Privacy Policy

MOVEO HEALTH DATA PRIVACY POLICY
Effective Date: March 1, 2025

1. Introduction
This Data Privacy Policy (“Policy”) explains how Moveo Health, PLLC (“Moveo Health,” “we,” or “us”) – a healthcare company based in Tucson, Arizona (United States) – collects, uses, transfers, and protects personal data of individuals enrolled in our executive health programs. We are a U.S.-based provider that operates globally, and we handle all personal information in compliance with applicable laws in every jurisdiction where we operate. Moveo Health adheres to the highest international standards for data privacy and security, including strict compliance with U.S. regulations (such as HIPAA) and international frameworks like the EU’s GDPR, Canada’s PIPEDA, Brazil’s LGPD, China’s PIPL, and other relevant data protection laws​

​We ensure that any transfers of personal data from other countries to the U.S. are performed lawfully and with robust safeguards in place. Our commitment is not only to meet legal requirements but to exceed them, fostering trust through rigorous privacy practices, secure technologies, and transparent operations. It applies to all personal information we process in the context of Moveo Health’s programs, across all regions (United States, European Union, Canada, Latin America, Asia-Pacific, etc.), and it will withstand scrutiny by global partners and regulatory authorities.

2. About Moveo Health, PLLC
Moveo Health, PLLC is a professional healthcare services company founded in 2021 and based in Tucson, Arizona. We specialize in comprehensive executive health programs that prioritize proactive, optimized health and preventive care. Our services include in-depth annual medical examinations, precision diagnostics (such as advanced metabolic and cardiovascular testing, genetic analysis, and biometric screenings), and personalized health consultations. We cater to high-performing professionals and individuals seeking cutting-edge health solutions, delivered through both in-person clinics and secure telehealth platforms. In all aspects of our operations, we maintain the highest levels of confidentiality, security, and trust. Moveo Health is fully compliant with global privacy and medical data regulations, including the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the EU General Data Protection Regulation (GDPR), among others​.

Our compliance program allow for strict data security measures (encryption, access controls, etc.) and privacy-by-design principles to ensure that every individual’s personal health data is handled with the utmost care and integrity. As a U.S.-based company serving an international clientele, we ensure that cross-border data handling is lawful and protected, using approved legal mechanisms for international transfers and adhering to all regional requirements. We are dedicated to not just following the rules but exceeding them, reflecting our mission to deliver world-class, innovative healthcare with uncompromising respect for privacy.

3. Data Collection and Use
Scope of Data Collection: We collect personal data only as necessary to deliver our executive health program services and improve your healthcare experience. This Policy covers all personal information that we obtain from program participants (“you” or “participants”), whether you interact with us online, via telehealth, or in person. Our data collection is proportionate and relevant to the purposes described below, and we do not collect any data that is not required for those purposes. This program is intended for adults; we do not knowingly collect personal information from individuals under the age of 16, and any such data will be deleted if discovered.

Sources of Personal Data: Personal data is collected directly from you and from devices or services used in the program. For example, we collect data directly when you enroll in the program, fill out health questionnaires, sign consent forms, or undergo in-person evaluations. We also receive data from medical diagnostics and devices that you use as part of the program – such as laboratory test results, genetic test reports, imaging studies, and readings from wearable health monitors. These third-party diagnostic services and devices report data back to Moveo Health under our direction. In some cases, with your authorization, we may obtain relevant health information from your other healthcare providers to have a comprehensive view of your health. All such collection is done with your knowledge and (where required) explicit consent, and in compliance with applicable laws on health data and biometric data protections. We recognize that many data points we collect (e.g. genetic information, biometrics like heart rate or glucose levels) are highly sensitive personal data. Therefore, we apply special safeguards to these data elements – for instance, by obtaining explicit consent for their collection and use and by handling them with enhanced security measures, since laws in many jurisdictions (e.g. GDPR and China’s PIPL) classify biometric and genetic data as sensitive personal information requiring extra protection​.

Types of Data Collected: The categories of personal data we collect may include: identification and contact information (e.g. name, date of birth, contact details), basic personal and lifestyle information (e.g. occupation, health history, exercise habits), medical information and test results (laboratory analyses, genetic test outcomes, imaging results, vital signs, and other clinical measurements), biometric data (such as blood biomarkers, genomic data, or other physiological indicators), and health device data (e.g. continuous glucose monitor readings, sleep tracker data). We limit our collection to what is needed for the purposes of the program and as permitted by law. We do not collect certain sensitive personal information unrelated to the program (such as social security numbers, financial account passwords, or information about race, religion, or political opinions) unless required for compliance and with appropriate safeguards; and we do not collect any data from your use of our services for marketing profiling or unrelated purposes.

Purpose of Data Use: Moveo Health uses the personal data we collect strictly for defined purposes in support of your health program. The primary purposes for which we process your data include:

  • Providing Health Insights and Services: We analyze your test results, biometric data, and health information to generate personalized health insights, recommendations, and reports. This enables us to deliver tailored medical advice, preventive strategies, and wellness plans. All recommendations provided are for your informational benefit and to guide preventive healthcare; they do not constitute a formal medical diagnosis or treatment without further consultation.
  • Program Administration: We use your information to coordinate and administer the program logistics. This includes scheduling medical appointments and diagnostic tests, sending you reminders or notifications about appointments and results, facilitating referrals or follow-ups, and managing billing or insurance matters if applicable. We may also use contact information to communicate program updates or changes.
  • Participant Support and Feedback: Your data helps us support you throughout the program. For instance, we may review your information when answering your questions, clarifying your test results, or providing health coaching. We might also contact you to gather feedback or satisfaction surveys to improve our services. All such communications will be conducted in a privacy-conscious manner.
  • Compliance and Legal Obligations: We process and retain certain data to fulfill our legal and regulatory requirements. For example, as a healthcare provider, we must maintain accurate medical records, comply with reporting obligations under public health laws, and adhere to professional standards. We may use your information to satisfy obligations under laws such as HIPAA (for safeguarding and auditing protected health information) or to report anonymized health statistics as required by regulators. If a law or regulation compels us to use or disclose your data (for instance, a court order or mandatory public health reporting), we will only do so in strict accordance with the applicable legal requirements.
  • Internal Operations and Data Quality: We may use personal data for our internal operational purposes, such as system maintenance, quality control, training of staff (under confidentiality), and to ensure the reliability and accuracy of our data processing. This can include activities like data validation, backup maintenance, cybersecurity monitoring, and improving our data collection methods. When using data for internal analytics or service improvement, we will, wherever feasible, use aggregated or de-identified data that does not identify you personally. Any reporting of overall program outcomes or health trends will be in anonymized form.

We will not use your personal data for any purposes that are incompatible with those described above without first obtaining your consent. In particular, we do not sell, rent, or exchange your personal information to third parties for their marketing or commercial uses. We also do not use your health data for automated decision-making that could negatively affect you without human involvement (see Section 9 on AI governance). If we ever need to process your data for a new purpose not covered by this Policy, we will notify you and obtain any required consent or legal authorization.

4. Legal Basis for Processing
Moveo Health processes personal data only when we have a valid legal basis to do so. Given our global operations, we ensure that each processing activity has a justification under the relevant data protection laws (such as Article 6 of the GDPR, which enumerates lawful bases for processing​ dataprotection.ie). Depending on the context, one or more of the following legal grounds apply to our processing of your personal information:

  • Consent: We rely on your explicit consent to collect and use your personal data, especially for sensitive health and biometric information. By enrolling in our program, you will review and sign a detailed consent form authorizing Moveo Health to process your data for the purposes outlined in this Policy. In jurisdictions like the EU, your consent provides a lawful basis for processing special categories of data (e.g. health or genetic data) in compliance with GDPR Article 9. You have the right to withdraw consent at any time (see Section 9), and we will cease processing your data going forward if you do so.
  • Performance of a Contract: When you join our executive health program, a service agreement (contract) is formed between you (or your sponsoring employer) and Moveo Health. We must process certain personal data to fulfill our obligations under that contract – for example, to provide medical exams, deliver test results, and offer personalized health guidance as promised. This contractual necessity is a legal basis for processing your data to the extent such processing is required to deliver the services you have signed up for.
  • Legal Obligations: We process personal data as needed to comply with our legal and regulatory obligations. For instance, healthcare regulations and professional standards mandate that we maintain medical records for a certain period, ensure data accuracy, and report certain information to authorities when required (such as communicable disease reporting or satisfying subpoenas/court orders). In these cases, the law itself constitutes the basis for processing, and we will only process the minimum data necessary to meet our obligations. We also abide by international data protection laws, which may require specific measures (e.g. conducting a Data Protection Impact Assessment or honoring data subject rights), and such compliance may involve processing your data as legally required.
  • Legitimate Interests: We may process personal data to pursue the legitimate interests of our organization in maintaining and improving our services, provided such interests are not overridden by your fundamental rights and freedoms. For example, it is in our legitimate interest to secure our IT systems and prevent unauthorized access to data, to ensure the quality and safety of our medical services, and to develop new health program features or research insights. When we rely on legitimate interests, we will only do so after careful assessment and, where required, after implementing additional safeguards or pseudonymization. You have the right to object to processing based on legitimate interests in certain cases (see Section 9), and we will honor such objections as required by law.

These bases enable us to lawfully handle your data. In many situations, multiple bases may apply (for example, we ask for consent but also have contractual and legal duties). We do not rely on “public task” or “vital interests” as routine bases, except in the rare event of a medical emergency where vital interests (imminent risk of serious harm) could justify certain data use or disclosure without consent. Regardless of the basis, we are committed to transparency and will provide information about our processing activities as required. If you have questions about the legal basis for any specific processing, you may contact us (see Section 10).

5. Data Sharing and Third-Party Partners
We value your privacy and do not sell, trade, or disclose your personal data to unrelated third parties for commercial purposes. However, in order to deliver our health program services and fulfill the purposes described above, we share personal data with certain trusted third-party service providers and partners who operate under our instructions. All such third parties are bound by strict confidentiality obligations and data protection agreements, ensuring that they only use your data for the purposes we specify and in compliance with this Policy and applicable laws. The main categories of third parties with whom we may share your personal data include:

  • Diagnostic Laboratories: We partner with accredited medical laboratories to perform tests on samples (blood, saliva, etc.) collected during the program. For example, we may share necessary identifying information and sample data with labs such as Quest Diagnostics or Cleveland HeartLab for advanced blood testing, 3X4 Genetics for lifestyle genetic analysis, or other specialized labs for processing your samples. These laboratories return test results to Moveo Health for our analysis. All lab partners are subject to healthcare privacy laws (e.g. they are HIPAA-covered entities or GDPR-compliant processors) and have contracts with us that ensure your data is protected.
  • Medical Imaging Providers: If your program includes imaging studies (such as carotid artery ultrasound for cardiovascular assessment or abdominal ultrasound for liver health), we will coordinate with licensed imaging centers or radiology providers. We share the minimum necessary information (like your name, demographics, and the required imaging order) so that these providers can perform the scans. After the imaging is done, the results and images are shared back with Moveo Health. These imaging partners are bound by confidentiality and legal requirements to safeguard your data just as we do.
  • Sleep and Wearable Device Services: For certain health metrics, we utilize specialized devices or studies. For example, if you undergo a sleep assessment, we may use a device/service like Itamar Medical’s WatchPAT to monitor sleep patterns. Similarly, for continuous glucose monitoring, we might deploy a Dexcom device that tracks glucose levels. Data from these devices are collected and processed on the device manufacturers’ secure platforms and then made available to Moveo Health. We ensure that any such device partner is under contractual obligation to protect your data and comply with privacy standards. Any raw data collected by these devices is used solely for your health analysis and is not used by the device provider for other purposes except as allowed by law and our agreement.
  • Genetic Testing Services: If you opt to include genomic or genetic testing as part of your health program, we will facilitate that through a reputable genetic testing service (such as 3X4 Genetics or another lab). This involves sending your DNA sample (e.g. saliva) to the genetic lab, along with a pseudonymous identifier or minimal personal details needed for the lab’s analysis. The genetic testing service will analyze your sample and send the results to Moveo Health (often through a secure online portal). We treat genetic data with heightened sensitivity, and our agreements with these services mandate compliance with applicable genetic privacy laws and that results are used only for your benefit.
  • On-Site Medical Professionals: In some cases, your employer or organization may host on-site health evaluation events as part of the Moveo program. When health assessments are conducted at third-party locations (for instance, at your workplace or a local clinic abroad), qualified healthcare professionals (doctors, nurses, phlebotomists, etc.) might collect data on our behalf. These professionals are typically engaged through partner clinics or services in that locale. Any local practitioner involved is required to uphold confidentiality (often through a Business Associate Agreement or equivalent) and will share the collected data exclusively with Moveo Health’s core medical team. They will not independently retain or use your data beyond providing it to us, except as required for their compliance (such as their own record-keeping obligations under local law).

Aside from the categories above, Moveo Health will not disclose your personal data to any other third party unless: (i) it is required by law or a valid legal process (for example, a court order, regulatory requirement, or subpoena – in which case we will only disclose what is legally mandated and, when possible, will inform you of such disclosure); (ii) we have obtained your explicit consent to do so (for instance, if you request us to share your results with your personal physician or family member, we will do so with your written authorization); or (iii) there is a medical emergency posing an immediate threat to your life or health, and sharing information is necessary to ensure you receive proper care (in such rare cases, we may share relevant information with emergency medical personnel or facilities, consistent with “vital interest” exceptions in privacy laws). We do not use or share personal data for any form of advertising. We also do not allow any third-party tracking on our patient portals or communications that would collect your data for others’ independent use.

All third-party partners that process personal data on our behalf are carefully vetted for their security and privacy practices. We enter into formal agreements with each of them to ensure they provide at least the same level of data protection that we do. These agreements include, where applicable, Standard Contractual Clauses or similar international data transfer safeguards if the partner will access data from outside the country of origin, thereby maintaining legal compliance for cross-border data flows (see Section 6 on International Transfers)​.

Each partner must comply with the privacy laws relevant to the data we share with them (for example, laboratories and medical providers are often independently bound by laws like HIPAA, GDPR, or equivalent). We require that third parties: use the data only for specified purposes, keep it confidential, implement robust security controls, and return or delete the data once the service is completed or upon our instruction. Moveo Health remains accountable for the protection of your data throughout these engagements. If you have questions about whether a particular service provider has been used with your data, you may contact us for more information.

Finally, Moveo Health complies with the data privacy and security requirements of every country in which we operate or from which we receive data. This includes adherence to nation-specific laws such as Germany’s Bundesdatenschutzgesetz (BDSG), the UK Data Protection Act (and UK GDPR), South Africa’s POPIA, Japan’s APPI, Australia’s Privacy Act/APPs, and others alongside the broader regulations like GDPR, PIPEDA, LGPD, and PIPL​.

We ensure that any data shared with partners in these or other jurisdictions meets the stringent requirements of local law. In summary, when we share your data with others to serve you, we do so carefully and lawfully, and we remain committed to its protection every step of the way.

6. International Data Transfers
Moveo Health uses Standard Contractual Clauses (SCCs) and encryption safeguards for international data transfers. However, participants should be aware that data stored in the United States may be subject to U.S. surveillance laws, such as the CLOUD Act, which may differ from EU/EEA protections. We take all reasonable steps to mitigate such risks through contractual safeguards and encryption practices.

 We are committed to handling international data transfers in a legal, transparent, and secure manner. Any transfer of personal data from its country of origin to another country (including to the U.S.) will be conducted in compliance with all applicable data transfer restrictions and using approved safeguards. In practical terms, this means the following:

  • Legal Mechanisms for Data Transfer: When we transfer personal data from jurisdictions with data export regulations (such as the EU/EEA, UK, or China) to the United States or any other country, we ensure that appropriate legal mechanisms are in place to lawfully authorize that transfer. For example, for data originating from the EU/EEA or the UK, we rely on the European Commission’s and UK’s approved contractual safeguards in our agreements. These are equivalent to the Standard Contractual Clauses (SCCs) under GDPR – standardized data protection clauses that contractually bind the recipient of the data (Moveo Health in the U.S. and any sub processors) to protect the data to EU privacy standards​.

By incorporating these clauses into our contracts with international partners or within our organization, we ensure that personal data transferred out of the EU continues to benefit from a high level of protection abroad​.

For Canada, we comply with PIPEDA’s requirements for transferring data outside of Canada, which include obtaining consent or using comparable safeguards as needed. For Brazil, we adhere to LGPD’s provisions by implementing necessary contractual clauses and, if required, supplementary measures for international transfers. In cases of data from China, we follow the Personal Information Protection Law (PIPL) requirements, which may include conducting a security assessment, signing a government-approved standard contract for export of personal information, or obtaining separate consent for the cross-border transfer, depending on the volume and sensitivity of data. Similarly, for transfers from other regions (e.g. Australia, Japan, South Africa), we ensure compliance with any local transfer conditions (such as requiring that the recipient has adequate data protection or that the individual has been informed and consented). In summary, we will not transfer your personal data internationally unless we have ensured there is a lawful basis and adequate protection in place for that transfer.

  • Explicit Participant Consent: In addition to legal transfer mechanisms, Moveo Health’s policy is to obtain your explicit consent for transferring your personal data across national borders when required by law or when the transfer is outside the scope of the original consent. For example, if you are an EU-based participant, we will explicitly inform you that your personal data will be transferred to our secure systems in the United States for processing, and we will obtain your written consent for this transfer as part of the program enrollment (this goes above and beyond relying on SCCs alone). Likewise, if we ever need to send your data to a third country not recognized as having adequate data protection laws, we will seek your consent unless another legal exception applies. We believe in transparency about where your data is going; thus, you will be informed of any cross-border data transfer involving your personal information and, where applicable, given the choice to consent or object. Please note that if you choose not to consent to an international transfer that is essential to the program (for instance, declining to allow us to send your sample to an overseas lab), it may affect our ability to provide certain services, but we will discuss alternatives with you or your sponsor in that event.
  • Additional Safeguards for International Data: Regardless of the legal basis or consent, Moveo Health applies additional technical and organizational measures to protect data that is transferred internationally. These supplementary safeguards include strong encryption of data in transit (so that when data travels over networks across borders, it remains unreadable to any unauthorized parties), encryption of data at rest in the destination country, access controls to ensure only authorized personnel in the destination have access on a need-to-know basis, and continuous monitoring of data flows. We also perform periodic audits and assessments of our international transfer processes to ensure that the level of protection is effectively equivalent to that required by stringent laws like the GDPR. If we become aware of any issue (legal or practical) that could impact the protection of transferred data, we will take prompt remedial action – this could include suspending transfers, enhancing safeguards, or as a last resort, halting the processing if adequate protection cannot be ensured.
  • Regional Privacy Compliance: Moveo Health’s global operations mean we must comply with a patchwork of national privacy laws in addition to the well-known international standards. We are committed to meeting those local requirements. For instance, in jurisdictions that require data localization or special permits (such as certain sectors under China’s PIPL or Russia’s data laws), we will store data locally or obtain the necessary governmental clearances when applicable for our activities. In the EU/EEA, we have appointed a Data Protection Officer and, if needed, an EU representative in accordance with GDPR to liaise with regulators and participants. In Brazil, we adhere to LGPD’s rules and have a named person to address LGPD inquiries. We also respect frameworks like the APEC Cross-Border Privacy Rules system for transfers in and out of certain Asia-Pacific countries, if applicable. Whenever we engage in cross-border telemedicine services (providing health consultations to a participant in one country from a doctor in another), we ensure that both healthcare regulations (e.g. professional licensing requirements) and data privacy regulations in each affected country are complied with. This may involve, for example, storing a copy of certain records in the participant’s home country if required, or using only approved telehealth platforms that meet encryption and privacy standards.

In summary, international data transfers are handled with great care and legality. We ensure that anyone accessing personal data outside of the country of origin is contractually and legally bound to protect it to the standards of this Policy. If you have questions about the mechanisms in place for a specific transfer of your data, we will provide further information upon request. Your privacy rights travel with your data – no matter where in the world your data is processed, Moveo Health will safeguard it and uphold your rights as described in this Policy. Should global privacy laws change (for example, the adoption of new EU-U.S. agreements or updated SCCs), we will adapt our practices promptly to remain in compliance and maintain the seamless protection of your information.

7. Data Retention and Disposal
Moveo Health retains identifiable personal health data for a minimum of seven (7) years from the date of last interaction, rather than the date of data collection. This ensures that past records remain available for longitudinal health tracking and baseline comparisons. Some data, such as genetic reports or diagnostic images, may be retained longer if beneficial for future analysis. Moveo Health complies with jurisdictional retention laws, ensuring adherence to any stricter retention mandates (e.g., 10-year storage in some regions).

Moveo Health retains personal data only for as long as necessary to fulfill the purposes for which it was collected and to satisfy applicable legal, accounting, or reporting requirements. Retention periods are based on the strictest requirement among applicable jurisdictions and industry best practices for medical recordkeeping. We do not hold personal data indefinitely unless a compelling reason exists and ensure secure disposal once retention periods are met or upon valid requests for deletion.

Retention Period Based on Last Interaction
By default, Moveo Health retains identifiable personal health data for a minimum of seven (7) years from the date of last interaction with the participant, not the original collection date. This retention period aligns with healthcare industry standards and global regulations, including HIPAA (U.S.), GDPR (EU), and other international data protection laws. Retaining data for at least seven years allows for continuity of care, ensuring participants and healthcare providers can reference prior health history, compare test results, and track long-term trends.

Extended Retention for Certain Data
In some cases, health data may be retained beyond seven years when necessary for medical, legal, or research purposes:

  • Longitudinal Comparisons: Diagnostic images, laboratory results, and genetic data may be retained indefinitely for continuity of care and comparison to baseline health markers, provided retention is legally permissible.
  • Legal Compliance: If a jurisdiction mandates a longer retention period (e.g., 10 years), Moveo Health will comply with the stricter standard.
  • Ongoing Legal Proceedings or Investigations: If data is relevant to an active legal matter, it will be preserved until no longer necessary.

Data Deletion and Anonymization

  • Participant-Initiated Deletion Requests: Participants may request deletion of their personal data at any time. Unless legally required to retain it, Moveo Health will erase or anonymize the data within the legally mandated timeframe.
  • Secure Disposal: Data that has exceeded its retention period will be securely disposed of using industry best practices, including cryptographic erasure for digital records and certified document destruction for physical records.
  • Anonymized and Aggregated Data: Moveo Health may retain anonymized or aggregated data beyond the retention period for statistical research and service improvement. Anonymization ensures that the data can no longer be linked to an individual.

These practices align with global privacy principles, emphasizing data minimization and controlled storage limitations. If you have concerns about retention policies or wish to request deletion, contact Moveo Health as outlined in Section 10 (Contact Information).

8. Data Security and Risk Management
Protecting the confidentiality, integrity, and availability of your personal data is a top priority for Moveo Health. We employ a comprehensive information security program that incorporates administrative, technical, and physical safeguards to secure personal data against unauthorized access, use, alteration, and destruction. We also actively manage privacy and security risks through continuous assessment and improvement of our controls. Our security measures are designed to meet or exceed the requirements of laws like HIPAA (which sets standards for protecting health information) and GDPR (which mandates “appropriate” security) in all relevant aspects. Below is an outline of key security and risk management measures we have in place:

Security MeasureDescription and Implementation
EncryptionWe use strong encryption protocols (such as TLS 1.2/1.3) for data in transit over networks (e.g., when you upload data to our portal or we send data to labs) to prevent eavesdropping. Data stored on our servers, databases, and portable devices is encrypted (using AES-256 or equivalent industry-standard encryption) so that it remains protected even if the storage media were accessed without authorization. Encryption keys are securely managed and stored separately from the data. By rendering data unreadable to unauthorized parties, encryption provides a fundamental layer of defense for all sensitive information.
Access ControlsWe enforce strict access controls on all systems handling personal data. This means that only authorized Moveo Health personnel and contractors who need to access your information to perform their duties can do so. We implement role-based access, ensuring individuals can only see the minimum data necessary for their role. For example, medical staff can view health data, but billing staff might only see contact and payment-related information. All user accounts are protected by strong authentication (password policies and, where possible, multi-factor authentication). Access privileges are reviewed regularly and revoked promptly when no longer needed. We also maintain detailed logs of who accesses patient data and when, enabling audits and detection of any inappropriate access.
Network & System SecurityOur IT infrastructure is secured against external threats and vulnerabilities. We employ firewalls, intrusion detection and prevention systems, and anti-malware solutions to protect our networks and servers. Security patches and updates are applied routinely to all software and systems to address vulnerabilities in a timely manner. We segregate networks so that sensitive data flows are isolated. Regular vulnerability assessments and penetration tests are conducted (often by independent experts) to evaluate our systems’ defenses. Any identified weaknesses are remediated promptly as part of our risk management process.
Monitoring and AuditingMoveo Health engages in continuous monitoring of systems and activities to detect and respond to unusual events. We have automated systems that monitor for suspicious logins, large data transfers, or other indicators of a potential security incident. Additionally, we perform periodic audits of data access logs and data handling practices to ensure compliance with our policies. Our Data Protection Officer and security team conduct risk assessments and privacy impact assessments for new projects or significant changes in data processing (in line with GDPR’s accountability requirements). These assessments help us identify and mitigate risks before they can lead to problems.
Employee Training & PoliciesAll staff and contractors at Moveo Health who handle personal data are trained on our data privacy and security policies. We provide regular training on topics like patient confidentiality, phishing awareness, proper data disposal, and incident reporting. Employees must agree to confidentiality obligations and follow our internal procedures designed to protect data. We maintain and enforce policies on portable device use, remote access, and telehealth communications to ensure secure handling of data in all contexts (especially with the increase in telemedicine). Misconduct or violations of data protection policies can result in disciplinary action. By fostering a culture of privacy and security, we reduce human error and insider risks.
Vendor and Partner SecurityWe extend our security requirements to any third-party vendors or partners who process data on our behalf. As noted in Section 5, we use contracts to ensure they implement adequate safeguards. We also review their security practices (asking for certifications like ISO 27001 or SOC 2 reports where available or conducting assessments) to verify they meet our standards. We limit the data shared with partners to only what is necessary and ensure it is transferred securely (e.g. via encrypted channels). Ongoing oversight of third parties is part of our risk management (including requiring breach notifications from them and rights to audit if needed).
Incident Response and Breach NotificationDespite preventative measures, we prepare for the possibility of security incidents. Moveo Health has a documented Incident Response Plan that outlines steps to take in the event of a data breach or security incident. This includes procedures for containment, investigation, notifying affected individuals and authorities, and preventing recurrence. If a data breach occurs that affects your personal data, we will notify you and any required regulatory bodies in accordance with applicable breach notification laws. Under GDPR, for example, we will report qualifying breaches to data protection authorities within 72 hours of becoming aware of them​. Under U.S. law (HIPAA), we will notify affected individuals without unreasonable delay and no later than 60 days from discovery of a breach​. We will also take immediate action to mitigate any harm. Our incident response team includes privacy and security officers who will keep you informed of the nature of the incident, the data involved, and recommendations to protect yourself (if relevant). We treat even minor incidents seriously as an opportunity to strengthen our defenses.

Moveo Health’s security program is continually reviewed and updated to address emerging threats and incorporate best practices. We also consider emerging privacy-enhancing technologies (like advanced encryption methods, pseudonymization techniques, and secure cloud architectures) to further improve our protection of personal data. By employing these rigorous security controls and maintaining a proactive risk management process, we aim to ensure that your personal information remains safe with us. However, if you have reason to believe that your data has been compromised or have any security-related concerns, please notify us immediately using the contact information in Section 10. We appreciate your cooperation (such as keeping your portal credentials confidential) in maintaining security as well.

9. Participant Rights and Consent
We respect your rights regarding your personal data. As a participant in our health program, you retain full control over your information, and we are committed to facilitating the exercise of your rights in accordance with applicable data protection laws (such as GDPR, which provides extensive data subject rights, and similar rights under HIPAA, CCPA, PIPEDA, LGPD, etc.). We also operate on the basis of informed consent – meaning we will explain our data practices to you clearly and obtain your agreement – and you have choices in what data you provide and how it is used. There will be no retaliation, denial of services, or any negative impact on your program participation for exercising any of your privacy rights. The key rights and choices you have include:

  • Right to Refuse or Opt-Out of Specific Tests: Your involvement in each component of the executive health program is entirely voluntary. You have the right to decline any particular assessment or test that we propose. For example, if you do not wish to undergo a genetic test, a sleep study, or any other specific procedure in the program, you may refuse that test and still continue with the rest of the program. We will respect your decision without penalty. We will document your preference so that we do not inadvertently offer or ask you to undergo that test again. This ensures that you can tailor the program to your comfort level. (Do note that skipping certain tests may limit some aspects of the personalized insights we can provide, but we will work with what data is available to still give you the best guidance possible.)
  • Right to Withdraw from the Program at Any Time: Participation in Moveo Health’s program is voluntary and you are free to withdraw consent and discontinue participation at any point. You do not need to provide a reason for withdrawing (though we would appreciate feedback). If you choose to withdraw, we will promptly stop collecting any new data from you and cease any ongoing analyses. Any scheduled tests or appointments will be canceled (or not initiated). Withdrawing will not affect your ability to access the results or reports that were already generated during your participation – we will provide you with any pending results and can even summarize your progress if helpful. Also, withdrawing from the health program will not affect your relationship with the entity that sponsored your participation (for example, your employer). We will make sure there are no repercussions in terms of employment or eligibility for other benefits – withdrawal is your personal choice. After withdrawal, as described in Section 7, we will retain previously collected data only for the time needed for legal/administrative purposes, or delete it if you request immediate deletion.
  • Right of Access to Your Data: You have the right to know whether we are processing personal data about you, and to access that data. This is sometimes called a Subject Access Request or Data Access Request. Upon your request, we will provide you with a copy of the personal information we hold about you, in a common electronic format or hard copy. This includes all the data you provided to us and data generated through the program (test results, doctor’s notes, etc.), to the extent required by law. For example, you can request copies of your lab reports, genetic test results, imaging studies, or any notes and recommendations we have recorded. We will also include supplemental information such as the purposes of processing, the types of data, and the third parties to whom data was disclosed (as required under GDPR). We aim to fulfill access requests in a timely manner – typically within one month under GDPR, and for HIPAA, within 30 days (with a possible brief extension if necessary)​.

We will inform you if, for some reason, there will be a delay. Access to your own data is generally provided free of charge, though if you request additional copies or the request is manifestly unfounded or excessive, we may charge a reasonable fee or, in rare cases, legally refuse the request (but we would provide an explanation in that case).

  • Right to Rectification (Correction): It is important that the personal data we have is accurate and up to date. If you discover any error or inaccuracy in your personal information, you have the right to request that we correct it. For instance, if your contact information was recorded incorrectly, or if you notice an error in a report (say, a misspelled name, wrong date of birth, or a transcription mistake in a medical note), you can ask us to rectify it. In the case of subjective data like test results, if you believe a result is incorrect, we would verify it (potentially with the lab) and correct any confirmed error or at least note your dispute. We may sometimes need to keep a record of the original data (especially in healthcare, original records are often preserved with an addendum for legal integrity), but we will ensure that any subsequently viewed records clearly reflect the corrected information or include your noted correction. We will respond to correction requests as quickly as possible, typically within a month. If for some reason we cannot act on the request (e.g., if we believe the data is actually correct as is), we will explain why and inform you of further options.
  • Right to Deletion (Erasure): You have the right to request that we delete your personal data. As noted in Section 7 on retention, our standard practice is to retain data for up to 7 years from our last interaction, but we will erase your data sooner if you ask, provided there is no overriding legal requirement for us to keep it. When you submit a deletion request, we will evaluate whether any exception applies (for example, certain health records might need to be retained for patient safety or legal defense). If no exception prevents deletion, we will securely delete your personal data from our systems and instruct our service providers to do the same. We will confirm to you once this is completed. Deletion is permanent – we will not be able to recover your data later. If we are required to retain certain information (say, for a legal obligation), we will inform you of that and, if allowed, isolate that data from active use. Keep in mind that after deletion, you may no longer have access to program-related information, so be sure to save any reports you might want before requesting full erasure.
  • Right to Restrict Processing: You have the right to request that we limit or pause the processing of your data in certain circumstances. This is distinct from deletion – the data isn’t removed, but we hold off using it. You might exercise this right if you have some uncertainty or dispute regarding your data. For example, if you contest the accuracy of a particular data point, you can ask us to restrict processing of that specific data until we verify its accuracy. During the restriction period, we will mark the data in our systems to ensure it is not used for any purpose except storing it and, if necessary, using it only in ways that are exempt under law (like to protect the rights of another person or for important legal reasons). Another scenario: if you need your data preserved for a legal claim but you don’t want us actively processing it otherwise, we can restrict it upon request. We will notify you when the restriction is lifted (e.g. after we have corrected any inaccuracies or resolved the dispute).
  • Right to Object to Processing: In certain situations, you have the right to object to our processing of your personal data. This primarily applies to processing based on legitimate interests or public interest/exercise of official authority (neither of which heavily apply in our context, as we rely mostly on consent/contract). If we were, for example, processing some of your data under a legitimate interest basis (such as improving our services), you can object to that use and we would then be obligated to stop processing unless we have compelling legitimate grounds that override your interests or it’s needed for legal claims. As another example, if we ever were to use your data for any direct marketing (which we do not, per this Policy), you could object and we would immediately stop such use. While objections in a healthcare service context are rare, we will treat any objection seriously and honor it if required by law. If you object to processing that is necessary for the service (like objecting to processing of any health data at all while still in the program), we may have to discuss terminating or altering the service, as we might not be able to provide it without processing data. In any case, we will never continue processing after an objection unless legally permitted and after we’ve communicated with you about it.
  • Data Portability
    Participants may request their health data in structured, interoperable formats such as CSV, XML, or JSON. Where applicable, Moveo Health will ensure compatibility with FHIR (Fast Healthcare Interoperability Resources) standards to facilitate seamless data transfer between healthcare providers.
  • Right Not to Be Subject to Automated Decision-Making: Moveo Health does not make any significant decisions about you using purely automated processes, without human review. As noted in Section 9 below on AI, all critical analyses and health recommendations involve qualified medical professionals. Nevertheless, it is your right under laws like the GDPR to not be subjected to a decision which produces legal or similarly significant effects on you, if it is based solely on automated processing (with no human involvement)​.

Examples of such automated decisions could include computer-only determinations of eligibility for insurance or automated diagnostics without a doctor’s input. We do not engage in such practices. If you ever feel that a decision or recommendation has been made about you by an algorithm alone, you can request human intervention and we will have a clinician or appropriate staff member review the case and listen to your perspective​.

We design our systems to ensure human oversight, thus protecting you from any unintended consequences of automation.

  • Right to Withdraw Consent: As our program operates largely on the basis of your consent, you have the unconditional right to withdraw that consent at any time. This right is emphasized: you may withdraw your consent for data processing (in whole or in part) whenever you choose, and we will stop the processing that was based on consent. Withdrawal of consent will not affect the lawfulness of any processing we conducted prior to your withdrawal (in other words, processing we already did remains valid), but we will not continue processing after withdrawal. If you withdraw consent for certain aspects (for example, you let us know you no longer consent to us using your data for internal research), we will honor that and cease those specific uses. If you withdraw consent entirely and thereby exit the program, we will act as described under withdrawal rights: no new data collection, option to delete existing data, etc. We will also inform any third parties who were relying on your consent (processing data on our behalf) that your consent has been withdrawn so that they cease processing your data as well (unless another legal ground applies for them, which is unlikely in our scenario).
  • Right to Lodge a Complaint: If you believe that we have infringed your data protection rights or violated privacy laws in processing your personal data, you have the right to lodge a complaint with the appropriate supervisory authority. The appropriate authority depends on your location. For participants in the European Union or EEA, you can contact your country’s Data Protection Authority (DPA). For example, a participant in Germany could complain to the Bavarian DPA if they feel we’re not complying with GDPR. We will provide contact details for DPAs upon request, or you can find them publicly listed. For participants in the UK, you can contact the Information Commissioner’s Office (ICO). In Canada, it would be the Office of the Privacy Commissioner (for PIPEDA issues). Brazilian participants can reach out to the National Data Protection Authority (ANPD). If you’re in China, you might approach the Cyberspace Administration or a related regulator under PIPL. For participants in the United States, different oversight applies: for health privacy (HIPAA-related complaints), you may contact the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which oversees HIPAA compliance​.

Also, if CCPA or other state privacy laws apply, you can reach out to your state Attorney General’s office. We encourage you to let us address your concerns first, but you are fully within your rights to seek regulatory help. We will cooperate fully with any investigations by authorities to resolve any issues.

  • How to Exercise Your Rights: To exercise any of the rights described above or to make any requests regarding your personal data, you should contact us through the channels listed in Section 10 (Contact Information). For efficiency, you may direct your request to our Data Protection Officer (DPO) or Privacy Office. In your request, please clearly state your identity and which right you wish to exercise (for example, “I want to access my records” or “Please delete my data”). We may need to verify your identity before proceeding – this is to ensure that we do not disclose or delete data at the request of an imposter. Verification might involve confirming some personal details we have on file, or asking for identification in a secure manner. We will respond to your request within the timeframe required by law – generally within one month for most rights under GDPR​ and within 30 days for access requests under HIPAA (we will inform you if an extension is needed). There is no cost for exercising your rights, except in exceptional cases allowed by law (we would inform you in advance if a fee were necessary for, say, repetitive requests).

We are committed to honoring your choices and rights. Our systems and processes are designed to facilitate these rights, and we continuously review and improve how we respond to such requests. When you enrolled in the program, you provided written consent for Moveo Health to collect and process your data – but that consent and this Policy give you the control: you decide what tests to take, what data to provide, and what we can do with it. We want you to feel informed and comfortable with every aspect of how your data is handled. If anything in this Policy is unclear, or if you have questions at any stage, please do not hesitate to ask. Empowering you with knowledge and control over your personal information is fundamental to our approach.

10. Integration of Emerging Privacy Technologies
Moveo Health stays at the forefront of privacy and security practices, continuously adapting to new technologies and regulatory developments to protect our participants’ data. In an age of rapid digital innovation – including artificial intelligence, telehealth expansion, and advanced biometric identification – we proactively incorporate safeguards and governance measures to address emerging privacy challenges. This section describes how we integrate certain emerging trends and technologies in a privacy-conscious manner:

  • AI and Automated Decision-Making Governance: Moveo Health utilizes technology, including algorithmic analysis, to enhance our services (for example, software that can flag abnormal lab results or predict health risk trends). However, we do not rely on AI or automated systems to make medical decisions about your health without human oversight. Any AI-powered tools we use are strictly assistive – they may help our clinicians by organizing data or suggesting insights, but a qualified medical professional reviews all outputs. In compliance with principles like GDPR Article 22, we ensure that no decision with legal or significant impact on you is made solely by an algorithm​.

If we introduce more advanced AI analytics in the future (say, machine learning models to identify health patterns), we will do so under a framework of transparency and fairness: we will inform you if AI significantly contributes to an insight about your health, and you will have the option to request a human review of any AI-informed assessment​.

We have an AI governance committee that evaluates the ethics and privacy implications of any such technology, and we adhere to emerging guidelines (such as proposed EU AI regulations and FDA software guidelines) to ensure any AI tools are bias-tested, secure, and used in a manner consistent with medical standards. In summary, we embrace useful innovations but keep a human in the loop for critical judgments, and we fully respect your right to understand and contest how any automated process influences your care.

  • Telehealth and Cross-Border Services: A core part of Moveo Health’s offering is the availability of telemedicine consultations and remote monitoring, allowing participants around the world to access our expertise. We recognize that telehealth introduces unique privacy considerations, especially when these services cross international borders (for example, if you are in the EU having a virtual consultation with a U.S. doctor). We address these by using secure, encrypted communication platforms for all telehealth sessions – ensuring that video calls, chats, or data transmitted during virtual visits are protected against interception. We also ensure that telehealth providers on our side conduct sessions in private settings to maintain confidentiality. Regarding cross-border regulatory compliance, as noted in Section 6, we treat data from telehealth encounters with the same care as any other data transfer: abiding by both the patient’s country privacy laws and our country’s laws. For instance, if an EU participant does a telehealth session, we consider the data covered by GDPR and U.S. HIPAA simultaneously, and we meet the higher standard in any given aspect. We also obtain any required consents specifically for telehealth where laws demand it (some regions require patients to consent to telehealth treatment itself). Furthermore, we ensure our telehealth practitioners are properly licensed in the jurisdiction of the patient where required by law – this is more of a medical regulation than data privacy, but it also protects your data by ensuring the practitioner is subject to the appropriate professional oversight and confidentiality duties locally. As telemedicine regulations evolve globally, we remain vigilant and update our practices so that your privacy and the quality of care remain consistently excellent, whether you see us in person or online.
  • Biometric Data Protections: Our program may involve the collection and analysis of biometric data – for example, your fingerprints (for identity verification), facial images (if used in a video consultation or ID photo), or physiological measurements that qualify as biometric identifiers. Biometric data is considered highly sensitive, as it is unique to you and often immutable. Many jurisdictions have enacted special laws to govern biometric information (for instance, Illinois’ BIPA in the U.S. requires informed consent for collecting biometric identifiers, and GDPR treats biometric data as a special category requiring explicit consent). Moveo Health is committed to heightened protections for all biometric data we handle. This means we will only collect biometric identifiers when necessary (such as using a fingerprint to unlock a device during an examination, or capturing a facial image if needed for a specific medical app) and always with your prior knowledge and consent. Such data will be stored securely with encryption and, where possible, kept separate from other personal identifiers to reduce the risk of misuse. We will not use biometric data for any purpose other than the specific purpose for which it was collected (for example, we won’t use a facial image for any sort of facial recognition outside of your medical context without asking you). If we partner with any service that processes biometric data (like a device that uses your voice or eye scan), we will ensure that service complies with biometric privacy requirements and that you are informed. In addition, if any new form of biometric technology is introduced into our program, we will conduct a privacy impact assessment and implement any required safeguards (like offering an opt-out or alternative). Simply put, we treat biometric and genetic information as sensitive personal information of the highest category and handle it accordingly​.
  • Privacy-Enhancing Technologies and Innovation: We continuously explore and implement modern privacy-enhancing technologies (PETs) to strengthen data protection. This includes techniques like pseudonymization, where we replace identifying fields in your records with codes so that, within our analytical systems, your data can be used without readily identifying you (unless linked back with a key kept securely). We also use anonymization and aggregation, as discussed, to utilize data for research without personal identifiers. In our analytics environment, we apply principles of data minimization (only using the data points needed for a given analysis) and purpose limitation (datasets are compartmentalized by purpose). We review new tools that can allow us to gain insights while preserving privacy – for example, exploring federated learning (where an AI model learns from data without raw data leaving its source) or differential privacy methods (which add controlled noise to data sets to prevent re-identification in aggregated statistics). Any adoption of such technologies will be to add layers of privacy protection. We also pay close attention to emerging privacy regulations and standards. For instance, if new laws require data localization (storing data within country borders) for certain data types, we can utilize cloud infrastructure in those regions to comply. If standards like ISO/IEC 27701 (privacy information management) or others can enhance our governance, we strive to align with them. Our privacy team stays informed through memberships in industry groups and by monitoring guidance from authorities (like the European Data Protection Board, U.S. HHS/OCR, etc.). By integrating cutting-edge privacy techniques and keeping pace with trends, we aim to future-proof your data’s security and privacy.

In conclusion, Moveo Health embraces innovation in healthcare, but we do so with privacy in mind from the outset (privacy by design). Each new technology or method is evaluated for privacy risks, and we implement appropriate controls to mitigate those risks. We believe that advancements such as AI and telehealth can greatly improve healthcare delivery, but only if deployed responsibly. We are dedicated to maintaining that balance – leveraging technology to benefit your health while steadfastly protecting your personal information. Our ongoing commitment is that as technology and privacy landscapes evolve, so will our Policy and practices, always aiming for the highest standard of privacy protection.

11. Contact Information and Policy Updates
If you have any questions, concerns, or requests regarding this Data Privacy Policy or any aspect of how your personal data is handled, please contact us using the information below. We have designated a Data Protection Officer (DPO) who oversees our privacy compliance and serves as a point of contact for participants and regulators.

Contact Details for Privacy Inquiries:

  • Data Protection Officer (DPO): [Michael Vander]
  • Email: [info@moveo.health] (Please use a descriptive subject line such as “Privacy Inquiry” or “Data Subject Request” for prompt assistance. Do not include highly sensitive information like passwords in email.)
  • Phone: [+1-520-382-1222] (Please ask for the Privacy Office or DPO when calling.)
  • Mailing Address: Moveo Health, PLLC – Privacy Office/DPO, [5200 E Farness Drive, Suite 100, Tucson, AZ 85712, USA]

We will respond to inquiries or requests as soon as possible, and within any timeframes required by law. If you are contacting us to exercise a specific right, please see Section 9 for the process, but in any case, our DPO will guide you through it. For security reasons, we might need to verify your identity before releasing or modifying any personal data, especially for access or deletion requests.

Updates to This Policy: Moveo Health may update or revise this Data Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the “Effective Date” at the top of the Policy. If there are significant or material changes that affect your rights or how we use your data, we will take appropriate measures to inform you in advance. This may include sending a notice to your email address on file, posting a prominent announcement on our website or portal, or even obtaining your consent again if required by law (for example, if a new purpose for data use is introduced). We encourage you to review this Policy periodically to stay informed about how we protect your information. Historical versions of the Policy can be requested from us if needed. Your continued participation in the program or use of our services after a Policy update signifies your acceptance of the revised terms, to the extent permitted by law.

This Policy, as updated, represents the authoritative statement of Moveo Health’s data privacy practices. It supersedes any prior privacy communications or summaries you may have received. We stand by the commitments made in this Policy and will not engage in any handling of your personal data that is inconsistent with it without notifying you and obtaining necessary permissions. Thank you for entrusting Moveo Health with your sensitive personal information – we take that trust seriously and are devoted to maintaining it through unwavering compliance and care.