Privacy Policy
Website Privacy Policy
Version 1.2
Last revised on: June 1, 2025
Winston Health (the “Company”) is committed to maintaining robust privacy protections for its users. Our Privacy Policy (“Privacy Policy”) is designed to help you understand how we collect, use and safeguard the information you provide to us and to assist you in making informed decisions when using our Service. For purposes of this Agreement, “Site” refers to the Company’s website, which can be accessed at https://getwinstonhealth.com or through our mobile application.
“Service” refers to the Company’s services accessed via the Site, in which users can track daily activity goals & rewards, redeem employer-sponsored wellness credits to linked financial institutions, link third-party health portals, and shop for healthcare services and their associated costs.
The terms “we,” “us,” and “our” refer to the Company. “You” refers to you, as a user of our Site or our Service.
By accessing our Site or our Service, you accept our Privacy Policy and Terms of Use (found here: https://getwinstonhealth.com/terms-of-use), and you consent to our collection, storage, use and disclosure of your Personal Information as described in this Privacy Policy.
INFORMATION WE COLLECT
We collect “Non-Personal Information” and “Personal Information.” Non-Personal Information can include information that cannot be used to personally identify you, such as anonymous usage data, general demographic information we may collect, referring/exit pages and URLs, platform types, preferences you submit and preferences that are generated based on the data you submit and number of clicks. Personal Information can include your email, name, address, contact information, employer name, medical insurance plan name, and financial institution information which you submit to us through the registration process at the Site.
Information collected via Technology
To activate the Service you need to submit your first and last name, email address, and date of birth. To use the Service thereafter, you may need to submit further Personal Information, which may include your: address, medical insurance plan name, and financial institution information.
Information collected via Portal Information and Portal Credentials
In order to fully benefit from our Services, you also must provide your third-party health portal credentials (“Portal Credentials”) to allow us to access your health data at those other healthcare providers’ organizations (“Portal Information”) for your use. We collect and keep your medical information through the personal health record and sync your medical record information from your healthcare provider or another third-party source using our HealthRecord feature.
Other information collected
In an effort to improve the quality of the Service, we track information provided to us by your browser or by our software application when you view or use the Service, such as the website you came from (known as the “referring URL”), the type of browser you use, the device from which you connected to the Service, the time and date of access, and other information that does not personally identify you. We track this information using cookies, which are small text files that include an anonymous unique identifier. Cookies are sent to a user’s browser from our servers and are stored on the user’s computer hard drive. Sending a cookie to a user’s browser enables us to collect Non-Personal Information about that user and keep a record of the user’s preferences when utilizing our services, both on an individual and aggregate basis. The Company may use both persistent and session cookies; persistent cookies remain on your computer after you close your session and until you delete them, while session cookies expire when you close your browser.
Information you provide us by registering for an account
In addition to the information provided automatically by your browser when you visit the Site, to become a subscriber to the Service you will need to create a personal profile. You can create a profile by registering with the Service and entering your email address, and creating a password. By registering, you are authorizing us to collect, store and use your email address in accordance with this Privacy Policy.
Consent for Use of Health Information
Your express consent is required before we access, process, or use your personal health information, including your electronic medical records (EMR) or patient portal data. This consent is obtained during the registration or linking process through a separate authorization form, which clearly explains what data will be accessed, how it will be used, and with whom it may be shared. You may revoke your consent at any time through your account settings or by contacting us at info@getwinstonhealth.com. You control the visibility and sharing of your health information and can restrict or disable access at any time. We commit to not sharing or selling your health information without your express consent, except as required by law or necessary for business transactions such as mergers or acquisitions.
Access to Information from Member's Device
We do not access any additional information from your device beyond what is necessary to provide our Service, unless explicitly authorized by you. If such authorization is given, we will clearly state what information is being accessed and for what purposes.
Stopping Access to Information and Disposal of Member's Information
You have the right to cease access to your information at any time by contacting us at info@getwinstonhealth.com. Upon receiving your request, we will promptly cease accessing your information. If you choose to delete your account, we will dispose of your personal and health information in accordance with our data retention policy. All personal information associated with your account will be deleted from active databases within 30 days and removed from backup storage within 90 days, unless otherwise required by law.
Children’s Privacy
The Site and the Service are not directed to anyone under the age of 13. The Site does not knowingly collect or solicit information from anyone under the age of 13, or allow anyone under the age of 13 to sign up for the Service. In the event that we learn that we have gathered personal information from anyone under the age of 13 without the consent of a parent or guardian, we will delete that information as soon as possible. If you believe we have collected such information, please contact us at info@getwinstonhealth.com. Minors under 18 years of age may have the personal information that they have provided to us through our website deleted by sending an email to info@getwinstonhealth.com requesting deletion. To ensure compliance with the Children’s Online Privacy Protection Act (COPPA), we require affirmative age verification during registration.
HOW WE USE AND SHARE INFORMATION
Personal Information
We may use the information we collect from you when you sign up, register, respond to a survey or marketing communication, surf our website, or use certain other features of the Services in the following ways:
- To personalize your experience on the website and to allow us to deliver content and product offerings that interest you.
- To allow us to better respond to your customer service requests.
- To quickly process your requested transactions.
- To administer a promotion, survey or other feature of our website.
We will not sell, rent, license, or trade your personal information with third parties for their own direct marketing use unless you expressly tell us it is okay to do so. Unless you give us your permission, we will not share your personal information other than as stated in this Privacy Policy. Your personal information, including your health information, will not be shared or sold in the future, unless you give us your explicit permission.
Use of Artificial Intelligence (AI)
As part of our Services, Winston Health may use generative AI technologies, including models provided by OpenAI and xAI, to analyze your health information and provide educational content, personalized health insights, or cost-saving recommendations related to your health plan. These AI-generated outputs are informational in nature and do not constitute medical advice. You should consult a qualified healthcare professional before making any decisions about your health or care based on AI suggestions. This disclaimer is prominently displayed wherever AI-generated recommendations appear in the Service.
Vendors and Data Processing
We share personal data only with vendors and processors necessary to operate our services, including cloud storage providers, analytics services, customer communication platforms, and AI model providers (e.g., OpenAI, xAI). These vendors are contractually obligated to use your information solely for providing services on our behalf and are required to implement strong security safeguards. We have disabled sharing of inputs and outputs with AI model providers for model training or improvement. Your identifiable health data is not used to train AI models. Any use of anonymized or aggregated data for service enhancement complies with applicable laws and requires your explicit consent, if needed.
HIPAA and Health Data Protection
Winston Health is not a Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA). However, we may act as a Business Associate when working with Covered Entities, such as employer health plans or insurers. In such cases, we maintain appropriate safeguards and comply with applicable privacy and security requirements, including through execution of Business Associate Agreements (BAAs) where required. We use encryption, audit controls, and other security measures to protect your health data.
Non-Personal Information
In general, we use Non-Personal Information to help us improve the Service and customize the user experience. We also aggregate Non-Personal Information in order to track trends and analyze use patterns on the Site. This Privacy Policy does not limit in any way our use or disclosure of Non-Personal Information and we reserve the right to use and disclose such Non-Personal Information to our partners, advertisers and other third parties at our discretion.
Mergers & Acquisitions
In the event we undergo a business transaction such as a merger, acquisition by another company, or sale of all or a portion of our assets, your Personal Information may be among the assets transferred. You acknowledge and consent that such transfers may occur and are permitted by this Privacy Policy, and that any acquirer of our assets may continue to process your Personal Information as set forth in this Privacy Policy. If our information practices change at any time in the future, we will post the policy changes to the Site so that you may opt out of the new information practices. We suggest that you check the Site periodically if you are concerned about how your information is used.
HOW WE PROTECT INFORMATION
We implement industry-standard security measures, including encryption, firewalls, and secure access controls, to protect your data. In the unlikely event of a data breach affecting your personal or health information, we will notify you promptly in accordance with applicable laws, including providing details about what occurred, what information was involved, and steps you can take to protect yourself. Your account is protected by your password, and we urge you to keep it confidential and log out after each use. While we take robust measures, no system is completely secure, and you acknowledge the inherent risks of using our Service.
Your Rights Regarding the Use of Your Personal Information
You may prevent us from contacting you for marketing purposes by following unsubscribe instructions in promotional emails or opting out in the "Settings" section of the Site. We may continue to send administrative emails, such as Privacy Policy updates.
Your Rights Regarding Changing or Deleting Your Information
You may review and request changes to your personal information that we have collected. You may also request deletion of your personal information from our databases in order to close your account and prevent receipt of future communications. When you choose to delete your account, all personal information associated with your account will be deleted from active databases within 30 days and removed from backup storage within 90 days, unless otherwise required by law. You may submit requests to change or delete your personal information using either of the following options:
- You can send your request via email to info@getwinstonhealth.com.
- You can mail your request to the following postal address:
Winston Health LLC
410 Spring Drive,
Millersville, PA 17551
Data Localization
Our data storage is U.S.-based. We currently do not accept international users. If this changes, we will update this Privacy Policy to address compliance with international regulations, such as GDPR, as applicable.
Links to Other Websites
We may provide links to third-party websites or applications. We are not responsible for their privacy practices or content. This Privacy Policy applies solely to information we collect. Review the privacy policies of third-party websites before using them.
Changes to our Privacy Policy
The Company reserves the right to change this policy and our Terms of Use at any time. We will notify you of significant changes to our Privacy Policy by sending a notice to the primary email address specified in your account or by placing a prominent notice on our site. Significant changes will go into effect 30 days following such notification. Non-material changes or clarifications will take effect immediately. You should periodically check the Site and this privacy page for updates.
Contact Us
If you have any questions regarding this Privacy Policy or the practices of this Site, please contact us by sending an email to info@getwinstonhealth.com.