Privacy Policy

Effective date: April 23, 2026

This Privacy Policy describes how Tides ("Tides", "we", "us", or "our") collects, uses, shares, and protects information when you visit our website, create an account, complete a health assessment, purchase a protocol, or otherwise interact with our services (together, the "Services").

Tides provides a telehealth platform that connects patients with licensed clinicians for review of peptide therapy protocols. Health information you provide to us in connection with a clinical encounter is also governed by our HIPAA Notice of Privacy Practices, which takes precedence over this Privacy Policy to the extent of any conflict for Protected Health Information (PHI).

Summary We collect the information we need to provide telehealth services, process your order, and comply with law. We never sell your personal information. We share your Protected Health Information only with your clinician, with vendors who help us deliver the service under strict contracts, and as required by law.

1. Information We Collect

Information you provide to us

Account information: your name, email address, password, date of birth, mailing address, and phone number.
Health information: your medical history, current medications, known allergies, goals, lifestyle factors, and responses to our clinical intake questionnaire. This information constitutes Protected Health Information under HIPAA.
Payment information: we do not directly store your full payment card number. Card data is transmitted to our payment processor (Stripe) using a tokenized, PCI-DSS-compliant flow. We retain only the last four digits of the card, the card brand, expiration, and billing ZIP for customer service purposes.
Communications: messages you send us or your clinician through the Services.

Information we collect automatically

Device and usage data: IP address, browser type, operating system, referring URL, pages viewed, time stamps, and similar diagnostic information.
Cookies and similar technologies: we use a small number of first-party cookies that are strictly necessary to keep you logged in and to operate the checkout. We do not use cross-site advertising cookies or third-party trackers.

2. How We Use Your Information

To provide the Services, including routing your intake to a licensed clinician for review and prescribing decisions.
To process orders, authorize payment, and arrange fulfillment of your prescribed medications.
To communicate with you about your account, orders, protocols, refills, safety information, and service updates.
To provide customer support.
To maintain the security, integrity, and availability of the Services and to detect, prevent, and respond to fraud or abuse.
To comply with legal obligations, including recordkeeping requirements that apply to prescribers, pharmacies, and telehealth providers.
To improve the Services, subject to the limitations in our HIPAA Notice. We do not use your identifiable health information to train machine learning models.

3. How We Share Your Information

We share your information only as described here.

With your clinician

Your health intake and related information is shared with the licensed clinician reviewing your case for the purpose of providing treatment.

With our service providers (subprocessors)

We engage vendors who process information on our behalf under written agreements, including Business Associate Agreements where required by HIPAA. Each vendor is limited to using your information solely for the services they provide to us.

Vendor	Purpose	Data processed
Stripe, Inc.	Payment processing	Card tokens, billing details, transaction records
Supabase, Inc.	Database and authentication	Account data, health intake, order records
Resend	Transactional email delivery	Email address, message content
Vercel, Inc.	Website hosting and delivery	Request logs, IP address
Licensed pharmacy partners	Prescription compounding and dispensing	Name, address, prescription details

We evaluate our vendors' privacy and security practices and require them to protect your information with at least the same level of care we do.

For legal and safety reasons

We may disclose information when we believe in good faith that disclosure is required to comply with law, a valid subpoena or court order, to protect the rights, property, or safety of Tides, our patients, or others, or as otherwise permitted by HIPAA.

In connection with a business transaction

If Tides is involved in a merger, acquisition, financing, reorganization, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. Any successor entity will continue to be bound by this Privacy Policy and our HIPAA Notice, or will give you the opportunity to opt out.

With your consent

We will share your information for purposes beyond those listed above only with your explicit consent.

What we do not do

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use your health information for marketing by third parties.

4. Your Rights and Choices

All users

Access and correction: you may access and correct basic account information within your account settings. For health records, please see the HIPAA Notice.
Deletion: you may request deletion of your account. Some records — including prescribing records, dispensing records, and records required to be retained by licensing authorities — cannot be deleted and will be retained for the periods required by applicable law.
Communications: you may opt out of marketing email at any time using the unsubscribe link. Transactional communications about your account, orders, and protocol cannot be opted out of while you have an active account.

Residents of California

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the right to know what personal information we collect, to request deletion, to correct inaccurate information, to opt out of sale or sharing (which we do not do), and to limit the use of sensitive personal information. To exercise these rights, contact us at privacy@gettides.com. We will not discriminate against you for exercising your rights. Health information that is also PHI is governed by HIPAA and the Confidentiality of Medical Information Act, not the CCPA.

Residents of other states

If you reside in a state with a comprehensive consumer privacy law (including Colorado, Connecticut, Delaware, Illinois, Texas, Tennessee, and others), you may have rights similar to those above. Contact us at the email address below to exercise them.

5. Data Retention

We retain your information for as long as your account is active and as needed to provide the Services. After account closure, we retain medical records for the longer of (a) the retention period required by the law of the state in which the prescribing clinician is licensed (typically seven to ten years, longer for minors) and (b) the period required by any applicable federal regulation. Non-medical records such as marketing preferences are retained only as long as needed for their purpose.

6. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect the information we hold. These include transport-layer encryption (TLS) for data in transit, encryption at rest for sensitive data, role-based access controls, least-privilege database policies (Row Level Security), vendor due diligence, and staff training. No method of electronic transmission or storage is perfectly secure, and we cannot guarantee absolute security.

7. Children

The Services are intended only for individuals aged 18 and over. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us and we will delete the information.

8. International Users

The Services are offered only to residents of the United States, and only in the states where our clinicians are licensed. If you access the Services from outside the United States, you do so at your own risk and are responsible for compliance with local law. Your information will be processed and stored in the United States.

9. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing information.

10. Do Not Track

Some browsers transmit a "Do Not Track" signal. Because there is no industry-standard way for websites to respond to these signals, we do not currently respond to them. We do not engage in cross-site tracking regardless.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or a prominent notice on the Services before the changes take effect. The "Effective date" at the top of this page reflects when the current version took effect.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise any of your rights, contact us at:

Tides — Privacy
Email: privacy@gettides.com
Attention: Privacy Officer