Privacy Policy
Effective date: 2026-04-28
1. Who we are
Kayarx LLC ("KayaRx," "we," "our") operates kayarx.com. This Privacy Policy describes how KayaRx collects, uses, and shares information about you when you use the Service. Information that constitutes Protected Health Information ("PHI") under HIPAA is also covered by our Notice of Privacy Practices; where the two documents differ, the HIPAA notice controls for PHI.
2. Information we collect
- Account information. Email address, password (stored only as a salted hash), and the timestamp at which you accepted these terms.
- Profile information. Name, date of birth, biological sex, phone number, mailing address. Stored encrypted at rest.
- Health intake. Your responses to the health questionnaire for each treatment, lab results when applicable, the prescribing physician's decision, and any clinical notes. Stored encrypted at rest. This is PHI.
- Billing. Card details are handled by Stripe; KayaRx stores only a Stripe customer reference, not card numbers. We retain receipts of charges and invoices.
- Communications. Messages exchanged with our support agent are retained encrypted for the duration of your account and are accessible to you in your portal inbox.
- Technical data. IP address, user-agent string, and basic logs of which pages you visit. Used to operate the Service and detect abuse.
3. How we use your information
- To deliver the Service: route your intake to a licensed physician, fulfill prescriptions, ship medication, process payment, and send notifications.
- To comply with our legal obligations, including HIPAA, applicable state telehealth statutes, and FDA compounded-medication marketing rules.
- To prevent fraud, abuse, and security incidents.
4. How we share your information
We share information only as needed to operate the Service or as required by law:
- Clinical partner. Our clinical infrastructure partner routes intakes to licensed physicians, manages prescriptions, and orders lab kits. They are bound by a HIPAA Business Associate Agreement.
- Compounding pharmacy. Receives the prescription and shipping address required to compound and deliver your medication.
- Payment processor. Stripe handles payment. They receive billing details directly; KayaRx does not see your card.
- Email provider. We use Azure Communication Services Email to deliver transactional emails (verification codes, password resets, account notifications, operator alerts). Email is covered under Microsoft's HIPAA Business Associate Agreement. By design, patient health information is stored in your in-portal secure inbox, not in the body of any email — outbound emails are content-free notifications that link you back to the portal to read the actual message. KayaRx does not send marketing email and does not send SMS.
- Hosting and infrastructure. Microsoft Azure (database, application servers, encryption keys, monitoring), all bound by HIPAA Business Associate Agreements.
- Legal compulsion. Subpoenas, court orders, or as required by law.
We do not sell your personal information. We do not share PHI with advertising networks.
5. Security
Health data is encrypted at rest. Access to your records is logged. Where we partner with vendors, we sign Business Associate Agreements before any PHI flows to them. No system is perfect — if a security incident affects your information, we will notify you in accordance with applicable law.
6. Your choices
- You can update most profile fields from your account dashboard. Changes to your name or phone number that are used for identity verification must be made from /profile while signed in.
- You can request a copy of, or deletion of, your account data by signing in and messaging our support team through the support chat in your account. Some records are retained as required by HIPAA, state board, or pharmacy regulations even after account closure.
7. State-specific rights
Residents of California, Colorado, Connecticut, Virginia, and other states with consumer-privacy statutes have additional rights, including the right to know, to correct, to delete, and to opt out of certain processing. To exercise these rights, sign in and message our support team through the support chat in your account. We will not retaliate against you for exercising any privacy right.
8. Children
The Service is not directed to anyone under 18. If you believe we have inadvertently collected information from a minor, contact us and we will delete it.
9. Changes
We will notify you of material changes through the Service or by email. The effective date at the top of this page reflects the most recent update.
10. Contact
For privacy questions or requests, sign in and message our support team through the support chat in your account.
kayarx.com is operated by Kayarx LLC, a Massachusetts limited liability company.
