Privacy Policy

Last Updated: October 29, 2025


CollagenDirect ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (collagendirect.health), use our Provider Portal (together with the website, the "Platform"), or interact with our services as a patient, healthcare provider, physician, practice manager, or medical facility.

Quick Summary:

  • Patients: Your healthcare provider shares your information with us to deliver wound care products. We protect your health information under HIPAA.
  • Physicians: We collect your credentials and practice information to verify your identity and process orders. Your patient data is protected as PHI.
  • Practices: We collect business and billing information to provide products and services to your practice and affiliated physicians.

1. Information We Collect

A. Information from Patients

When your healthcare provider orders products for you, we collect:

  • Personal Identifiers: Name, date of birth, address, phone number, email address
  • Health Information (Protected Health Information - PHI):
    • Diagnosis codes (ICD-10) and medical conditions
    • Wound assessments and treatment plans
    • Prescription and Standard Written Order information
    • Medical history relevant to wound care
    • Clinical photographs and wound documentation
  • Insurance Information: Insurance provider, policy number, Medicare/Medicaid number, coverage details
  • Delivery Information: Shipping address, delivery preferences, contact information
  • Communication Records: Interactions with customer support, delivery confirmations, satisfaction surveys

HIPAA Protection: Patient health information is Protected Health Information (PHI) under HIPAA. We handle your PHI according to strict federal privacy rules and our Business Associate Agreement with your healthcare provider.

B. Information from Physicians

When you register or use the Provider Portal, we collect:

  • Professional Credentials: NPI (National Provider Identifier), DEA number, medical license number and state, board certifications, specialty
  • Personal Information: Name, email address, phone number, business address
  • Account Information: Username, password (encrypted), security questions, account preferences
  • Practice Affiliations: Affiliated practices, group memberships, hospital privileges
  • Order History: Products ordered, quantities, frequencies, patient outcomes (de-identified for analytics)
  • Financial Information: Billing preferences, payment methods (if applicable)
  • Usage Data: Login activity, portal features used, pages visited, IP addresses, device information

C. Information from Practices

When your practice or facility registers, we collect:

  • Business Information: Practice name, tax ID (EIN), business address, phone number, website
  • Practice Manager Information: Name, title, email, phone number, role
  • Physician Roster: Names, credentials, and contact information for affiliated physicians
  • Licensure: DME supplier license (if applicable), state licenses, accreditation status
  • Financial Information: Bank account details, credit card information (processed by our payment processors; we do not store full card numbers), billing address, credit references
  • Order and Billing Records: Invoices, payment history, credit limits, outstanding balances
  • Patient Data: PHI for patients receiving products through your practice

D. Automatically Collected Information

We automatically collect certain information when you visit our website or use our Platform:

  • Device Information: IP address, browser type and version, operating system, device identifiers
  • Usage Data: Pages viewed, time spent on pages, links clicked, referring URLs, access times
  • Cookies and Tracking: Session cookies, preference cookies, analytics cookies (see Section 9 for details)
  • Location Data: General location based on IP address (not precise GPS location)

E. Information from Third Parties

We may receive information from:

  • Credential Verification Services: NPPES database (NPI validation), state medical boards (license verification), Medicare/Medicaid enrollment status
  • Credit Services: Credit reports and scores for practices requesting payment terms
  • Insurance Verification: Payer eligibility systems for coverage verification
  • Public Records: Business registrations, professional sanctions or disciplinary actions

2. How We Use Your Information

A. For Patients

  • Product Fulfillment: Process and ship wound care products ordered by your healthcare provider
  • Delivery Coordination: Contact you to schedule deliveries, confirm addresses, and provide tracking information
  • Customer Support: Respond to inquiries, resolve issues, and provide product usage assistance
  • Insurance Billing: Submit claims to your insurance provider (when applicable) and verify coverage
  • Communications: Send order confirmations, shipping notifications, educational materials, and (with consent) marketing offers
  • Quality Improvement: Analyze outcomes data (de-identified) to improve products and services

B. For Physicians

  • Account Management: Create and maintain your Provider Portal account, authenticate your identity
  • Credential Verification: Verify your professional licenses and credentials to comply with healthcare regulations
  • Order Processing: Receive, process, and fulfill product orders for your patients
  • Clinical Support: Provide product training, clinical resources, and usage guidelines
  • Communications: Send account updates, product information, educational content, and (with consent) marketing communications
  • Analytics: Analyze prescribing patterns (anonymized) to improve product recommendations and platform features

C. For Practices

  • Business Operations: Process orders, manage accounts, generate invoices, and collect payments
  • Credit Management: Evaluate creditworthiness, establish payment terms, and manage outstanding balances
  • Physician Management: Facilitate access for affiliated physicians, manage user permissions
  • Reporting: Provide order reports, usage analytics, and spending summaries
  • Compliance: Maintain records for audits, payer inquiries, and regulatory requirements
  • Communications: Send billing statements, account alerts, product updates, and (with consent) marketing offers

D. General Business Purposes

  • Legal Compliance: Comply with HIPAA, Medicare/Medicaid regulations, state laws, and industry standards
  • Fraud Prevention: Detect and prevent unauthorized access, identity theft, and fraudulent orders
  • Platform Improvement: Analyze usage patterns to enhance website and portal functionality
  • Research: Conduct de-identified research on wound care outcomes and treatment effectiveness
  • Security: Maintain audit logs, monitor for security threats, and protect data integrity

3. How We Share Your Information

A. With Service Providers and Business Partners

We share information with third parties who perform services on our behalf:

  • MD DME LLC: Our fulfillment partner receives patient information, clinical documentation, and order details necessary to pick, pack, ship, and (when applicable) bill for products. MD DME is bound by a HIPAA Business Associate Agreement.
  • Shipping Carriers: UPS, FedEx, USPS receive delivery addresses and contact information to ship products
  • Payment Processors: Stripe, PayPal, or other payment gateways process billing information securely (we do not store full credit card numbers)
  • Cloud Hosting: AWS, Render.com, or similar providers host our infrastructure with HIPAA-compliant configurations
  • Communication Platforms: Twilio (SMS), SendGrid (email) deliver transactional and marketing messages
  • Analytics Providers: Google Analytics (with IP anonymization) helps us understand website usage
  • Customer Support Tools: Zendesk, Intercom, or similar platforms manage support tickets
  • AI Service Providers: OpenAI, Google Cloud AI, AWS AI services power chatbots and personalization features

All service providers handling PHI execute HIPAA Business Associate Agreements. All providers are contractually obligated to protect your information.

B. With Healthcare Providers and Practices

  • Physician-Patient Communication: We share patient order status, delivery confirmations, and product information with the ordering physician
  • Practice Coordination: Practice managers can access orders and patient information for physicians affiliated with their practice
  • Clinical Collaboration: Healthcare team members with authorized access can view patient treatment plans

C. With Insurance Payers

When products are billed to insurance:

  • We submit claims with patient PHI, diagnosis codes, and product information to Medicare, Medicaid, and private insurers
  • We respond to payer audits and documentation requests
  • We verify eligibility and coverage with insurance companies

D. For Legal and Safety Reasons

We may disclose information when required by law or to protect rights and safety:

  • In response to subpoenas, court orders, or legal process
  • To comply with government audits, investigations, or regulatory inquiries
  • To report suspected fraud, abuse, or illegal activity to authorities
  • To protect the rights, property, or safety of CollagenDirect, our users, or the public
  • In connection with suspected patient harm or abuse (as required by mandatory reporting laws)

E. Business Transfers

If CollagenDirect is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred to the successor entity. We will provide notice and obtain consent where required by law.

F. With Your Consent

We may share information with third parties when you explicitly authorize or direct us to do so.

G. De-Identified and Aggregated Data

We may share de-identified, aggregated data that cannot reasonably identify individuals for research, analytics, marketing, or business purposes (e.g., "85% of diabetic ulcer patients experience healing within 30 days").

4. Data Security

We implement comprehensive security measures to protect your information:

Technical Safeguards

  • Encryption: All data transmitted between your browser and our servers uses TLS 1.2+ encryption. PHI stored in databases is encrypted at rest using AES-256.
  • Access Controls: Role-based access controls (RBAC) ensure employees access only data necessary for their job functions
  • Authentication: Secure password requirements, multi-factor authentication (MFA) for administrative accounts, automatic session timeouts
  • Firewall Protection: Network firewalls and intrusion detection systems monitor for threats
  • Vulnerability Scanning: Regular security assessments and penetration testing

Administrative Safeguards

  • Employee Training: All staff complete HIPAA and data security training annually
  • Background Checks: Background screening for employees with access to sensitive data
  • Confidentiality Agreements: All employees and contractors sign confidentiality agreements
  • Audit Logs: We maintain comprehensive logs of all PHI access and modifications as required by HIPAA
  • Incident Response: We have procedures to detect, respond to, and report security incidents

Physical Safeguards

  • Secure Data Centers: Cloud infrastructure hosted in SOC 2 certified, HIPAA-compliant data centers
  • Controlled Access: Physical access to servers and systems is restricted and monitored

Important: While we implement industry-standard security, no system is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

5. Data Retention

We retain information as long as necessary to fulfill the purposes in this Policy, unless a longer period is required by law:

  • Patient PHI: 7 years from the date of last service (or longer if required by state law)
  • Provider Account Data: Duration of your account plus 7 years after termination
  • Financial Records: 7 years per IRS and Medicare requirements
  • Audit Logs: 7 years per HIPAA requirements
  • Marketing Data: Until you opt out or request deletion, then deleted within 30 days
  • De-identified Data: Retained indefinitely for research and analytics

After retention periods expire, we securely delete or permanently de-identify information.

6. Your Privacy Rights

A. Rights for Patients (HIPAA Rights)

Under HIPAA, you have the right to:

  • Access: Request and receive a copy of your Protected Health Information
  • Amendment: Request corrections to inaccurate or incomplete PHI
  • Accounting of Disclosures: Receive a list of certain disclosures of your PHI
  • Restrictions: Request restrictions on how we use or disclose your PHI (we are not always required to agree)
  • Confidential Communications: Request that we communicate with you in a specific way or at a specific location
  • Complaint: File a complaint with us or the U.S. Department of Health and Human Services if you believe your privacy rights have been violated

To exercise these rights, contact your healthcare provider (the Covered Entity) or our Privacy Officer at privacy@collagendirect.health.

B. Rights for Physicians and Practices

  • Access: Request a copy of the personal information we hold about you
  • Correction: Update your account information at any time through the Provider Portal or by contacting us
  • Deletion: Request deletion of your information (subject to legal retention requirements)
  • Opt-Out: Opt out of marketing communications (see Electronic Communications Policy)
  • Data Portability: Request a copy of your data in a portable format

C. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights:

  • Right to Know: Request disclosure of categories and specific pieces of personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information (subject to exceptions)
  • Right to Opt-Out of Sale: We do not sell personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Information: Request that we limit use of sensitive personal information (PHI handled under HIPAA is exempt from the CCPA)

To exercise CCPA rights, email privacy@collagendirect.health or call 1-800-XXX-XXXX. We will verify your identity before processing requests.

D. Other State Privacy Rights

Residents of other states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, etc.) have similar rights. Contact us to exercise your rights under applicable state laws.

7. Children's Privacy

Our Platform is not directed to children under 18. We do not knowingly collect personal information from minors for marketing purposes. However, patient information entered by healthcare providers may include minors, which is handled as PHI under HIPAA.

If you are a parent or guardian and believe your child's information has been collected inappropriately, contact us immediately.

8. International Users

Our services are intended for users in the United States. If you access our Platform from outside the U.S.:

  • Your information will be transferred to, stored, and processed in the United States
  • U.S. privacy laws may differ from those in your country
  • By using our services, you consent to the transfer and processing of your information in the U.S.

9. Cookies and Tracking Technologies

Types of Cookies We Use

  • Essential Cookies: Required for Platform functionality (authentication, session management, security). Cannot be disabled.
  • Preference Cookies: Remember your settings and preferences
  • Analytics Cookies: Google Analytics and similar tools track usage to improve the Platform (with IP anonymization)
  • Marketing Cookies: Track ad campaign effectiveness and conversions

Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may impair Platform functionality. To opt out of Google Analytics, install the Google Analytics Opt-Out Browser Add-on.

Do Not Track Signals

Our Platform does not currently respond to Do Not Track (DNT) browser signals.

10. Third-Party Links

Our Platform may contain links to third-party websites (e.g., payer portals, medical association sites, product manufacturer pages). We are not responsible for the privacy practices of these sites. Review their privacy policies before providing information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make material changes:

  • We will post the updated Policy with a new "Last Updated" date
  • We will notify registered users via email or Platform notification
  • For material changes affecting PHI, we will obtain consent where required by HIPAA

Your continued use of our Platform after changes take effect constitutes acceptance of the updated Policy.

12. Contact Us

For questions, concerns, or to exercise your privacy rights:

CollagenDirect Privacy Officer
Email: privacy@collagendirect.health
Phone: 1-800-XXX-XXXX
Mail: 8080 N Central Expressway, Dallas, TX 75206
Business Hours: Monday–Friday, 9 AM – 5 PM Central Time

HIPAA Compliance Officer (for patient PHI concerns):
Email: hipaa@collagendirect.health

To File a HIPAA Complaint:
U.S. Department of Health and Human Services
Office for Civil Rights
www.hhs.gov/ocr/privacy/hipaa/complaints/

By using CollagenDirect services, you acknowledge that you have read, understood, and agree to this Privacy Policy.