Vitelize Health

Privacy Policy

Effective Date: April 16, 2026 · Version: Digital v3 · Document Reference: VIT-PRIV-003

Jurisdiction: State of Colorado, USA (Primary); Province of British Columbia, Canada (Corporate Domicile)

Regulatory Framework: HIPAA (45 C.F.R. Parts 160, 162, 164); Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.); BC PIPA (SBC 2003, c. 63); COPPA; CAN-SPAM Act

Controller: Vitelize Health Inc., incorporated under the Business Corporations Act (British Columbia)

Contact: privacy@vitelizehealth.com

1. Introduction and Scope

Vitelize Health Inc. (“Vitelize,” “we,” “us,” or “our”) is incorporated under the Business Corporations Act (S.B.C. 2002, c. 57, British Columbia, Canada) and operates its metabolic wellness coordination platform in the State of Colorado, United States. Vitelize provides wellness coordination, fitness programming, nutritional support, and technology integration services. Vitelize does not deliver medical care, prescribe medications, or constitute a healthcare provider under applicable state or federal law.

This Privacy Policy governs the collection, use, disclosure, retention, and protection of personal information and health-related data obtained through the Vitelize website, mobile application, platform, and associated program services (collectively, the “Platform”). It applies to all users, including prospective participants, enrolled participants, and website visitors. This Policy satisfies disclosure obligations under: HIPAA and its implementing regulations at 45 C.F.R. Parts 160, 162, and 164 (to the extent Vitelize functions as a Business Associate); the Colorado Privacy Act (“CPA”), C.R.S. § 6-1-1301 et seq.; the Colorado Consumer Protection Act, C.R.S. Title 6, Art. 1; the Personal Information Protection Act of British Columbia (“BC PIPA”), SBC 2003, c. 63; and, where applicable, PIPEDA (S.C. 2000, c. 5).

2. Business Associate Identification

Vitelize is the data controller with respect to personal information collected for wellness coordination and administrative purposes. Vitelize is not a HIPAA-covered entity; however, to the extent Vitelize receives, processes, maintains, or transmits PHI on behalf of CareValidate Inc. or other independent licensed healthcare providers, Vitelize operates as a Business Associate under 45 C.F.R. § 160.103, governed by executed Business Associate Agreements. CareValidate Inc. operates as an independent covered entity responsible for all clinical data governance. ABC Fitness Solutions, LLC (operating Trainerize) operates as a technology subprocessor to Vitelize under an executed Business Associate Agreement governing the handling of PHI-linked fitness data within the Vitelize-Trainerize integration.

3. Personal Information Collected

3.1 Registration and Account Information

Upon creating a Platform account, Vitelize collects full legal name, date of birth, email address, mailing address, telephone number, account credentials, and billing and payment information.

3.2 Wellness and Program Participation Data

In the course of Program participation, Vitelize may collect or receive data relating to body weight, body composition metrics (including body fat percentage and lean mass estimates from BIA scanning), fitness activity logs, resistance training progression records, nutritional intake, subjective wellness assessments, and program adherence data. This data is submitted directly by participants through the Platform and through integration with Trainerize (ABC Fitness Solutions, LLC). A portion of this data is shared with CareValidate for clinical oversight purposes as described in Section 5 below.

3.3 Health Information from Independent Medical and Laboratory Providers

Pursuant to a participant-executed HIPAA Authorization (VIT-HIPAA-001), Vitelize may receive limited PHI from CareValidate Inc. and independent CLIA-certified Laboratory Providers. PHI received from CareValidate is limited to: treatment participation status, medication titration status relevant to exercise programming, general health indicators relevant to safe fitness delivery, and laboratory result data from enrollment and six-month milestone blood panels. The laboratory panels include standard metabolic markers, lipid panel, insulin, HbA1c, CBC, thyroid markers, and inflammatory markers as ordered by Independent Medical Providers. Laboratory results are initially transmitted to CareValidate and, pursuant to participant authorization and the Vitelize-CareValidate BAA, shared with Vitelize for program coordination and dataset purposes.

3.4 Trainerize Platform Data (Bidirectional Flow)

The Vitelize-Trainerize integration operates bidirectionally. Vitelize transmits participant enrollment and program parameters to Trainerize to enable trainer delivery of the fitness component of the Program. Trainerize transmits fitness platform data back to Vitelize, including workout session records, training progression metrics, body composition data entered by trainers (including BIA-derived values), nutrition adherence logs, and fitness assessment data. Where this return-leg data constitutes PHI, it is governed by participant HIPAA Authorization (VIT-HIPAA-001) and the Vitelize-ABC Fitness Solutions, LLC Business Associate Agreement.

Participants are advised that Trainerize is an independent platform operated by ABC Fitness Solutions, LLC, which has its own Terms of Service and Privacy Policy (available at www.trainerize.com and www.abcfitness.com). ABC Fitness Solutions independently collects certain data from participants who interact with the Trainerize interface, subject to its own policies. Vitelize’s obligations extend to PHI-linked data flowing between the platforms under the BAA but do not govern ABC Fitness Solutions’ independent data practices within the Trainerize platform.

3.5 Technical and Automatically Collected Data

The Platform automatically collects IP addresses, device identifiers, operating system and browser type, session data, navigation pathways, geographic location (general), and cookie identifiers for Platform security, performance monitoring, and aggregate analytics.

3.6 Communications Data

Records of communications between participants and Vitelize personnel through the Platform, including in-app messaging and wellness coordination interactions, are retained for quality assurance and compliance.

4. Legal Basis for Processing

5. Use of Personal Information — All Data Flows

Personal information is used exclusively for the following purposes. All five data flows in the Vitelize program architecture are described:

Flow 1: CareValidate → Vitelize

Receiving PHI from CareValidate and Laboratory Providers pursuant to participant HIPAA Authorization, for wellness program coordination and safe fitness programming delivery.

Flow 2: Vitelize → CareValidate

Sharing BIA body composition results, training session logs, program adherence data, and subjective wellness assessments with CareValidate and Independent Medical Providers for clinical oversight, GLP-1 dosing review, and integrated program management. This flow is governed by the Vitelize-CareValidate BAA and participant HIPAA Authorization.

Flow 3: Trainerize ↔ Vitelize

Transmitting participant program parameters to Trainerize for trainer delivery; receiving fitness platform data back from Trainerize for program coordination. Governed by the Vitelize-ABC Fitness Solutions BAA.

Flow 4: Lab Providers → Vitelize

Receiving blood panel results from independent Laboratory Providers (via CareValidate) pursuant to participant HIPAA Authorization. Laboratory data is used for program coordination and, in de-identified form, incorporated into the longitudinal dataset.

Flow 5: Trainerize-sourced data → CareValidate

Aggregating Trainerize-sourced fitness and adherence data within Vitelize’s platform and providing relevant fitness outcome data to CareValidate for clinical oversight. Governed by the Vitelize-CareValidate BAA.

De-identified Dataset

Building a longitudinal metabolic performance dataset from de-identified BIA, training, adherence, and laboratory data per 45 C.F.R. § 164.514(b). De-identified data is not PHI and may be retained and used without restriction.

Platform Operations

Account management, subscription processing, communications, program scheduling, and participant support.

Vitelize does not sell personal information to third parties and does not use personal information for purposes materially incompatible with those described in this Policy without fresh participant consent.

6. Disclosure of Personal Information

6.1 CareValidate Inc. and Independent Medical Providers

Vitelize shares wellness coordination data (Flow 2) with CareValidate for clinical oversight as described in Section 5. Vitelize receives PHI from CareValidate (Flow 1) pursuant to participant HIPAA Authorization and the Vitelize-CareValidate BAA.

6.2 Independent Laboratory Providers

Vitelize shares participant scheduling and enrollment information with Laboratory Providers engaged to conduct Program blood panels. Each Laboratory Provider has executed a BAA. Laboratory Providers receive only the information necessary to conduct laboratory services and are prohibited from using participant data for other purposes.

6.3 ABC Fitness Solutions, LLC (Trainerize)

Vitelize shares participant program parameters, fitness programming, and trainer coordination data with ABC Fitness Solutions, LLC (Trainerize) in its capacity as a technology subprocessor. A Business Associate Agreement is executed between Vitelize and ABC Fitness Solutions, LLC, governing all PHI-linked data exchanges in both directions between the platforms (Flows 3 and 5). Participants are advised that ABC Fitness Solutions, LLC independently operates the Trainerize platform under its own Terms of Service and Privacy Policy; participants who access the Trainerize interface within the Vitelize Program are subject to those independent policies for data collected by Trainerize outside the scope of the BAA. Participants should review ABC Fitness Solutions’ privacy practices at www.abcfitness.com.

6.4 Gym Partner Facilities

Vitelize shares participant scheduling information, fitness program parameters, and wellness status data with Core Progression and other Gym Partner Facilities to the extent necessary to deliver fitness programming. Gym partners are contractually prohibited from using participant information for purposes outside the Program.

6.5 Legal and Regulatory Disclosures

Vitelize may disclose personal information in response to valid legal process from competent authorities including the Colorado Medical Board, HHS Office for Civil Rights, and the British Columbia Information and Privacy Commissioner. Vitelize will notify affected participants of such disclosures unless prohibited by law.

6.6 Corporate Transactions

In a merger, acquisition, or restructuring, personal information may be transferred to a successor entity assuming obligations consistent with this Policy, with notice to participants.

7. Colorado Privacy Act Participant Rights

The Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq., confers the following rights on Colorado residents:

Submit CPA rights requests to privacy@vitelizehealth.com. Vitelize will respond within 45 days. Note: PHI access requests relating to medical records must be directed to CareValidate Inc. directly. De-identified data incorporated into the longitudinal dataset cannot be retrieved or deleted in identified form.

8. HIPAA Business Associate Obligations

As a Business Associate to CareValidate Inc. and Laboratory Providers, Vitelize is obligated to: use and disclose PHI only as permitted under applicable BAAs and HIPAA regulations; implement administrative, physical, and technical safeguards per the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C); report any unauthorized PHI use or disclosure to the applicable covered entity; and ensure that subcontractors handling PHI (including ABC Fitness Solutions, LLC) execute HIPAA-compliant BAAs. These obligations apply to all five data flows described in Section 5.

9. BC PIPA and Cross-Border Transfers

Vitelize is incorporated in British Columbia, Canada, and acknowledges the applicability of BC PIPA (SBC 2003, c. 63) to its personal information practices. Cross-border transfers between Canada and the United States are subject to BC PIPA accountability requirements. Vitelize implements contractual safeguards ensuring equivalent protection regardless of processing jurisdiction. The Vitelize Privacy Officer may be contacted at privacy@vitelizehealth.com. British Columbia residents may file complaints with the BC Office of the Information and Privacy Commissioner (www.oipc.bc.ca).

10. Data Security

Vitelize maintains an information security program incorporating TLS 1.2+ encryption in transit, encryption at rest for PHI, role-based access controls, multi-factor authentication for administrative systems, audit logging of PHI access, vendor security assessments (including for ABC Fitness Solutions, LLC and Laboratory Providers), and an incident response and breach notification program compliant with 45 C.F.R. §§ 164.400-164.414 and C.R.S. § 6-1-716.

11. Data Retention

Account and enrollment records: minimum seven (7) years after Program conclusion. PHI in Business Associate capacity: per applicable BAAs and HIPAA standards. Technical and usage data: up to 24 months. Communications records: minimum three (3) years. De-identified longitudinal dataset data: indefinitely for research and program development purposes.

12. Children’s Privacy

The Platform is not directed to individuals under 18. Vitelize does not knowingly collect personal information from minors. If discovered, such information will be promptly deleted in accordance with COPPA (15 U.S.C. § 6501 et seq.).

13. Policy Updates

Vitelize may modify this Policy at any time. Material changes will be communicated via Platform notification or email no fewer than 30 days before the effective date. Continued Platform use after the effective date constitutes acceptance of the revised Policy.

14. Contact Information

Privacy Officer: Vitelize Health Inc.

Email: privacy@vitelizehealth.com

BC OIPC: www.oipc.bc.ca

Colorado AG: coag.gov

HHS OCR: hhs.gov/ocr