Privacy Policy

Effective Date: March 11, 2026  |  Last Updated: March 11, 2026

Sublime Vitality Inc. (“Sublime Vitality,” “we,” “us,” or “our”) is a California corporation that operates a physician platform for compounded wellness products and educational resources at dr.sublimevital.com and related subdomains (the “Platform”).

This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Platform. It also describes your rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

This Platform is intended exclusively for licensed healthcare providers. If you are a patient or consumer, please contact your healthcare provider directly. Do not submit personal health information through this Platform.

1. Information We Collect

A. Information You Provide Directly

Physician Application (sublimevital.com/apply)

  • National Provider Identifier (NPI)
  • Full name and professional credentials (e.g., MD, DO, NP, PA)
  • Email address and phone number
  • Practice name, medical specialty, and state of licensure
  • Practice address (street, city, zip — optional)
  • Referral source (how you heard about us)

Account Login

  • Google account email address (via Google OAuth)
  • Session authentication tokens (stored in secure, httpOnly cookies)

NPI Verification

  • NPI number you submit
  • Provider name, specialty, and credential data retrieved from the publicly available National Plan & Provider Enumeration System (NPPES) registry — this data originates from the federal database, not directly from you

Digital Sales Room (DSR) Access — sublimevital.com/r/[token]

  • NPI number and email address
  • Name, specialty, organization, and state (populated from NPPES based on submitted NPI)

Educational Content and Media Kit Downloads

  • Email address (provided to receive downloadable materials)

B. Information Collected Automatically

Usage and Engagement Data

  • Products viewed, pricing pages accessed, and documents downloaded within DSR sessions
  • Session duration and engagement activity within the physician portal
  • Features used and pages visited on the Platform
  • AI assistant conversation content (logged for platform improvement and compliance auditing)

Technical Data

  • IP address, browser type and version, device type and operating system
  • Referring URL and session identifiers

C. Information from Third Parties

  • NPPES (National Plan & Provider Enumeration System): Public federal registry data associated with NPI numbers you submit, including provider name, specialty, credential, and practice information.
  • Google: Email address and basic profile information provided when you sign in using Google OAuth.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Credential Verification: Verify that users are licensed healthcare providers by validating NPI numbers against the NPPES registry.
  • Account Management: Create and maintain your physician account, authenticate your identity, and provide access to Platform features.
  • Order Processing and Fulfillment: Process product orders, coordinate with fulfillment partners, and communicate order status and updates.
  • Sales and Account Support: Assign you to an appropriate sales representative, enable follow-up on product and educational inquiries, and track engagement for account management purposes.
  • Platform Operations and Improvement: Monitor and improve Platform functionality, detect and prevent fraud and unauthorized access, and maintain security audit trails.
  • AI Assistant: Log AI assistant interactions for compliance auditing, quality improvement, and regulatory record-keeping.
  • Marketing and Communications: Send informational updates about products, educational content, platform features, and promotions relevant to your practice. You may opt out at any time (see Section 5).
  • Legal Compliance: Retain records as required by applicable healthcare, tax, and regulatory requirements.

3. How We Share Your Information

We do not sell your personal information.

We share your information only in the following circumstances:

Assigned Sales Representatives

Your account information, NPI, contact details, and Platform engagement data are shared with the Sublime Vitality sales representative assigned to your territory or through your referral source. Your representative uses this information to support your account, follow up on inquiries, and coordinate orders.

Order Fulfillment Partner

Order information — including your NPI, practice name, product selections, and shipping address — is shared with our fulfillment partner for the purpose of processing and shipping product orders. Your payment information is not shared with Sublime Vitality; payments are processed directly through your assigned representative’s billing system.

Service Providers

We share information with third-party service providers who assist in operating the Platform:

Provider | Purpose | Data Shared
Vercel | Platform hosting and infrastructure | Request logs, usage data
Neon | Database (accounts, orders) | Account and order data
Langfuse | AI interaction logging and compliance | AI chat conversations
Google | Authentication (OAuth) | Email address
Credit Key | Physician financing (when applicable) | Order totals, account reference
Resend | Transactional and marketing email | Email address, name
Sanity | Content management | None (content delivery only)

All service providers are contractually required to process your information only as directed by Sublime Vitality and in accordance with applicable law. They are prohibited from using your information for their own independent purposes.

Legal Requirements

We may disclose your information if required by applicable law, legal process, court order, or governmental authority, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of Sublime Vitality, our users, or others.

Business Transfers

If Sublime Vitality is acquired, merges with another entity, or undergoes a change of control or sale of assets, your information may be transferred as part of that transaction. We will notify you via Platform notice or email prior to any such transfer and your information becoming subject to a different privacy policy.

4. Data Retention

We retain your information for the periods set out below, after which data is securely deleted or irreversibly anonymized:

Data Category | Retention Period | Basis
Physician account and profile data | 7 years from account closure | Healthcare record retention requirements
Order records | 7 years from order date | Tax and regulatory compliance
NPI verification records | 7 years from verification date | Credential audit trail
AI assistant conversations | 2 years from conversation date | Compliance monitoring
DSR engagement data | 2 years from session date | Analytics and sales records
System and webhook logs | 90 days | Operational security
Marketing consent records | Duration of relationship + 5 years | TCPA/CAN-SPAM compliance

5. Your Choices

Marketing Communications

You may opt out of marketing emails at any time by clicking the “Unsubscribe” link in any marketing email or by contacting us at privacy@sublimevital.com. Opting out of marketing communications does not affect transactional or account-related communications, which will continue as necessary to service your account.

Phone and SMS Communications

If you provided your phone number and consented to calls or SMS messages, you may revoke that consent at any time by replying STOP to any SMS message or by contacting us at privacy@sublimevital.com.

Account Information

You may update your account information by logging into your portal account or contacting us at privacy@sublimevital.com.

6. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) (California Civil Code §§ 1798.100 et seq.) grants you specific rights regarding your personal information.

Categories of Personal Information We Collect

  • Identifiers: Name, email address, phone number, IP address, NPI, account identifiers, session identifiers
  • Professional or Employment Information: Medical specialty, professional credentials, practice name, practice address
  • Internet or Other Electronic Network Activity: Platform usage data, DSR engagement data, session information, AI assistant interactions
  • Commercial Information: Order history, product interests, purchasing activity
  • Inferences: Engagement scores derived from DSR session behavior and account activity patterns

Your Rights

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected about you. Note that we are required to retain certain records under applicable law (e.g., 7-year retention for order records) and will inform you of any such limitation when responding to your request.
  • Right to Correct: You may request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted by CPRA without your consent.
  • Right to Non-Discrimination: We will not discriminate against you — including by denying services, charging different prices, or providing a different level of service — for exercising any of your privacy rights.

How to Submit a Request

To exercise any of the rights above:

  • Email: privacy@sublimevital.com
  • Subject line: CCPA Privacy Request

We will verify your identity before processing your request, typically by confirming your NPI and email address on file. We will respond within 45 calendar days. If we require an extension (up to an additional 45 days), we will notify you within the initial 45-day period.

You may designate an authorized agent to submit a request on your behalf. We will require written authorization signed by you and may verify your identity directly before honoring the agent’s request.

California residents may also contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov if they believe their rights have not been honored.

7. Digital Sales Room Sessions

When you access a Sublime Vitality Digital Sales Room (a unique URL shared by a sales representative), your session engagement is tracked, including:

  • Products viewed and time spent on each
  • Pricing pages accessed
  • Documents and certificates of analysis downloaded
  • Whether you initiated contact with your representative
  • Session duration and overall engagement activity

This data is shared with the sales representative who provided the DSR link and is used to tailor follow-up communications and account management. Engagement records are retained for 2 years.

A notice is displayed within the DSR interface informing you that your session is being tracked.

8. Security

We implement industry-standard technical and organizational measures to protect your information, including:

  • HTTPS/TLS encryption for all data in transit
  • Parameterized database queries to prevent injection attacks
  • HTTP-only, secure session cookies with CSRF protection
  • Rate limiting on all public-facing forms and API endpoints
  • Role-based access controls limiting data access to authorized personnel
  • Webhook signature verification (HMAC-SHA-256) for third-party integrations
  • Regular security monitoring and audit logging

No method of electronic transmission or storage is completely secure. While we use commercially reasonable measures to protect your information, we cannot guarantee its absolute security. If you believe your account has been compromised, contact us immediately at privacy@sublimevital.com.

9. HIPAA Notice

Sublime Vitality does not collect, process, or store patient Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), 45 CFR Parts 160 and 164.

The Platform collects and processes only physician professional information — NPI, credentials, practice data, and order history. None of this information constitutes PHI under 45 CFR § 160.103, which defines PHI as individually identifiable health information relating to a patient’s health condition, provision of care, or payment for care.

Accordingly, a Business Associate Agreement (BAA) between Sublime Vitality and physicians using the Platform is not applicable. If you have questions about this determination, contact privacy@sublimevital.com.

10. Third-Party Links and Services

The Platform may contain links to third-party websites or embed third-party services (such as financing tools). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you interact with through the Platform. Sublime Vitality is not responsible for the privacy practices of third parties.

11. Children's Privacy

This Platform is not directed to individuals under 18 years of age and is accessible only to licensed healthcare providers. We do not knowingly collect personal information from minors. If we learn that we have inadvertently collected information from a person under 18, we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the “Last Updated” date at the top of this page and, where appropriate, by email or in-Platform notice. Your continued use of the Platform after we post the updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this page periodically.

13. Contact Us

For privacy-related questions, requests, or complaints:

Sublime Vitality Inc.
Privacy Officer
privacy@sublimevital.com

For general platform support, visit the help center.

© 2026 Sublime Vitality Inc.