Privacy Policy

Last revised: August 5, 2025

The purpose of this Privacy Policy is to describe how Rupa, Inc. (“Rupa”, “we” or “us”) collects, uses and shares information about you through our website located at www.rupahealth.com, content.rupahealth.com, labs.rupahealth.com, and any other online services that link to this Privacy Policy (collectively this “Site”) and in email, text, and other electronic messages between you and this Site and written documents, phone calls, and other offline activities between you and Rupa.

For certain information provided to us through the Site, we have entered into the Rupa Terms of Use and Sale (“Terms”) with physicians or other health care practitioners (or their entities) that use Rupa services (collectively, “practitioners”), and the Terms govern our use of that information. This Privacy Policy supplements the Terms. Our use of Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is governed by applicable law and the Business Associate Terms for Practitioners (“BA Terms”) included in the Terms with your practitioner.

This Privacy Policy applies to our websites, mobile applications, Services, or any other applications or features that link to or reference this Privacy Statement, including when you engage with us on social media, interact with our advertising or marketing materials, as well as offline interactions. This Privacy Policy describes how we handle your personal information and the choices available to you regarding the collection, use, access, and how to update and correct your personal information. Our privacy practices are subject to the applicable laws of the places in which we operate, so you may see additional region-specific terms that only apply to individuals located in those geographic regions, or as required by applicable laws.

Please read this notice carefully to understand how we handle your information. If you do not understand any aspect of our Privacy Policy, please feel free to contact us (our contact information is at the end of this document). This Privacy Policy is not a contract and does not create any contractual rights or obligations. Your use of this Site is governed by our Terms.

What Information does Rupa Collect?

Information You Provide to Us:

We collect information you provide to us through the Site and offline, for example, when you create or modify your account, register to use our Site, purchase products or services from us, request information from us, contact customer support, fill out any form on the Site, or otherwise communicate with us.  We may collect the following categories of personal information from you, depending upon the device you are using and how you interact with us or use or interact with our Services:

  • Identifiers: name, alias, address, phone number, email address, social security number/social insurance number, account name, and IP address;
  • Protected classification information: Personal information categories as defined in applicable laws, including age, sex, payment or other financial information, signature, and employment;
  • Commercial information: records of Products or Services sold, purchased, obtained, or considered, including purchasing or consuming history and tendencies;
  • Internet or other similar network activity information: search history and information on interactions with our website, application, or advertisement;
  • Geolocation data: approximate location based on relevant IP address;
  • Audio and visual information: phone calls and other communications with our customer service team, as well as photos or videos uploaded by you;
  • Professional information: business or professional qualifications, as well as National Provider Identification numbers;
  • Education information: education-related information provided by you and directly related to Practitioner Accounts that is maintained by an educational institution or party acting on its behalf; and
  • Sensitive personal information: account log-in information (if you make an account with us), approximate geolocation, information concerning your health, or information concerning your sex life (such as your purchases of sexual health products using our Services).
         

Please note if you are a practitioner and sign up to use our Services, we will handle your patients’ lab work. We will use and disclose patients’ Protected Health Information in accordance with HIPAA. If you are a practitioner who is not subject to HIPAA, this Privacy Policy governs our use of medical testing information and other health information provided to us through the Site.

Information Collected Automatically:

Whenever you interact with our Services, we automatically receive and record information on our server logs from your browser or device, which may include your IP address, geolocation data, device identification, “cookie” information, the type of browser and/or device you’re using to access our Services, and the page or feature you requested. “Cookies” are a text file that we, or an included third party service, embed within the Site, and that may be transferred to your browser or device to allow us or the third-party service to recognize your browser or device and tell us or the third-party service how and when pages and features in our Services are visited and by how many people. The third-party service providers may aggregate that information across their sites and other sites that have the same services installed. You may be able to change the preferences on your browser or device to prevent or limit your device’s acceptance of cookies, but this may prevent you from taking advantage of some of our Site’s features. 

We use several third-party services, which may include features that track you across websites, such as Google Tag Manager, HubSpot, Facebook Connect, Segment, LinkedIn Analytics and other third-party services. We may update our third-party embedded services from time to time and based on which links in our Site you click.  Each of these services are governed by their own privacy policy found on the associated third-party website. 

The information we collect automatically may include personal information, or we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve the Site and to deliver a better and more personalized service, including by enabling us to:

  • Estimate our audience size and usage patterns.
  • Store information about your preferences, allowing us to customize our Site according to your individual interests.
  • Speed up your searches.
  • Recognize you when you return to our Site.
  • We may use this data to customize content for you that we think you might like, based on your usage patterns. We may also use it to improve the Services – for example, this data can tell us how often users use a particular feature of the Services, and we can use that knowledge to make the Services more helpful to as many users as possible. 

If you click on a link to a third-party website or service, a third party may also transmit cookies to you. Again, this Privacy Policy does not cover the use of cookies by any third parties, and we aren’t responsible for their privacy policies and practices. Be aware that cookies or other third-party tracking technologies may be placed by third parties and may continue to track your activities online even after you have left our Services, and those third parties may not honor “Do Not Track” requests you have set using your browser or device. We do not control these third parties' tracking technologies or how they may be used by the third parties. If you have any questions about an advertisement or other targeted content, you should contact the responsible party directly.

No Information from Individuals Under the Age of 18

If you are under the age of 18, please do not attempt to register with us at this Site or provide any personal information about yourself to us. If we learn that we have collected personal information from someone under 18, we will promptly delete that information. If you believe we have collected personal information from someone under the age of 18, please email us at hello@rupahealth.com.

How does Rupa Share or Use the Personal Information it Receives?

To Provide Products, Services, and Information.

We collect information from you and use the information to:

  • present our Services, Site and its contents to you;
  • provide you with information, products, or services that you request from us;
  • improve our Services, Site and its contents;
  • develop new features, functionality and content for our Services and Site;
  • fulfill any other purpose for which you provide it;
  • communicate with lab companies to order and track lab-work either ordered for you or your patients;
  • register and service your online account;
  • provide information that you request from us;
  • contact you about your lab statuses and lab orders;
  • process credit card and debit card transactions;
  • get products shipped to you from lab companies;
  • send you promotional materials or advertisements about our products and services, as well as new features and offerings;
  • enforce our Terms or other legal rights and remedies;
  • provide interest-based targeted advertising to you;
  • notify you about changes to our Site or any products or Services we offer or provide through it; and
  • any other purposes disclosed to you at the time we collect your information or pursuant to your consent.
     

Sharing among Patients, Healthcare Practitioners and Labs. Rupa acts as a third-party between patients and practitioners to get lab work ordered effectively. We share patients’ personal information with the doctor and relevant medical staff, as well as the lab company performing the tests and relevant lab personnel, in connection with getting orders and lab results in.

Vendors and Service Providers. We may provide information to third-party vendors and service providers that help us operate and manage our Site, process orders, and fulfill and deliver products and Services that you purchase through us. These vendors and service providers will have access to your personal information in order to provide these services, but when this occurs, we implement reasonable contractual and technical protections to limit their use of that information to help us provide the service. We primarily share personal information with these third parties to help us with the uses described above, including for the purposes of operating our business, delivering, improving, providing, and customizing our Services, fulfilling orders, analyzing data, sending promotional and other communications related to our business, and for other legitimate purposes permitted by applicable law or otherwise with your consent.

Your Consent. In addition to the sharing described elsewhere in this Privacy Policy, we will share personal information with companies, organizations, or individuals outside of Rupa when we have your consent to do so.

Legal Responsibilities and Proceedings. We will share personal information with third-party companies, organizations, or individuals outside of Rupa if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, subpoena, legal process, or enforceable governmental request;
  • enforce applicable Terms, including investigation of potential violations;
  • detect, prevent, or otherwise address fraud, security, or technical issues; or
  • protect against harm to the rights, property or safety of Rupa, our users, customers or the public as required or permitted by law.

Transfer in the Event of Sale or Change of Control. If the ownership of all or substantially all of our business changes or we otherwise transfer assets relating to our business or the Site to a third party, such as by merger, acquisition, bankruptcy proceeding or otherwise, we may transfer or sell your personal information to the new owner. In such a case, unless permitted otherwise by applicable law, your information would remain subject to the promises made in the applicable privacy policy.

To Create De-Identified Data. We may use your information to create data that is de-identified in accordance with the de-identification standards under HIPAA and other laws. We will use de-identified data only as permitted by applicable law. We will not sell de-identified data.

To Provide Analysis to Health Care Providers. Rupa may combine your information with information from other users of the Site to provide analysis in de-identified form to practitioners and lab companies.  

Do I have access to my information?

You can access and update certain information we have relating to your online account by signing in to your account and going to the Account section of our Site. If you have questions about personal information we have about you or need to update your information, you can Contact Us or call us at (669) 294-2703.

Other Sites

This Privacy Policy does not apply to information collected by Rupa through other means, including other websites operated by Rupa or any third-party (including third-party websites that the Site may link to). 

Your Rights and Choices

In accordance with applicable law, you may exercise certain choices and rights in connection with our products, services, and features as described in this section. Some of the rights may vary depending on your state or province of residence. To submit a privacy request, please see the instructions provided below.

Right to Opt-out of Profiling, Targeted Advertising, and Sharing. You may have the right to opt out of profiling, targeted advertising, and sharing of your personal information for cross-context behavioral advertising. In addition to the methods described below, you may opt out of targeted advertising and the sharing of your personal information for cross-context behavioral advertising by declining advertising cookies through the banner on our Platform. 

Right to Know. You may have the right to request we disclose the following information:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or sharing that personal information.
  • The categories of third parties with whom we share personal information.
  • The specific pieces of personal information we collected about you.
  • The categories of personal information disclosed for a business purpose, and for each category identified, the categories of third parties to whom we disclosed it.

The information requested will be provided in a portable, transferable, and usable format, such as PDF.

Right to Delete. You may have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your request, we will delete your personal information from our records unless an exception applies. We may deny your deletion request if an exception applies, such as if the information is necessary to complete the transaction for which the information was collected, detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, identify and repair errors and for various other reasons available under applicable law.

Right to Correct. You may have the right to request that we correct inaccurate personal information that we maintain, subject to relevant exceptions. You can review and edit your personal information at any time by logging into your Rupa account.

Right of Non-Discrimination. We will not discriminate against you in any way if you choose to exercise your rights under applicable law.

How to Contact Us

You can submit a request to us by either:

  • Calling us at (669) 294-2703
  • Sending us an email at hello@rupahealth.com
  • US postal mail at the following address:
    Rupa, Inc.
    2nd Floor 1750 Elm St., Floor 12
    Manchester, NH 03104

Verification. In order to protect your personal information and prevent fraud, some of the requests must be verified. We may contact you by phone, email, or chat to complete the verification process. This process may require matching the information provided in your request with the information we have on file about you, and depending on the sensitivity of information requested utilizing more stringent verification methods, including but not limited to requesting additional information from you and/or requiring you to sign a declaration under penalty of perjury. In certain circumstances, we may decline a request to exercise a privacy right, particularly where we are unable to verify your identity.

Authorized Agent. You may designate an authorized agent to submit a request on your behalf. To do so, you must (1) verify your own identity directly with us; and (2) provide the authorized agent with written documentation of their authority to act on your behalf, such as: (a) a power of attorney; or (b) sufficient evidence to show that you have provided the authorized agent signed permission to act on your behalf and directly confirmed with us that you provided the authorized agent permission to submit the request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf.

Response Timing and Format. Once you have submitted a request, we will respond within the time frame permitted by the applicable law.

Appeals. You may appeal our decision to your request regarding your personal information. To do so, please contact us by emailing hello@rupahealth.com. We respond to all appeal requests as soon as we reasonably can, and no later than legally required. 

Security of Personal Information

We endeavor to protect the personal information you entrust to us. We have reasonable and appropriate technical, physical, and administrative security measures in place to protect the confidentiality of personal information and protect against accidental or unlawful destruction, or accidental loss, alteration, or unauthorized disclosure or access. These measures are designed to provide a level of security appropriate to the risk represented by the processing and the nature of the data. In the event we share personal information with service providers or other restricted third parties, we require such service providers to have appropriate security measures and we restrict the ways in which they may use or disclose personal information. 

Transmitting personal information is at your own risk (for example, the internet and mobile networks cannot be guaranteed to be secure). While we attempt to protect and safeguard your personal information in our possession, no system or network is perfect and can be guaranteed to be 100% secure, and we cannot promise that information about you will remain secure in all circumstances. The safety and security of your personal information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. You are solely responsible for all uses of your password, even if such uses were not authorized by you. If you suspect an unauthorized use or security breach of your personal information, please contact us immediately.

Retention of Personal Information 

We typically retain personal information for the period necessary to fulfill the purposes for which it was collected and any other permissible or related purpose, unless a longer retention period is required or permitted by law. In many situations, we must retain some or all of your personal information to: comply with our legal obligations; resolve disputes; enforce our agreements; protect against fraudulent, deceptive, or illegal activity; or for other legitimate business purposes, such as for auditing, accounting, or tax purposes. Once personal information is no longer needed, we ensure its secure disposal in accordance with applicable laws and our data retention policies.

Your California Privacy Rights

California Civil Code Section 1798.83 (also known as the “Shine the Light” law) permits individual California residents to request certain information regarding our disclosure of certain categories of personal information to third parties for those third parties’ direct marketing purposes. To make such a request, please contact us using the information in the “How to Contact Us” section. This request may be made no more than once per calendar year, and we reserve our right not to respond to requests submitted other than to the email or mailing addresses specified below. Note that we do not currently share personal information with third parties for those third parties’ direct marketing purposes.

Consent to Processing of Personal Data in the U.S.

This Site is intended for use only in the United States. If you use this Site or contact us from outside of the United States, please be advised that (i) any information you provide to us or that we automatically collect will be transferred to the United States; and (ii) by using this Site or submitting information, you explicitly authorize its transfer to and subsequent processing in the United States in accordance with this Privacy Policy.

Changes to our Privacy Policy

We reserve the right to amend this Privacy Policy from time to time. If we amend this Privacy Policy, we will post the updated Privacy Statement on the website and update the Privacy Policy’s effective date. You acknowledge and understand that you should visit this page periodically to be aware of and review any such revisions. By continuing to use our Services after such revisions are in effect, you are acknowledging that you have read and understand the revisions.  We engage in ongoing monitoring of our privacy practices to ensure compliance with this Privacy Policy and applicable laws, making updates as necessary to reflect changes in our data practices or legal requirements.