Privacy Policy
🔒 HIPAA Compliant
Prescription Weight Loss Services - Notice of Privacy Practices
About This Privacy Policy
This Privacy Policy explains how your health information is handled when you use our prescription weight loss services.
IMPORTANT: Glow (Endo Health, Inc.) acts as a technology platform that connects you with licensed healthcare providers and pharmacies. While Endo Health does not directly provide medical care, certain health-related information you voluntarily share through the Glow platform (such as weight data, medication adherence logs, and wellness coaching context) may be processed by our technology systems to facilitate your care.
Clinical Protected Health Information (PHI), including medical history, prescriptions, and clinical communications, is collected and managed directly by our healthcare partners:
- Licensed physicians (via our telehealth partner)
- Partner pharmacies: Epiq Scripts and CraftedRx
These partners are independently responsible for HIPAA compliance and maintaining the security of your health information. Their privacy practices are governed by their own HIPAA-compliant privacy policies.
For information about how we handle data related to our general AI coaching services, please see our General Privacy Policy.
What Glow Collects
What Glow DOES collect:
- Account information (name, email, phone number)
- Payment information for service fees
- Non-clinical preferences and app usage data
- Health-related data you voluntarily share (weight, wellness goals, medication adherence notes)
- Voice coaching session content processed by our AI systems
- Apple Health data you choose to integrate
What Glow does NOT collect or store:
- Clinical medical records, lab results, or diagnostic information
- Prescription information
- Communications with healthcare providers
For information about how our healthcare partners handle your PHI, please contact them directly or review their privacy policies.
How Your PHI is Used
Your PHI is handled by our healthcare partners (not Glow) for the following purposes:
- Treatment: To provide, coordinate, and manage your healthcare and prescriptions
- Payment: To bill and collect payment for medications and healthcare services
- Healthcare Operations: To support quality improvement and regulatory compliance
- As Required by Law: To comply with federal, state, or local laws
Our healthcare partners maintain their own privacy policies that govern how they use and disclose your PHI. Glow does not have access to or control over your PHI.
Your Rights Regarding Your PHI
Under HIPAA, you have rights regarding your PHI. Since your PHI is held by our healthcare partners (not Glow), please contact them directly to exercise these rights:
- Right to Access: Request copies of your PHI from the healthcare provider or pharmacy
- Right to Amend: Request corrections to your PHI
- Right to Accounting: Request a list of disclosures
- Right to Restrict: Request restrictions on certain uses
- Right to Breach Notification: You have the right to be notified if your unsecured PHI is breached
For your Glow account information (non-PHI), you may request access, correction, or deletion by contacting us at the email below.
How Your Information is Protected
For PHI (handled by healthcare partners): Our healthcare partners implement appropriate HIPAA-compliant safeguards to protect your PHI, including encryption, access controls, and security audits.
For non-PHI data (handled by Glow): We protect your account and payment information using industry-standard security measures, including:
- Encryption of data in transit and at rest
- Secure payment processing (PCI-DSS compliant)
- Access controls and authentication
Breach Notification
In the event of a breach of unsecured Protected Health Information, we will notify affected individuals in accordance with the HIPAA Breach Notification Rule (45 CFR 164.400-414).
Notification will be provided without unreasonable delay and no later than 60 calendar days from discovery of the breach. Notification will include:
- A description of the breach and the date(s) it occurred
- The types of information involved
- Steps you should take to protect yourself
- What we are doing in response to the breach
- Contact information for further questions
If a breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services and prominent media outlets as required by law.
Healthcare Partners
Your prescription services are provided by independent, licensed healthcare partners who maintain their own HIPAA compliance:
Telehealth Services: Provided by licensed physicians who make all prescribing decisions. Your health assessments and medical consultations are conducted through our telehealth partner's HIPAA-compliant platform.
Pharmacy Services:
- Epiq Scripts (Richardson, TX) — compounds and dispenses your prescriptions
- CraftedRx (Warrenton, MO) — compounds and dispenses your prescriptions
These partners collect and manage your PHI under their own privacy policies. Glow does not have access to your PHI stored by these partners.
Business Associates
Endo Health engages certain third-party service providers ("Business Associates") who may access, process, or store health-related information on our behalf in connection with the Services.
We maintain Business Associate Agreements (BAAs) with these partners to ensure they handle health information in compliance with HIPAA requirements. Our Business Associates include infrastructure, database, AI processing, and voice technology providers.
Business Associates are contractually required to:
- Implement appropriate safeguards for PHI
- Report any security incidents or breaches
- Ensure their subcontractors comply with the same requirements
- Return or destroy PHI when the agreement ends
Data Retention
PHI (held by healthcare partners): Our healthcare partners retain your PHI for as long as required by applicable laws and regulations, which may be up to 7 years or longer depending on your state of residence.
Account information (held by Glow): We retain your account and payment information for as long as your account is active and as required for legal and business purposes. You may request deletion of your account at any time.
Changes to This Policy
We reserve the right to change this privacy policy and make the new provisions effective for all PHI we maintain. If we make material changes, we will notify you via email or through our services.
Contact Us
If you have questions about this privacy policy or your Glow account information:
Email: support@glowdiet.com
Address: Endo Health, Inc., 548 Market Street, San Francisco, CA 94104
For questions about your PHI: Please contact our healthcare partners (your prescribing physician or dispensing pharmacy) directly.
You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights regarding PHI concerns.
Last Updated: March 9, 2026 | Effective Date: March 9, 2026