Privacy Policy

Jaelion, Inc. ("Jaelion," "we," "us," or "our"), a Pennsylvania corporation, operates the website at jaelion.com (the "Site") and provides laboratory testing coordination, clinical reporting, and related professional services (collectively, the "Services") exclusively to licensed healthcare providers, licensed clinicians, and certified health professionals and their authorized practice representatives ("you" or "Partner").

This Privacy Policy describes how we collect, use, disclose, and protect information in connection with the Services and describes your rights under applicable law. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

1. Scope and Applicability

This Privacy Policy applies to all information collected through the Site, through our secure partner portal, through telephone or email communications with Jaelion, and through any other interaction you have with us in connection with the Services. It does not apply to the practices of third parties we do not own or control, including our laboratory partners, reference laboratories, or electronic health record vendors.

Jaelion is incorporated in the Commonwealth of Pennsylvania and maintains its principal place of business in Pennsylvania. We serve partners located in Pennsylvania, Michigan, and other states. Where applicable, this Policy specifically addresses rights and obligations under Pennsylvania law, Michigan law, and the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when you:

• Apply to become a Partner: Full name, email address, telephone number, professional license type, license number, National Provider Identifier (NPI) number (where applicable), practice or business name, practice address, state(s) of licensure or certification, and professional specialty;
• Create or manage an account: Username, password (stored in hashed form), and account preferences;
• Submit a contact or inquiry form: Name, email address, telephone number, practice information, and the content of your inquiry;
• Schedule a consultation or onboarding call: Contact information and scheduling preferences;
• Communicate with us: The content of those communications and any attachments you provide;
• Provide SMS consent: Mobile telephone number and consent to receive text messages as described in Section 5.

2.2 Information Collected Automatically

When you visit the Site or use the portal, we automatically collect log data (IP address, browser type, OS, referring URLs, pages visited, timestamps), device information, and cookies as described in Section 6.

2.3 Information from Third Parties

We may receive information about you from our CRM platform (LeadConnector / HighLevel) to the extent you have interacted with us through those platforms, and from state licensing boards or professional verification services.

2.4 What We Do Not Collect Through This Site

Jaelion does not collect patient or client PHI through this public-facing website. PHI submitted through our secure partner portal is handled exclusively under our HIPAA-compliant BAA and applicable law, not under this Privacy Policy.

3. How We Use Your Information

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We may share your information in the following limited circumstances:

• Service providers and business associates: Vendors who provide services on our behalf are contractually required to protect your information and use it only for the purposes for which it was disclosed. Where applicable, we execute Business Associate Agreements with vendors who may access PHI.
• Laboratory and diagnostic partners: To fulfill testing orders, we share necessary identifying and ordering information with our CLIA-certified laboratory partners under applicable BAAs and HIPAA.
• Professional verification services: We may share your name and license information with third-party credential verification services to confirm your professional status.
• Legal and regulatory compliance: We may disclose information when required by law, subpoena, court order, or regulatory demand, or when necessary to protect our rights, your safety, or the safety of others.
• Business transfers: If Jaelion is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
• With your consent: We may share information for any other purpose with your explicit consent.

5. SMS / Text Message Communications

By providing your mobile telephone number and affirmatively opting in, you consent to receive text messages from Jaelion regarding your account, service updates, appointment reminders, and, if separately consented, marketing communications. Message frequency varies. Message and data rates may apply.

To opt out: Reply STOP to any text message from Jaelion at any time. You will receive a single confirmation message and no further messages will be sent.

For help: Reply HELP to any text message or contact us at [email protected].

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data and consent will not be shared with any third parties.

Our messaging program complies with the Telephone Consumer Protection Act (TCPA), the CTIA Short Code Monitoring Handbook, and applicable carrier requirements for A2P 10DLC messaging.

6. Cookies and Tracking Technologies

• Strictly necessary cookies: Required for the Site to function, including session authentication cookies for the partner portal. These cannot be disabled.
• Analytics cookies: We use Umami Analytics, a self-hosted, privacy-respecting platform that does not use cross-site tracking or fingerprinting. No personally identifiable information is collected through our analytics platform.
• Preference cookies: Used to remember your preferences such as language or display settings.

You may disable non-essential cookies through your browser settings. We do not use cookies for targeted advertising.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect your personal information, including: encryption of data in transit (TLS 1.2+), encryption of sensitive data at rest, role-based access controls, regular security assessments, and employee training on data privacy and security practices.

No method of electronic transmission or storage is 100% secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

8. Data Retention

• Account information: Retained for the duration of your active partnership and for a minimum of seven (7) years following termination, consistent with Pennsylvania and federal business record-keeping requirements;
• Communications: Retained for a minimum of three (3) years;
• Analytics data: Retained in aggregated, anonymized form indefinitely;
• PHI handled under a BAA: Retained in accordance with HIPAA's six-year minimum retention requirement and applicable state law.

9. HIPAA Compliance

Jaelion operates as a Business Associate (as defined under HIPAA, 45 C.F.R. §§ 160, 164) with respect to licensed healthcare providers who are Covered Entities under HIPAA. In that capacity:

• We execute a Business Associate Agreement ("BAA") with each Covered Entity partner before receiving or accessing any PHI;
• We use and disclose PHI only as permitted by the applicable BAA and HIPAA;
• We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C);
• We maintain policies and procedures for breach notification consistent with the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D);
• We apply the HIPAA minimum necessary standard when using or disclosing PHI;
• We do not sell PHI or use PHI for marketing without authorization as required by HIPAA.

Certified health professionals who are not Covered Entities under HIPAA but who share client health information with Jaelion should contact us to discuss appropriate data handling agreements. We apply equivalent safeguards to all client health data regardless of HIPAA applicability.

To request a copy of our BAA or to report a potential HIPAA violation, contact our Privacy Officer at [email protected].

10. Pennsylvania Residents

Jaelion is incorporated in and operates from the Commonwealth of Pennsylvania. Pennsylvania residents are protected by the following state laws:

• Pennsylvania Breach of Personal Information Notification Act (73 P.S. §§ 2301–2329): In the event of a security breach involving Pennsylvania residents' unencrypted personal information, we will provide notice to affected individuals without unreasonable delay and no later than required by applicable law.
• Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL), 73 P.S. § 201-1 et seq.: We do not engage in unfair or deceptive acts or practices in connection with the collection or use of personal information.
• Pennsylvania wiretapping and electronic surveillance laws (18 Pa. C.S. § 5703): We do not intercept electronic communications without authorization.

11. Michigan Residents

We serve partners located in Michigan and take our obligations to Michigan residents seriously. Michigan residents are protected by the following state laws:

• Michigan Identity Theft Protection Act (MCL §§ 445.61–445.77): In the event of a security breach involving Michigan residents' personal information, we will provide notice to affected individuals without unreasonable delay and will notify the Michigan Attorney General as required.
• Michigan Consumer Protection Act (MCL § 445.901 et seq.): We do not engage in unfair, unconscionable, or deceptive methods, acts, or practices in trade or commerce.
• Michigan Mental Health Code (MCL § 330.1748): Mental health records and substance use disorder records shared with us through a BAA are handled with the heightened confidentiality protections required by Michigan law.
• Michigan Reproductive Health Data Privacy: We do not collect, process, or share reproductive health data except as required to fulfill a testing order placed by a licensed provider.

12. Your Rights and Choices

You have the following rights with respect to your personal information held by Jaelion:

• Access: Request a copy of the personal information we hold about you;
• Correction: Request correction of inaccurate or incomplete personal information;
• Deletion: Request deletion of your personal information, subject to our legal retention obligations and any applicable BAA;
• Portability: Request your personal information in a structured, commonly used, machine-readable format;
• Restriction: Request that we restrict processing of your personal information in certain circumstances;
• Objection: Object to our processing of your personal information for direct marketing purposes;
• Opt-out of email marketing: Click the unsubscribe link in any marketing email or contact us directly;
• Opt-out of SMS: Reply STOP to any text message from Jaelion;
• Non-discrimination: We will not discriminate against you for exercising any of these rights.

To exercise any of these rights, contact our Privacy Officer using the information in Section 14. We will respond to verified requests within 30 days.

13. Children's Privacy

The Services are directed exclusively to licensed healthcare professionals and certified health professionals who are at least 18 years of age. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have collected information from a minor, please contact us immediately at [email protected].

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify registered partners by email at least 30 days before the changes take effect. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.