
Privacy Policy Declaration

UPDATED ON SEPTEMBER 20, 2025

The following data protection declaration applies to Virgil Health, www.virgilhealth.care and its sub-domains, affiliated sites, and Virgil Health’s pages and accounts on Facebook, Instagram, LinkedIn, Twitter, WhatsApp, and YouTube (“Website”/“Site”/“Websites”/“Sites”).

 

It defines the principles under which we process all personal data that we collect from you or that you provide. We respect your privacy choices and understand your need to keep your personal information confidential. We are committed to safeguarding all information we collect from you when you use or access our content, services, and/or products.

 

Our commitment to protecting your privacy and ensuring transparent communication aligns with the principles of legal fluency that drive our business practices.

 

If you are a User, visitor, viewer, subscriber, client, and/or customer of our Sites (referred to collectively as “User,” “You,” or “Your”), please read this Privacy Policy in its entirety before using, viewing, downloading, purchasing from, or accessing our Site, content, services, and/or products.

 

By using our Sites, you acknowledge this Privacy Policy. We process personal data only on the legal bases described below (and seek your explicit consent where required, including for health data and non-essential cookies).

 

General Information about the collection of personal data and provider identification

  1. Personal data includes all information that relates to an identified or identifiable individual, such as names, addresses, email addresses, User behavior, and similar data.

  2. We use non-essential cookies and similar technologies only with your consent. You can grant, refuse, or withdraw consent at any time using our cookie preferences tool. Essential cookies run to operate the Site. See our Cookies Policy for details.

  3. Controller: Virgil Health LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, USA; privacy contact: info@virgilhealth.care

  4. Swiss Representative (FADP Art. 14): Dr. Shirin Karimi Hund, Zelglisteig 2, 8127 Forch, Zürich, Switzerland; info@virgilhealth.care

  5. EU Representative (GDPR Art. 27): [Name/Company], [Address in EU], [email] (to be completed)

  6. UK Representative (UK GDPR Art. 27): [Name/Company], [Address in UK], [email] (to be completed)

 

These contacts may be used for all data-protection inquiries in the respective regions.

 

WHAT DO WE COLLECT?

We collect, store, and use the following personal data:

 

  1. Personal Identification Information (First Name, Last Name, E-mail Address, Physical Address, Telephone Number)

  2. Credit Card Information / Payment Information

  3. Billing and Shipping Address

  4. Location

  5. Birthdates

  6. Gender

  7. Ethnicity and Racial Features

  8. Medical History

  9. Family History

  10. Mobile Number

 

Health and medical data we collect are considered ‘special category data’ under the GDPR and sensitive data under the Swiss FADP. They are processed only (i) with your explicit consent for platform features you choose to use, or (ii) in connection with a separate clinical encounter governed by the applicable clinician/practice notices (and HIPAA in the U.S.), as described in this Policy.

 

We also collect, store, and use data regarding your behavior, such as purchase data and information from your computer, including your IP Address, Geographical Location, Browser Type, Time Zone, Operating System, Browser Version, Pages on our Site that you visit, the time and date of your visit, and the duration spent on those pages.

 

Additionally, we collect information from any communications you send to us via email or through our website, including the content and metadata of such communications.

 

 

HOW DO WE COLLECT YOUR PERSONAL DATA?

In most instances, you provide us with the data we collect. We collect and process data when you:

 

  1. Register with our Sites or create an account on our websites.

  2. Subscribe to our e-mail list or newsletter.

  3. Purchase anything from our Sites.

  4. Download anything from our Sites, including freebies, lead magnets, and the like.

  5. Contact us through e-mail or the contact button on our Sites.

  6. Enter our Sites to gain access to courses, membership areas, blogs, and private groups.

  7. Leave a review or feedback.

  8. Voluntarily complete a customer survey.

  9. Allow us to interview you.

  10. Engage our services.

 

We collect information about your computer, including your IP address, geographical location, browser type and version, and operating system through automated data collection technologies, including Facebook Pixels, Google Analytics, Cookies, and similar methods, as detailed below. This means we are already collecting this data when you browse our Site.

 

We collect communication content and metadata when you post it to our Sites or mobile application, and when our website generates metadata in connection with your communication.

 

Before disclosing another person’s personal data to us, ensure you have a lawful basis to do so (for example, that person’s consent where required by law).

 

 

OUR LEGAL BASIS FOR COLLECTING AND PROCESSING YOUR INFORMATION

Personal data that you voluntarily submit to us through our Site or other means will be used for:

 

  1. Enabling your use of the services available on our sites.

  2. Allowing you to access our private groups.

  3. Processing your orders.

  4. Supplying services you purchased from us.

  5. Managing the account you created on our sites.

  6. Sending statements, invoices, payment reminders, and collecting payments.

  7. Sending newsletters if you subscribe; you may opt out at any time if you no longer wish to receive them.

  8. Direct Marketing
    • Email/SMS/app notifications to individuals in the EU/UK are sent only with your prior consent. You can withdraw consent at any time.
    • Postal marketing may rely on legitimate interests where permitted and subject to your right to object.
    • We do not provide your personal data to third parties for their own direct marketing without your explicit consent.

  9. Administering our sites and business operations.

  10. Personalizing our site for you.

  11. Providing third parties with statistical information about our Users; this data will not be used to identify any individual User.

  12. Sending non-marketing commercial communications.

  13. Sending you email notifications that you have specifically requested.

  14. Handling inquiries and complaints made by or about you relating to our site, products, or services.

  15. Keeping our sites secure and preventing fraud.

  16. Verifying compliance with the terms and conditions governing the use of our sites (including monitoring private messages sent through our site’s private messaging service).

  17. Complying with legal obligations.

  18. Protecting the life or physical safety of the data subject.

  19. Other uses consistent with this Privacy Policy.

 

If you submit personal information for publication on our site, we will publish and otherwise use that information in accordance with the license you grant us.

 

Without your express consent, we will not provide your personal information to any third party for their direct marketing, or for any other third party's marketing purposes.

 

Special Categories / Health Data

Where we process your health or medical information, or other special categories of data (including ethnicity and racial features), we rely on:

 

  1. a lawful basis under GDPR Art. 6(1) (e.g., contract performance, legal obligation, or legitimate interests such as fraud prevention); and

  2. a condition under GDPR Art. 9(2)—most commonly your explicit consent (Art. 9(2)(a)). Where a clinical encounter occurs, the condition in Art. 9(2)(h) (healthcare by professionals subject to confidentiality) applies to the independent clinician or affiliated practice.

  3. Under the Swiss FADP, processing of sensitive health or ethnicity-related data requires explicit consent (Art. 6) or another justification under Art. 31.

 

 

WE WILL DISCLOSE YOUR PERSONAL INFORMATION IN THE FOLLOWING INSTANCES:

We will never sell or trade your personal information.

 

We may disclose your personal information to any of our employees, insurers, professional advisers, agents, suppliers, or subcontractors as reasonably necessary for the purposes set out in this policy.

We will disclose your personal information under the following circumstances:

 

  1. As required by law.

  2. In connection with any ongoing or prospective legal proceedings.

  3. To establish, exercise, or defend our legal rights, including providing information to others for the purposes of fraud prevention and credit risk reduction.

  4. To the purchaser (or prospective purchaser) of any business or asset that we are selling or considering selling; and

  5. To any person whom we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would likely order disclosure of that personal information.

 

Except as provided in this policy, we will not provide your personal information to third parties.

 

 

DETAILS ABOUT OUR HOSTING AND MEDICAL RECORDS PROVIDERS

WIX (Website Hosting and Related Services)

Our website is hosted and operated using Wix.com Ltd. (Israel) and its U.S. affiliate Wix.com Inc. For hosting, analytics, and related services, Wix acts as our data processor under our instructions. Wix participates in the EU–U.S. Data Privacy Framework (DPF), its UK Extension, and the Swiss–U.S. DPF. Transfers of personal data to Wix therefore rely on adequacy decisions (GDPR Art. 45; FADP). Israel is also recognized by the European Commission as providing an adequate level of protection. If the DPF were invalidated, we would rely on the Standard Contractual Clauses (SCCs) (with the UK Addendum/IDTA and Swiss SCCs) and supplementary measures following a Transfer Impact Assessment (TIA).

 

HEALTHIE, INC. (Electronic Health Records / Practice Management)

We use Healthie, Inc. (United States) as an electronic health records and practice-management platform. For clinical encounters, the independent clinician or affiliated practice typically acts as the HIPAA covered entity and (for GDPR/FADP) the data controller. Virgil Health and Healthie act as business associates/processors under applicable agreements and instructions. Healthie participates in the EU–U.S. DPF, the UK Extension, and the Swiss–U.S. DPF. If the DPF were invalidated, we would rely on SCCs (with UK/Swiss addenda) and supplementary measures informed by a Transfer Impact Assessment (TIA). Healthie also maintains healthcare-grade compliance programs, including HIPAA, SOC 2, and HITRUST.

 

 

INTERNATIONAL DATA TRANSFERS

We transfer personal data to recipients outside your country, including to the United States and Israel, for the purposes described in this Policy.

 

  • Data Privacy Framework (EU/UK/Swiss): Where recipients in the U.S. are certified under the EU–U.S. Data Privacy Framework (DPF), its UK Extension, or the Swiss–U.S. DPF (including Healthie, Inc. and Wix.com Ltd./Inc.), we rely on those certifications as adequacy mechanisms (GDPR Art. 45; FADP).

  • Standard Contractual Clauses (SCCs): If a recipient is not DPF-certified, we use the European Commission’s SCCs (and, where applicable, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, and the Swiss FDPIC-approved SCCs), together with supplementary measures informed by a Transfer Impact Assessment (TIA).

  • Other adequate countries: Where transfers are made to countries recognized by the European Commission or the Swiss Federal Council as providing an adequate level of protection (for example, Israel), those adequacy decisions serve as the transfer mechanism.

 

We maintain records of our transfer mechanisms and will update this Policy if the legal frameworks change (e.g., DPF invalidation or adoption of new SCCs).

 

 

WHAT ARE YOUR RIGHTS?

  1. Right to Access. You have the right to request copies of your personal information from us, subject to the following:
    • The supply of appropriate evidence of your identity, such as a photocopy of your passport.
    • We may withhold the personal information you request to the extent permitted by law.
    • You may instruct us at any time not to process your personal information for marketing purposes.
    • You also have the right to lodge a complaint with your local supervisory authority if you believe we have violated data protection laws (GDPR Art. 77; FADP Art. 32).

  2. Right to Erasure: You may request deletion of your personal data in the circumstances set out in GDPR Art. 17 / FADP.

  3. Right to Withdraw Consent: Where we rely on consent (including for health data or non-essential cookies), you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.

  4. Right to Restrict Processing. You have the right to request that we restrict the processing of your personal information under certain conditions.

  5. Right to Object to Processing. You may object at any time to our use of your personal data for direct marketing (we will stop immediately). You may also object to processing based on legitimate interests; in such cases, we will stop unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

  6. Right to Data Portability. You have the right to request that we transfer the data we have collected to another organization or directly to you, under certain conditions.

  7. Right to Rectification. You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete information you believe is incomplete.

  8. Right to Object / Opt-Out of Third-Party Sharing. We do not share personal data with third parties for their own direct marketing without your explicit consent. We may share personal data with service providers and other recipients as described in this Policy, under appropriate contracts and safeguards, where permitted by law.

 

If you decide to opt in, you will always have the right to opt out. All requests for information, disclosure requests, or objections to data processing should be sent by email to info@virgilhealth.care.

 

We will respond to verified requests within one month (extendable in limited circumstances). We do not use automated decision-making, including profiling, that produces legal or similarly significant effects. If this changes, we will inform you and explain the logic, significance, and consequences, and your rights related to such processing.

 

We may deny your requests in certain instances; for example, if we cannot verify that you are the owner of the information, or if we are legally required to retain a copy of the personal information. In such cases, we will communicate this fact to you in writing.

 

Legally, you may appeal our decision by responding to the communication denying your request.

 

 

YOU HAVE A RIGHT TO UNSUBSCRIBE

If you wish to unsubscribe from our email list at any time, please send an email to info@virgilhealth.care or follow the instructions provided at the bottom of every email we send.

 

Our email service provider allows us to segment and tag our leads. As a result, it is possible that you may be part of several segments or lists, particularly if you interact with us through different methods. For example, you might have sent an inquiry, downloaded a lead magnet, watched a specific presentation, or purchased a particular service or product. Consequently, when you unsubscribe using the link in an email, you may only be unsubscribing from a specific segment or list.

 

To completely unsubscribe from all of our lists, you may need to send an email to info@virgilhealth.care.

 

 

HOW DO WE RESPOND TO “DO NOT TRACK” REQUESTS?

We do not respond to legacy “Do Not Track” signals, as no industry standard exists. However, where required by law (e.g., California CPRA), we honor browser-based opt-out preference signals such as Global Privacy Control (GPC) for opting out of “sale” or “sharing” of personal information.

 

 

HOW LONG DO WE RETAIN YOUR DATA?

We retain data for as long as necessary to fulfill the purposes for which it was collected. We may keep your data even after a particular matter or exchange has concluded, solely for record-keeping purposes and to respond to queries.

 

Notwithstanding the other provisions herein, we will retain documents, including electronic documents, that contain personal data under the following conditions:

 

  1. To the extent required by law.

  2. If we believe the documents may be relevant to any ongoing or prospective legal proceedings.

  3. To establish, exercise, or defend our legal rights, including providing information to others for fraud prevention and credit risk reduction.

 

While specific periods vary by purpose and law, we do not retain personal data longer than necessary. We retain most business records for up to 10 years, unless a longer period is required by law. Records that qualify as medical or health records are retained for the statutory minimum periods required by healthcare or medical record laws in the relevant jurisdiction (for example, 10 years in Switzerland, or longer if required by local law).

 

If you request that we stop sending you marketing communications or unsubscribe from our email list, we will retain certain details, such as your name, to ensure that you are not contacted again.

 

 

SECURITY OF YOUR PERSONAL INFORMATION

  1. www.virgilhealth.care uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. Third parties cannot read the data you transmit to us.

  2. We will take appropriate technical and organizational measures to protect your personal information against unauthorized access, loss, misuse, alteration, or disclosure, in line with GDPR Art. 32 and FADP Art. 8.

  3. As we use our Host’s platform for our website, we are subject to the processes used by our Host to protect your data, including the use of firewalls and encryption for payments.

  4. All physical documents in paper format are stored under lock and key and cannot be accessed outside our organization. We store them in accordance with our retention policy and shred and destroy them once they are no longer needed.

  5. You acknowledge that transmitting information over the Internet is inherently insecure, and we cannot guarantee the security of data sent over the Internet.

  6. You are responsible for keeping the password you use to access our Sites confidential. We will not ask you for your password except when you log in to our website.

 

Data Breach Notification

Where we become aware of a personal data breach, we will assess its risks and notify the competent supervisory authority within the applicable legal timeframe (e.g., GDPR/UK GDPR) and notify affected individuals where required by law (including under FADP and applicable U.S./Australian laws).

 

 

COOKIES AND TRACKING TOOLS

Cookies

Our Site uses cookies. These small text files allow us to store specific, User-related information on your device while you are using our Site. Cookies enable us to determine the frequency of use and the number of Users of the pages on our Site, as well as to analyze the behavior of our Site Users. They make our offerings more User-friendly.

 

Cookies are stored beyond the end of a browser session and can be retrieved when you revisit the Site. If you prefer not to have cookies stored, you should adjust your internet browser settings to refuse cookies.

 

We have a separate cookies policy that explains what cookies we use and how you can choose to accept or reject them. You can read it in our Cookie Policy.

 

You can also delete cookies. If you are in Europe, you can learn more about how to delete cookies at www.youronlinechoices.com.

 

Note, however, that deleting cookies may negatively impact the usability of many websites.

 

Meta (Facebook/Instagram) Pixel
We load Meta Pixel only after your consent (EU/UK/CH) through our cookie banner. Pixel data may be transferred to the U.S. under the DPF (where applicable) or SCCs with supplementary measures. You can withdraw consent at any time via the banner settings.

 

We Use Google Analytics (GA4)
We use Google Analytics 4 to analyze Site usage. In the EU/UK/Switzerland, we deploy Analytics only after you give consent via our cookie banner. We enable IP anonymization and limit data retention where available. Where Google transfers data to the U.S., we rely on Google’s participation in the EU-U.S. DPF/UK Extension/Swiss-U.S. DPF (where applicable) or SCCs with supplementary measures. You may opt out using the Google Analytics opt-out add-on.

 

 

OPT-OUT OF TARGETED ADVERTISING

You can opt out of targeted advertising by visiting the following websites:

Network Advertising Initiative (NAI): http://www.networkadvertising.org/choices/

Digital Advertising Alliance (DAA): http://www.aboutads.info/choices/

 

 

CHILDREN’S DATA

Our Services are intended for individuals 18+. Minors must not create their own accounts or use our Sites without their parent’s or legal guardian’s consent.


A parent or legal guardian may use the Services to book or manage a booking for a minor child (“Minor”) and, by doing so, confirms authority and consents to the processing of the Minor’s personal data for that purpose.

 

We do not knowingly collect personal data from children.

 

If we become aware that we have collected personal data from a child without the required parental consent, we will promptly delete it.

 

 

WE WILL NEVER SELL YOUR INFORMATION

We do not sell your personal information. We also do not “share” personal information for cross-context behavioral advertising or similar profiling, unless permitted by law and subject to your right to opt out.

 

Where required (for example, under the California Consumer Privacy Act as amended by the CPRA), we provide a “Do Not Sell or Share My Personal Information” mechanism and honor browser-based opt-out preference signals such as Global Privacy Control (GPC).

 

 

YOUR PERSONAL DATA WHEN YOU PURCHASE ANYTHING FROM OUR SITES

Payments are processed by our payment providers under their privacy notices. Our providers may store tokenized payment credentials on our behalf to enable authorized transactions (e.g., booking charges, no-show fees), and we may access limited payment identifiers (such as the last four digits and expiry month/year).

 

We utilize the following payment gateways:

 

Credit Card Payment Processed by Stripe

Payments on our Sites may be processed using Stripe, Inc. (U.S.). Stripe acts as an independent controller of payment data. Transfers of personal data to Stripe rely on its participation in the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF, or on the SCCs with supplementary measures if required. See Stripe’s privacy notice for details.

 

If you have questions about Stripe’s Privacy Policy, please contact privacy@stripe.com.

 

Payment through Bank Transfer

If you choose offline payment through Bank Transfer, we will have access to the following information:

 

  1. Your name

  2. Your Phone number

  3. E-mail address

  4. Your Bank Account Number

 

However, we do not have control, nor are we responsible for how Banking institutions handle these details. These providers act as independent controllers when processing payment data under their own privacy policies.

 

If you choose payment via Bank Transfer, you can read our banks’ privacy policies here: https://wise.com/gb/legal/privacy-notice-personal-en and https://mercury.com/legal/privacy

 

 

Use of Wise (formerly TransferWise)

Cross-border payments may be processed using Wise Payments Ltd. (UK) and affiliates. Wise generally acts as an independent controller of payment data. Transfers of personal data to the UK rely on the EU’s adequacy decision (GDPR Art. 45). For more information on how Wise processes your data, please refer to their Privacy Policy: https://wise.com/us/privacy-policy

 

 

USE OF SOCIAL MEDIA PLUG-INS

We currently use the following social media plug-ins: Facebook, Instagram, LinkedIn, Twitter, and YouTube.

 

We employ a '2-click' solution. This means that when you visit our site, no personal data is initially transmitted to the providers of these plugins. You can identify the plugin provider by the initial letter or symbol. Personal data is only transmitted when you activate one of the plugins. Upon activation, data is automatically sent to the respective plugin provider and stored by them. We do not control the data collected, the data processing procedures, nor are we aware of the full extent of data collection, the purposes of data collection, or the storage periods. As the plugin provider collects data through cookies, we recommend deleting all cookies via your browser's security settings before activating the symbols.

 

To understand how our social media plugin providers handle your data, please review their respective privacy policies here:

 

Meta Platforms, Inc (Facebook): https://www.facebook.com/privacy/policy

Meta Platforms, Inc (Instagram): https://privacycenter.instagram.com/policy

YouTube Inc.: https://policies.google.com/privacy?hl=en

LinkedIn, Inc.: https://www.linkedin.com/legal/privacy-policy

X Corp.: https://twitter.com/en/privacy

 

We enable plug-ins only after your activation (and, where required by law, your consent) via our user controls.

 

 

THIRD-PARTY LINKS

Our sites may contain links to websites not operated by us. If you click on a third-party link, you will be directed to that third-party's site. We strongly advise you to review the Privacy Policy of every site you visit.

 

We do not control, and are not responsible for, the content, privacy policies, or practices of any third-party sites or services.

 

 

OUR SOCIAL MEDIA ACCOUNTS AND THIRD-PARTY APPLICATIONS WE USE

You may interact with us on social media and other third-party applications. To the extent practicable, this Privacy Policy applies to those interactions. Please note these platforms typically act as independent controllers and apply their own privacy notices and cookies.

 

International transfer basis (EU/UK/Switzerland to the U.S. and elsewhere).

Where a provider transfers personal data to the U.S., we rely on one of the following for that provider: an active certification under the EU–U.S. Data Privacy Framework (DPF), its UK Extension, or the Swiss–U.S. DPF; an EU/Swiss adequacy decision for the destination country; or the Standard Contractual Clauses (SCCs) (with the UK Addendum/IDTA and Swiss addenda) plus supplementary measures.

 

Facebook

Owner: Meta Platforms, Inc

Transfer basis: Certified under the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF.

Privacy Policy: https://www.facebook.com/privacy/policy

 

Instagram

Owner: Meta Platforms, Inc

Transfer basis: Certified under the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF.

Privacy Policy: https://privacycenter.instagram.com/policy

 

YouTube

Owner: Google LLC

Transfer basis: Certified under the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF.

Privacy Policy: https://policies.google.com/privacy?hl=en
 

LinkedIn

Owner: LinkedIn, Inc. with LinkedIn Ireland Unlimited Company as EU controller

Transfer basis: Certified under the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF.

Privacy Policy: https://www.linkedin.com/legal/privacy-policy

 

Twitter

Owner: X Corp.

Transfer basis: Listed under the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF. Where DPF does not apply, SCCs (with UK/Swiss addenda) are used.

Privacy Policy: https://twitter.com/en/privacy

 

Zoom

Owner: Zoom Video Communications, Inc.

Transfer basis: Active under the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF. Where DPF does not apply, SCCs (with UK/Swiss addenda) are used.

Privacy Policy: https://zoom.us/privacy

 

Google Workspace (Gmail, Google Calendar, Google Drive, etc.)

Owner: Google LLC

Transfer basis: Certified under the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF; where DPF does not apply, SCCs (with UK/Swiss addenda) are used.

Privacy Policy: https://policies.google.com/privacy

 

Evernote

Owner: Evernote Corporation

Transfer basis: Certified under the EU–U.S. DPF, UK Extension, and Swiss–U.S. DPF.

Privacy Policy: https://evernote.com/privacy/

 

 

OUR E-MAIL POLICY

If you choose to communicate with us via email, we may retain the content of your email communications, including your email address. These communications are protected under the provisions outlined in this Privacy Policy.

 

All emails sent to us are treated as confidential. We do not disclose, sell, transfer, or lease our email lists to any third parties, except as specified in this Privacy Policy.

 

In compliance with the U.S. CAN-SPAM Act, all emails from us will clearly identify the sender’s name and provide explicit instructions on how to contact us. Additionally, our emails will include detailed instructions on how to unsubscribe from our email list.

 

Each email we send will include a link to unsubscribe from our email list. You can use this link to stop receiving future communications.

 

Email, SMS, and other third-party channels are not fully secure. We use reasonable safeguards, but once messages leave our systems or transit over third-party networks/devices, confidentiality and delivery may be outside our control. Nothing in this Policy limits our obligations under applicable privacy and data-protection laws.

 

 

BASIS OF THIS DATA PROTECTION DECLARATION

This Privacy Policy is designed to meet transparency duties under: EU GDPR, UK GDPR & DPA 2018, Swiss FADP, U.S. laws including COPPA and (where applicable) CPRA, and the laws noted in the regional addenda (Australia; India).

 

 

COMPLAINTS

If you have complaints about how we process your data, or you feel that we did not address your concerns, you may contact the Data Protection Authority listed below or the relevant Data Protection Authority in your habitual residence, place of work, or the place of the alleged infringement.

 

Austrian Data Protection Authority (DSB)
Phone: +43 1 52152 0
Website: https://www.dsb.gv.at

 

Belgian Data Protection Authority (DPA)
Phone: +32 2 274 48 00
Website: https://www.gegevensbeschermingsautoriteit.be

 

Bulgarian Commission for Personal Data Protection
Phone: +359 2 915 35 18
Website: https://www.cpdp.bg

 

Croatian Personal Data Protection Agency (AZOP)
Phone: +385 1 4609 000
Website: https://azop.hr

 

Office of the Commissioner for Personal Data Protection (Cyprus)
Phone: +357 22 818 456
Website: http://www.dataprotection.gov.cy

 

The Office for Personal Data Protection (Czech Republic UOOU)
Phone: +420 234 665 111
Website: https://www.uoou.cz

 

Danish Data Protection Agency (Datatilsynet)
Phone: +45 33 19 32 00
Website: https://www.datatilsynet.dk

 

Estonian Data Protection Inspectorate
Phone: +372 627 4135
Website: https://www.aki.ee/en

 

Finnish Office of the Data Protection Ombudsman
Phone: +358 29 566 6700
Website: https://tietosuoja.fi/en

 

French Commission Nationale de l'Informatique et des Libertés (CNIL)
Phone: +33 1 53 73 22 22
Website: https://www.cnil.fr/en/home

 

Federal Commissioner for Data Protection and Freedom of Information (German BfDI)
Phone: +49 228 997799-0
Website: https://www.bfdi.bund.de

 

Hellenic Data Protection Authority (HDPA)
Phone: +30 210 647 5600
Website: https://www.dpa.gr

 

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Phone: +36 1 391 1400
Website: https://www.naih.hu

 

Icelandic Data Protection Authority (Persónuvernd)
Phone: +354 510 9600
Website: https://www.personuvernd.is

 

Data Protection Commission (Ireland - DPC)
Phone: +353 57 868 4800
Website: https://www.dataprotection.ie

 

Garante per la Protezione dei Dati Personali
Phone: +39 06 69677 1
Website: https://www.garanteprivacy.it

 

Data State Inspectorate of Latvia (DVI)
Phone: +371 67 22 31 31
Website: https://www.dvi.gov.lv/en

 

State Data Protection Inspectorate (Lithuania)
Phone: +370 5 271 2804
Website: https://vdai.lrv.lt/en/

 

National Commission for Data Protection (Luxembourg CNPD)
Phone: +352 26 10 60 -1
Website: https://cnpd.public.lu

 

Office of the Information and Data Protection Commissioner (Malta)
Phone: +356 2328 7100
Website: https://idpc.org.mt

 

Autoriteit Persoonsgegevens (AP)
Phone: +31 70 888 8500
Website: https://autoriteitpersoonsgegevens.nl

 

Norwegian Data Protection Authority (Datatilsynet)
Phone: +47 22 39 69 00
Website: https://www.datatilsynet.no

 

Personal Data Protection Office (Poland - UODO)
Phone: +48 22 531 03 00
Website: https://uodo.gov.pl

 

Comissão Nacional de Proteção de Dados (CNPD)
Phone: +351 213 928 400
Website: https://www.cnpd.pt

 

National Supervisory Authority for Personal Data Processing (ANSPDCP)
Phone: +40 21 252 5599
Website: https://www.dataprotection.ro

 

Office for Personal Data Protection of the Slovak Republic
Phone: +421 2 3231 3214
Website: https://dataprotection.gov.sk

 

Information Commissioner of the Republic of Slovenia
Phone: +386 1 230 97 30
Website: https://www.ip-rs.si

 

Spanish Agencia Española de Protección de Datos (AEPD)
Phone: +34 901 100 099
Website: https://www.aepd.es

 

Swedish Authority for Privacy Protection (IMY)
Phone: +46 8 657 61 00
Website: https://www.imy.se

 

Swiss Federal Data Protection and Information Commissioner (FDPIC)
Phone: +41 58 462 43 95
Website: https://www.edoeb.admin.ch

 

Federal Trade Commission (FTC) – Bureau of Consumer Protection (United States)
Phone: +1 202-326-2222
Website: https://www.ftc.gov

 

In the United States, in addition to the FTC, you may also raise privacy complaints with the Attorney General in your state of residence, depending on the applicable state law.

 

Office of the Australian Information Commissioner (OAIC)
Phone: +61 1300 363 992
Email: enquiries@oaic.gov.au
Website: https://www.oaic.gov.au

 

Office of the Privacy Commissioner (New Zealand)
Phone: +64 0800 803 909
Email: enquiries@privacy.org.nz
Website: https://www.privacy.org.nz

 

Information Commissioner's Office (ICO)
Phone: +44 0303 123 1113
Website: https://ico.org.uk

 

Office of the Privacy Commissioner of Canada (OPC)
Phone: +1 819-994-5444
Email: info@priv.gc.ca
Website: https://www.priv.gc.ca

 

 

AMENDMENTS TO THE DATA PROTECTION DECLARATION

We reserve the right to amend this Privacy Policy to reflect changes in legal requirements or modifications to our services and data processing practices. Amendments will apply solely to statements regarding data processing. Should changes to this Privacy Policy necessitate User consent or affect aspects of the contractual relationship with Users, such changes will be implemented only with the Users’ explicit consent.

 

Users are encouraged to regularly review this Privacy Policy.

 

If you have any questions or complaints regarding this Privacy Policy, please contact us at info@virgilhealth.care.

 

UNITED KINGDOM (UK GDPR & DATA PROTECTION ACT 2018) ADDENDUM

 

For UK residents, references to the GDPR in this Policy are to the UK GDPR and the Data Protection Act 2018. UK residents retain all rights described in “What are your rights?” in the main Policy and may also complain to the Information Commissioner’s Office (ICO) (Wycliffe House, Water Ln, Wilmslow SK9 5AF; ico.org.uk).

 

International transfers: Where we transfer personal data to the U.S., we rely on the UK Extension to the EU–U.S. Data Privacy Framework (DPF) for certified recipients. Where recipients are not certified, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, together with supplementary measures.

 

 

AUSTRALIA (PRIVACY ACT 1988; APPS; NOTIFIABLE DATA BREACHES) ADDENDUM

 

For Australian residents, we handle personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988. You have rights to access and correction of your personal information (APPs 12–13). You may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

 

Where we disclose personal information overseas, we take reasonable steps to ensure the recipient does not breach the APPs (APP 8). We will notify you and the OAIC of eligible data breaches under the Notifiable Data Breaches (NDB) scheme where required.

 

INDIA (DIGITAL PERSONAL DATA PROTECTION ACT, 2023) ADDENDUM

 

For Indian residents, we process your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act). You have rights to:

  • access, correction, and erasure of your data,

  • grievance redressal, and

  • nomination of another person to exercise your rights on your behalf in case of death or incapacity.

 

Consent is our primary lawful basis for processing under the DPDP Act. Cross-border transfers are permitted unless the Central Government issues restrictions; we will update this Policy if restrictions are enacted.

 

Grievance Officer (DPDP):
Dr. Shirin Karimi Hund
Email: info@virgilhealth.care
Postal Address: 30 N Gould St, Ste R, Sheridan, WY 82801, USA
Available 9:00–17:00 IST, Monday–Friday

 

We aim to acknowledge and resolve grievances within 7 working days, in accordance with the DPDP Act, 2023.

 

UNITED STATES ADDENDUM


CCPA/CPRA AND OTHER STATE PRIVACY LAWS

If you are a resident of California, Colorado, Connecticut, Utah, or Virginia, you may have rights under state privacy laws, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

 

  • The right to know what categories of personal information we collect, use, disclose, and “sell” or “share.”

  • The right to access, correct, and delete your personal information.

  • The right to opt out of the “sale” or “sharing” of your personal information for targeted advertising.

  • The right to limit the use of sensitive personal information (where applicable).

  • The right to designate an authorized agent to exercise rights on your behalf.

  • The right not to be discriminated against for exercising your privacy rights.

 

How to exercise your rights (U.S.): You may submit a verifiable request to us at info@virgilhealth.care.

 

 

Opt-Out Preference Signals

Where required by law (e.g., California CPRA), we honor browser-based opt-out signals such as Global Privacy Control (GPC) for opting out of “sale” or “sharing” of personal information.

 

 

HIPAA Notice of Privacy Practices (U.S. clinical encounters).

If you proceed to a clinical telemedicine or other healthcare encounter with an independent clinician or affiliated practice accessed via our platform, protected health information (“PHI”) related to that encounter is governed by the applicable HIPAA Notice of Privacy Practices (NPP) presented at the point of care. Where the clinician or practice is the HIPAA covered entity, their NPP applies. If -- and only to the extent -- Virgil Health acts as a covered entity or designated health-care component for a particular activity, Virgil Health’s NPP applies to that activity. For all personal information that is not PHI, this Privacy Policy and any applicable state privacy laws (e.g., CPRA) apply.

 

 

Retention of Records in the United States

Where a clinical encounter occurs, medical records and PHI are retained by the applicable covered entity (e.g., the independent clinician or affiliated practice) for the periods required by the laws of the state where services are provided. Under HIPAA (45 CFR § 164.530(j)(2)), covered entities (and their business associates, as applicable) retain required privacy documentation for at least six (6) years. If—and only to the extent—Virgil Health acts as a covered entity or business associate for a particular activity, Virgil retains related records for the periods required by HIPAA and applicable state law. For non-PHI personal data, the general retention rules in this Policy apply.
