Privacy Policy
Website Privacy Policy
Version 1.3
Last revised on: December 2, 2025
Winston Health (the “Company”) is committed to maintaining robust privacy protections for its users. Our Privacy Policy (“Privacy Policy”) is designed to help you understand how we collect, use and safeguard the information you provide to us and to assist you in making informed decisions when using our Service. For purposes of this Agreement, “Site” refers to the Company’s website, which can be accessed at https://getwinstonhealth.com or through our mobile application.
“Service” refers to the Company’s services accessed via the Site, in which users can receive AI-powered health and financial advice, track daily activity goals & rewards, redeem employer-sponsored wellness credits to linked financial institutions, link third-party health portals, and shop for healthcare services and their associated costs.
The terms “we,” “us,” and “our” refer to the Company. “You” refers to you, as a user of our Site or our Service.
By accessing our Site or our Service, you accept our Privacy Policy and Terms of Use (found here: https://getwinstonhealth.com/terms-of-use), and you consent to our collection, storage, use and disclosure of your Personal Information as described in this Privacy Policy.
INFORMATION WE COLLECT
We collect “Non-Personal Information” and “Personal Information.” Non-Personal Information can include information that cannot be used to personally identify you, such as anonymous usage data, general demographic information we may collect, referring/exit pages and URLs, platform types, preferences you submit, preferences generated from the data you submit, and number of clicks. Personal Information can include your name, mobile phone number, email address, mailing address, other contact information, employer name, medical insurance plan name, and financial institution information which you submit to us through the registration process at the Site or mobile application.
Information collected via Technology
To activate the Service you need to submit your first and last name, email address, and date of birth. To use the Service thereafter, you may need to submit further Personal Information, which may include your: address, medical insurance plan name, and financial institution information.
Information collected via Portal Information and Portal Credentials
In order to fully benefit from our Services, you also must provide your third-party health portal credentials (“Portal Credentials”) to allow us to access your health data at those other healthcare providers’ organizations (“Portal Information”) for your use. We collect and keep your medical information through the personal health record and sync your medical record information from your healthcare provider or another third-party source using our HealthRecord feature.
Other information collected
In an effort to improve the quality of the Service, we track information provided to us by your browser or by our software application when you view or use the Service, such as the website you came from (known as the “referring URL”), the type of browser you use, the device from which you connected to the Service, the time and date of access, and other information that does not personally identify you. We track this information using cookies, or small text files which include an anonymous unique identifier. Cookies are sent to a user’s browser from our servers and are stored on the user’s computer hard drive. Sending a cookie to a user’s browser enables us to collect Non-Personal information about that user and keep a record of the user’s preferences when utilizing our services, both on an individual and aggregate basis. The Company may use both persistent and session cookies; persistent cookies remain on your computer after you close your session and until you delete them, while session cookies expire when you close your browser.
Information you provide us by registering for an account
In addition to the information provided automatically by your browser when you visit the Site, to become a subscriber to the Service you will need to create a personal profile. You can create a profile by registering with the Service and entering your email address, and, if you choose to enable SMS communications, your mobile phone number, and creating a password. By registering, you are authorizing us to collect, store and use your email address and, where provided, your mobile phone number in accordance with this Privacy Policy.
Mobile Phone Number and SMS Communications
If you choose to enable text message (SMS) communications, we will collect your mobile phone number. We use this number to send:
- Security and authentication messages, such as two-factor authentication (2FA) codes, login verifications, or alerts related to the security of your account; and
- Service and benefits-related messages, such as reminders, notifications, and suggestions to help you better utilize your employer-sponsored benefits, wellness rewards, or other features of the Service.
Message frequency will vary based on your use of the Service and your communication preferences. Message and data rates may apply, depending on your mobile carrier and plan.
You may opt out of receiving non-essential SMS communications at any time by replying STOP to any message or by adjusting your communication preferences in your account settings. We may continue sending you SMS messages related to security, authentication, or other transactional purposes where permitted by law. Reply HELP for help.
We do not guarantee the delivery of SMS messages. SMS messaging should not be relied upon for emergency or urgent communications.
Your enrollment in SMS communications may also be subject to any additional SMS-specific terms or disclosures presented to you at the time you sign up for text messages, which will supplement this Privacy Policy.
Consent for Use of Health Information
Your express consent is required before we access, process, or use your personal health information, including your electronic medical records (EMR) or patient portal data. This consent is obtained during the registration or linking process through a separate authorization form, which clearly explains what data will be accessed, how it will be used, and with whom it may be shared. You may revoke your consent at any time through your account settings or by contacting us at info@getwinstonhealth.com. You control the visibility and sharing of your health information and can restrict or disable access at any time. We commit to not sharing or selling your health information without your express consent, except as required by law or necessary for business transactions such as mergers or acquisitions.
Access to Information from Member's Device
We do not access any additional information from your device beyond what is necessary to provide our Service, unless explicitly authorized by you. If such authorization is given, we will clearly state what information is being accessed and for what purposes.
Stopping Access to Information and Disposal of Member's Information
You have the right to cease access to your information at any time by contacting us at info@getwinstonhealth.com. Upon receiving your request, we will promptly cease accessing your information. If you choose to delete your account, we will dispose of your personal and health information in accordance with our data retention policy. All personal information associated with your account will be deleted from active databases within 30 days and removed from backup storage within 90 days, unless otherwise required by law.
Children’s Privacy
The Site and the Service are not directed to anyone under the age of 13. The Site does not knowingly collect or solicit information from anyone under the age of 13, or allow anyone under the age of 13 to sign up for the Service. In the event that we learn that we have gathered personal information from anyone under the age of 13 without the consent of a parent or guardian, we will delete that information as soon as possible. If you believe we have collected such information, please contact us at info@getwinstonhealth.com. Minors under 18 years of age may have the personal information that they have provided to us through our website deleted by sending an email to info@getwinstonhealth.com requesting deletion. To ensure compliance with the Children’s Online Privacy Protection Act (COPPA), we require affirmative age verification during registration.
HOW WE USE AND SHARE INFORMATION
Personal Information
We may use the information we collect from you when you sign up, register, respond to a survey or marketing communication, surf our website, or use certain other features of the Services in the following ways:
- To personalize your experience on the website and to allow us to deliver content and product offerings that interest you.
- To allow us to better respond to your customer service requests.
- To quickly process your requested transactions.
- To administer a promotion, survey or other feature of our website.
- To send you text messages (SMS) related to account security, including two-factor authentication codes and login alerts, and, where you have provided appropriate consent, messages regarding benefit utilization, wellness rewards, plan reminders, and other service-related notifications.
We will not sell, rent, license, or trade your personal information with third parties for their own direct marketing use unless you expressly tell us it is okay to do so. Unless you give us your permission, we will not share your personal information other than as stated in this Privacy Policy. Your personal information, including your health information, will not be shared or sold in the future, unless you give us your explicit permission.
Use of Artificial Intelligence (AI)
As part of our Services, Winston Health may use generative AI technologies, including models provided by OpenAI and xAI, to analyze your health information and provide educational content, personalized health insights, or cost-saving recommendations related to your health plan. These AI-generated outputs are informational in nature and do not constitute medical advice. You should consult a qualified healthcare professional before making any decisions about your health or care based on AI suggestions. This disclaimer is prominently displayed wherever AI-generated recommendations appear in the Service.
Vendors and Data Processing
We share personal data only with vendors and processors necessary to operate our services, including cloud storage providers, analytics services, customer communication platforms, and AI model providers (e.g., OpenAI, xAI). These vendors are contractually obligated to use your information solely for providing services on our behalf and are required to implement strong security safeguards. We have disabled sharing of inputs and outputs with AI model providers for model training or improvement. Your identifiable health data is not used to train AI models. Any use of anonymized or aggregated data for service enhancement complies with applicable laws and, where consent is required, is carried out only with your explicit consent.
HIPAA and Health Data Protection
Winston Health is not a Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA). However, we may act as a Business Associate when working with Covered Entities, such as employer health plans or insurers. In such cases, we maintain appropriate safeguards and comply with applicable privacy and security requirements, including through execution of Business Associate Agreements (BAAs) where required. We use encryption, audit controls, and other security measures to protect your health data.
Non-Personal Information
In general, we use Non-Personal Information to help us improve the Service and customize the user experience. We also aggregate Non-Personal Information in order to track trends and analyze use patterns on the Site. This Privacy Policy does not limit in any way our use or disclosure of Non-Personal Information and we reserve the right to use and disclose such Non-Personal Information to our partners, advertisers and other third parties at our discretion.
Mergers & Acquisitions
In the event we undergo a business transaction such as a merger, acquisition by another company, or sale of all or a portion of our assets, your Personal Information may be among the assets transferred. You acknowledge and consent that such transfers may occur and are permitted by this Privacy Policy, and that any acquirer of our assets may continue to process your Personal Information as set forth in this Privacy Policy. If our information practices change at any time in the future, we will post the policy changes to the Site so that you may opt out of the new information practices. We suggest that you check the Site periodically if you are concerned about how your information is used.
HOW WE PROTECT INFORMATION
We implement industry-standard security measures, including encryption, firewalls, and secure access controls, to protect your data. In the unlikely event of a data breach affecting your personal or health information, we will notify you promptly in accordance with applicable laws, including providing details about what occurred, what information was involved, and steps you can take to protect yourself. Your account is protected by your password, and we urge you to keep it confidential and log out after each use. While we take robust measures, no system is completely secure, and you acknowledge the inherent risks of using our Service.
Your Rights Regarding the Use of Your Personal Information
You may prevent us from contacting you for marketing purposes by following unsubscribe instructions in promotional emails or opting out in the “Settings” section of the Site. We may continue to send administrative emails, such as Privacy Policy updates. You may opt out of receiving marketing or non-essential SMS messages by replying STOP to any text message from us or by updating your communication preferences in your account settings. We may still send you transactional SMS messages related to account security (such as verification codes) or your use of the Service, where permitted by law. Replies of HELP will provide additional assistance.
Your Rights Regarding Changing or Deleting Your Information
You may review and request changes to your personal information that we have collected. You may also request deletion of your personal information from our databases in order to close your account and prevent receipt of future communications. When you choose to delete your account, all personal information associated with your account will be deleted from active databases within 30 days and removed from backup storage within 90 days, unless otherwise required by law. You may submit requests to change or delete your personal information using either of the following options:
- You can send your request via email to info@getwinstonhealth.com.
- You can mail your request to the following postal address:
Winston Health LLC
129 E Charlotte Street,
Millersville, PA 17551
Data Localization
Our data storage is U.S.-based. We currently do not accept international users. If this changes, we will update this Privacy Policy to address compliance with international regulations, such as GDPR, as applicable.
Links to Other Websites
We may provide links to third-party websites or applications. We are not responsible for their privacy practices or content. This Privacy Policy applies solely to information we collect. Review the privacy policies of third-party websites before using them.
Changes to our Privacy Policy
The Company reserves the right to change this policy and our Terms of Use at any time. We will notify you of significant changes to our Privacy Policy by sending a notice to the primary email address specified in your account or by placing a prominent notice on our site. Significant changes will go into effect 30 days following such notification. Non-material changes or clarifications will take effect immediately. You should periodically check the Site and this privacy page for updates.
Contact Us
If you have any questions regarding this Privacy Policy or the practices of this Site, please contact us by sending an email to info@getwinstonhealth.com.