Pallas
Start your visit

Privacy Policy

Last updated: April 25, 2026

1. Introduction

Welcome to Pallas Health, a service of Brentmoor, Inc. ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our telehealth platform.

2. Data We Collect

We collect the following types of data to provide and improve our service:

  • Account Information: Your name, email address, date of birth, and login credentials collected during registration.
  • Health Information: Medical history, current medications, health conditions, and other information you provide in your health questionnaire and during provider consultations. This constitutes Protected Health Information (PHI) under HIPAA.
  • Shipping Information: Your mailing address for medication delivery.
  • Communication Data: Messages exchanged between you and your healthcare provider through our platform.
  • Usage Data: App interactions, feature usage, and device information.
  • Payment Data: Your subscription status and billing period dates. We do not collect or store payment card numbers or bank account details — all payment processing is handled directly by Stripe.

3. How We Use Your Data

We use your data for the following purposes:

  • Facilitating telehealth consultations between you and licensed healthcare providers.
  • Processing and fulfilling prescription orders through our pharmacy partners.
  • Communicating with you about your treatment plan, appointments, and account updates.
  • Processing subscriptions and managing billing.
  • Improving our platform and service quality.
  • Complying with legal and regulatory requirements.

4. HIPAA Compliance

We handle all Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA). We maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your health information. We enter into Business Associate Agreements (BAAs) with all third-party service providers who handle PHI on our behalf.

5. Third-Party Service Providers

We share data with the following third-party service providers who process data on our behalf to deliver our service. We do not sell your data to third parties.

  • Clinical Partner Network: A contracted telehealth provider organization and its affiliated state-licensed professional corporations operate the electronic health record (EHR) and clinical workflow used by prescribing clinicians. The contracted clinical partner is the HIPAA Covered Entity for patient medical records; Pallas Health (Brentmoor, Inc.) acts as its HIPAA Business Associate under an executed Business Associate Addendum. The current clinical partner is disclosed on request to support@pallashealth.co.
  • Pharmacy Partners: Licensed US pharmacies (503A compounding pharmacies, 503B outsourcing facilities, and retail or specialty pharmacies for FDA-approved products) that fulfill and ship prescribed medications. Current partners are listed at /clinical.
  • Convex (Convex, Inc.): Application database and serverless backend, on the Convex Professional plan with HIPAA and SOC 2 Type II audit reports and daily backups. Account information, intake responses, and waitlist entries are stored on Convex under an executed Business Associate Agreement.
  • Twilio (Twilio, Inc.): SMS delivery for one-time authentication codes and marketing communications (subject to your opt-in consent and your right to opt out at any time by replying STOP).
  • Resend (Resend, Inc.): Transactional email delivery for account verification, login links, and generic non-PHI notifications. Pallas does not transmit PHI via email; clinical and treatment communications occur in-app through the authenticated patient portal.
  • Vercel (Vercel, Inc.): Web hosting and edge content delivery for the public Pallas website.
  • Stripe: Payment processing. We receive only your subscription status and billing period dates — never your payment card or bank details. Stripe's processing of your payment data is governed by the Stripe Privacy Policy.

A complete record of our data infrastructure and the entities that handle PHI on our behalf is maintained at /clinical.

6. Data Retention

We retain your data for as long as your account is active and as needed to provide the service. Health records are retained in accordance with applicable state and federal medical record retention requirements. You can request deletion of your account and non-medical personal data at any time by contacting us.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including encrypted data transmission (TLS), secure authentication, access controls, and HIPAA-compliant data storage and handling procedures.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Deletion: Request deletion of your personal data by contacting us (subject to medical record retention requirements).
  • Correction: Request correction of inaccurate personal data.
  • Portability: Request your data in a portable format.

9. Children's Privacy

Pallas Health is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of Pallas Health after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us at: hello@pallashealth.co