Privacy Policy

Last updated: 10/13/2025

Introduction

Welcome to Legion Health, Inc.

Legion Health, Inc., a corporation organized and existing under the laws of Delaware (“us”, “we”, or “our”), operates https://legion.health (“Platform”) and provides or makes accessible various services via our Platform (“Services”).

We are not a medical group or a health care provider. We offer individuals the option to receive telemedicine consultations from independent medical professionals, including—though not limited to—Legion Health, PA, a professional association organized and existing under the laws of Texas, and its affiliated covered entity (“Medical Group”), an independent medical group composed of U.S.-based providers (each, a “Provider”). The Medical Group consists of separate and independent organizations from us. The Medical Group (or your personal health care provider if you do not use a Medical Group Provider) is responsible for giving you a Notice of Privacy Practices that details the collection and use of your health information. We are not responsible for giving you any such notice.

Please note that this Privacy Policy does not apply to the collection and use of protected health information (“PHI”) by our affiliated professional practices, including Legion Health, PA (collectively, the “Medical Group”), which is instead covered by the Medical Group’s Notice of Privacy Practices (the “Notice”) (https://legionhealth.com/notice). Any conflict between this Privacy Policy and the Notice with respect to such PHI shall be resolved in favor of the Notice. When Legion Health, Inc. handles PHI for or on behalf of the Medical Group, it does so solely as a HIPAA Business Associate under a Business Associate Agreement.

When does our Privacy Policy apply?

This Privacy Policy explains the types of information we may gather about you in connection with or as part of providing our Services in various circumstances, including:

  • When you access or use our Platform (which includes our Website);

  • During e-mail, text, or other electronic communications between you and us, and

  • When we communicate in person or by phone for non‑clinical support or administrative purposes.

When does our Privacy Policy not apply?

In addition to the PHI exclusion above, this Privacy Policy does not apply to: (i) any other website or service operated by us unless this Policy is posted there; or (ii) medical services furnished by the Medical Group, which are governed by the Notice.

Third-Party Websites and Services

Our Platform may contain links to or integrations with third-party websites, mobile applications, and services (for example, embedded content, social media widgets, single-sign-on providers, maps/video hosting, analytics/advertising partners, and payment processors). Any information you provide to those third parties is subject to their privacy policies, terms, and settings—not this Privacy Policy. We are not responsible for the privacy or security practices of those third parties.

These third parties may collect information directly from you or your device via cookies, pixels, SDKs, APIs, or similar technologies when you interact with their features. See the “Cookies, Analytics & Usage Data” and “Behavioral Remarketing” sections for controls and opt-out options.

For clarity, this Privacy Policy also does not apply to the Medical Group’s clinical portals or tools used to furnish medical services; those are governed by the Medical Group’s Notice of Privacy Practices (the Notice).

Our Privacy Policy and Terms of Use

This Privacy Policy is incorporated into, and should be read together with, our Terms of Service.

Personal Information — Definition & Scope

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with an identified or identifiable individual or household. Examples include your name, email address, phone number, postal address, device identifiers, and IP address.

This Privacy Policy applies to Personal Information we collect via the Platform and our non‑clinical Services. It does not apply to protected health information (“PHI”) created or received by Legion Health, PA when furnishing medical services; PHI is governed by the Medical Group’s Notice of Privacy Practices (the Notice). When Legion Health, Inc. handles PHI for or on behalf of the Medical Group, it does so solely as a HIPAA Business Associate under a Business Associate Agreement. We do not use PHI for advertising.

Categories of Personal Information We Collect

We may collect the following categories of Personal Information from or about you:

  • Identifiers (e.g., name, email address, phone number, postal address).

  • Device/Network Activity and Usage Data (e.g., IP address, browser type, pages viewed, timestamps, crash/diagnostic data).

  • Commercial/Transaction Data related to purchases with us (non-payment-card details).

  • Communications and Support Interactions (e.g., messages you send us and related metadata).

  • Inferences/Preferences (e.g., marketing preferences you select).

Outside of the consumer-facing Platform, we may collect the following categories of Personal Information for workforce and vendor-management purposes:

  • Government/Identity Data (e.g., Social Security number or other taxpayer IDs; driver’s license, passport, or other government ID; immigration/work authorization information).

  • Demographics & Date of Birth (where permitted by law and/or voluntarily provided for compliance reporting).

  • Employment/Candidate Data (e.g., resume/CV, employment and education history, professional licenses, interview notes, performance and training records, sanctions/exclusion screenings).

  • Payroll/Benefits & Financial Data (e.g., bank account details for direct deposit, tax withholding forms, benefits enrollment/eligibility data, emergency contacts).

  • Compliance & Security (e.g., I-9/E-Verify documentation, access logs to company systems, device identifiers for company-issued devices, facility access records).

  • Background Checks (where permitted by law) conducted by third-party providers, subject to separate disclosure and authorization.

This information is not collected through the consumer-facing Platform. It is collected directly from you or from sources such as recruiters, references you provide, third-party background-check vendors (with your authorization), educational institutions, licensing boards, benefits administrators, payroll providers, and government agencies.

Workforce/Vendor Notice. Workforce and vendor‑management data is not collected through the consumer‑facing Platform and is handled under separate notices and authorizations as required by law (e.g., Fair Credit Reporting Act for background checks). Rights, purposes, and retention for workforce data may differ from those described for consumer Personal Information in this Privacy Policy.

Cookies, Analytics & Tracking Technologies

We use cookies, pixels, SDKs, and similar technologies to operate and secure the Platform, remember preferences, and understand how the Platform is used. You can control cookies in your browser/device. Disabling certain cookies may affect site functionality.

HIPAA/PHI Safeguards. We do not use tracking technologies on pages or in ways that would disclose PHI to third parties. We do not send PHI to analytics or advertising partners. Clinical portals and PHI-related workflows are segregated and governed by the Medical Group’s Notice.

Cookie Categories. We group cookies/technologies into the following categories:

  • Strictly Necessary (required for core functionality and security);

  • Preferences (to remember choices);

  • Analytics/Performance (to measure usage and improve the Platform); and

  • Advertising/Remarketing (only on non-PHI pages and where permitted by law).

Controls. You can manage preferences via browser settings, platform controls and recognized browser-based signals such as Global Privacy Control (GPC) where required by law.

How We Use Personal Information

We use Personal Information to:

  • provide, operate, secure, troubleshoot, and improve the Platform and non-clinical Services;

  • communicate with you (e.g., account notices, service messages, support);

  • personalize your experience and remember preferences;

  • measure and improve analytics, quality, and performance (on non-PHI pages);

  • detect, prevent, and investigate fraud, abuse, and security incidents;

  • comply with law and enforce our Terms of Service; and

  • other purposes with your consent.

Marketing. Where permitted, we may send you marketing or promotional emails about our Services. You can opt out at any time using the unsubscribe link in those emails. Opting out of marketing does not affect transactional or legally required communications.

Targeted Advertising/“Sale”/“Sharing.” On non-PHI pages, we may work with partners to offer or measure advertising where allowed by law. Some states treat certain adtech disclosures as a “sale” or “sharing” of personal information. Where required, you can opt out by using a valid Global Privacy Control (GPC) signal. We do not use PHI for advertising. 

Retention of Data

We retain Personal Information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, including to comply with legal, regulatory, tax, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. Where feasible, we will de‑identify or aggregate data or delete it when it is no longer needed for these purposes. Retention of PHI is governed by the Medical Group’s Notice and applicable law.

Transfer of Data

Your information, including Personal Information, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

Your consent to this Privacy Policy, followed by your submission of such information, represents your agreement to that transfer.

We will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Information will take place to an organization or a country unless there are adequate controls in place, including the security of your data and other Personal Information.

Handling of PHI by Legion Health, Inc., where applicable, occurs under a Business Associate Agreement with the Medical Group.

Disclosure of Data

Service Providers / Business Associates. We disclose Personal Information to vendors that process data for us (e.g., hosting, support, security, analytics) under contracts that limit their use of the data. When Legion Health, Inc. handles PHI for or on behalf of the Medical Group, we do so as its HIPAA Business Associate under a Business Associate Agreement.

Affiliates. We may disclose Personal Information to our corporate affiliates for purposes consistent with this Privacy Policy. For clarity, PHI handled by the Medical Group is governed by the Notice, not this Privacy Policy.

Advertising / Analytics Partners. On non‑PHI pages of our Platform, we and selected partners may use cookies, pixels, SDKs, or similar technologies to measure and improve the site and, where permitted by law, to provide or measure advertising. We do not use tracking technologies on pages or in ways that would disclose PHI to third parties, and we do not send PHI to analytics or advertising partners. Some states treat certain adtech disclosures as a “sale” or “sharing” of personal information. Where required, you can opt out by using a valid Global Privacy Control (GPC) signal. We do not sell or share PHI for advertising.

Disclosures for Protection. We may access, preserve, and disclose information if we or our service providers, in good faith, believe it is necessary to: comply with law, regulation, legal process, or governmental request; protect the rights, property, or safety of you, us, our users, or others; enforce our terms or policies; detect, prevent, or investigate fraud, security, or technical issues; collect fees; or pursue or defend legal claims.

Business Transfers. We may disclose or transfer information in connection with a merger, acquisition, reorganization, financing, asset sale, bankruptcy, or similar event. Recipients must honor the commitments described in this Privacy Policy or provide you with notice of material changes.

Online Tracking Guardrails

  • PHI Silo. We segregate PHI workflows (e.g., clinical portals or forms used to obtain care) and do not deploy third‑party advertising or analytics tags on those surfaces in ways that would disclose PHI.

  • Configuration / Minimization. We configure analytics in a privacy‑protective manner (e.g., limiting retention; disabling unnecessary data collection; using IP truncation/anonymization where supported; prohibiting collection of precise location on PHI pages; and avoiding transmission of full URLs or query strings that could contain health‑related terms).  

  • No PHI to Ad Partners. We do not send PHI to advertising partners and do not use PHI for targeted advertising, cross‑context behavioral advertising, or profiling for marketing purposes.  

  • State Opt‑Outs. Where required by law, we honor consumer opt‑out choices for targeted advertising/“sharing” and certain profiling, including recognized browser signals such as Global Privacy Control (GPC). 

Internal Reviews. We periodically review tagging configurations and vendor contracts to confirm compliance with this section and with HIPAA and applicable state privacy laws.

Security of Data

We use administrative, technical, and physical safeguards designed to protect Personal Information. No method of transmission or storage is 100% secure. If we believe a security incident materially affects your information, we will notify you consistent with applicable law.

We do not respond to the “Do Not Track” (DNT) signal. Where required by law, we honor legally recognized browser-based opt-out signals (such as Global Privacy Control) for applicable activities (e.g., targeted advertising).

Product Measurement

We use analytics tools to operate, secure, and improve the Platform. These tools act as our processors and may not use data for their own advertising purposes under our agreements.

PostHog. If enabled, PostHog acts as our HIPAA Business Associate under a Business Associate Agreement (BAA) and may receive PHI only to perform services for health care operations (e.g., reliability, quality, safety, user experience). We configure PostHog with privacy‑protective controls (e.g., minimizing event properties; avoiding free‑text fields; suppressing URL/query parameters; restricting access). PostHog data is not “sold” or “shared” for cross‑context behavioral advertising.

Google Analytics. If enabled, Google Analytics is used only on non‑PHI pages to measure site usage. We configure privacy‑protective controls (e.g., IP truncation/anonymization where supported; disabling Google Signals/Ads features; filtering query‑string parameters; limiting retention). We do not send PHI to Google. Where required by law, you can opt out of targeted advertising/“sharing” via recognized browser signals such as Global Privacy Control (GPC).

For more information about how these providers handle data, refer to their published privacy notices. To exercise choices with respect to cookies and analytics, use your browser settings. These analytics tools operate as our processors and may not use data for their own advertising purposes under our agreements.

CI/CD & Developer Tools

We use developer tools (e.g., GitHub) to build and maintain the Platform. These tools process developer-account information and code repositories; they do not collect consumer Personal Information from your use of the Platform. For GitHub’s privacy practices, see: https://help.github.com/en/articles/github-privacy-statement.

Behavioral Remarketing

On non-PHI pages of our Platform, we and selected partners may use cookies, pixels, SDKs, or similar technologies to offer or measure advertising (sometimes called “targeted,” “interest-based,” or “remarketing”) where permitted by law. We do not deploy tracking technologies on pages or in ways that would disclose protected health information (PHI) to third parties, and we do not send PHI to advertising partners. We do not “sell” or “share” PHI for cross-context behavioral advertising. To exercise opt‑out rights where required by law, configure your browser with a valid Global Privacy Control (GPC) signal.

Opt-Outs & Browser Signals. Where required by law, you can opt out of targeted advertising/“sharing” by using a valid Global Privacy Control (GPC) signal. You may also adjust cookie settings in your browser/device; disabling certain cookies may affect site functionality.

Scope & Guardrails. Targeted advertising is limited to non-PHI surfaces (for example, general marketing pages). We do not place advertising or remarketing tags on login, scheduling, patient portal, intake/symptom forms, clinical content pages, results pages, or telehealth session pages. For our configuration standards, see Online Tracking Guardrails (§12).

We may work with advertising partners such as Google, Microsoft, X, and Meta; their collection and use are subject to their privacy notices.

Payments

Payments for non-clinical Services are processed by Stripe. We do not store full payment card numbers; Stripe processes them under PCI-DSS. We may receive limited transaction metadata (e.g., last four digits, expiration month/year, billing zip) for records, fraud prevention, and support. Payments related to Medical Services are subject to the Medical Group’s Financial Agreement and the Notice.

Children's Privacy

Our Services are not intended for individuals under 18. We do not knowingly collect Personal Information from anyone under 18. If you believe a child provided Personal Information, contact us and we will delete it.

State Privacy Notices

Texas (TDPSA). If the Texas Data Privacy and Security Act applies to our processing, Texas consumers may have rights to confirm, access, correct, and delete Personal Data, and to opt out of targeted advertising, certain profiling, or any sale of Personal Data. You can exercise these rights by emailing privacy@legionhealth.com. We will not process sensitive data about Texas residents without providing the notices required by law.

Texas Electronic Disclosures (HB 300 / Health & Safety Code §181.154). PHI may be electronically disclosed as permitted by law; the Medical Group’s Notice provides the required notices and, where applicable, authorizations. This Privacy Policy does not alter your HIPAA/HB 300 rights regarding PHI.

Your Privacy Choices

To exercise opt‑out rights where required by law (e.g., targeted advertising/“sharing”), manage analytics/cookie preferences, or submit other privacy requests, email privacy@legionhealth.com. We honor legally recognized browser‑based opt‑out signals such as Global Privacy Control (GPC) for applicable activities.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective, and update the “effective date” at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Non-U.S. Users

The Platform and Services are intended for use in the United States. If you are not located in the U.S., you may not use the Services. We do not target or knowingly collect Personal Information from individuals outside the U.S.

Contact Us

If you have any questions about this Privacy Policy, please contact us:

  • By email: privacy@legionhealth.com

  • By mail at Legion Health, Inc., 1606 Headway Cir, STE #9779, Austin, TX 78754

Ready for Your Next Step?

We're here to support you, whenever you're ready.

Questions?
Text or call (737) 237-2900, or email support@legionhealth.com.

Proudly backed by Y Combinator for innovative, patient-first care. Committed to your privacy and well-being.

© 2026 Legion Health
