Privacy Policy

---

Privacy Policy

Last updated: 18 July 2025

Dr. IV MD (“we,” “us,” “our,” or the “Clinic”) respects your privacy and is committed to protecting the personal information you share with us through www.drivmd.com (the “Site”), our scheduling widgets, patient portal, electronic communications, and any related digital services (collectively, the “Services”).

This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the rights and choices you have. It also describes the safeguards we maintain to protect your data and how you can contact us with questions.

Important: This policy is intended for website and marketing data. If you are a patient who has received medical care from Dr. IV MD, your medical information is further protected under our separate HIPAA Notice of Privacy Practices, which governs how we handle “protected health information” (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and Florida state law.

This policy applies to information we collect:

• When you visit, interact with, or use the Site or Services.
• When you schedule an appointment, purchase a membership or package, join our email newsletter, or engage with our social media channels.
• When you communicate with us by phone, text, email, chat, or in person regarding the Services.

It does not apply to third‑party websites, apps, or services that may link to or from our Site. Please review their privacy statements separately.

CategoryExamplesSourceIdentifiers & Contact DataName, postal address, email, phone number, social media handle.Directly from you via forms, chats, scheduling tools.Demographic DataAge, gender, wellness goals.Directly from you (optional fields).Health‑Related InformationSymptoms, medications, treatment interests, insurance information.Direct intake forms; classified as PHI when tied to an encounter.Commercial DataServices purchased, membership status, payment tokens (via Stripe).Transaction partners; our POS.Internet / Device DataIP address, browser type, device ID, referring URL, pages visited, clicks, session duration.Automatic collection via cookies, pixels (Google Analytics 4), and log files.Geolocation (coarse)Approximate city/state (derived from IP).Automatic via analytics.User‑Generated ContentReviews, testimonials, social media comments.Directly from you.

We do not knowingly collect data from children under 13. If we learn we have done so inadvertently, we will delete it promptly.

We use personal information to:

1. Deliver & manage Services – schedule appointments, process payments, send confirmations, and maintain your patient portal account.
2. Provide medical care – review submitted health data to determine eligibility or tailor a treatment plan (handled as PHI under HIPAA).
3. Communicate – respond to inquiries, send appointment reminders, clinical follow‑ups, newsletters, or promotional offers (with opt‑out).
4. Improve & secure the Site – monitor usage, debug, analyze performance, and protect against fraud or abuse.
5. Comply with legal obligations – maintain records required by HIPAA, CMS, IRS, state boards, or respond to lawful requests.
6. Conduct marketing & analytics – measure campaign effectiveness, create custom audiences (using privacy‑safe hashing where required), and show you relevant ads.
7. Facilitate business operations – audit, accounting, or corporate events such as mergers or asset transfers, subject to confidentiality protections.

We will not sell or rent your personal information.

Where the EU GDPR or UK GDPR applies, we rely on:

• Performance of a contract – to provide requested Services.
• Legal obligation – to meet regulatory requirements.
• Legitimate interests – Site security, analytics, direct marketing (where permissible), provided these interests are not overridden by your rights.
• Consent – for email marketing (when required), cookies, or processing special‑category data you voluntarily share.

You may withdraw consent at any time.

We disclose information only as necessary:

Recipient TypePurposeSafeguardsService providersHosting (Vercel/AWS), payment (Stripe), scheduling (Calendly), email & SMS (SendGrid/Twilio), EHR integrations.HIPAA Business Associate Agreements (BAAs) where PHI is involved; least‑privilege access.Marketing & analytics partnersGoogle Analytics 4, Meta Ads, LinkedIn, TikTok.IP anonymization, hashed audiences, opt‑out links.Professional advisorsAccountants, auditors, legal counsel.Confidentiality duties.Government / regulatorsTo comply with subpoenas, court orders, CMS audits, or public‑health reporting.As legally required.Successor entitiesIn business restructurings.Continued privacy obligations.

We do not allow third‑party ad networks to use your health information for targeted ads.

We use:

• Essential cookies – enable Site functionality.
• Performance cookies – measure traffic and errors.
• Marketing cookies / pixels – remarketing, A/B testing.

You can manage cookies through your browser settings or the Site’s Cookie Preferences banner. Turning off cookies may impair some functionalities.

• TLS 1.3 encryption in transit; AES‑256 at rest.
• OWASP Top 10–hardened code reviews & annual penetration tests.
• HIPAA‑compliant cloud infrastructure with role‑based access, audit logging, multi‑factor authentication.
• Daily backups stored in an encrypted, geographically separate environment.

No system is 100 % secure, but we follow industry standards to protect your data.

• Website & marketing records – kept no longer than 24 months after last interaction, unless required for ongoing legal obligations.
• PHI / medical records – retained for at least 6 years (federal) or longer if Florida law requires.

When data is no longer necessary, we delete or de‑identify it in accordance with NIST SP 800‑88 guidelines.

Depending on your location, you may have rights to:

• Access the personal information we hold about you.
• Correct inaccuracies.
• Delete or anonymize certain data.
• Opt out of marketing emails or SMS (unsubscribe link or STOP reply).
• Object / restrict certain processing.
• Data portability (GDPR).
• Nondiscrimination for exercising CCPA/CPRA rights (California residents).

To exercise rights, email privacy@drivmd.com or call 1‑888‑Dr‑IV‑MD. We will verify your identity before responding.

We do not respond to browser Do‑Not‑Track signals at this time. Under the California Consumer Privacy Act (CCPA), as amended by the CPRA, California residents may request:

• Categories of personal information collected and disclosed.
• Specific pieces of personal information.
• Deletion or correction of personal information.
• Limitation of use of sensitive personal information (we only use sensitive data to provide the Services).

We do not sell or “share” personal information as those terms are defined under CCPA/CPRA.

The Site is not directed to children under 13, and we do not knowingly collect their personal information without verifiable parental consent. If you believe we collected such data, contact us and we will delete it.

We are based in the United States. If you access the Site from outside the U.S., your information will be transferred to, stored, and processed in the U.S. We rely on adequacy decisions or Standard Contractual Clauses (SCCs) where applicable.

We may update this Privacy Policy from time to time. We will post the revised version with a new “Last updated” date at the top. Material changes will be notified via email or prominent banner. Continued use of the Site after such changes constitutes acceptance.

This Privacy Policy is provided for informational purposes and does not constitute legal advice. For specific guidance, consult qualified counsel familiar with HIPAA, FTC, CCPA/CPRA, GDPR, and applicable state privacy laws.