PRIVACY POLICY
Journey Health, LLC
Effective Date: April 16, 2026 | Last Updated: April 18, 2026
Journey Health, LLC (“Journey,” “we,” “our,” or “us”) respects your privacy. This Privacy Policy explains what information we collect, how we use and share it, how we protect it, and the choices you have when you visit journeywholecare.com (the “Site”), use our services, or communicate with us by phone, email, SMS, chat, web form, or through our AI-powered onboarding assistant.
Please read this Policy carefully. If you do not agree with it, please do not use the Site or our services.
1. About Journey Health, LLC
Journey Health, LLC is a marketing and advisory company headquartered in Charlotte, North Carolina. We help individuals, families, and employers access alternatives to traditional health insurance, including:
- Direct Primary Care (DPC) memberships through affiliated or third-party DPC physician practices;
- Health cost-sharing programs administered by our partners (see Section 2); and
- Employer benefits consulting and related services.
Important: Journey is not an insurance company, and the cost-sharing programs we market are not insurance and are not regulated as insurance.
2. Our Services and Partners
Several of the programs Journey markets are delivered in partnership with third parties. Although these programs may carry Journey branding, information you provide in connection with them is shared with, and administered by, those partners:
- Sedera, Inc. is a medical cost-sharing community that administers the cost-sharing programs we offer. When you enroll, Sedera receives the information necessary to establish and administer your membership.
- Health Access Solutions provides administrative services supporting our programs. Information is shared with Health Access Solutions as necessary to enroll and serve members.
- Direct Primary Care (DPC) practices are independent physician practices you select (or bring to us) for your primary-care relationship. DPC practices are healthcare providers; information you share with them about your health is governed by their own privacy practices and, where applicable, by HIPAA.
Each of these partners has its own privacy practices. We encourage you to review their privacy notices, which are available upon request or from the partner directly. This Policy describes how Journey handles information; it does not replace the privacy practices of our partners.
3. Our Approach to Health Information and HIPAA
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies to “covered entities” (healthcare providers, health plans, and healthcare clearinghouses) and their Business Associates.
Journey is generally not a HIPAA covered entity or Business Associate in the ordinary course of its marketing and advisory activities. We do not provide medical care, operate a health plan, or process healthcare claims. The cost-sharing programs we market are not health insurance, and DPC practices maintain their own patient records.
In the ordinary course of business, Journey does not collect or store health data. However, during sales conversations, inquiries, and intake — by phone, email, SMS, chat, or through our AI onboarding assistant — you may voluntarily share information about your health (for example, asking whether a particular condition is addressed by a program). We refer to information of this type as Incidental Health Information.
Although Journey is generally not subject to HIPAA, we have chosen to treat Incidental Health Information with HIPAA-aligned safeguards where it makes sense, including:
- Limiting access to Incidental Health Information to personnel with a legitimate need to know;
- Encrypting Incidental Health Information in transit and at rest;
- Training personnel who may handle Incidental Health Information on privacy and security practices;
- Not using Incidental Health Information for marketing or advertising purposes without your explicit consent;
- Applying the “minimum necessary” principle — we ask only for information reasonably needed to help you, and we do not retain unnecessary health information;
- Entering into confidentiality and, where appropriate, Business Associate Agreements with service providers who may encounter Incidental Health Information on our behalf.
Where Journey actually does act as a HIPAA Business Associate — for example, under a written Business Associate Agreement with a DPC practice or other covered entity — we comply with the HIPAA Privacy, Security, and Breach Notification Rules with respect to protected health information we handle under that agreement.
4. Information We Collect
Depending on how you interact with us, we may collect the following categories of information across all of our collection channels — including the Site, web forms, phone calls, voicemail, SMS/text, email, live chat, our AI-powered onboarding assistant, paper forms, in-person conversations, events, webinars, and referral or affiliate programs.
4.1 Information You Provide Directly
- Contact information: first and last name, email address, phone number, mailing address, preferred contact method.
- Account and enrollment information: date of birth, household size, employment status, state of residence, and information needed to evaluate program eligibility or match you with a DPC provider.
- Incidental Health Information: health-related information you voluntarily share during inquiries, consultations, or enrollment conversations (see Section 3).
- Payment information: when you enroll, payment card or bank details are collected and processed by our third-party payment processor. We do not store full card numbers on our systems.
- Communications: messages, voicemails, chat transcripts, SMS/text exchanges, call recordings, AI assistant conversations, and webinar registrations.
- Referral and testimonial information: information you share if you refer someone to us, are referred by someone, or participate in a testimonial or case study program.
- Event and community information: registrations for broker/CPA breakfasts, webinars, employer consultations, or community events.
4.2 Information Collected Automatically
- Site usage data: IP address, browser type, device identifiers, operating system, pages viewed, referring URLs, search terms, and time spent on pages.
- Cookies and tracking technologies: we use cookies, pixels, SDKs, and similar technologies, including Google Analytics 4 and advertising pixels such as Google Ads and Meta Pixel, to measure traffic, understand use of the Site, and assess the effectiveness of our marketing.
- Call recordings and transcripts: telephone communications with our teams may be recorded and transcribed through our Vonage-integrated customer relationship management (“CRM”) system for quality, training, compliance, and service purposes, where permitted by law. You are informed at the start of a recorded call.
4.3 Information From Third Parties
- Our partners: Sedera, Health Access Solutions, and affiliated DPC practices may share information with us as needed to enroll or serve you.
- Referral and affiliate partners: if you were referred to us by a creator affiliate, broker, CPA, existing member, or other referral partner, we receive information about that referral.
- Service providers: analytics, advertising, CRM, AI, and marketing-automation vendors may provide information about your interactions with our advertisements or digital content.
5. How We Use Your Information
We use your information to:
- Respond to your inquiries and requests;
- Evaluate your eligibility for DPC membership, cost-sharing programs, or employer solutions;
- Enroll you in, and administer, programs you select;
- Communicate with you about your account, enrollment, programs, or inquiries via phone, email, SMS, or mail;
- Send you marketing communications consistent with your preferences and applicable law (you may unsubscribe at any time);
- Operate our referral program and, where applicable, our creator affiliate program;
- Improve the Site, our services, and the member experience;
- Train personnel and improve our internal processes, including quality assurance for AI-assisted workflows (see Section 7);
- Detect and prevent fraud, abuse, or unauthorized access;
- Comply with legal obligations and respond to lawful requests.
5.1 How We Use Incidental Health Information
We use Incidental Health Information only to help you understand whether a Journey program is appropriate for your situation and to route you to the right partner or resource. We do not use Incidental Health Information for marketing purposes, for targeted advertising, or for building member profiles for sale or sharing, at any time or under any circumstance, unless you provide explicit, written, program-specific consent.
6. How We Share Your Information
We do not sell your personal information. We share information only as described below.
6.1 With Our Program Partners
As described in Section 2, when you engage with a program we market, we share the information reasonably necessary to enroll you and deliver the program with Sedera, Health Access Solutions, and/or the DPC practice you select.
6.2 With Our Service Providers
We use trusted third-party service providers who need access to information to perform services on our behalf, including:
- Our CRM and Vonage-based telephony, voice-recording, and transcription infrastructure;
- Email and marketing-automation providers;
- Website hosting providers;
- Analytics and advertising platforms (see Section 9);
- Payment processors;
- AI and cloud providers, including Anthropic (Claude), for powering our conversational onboarding assistant and other AI-assisted workflows;
- Referral-tracking platforms;
- Legal, accounting, and compliance advisors.
These service providers are contractually obligated to protect your information and to use it only for the purposes we authorize. Where they may access Incidental Health Information on our behalf, we seek Business Associate Agreements or equivalent confidentiality commitments.
6.3 With Creator Affiliates and Referral Partners
If you were referred by a creator affiliate or an existing member, we share limited information (such as the fact of enrollment — not health information) with the referring party as needed to administer our referral and affiliate programs.
6.4 For Legal and Safety Reasons
- To comply with applicable law, court orders, subpoenas, or other lawful government requests;
- For public-health activities as permitted by law;
- To prevent or address fraud, security, or technical issues;
- To prevent or lessen a serious and imminent threat to the health or safety of any person;
- To protect Journey’s rights, property, or safety, or that of our members, employees, or others.
6.5 In Connection With a Business Transaction
If Journey is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will require the receiving party to honor the commitments in this Policy or provide notice and choice where required by law.
7. AI-Powered Tools and Automated Processing
Journey uses artificial intelligence to support activities such as:
- A conversational AI onboarding assistant on our Site that helps you explore our programs and collects intake information;
- Summarization of recorded customer-service calls to improve follow-up and service quality;
- Drafting marketing content, internal reports, and responses to common questions;
- Analyzing aggregated, de-identified patterns to improve our services.
We do not permit our AI service providers to use your information to train their underlying models. We do not use Incidental Health Information for AI model training. Human oversight is maintained for any material decision affecting your enrollment, partner referral, or service experience. You can always request to speak with a human representative instead of interacting with our AI assistant.
8. How We Protect Your Information
We maintain administrative, technical, and physical safeguards designed to protect your information against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption of information in transit and at rest;
- Role-based access controls limiting access to personnel with a legitimate need;
- Multi-factor authentication on systems that handle sensitive information;
- Privacy and security training for personnel;
- Vendor due diligence and contractual privacy and security obligations for service providers;
- Routine review of our security practices and incident-response procedures.
No method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
8.1 Data Breach Notification
Journey commits to notify affected individuals and, where required, regulators in the event of a data breach affecting personal information we hold about you. We will provide such notification in accordance with HIPAA (where applicable), the North Carolina Identity Theft Protection Act, and the breach-notification laws of your state of residence. Our notification will include, to the extent known: the nature of the incident, the categories of information affected, the steps we are taking in response, and the steps you can take to protect yourself. Where required by law, notification will be made without unreasonable delay and within statutorily mandated timeframes.
9. Cookies, Analytics, and Advertising
We and our service providers use cookies, pixels, SDKs, and similar technologies to:
- Remember your preferences and keep the Site functioning properly;
- Measure Site traffic, performance, and usage through Google Analytics 4;
- Serve advertising on third-party platforms and measure its effectiveness (e.g., Google Ads, Meta/Facebook Pixel, YouTube);
- Track conversions from our creator affiliate and referral programs.
You can control cookies through your browser settings and through any cookie-consent banner we display. Disabling certain cookies may affect Site functionality. Where required by applicable state law, we honor browser-based opt-out signals such as the Global Privacy Control (GPC).
9.1 Do Not Track
“Do Not Track” (DNT) is a browser setting that signals to websites that a user does not wish to be tracked. There is no industry or legal standard for how to interpret DNT signals, and Journey’s Site does not currently respond to DNT signals. However, you can exercise choices about analytics and advertising through the cookie-consent controls on our Site and through the opt-out mechanisms described in Section 10.
10. Your Privacy Rights
10.1 State Privacy Rights
Depending on where you live, you may have rights under state law — including under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act, and similar laws. These rights may include:
- The right to know or access the personal information we collect about you;
- The right to correct inaccurate personal information;
- The right to request deletion of your personal information;
- The right to opt out of the “sale” or “sharing” of personal information, or of targeted advertising;
- The right to limit the use of sensitive personal information;
- The right to non-discrimination for exercising privacy rights;
- The right to appeal a denial of a privacy request.
We do not sell personal information for money. Some uses of advertising cookies and pixels may be considered “sharing” or “targeted advertising” under certain state laws. You can opt out of such activity as described in Section 9.
10.2 HIPAA Rights (Where Applicable)
If Journey is acting as a HIPAA Business Associate with respect to specific information we handle on behalf of a covered entity (such as a DPC practice), you have the HIPAA rights applicable to that information, including rights of access, amendment, restriction, accounting of disclosures, and revocation of prior authorization. Those rights are generally exercised through the covered entity; we will cooperate with the covered entity as required by HIPAA and our Business Associate Agreement.
10.3 How to Exercise Your Rights
To exercise any of these rights, contact our Privacy Officer using the information in Section 14. We will respond within the time frames required by applicable law (typically 30–45 days). We may need to verify your identity before fulfilling certain requests, and an authorized agent may submit a request on your behalf with proper authorization. We will not retaliate against you for exercising any privacy right.
11. Email, SMS, and Phone Communications
11.1 Email
If you receive marketing email from us, you can unsubscribe at any time using the link in any marketing message or by contacting us. Transactional messages about your account or services will continue as needed.
11.2 SMS / Text Messaging
Journey’s SMS program is provided in compliance with the Telephone Consumer Protection Act (“TCPA”), Federal Communications Commission (“FCC”) rules, the CTIA messaging guidelines, and applicable state telemarketing law.
- Program name: Journey Health, LLC.
- Prior express written consent. By providing your mobile number and opting in through one of our consent channels — such as checking a clearly labeled consent box on a web form, typing or stating your agreement in our AI onboarding assistant, signing a paper intake form, or otherwise taking an affirmative action to agree — you provide your prior express written consent under the TCPA to receive SMS messages, including messages sent using an automated texting system or similar automated technology, from Journey Health, LLC, its affiliates, our program partners (Sedera, Health Access Solutions, and affiliated DPC practices), and our authorized service providers. Messages may concern your inquiry, account, enrollment, scheduling, program updates, customer service, and — where separately indicated — marketing.
- Consent is not a condition of purchase. You are not required to consent to receive text messages in order to purchase any Journey good or service, and declining consent will not affect your eligibility for any program.
- Program description: account, enrollment, scheduling, customer-service, and — where you have separately opted in — marketing and program-update messages.
- Message frequency: varies based on your interaction with us. Typical frequency is not more than several messages per week.
- Message and data rates may apply. Check with your mobile carrier.
- HELP: Reply HELP to any message for assistance, or contact us as described in Section 14.
- STOP and other methods to revoke consent. Reply STOP to any message to opt out at any time. After opting out, you will receive one confirmation message and then no further SMS messages from that program. You may also revoke SMS consent by any other reasonable means, including emailing Privacy@JourneyHealthAdvisors.com with the subject line “Revoke SMS Consent” and the mobile number to remove, telling a Journey representative verbally, or contacting our Privacy Officer in writing (Section 14). We honor recognized opt-out keywords immediately upon receipt.
- Phone numbers covered. Consent applies to the specific mobile number(s) you provide. Adding or changing a number requires a new opt-in from that number.
- Carrier disclaimer: Carriers are not liable for delayed or undelivered messages. Journey is not responsible for outages or delays attributable to mobile carriers.
- Eligible carriers: major U.S. carriers including AT&T, T-Mobile, Verizon Wireless, and others.
- Record retention: We retain records of your SMS consent and any revocation for at least four (4) years, as required by FCC rules.
- SMS is not for emergencies or sensitive health information. Do not send personally identifying or sensitive health information via SMS. For medical emergencies, dial 911.
11.3 Phone Calls
Call recording. Calls between you and Journey personnel may be recorded and transcribed for quality, training, and compliance purposes, in accordance with applicable state law. You are informed at the beginning of a recorded call. If you prefer not to be recorded, please tell the representative and we will accommodate your request to the extent possible.
Prior express written consent for autodialed, prerecorded, and AI-voice calls. Journey’s outbound marketing calling program is conducted in compliance with the TCPA, FCC rules (including the FCC’s February 2024 Declaratory Ruling treating AI-generated voices as “artificial” voices for purposes of the TCPA), and applicable state telemarketing law. Under the TCPA and FCC rules, we obtain your prior express written consent before:
- Placing marketing calls to your mobile number using an autodialer or any automatic telephone dialing system;
- Placing marketing calls to any number (mobile or residential) using a prerecorded or artificial voice, including AI-generated voice; or
- Sending marketing text messages (see Section 11.2).
By checking a clearly labeled consent box on a Journey web form, acknowledging consent in our AI onboarding assistant, signing a paper intake form, or otherwise taking an affirmative action to agree, you provide your prior express written consent to receive calls and text messages — including those using automated technology, autodialers, artificial voice, or prerecorded voice (including AI-generated voice) — from Journey Health, LLC, its affiliates, our program partners (Sedera, Health Access Solutions, and affiliated DPC practices), and our authorized service providers, at the telephone number(s) you provide. Calls and texts may concern your inquiry, account, enrollment, scheduling, program updates, customer service, and — where separately indicated — marketing.
Consent is not a condition of purchase. You are not required to consent to receive marketing calls or texts in order to purchase any Journey good or service, and declining consent will not affect your eligibility for any program.
Hours of contact. We make marketing calls only between 8:00 a.m. and 9:00 p.m. in the called party’s local time, consistent with the TCPA and applicable state law. Service calls related to an existing account or enrollment may occur outside these hours only where reasonably necessary and permitted by law.
Identification and call-back information. When we place an outbound call, we identify ourselves as “Journey Health, LLC” (or the partner on whose behalf we are calling) and provide a telephone number at which a live agent can be reached during business hours. For prerecorded or artificial-voice calls (including AI-voice calls), we provide the opt-out mechanism required by FCC rules during the call itself.
Revocation of consent. You may revoke any telephone or SMS consent at any time and by any reasonable means, including:
- Replying STOP to any SMS (see Section 11.2);
- Telling any Journey representative verbally that you wish to be placed on our internal Do Not Call list;
- Emailing Privacy@JourneyHealthAdvisors.com with the subject line “Revoke Consent” and the telephone number(s) to remove;
- Writing to our Privacy Officer at the address in Section 14.
We honor SMS opt-outs immediately upon receipt of a recognized keyword. For voice-channel revocation, we process the request promptly — typically within 24 hours — and in any event within the timeframe required by the TCPA and FCC rules. See Section 11.4 for our Do Not Call policy.
Record retention. We retain records of your telephone consent and any revocation for at least four (4) years, as required by FCC rules.
11.4 Do Not Call Policy
Journey maintains an internal Do Not Call (“DNC”) list. On your request — verbal, written, by email, through our Privacy Officer, or by replying STOP to any text message — we add your telephone number(s) to our internal DNC list. Once added:
- We stop further marketing calls and texts to that number. SMS opt-outs are honored immediately upon receipt of a recognized keyword. Voice-call opt-outs are honored promptly, and in any event within 30 days — the maximum permitted under FCC rules.
- Transactional and service messages related to an existing account or enrollment (such as appointment reminders, billing confirmations, and enrollment status updates) are not considered marketing communications under the TCPA and may continue unless you terminate the underlying service.
- We retain each DNC request for at least five (5) years, consistent with federal law.
Journey also respects the National Do Not Call Registry (donotcall.gov). If your number is listed on the National DNC Registry, we will not place telemarketing calls to it absent an established business relationship within the period permitted by law or your prior express written consent authorizing such calls.
You may request a copy of our Do Not Call policy at any time by contacting our Privacy Officer (Section 14), and we will provide it at no cost.
12. Data Retention
We retain your information only as long as reasonably necessary to provide our services, meet legal obligations, resolve disputes, and enforce our agreements. The table below reflects our standard retention periods. Where law, a partner agreement, or an open legal matter requires a longer period, we follow that longer period. Where you exercise a valid deletion right under applicable law, we delete information as required by that law.
12.1 Standard Retention Periods
- Website inquiry / contact form submissions (no enrollment): up to 24 months from your last interaction.
- AI onboarding assistant conversations (no enrollment): up to 24 months from the conversation.
- Marketing contact records: until you unsubscribe or request deletion, subject to suppression-list retention for compliance purposes.
- Active member records: for the duration of your membership.
- Former member records: up to 7 years after termination, consistent with general business-records and financial-audit standards.
- Call recordings and transcripts: up to 24 months unless a longer period is required for compliance or a specific business or legal reason.
- Payment and transaction records: up to 7 years, consistent with tax, accounting, and anti-fraud requirements.
- Incidental Health Information: removed or minimized as soon as reasonably practicable after it is no longer needed, subject to overriding legal or business-records obligations.
- Creator affiliate and referral records: for the duration of the partnership plus up to 4 years for audit and chargeback purposes.
- Employer-program records: for the duration of the employer relationship plus up to 7 years.
- Website and analytics data: retained consistent with our analytics provider defaults (Google Analytics 4 default: 14 months).
- TCPA consent and revocation records: at least 4 years, as required by FCC rules (see Sections 11.2 and 11.3).
- Do Not Call requests: at least 5 years from the date of the request (see Section 11.4).
- Legal, compliance, and dispute records: retained for as long as necessary to address the matter and for the applicable statute of limitations.
When information is no longer needed, we securely delete or de-identify it. De-identified and aggregated information may be retained indefinitely.
13. Children’s Privacy
Our Site and services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. We comply with the Children’s Online Privacy Protection Act (COPPA). If you believe we have collected information from a child under 13, please contact our Privacy Officer (Section 14) and we will promptly delete it.
When a parent or legal guardian enrolls a family in one of our programs, information about minor family members is provided by the parent or guardian and is handled consistent with this Policy and applicable law. Parents and guardians may review, update, or delete their child’s information by contacting us.
14. Contact Us
If you have questions, concerns, complaints, or requests regarding this Privacy Policy or our privacy practices, please contact:
Privacy Officer
Journey Health, LLC
8810 Blakeney Professional Drive, Suite 100
Charlotte, NC 28277
Email: Privacy@JourneyHealthAdvisors.com
Phone: 704-412-1916
You may also file a complaint with the attorney general or privacy regulator of your state of residence, or — where HIPAA applies — with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/privacy/hipaa/complaints/. You may also file a TCPA-related complaint with the Federal Communications Commission at fcc.gov/complaints. We will not retaliate against you for filing a complaint.
15. Jurisdiction and Service Availability
Journey’s services are offered in the United States. Our cost-sharing programs are not available in all states. If you access the Site from outside the United States, you acknowledge that your information will be processed in the United States, which may have privacy protections that differ from those in your country. By using our services, you consent to this transfer.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this Policy and, where required by law or where changes are material, provide additional notice (such as a banner on the Site or an email to registered members). Your continued use of the Site or our services after the effective date of an updated Policy indicates your acceptance of the updated terms.
17. Your Acknowledgment and Consent
By checking the acknowledgment box on any Journey web form or intake flow, typing or stating your agreement in our AI onboarding assistant, clicking “I agree,” or otherwise enrolling in a Journey program, you affirm that:
- You have read and understood this Privacy Policy;
- You are at least 18 years of age (or the parent/legal guardian of any minor whose information you provide);
- You consent to Journey’s collection, use, storage, and sharing of your information as described in this Policy;
- TCPA consent. You provide your prior express written consent under the Telephone Consumer Protection Act (TCPA) and FCC rules to receive calls and text messages — including calls and messages placed using an autodialer, an automatic texting system, or an artificial or prerecorded voice (including AI-generated voice) — from Journey Health, LLC, its affiliates, our program partners (Sedera, Health Access Solutions, and affiliated DPC practices), and our authorized service providers, at the telephone number(s) you provide. You understand and acknowledge that: (a) this consent is not required to purchase any Journey good or service; (b) message and data rates may apply; (c) you have been informed of the message frequency, content, HELP/STOP instructions, and other program terms in Section 11.2; and (d) you may revoke this consent at any time by any reasonable means as described in Sections 11.2, 11.3, and 11.4;
- You understand that some programs are administered by our partners (Sedera, Health Access Solutions, or DPC practices) and that information you provide in connection with those programs will be shared with them as described in Section 6; and
- You understand you may withdraw your consent, request access to or deletion of your information, or exercise other rights as described in Section 10 by contacting our Privacy Officer.
If you do not agree with any part of this Policy, do not provide your information, check the acknowledgment box, or proceed with enrollment.