Bonus Health

Privacy Policy

Effective date: June 24, 2026  •  Last updated: June 24, 2026

This Privacy Policy explains how Bonus Health LLC (“Bonus Health,” “we,” “us,” or “our”) collects, uses, protects, and discloses information about you when you visit bonus-health.com, enroll in our weight-management program, or interact with our human and AI dietitians. It also describes the choices and rights available to you.

A note on health information and HIPAA. Bonus Health provides clinical, dietitian-delivered care and is a HIPAA “covered entity.” Health information we create or receive in connection with that care (“Protected Health Information” or “PHI”) is also governed by our Notice of Privacy Practices. Where this Privacy Policy and our Notice of Privacy Practices differ with respect to PHI, the Notice of Privacy Practices controls.

1. Who this policy covers

This policy applies to individuals who interact with Bonus Health, including: prospective and enrolled program participants (“patients” or “members”); visitors to our websites and portals; and people who contact us. It applies to our website, our patient and administrative portals, our scheduling and messaging tools, and our AI and human dietitian sessions delivered by phone.

Bonus Health offers a structured behavioral weight-management program built on a multi-lesson intensive behavioral therapy (IBT) curriculum. Lessons are delivered either by a live registered dietitian or by our AI dietitian over the phone. This policy does not cover the separate privacy practices of health plans, employers, providers, or other organizations that may refer you to us or pay for your care; their own privacy notices govern their handling of your information.

2. Information we collect

The information we collect depends on how you interact with us. It falls into the following categories.

Identifiers & contact details

  • Name, date of birth, postal address, email address, and telephone number.
  • Account credentials and identifiers used to access our portals.
  • Demographic information (for example, age, sex, and similar characteristics) you provide at signup.

Health & clinical information (PHI)

  • Medical history and existing conditions you share during signup or sessions.
  • Weight, measurements, dietary information, physical activity, environment, and related lifestyle inputs used to deliver and track your program.
  • Audio recordings of your dietitian sessions (AI and human), AI-generated transcripts, session summaries, clinical insights, and structured clinical documentation (such as ADIME nutrition-care notes).
  • Safety-related information you disclose during a session, and notes generated by our clinical, quality, and safety review processes.
  • Secure messages exchanged with our care team for therapeutic follow-up.

Insurance & payment information

  • Health plan, Medicare or other coverage details, member or subscriber identifiers, and eligibility information used to verify benefits and bill for covered services.
  • Billing records. Where payment is processed by a third-party processor, card details are handled by that processor and are not stored by us.

Device, usage & technical information

  • Call metadata such as phone number, call time, duration, and connection quality.
  • Device and log information when you use our websites or portals, such as IP address, browser type, pages viewed, and timestamps.
  • Cookies and similar technologies (see Section 10).

Communications

  • Information you provide when you contact support, request information, or respond to surveys, and our records of those communications.

3. Where we get information

We collect information directly from you (at signup, during sessions, and through our portals and messaging); automatically from your devices and our calling systems; and, where applicable, from third parties such as your referring provider, health plan, or a Medicare or eligibility data source, and from our service providers who help operate the program.

4. How we use information

We use information to:

  • Provide, schedule, and deliver your dietitian sessions and the lesson curriculum.
  • Create and maintain your clinical record, compute program metrics (such as weight progress), and generate session summaries and clinical documentation.
  • Operate quality assurance, clinical evaluation, and safety review of sessions, including escalating sessions to a qualified human reviewer when our checks flag a quality or safety concern.
  • Verify insurance eligibility and bill your health plan, Medicare, or other payer for covered services.
  • Communicate with you about your care, appointments, and program, and respond to your requests.
  • Maintain, secure, troubleshoot, and improve our systems and services.
  • Train, evaluate, and improve our clinical and AI systems, using de-identified information wherever practicable. We do not use your information to build advertising profiles.
  • Comply with legal, regulatory, accreditation, and contractual obligations, and protect the rights, safety, and security of our patients, workforce, and company.

Our use and disclosure of PHI for treatment, payment, and health care operations is described in, and limited by, our Notice of Privacy Practices and applicable law.

5. AI dietitian & automated processing

Some lessons are delivered by an AI dietitian rather than a human. You are told when you are interacting with our AI system. During an AI session, the system may end the call, ask for additional context about your diet, activity, weight, health constraints, environment, or safety history, and draw on lesson reference material to answer nutrition questions.

Every session — whether AI or human — is subject to automated and, where warranted, human review for quality, clinical appropriateness, and safety. AI processing supports the delivery of care but does not replace the clinical oversight built into our program. If you would prefer to receive lessons from a human dietitian, contact us at the address in Section 20.

6. Call recording & consent

We record and transcribe dietitian sessions to deliver care, document your nutrition plan, support quality and safety review, and meet clinical and legal recordkeeping requirements. Before or at the start of a session, we provide notice of recording and, where required by law, obtain your consent. If you do not consent to being recorded, we may be unable to provide certain services. Recordings are encrypted and stored as described in Section 11.

7. How we share information

We do not sell your personal information. We share information only as described below:

  • With your care team and providers involved in delivering your program.
  • With your health plan, Medicare, or other payer as needed to verify coverage and obtain payment for covered services.
  • With service providers and business associates who process information on our behalf under contract, including HIPAA Business Associate Agreements (see Section 8).
  • For legal and safety reasons, such as to comply with law, respond to lawful requests and legal process, enforce our terms, or protect the rights, safety, and security of patients, our workforce, the public, or Bonus Health.
  • In a business transaction, such as a financing, merger, acquisition, reorganization, or sale of assets, information may be transferred subject to appropriate confidentiality protections and applicable law; PHI transfers will comply with HIPAA.
  • With your direction or authorization, including to people or organizations you ask us to share with.
  • As de-identified or aggregated information that cannot reasonably be used to identify you.

8. Service providers & Business Associate Agreements

We rely on a limited set of vetted service providers to operate the program. Where these providers handle PHI, we maintain HIPAA Business Associate Agreements and require appropriate security and confidentiality safeguards. Categories include:

Category | Purpose
Cloud infrastructure & storage | Hosting, databases, and encrypted storage of records, recordings, and documentation.
Telephony & communications | Placing and receiving session calls and delivering secure messages and email.
Data & search infrastructure | Indexing and retrieving clinical and lesson content to support sessions.
Clinical, quality & safety tooling | Evaluating sessions for quality, clinical accuracy, and safety.
Billing & eligibility | Verifying coverage and processing claims and payments.

A current list of subprocessors that handle personal information is available on request at the contact in Section 20.

9. No sale of personal information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not use information collected in the course of providing care to target advertising to you. We do not disclose health information to third parties for their own marketing.

10. Cookies & tracking technologies

Our public website uses cookies and similar technologies that are necessary for the site to function and to understand site performance. We do not place advertising or third-party tracking technologies on pages where you provide health information or access your records, and we do not use tracking technologies that would disclose identifiable health information to advertising networks.

You can control cookies through your browser settings. Because the law on browser-based opt-out signals continues to develop, we honor recognized opt-out preference signals (such as Global Privacy Control) where required. Disabling necessary cookies may affect site functionality.

11. How we protect information

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, use, alteration, and destruction, consistent with the HIPAA Security Rule. These include:

  • Encryption of data in transit and at rest, including managed-key encryption for stored recordings and records.
  • Role-based access controls under a minimum-necessary principle, with access logging, monitoring, and periodic access reviews.
  • Network and database security controls, patching, object versioning, and time-limited retention of temporary session data.
  • Workforce security training, secure-workstation and device policies, and facility access controls.
  • A security management program with risk analysis, vulnerability assessment, contingency planning, and backup and disaster recovery.
  • An incident response and breach notification process, including notifications to affected individuals and regulators as required by law.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we learn of a breach affecting your information, we will notify you and regulators as required by HIPAA and applicable state law.

12. Data retention

We retain personal information and PHI for as long as needed to provide your care, operate our program, and meet our legal, regulatory, clinical recordkeeping, accreditation, billing, and audit obligations, after which it is securely deleted or de-identified. Medical and billing records are retained for the periods required by applicable federal and state law. Temporary session data is automatically expired on a short schedule.

13. Your HIPAA rights

If you are a patient, our Notice of Privacy Practices describes how we may use and disclose your PHI and your rights regarding it. Subject to applicable law, you have the right to:

  • Access and obtain a copy of your medical record.
  • Request a correction or amendment to your record.
  • Request an accounting of certain disclosures of your PHI.
  • Request restrictions on certain uses and disclosures.
  • Request confidential communications (for example, by an alternative means or location).
  • Receive a paper copy of the Notice of Privacy Practices.
  • File a complaint with us or with the U.S. Department of Health and Human Services, Office for Civil Rights, without fear of retaliation.

To exercise these rights, contact us using the details in Section 20.

14. Your state privacy rights

Information that is regulated as PHI under HIPAA or as part of a medical or health record is generally exempt from state consumer-privacy laws. For other personal information we hold, residents of states with comprehensive privacy laws (including California, Virginia, Colorado, Connecticut, Texas, Florida, and others) may, subject to the applicable law and exemptions, have rights to:

  • Know and access the personal information we hold about them.
  • Request correction of inaccurate personal information.
  • Request deletion of personal information.
  • Obtain a portable copy of certain information.
  • Opt out of any sale or sharing for targeted advertising and of certain profiling (note: we do not sell personal information or use it for cross-context behavioral advertising).
  • Be free from discrimination for exercising these rights.

California residents. Under the CCPA/CPRA, you have the rights described above. We do not sell or share personal information as those terms are defined under the CPRA, and we do not use or disclose sensitive personal information for purposes that would trigger a right to limit its use. We do not knowingly process the personal information of consumers we know to be under 16 for sale or sharing.

Florida residents. Consistent with the Florida Information Protection Act and the Florida Digital Bill of Rights, we maintain reasonable data security and provide the rights described above to the extent they apply.

Deletion requests. You may request deletion of your personal information by contacting us at the details in Section 20. We will honor deletion requests to the extent permitted by applicable law and our legal, clinical, and regulatory obligations — including our obligation to retain certain clinical and billing records for the periods required by law.

To submit a request, contact us using the details in Section 20. We will verify your identity before responding and, where you use an authorized agent, may require proof of authorization. We will respond within the timeframes required by applicable law and will not discriminate against you for exercising your rights. If we decline a request, you may appeal by replying to our response. We log all privacy rights requests, including the date received, the nature of the request, and our response, and retain those records in accordance with applicable legal requirements.

15. Consumer health data

Some states (such as Washington and Nevada) regulate “consumer health data” held outside of HIPAA. Where these laws apply, we collect and use consumer health data only to provide the services you request and as described in this policy, we do not sell consumer health data, and we obtain consent where the law requires it. Residents covered by these laws may contact us to access or delete their consumer health data.

16. Children’s privacy

Our services are intended for adults. We do not knowingly collect personal information from children under 18 except as part of clinical care expressly arranged for an eligible individual. If you believe a child has provided us information without authorization, contact us and we will take appropriate steps to delete it.

18. Where information is processed

Bonus Health operates in the United States, and we and our service providers process and store information in the United States. Our services are directed to individuals in the United States and are not intended for individuals located in the European Union, the United Kingdom, or other regions whose laws would govern this processing.

19. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, provide additional notice as required by law. Your continued use of our services after an update takes effect means you acknowledge the revised policy.

20. How to contact us

For questions about this policy, to exercise your rights, or to reach our Privacy Officer:

Bonus Health LLC — Privacy Officer
Email: hi@bonushealth.co
Mailing address: 429 Lenox Ave., Miami, FL 33139
Phone: +1 (386) 261-6474

You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at hhs.gov/ocr. We will not retaliate against you for filing a complaint.

© 2026 Bonus Health LLC. All rights reserved.  •  This Privacy Policy should be read together with our Notice of Privacy Practices and Terms of Service.