1) Scope
This Privacy Policy applies to information processed by Castle Health in connection with our public website, member portal, membership checkout, referral/affiliate program, and customer support (collectively, the "Services"). It does not apply to third-party telehealth, medical groups, pharmacies, labs, or payment processors, which maintain their own privacy notices.
- Account & Profile. Name, email, address, phone, login credentials, preferences.
- Membership & Dependents. Selected plan, enrollment dates, and information you provide to add dependents (e.g., name and date of birth per plan rules).
- Payment & Billing. We use a payment processor to handle payments; we do not store full card numbers on our servers. We may receive limited billing metadata (e.g., last 4 digits, status, timestamps).
- Referral/Affiliate. Codes you generate/use; basic metrics such as clicks, signups, and earned amounts associated with a referral code.
- Support & Communications. Messages you send us (email, forms), and related metadata.
- Usage & Device. Log data (IP address, browser, pages viewed, timestamps), device identifiers, and approximate location derived from IP.
- Optional Health-Related Details You Share with Us. If you choose to share limited information (e.g., plan preferences or issues to coordinate with partners), we handle it as described here. Clinical details exchanged with licensed providers are governed by those providers' privacy policies and/or HIPAA, not this policy (see Section 9).
3) Cookies & Tracking
We use cookies and similar technologies to operate and improve the Services. These include:
- Essential cookies. For login sessions, CSRF protection, load balancing, and security.
- Referral cookie (ref). If you arrive with ?ref=CODE, we set a 30-day cookie to track valid referrals and improve signup attribution. We count at most one "click" per code per session to limit inflation.
- Analytics. We may use basic analytics to understand feature usage and performance.
You can control cookies through your browser settings. Blocking some cookies may limit functionality (e.g., staying signed in).
4) How We Use Information
- Provide, operate, and secure the Services (account creation, login, membership management).
- Process and support memberships, including dependents and plan selections.
- Facilitate referral/affiliate tracking, rewards, and reporting.
- Respond to inquiries, provide support, and send service-related communications.
- Analyze usage to improve performance, user experience, and features.
- Enforce terms, prevent fraud/abuse, and comply with legal obligations.
5) How We Share Information
- Telehealth & Pharmacy Partners. At your request or to fulfill your membership, we may share necessary information (e.g., your contact details, plan status) to coordinate services. Clinical care is provided by licensed third parties who maintain their own policies.
- Service Providers. Vendors who help us run the Services (hosting, security, analytics, support, payment processing) under contracts that restrict their use of your information.
- Referral/Affiliate. We generate and maintain referral codes and metrics (clicks, signups, earnings) and may display these to the referrer in their dashboard.
- Legal & Safety. We may disclose information when we believe it's necessary to comply with law, protect rights and safety, or respond to lawful requests.
- Business Transfers. In a merger, acquisition, or asset sale, your information may be transferred, subject to this Policy.
We do not sell your personal information as "sell" is defined under many state privacy laws. We also do not share your personal information for cross-context behavioral advertising.
6) Security
We implement administrative, technical, and physical safeguards designed to protect information. No system is 100% secure; you are responsible for maintaining the confidentiality of your login credentials.
7) Retention
We retain information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods may vary depending on the data type and applicable law.
8) Your Privacy Rights
Depending on your location (e.g., California, Colorado, Connecticut, Virginia, Utah), you may have rights to:
- Access/know and obtain a copy of personal information.
- Request correction or deletion.
- Data portability where applicable.
- Opt out of certain processing (e.g., sale/sharing, targeted advertising) — we do not engage in these practices.
- Limit the use/disclosure of sensitive personal information where required by law.
- Appeal our decision regarding a rights request.
To exercise rights, email privacy@castlehealthplans.com with "Privacy Request" in the subject and include your name, the email tied to your account, and what you're requesting. We will verify your identity before acting on requests. You may also authorize an agent where permitted by law.
9) HIPAA & Health Information
Castle Health is not a "covered entity" under HIPAA. Clinical services are provided by independent, licensed providers and partner pharmacies who may be covered by HIPAA. Their Notices of Privacy Practices govern Protected Health Information (PHI) in those contexts. This Policy covers information we process in operating our Services (membership, website, referrals, support). If we facilitate your coordination with a provider, the provider's policies apply to your clinical records and PHI.
10) International Transfers
We are based in the United States. If you access the Services from outside the U.S., you understand that your information may be transferred to, stored in, and processed in the U.S. where our and our providers' servers are located.
11) Do Not Track
Some browsers offer "Do Not Track" signals. We do not currently respond to DNT signals. We will update this Policy if our practices change.
12) Children's Privacy
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. Parents/guardians may add eligible dependents to a membership per plan rules.
13) Changes to This Policy
We may update this Policy from time to time. Material changes will be indicated by updating the "Last updated" date above and/or providing additional notice where appropriate. Your continued use of the Services after changes means you accept the updated Policy.
Questions about this Policy? Contact us: