Privacy policy
Last Updated: August 7, 2025
This Privacy Policy explains how Cultivated Formulations, Inc. ("Hair Cultivated," "we," "us") collects, uses, discloses, and safeguards Personal Information when you:
visit our public marketing website haircultivated.com (the "Marketing Site"), and/or
create an account on our patient portal portal.haircultivated.com (the "Patient Portal").
PLEASE READ THIS POLICY CAREFULLY. By using the Marketing Site or Patient Portal you acknowledge that you have read and understood the practices described below.
1. Who we are
Hair Cultivated is a telehealth platform focused on women's hair loss. Hair Cultivated is not a medical group or a health care provider. Hair Cultivated provides its users with the ability to obtain a telemedicine consultation. All clinical decisions, diagnoses, and treatments are provided by licensed medical professionals employed or contracted by Beluga Health ("Beluga Health"), an independent medical group.
Hair Cultivated offers customer experience, support, and secure digital tools that allow users to interact with Beluga Health's medical services. We do not provide medical advice, and nothing on our site should be construed as such.
Hair Cultivated (1560 Lenox Ave, Miami Beach, FL 33139; 323-892-1746) is a "business associate" under HIPAA and accesses only the PHI that Beluga Health authorizes in order to operate the Patient Portal (e.g., appointment scheduling, secure messaging).
Beluga Health is the "covered entity" responsible for your medical record.
2. How We Treat Your PHI
As a HIPAA business associate, Hair Cultivated is contractually and legally bound to maintain the privacy and security of your Protected Health Information. Hair Cultivated operates under a formal Business Associate Agreement (BAA) with Beluga Health in accordance with HIPAA regulations.
Hair Cultivated does not store, retain, or archive PHI on its own infrastructure. Instead, we transmit PHI securely to Beluga Health, and temporarily display PHI via secure interfaces to enable patient-provider interaction (e.g., questionnaires, appointment viewing). PHI is transmitted using encrypted channels and accessed through HIPAA-compliant systems with strict access controls.
Hair Cultivated limits PHI access to staff who require it for operational purposes such as support, appointment coordination, or messaging, and only to the minimum necessary extent.
All use of PHI by Hair Cultivated falls under HIPAA's "treatment" or "health care operations" purposes, in accordance with HIPAA's TPO (Treatment, Payment, Operations) provisions.
In the event of a data breach involving PHI, Hair Cultivated will notify Beluga Health promptly and cooperate fully to meet HIPAA breach notification requirements.
3. Your Rights Under HIPAA
As a patient receiving care through Beluga Health, you have the following rights under HIPAA:
Right to access your medical records and PHI.
Right to request amendments to your medical records if you believe they are incorrect or incomplete.
Right to an accounting of disclosures of your PHI made by the covered entity.
Right to request restrictions on the use or disclosure of your PHI (though not all requests must be granted).
Right to request confidential communications (e.g., use of a different address or contact method).
Right to file a complaint with the U.S. Department of Health and Human Services (HHS) if you believe your privacy rights have been violated.
You may exercise these rights by contacting Beluga Health directly through your Patient Portal or by using their published contact details.
4. Personal Information we collect
A. Information you give us
Account creation (Patient Portal) – examples: name, date of birth, phone, email, password. Purpose: to create and secure your account.
Medical intake – examples: health questionnaires, photos of scalp, medication history. Purpose: used solely by Beluga Health to provide medical care.
Payments – examples: billing address, card details, transaction IDs (processed by Stripe, Inc.). Purpose: to process subscription fees.
Marketing inquiries – examples: email, first name, message content. Purpose: to respond to questions about our service.
B. Information we collect automatically
Marketing Site only: We use essential cookies to function and limited analytics for performance and security monitoring.
We use Google Analytics on our Marketing Site to understand aggregate user behavior. Google may set its own cookies. We have configured Google Analytics to anonymize IP addresses and do not use Google Analytics for personalized ads or cross-site tracking.
C. Information we receive from Beluga Health
Beluga Health shares appointment status and prescription fulfillment events with us so we can update your Patient Portal dashboard. We do not receive your medical chart or lab results.
5. Legal bases for processing (GDPR)
Contract – to deliver telehealth services you request.
Legitimate interests – fraud prevention, service security.
Legal obligation – HIPAA, state pharmacy laws, tax rules.
Consent – email marketing (you may withdraw any time).
6. How we use Personal Information
Provide, maintain, and improve the Patient Portal.
Authenticate log-ins and secure your account.
Send transactional messages (appointment reminders, refill notices).
[If applicable] Send marketing newsletters with your consent.
Comply with legal obligations and enforce our Terms of Service.
7. How we share Personal Information
Beluga Health – to deliver clinical care.
Service providers – hosting, email, payment processors. All are bound by written agreements that restrict them from using data for any other purpose.
Legal/Protective – when required by law or to protect rights, safety, or property.
Business transfers – if we undergo a merger, we will give 30 days' notice before data is transferred.
We do not sell or "share" Personal Information for cross-context behavioral advertising as defined by CPRA.
We may share your Personal Information with a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our users is among the assets transferred.
8. Your privacy rights
California (CCPA/CPRA)
Right to know categories and specific pieces of Personal Information we collect.
Right to delete Personal Information, subject to HIPAA retention rules.
Right to correct inaccurate Personal Information.
Right to opt out of sale or sharing (we do not engage in either).
Right to limit use of Sensitive Personal Information (we use it only to provide the service).
EU/EEA & UK (GDPR/UK GDPR)
Access, rectify, erase, or port your data.
Object to or restrict our processing.
Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email hello@haircultivated.com.
9. Cookies & tracking technologies
We use: (i) essential session cookies for authentication, and (ii) first-party analytics tools including Google Analytics and Matomo (IP anonymized). You can manage cookies via our Cookie Settings banner at any time.
10. Data retention
PHI – retained by Beluga Health.
Account data – kept while your account is active.
Server logs – kept for a maximum of 1 year.
11. International data transfers
We host all services in the United States. For EU/UK users, transfers rely on the EU-U.S. Data Privacy Framework or standard contractual clauses.
12. Security measures
256-bit TLS encryption in transit; AES-256 at rest.
HIPAA-compliant cloud infrastructure.
Role-based access controls and MFA for staff.
13. Children's privacy
We do not knowingly collect information from anyone under 18. If you are a parent and believe your child has provided us data, contact us for deletion.
14. Changes to this policy
We will post any changes here and notify registered users by email at least 15 days in advance. If you disagree with the changes, you may close your account before the effective date.
15. Contact us
Email: hello@haircultivated.com
Privacy Official: Kira Mengistu, Chief Compliance & Privacy Officer – privacy@haircultivated.com