Privacy Policy

Last Updated: November 4, 2025

1. Introduction

Welcome to DexaStrong. DexaStrong is operated by DexaFit Health, LLC, a subsidiary of DexaFit, Inc. (collectively referred to as "DexaFit," "DexaStrong," "DexaFit Entities," "we," "us," or "our"). We prioritize your privacy and are committed to protecting your personal information.

This Privacy Policy outlines our practices regarding the collection, use, protection, and disclosure of information across our website, digital content, and related services (collectively, the "Platform"). This Privacy Policy should be read together with our Terms of Service.

Important Health Disclaimer: DexaStrong is a marketing and information platform that connects users with independent third-party providers. It is not designed to diagnose, treat, mitigate, or prevent any disease or medical condition. Our Platform is meant to provide educational information and facilitate access to wellness services, but it is not a substitute for medical advice or care from healthcare providers.

Emergency Notice: IF YOU ARE EXPERIENCING A MEDICAL EMERGENCY, DIAL "911" IMMEDIATELY. Our Platform is not for medical emergencies or urgent situations.

Key Definitions

  • "Personal Information" refers to any data that can directly or indirectly identify you, such as your name, email address, phone number, and health-related information.

  • "De-Identified Information" refers to information that has been anonymized and cannot be linked back to you individually.

  • "Third-Party Providers" refers to independent providers who perform services such as DEXA scans, VO2 Max testing, and wellness consultations.

  • "DexaFit Entities" refers to DexaFit, Inc., DexaFit Health, LLC, and their respective subsidiaries, affiliates, and successors.

Geographic Scope

Our Platform is intended for users in the United States. If you are accessing our Platform from outside the United States, your information may be transferred to, processed, and stored in the U.S., where privacy laws may differ from those in your country. By using our Platform, you consent to this transfer, processing, and storage as outlined in this Privacy Policy.

We encourage you to read this Privacy Policy carefully to understand our practices and your rights regarding your personal information.

2. Information We Collect

We collect various types of information to provide and improve our services:

Personal Identifiers

We may collect:

  • Name, email address, postal address, phone number

  • Account credentials (username and password)

  • Date of birth and gender (when provided)

  • Payment information (collected by third-party payment processors; we do not store complete credit card numbers)

We may collect these for account creation, communication, transaction processing, and providing the services you request.

Health and Wellness Information

When you use services through our Third-Party Providers, we may receive:

  • Body composition data from DEXA scans

  • Bone density evaluations

  • VO2 Max and cardiorespiratory fitness test results

  • Metabolic wellness test data (RMR)

  • Health histories and assessment questionnaires

  • Laboratory test results

  • Other health-related information you choose to provide

Important: This health-related data is not considered an Electronic Health Record (EHR) or Electronic Medical Record (EMR) for any purposes, including HIPAA compliance. Our use of this information is strictly for facilitating wellness services and providing educational insights through the Platform.

Demographic and Lifestyle Information

We may collect:

  • Age range and ethnicity (when voluntarily provided)

  • Lifestyle choices and preferences

  • Fitness and wellness goals

  • Dietary preferences and restrictions

  • Other demographic data you choose to share

This information helps us personalize your experience and connect you with appropriate Third-Party Providers.

Third-Party Integrations

You may choose to connect:

  • Fitness tracking devices (e.g., Apple Health, Google Fit, Fitbit)

  • Wearable technology data

  • Other wellness platforms

This data helps provide a comprehensive view of your wellness journey and enables better service recommendations.

Usage and Technical Data

Our Platform automatically collects:

  • Device information (type, operating system, browser)

  • IP address and general location data

  • Pages visited and time spent on pages

  • Referring websites and search terms

  • Platform interaction data and clickstream information

  • Cookies and similar tracking technologies (see Section 5)

Communication Data

We maintain records of:

  • Your communications with us (emails, chat messages, support requests)

  • Feedback and survey responses

  • Marketing interaction history

  • Communications with Third-Party Providers facilitated through our Platform

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Provision and Facilitation

  • Connect you with appropriate Third-Party Providers

  • Schedule appointments and coordinate services

  • Process transactions and manage billing

  • Provide customer support and respond to inquiries

  • Authenticate your identity and secure your account

  • Deliver educational content and wellness insights

Communication and Marketing

  • Send service updates, appointment reminders, and test result notifications

  • Provide customer support and technical assistance

  • Send marketing communications about our services and Third-Party Provider offerings (with your consent)

  • Facilitate communications between you and Third-Party Providers when requested

  • Personalize promotional content based on your preferences and interactions

You may opt out of marketing communications at any time by using the unsubscribe link in emails or by contacting us at support@dexafit.com.

Personalization and Platform Improvement

  • Customize content, features, and provider recommendations to your preferences

  • Analyze usage patterns to improve our Platform and user experience

  • Develop new features, products, and offerings

  • Conduct research and analytics to enhance service quality

  • Optimize Platform performance and functionality

  • A/B test features and content

AI and Technology Enhancement

  • Generate AI-powered wellness insights and recommendations

  • Test and improve experimental features and functionalities

  • Train and improve our algorithms using de-identified data

  • Develop predictive models for wellness trends and outcomes

  • Enhance matching algorithms for connecting users with providers

De-Identified Data Uses

Critical Privacy Protection: Personally identifiable information will never be sold, shared, or disclosed to third parties without your explicit consent, except as required by law or as described in this Privacy Policy.

We may use de-identified, aggregated, or anonymized data (that cannot be traced back to you individually) for:

  • Product development and algorithm training

  • Research and service enhancement

  • Supporting clinical studies and academic research

  • Developing future products and services

  • Creating anonymized datasets for research, analytics, and licensed health technology development

  • Internal analytics and business insights

  • Statistical analysis and trend identification

  • Contributing to health and wellness research advancements

Important Note: Once data is de-identified, it is no longer considered Personal Information under this Privacy Policy. De-identified data may be retained indefinitely for research, analytics, and commercial purposes.

Security, Compliance, and Legal

  • Maintain Platform security and prevent fraud

  • Comply with legal obligations and regulatory requirements

  • Enforce our Terms of Service and protect user safety

  • Respond to legal requests and protect rights

  • Investigate and prevent violations of our policies

  • Detect and prevent security threats

4. How We Share Your Information

We do not sell your personal information. However, we may share your data in specific circumstances:

Third-Party Providers

When you schedule or purchase services through DexaStrong:

  • We share necessary information (name, contact information, appointment details, health history) with the Third-Party Provider you select

  • These providers are independent entities not owned, operated, controlled, or supervised by DexaFit Entities

  • Each provider has their own privacy policies, terms of service, and data handling practices

  • Providers are solely responsible for their own regulatory compliance and data security

  • Any issues with Third-Party Providers' data practices must be addressed directly with them

Important: We recommend reviewing each Third-Party Provider's privacy policy before scheduling services.

Service Providers and Vendors

We work with trusted third-party service providers who assist with:

  • Payment processing (e.g., Stripe, PayPal)

  • Cloud hosting and data storage (e.g., AWS, Google Cloud)

  • Email and communication services (e.g., SendGrid, Twilio)

  • Analytics and marketing tools (e.g., Google Analytics, Facebook Pixel)

  • Customer support platforms

  • Security and fraud prevention services

These service providers are bound by confidentiality agreements and are only permitted to use your data for specified purposes on our behalf.

Wellness Provider Coordination

When you use services involving wellness consultations or educational guidance, we may share relevant information with licensed wellness professionals to facilitate your care, always in accordance with applicable privacy laws and your consent.

Business Operations and Corporate Transactions

  • Affiliates: We may share information with DexaFit, Inc., DexaFit Health, LLC, and other subsidiaries and affiliates for internal operations, service delivery, and the purposes described in this Privacy Policy

  • Business Transactions: In case of merger, acquisition, restructuring, sale of assets, or bankruptcy, your information may be transferred as part of the transaction, subject to applicable laws and your rights

  • Legal Compliance: We may disclose information to comply with legal obligations, court orders, government requests, subpoenas, or to protect rights, safety, and security

Research, Analytics, and Commercial Partnerships

  • Research Partners: We may share de-identified data with academic institutions, clinical study collaborators, or research organizations for health and wellness advancement

  • Commercial Licensing: We may license de-identified data to third parties (such as medical device manufacturers, pharmaceutical companies, or research institutions) for research, analysis, technology development, or product creation that advances health and wellness knowledge

  • Analytics Partners: We may share aggregated, non-personal data with analytics and business intelligence partners

  • Dataset Partners: We may contribute de-identified data to larger health and wellness datasets or research consortiums

Marketing and Promotional Partners

With your explicit consent, we may share certain information with carefully selected marketing partners for relevant offers, services, or promotional opportunities that may interest you. We do not share health or wellness data for marketing purposes.

Legal and Emergency Situations

We may share information when we believe in good faith that disclosure is necessary to:

  • Protect the vital interests of users or the public

  • Prevent fraud or illegal activity

  • Address urgent safety concerns

  • Comply with valid legal process

  • Enforce our Terms of Service

5. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and improve our services.

Types of Technologies We Use

Essential Cookies: Required for Platform functionality, security, and authentication. These cannot be disabled without impacting core Platform features.

Performance Cookies: Help us analyze usage patterns, understand how users navigate the Platform, and improve Platform performance and speed.

Functional Cookies: Remember your preferences and settings (e.g., language preferences, location) for a personalized experience.

Marketing and Advertising Cookies: Enable targeted advertising, retargeting campaigns, and promotional content (only with your consent). These help us show you relevant offers and track the effectiveness of marketing campaigns.

Purposes of Cookies

  • Maintain session functionality and remember login status

  • Remember your preferences and customization settings

  • Analyze Platform usage and user behavior patterns

  • Provide relevant content and promotional offers

  • Ensure Platform security and prevent fraudulent activity

  • Optimize Platform performance and loading times

  • Measure effectiveness of marketing campaigns

Your Cookie Controls

Browser Settings: You can manage cookie preferences through your browser settings. Most browsers allow you to:

  • Block all cookies

  • Block third-party cookies only

  • Delete cookies after your browsing session

  • Receive notifications before cookies are set

Cookie Preference Center: When available, you can manage your cookie preferences through our cookie management tools on the Platform.

Note: Disabling certain cookies may impact Platform functionality and limit your ability to use certain features.

Do Not Track (DNT)

We do not currently respond to browser "Do Not Track" signals, as there is no industry standard for how DNT should be interpreted. We continue to review new technologies and may adopt a DNT standard if one is established in the future.

Third-Party Tracking

We may work with third-party analytics and advertising partners (e.g., Google Analytics, Facebook Pixel, LinkedIn Insight Tag) who use tracking technologies. These partners are subject to their own privacy policies. For more information:

6. Your Privacy Rights

You have several important rights regarding your personal information:

Access and Information Rights

  • Right to Know: Request information about what personal data we collect, use, and share

  • Access: Request a copy of your personal information in our possession

  • Categories of Data: Learn about the categories of personal information we collect and process

  • Data Sources: Understand the sources from which we collect your data

Control and Correction Rights

  • Correction: Request correction of inaccurate or outdated information

  • Update: Modify your account information and preferences through your account settings

  • Completion: Request that incomplete personal information be completed

Deletion and Portability Rights

  • Deletion: Request deletion of your personal information (subject to legal retention requirements and business needs)

  • Data Portability: Request transfer of your data in a structured, commonly used, machine-readable format

  • Account Closure: Delete your account and associated data

Important Notes on Deletion:

  • De-identified data used in research or product development cannot be re-identified and deleted once anonymized

  • We may retain certain transaction and legal compliance data as required by law

  • Deletion requests do not apply to data held by Third-Party Providers; you must contact them directly

Consent and Communication Rights

  • Withdraw Consent: Withdraw consent for data processing based on consent at any time

  • Opt-Out of Marketing: Unsubscribe from marketing communications via email links, account settings, or by emailing support@dexafit.com with "OPT OUT" in the subject line

  • Opt-Out of Targeted Advertising: Control personalized advertising through cookie settings or privacy settings

  • Communication Preferences: Manage how and when we contact you

Note: You cannot opt out of essential service-related communications (e.g., appointment confirmations, test results, security alerts, Terms of Service updates).

State-Specific Privacy Rights

Residents of certain U.S. states have additional rights under their respective privacy laws:

California (CCPA/CPRA):

  • Right to know what personal information we collect and how it's used and shared

  • Right to opt out of "sale" or "sharing" of personal information for targeted advertising

  • Right to limit use and disclosure of sensitive personal information

  • Right to non-discrimination for exercising privacy rights

  • Right to correct inaccurate information

  • Right to data portability

Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Virginia (VCDPA):

  • Right to confirm whether we process your personal data

  • Right to access your personal data

  • Right to correct inaccuracies in your personal data

  • Right to delete personal data

  • Right to obtain a copy of personal data in a portable format

  • Right to opt out of targeted advertising, sale of personal data, and certain profiling

Nevada:

  • Right to opt out of the sale of personal information

California Residents: You can exercise your "Do Not Sell My Personal Information" rights by visiting our Privacy Settings or contacting us at privacy@dexafit.com.

How to Exercise Your Rights

To exercise these rights, please contact us at:

Email: privacy@dexafit.com
Subject Line: "Privacy Rights Request"

Include:

  • Your full name and email address associated with your account

  • Specific details about your request

  • Verification information to confirm your identity

Response Timeframes:

  • We will respond to valid requests within the timeframes required by applicable laws (typically 30-45 days)

  • We may require additional verification for security purposes

  • We will notify you if we need to extend the response time

Authorized Agents:

  • You may designate an authorized agent to make requests on your behalf

  • We may require proof of authorization and verification of your identity

No Discrimination

We will not discriminate against you for exercising any of your privacy rights, including by:

  • Denying services

  • Charging different prices or rates

  • Providing different quality of services

  • Suggesting you will receive different prices, rates, or quality of services

7. Data Security

We implement industry-standard security measures to protect your personal information:

Technical Safeguards

  • Encryption: Data encrypted in transit using TLS/SSL protocols and at rest using AES-256 encryption

  • Secure Data Storage: Data stored on secure servers with access controls and authentication requirements

  • Regular Security Assessments: Penetration testing, vulnerability assessments, and security audits

  • Multi-Factor Authentication: Available for user accounts and required for administrative access

  • Secure APIs: API security protocols for data transmission with Third-Party Providers

  • Firewall Protection: Network security and intrusion detection systems

Administrative Safeguards

  • Employee Training: Regular privacy and security training for all employees

  • Confidentiality Agreements: All staff and vendors sign confidentiality agreements

  • Access Controls: Role-based access controls limiting data access to authorized personnel only

  • Privacy and Security Policy Reviews: Regular reviews and updates to policies and procedures

  • Incident Response Procedures: Documented procedures for responding to security incidents

  • Background Checks: Background checks for employees with access to sensitive data

Physical Safeguards

  • Secure Facilities: Physical security measures at data center locations

  • Controlled Access: Restricted access to servers and equipment

  • Environmental Protections: Climate control, fire suppression, and backup power systems

Important Limitations

No Absolute Security: While we implement robust security measures, no method of internet transmission or electronic storage is completely secure. We cannot guarantee absolute security of your information.

Your Responsibility: You are responsible for:

  • Using strong, unique passwords

  • Keeping your password confidential

  • Not sharing your account credentials

  • Reporting any suspicious activity immediately

  • Logging out of your account when finished

Report Security Issues: If you discover a security vulnerability or suspect unauthorized access to your account, immediately contact us at security@dexafit.com.

Breach Notification

In the event of a data breach affecting your personal information:

  • We will notify affected individuals as required by applicable laws

  • Notification will typically occur within 60 days of discovery

  • We will describe the nature of the breach, the data affected, and steps we're taking to address it

  • We will provide guidance on steps you can take to protect yourself

  • We will notify relevant regulatory authorities as required by law

8. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy and comply with legal obligations.

Retention Periods by Data Type

Account Information:

  • Active accounts: For the lifetime of your account

  • Closed accounts: 3-7 years after closure for backup, audit, and legal purposes

  • Login credentials: Immediately upon account deletion (securely hashed)

Health and Wellness Information:

  • Active users: Duration of service relationship plus 7-10 years

  • Stored in compliance with legal and professional standards for health-related data

  • As required by applicable regulations and professional retention standards

Communication Records:

  • Customer service interactions: 3-7 years

  • Marketing communications: Until you opt out or 3-5 years

  • Support tickets: 7 years for dispute resolution and legal compliance

Transaction Data:

  • 7 years to fulfill contractual obligations and comply with tax and accounting laws

  • Payment information: Not stored by us; retained by payment processors per their policies

Marketing Data:

  • Until you opt out or for reasonable business purposes (typically 3-5 years)

  • Analytics and aggregated marketing performance data: Retained indefinitely

De-Identified Information:

  • May be retained indefinitely for research, analytics, and business purposes

  • Cannot be re-identified once properly anonymized

Secure Deletion Process

When retention periods expire or when you request deletion:

  • Personal information is securely deleted or anonymized using industry-standard methods (e.g., cryptographic erasure, secure overwriting)

  • Data may remain in backup systems for a limited time (typically 30-90 days) before final deletion

  • De-identified or aggregated data may be retained for ongoing research and business purposes

  • Some information may be retained longer if required by legal obligations, pending legal proceedings, or to enforce our rights

Factors Affecting Retention

Retention periods may be extended when necessary for:

  • Legal, regulatory, or compliance requirements (e.g., tax laws, health record retention laws)

  • Pending litigation, investigations, audits, or disputes

  • Protection of rights, safety, or security

  • Fraud prevention and detection

  • Technical requirements for secure deletion

  • Active enforcement of Terms of Service violations

9. Children's Privacy

Our services are intended for users aged 18 and older. We do not knowingly collect personal information from children under 18 without verifiable parental consent.

If we discover that we have inadvertently collected information from a child under 18, we will delete it immediately. If you believe we have collected information from a child under 18, please contact us at privacy@dexafit.com.

Parents and Guardians: If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately so we can delete the information.

10. International Users and Data Transfers

DexaFit Entities are headquartered in the United States, and our Platform is hosted in the U.S. If you access our services from outside the United States:

  • Your data will be transferred to, processed, and stored in the U.S.

  • U.S. data protection laws may differ from those in your country

  • We maintain high standards for data protection regardless of location

  • By using our services, you consent to this transfer, processing, and storage

For European Union Users:

  • We comply with applicable data transfer mechanisms (e.g., Standard Contractual Clauses) when required

  • You have rights under the General Data Protection Regulation (GDPR) as described in Section 11

For Users in Other Jurisdictions:

  • We process data in accordance with this Privacy Policy and applicable U.S. laws

  • Your use of the Platform constitutes consent to data transfer to the United States

11. Regulatory Compliance

DexaFit Entities are committed to compliance with applicable privacy and healthcare regulations:

HIPAA Compliance

General Wellness Exception: Most of our services do not fall under the Health Insurance Portability and Accountability Act (HIPAA) because:

  • We are not a covered entity (healthcare provider, health plan, or healthcare clearinghouse)

  • We are not directly providing medical services

  • The Platform provides general wellness information and facilitates access to third-party services

Business Associate Relationships: When Third-Party Providers are HIPAA-covered entities:

  • The provider is responsible for HIPAA compliance

  • Providers may execute Business Associate Agreements (BAAs) with us if required

  • We maintain HIPAA-compliant infrastructure and practices when acting as a Business Associate

HIPAA-Compliant Practices: We maintain appropriate safeguards including:

  • Technical safeguards for Protected Health Information (PHI)

  • Administrative safeguards and workforce training

  • Physical safeguards for data centers

  • Breach notification procedures for PHI when applicable

Important Distinction: The health and wellness data collected through our Platform is not an Electronic Health Record (EHR) or Electronic Medical Record (EMR) for purposes of HIPAA compliance.

GDPR Compliance

For users in the European Union and European Economic Area, we comply with the General Data Protection Regulation (GDPR):

Lawful Bases for Processing:

  • Consent: For marketing communications and optional data uses

  • Contract Performance: To provide services you've requested

  • Legitimate Interests: For analytics, fraud prevention, and service improvement

  • Legal Obligations: To comply with applicable laws

GDPR Rights:

  • Right to access your personal data

  • Right to rectification of inaccurate data

  • Right to erasure ("right to be forgotten")

  • Right to restrict processing

  • Right to data portability

  • Right to object to processing

  • Right not to be subject to automated decision-making

Data Protection Measures:

  • Data protection by design and default

  • Privacy impact assessments for high-risk processing

  • Data breach notification within 72 hours where required

  • Appointment of Data Protection Officer when required

International Data Transfers:

  • We use Standard Contractual Clauses or other approved mechanisms for EU data transfers

U.S. State Privacy Laws

We comply with applicable state privacy laws, including:

California (CCPA/CPRA):

  • Consumer rights to know, delete, correct, and opt out

  • Right to limit use of sensitive personal information

  • Non-discrimination for exercising rights

  • Annual privacy metrics reporting (when applicable)

Colorado Privacy Act (CPA):

  • Consumer rights regarding personal data processing

  • Opt-out rights for targeted advertising and profiling

  • Data protection assessment requirements

Connecticut Data Privacy Act (CTDPA):

  • Data subject rights and consent requirements for sensitive data

  • Purpose limitation and data minimization principles

Utah Consumer Privacy Act (UCPA):

  • Consumer privacy rights and opt-out mechanisms

  • Sensitive data processing restrictions

Virginia Consumer Data Protection Act (VCDPA):

  • Consumer rights and data processing transparency

  • Purpose specification and data minimization

Nevada Privacy Law:

  • Right to opt out of the sale of personal information

Other Regulatory Considerations

FDA Guidelines:

  • Compliance with FDA regulations for general wellness products

  • Our Platform does not diagnose, treat, or prevent disease

FTC Guidelines:

  • Adherence to Federal Trade Commission guidelines for:

    • Data security and consumer protection

    • Truth in advertising

    • Clear and conspicuous disclosures

State Health Information Laws:

  • Compliance with applicable state health information privacy laws

  • State-specific breach notification requirements

Professional Standards:

  • Adherence to relevant professional and industry standards for wellness data

  • Alignment with best practices for health data stewardship

12. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs.

Notification of Changes:

  • The "Last Updated" date at the top indicates when this policy was last revised

  • Material changes will be communicated through:

    • Email notification to your registered email address

    • Prominent notice on the Platform

    • Pop-up notification upon login (for significant changes)

  • We will provide at least 30 days' notice for material changes

Your Acceptance:

  • Continued use of the Platform after updates constitutes acceptance of the revised Privacy Policy

  • If you do not agree with changes, you may close your account as described in Section 6

Version History:

  • We maintain previous versions of this Privacy Policy for your reference

  • View past versions: Privacy Policy Archive

  • Contact us to request specific previous versions

We encourage you to review this policy regularly to stay informed about how we protect your personal information.

13. Summary of Key Privacy Commitments

  • We do not sell your personal information to third parties

  • Health data is kept confidential and used only for the purposes described in this policy

  • You have control over your data with rights to access, correct, and delete

  • We use industry-standard security to protect your information

  • De-identified data may be used for research and product development without identifying you

  • Third-Party Providers have their own privacy policies; we recommend reviewing them

  • You can opt out of marketing communications at any time

  • We comply with applicable laws including CCPA, VCDPA, HIPAA (when applicable), and other regulations

14. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:

Privacy Department
DexaFit Health, LLC
(a subsidiary of DexaFit, Inc.)
3601 Minnesota Drive, Suite 515
Edina, MN 55435

Email: privacy@dexafit.com
General Support: support@dexastrong.com
Billing: billing@dexafit.com
Website: https://www.dexastrong.com

Response Time: We will respond to privacy inquiries within 30 days of receipt.

By using the DexaStrong Platform, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.

For more information about our services and terms, please review our Terms of Service.