Privacy Policy

Last updated: September 16, 2025

This Privacy Policy explains how ZestLife, Inc. (“ZestLife,” “we,” “our,” or “us”) collects, uses, shares, and safeguards information when you access our professional‑only platform, websites, and related services (collectively, the “Platform”). This Policy is incorporated by reference into our Terms of Use. Capitalized terms not defined here have the meanings in the Terms of Use or, where applicable, in our Business Associate Agreement (“BAA”).

1) Scope & Audience

1.1 Professional‑only platform. ZestLife no longer offers consumer/member accounts. The Platform is limited to professional users (Facilitators and Organizations) and visitors who view public listings.

1.2 PHI pathway. PHI may only be collected/transmitted through Hipaatizerforms and tools embedded on the Platform. ZestLife is not a PHI system of record and does not host or store PHI, except for limited, temporary access for technical support as described in §3 and our BAA.

1.3 Relationship to other terms. Your use of the Platform is governed by our Terms of Use and, where applicable, our BAA and Service Agreement. If this Policy conflicts with those documents, the BAA (for PHI) and the Terms of Use control. Disputes related to this Policy are governed by the dispute‑resolution terms in our Terms of Use; this Policy does not create separate procedures.

2) Personal Data We Collect (Non‑PHI)

We collect the following categories of Personal Data (information relating to an identified or identifiable person) when you interact with the Platform outside of Hipaatizer:

2.1 Account & profile data (professionals only). Name, display photo, organization, role, specialty tags, biography, availability windows, business contact details, billing contact, plan tier.

2.2 Organization & listing data. Organization name, logo, business contact emails/phones you choose to publish, group titles/descriptions, non‑PHI scheduling metadata, tags/categories, and other public listing materials. Public profiles and listings may be indexed by search engines; where available, in‑product settings can limit indexing. Removal from third‑party caches may take time.

2.3 Commercial & payment data. Subscription plan, invoices, last 4 digits of card or masked payment instrument, transaction dates/amounts (full card data is handled by our payment processor).

2.4 Support & communications. Your messages to support, feedback, survey responses, and metadata (timestamps, channel, device info). See §3 for PHI rules.

2.5 Technical & usage data. Device/browser type, IP address, approximate location (city/region), identifiers, pages viewed, referral URLs, and engagement logs (via cookies, pixels, and similar technologies—see §10).

2.6 Applicants & workforce. If you apply for a role or work with us, your data is processed under our Applicant & Workforce Privacy Notice (available upon request at support@getzestlife.com). This Privacy Policy covers Platform users and visitors.

2.7 Prohibited/sensitive categories we do not collect. Government ID numbers, full payment card PAN/CVV, biometric templates, or children’s data under 13 via the Platform. We do not collect or store clinician insurance certificates or conduct background checks.

3) PHI, HIPAA & Role Clarity

3.1 PHI only through Hipaatizer. PHI is created, received, maintained, or transmitted solely through Hipaatizer’s embedded forms/tools. Do not include PHI in ZestLife profile fields, announcements, emails, message boards, or other non‑Hipaatizer surfaces. (See Terms of Use §5 and §6.11.)

3.2 ZestLife’s limited BA role. ZestLife acts as a Business Associate only to the limited extent described in the BAA and only for Covered Services. Hipaatizer is the primary PHI processor and system of record under its separate BAA with the Covered Entity.

3.3 No routine PHI access. ZestLife does not routinely access PHI. Any incidental access occurs temporarily and only to provide technical support, is limited to the minimum necessary, and ZestLife does not copy or retain PHI in its systems. (See BAA §§2–4 and §6.)

3.4 Not medical care. ZestLife is not a healthcare provider and does not provide medical advice or care.

4) Sources of Personal Data

• 4.1 Directly from you. Account creation, listing creation, settings, support requests.
• 4.2 Automatically. Cookies/pixels, server logs, SDKs—see §10.
• 4.3 From your Organization/admin. Role assignment and configuration of recipients for Hipaatizer contact surfaces.
• 4.4 From processors/service providers. Payments, analytics, security tools, and similar services that support our business operations.

5) How We Use Personal Data (Purposes)

• 5.1 Platform operation. Account provisioning, role/permissioning, listings, search/discovery, and feature delivery.
• 5.2 Billing & account management. Subscriptions, invoices, renewals, notices, fraud prevention.
• 5.3 Security & integrity. Authentication, logs, monitoring, incident response, abuse and spam prevention.
• 5.4 Support & service improvement. Responding to tickets, diagnostics, debugging, quality assurance, feature iteration.
• 5.5 Communications. Operational messages (onboarding, policy updates, billing). You may opt out of marketing emails; operational emails may still be required.
• 5.6 Legal compliance. Enforcing Terms, complying with law, and defending legal claims.
• 5.7 AI/ML. We may use automated systems to analyze non‑PHI service telemetry for security and product improvement. We do not use your content or any PHI to train generalized AI models. PHI is excluded from analytics and model training and is handled only through Hipaatizer per our BAA.

Note: We do not use PHI for marketing and do not combine PHI with advertising or analytics.

6) Legal Bases (EEA/UK/CH)

• 6.1 Contract (Art. 6(1)(b)). To provide the Platform and related services you request.
• 6.2 Legitimate interests (Art. 6(1)(f)). To secure and improve the Platform, prevent fraud/abuse, and communicate non‑marketing product updates.
• 6.3 Consent (Art. 6(1)(a)). Where required for certain cookies/analytics or optional communications. You may withdraw consent at any time.
• 6.4 Legal obligation (Art. 6(1)(c)). Where we must retain or disclose data.

6.5 Roles.

6.5.1 Controller. ZestLife is a controller of Professional Account, Organization admin, billing, and Platform usage data.

6.5.2 Business Associate. For PHI via Hipaatizer, ZestLife’s role is as described in the BAA (limited Business Associate). Hipaatizer is the primary processor and system of record under its BAA with the Covered Entity.

7) Disclosures of Personal Data (Non‑PHI)

• 7.1 Service providers/processors. We use hosting, payments, analytics, security, and communications vendors bound by contracts restricting use to our instructions. See §8 for subprocessor practices.
• 7.2 Your Organization/admin. Role management, billing, and visibility into Organization‑owned listings/materials consistent with the Terms of Use.
• 7.3 Professional public pages. Items you choose to publish (e.g., your name, photo, public contact buttons, group titles/descriptions). Avoid including sensitive data in public fields.
• 7.4 Corporate transactions. Merger, acquisition, financing, or asset sale, subject to confidentiality.
• 7.5 Legal/safety. To comply with law, lawful requests, enforce our rights, or protect users and the Platform.
• 7.6 No sale/share. We do not sell Personal Data and do not share Personal Data for cross‑context behavioral advertising as defined under California law.
• 7.7 PHI disclosures. PHI disclosures follow the BAA and HIPAA and are limited to Covered Services.

8) Subprocessors

This section summarizes our subprocessor practices; the canonical terms are in our Terms of Use §14.4.

8.1 Use of subprocessors. We engage vetted subprocessors (e.g., cloud hosting, payments, analytics, email delivery) and remain responsible for their performance.

8.2 HIPAA‑related subprocessors. Addressed in the applicable BAA.

8.3 List availability. An up‑to‑date list of material subprocessors is available upon request at support@getzestlife.com (subject: “Subprocessor List”).

8.4 Subprocessor updates and objections. We may add or replace subprocessors that support the Platform. We will post updates to our subprocessor list and, for customers under a data processing addendum, provide advance notice (e.g., 10 business days) via email or in‑product notice. If you reasonably object to a new subprocessor on data‑protection grounds, contact us and we will work in good faith to address the concern or propose an alternative.

9) Data Retention & Deletion

9.1 Professional data. Retained for the period necessary to provide the Platform and for legitimate business or legal purposes.

9.2 Upon termination. Organizations typically have 30 days to request export of Professional Data by writing to support@getzestlife.com. Thereafter, we may anonymize or delete residual data per the Terms of Use.

9.3 PHI. Stored and retained by Hipaatizer per its terms; ZestLife does not host PHI and does not control Hipaatizer’s retention schedules.

9.4 Aggregated/de‑identified data. We may retain and use for analytics and product improvement, provided it does not identify individuals or disclose PHI.

9.5 Backups. Encrypted system backups that may incidentally contain Personal Data are retained for a limited rolling period (typically ≤35 days) and are automatically purged on schedule. When you request deletion, we remove active copies promptly; remaining copies are removed when backups roll off the retention cycle.

9.6 De‑identified data commitment. When we create or use de‑identified data, we take reasonable measures to prevent re‑identification, commit to not re‑identify such data (except to test de‑identification), and require service providers to do the same where applicable.

10) Cookies, Analytics & Tracking

10.1 Use of cookies/pixels. We use first‑party and service‑provider cookies/pixels for authentication, security, performance, and analytics (e.g., to understand feature usage and improve the Platform).

10.2 Controls. You can control cookies via browser settings; disabling some cookies may impair functionality. In regions where consent is required for non‑essential cookies, we will obtain consent via a banner or in‑product controls.

10.3 No advertising cookies. We do not permit third parties to place advertising cookies for cross‑site behavioral ads on our properties.

10.4 Global Privacy Control (GPC). Where required by law, we honor browser‑level Global Privacy Control signals for applicable opt‑outs.

10.5 Do Not Track (DNT). Our services currently do not respond to DNT signals because no common standard exists.

11) Data Security

11.1 Safeguards. We implement administrative, technical, and physical safeguards appropriate to the nature of the Platform, including encryption in transit, access controls, logging, and monitoring. No system can be guaranteed 100% secure.

11.2 Incident notice (non‑PHI). If we learn of a security incident involving Personal Data in our possession, we will notify affected users without undue delay, consistent with law and law‑enforcement requests.

11.3 PHI incidents. PHI incidents within Hipaatizer are handled under the BAA and Hipaatizer’s terms.

12) Your Choices & Rights

12.1 Email preferences. Unsubscribe from marketing emails via the link in the email. Operational emails (e.g., billing, security alerts) are required for service.

12.2 Access, correction, deletion. Access/update certain information in your account settings, or email support@getzestlife.com with your request. We may verify your identity. Deleting your account may be required to delete certain data.

12.3 Regional rights. Depending on your location (e.g., EEA/UK/CH; certain U.S. states), you may have rights to access, correct, delete, obtain a portable copy, or object to/limit processing of your Personal Data. Contact support@getzestlife.com. If your data is controlled by your Organization, we may refer your request to the Organization.

12.4 Cookies. Manage cookies via browser settings and in‑product controls (where available).

13) California Privacy Notice (CPRA)

13.1 Notice at Collection — categories, sources, purposes, disclosures.

• 13.1.1 Identifiers & professional profile (incl. coarse geolocation). Sources: you/your Organization. Purposes: account provisioning, listings, communications. Disclosures: service providers; your public pages.
• 13.1.2 Commercial information. Sources: you/processor. Purposes: billing. Disclosures: payment processors, accounting tools.
• 13.1.3 Internet/technical activity. Sources: automatic. Purposes: security, analytics. Disclosures: hosting, analytics providers.
• 13.1.4 Inferences. High‑level usage segments for product improvement (not for advertising). Disclosures: none outside service providers.

13.2 Sensitive Personal Information. We do not use or disclose Sensitive Personal Information for purposes requiring a right to limit under CPRA.

13.3 Sale/share. We do not sell Personal Information and do not share Personal Information for cross‑context behavioral advertising. If that changes, we will provide required notices, a “Do Not Sell or Share” mechanism, and honor Global Privacy Control (GPC) signals.

13.4 Retention. We retain Personal Information only as long as reasonably necessary for the purposes disclosed in this Policy or as required by law.

13.5 Your CPRA rights. Access, deletion, correction, portability, and non‑discrimination. Submit requests to support@getzestlife.com. We may need to verify your identity and relationship to an Organization.

13.6 U.S. State Privacy Rights (CA/CO/CT/VA/UT). Depending on where you live, you may have rights to request access, correction, deletion, portability, and to opt out of targeted advertising or certain profiling. To exercise these rights, contact support@getzestlife.com. We may need to verify your identity (e.g., by confirming control of your account email or requesting limited additional information).

Authorized agents (CA). You may designate an authorized agent to submit requests on your behalf. We will require proof of authorization and may still require you to verify your identity directly.

Appeals (CO/CT/VA). If we deny your request, you may appeal by replying to our decision or emailing support@getzestlife.com with “Privacy Appeal” in the subject. We will respond within 45 days, stating the reasons for our decision and how you can contact your state Attorney General if you disagree.

13.7 Business‑to‑Business (B2B) data. We process professional contact information (e.g., work email, role) for account administration and communications. CPRA rights apply to this B2B data, and you may exercise them as described above.

14) Children’s Privacy

The Platform is not directed to children under 13, and we do not knowingly collect Personal Data from children under 13. If we learn that we have collected such data, we will delete it. If you believe a child under 13 has provided Personal Data to us, contact support@getzestlife.com.

15) International Transfers

Where applicable, we use appropriate safeguards for cross‑border transfers, such as the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), and may implement supplementary measures where required.

16) Third‑Party Sites & Services

The Platform may link to third‑party sites or services (including Hipaatizer and payment processors). Their privacy practices are governed by their own policies. We are not responsible for those practices. See §3 for PHI rules.

17) Changes to this Policy

We may update this Policy from time to time. Changes are effective upon posting. For material changes, we will provide advance notice by email or in‑product notice where reasonable. Your continued use after the effective date constitutes acceptance.

18) Contact Us

Email: support@getzestlife.com
Website: getzestlife.com

Note: For IP/DMCA notices, follow the instructions in our Terms of Use (§12). Do not submit PHI to these addresses.