Privacy Policy

Effective date: May 31, 2026

Introduction

Welcome to Legion Health, Inc.!

Legion Health, Inc., a Delaware corporation (“Company,” “we,” “our,” or “us”), respects your privacy and is committed to protecting it through our compliance with this policy.  This Privacy Policy explains how we collect, use, safeguard, and disclose information about you when you visit https://legionhealth.com (the “Website”) or use any mobile app that we make available to you (together with the Website, the “Platform”) through which we provide non-medical administrative and management services to you (the “Services”). 

Protected health information (“PHI”) collected or used by Legion Medical, PA and any other affiliated professional practices (collectively, the “Medical Group”) is governed by the Medical Group’s Notice of Privacy Practices (the “Notice”) (https://legionhealth.com/npp), not this Privacy Policy. Any conflict between this Privacy Policy and the Notice with respect to PHI shall be resolved in favor of the Notice. When Legion Health, Inc. handles PHI for or on behalf of the Medical Group, it does so solely as the Medical Group’s management services organization (“MSO”) and, where applicable, as a HIPAA Business Associate under a Business Associate Agreement.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it.  This Privacy Policy is part of, and is incorporated into, our Terms of Service. By accessing or using the Platform, you agree to this Privacy Policy and the Terms of Service. If you do not agree, do not use the Platform. Capitalized terms not defined here have the meanings given in the Terms of Service. 

We may change the terms of this Privacy Policy from time to time (see Changes to this Privacy Policy, below). Your continued use of the Platform after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates.

When does our Privacy Policy apply?

This Privacy Policy explains the types of information we may gather about you in connection with or as part of providing our Services in various circumstances, including:

  • When you access or use our Platform;

  • During e-mail, text, or other electronic communications between you and us, and

  • When we communicate in person or by phone for non‑clinical support or administrative purposes, any other information we may collect about you offline when you use our Services.

Personal Information — Definition & Scope

Throughout this Privacy Policy, the term “Personal Information” means any information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with an identified or identifiable individual or household. Examples include your name, email address, phone number, postal address, device identifiers, and IP address.  However, Personal Information does not include any deidentified or aggregated information. 

This Privacy Policy applies to Personal Information we collect via the Platform and our non‑clinical Services. As stated above, it does not apply to any PHI governed by the Notice. 

Categories of Personal Information We Collect

We may collect the following categories of Personal Information from or about you:

  • Identifiers (e.g., name, email address, phone number, postal address).

  • Device/Network Activity and Usage Data (e.g., IP address, browser type, pages viewed, timestamps, crash/diagnostic data).

  • Commercial/Transaction Data related to purchases with us (non-payment-card details).

  • Communications and Support Interactions (e.g., messages you send us and related metadata).

  • Inferences/Preferences (e.g., marketing preferences you select).

Outside of the consumer-facing Platform, we may collect the following categories of Personal Information for workforce and vendor-management purposes:

  • Government/Identity Data (e.g., Social Security number or other taxpayer IDs; driver’s license, passport, or other government ID; immigration/work authorization information).

  • Demographics & Date of Birth (where permitted by law and/or voluntarily provided for compliance reporting).

  • Employment/Candidate Data (e.g., resume/CV, employment and education history, professional licenses, interview notes, performance and training records, sanctions/exclusion screenings).

  • Payroll/Benefits & Financial Data (e.g., bank account details for direct deposit, tax withholding forms, benefits enrollment/eligibility data, emergency contacts).

  • Compliance & Security (e.g., I-9/E-Verify documentation, access logs to company systems, device identifiers for company-issued devices, facility access records).

  • Background Checks (where permitted by law) conducted by third-party providers, subject to separate disclosure and authorization.

This information is not collected through the consumer-facing Platform. It is collected directly from you or from sources such as recruiters, references you provide, third-party background-check vendors (with your authorization), educational institutions, licensing boards, benefits administrators, payroll providers, and government agencies.

Workforce/Vendor Notice. Workforce and vendor‑management data are not collected through the consumer‑facing platform and are handled under separate notices and authorizations as required by law (e.g., Fair Credit Reporting Act for background checks). Rights, purposes, and retention for workforce data may differ from those described for consumer Personal Information in this Privacy Policy.

Personal Information We Collect Through Cookies, Analytics & Tracking Technologies

A “cookie” is a small file placed on the hard drive of your computer. Our Platform may use session cookies, which expire when you close your browser, and persistent cookies, which stay on your device until you delete them or they expire, along with pixels, SDKs, local storage, APIs, and similar technologies. We use these technologies to operate and secure the Platform, remember preferences, understand how the Platform is used, and, on non-PHI pages only, measure or offer advertising where permitted by law. You can control cookies through your browser or device settings, and where required by law, we honor recognized browser-based opt-out signals such as Global Privacy Control (GPC). Disabling cookies may impair functionality or prevent you from using certain parts of the Platform.

We do not use tracking technologies on pages or in ways that would impermissibly disclose PHI to third parties, such as sending to analytics or advertising partners. Clinical portals and PHI-related workflows are segregated and governed by the Notice.

Cookie Categories. We group cookies/technologies into the following categories:

  • Strictly Necessary (required for core functionality and security);

  • Preferences (to remember choices);

  • Analytics/Performance (to measure usage and improve the Platform); and

  • Advertising/Remarketing (only on non-PHI pages and where permitted by law).

Controls. Unless you have adjusted your browser settings so that it will refuse cookies, our system will issue cookies when you direct your browser to our Platform. You can manage preferences via browser settings, platform controls, and recognized browser-based signals such as Global Privacy Control (GPC) where required by law. You can find more information about cookies at http://www.allaboutcookies.org. However, if you do not consent to our use of cookies or set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent, you may be unable to access certain parts of our Platform.

Third-Party Services and Tracking Technologies

We use third-party service providers and processors to operate, secure, maintain, improve, and measure the Platform and Services. These providers may include hosting and infrastructure providers, support tools, analytics and product measurement tools, CI/CD and developer tools such as GitHub, payment processors such as Stripe, communications providers, security vendors, and advertising or remarketing partners used only on non-PHI surfaces where permitted by law. These providers may process Personal Information only as described in this Privacy Policy and subject to contracts or other restrictions appropriate to the services they provide.

Analytics and product-measurement tools are used to understand reliability, quality, safety, performance, and user experience. Developer and CI/CD tools process developer-account information and code repositories and are not intended to collect consumer Personal Information from use of the Platform. Payment processors process payment information and limited transaction metadata. Where a tool receives PHI on behalf of the Medical Group or the Company in its MSO/Business Associate capacity, it must be used only for permitted HIPAA purposes and, where required, under a Business Associate Agreement.

We do not use PHI for advertising, do not sell or share PHI for cross-context behavioral advertising, and do not deploy advertising or remarketing tags on login, scheduling, patient portal, intake/symptom forms, clinical content pages, results pages, or telehealth session pages. To exercise opt-out rights where required by law, configure your browser with a valid Global Privacy Control (GPC) signal or email us at privacy@legionhealth.com.

How We Use Personal Information

We use Personal Information to:

  • provide, operate, secure, troubleshoot, and improve the Platform and non-clinical Services;

  • communicate with you (e.g., account notices, service messages, support);

  • personalize your experience and remember preferences;

  • measure and improve analytics, quality, and performance (on non-PHI pages);

  • detect, prevent, and investigate fraud, abuse, and security incidents;

  • comply with the law and enforce our Terms of Service; and

  • other purposes with your consent.

Marketing. Where permitted, we may send you marketing or promotional emails about our Services. You can opt out at any time using the unsubscribe link in those emails. Opting out of marketing does not affect transactional or legally required communications.

Targeted Advertising/“Sale”/“Sharing.” On non-PHI pages, we may work with partners to offer or measure advertising where allowed by law. Some states treat certain adtech disclosures as a “sale” or “sharing” of personal information. Where required, you can opt out by using a valid Global Privacy Control (GPC) signal. We do not use PHI for advertising. 

Retention of Data

We retain Personal Information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, including to comply with legal, regulatory, tax, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. Where feasible, we will de‑identify or aggregate data or delete it when it is no longer needed for these purposes. Retention of PHI is governed by the Notice and applicable law.

Transfer of Data

Your information, including Personal Information, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

Your consent to this Privacy Policy, followed by your submission of such information, represents your agreement to that transfer.

We will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Information will take place to an organization or a country unless there are adequate controls in place, including the security of your data and other Personal Information.

Disclosure of Personal Information

We do not share, sell, or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy. However, we may disclose aggregated information about our users and information that does not identify any individual without restriction. We may disclose Personal Information that we collect or that you provide as described below:

Service Providers / Processors. We disclose Personal Information to vendors and other service providers that process data for us, including hosting, infrastructure, support, security, analytics, product measurement, developer/CI/CD, communications, payment processing, and similar operational services. These providers may use Personal Information only to provide services to us or as otherwise permitted by contract and applicable law. 

Affiliates. We may disclose Personal Information to our corporate affiliates for purposes consistent with this Privacy Policy. 

Disclosures for Protection. We may access, preserve, and disclose Personal Information if we or our service providers, in good faith, believe it is necessary to: comply with law, regulation, legal process, or governmental request; protect the rights, property, or safety of you, us, our users, or others; enforce our terms or policies; detect, prevent, or investigate fraud, security, or technical issues; collect fees; or pursue or defend legal claims.

Business Transfers. We may disclose or transfer information in connection with a merger, acquisition, reorganization, financing, asset sale, bankruptcy, or similar event. Recipients must honor the commitments described in this Privacy Policy or provide you with notice of material changes.

Security of Data

We use administrative, technical, and physical safeguards designed to protect Personal Information. The safety and security of your information also depends on you. If we have given you, or you have chosen, a password or other credentials to access certain parts of the Platform, you are responsible for keeping those credentials confidential, and we ask you not to share them with anyone. No method of transmission or storage is 100% secure. If we believe a security incident materially affects your information, we will notify you consistent with applicable law.

We do not respond to the “Do Not Track” (DNT) signal. Where required by law, we honor legally recognized browser-based opt-out signals (such as Global Privacy Control) for applicable activities (e.g., targeted advertising).

Children's Privacy

Our Platform and Services are not intended for individuals under 18. We do not knowingly collect Personal Information from anyone under 18. If you believe a child has provided Personal Information, contact us, and we will delete it.

State Privacy Notices

Texas (TDPSA). To the extent the Texas Data Privacy and Security Act applies to our non-PHI processing, Texas residents may have rights to confirm whether we process Personal Data, access Personal Data, correct inaccuracies, delete Personal Data, obtain a portable copy of Personal Data, and opt out of targeted advertising, sale of Personal Data, or profiling in furtherance of decisions that produce legal or similarly significant effects. You may submit a request by emailing us at privacy@legionhealth.com. If we deny your request, you may appeal by replying to our decision email or emailing privacy@legionhealth.com with “Privacy Appeal” in the subject line. We will not sell sensitive Personal Data without consent where required by applicable law.

PHI / Medical Records. PHI and medical-record information are governed by the Medical Group’s Notice of Privacy Practices and applicable patient consents. This Privacy Policy does not alter HIPAA, Texas medical-privacy, or patient-record rights regarding PHI.

Your Privacy Choices

To exercise opt‑out rights where required by law (e.g., targeted advertising/“sharing”), manage analytics/cookie preferences, or submit other privacy requests, email us at privacy@legionhealth.com. We honor legally recognized browser‑based opt‑out signals such as Global Privacy Control (GPC) for applicable activities.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Non-U.S. Users

The Platform and Services are intended for use in the United States only. If you are not located in the U.S., you may not use the Services. We do not target or knowingly collect Personal Information from individuals outside the U.S. Those who access the Platform or any of the Services from outside the U.S. do so on their own initiative and are responsible for compliance with local laws, rules, and regulations. 

Contact Us

If you have any questions about this Privacy Policy, please contact us:

  • By email: privacy@legionhealth.com

  • By mail at Legion Health, Inc., 1606 Headway Cir, STE #9779, Austin, TX 78754

Ready for Your Next Step?

We're here to support you, whenever you're ready.

Questions?
Text or call (737) 237-2900, or email support@legionhealth.com.

Proudly backed by Y Combinator for innovative, patient-first care. Committed to your privacy and well-being.

© 2026 Legion Health

Ready for Your Next Step?

We're here to support you, whenever you're ready.

Questions?
Text or call (737) 237-2900, or email support@legionhealth.com.

Proudly backed by Y Combinator for innovative, patient-first care. Committed to your privacy and well-being.

© 2026 Legion Health

Ready for Your Next Step?

We're here to support you, whenever you're ready.

Questions?
Text or call (737) 237-2900, or email support@legionhealth.com.

Proudly backed by Y Combinator for innovative, patient-first care. Committed to your privacy and well-being.

© 2026 Legion Health