Privacy Policy

3.1 Service Providers

We share information with third parties who perform services on our behalf, including:

• Laboratory Partners: CLIA-certified laboratories (such as Quest Diagnostics and Labcorp) that perform your lab tests.
• Physician Network: Independent licensed physicians who review and authorize your lab orders and results.
• Payment Processors: Companies that process your payment transactions.
• Cloud Hosting Providers: Companies that host and store our data.
• Customer Support Tools: Platforms that help us respond to your inquiries.
• Analytics Providers: Services that help us understand how users interact with our Service.

All service providers are contractually obligated to use your information only for the purposes of providing services to us and to maintain appropriate security measures.

3.2 Legal and Safety Disclosures

We may disclose your information when we believe it is necessary to:

• Comply with applicable law, regulation, legal process, or governmental request.
• Enforce our Terms of Service and other agreements.
• Protect the rights, property, or safety of Rite Aid, our users, or others.
• Detect, prevent, or address fraud, security, or technical issues.

3.3 Business Transfers

If Rite Aid is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

3.4 With Your Consent

We may share your information for other purposes with your explicit consent.

4.1 Our Role and Your Health Information

Important Clarification: Rite Aid LLC operates as a technology platform that facilitates access to laboratory testing services. We are not a healthcare provider, and we are not a “Covered Entity” under the Health Insurance Portability and Accountability Act (HIPAA).

However, we work exclusively with partners who are subject to HIPAA and maintain HIPAA-compliant practices:

• Our laboratory partners (Quest Diagnostics, Labcorp, and others) are HIPAA-covered clinical laboratories.
• Our physician network consists of independent licensed physicians who are HIPAA-covered healthcare providers.

Because we are not a HIPAA Covered Entity, your health information in our possession is protected by other laws, including the Federal Trade Commission (FTC) Act, the FTC Health Breach Notification Rule, and state laws such as the Washington My Health My Data Act. We take these obligations seriously.

4.2 Special Protections for Health Information

We understand that your lab results and health screening information are highly sensitive. We apply enhanced protections to this data:

• Access Controls: Health information is accessible only to authorized personnel with a legitimate need.
• Encryption: All health data is encrypted in transit and at rest using industry-standard encryption (TLS 1.3, AES-256).
• Audit Logging: We maintain logs of all access to health information.
• No Sale: We never sell your health information, lab results, or health screening data.
• No Advertising Use: We do not share your health information, lab results, test selections, or any data from your secure account dashboard with advertising platforms. Advertising pixels are completely disabled on all authenticated pages.
• Breach Notification: In the event of a breach involving your health information, we will notify you and applicable regulators as required by the FTC Health Breach Notification Rule and applicable state laws.

4.3 Physician Authorization

All lab tests ordered through our Service are reviewed and authorized by independent licensed physicians. These physicians may access your health questionnaire responses and lab results to provide appropriate medical oversight.

4.4 Consent to Collect Consumer Health Data

By creating an account and using our Service to order lab tests, you expressly consent to our collection, use, storage, and sharing of your consumer health data as described in this Privacy Policy. This consent is required to provide the Service.

You may withdraw your consent at any time by closing your account, but this will prevent you from using the Service and ordering future lab tests. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

For residents of Washington State, please see Section 9.5 for additional information about your rights under the Washington My Health My Data Act, and review our dedicated Consumer Health Data Privacy Policy.

5.1 Cookies We Use

We use cookies and similar technologies to:

• Essential Cookies: Enable core functionality, such as authentication and security. These cannot be disabled.
• Analytics Cookies: Help us understand how visitors use our Service (e.g., Google Analytics).
• Preference Cookies: Remember your settings and preferences.
• Marketing Cookies: With your consent, track your activity on our public marketing pages for advertising purposes.

5.2 Advertising Pixels and Health Data Protection

We use advertising pixels (such as Meta Pixel, Google Ads, and similar technologies) to measure the effectiveness of our marketing campaigns. However, to protect your privacy:

• Advertising pixels are completely disabled on your account dashboard, checkout pages, lab result pages, and any page where you select specific lab tests or view health information.
• We never transmit your lab results, test selections, health questionnaire responses, or any health-related data to advertising platforms.
• Pixels are only active on public marketing pages (such as our homepage and general information pages) where no health information is displayed or collected.

This means advertising platforms cannot see which tests you order or what your results are.

5.3 Your Cookie Choices

You can manage your cookie preferences through:

• The “Cookie Settings” link in the footer of our website.
• Your browser settings to block or delete cookies.
• For Google Analytics, you may opt out at tools.google.com/dlpage/gaoptout.

Note that blocking certain cookies may affect the functionality of the Service.

5.4 Do Not Track

Our Service does not currently respond to “Do Not Track” browser signals. However, we honor Global Privacy Control (GPC) signals where required by law.

No system is perfectly secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

If we become aware of a security breach affecting your personal information, we will notify you in accordance with applicable law.

Upon account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or legal claims).

8.1 Access and Portability

You may request a copy of the personal information we hold about you. Much of this information is available directly in your account dashboard.

8.2 Correction

You may request that we correct inaccurate personal information. You can update most account information directly in your account settings.

8.3 Deletion

You may request that we delete your personal information. Note that we may retain certain information as required by law or for legitimate business purposes.

8.4 Opt-Out of Marketing

You may opt out of marketing communications at any time by:

• Clicking the “unsubscribe” link in any marketing email.
• Replying “STOP” to any marketing text message.
• Adjusting your communication preferences in your account settings.
• Contacting us at the information provided in Section 12.

Opting out of marketing will not affect transactional communications (such as order confirmations and lab result notifications).

8.5 Withdraw Consent

Where we process your information based on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

To exercise any of these rights, please contact us using the information in Section 12. We will respond within the timeframe required by applicable law.

9.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share your information.

Right to Delete: You may request deletion of your personal information, subject to certain exceptions.

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt Out of Sale/Sharing: We do not sell your personal information for monetary value. However, we use certain advertising cookies and pixels (such as Meta Pixel and Google Ads) on our public-facing marketing pages to help us deliver relevant advertisements, which may constitute “sharing” for cross-context behavioral advertising under the CCPA/CPRA. We never share your lab results, health questionnaire responses, specific test selections, or any information from your secure account dashboard with advertising platforms. Advertising pixels are disabled on all authenticated pages, checkout pages, and any page where health information is displayed or selected. You have the right to opt out of this sharing by clicking the “Do Not Sell or Share My Personal Information” link in our website footer.

Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information (including health information) for purposes necessary to provide the Service and as otherwise permitted under the CCPA. We do not use or disclose sensitive personal information for advertising or profiling purposes.

Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of Information Collected: In the preceding 12 months, we have collected: Identifiers, commercial information, internet/network activity, geolocation data (non-precise), and health-related information.

To Submit a Request: Contact us at [email protected] or 863-270-9911. You may designate an authorized agent to make a request on your behalf.

9.2 Virginia Residents (VCDPA)

Virginia residents have rights to access, correct, delete, and obtain a copy of their personal data, as well as the right to opt out of targeted advertising, sale of personal data, and profiling. To exercise these rights, contact us at the information in Section 12. You may appeal our decision by contacting us within a reasonable time.

9.3 Colorado Residents (CPA)

Colorado residents have rights to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of targeted advertising, sale of personal data, and profiling. To exercise these rights or to appeal a decision, contact us at the information in Section 12.

9.4 Other State Privacy Laws

Residents of Connecticut, Utah, Oregon, Texas, Montana, and other states with comprehensive privacy laws have similar rights. We will honor valid requests from residents of any state with applicable privacy legislation. Contact us at the information in Section 12 to exercise your rights.

9.5 Washington Residents (My Health My Data Act)

If you are a Washington State resident, the Washington My Health My Data Act (MHMDA) provides you with specific rights regarding your “consumer health data,” which includes information about your lab test orders and results.

For complete information required by Washington law, please review our dedicated Consumer Health Data Privacy Policy.

Consent: We obtain your affirmative consent before collecting your consumer health data. You provided this consent when you created your account and agreed to this Privacy Policy.

Right to Know: You may request that we confirm whether we are collecting, sharing, or selling your consumer health data, and request access to such data.

Right to Delete: You may request deletion of your consumer health data.

Right to Withdraw Consent: You may withdraw your consent to the collection of consumer health data at any time by contacting us or closing your account. Withdrawal will prevent you from using the Service.

No Sale: We do not sell your consumer health data.

To Exercise Your Rights: Contact us at [email protected] or 863-270-9911. We will respond within 45 days as required by law.

9.6 Nevada Residents

We do not sell your personal information as defined under Nevada Revised Statutes Chapter 603A. You may submit a request to opt out of any future sale by contacting us at the information in Section 12.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy.