of Privacy Practices (NPP) as required by 45 CFR §164.520.

Compounding Pharmacy

Receives prescription and shipping information necessary to compound and deliver your medication. Also a HIPAA Covered Entity with its own privacy practices.

2. Information We Collect

| Category | Examples | Purpose |
|---|---|---|
| Identity & Contact | Name, email, phone number, date of birth, shipping address | Account creation, delivery, age verification, communications |
| Health Information (PHI) | Intake questionnaire responses, medical history, medications, SHIM/FSFI scores, dimension scores (D1-D6), safety gate results, provider notes, prescriptions | Clinical assessment, product recommendation, prescribing, safety screening |
| Payment Information | Credit/debit card number (processed by Stripe; we do not store full card numbers), billing address | Subscription billing, refunds |
| Device & Usage Data | IP address, browser type, device type, operating system, pages visited, time on page, referral source (UTM parameters) | Platform improvement, analytics, persona routing, A/B testing |
| Cookies & Tracking | See Section 9 (Cookie Disclosure) for specific cookies used | Site functionality, A/B testing, user experience personalization |
| Communication Records | Emails, support chat transcripts, SMS opt-in/opt-out records | Customer support, regulatory compliance, consent documentation |

We do not collect: Social Security numbers, immigration status, biometric data (fingerprints, facial scans), or financial account numbers beyond payment processing.

3. How We Use Your Information

  • Provide Services: Process your intake, facilitate clinical review, compound your medication, deliver your order, manage your subscription.
  • Safety Screening: Evaluate medication interactions, contraindications, and safety gates to protect your health.
  • Personalization: Match you with the most appropriate intake experience and product recommendation based on your responses and preferences.
  • Communications: Send order confirmations, shipping updates, appointment reminders, and (with your consent) marketing messages.
  • Platform Improvement: Analyze aggregate, de-identified usage data to improve our intake flow, product recommendations, and user experience.
  • Legal Compliance: Fulfill legal obligations, respond to lawful requests, and protect our rights.

4. How We Share Your Information

We share your information only as necessary to provide our services:

| Recipient | What We Share | Why |
|---|---|---|
| Clinical Provider | Health information, intake responses, safety screening results | Clinical review, prescribing |
| Compounding Pharmacy | Prescription details, shipping address | Medication compounding and delivery |
| Courier / Shipping Partner | Name, shipping address, package details | Order delivery |
| Payment Processor (Stripe) | Payment card information, billing address | Transaction processing (BAA in place) |
| Analytics (Google Analytics) | De-identified usage data, page views, A/B test variants | Platform improvement (no PHI shared) |
| Hosting (Cloudflare) | Website traffic data, IP addresses | Content delivery, DDoS protection |

We do not sell your personal information. We do not share your health information for advertising or marketing purposes. We do not use your PHI for targeted advertising.

5. HIPAA & Protected Health Information

Your health information (PHI) is protected under the Health Insurance Portability and Accountability Act (HIPAA):

  • The Clinical Provider is the HIPAA Covered Entity responsible for your PHI.
  • melts.la operates as a Business Associate and has executed a Business Associate Agreement (BAA) with the Clinical Provider.
  • All vendors that handle PHI (payment processor, hosting, etc.) are required to execute BAAs and maintain HIPAA-compliant safeguards.
  • The Clinical Provider maintains a separate Notice of Privacy Practices (NPP) that describes how your PHI is used and your rights under HIPAA. You will receive this notice during your clinical onboarding.

For HIPAA-related inquiries or to exercise your rights regarding PHI, contact the Clinical Provider directly at [Clinical Provider Contact].

6. Your California Privacy Rights (CPRA/CCPA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA) gives you the following rights:

6a. Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.

6b. Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., we may retain information necessary to complete a transaction, comply with legal obligations, or maintain medical records as required by law).

6c. Right to Correct

You have the right to request that we correct inaccurate personal information we maintain about you.

6d. Right to Opt-Out of Sale/Sharing

We do not sell your personal information. We do not "share" personal information for cross-context behavioral advertising as defined under the CPRA. If this changes in the future, we will provide a "Do Not Sell or Share My Personal Information" link and honor Global Privacy Control (GPC) signals.

6e. Right to Limit Use of Sensitive Personal Information

Health information is classified as "sensitive personal information" under the CPRA. We use your health information only for the purposes described in this policy (providing medical services). You have the right to limit our use of sensitive personal information to what is necessary to provide the services you requested.

6f. Non-Discrimination

We will not discriminate against you for exercising any of your CPRA rights. You will not receive different pricing, quality, or service levels for exercising your privacy rights.

6g. How to Exercise Your Rights

To submit a request, email privacy@melts.la with the subject line "CPRA Request." We will verify your identity before fulfilling requests. We will respond within 45 days (extendable by an additional 45 days with notice). You may also designate an authorized agent to make requests on your behalf.

7. California Medical Information (CMIA)

Under the California Confidential Medical Information Act (CMIA) and SB 81 (effective October 2025):

  • We do not collect immigration status information.
  • We will not disclose medical information for immigration enforcement purposes unless expressly required by law or authorized by you.
  • All medical information is treated as confidential and subject to CMIA protections in addition to HIPAA.

8. Text Messaging (SMS/MMS) Terms

By providing your phone number and opting in, you consent to receive text messages from melts.la as described below.

8a. Types of Messages

  • Transactional messages (no opt-in required by law, but we request consent): Order confirmations, shipping updates, prescription ready notifications, appointment reminders.
  • Marketing messages (separate opt-in required): Promotions, product announcements, wellness tips. You will be asked to provide separate, explicit consent for marketing texts.

8b. Frequency & Costs

Message frequency varies based on your activity and preferences. Message and data rates may apply depending on your carrier and plan. We estimate 2-8 transactional messages per month per active subscription.

8c. Opt-Out

You may opt out of text messages at any time:

  • Reply STOP to any message to unsubscribe from all texts.
  • Reply STOP PROMO to unsubscribe from marketing texts only (transactional texts continue).
  • Email hello@melts.la with "Unsubscribe SMS" in the subject line.
  • Manage preferences in your account settings.

After opting out, you will receive one confirmation message. No further messages will be sent unless you re-opt-in.

8d. Help

Reply HELP to any message for support information.

8e. Carrier Compliance (SHAFT)

Due to carrier restrictions on health-related messaging content (SHAFT guidelines), some text messages may use general wellness language rather than specific medical terminology. Full clinical details are always available in your secure account portal.

8f. California Electronic Communications

We comply with the California Invasion of Privacy Act (Penal Code §631) regarding electronic communications. We do not intercept, monitor, or record communications without proper consent.

8g. Consent Records

We maintain records of your SMS opt-in consent, including the date, time, method of consent, and the specific messaging programs you consented to, as required by TCPA regulations.

9. Cookies & Tracking Technologies

We use a limited number of cookies to operate our platform. We do not use third-party advertising cookies or sell data collected through cookies.

| Cookie Name | Type | Duration | Purpose |
|---|---|---|---|
| melts_cta | Functional | 30 days | Stores your A/B test variant for CTA button styling. Ensures you see a consistent experience across visits. Contains no personal information. |
| melts_archetype | Functional | Persistent | Stores your detected persona/archetype for personalized site routing (landing page variant, intake modality). Contains no health or identity data. |
| melts_exit | Session | Session only | Prevents the exit-intent overlay from showing more than once per visit. Cleared when you close your browser. |
| _ga / _gid | Analytics | 2 years / 24 hours | Google Analytics cookies for aggregate site usage statistics. We use IP anonymization. No PHI is sent to Google Analytics. |

9a. Managing Cookies

You can disable cookies through your browser settings. Note that disabling functional cookies may affect your experience (e.g., you may see different A/B test variants on each visit).

9b. Do Not Track / GPC

We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as a request to opt out of any future sale or sharing of personal information, consistent with California law.

10. Local Storage

Our intake assessment stores session data in your browser's localStorage to enable:

  • Continuity if you navigate away and return to the intake
  • Handoff of your assessment results to the provider review dashboard
  • Couples invite linking (no medical data is shared between partners)

This data remains on your device and is not transmitted to our servers until you explicitly submit your intake. You can clear this data at any time through your browser settings.

11. Data Retention

  • Medical records: Retained for a minimum of 7 years after your last interaction, as required by California law (CCP §340.5) and HIPAA.
  • Account information: Retained while your account is active, plus 3 years after closure for legal compliance.
  • Payment records: Retained for 7 years for tax and accounting purposes.
  • Analytics data: Aggregated and de-identified data may be retained indefinitely. Individual-level usage data is retained for 26 months.
  • SMS consent records: Retained for 5 years from the date of consent, as recommended by TCPA guidelines.

12. Security

We implement administrative, technical, and physical safeguards to protect your information:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions
  • Regular security assessments
  • Vendor security reviews and BAA enforcement
  • Incident response procedures with breach notification within 60 days as required by HIPAA and California Civil Code §1798.82

No system is 100% secure. If you become aware of any unauthorized access to your account, contact us immediately at security@melts.la.

13. Children & Minors

Our services are not intended for anyone under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected information from someone under 18, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice on the platform at least 30 days before changes take effect. The "Last Updated" date at the top reflects the most recent revision.

15. Contact Us

  • Privacy inquiries: privacy@melts.la
  • CPRA rights requests: privacy@melts.la (subject: "CPRA Request")
  • Security concerns: security@melts.la
  • General support: hello@melts.la
  • HIPAA / PHI inquiries: Contact the Clinical Provider directly at [Clinical Provider Contact]

© 2026 melts.la — Precision Sexual Wellness
