Heidi Snyder Flagg MD PLLC d/b/a FLUXX

Privacy Policy

Last updated June 5, 2026

FLUXX is an educational menopause-care platform operated by Heidi Snyder Flagg MD PLLC (d/b/a FLUXX). This policy explains how we collect, use, and protect your information. If we handle Protected Health Information (PHI) as defined by HIPAA, such use is governed by HIPAA and this policy supplements those requirements. For our full Notice of Privacy Practices, see our HIPAA Notice.

01

Scope & HIPAA Statement

This Privacy Policy applies to information collected through the FLUXX website, applications, and related services. FLUXX is intended as an educational tool to help you understand the menopause transition and, where you choose, to support a wellness consultation.

If we handle Protected Health Information (PHI) as defined by HIPAA, such use is governed by HIPAA and this policy supplements those requirements. Where HIPAA applies, its protections control over any conflicting term in this policy.

02

HIPAA-Specific Definitions

Protected Health Information (PHI)
Individually identifiable health information that we create, receive, maintain, or transmit in connection with providing health care or health-care operations — including your symptom check-ins, Menopause Rating Scale (MRS) entries, cycle and last-menstrual-period data, survey answers, and any information that relates to your past, present, or future physical or mental health, the provision of care to you, or payment for that care, and that identifies you or could reasonably be used to identify you.
De-identified data
Information from which identifiers have been removed in accordance with HIPAA 45 C.F.R. § 164.514(b) so that it no longer identifies, and cannot reasonably be used to identify, an individual. De-identified data is not PHI.

03

Information We Collect

We collect only what we need to provide the service:

  • Account details — your name and email address when you create an account or sign in.
  • Survey & quiz answers — the responses you provide so we can generate your personalized educational report.
  • Symptom & MRS self-reports — check-ins or Menopause Rating Scale entries you log to track how you feel over time.
  • Cycle information — last menstrual period (LMP) and related data you choose to share.
  • Basic technical data — limited device and usage information (for example, browser type and pages viewed) that helps us keep the service secure and working.

04

How We Use Your Information

  • To create and maintain your account.
  • To generate and show your educational report and symptom trends.
  • To support a consultation with a clinician when you request one.
  • To improve the clarity and accuracy of our educational content.
  • To keep the service safe, secure, and reliable.

We do not sell your personal information, and we do not use your symptom or health-related entries for advertising.

05

Permitted Uses of PHI

We use and disclose PHI only for Treatment, Payment, and Healthcare Operations (collectively, “TPO”) as permitted by HIPAA, or as otherwise required by law.

  • Treatment — coordinating or providing care, including sharing PHI with the clinician you choose to consult.
  • Payment — billing and obtaining payment for services you request.
  • Healthcare Operations — quality, administrative, and operational activities that support care.

Any use or disclosure beyond TPO — including any use of PHI for marketing — requires your prior signed authorization, which you may revoke in writing at any time. We will not use PHI for marketing without your signed authorization.

06

Business Associates

We work with third-party vendors (“Business Associates”) who perform services on our behalf and may handle PHI — for example, hosting, email delivery, and analytics providers. Before any Business Associate handles PHI, we require a written Business Associate Agreement (BAA) that contractually obligates them to safeguard PHI, use it only as permitted, and report any breach to us. We do not disclose PHI to a third party for processing without a BAA in place.

07

Your HIPAA Rights

With respect to PHI we maintain about you, you have the right to:

  • Request a copy of your PHI.
  • Request amendments to PHI you believe is inaccurate or incomplete.
  • Request restrictions on certain uses and disclosures of your PHI.
  • Request an accounting of certain disclosures of your PHI.
  • Request confidential communications by alternative means or at an alternative location.
  • File a complaint with us or with the U.S. Department of Health and Human Services (HHS) if you believe your privacy rights have been violated.

We will not retaliate against you for exercising any of these rights. To exercise a HIPAA right, contact drheidiflagg@fluxx-it.com. See our Notice of Privacy Practices for step-by-step instructions.

08

Breach Notification

If a breach of unsecured PHI occurs, we will notify affected individuals without unreasonable delay and in no case later than 60 days from discovery of the breach. We will also report the breach to the U.S. Department of Health and Human Services (HHS). For a breach affecting 500 or more individuals, we will notify HHS and prominent media outlets serving the affected area as required by law.

09

Security Safeguards

We protect your information with administrative, physical, and technical safeguards, including:

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest using AES-256.
  • Role-based access controls with unique user IDs, so PHI is accessible only to authorized personnel on a need-to-know basis.
  • Annual risk assessments and ongoing monitoring.
  • Workforce HIPAA training conducted at least annually.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10

Data Retention

We retain PHI for six (6) years from the date of its creation or last use, or longer where a state law requires a longer retention period. Information that is not PHI is deleted upon closure of your account, except where we must retain it for legal, security, or fraud-prevention reasons.

11

Analytics & Advertising

Where we use analytics tools such as Google Analytics, we configure them to receive only de-identified data in accordance with HIPAA 45 C.F.R. § 164.514(b). We do not transmit PHI to third parties without a Business Associate Agreement, and we do not use PHI for targeted advertising.

12

Sharing & Disclosure

We share information only in limited circumstances: with service providers and Business Associates who help us operate the platform (under confidentiality obligations and, where PHI is involved, a BAA); with the clinician you choose to consult, to support that consultation; and where required by law. We do not sell your personal information.

13

U.S. State Privacy Rights

Depending on your state of residence — including California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws — you may have the right to:

  • Know what personal information we collect and how we use it.
  • Access a copy of your personal information.
  • Correct inaccurate personal information.
  • Delete personal information we hold about you.
  • Opt out of any sale or sharing of personal information and of targeted advertising. We do not sell personal information.

To exercise these rights, or to appeal a decision regarding a request, contact drheidiflagg@fluxx-it.com. We will respond within the timeframe required by applicable law and will not discriminate against you for exercising your rights.

California “Shine the Light.” California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not share personal information for third-party direct marketing.

Do Not Track. Some browsers transmit “Do Not Track” (DNT) signals. There is no industry consensus on how to respond to DNT signals, and we do not currently respond to them.

14

International Users

EEA & UK (GDPR / UK GDPR). If you are in the European Economic Area or the United Kingdom, we process personal data on lawful bases such as consent, contract, and legitimate interests. You have rights of access, rectification, erasure, restriction, portability, and objection, and may lodge a complaint with your supervisory authority.

Switzerland. Swiss residents have comparable rights under the Swiss Federal Act on Data Protection (FADP) and may contact the Federal Data Protection and Information Commissioner.

Canada. Canadian residents have rights of access and correction under PIPEDA and applicable provincial privacy laws.

To exercise any international right, contact drheidiflagg@fluxx-it.com.

15

Children & Minors

FLUXX is intended for adults and is not directed to anyone under 18. We do not knowingly serve or collect information from minors. If you believe a minor has provided us information, contact kate@fluxx-it.com and we will delete it.

16

Changes to This Policy

We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, where required, provide additional notice.

17

Contact Us

Privacy questions & appeals
drheidiflagg@fluxx-it.com
General questions, complaints & minors
kate@fluxx-it.com
Account support
support@fluxx.health
Mailing address
Heidi Snyder Flagg MD PLLC
135 Spring Street, 2nd Floor
New York, NY 10012