Privacy Policy

Last Updated: March 18, 2026

1. Introduction

ASSURNA, Inc. (“ASSURNA,” “we,” “us,” or “our”) is a Delaware C-Corporation that operates a longevity intelligence platform (the “Platform”), including our website at assurna.com (the “Site”), mobile applications (the “App”), and related services (collectively, the “Services”).

Our Platform integrates wearable device data, laboratory results, genetic information, epigenetic biomarkers, and other health-related data to deliver personalized longevity optimization protocols for our members.

This Privacy Policy (“Policy”) describes how we collect, use, disclose, store, and protect your personal information, including Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations (collectively, the “HIPAA Rules”).

This Policy also serves as our Notice of Privacy Practices (“NPP”) required under 45 C.F.R. § 164.520, and addresses our obligations under applicable state privacy laws, including but not limited to the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), the Washington My Health My Data Act, and other state consumer health data privacy statutes.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with the practices described herein, please do not use our Services.

2. Key Definitions

Protected Health Information (PHI)

Individually identifiable health information that is created, received, maintained, or transmitted by ASSURNA in connection with the provision of health-related services, payment for healthcare, or healthcare operations. PHI includes information in any form or medium, whether electronic, paper, or oral.

Electronic Protected Health Information (ePHI)

PHI that is created, received, maintained, or transmitted in electronic form.

Personal Information

Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.

Biometric Data

Data generated by automatic measurements of an individual's biological characteristics, including but not limited to heart rate variability, sleep patterns, blood oxygen levels, body composition, and other physiological metrics collected through wearable devices and health monitoring equipment.

Genetic Information

Information about an individual's genetic tests, the genetic tests of family members, the manifestation of a disease or disorder in an individual's family members, and any request for or receipt of genetic services by an individual or family member.

Epigenetic Data

Data derived from epigenetic testing, including but not limited to DNA methylation patterns, biological age estimates (e.g., DunedinPACE, SYMPHONYAge, Horvath clock, PhenoAge, GrimAge), and other epigenetic biomarkers.

De-Identified Information

Health information that has been stripped of all identifiers as specified under 45 C.F.R. § 164.514(b) or determined by a qualified statistical expert to have a very small risk of re-identification pursuant to 45 C.F.R. § 164.514(a).

Business Associate

A person or entity that performs certain functions or activities on behalf of, or provides certain services to, ASSURNA that involve the use or disclosure of PHI.

3. Information We Collect

3.1 Information You Provide Directly

  • Account registration information: name, email address, phone number, date of birth, mailing address, and billing information
  • Profile information: gender, height, weight, health goals, and preferences
  • Communications: messages, feedback, support requests, and other correspondence with ASSURNA
  • Consent and authorization forms you submit
  • Payment information processed through our third-party payment processors

3.2 Health and Medical Information

  • Laboratory results: Blood panels, metabolic panels, lipid panels, hormone panels, inflammatory markers, micronutrient levels, and other clinical laboratory data from providers including Quest Diagnostics, Labcorp, and other laboratory partners
  • Wearable device data: Heart rate, heart rate variability (HRV), sleep stages and duration, respiratory rate, blood oxygen saturation (SpO2), skin temperature, strain/activity metrics, step counts, caloric expenditure, and recovery scores from devices including but not limited to Whoop, Oura Ring, Apple Watch, Garmin, Withings, Eight Sleep, Fitbit, and Polar
  • Continuous glucose monitoring (CGM) data: Real-time and historical glucose readings from Dexcom, FreeStyle Libre, Levels, and Nutrisense integrations
  • Genetic data: Single nucleotide polymorphism (SNP) data, whole genome sequencing data, pharmacogenomic profiles, and genetic risk assessments from providers including 23andMe, Nebula Genomics, and SelfDecode
  • Epigenetic data: DNA methylation profiles, biological age scores, pace of aging metrics, and epigenetic clock data from providers including TruDiagnostic
  • Body composition data: DEXA scan results, InBody analysis, visceral fat measurements, skeletal muscle mass, and body water percentage
  • Hormone and metabolic data: DUTCH test results (cortisol rhythm, sex hormones, melatonin metabolites), thyroid panels, and metabolic rate assessments
  • Nutrition data: Dietary intake, macronutrient and micronutrient tracking, supplement usage, and food sensitivity results from Cronometer and other integrations
  • Self-reported health information: Medical history, current medications, supplements, allergies, family health history, lifestyle factors, and subjective wellness assessments

3.3 Information Collected Automatically

  • Device information: device type, operating system, unique device identifiers, browser type, and mobile network information
  • Usage data: pages visited, features used, time spent on the Platform, click patterns, and interaction data
  • Log data: IP address, access times, referring URLs, and error logs
  • Location data: general geographic location derived from IP address (we do not collect precise GPS location without explicit consent)
  • Cookies and similar technologies: session cookies, persistent cookies, web beacons, and pixel tags as described in our Cookie Policy

3.4 Information from Third Parties

  • Data from wearable device APIs and health platform integrations authorized by you
  • Laboratory and diagnostic results transmitted directly from healthcare providers or laboratories at your direction
  • Genetic and epigenetic testing results from testing providers at your direction
  • Information from Apple HealthKit, Google Health Connect, or similar health data aggregation frameworks, only with your explicit permission
  • Information from our business partners and service providers necessary to deliver our Services

4. Apple HealthKit, Google Health Connect & Health Data Integrations

If you choose to connect your Apple Health, Google Health Connect, or similar health data aggregation service to ASSURNA, the following specific protections apply:

4.1 HealthKit Data Use Restrictions

  • We will only read from and write to HealthKit with your explicit permission for each data type
  • We will NOT use HealthKit data for advertising, data mining, or any purpose other than improving your health management and providing our longevity optimization Services
  • We will NOT sell HealthKit data to third parties, including advertising platforms, data brokers, or information resellers
  • We will NOT share HealthKit data with third parties without your express written consent, except as required to provide core functionality of our Services
  • HealthKit data will NOT be disclosed to any third party for purposes unrelated to health management or health research
  • We will NOT use HealthKit data to determine insurance eligibility, underwriting, or lending decisions

4.2 On-Device Processing

Where technically feasible, we process health data locally on your device before transmitting aggregated or de-identified results to our servers.

Data transmitted from your device to our servers is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 encryption.

4.3 Data Minimization

We collect only the specific HealthKit data categories necessary to provide our longevity intelligence Services. You may revoke access to any data category at any time through your device's Health app settings or through the ASSURNA App settings.

5. How We Use Your Information

5.1 Treatment, Services & Longevity Optimization

  • Analyzing your biomarkers, wearable data, genetic information, and epigenetic data to generate personalized longevity protocols
  • Calculating and tracking your biological age and pace of aging
  • Generating AI-powered health insights, supplement recommendations, and lifestyle optimization suggestions
  • Coordinating with healthcare providers, laboratories, and other health professionals at your direction
  • Providing real-time health monitoring and alerting based on wearable data trends

5.2 Payment and Operations

  • Processing membership payments and billing
  • Maintaining and improving our Platform, Services, and infrastructure
  • Providing customer support and responding to inquiries
  • Conducting quality assurance and internal auditing

5.3 Communications

  • Sending you health insights, protocol updates, and biomarker alerts
  • Providing account notifications and service updates
  • Responding to your requests and communications
  • With your consent, sending educational content related to longevity and health optimization

5.4 Research and Development

With your express, informed consent and subject to Institutional Review Board (IRB) approval where required, we may use de-identified or aggregated health data for:

  • Improving our AI-powered health analysis algorithms
  • Conducting longevity and healthspan research
  • Developing new features and services
  • Publishing aggregated, de-identified research findings

Important: You will always be given a clear, separate choice to opt in to any research use of your data. Your decision will not affect your access to our Services.

5.5 Legal and Compliance

  • Complying with applicable laws, regulations, and legal processes
  • Responding to lawful requests from public authorities, including national security or law enforcement requirements
  • Protecting our rights, privacy, safety, or property, and that of our members and the public
  • Enforcing our Terms of Service

6. HIPAA: Uses and Disclosures of Protected Health Information

Under the HIPAA Rules, we are permitted or required to use and disclose your PHI in certain circumstances without your written authorization. The following describes these circumstances:

6.1 Uses and Disclosures That Do Not Require Your Authorization

6.1.1 Treatment

We may use and disclose your PHI to provide, coordinate, or manage your health-related services and protocols. This includes sharing your information with healthcare providers, laboratory partners, and other health professionals involved in your care at your direction.

6.1.2 Payment

We may use and disclose your PHI to obtain payment for our Services, including billing, collections, and utilization review activities.

6.1.3 Healthcare Operations

We may use and disclose your PHI for our healthcare operations, including quality assessment and improvement, protocol optimization, credentialing, business planning, and general administrative activities.

6.1.4 As Required by Law

We will disclose your PHI when required to do so by federal, state, or local law, including but not limited to public health reporting, abuse or neglect reporting, and FDA-related disclosures.

6.1.5 Public Health Activities

We may disclose your PHI to authorized public health authorities for preventing or controlling disease, injury, or disability.

6.1.6 Health Oversight Activities

We may disclose your PHI to health oversight agencies for activities authorized by law, including audits, investigations, inspections, and licensure.

6.1.7 Judicial and Administrative Proceedings

We may disclose your PHI in response to a court order, subpoena, discovery request, or other lawful process, subject to applicable legal requirements.

6.1.8 Law Enforcement

We may disclose your PHI to law enforcement officials for limited law enforcement purposes as permitted by HIPAA.

6.1.9 Coroners, Medical Examiners, and Funeral Directors

We may disclose your PHI to coroners, medical examiners, and funeral directors as permitted by law.

6.1.10 Research

We may use or disclose your PHI for research purposes when approved by an IRB or Privacy Board, or when the information has been de-identified.

6.1.11 To Avert a Serious Threat to Health or Safety

We may disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety or that of the public or another person.

6.1.12 Specialized Government Functions

We may disclose your PHI to authorized federal officials for national security and intelligence activities.

6.1.13 Workers' Compensation

We may disclose your PHI as authorized by workers' compensation or similar laws.

6.2 Uses and Disclosures That Require Your Written Authorization

Except as described above, we will not use or disclose your PHI without your written authorization. You may revoke any authorization at any time in writing, except to the extent we have already acted in reliance on your authorization.

Uses and disclosures requiring authorization include: marketing communications (unless face-to-face or involving only promotional gifts of nominal value), sale of PHI, psychotherapy notes (if applicable), and uses or disclosures not described in this Policy.

7. Your Rights Under HIPAA

Under HIPAA, you have the following rights regarding your PHI:

7.1 Right to Access

You have the right to inspect and obtain a copy of your PHI maintained in our designated record set. We will provide copies in the format you request if readily producible, or in an alternative agreed-upon format. We may charge a reasonable, cost-based fee for copying, mailing, and related supplies.

7.2 Right to Amend

You have the right to request amendments to your PHI if you believe it is inaccurate or incomplete. We may deny your request under certain circumstances as permitted by HIPAA, but we will provide you with a written explanation of any denial.

7.3 Right to an Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI made by us during the six years prior to your request. This accounting does not include disclosures made for treatment, payment, or healthcare operations, among other exceptions.

7.4 Right to Request Restrictions

You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to your request, except that we must honor your request to restrict disclosure to a health plan for payment or healthcare operations purposes if the disclosure pertains to services for which you have paid out of pocket in full.

7.5 Right to Request Confidential Communications

You have the right to request that we communicate with you about your PHI in a certain way or at a certain location. For example, you may request that we contact you only by email or at a specific address. We will accommodate reasonable requests.

7.6 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Privacy Policy upon request, even if you have agreed to receive this notice electronically.

7.7 Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

To exercise any of these rights, please contact our Privacy Officer at the contact information provided at the end of this Policy.

8. Data Security

We implement comprehensive administrative, physical, and technical safeguards to protect your personal information and PHI, including:

8.1 Technical Safeguards

  • Encryption: All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption
  • Access Controls: Role-based access controls (RBAC) limit access to PHI to authorized personnel with a need-to-know
  • Audit Logs: Comprehensive audit logging tracks all access to and modifications of PHI
  • Authentication: Multi-factor authentication (MFA) is required for access to systems containing PHI
  • Automatic Session Timeout: Sessions are automatically terminated after periods of inactivity

8.2 Administrative Safeguards

  • Workforce Training: All personnel receive HIPAA and security awareness training upon hiring and annually thereafter
  • Risk Assessments: We conduct regular risk assessments to identify and mitigate potential vulnerabilities
  • Incident Response: We maintain incident response procedures to address potential security incidents promptly
  • Business Associate Agreements: We require BAAs with all service providers that access PHI
  • Security Officer: We have designated a Security Officer responsible for overseeing our security program

8.3 Physical Safeguards

  • Data Center Security: Our data is hosted in SOC 2 Type II certified facilities with physical access controls, environmental monitoring, and redundant systems
  • Workstation Security: Access to workstations that process PHI is restricted and monitored
  • Device and Media Controls: Policies govern the disposal, reuse, and movement of electronic media containing PHI

9. Data Sharing and Third-Party Service Providers

9.1 Business Associates and Service Providers

We share personal information and PHI with third-party service providers who perform services on our behalf, including:

  • Cloud hosting and infrastructure providers (e.g., Amazon Web Services)
  • Laboratory and diagnostic partners (e.g., Quest Diagnostics, Labcorp, TruDiagnostic)
  • Genetic and epigenetic testing providers
  • Payment processors
  • Customer support platforms
  • Analytics and data processing services

All service providers that access PHI are required to enter into Business Associate Agreements obligating them to protect PHI in accordance with HIPAA.

9.2 No Sale of Personal Information or PHI

We do NOT sell your personal information or PHI to third parties. We do NOT share your information with advertisers or data brokers.

9.3 Corporate Transactions

In the event of a merger, acquisition, reorganization, bankruptcy, or other corporate transaction, your information may be transferred to the surviving entity or acquiring party. We will notify you of any such transfer and any choices you may have regarding your information.

10. Data Retention

We retain your personal information and PHI for as long as necessary to provide our Services and comply with our legal obligations. Our standard retention periods are:

  • Active Accounts: We retain your data for as long as your account is active
  • Medical Records: In accordance with HIPAA and applicable state law, we retain PHI for a minimum of six (6) years from the date of creation or the date when the record was last in effect, whichever is later
  • Genetic Information: Genetic data is retained according to our genetic data retention policies and applicable state laws, which may require longer retention periods
  • Billing Records: We retain billing and payment records for at least seven (7) years for tax and audit purposes

Upon account deletion, we will delete or de-identify your personal information within 30 days, except as required to be retained by law or for legitimate business purposes.

11. State-Specific Privacy Rights

11.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
  • Right to Correct: You have the right to request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to certain purposes
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Note: HIPAA-covered health information is generally exempt from CCPA/CPRA. However, we extend these rights to you for all personal information we maintain.

11.2 Washington Residents (My Health My Data Act)

If you are a Washington resident, you have additional rights under the Washington My Health My Data Act regarding consumer health data:

  • Right to Confirm and Access: You may confirm whether we are processing your consumer health data and access such data
  • Right to Delete: You may request deletion of consumer health data
  • Right to Withdraw Consent: You may withdraw your consent to the collection or sharing of consumer health data at any time

11.3 Other State Privacy Laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy laws, please contact us to learn about your rights under your state's law.

12. AI and Automated Processing

ASSURNA uses artificial intelligence and machine learning algorithms to provide personalized health insights and longevity optimization recommendations. You should understand:

  • AI-Generated Insights: Our AI analyzes your biomarkers, wearable data, and other health information to generate personalized insights. These insights are for informational purposes only and do not constitute medical advice
  • Human Oversight: Critical health recommendations are reviewed by qualified health professionals before delivery
  • No Fully Automated Decisions: We do not make decisions that produce legal or similarly significant effects based solely on automated processing without human involvement
  • Explainability: You may request a human explanation of any AI-generated insight or recommendation
  • Data Training: We may use de-identified and aggregated data to improve our AI models. We will obtain your explicit consent before using identifiable data for AI training purposes

13. International Data Transfers

ASSURNA is based in the United States, and your information is processed and stored in the United States. If you access our Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country of residence.

By using our Services, you consent to the transfer of your information to the United States and the processing of your information in accordance with this Policy.

14. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@assurna.com, and we will take steps to delete such information.

15. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Platform. These include:

  • Essential Cookies: Required for basic Platform functionality, authentication, and security
  • Analytics Cookies: Help us understand how users interact with our Platform to improve our Services
  • Preference Cookies: Remember your settings and preferences

We do NOT use advertising or marketing cookies. We do NOT allow third-party advertising networks to place cookies on our Platform.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

When we make material changes to this Policy, we will:

  • Update the “Last Updated” date at the top of this Policy
  • Provide prominent notice on our Platform or via email before the changes take effect
  • Obtain your consent where required by applicable law

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Policy.

17. Breach Notification

In the event of a breach of unsecured PHI, we will comply with HIPAA breach notification requirements, including:

  • Notifying affected individuals without unreasonable delay and no later than 60 days following discovery of the breach
  • Notifying the Secretary of the U.S. Department of Health and Human Services
  • For breaches affecting 500 or more individuals in a state, notifying prominent media outlets

We will also comply with applicable state data breach notification laws, which may require additional or more expedited notifications.

18. Contact Information

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our privacy practices, please contact us:

ASSURNA, Inc.

Attn: Privacy Officer

Email: privacy@assurna.com

Phone: 877-ASSURNA (877-277-8762)

Address: 100 Park Ave, New York, NY 10017