Qwitly Privacy Policy

Effective Date: May 3, 2025
Last Updated: May 3, 2025
Applies to: Qwitly (“Qwitly,” “we,” “us,” “our”) including the qwitly.com website, mobile experiences, tele‑medical platform, and related services.

1. At‑a‑Glance

We collect only the information we need to prescribe evidence‑based smoking‑cessation treatment, ship medication, bill for services, and improve our program. We never sell or rent your data, and we share it only with partners who help us deliver care—pharmacies, payment processors, analytics providers bound by strict contracts, or when the law requires it. You have rights to know, access, correct, delete, or limit use of your information, and exercising those rights will never affect the quality of care you receive.

2. Scope & Audience

This Policy covers all visitors to qwitly.com and all patients who use our telemedicine service in the United States. Separate regional addenda describe additional rights for residents of California, Virginia, Colorado, Connecticut, and Utah, and a GDPR notice applies to incidental EEA/UK visitors.

3. Information We Collect

Information you provide when you create an account, complete the online assessment, communicate with clinicians, or upload documents: name, date of birth, mailing address, phone, email, medical history, smoking history, and payment details.

Information we generate such as treatment plans, prescriptions, progress notes, and clinical metrics.

Information we collect automatically: device type, browser, IP address, pages visited, time on site, and diagnostic logs. We use first‑party cookies for site functionality and third‑party analytics cookies (Google Analytics, Hotjar) to understand usage. See Section 11 for details.

Information from third parties: identity verification vendors, pharmacies, insurers, and payment processors.

4. How We Use Information

• To provide, coordinate, and improve clinical care.
• To verify identity, process payments, and prevent fraud.
• To communicate appointment reminders, program updates, and educational content.
• To comply with legal, regulatory, and audit requirements.
• With your additional consent, to send promotional materials (you may opt out at any time).

5. Legal Bases (GDPR / International Visitors)

For individuals located in the European Economic Area or the United Kingdom who reach our site incidentally, we process personal data on the bases of legitimate interest (running a secure medical platform), contract (providing requested services), and legal obligation (medical record retention). Where required we rely on your explicit consent—for example, before setting non‑essential cookies.

6. How We Share Information

We disclose personal information only:

1. With service providers who perform functions on our behalf (compounding pharmacies, mail services, cloud hosting, analytics). Each is bound by a Business Associate Agreement or equivalent data‑processing agreement.
2. For legal reasons when required by court order, subpoena, or to protect the rights, property, or safety of Qwitly or others.
3. With your explicit authorization for uses beyond treatment, payment, or healthcare operations (e.g., research studies).We do not sell or share personal information for cross‑context behavioral advertising as defined by the California Consumer Privacy Act as amended by the CPRA.

7. Your Privacy Rights

7.1 United States (Federal & HIPAA)

You may request access to, correction of, or deletion of your medical record; obtain an accounting of disclosures; request restrictions on certain uses; or receive information by alternate means. See HIPAA Notice of Privacy Practices (Appendix A) for procedures.

7.2 California, Virginia, Colorado, Connecticut & Utah

Residents of these states have the right to know, correct, delete, and opt out of sale/share of personal information. We honor Global Privacy Control (GPC) signals. To exercise any right, email privacy@qwitly.com or visit our Data Choices page in the footer. We will verify your identity and respond within 45 days.

7.3 European Economic Area / United Kingdom

EEA/UK visitors may have the right to access, rectify, erase, restrict, or port personal data, and to object to processing. Contact privacy@qwitly.com. Qwitly’s lead supervisory authority is the Irish Data Protection Commission.

8. Data Retention

• Medical records: 7 years after last treatment (or longer if required by state law).
• Billing records: 10 years.
• Support tickets & emails: 3 years.
• Analytics data: 26 months (Google Analytics standard).
  After the retention period we securely delete or de‑identify data.

9. Children’s Privacy

Our services are intended for adults 18 years and older. We do not knowingly collect information from children under 13. If we learn that we have inadvertently collected such information, we will delete it.

10. Security Measures

We follow industry standards to protect information, including encryption at rest and in transit (TLS 1.3), role‑based access controls, annual penetration testing, and HIPAA‑compliant cloud hosting. No method of transmission is 100 % secure; we encourage you to use unique passwords and enable multi‑factor authentication.

11. Cookies & Tracking Technologies

We use:

• Strictly Necessary Cookies – Site login, session management.
• Performance Cookies – Google Analytics (_ga) to measure page views; retention 26 months.
• Functional Cookies – Remember form preferences.
• Marketing Cookies – None at this time.You can adjust cookie preferences via the Cookie Settings link in the footer or by enabling GPC.

12. International Transfers

Data is stored and processed in the United States. For EU/UK visitors we rely on Standard Contractual Clauses and HIPAA‑level security measures to protect data transferred across borders.

13. Changes to This Policy

We may update this Policy to reflect changes in law or our practices. If changes are material we will post a prominent notice and email account holders. The “Last Updated” date at the top shows when the latest changes took effect.

14. Contact Us

Qwitly — Brain Metrics Lab, dba Safa Rubaye LLC
Attn: Privacy Officer
7800 I‑10, Suite I 624
San Antonio, TX 78230, USA
Phone: +1 (210) 555‑0123
Email: privacy@qwitly.com

Appendix A — HIPAA Notice of Privacy Practices

1. Purpose of This Notice

This Notice explains how we may use and disclose your Protected Health Information (PHI) and your rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

2. Our Legal Duties

We are required to maintain the privacy of PHI, provide this Notice, and follow its terms. We will notify you if a breach compromises your PHI.

3. Permitted Uses & Disclosures

• Treatment: Sharing PHI with physicians, pharmacists, or labs involved in your care.
• Payment: Billing you or your health plan for services rendered.
• Healthcare Operations: Quality improvement, accreditation, auditing.
• As Required by Law: Public‑health reporting, law‑enforcement requests, court orders.
• Business Associates: Vendors who perform services for us under contract.We will obtain your written authorization for any other use, including marketing unrelated products or the sale of PHI.

4. Your HIPAA Rights

You may:

1. Inspect or receive a copy of your PHI (paper or electronic).
2. Request an amendment if information is incomplete or incorrect.
3. Receive an accounting of disclosures made in the past six years (excluding disclosures for treatment, payment, and operations).
4. Request restrictions on certain uses (we are not required to agree but will if feasible).
5. Request confidential communications (alternate address, phone).
6. Obtain a paper copy of this Notice.

5. Exercising Your Rights

Submit written requests to the Privacy Officer at the address above or email hipaa@qwitly.com. We will respond within 30 days.

6. Complaints

If you believe your privacy rights have been violated, contact our Privacy Officer. You may also file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights. We will not retaliate for complaints.

Appendix B — State Privacy Addendum

California, Virginia, Colorado, Connecticut, Utah

Residents of these states may exercise additional rights described in Section 7.2. To make a request, call +1 (210) 555‑0123, email privacy@qwitly.com, or click “Do Not Sell/Share My Info” in our footer. Authorized agents must provide written permission and may be required to verify identity.

If we deny your request you may appeal by emailing privacyappeal@qwitly.com. We will respond within 60 days.