1. Overview
HeyZoe ("HeyZoe," "we," "us," or "our") respects your privacy. This Policy applies to information we process through the HeyZoe website, applications, marketplace, and related services (the "Platform"). It should be read together with our Terms & Conditions. By using the Platform, you acknowledge the practices described here.
2. Our Role & Your Role
Depending on the activity, HeyZoe acts in one of two roles:
- As a controller for information we determine the purposes of — for example, account registration, billing, platform analytics, security, and our own communications with you.
- As a processor or service provider on behalf of our business customers (Clinics and Suppliers) for information they upload and control — for example, a Clinic's CRM records, patient data a Clinic manages, or a Supplier's product and order data. In these cases, the Clinic or Supplier is the controller, their own privacy notices apply to their patients and contacts, and we act on their instructions.
Because HeyZoe is a venue connecting independent parties, some information you provide is shared with the other party to a transaction (for example, a Clinic's order details are shared with the relevant Supplier to fulfill the order). Each party is responsible for its own handling of information it receives.
3. Information We Collect
Information you provide
- Account & profile: name, business/clinic name, role, email, phone, credentials or licensing details (including National Provider Identifier (NPI) numbers where applicable), and account type (Clinic, Supplier, or Patient). Where you provide an NPI, we may verify it against available registries to support Supplier due diligence and market transparency.
- Transactional: orders, listings, pricing, carts, dosing/bill-of-materials inputs, fulfillment and shipping details, and communications with other users.
- Content: CRM and pipeline records, educational engagement, messages, documents, and anything else you upload.
- Billing: billing contact and subscription details. Payment card data is collected and processed directly by our payment processor — we do not store full card numbers.
- Patient and health-related data that a Clinic chooses to enter or manage (for example, biomarker tracking or treatment-related details), processed on the Clinic's behalf.
Information collected automatically
- Device and usage data such as IP address, browser type, pages viewed, and interactions.
- Cookies and similar technologies (see Cookies & Tracking).
Information from third parties
- Authentication, payment, messaging, carrier, and pharmacy-fulfillment providers may share information needed to operate features you use.
4. How We Use Information
- To provide, operate, maintain, and secure the Platform;
- To facilitate transactions and connections between Clinics and Suppliers;
- To capture and, where available, verify credentials such as NPI numbers, supporting Supplier due diligence and market transparency;
- To process subscriptions, billing, and payments;
- To enable communications, education, CRM, and supply-chain features;
- To provide support and respond to requests;
- To monitor, detect, and prevent fraud, abuse, and security incidents;
- To analyze and improve the Platform and develop new features;
- To comply with legal obligations and enforce our Terms.
We do not sell personal information. We use information we control for our legitimate business purposes and, where required, with your consent.
5. How We Share Information
- With the other party to a transaction. To complete an order or connection, we share necessary information between the relevant Clinic and Supplier (for example, order, fulfillment, and contact details).
- With service providers/processors who help us run the Platform under contractual confidentiality and security obligations (see below).
- For legal reasons — to comply with law, respond to lawful requests, or protect the rights, safety, and security of HeyZoe, our users, or the public.
- In a business transfer — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
- With your direction or consent.
6. Third-Party Processors
We rely on reputable third-party providers to deliver the Platform. These providers process information only as needed to perform their services and under appropriate safeguards. Categories include:
| Function | Purpose |
|---|---|
| Cloud hosting & infrastructure | Hosting the application, databases, and storage |
| Authentication | Secure login and identity management |
| Payments | Subscription billing and payment processing |
| Messaging | In-platform chat and communications |
| Shipping carriers | Label generation and shipment tracking |
| Pharmacy fulfillment | Prescription routing and fulfillment where applicable |
| Analytics & monitoring | Usage analytics, performance, and error monitoring |
Where any provider processes personal information on our behalf, we put data-processing terms in place requiring confidentiality and appropriate security.
7. Calendar Integration & Scheduling
HeyZoe offers an optional Calendar Integration feature that allows you to connect a third-party calendar service (currently Google Calendar) to your HeyZoe account to enable two-way synchronization of appointments, bookings, and related scheduling information. Use of the Calendar Integration is entirely optional. This section describes how HeyZoe handles data exchanged through it; the full operational and liability terms are set out in the Calendar Integration & Scheduling section of our Terms & Conditions.
7.1 Authorization. When you connect a third-party calendar, you authorize HeyZoe to access, read, create, modify, and delete calendar events and related data within the connected calendar account, solely to the extent necessary to provide the integration. You may revoke this authorization at any time through your HeyZoe account settings or directly through your third-party calendar provider's permission controls. Revoking access will disable synchronization but will not retroactively remove data already exchanged.
7.2 Scope of Use; Google API Services. HeyZoe accesses and uses data obtained through the Calendar Integration only to provide and improve the scheduling and synchronization features you have requested. HeyZoe's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. HeyZoe does not use calendar data for advertising, does not sell calendar data, and does not transfer such data except as necessary to provide the feature, comply with applicable law, or as part of a merger or acquisition with appropriate notice.
7.3 Data Synchronization and Storage. To provide synchronization, HeyZoe may store a limited copy of, or references to, calendar event data on its systems. Such data is handled in accordance with this Privacy Policy, including the security and retention practices described below. You acknowledge that information synchronized to a connected calendar may become visible to other individuals with whom that calendar is shared, and you are responsible for managing the sharing settings of your own calendar.
7.4 Third-Party Service Dependency. The Calendar Integration depends on services provided by third parties, including Google. Those services are governed by the third party's own terms of service and privacy policy, and HeyZoe does not control how the third party processes data within its own systems.
7.5 Termination. Upon termination of your account or the Calendar Integration, HeyZoe will cease synchronization and will handle any retained calendar data in accordance with this Privacy Policy and applicable law.
8. How We Secure Data
We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and loss. These measures include:
- Encryption in transit using TLS, and encryption at rest for stored data;
- Access controls based on least-privilege principles, with role-based permissions across account types;
- Multi-tenant isolation designed to keep each customer's data logically separated;
- Authentication safeguards through a dedicated identity provider, supporting strong credential and session management;
- Network and infrastructure security through our cloud hosting provider, including firewalls and isolation.
No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for safeguarding your credentials and for the security of data you upload. If we become aware of a security incident affecting your information, we will notify affected parties as required by applicable law.
9. Data Retention
We retain information for as long as your account is active, as needed to provide the Platform, and as required to comply with legal, tax, accounting, and regulatory obligations or to resolve disputes and enforce agreements. When we no longer need information, we delete or de-identify it. Where we act as a processor for a Clinic or Supplier, retention and deletion follow that customer's instructions and agreement.
10. Your Choices & Rights
Depending on your location, you may have rights to access, correct, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent. You can update much of your account information directly in the Platform. To exercise other rights, contact us using the details below.
If your information is managed by a Clinic or Supplier (where we act as a processor), please direct your request to that organization; we will assist them as required. We will not discriminate against you for exercising your rights.
11. Health Information
Some Clinics may use the Platform to manage patient or health-related information. Where HeyZoe processes such information on a Clinic's behalf, we do so as a service provider under the Clinic's direction and applicable agreements, including any data-processing or business-associate arrangements where required by law. Clinics are responsible for obtaining any necessary consents from their patients and for their own lawful handling of health information.
12. Cookies & Tracking
We use cookies and similar technologies for essential functionality (such as keeping you logged in), to remember preferences, and to understand usage so we can improve the Platform. You can control non-essential cookies through your browser settings or any consent controls we provide. Disabling some cookies may affect functionality.
13. International Transfers
HeyZoe is based in the United States, and information may be processed in the U.S. and other countries where we or our providers operate. Where required, we use appropriate safeguards for cross-border transfers.
14. Children's Privacy
The Platform is intended for business and professional use and is not directed to children under 18. We do not knowingly collect personal information directly from children. Where a Clinic manages information relating to a patient who is a minor, the Clinic is responsible for the lawful basis and any required consents.
15. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will provide notice through the Platform or by other reasonable means and update the "Last updated" date above. Your continued use of the Platform after changes take effect constitutes acceptance of the revised Policy.
16. Contact
Questions or requests regarding this Policy or your information can be directed to HeyZoe at privacy@heyzoe.com.