Privacy Policy

We collect the following categories of personal information:

• Contact and identity information: name, email address, phone number, and physical addresses (billing, delivery, or mailing).
• Health and intake information: information you voluntarily provide in connection with consultations, such as symptoms, medical history, goals, and related details. This is sensitive personal data.
• Youth athletics information (minors): when a parent or legal guardian registers a minor for the HEXIS Youth Sports program, we collect the athlete's name and age, emergency contact information, and relevant medical notes. This collection occurs only with verifiable parental consent obtained at registration.
• Transaction and order information: details necessary to process Provisions orders (one-time or subscription), including pickup or delivery preferences and subscription status.
• Payment information: payment card details and related data are collected and processed directly by our third-party payment processor, Stripe. We do not collect, access, or store full credit or debit card numbers.
• Scheduling information: information you submit when booking consultations through Calendly.
• Communications data: information exchanged in transactional emails sent via Resend.
• Technical and usage information: IP address, browser type and version, device information, operating system, referring URLs, pages visited, and interaction data, collected automatically through cookies and similar technologies via Google Analytics 4 and Google Tag Manager.

We collect information directly from you, automatically through your use of the Site, and from service providers acting on our behalf.

We use personal information for the following purposes:

• To provide, operate, and manage the Services, including delivering consultations, administering the youth athletics program, and fulfilling Provisions orders (pickup or delivery).
• To process payments and manage recurring monthly subscriptions through Stripe.
• To schedule and confirm consultations via Calendly.
• To send transactional communications (order confirmations, subscription notices, appointment reminders, and service updates) via Resend.
• To analyze Site usage, improve the Site and Services, and understand visitor behavior through Google Analytics 4 and Google Tag Manager.
• To verify identity, prevent fraud, and enforce our agreements.
• To comply with legal obligations and respond to lawful requests.
• For the youth athletics program specifically: to register participants, contact guardians in case of emergency, accommodate disclosed medical needs, and maintain program safety records.

We do not use sensitive health information for targeted advertising or sell it to third parties.

The Site uses cookies and similar tracking technologies (such as pixels and local storage) for essential Site functions (e.g., cart or session management) and for analytics and performance measurement.

Google Analytics 4 and Google Tag Manager help us collect aggregated usage data, including device and browser information and pages viewed. These tools may set cookies or use other identifiers.

You can manage or disable cookies through your browser settings. Disabling certain cookies may affect Site functionality. For information on Google's data practices and opt-out options, please review Google's privacy policy and advertising settings.

We currently do not respond to "Do Not Track" browser signals.

We disclose personal information in the following circumstances:

• Service providers and processors: We share information with vendors that perform services on our behalf, including Stripe (payment processing), Calendly (scheduling), Resend (transactional email delivery), Google (analytics), and hosting or infrastructure providers. These parties are bound by contractual obligations to protect the data and to use it only for the purposes we specify.
• Legal and safety requirements: We may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect rights, safety, or property, or to investigate fraud or illegal activity.
• Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of the transaction, subject to appropriate protections and notice where required.
• With your consent: We may share information when you direct us to do so.

We do not sell personal information for monetary or other valuable consideration in the ordinary course of business. Health information is not shared for targeted advertising or cross-context behavioral advertising.

We implement and maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. These measures are appropriate to the sensitivity of the data, including health information and information about minors.

Payment processing is handled by Stripe, which is responsible for maintaining PCI DSS compliance for card data. We do not store full card details.

No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, including providing the Services, complying with legal, tax, and accounting obligations, resolving disputes, and enforcing agreements.

• Transactional, order, and subscription records are retained as required by applicable law (typically several years for tax and financial records).
• Health intake information is retained for the duration of the active coaching relationship and a reasonable period thereafter to support continuity of service, unless you request deletion (subject to legal holds or exceptions).
• Youth athletics records (including emergency and medical notes) are retained for the duration of the program season plus a reasonable period for safety, insurance, liability, and recordkeeping purposes.
• Analytics data is retained in aggregated or pseudonymized form according to the settings of the analytics providers or deleted when no longer needed.

When information is no longer needed, we will delete it or anonymize it in accordance with our retention practices and applicable law.

If you are a resident of the State of Montana and the MCDPA applies to our processing of your personal data, you have the following rights, subject to verification of your identity and residency and to certain exceptions (such as trade secrets, legal obligations, or data necessary to complete a transaction):

• Right to know and access: Confirm whether we are processing your personal data and obtain access to the categories and specific pieces of personal data we hold about you.
• Right to correct: Request that we correct inaccurate personal data we maintain about you.
• Right to delete: Request deletion of personal data we hold about you.
• Right to portability: Obtain a copy of personal data you previously provided to us in a portable, readily usable format that allows you to transmit the data to another entity without hindrance.
• Right to opt out: Opt out of the processing of your personal data for (a) targeted advertising, (b) the sale of personal data, or (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning you.

How to exercise your rights: Submit a verifiable consumer request to support@hexishealthhq.org. Please include your full name, the email address associated with your interactions with us, confirmation that you are a Montana resident, and sufficient information to allow us to locate and verify the relevant data. We may require additional verification steps to protect your information and prevent unauthorized requests.

We will respond to verified requests within 45 days of receipt. If reasonably necessary, we may extend this period by an additional 45 days and will notify you of the extension. If we deny your request, you may appeal our decision by contacting us at the same email address with "APPEAL" in the subject line and a statement of the grounds for your appeal. We will respond to appeals within the timeframes required by the MCDPA.

We will not discriminate against you for exercising any of these rights.

If we process personal data for targeted advertising or sell personal data, we will provide a clear and conspicuous method to opt out in addition to the request process described above. At this time, we do not sell personal data or engage in targeted advertising using personal data for these purposes.

The Site and Services (other than the HEXIS Youth Sports program) are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13 for general use of the Site or for consultations or Provisions orders.

HEXIS Youth Sports program: Registration for this program is initiated exclusively by a parent or legal guardian. We collect only the limited information necessary for safe participation: the minor athlete's name and age, an emergency contact, and relevant medical notes. This collection occurs solely with verifiable parental consent obtained during the registration process. A separate liability waiver and assumption-of-risk agreement is also presented and must be accepted by the parent or guardian at signup.

Parents and legal guardians may contact us at support@hexishealthhq.org to review the information we have collected about their child, request corrections or deletion (subject to ongoing program needs and legal retention requirements), or withdraw consent. We will take reasonable steps to honor such requests.

If you believe we have collected personal information from a child under 13 without proper parental consent, please contact us immediately at support@hexishealthhq.org so we can investigate and take appropriate action, including deletion of the information.

This section is designed to comply with the Children's Online Privacy Protection Act (COPPA) and applicable Montana requirements.

We use Resend to send transactional emails that are necessary to provide the Services you have requested, such as order confirmations, subscription billing notices, appointment reminders, and account or program updates. These transactional messages do not require prior opt-in consent under the CAN-SPAM Act.

If we send any promotional or marketing emails (separate from transactional messages), we will comply with the CAN-SPAM Act. This includes obtaining any required consent, including a clear and conspicuous unsubscribe link in every marketing email, and honoring opt-out requests within the timeframes required by law. You may also opt out of marketing communications by contacting support@hexishealthhq.org. Transactional and service-related emails necessary for your account, orders, or safety will continue regardless of marketing opt-out status.

We do not sell, rent, or share email addresses for marketing purposes with unaffiliated third parties.

The Site and Services integrate with or rely on third-party providers, including:

• Stripe for secure payment processing (we do not store full card details; review Stripe's privacy policy at stripe.com/privacy).
• Calendly for consultation scheduling.
• Resend for transactional email delivery.
• Google Analytics 4 and Google Tag Manager for usage analytics and Site performance.

These third parties collect and process information according to their own privacy policies and terms of service. We are not responsible for their privacy practices, security, or content. We encourage you to review their policies before providing information through those services.

The Site may contain links to external websites or resources. We are not responsible for the privacy practices, content, or availability of those third-party sites.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. The "Effective Date" at the top of this Policy indicates the date of the current version. For material changes, we will post a prominent notice on the Site and/or notify affected users by email where appropriate. Your continued use of the Site or Services after the Effective Date of an updated Policy constitutes acceptance of the changes.

If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact: