Sheba Health

Privacy Policy

Effective Date: May 2023
Last modified: May 2025

1. Introduction

Sheba Health (“Sheba Health,” “we,” “our,” or “us”) is a virtual health coordination platform that connects individuals seeking medication-based weight loss treatment with board-certified physicians and licensed dietitians who can provide personalized medical care, nutrition, and mental health-informed recommendations. Sheba Health itself is not a medical provider, nor does it practice medicine. All clinical services are provided by independently owned and operated professional entities (e.g., Lilac Health PLLC, which is licensed to provide telehealth services in Illinois and Oregon) and by licensed healthcare providers who may be authorized to practice in other U.S. states.

This Privacy Policy explains how Sheba Health collects, uses, shares, and protects your personal information in compliance with state and federal laws, including applicable telehealth privacy and consumer protection regulations, such as:

  • HIPAA (Health Insurance Portability and Accountability Act)

  • Illinois Personal Information Protection Act (PIPA)

  • Oregon Consumer Information Protection Act (OCIPA)

  • State-specific laws in jurisdictions where our partner clinics or providers are licensed

By using Sheba Health’s services, you agree to the practices described in this Privacy Policy.

2. Scope of this Policy

This Privacy Policy applies to all users of the Sheba Health website and services, including but not limited to residents of Illinois, Oregon, and any other U.S. state where licensed providers deliver care through our platform.

Where required by state law (for example, in California, Virginia, or Colorado), we will comply with additional consumer rights and disclosures, including opt-out rights and access requests, as outlined in Section 10.

3. Information We Collect

We may collect the following categories of information when you interact with our platform:

a. Personally Identifiable Information (PII)

  • Name, date of birth, address, phone number, and email address

  • Identification numbers (e.g., driver’s license or government ID if applicable)

b. Protected Health Information (PHI)

  • Medical history, mental health background, current prescriptions

  • Health assessments and treatment preferences

  • Communication with providers about your health

c. Payment and Transaction Information

  • Payment card details (processed via PCI-DSS compliant third-party processors)

  • Insurance information, if applicable

d. Technical and Usage Data

  • Device data (IP address, browser, operating system)

  • Site usage logs, session times, page views, referral sources

e. Cookies and Tracking Technologies

  • Web beacons, pixels, cookies, and analytics tags for platform functionality and marketing

4. How We Use Your Information

Your data is used for the following purposes:

  • To connect you with licensed healthcare professionals via our affiliated clinics

  • To support clinical assessments and personalized treatment planning

  • To send communications related to your account, services, or health updates

  • To ensure regulatory compliance with healthcare, consumer, and telehealth laws

  • To improve the quality and security of our platform and services

We only collect and process data for legitimate business or legal reasons. Where required by law, we will obtain your explicit consent before processing your health information.

5. How We Share Your Information

Sheba Health may share your information as follows:

a. With Affiliated Clinics and Providers

Your PHI and personal data may be shared with licensed providers operating through independently owned clinics, such as Lilac Health PLLC, or others who are authorized to provide care in your state of residence.

b. With Service Providers

We use HIPAA-compliant vendors to host data, deliver telehealth infrastructure, provide analytics, process payments, and support communications. These providers are contractually bound to protect your data and to use it solely for the services they provide.

c. With Legal or Regulatory Authorities

We may disclose your information to law enforcement or government agencies if required by law, regulation, subpoena, or court order.

d. Business Transfers

If Sheba Health is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. You will be notified as required under applicable law.

6. Multi-State and Cross-Jurisdictional Compliance

Because our clinical partners and providers are licensed in multiple states, and Sheba Health facilitates services across state lines, we maintain compliance with applicable state-specific privacy and health laws, including but not limited to:

  • Illinois: PIPA, Mental Health and Developmental Disabilities Confidentiality Act

  • Oregon: OCIPA and relevant telehealth statutes

  • Other States: State-specific consumer rights laws (e.g., the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA))

Users in any state where our services are available have a right to privacy and confidentiality, and Sheba Health applies unified data protection standards regardless of location.

7. Your Rights

Depending on your state of residence, you may have the following rights:

  • Access – You may request a copy of the personal information we hold about you.

  • Correction – You may ask us to correct inaccurate or incomplete data.

  • Deletion – You may request deletion of your data, subject to healthcare record retention laws.

  • Portability – You may request a copy of your data in a machine-readable format.

  • Objection – You may object to our use of your data for certain purposes, such as marketing.

  • Non-Discrimination – You will not be penalized or discriminated against for exercising your rights.

To exercise any of these rights, email us at privacy@shebahealth.com. We will respond within the timeframes required by law (typically 30–45 days).

8. Data Security

We implement robust administrative, physical, and technical safeguards, including:

  • Encryption of data at rest and in transit

  • Role-based access controls and audit logging

  • Secure hosting with HIPAA-compliant infrastructure

  • Regular security assessments and staff training

Despite our efforts, no system is completely secure. Use of our platform is at your own risk.

9. Data Retention

We retain your data:

  • For as long as necessary to provide services and comply with applicable laws

  • For periods required by state and federal medical record retention requirements (e.g., 7–10 years)

When retention is no longer required, we securely delete or de-identify data.

10. State-Specific Disclosures

California (CCPA/CPRA):

While Sheba Health does not “sell” your personal data, California residents have specific rights regarding data access, deletion, and opt-outs.

Virginia, Colorado, Connecticut, Utah:

Residents have rights to access, correct, delete, and opt out of certain processing under their state privacy laws.

We will extend these rights to all U.S. users to the extent feasible.

11. Children’s Privacy

Our services are not intended for children under 18 without parental or guardian consent. If we learn we have collected information from a child without proper authorization, we will delete it as required by law.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice on our website. Your continued use of our platform after changes constitutes your acceptance of the revised policy.

13. Contact Us

If you have any questions about this Privacy Policy or would like to exercise your privacy rights, contact:

Sheba Health
[Insert Mailing Address]
Email: privacy@shebahealth.com
Phone: [Insert Number]

How to Contact Us:

Sheba Health, LLC
Attn: Privacy Officer
992 Brook Forest Ave, #1039
Shorewood, IL 60404
Telephone: (617) 505-1520
Email: privacy@shebahealth.co