Privacy Policy

MOCEAN Health is a healthcare and wellness platform operated by MOCEAN Therapy, LLC, a physical therapy and wellness practice headquartered at 315 Madison Avenue, New York, NY 10017. We provide physical therapy, acupuncture, wellness programs, and digital health tracking services to individuals seeking to optimize their health and longevity.

Your privacy is not merely a compliance obligation for us — it is a foundational commitment. The information you share with us, including your protected health information (PHI) as defined under HIPAA, is handled with the highest degree of care, discretion, and legal rigor.

This Policy applies to all users of the MOCEAN Health web platform, mobile applications, and any associated services (collectively, the “Services”). By accessing or using our Services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please discontinue use of our Services immediately.

This Policy does not govern information collected by third-party websites, applications, or services that may link to or be linked from our Services. We encourage you to review the privacy policies of any third-party services you use in connection with MOCEAN Health.

We collect information necessary to provide you with safe, effective, and personalized healthcare and wellness services. The categories of information we collect are described below.

2.1 Personal Identification Information

When you create an account or engage with our Services, we collect information that identifies you as an individual, including:

• Full legal name
• Email address
• Phone number
• Date of birth
• Home and billing address
• Emergency contact information (name, relationship, phone number)
• Government-issued identification (only where required by applicable law or for insurance verification)

2.2 Protected Health Information (PHI)

As a covered entity under HIPAA, we collect and maintain protected health information in connection with the healthcare services we provide. This includes:

• Physical assessment results, including InBody body composition analyses (muscle mass, body fat percentage, BMI, visceral fat level, segmental lean and fat analysis)
• Clinical session notes, treatment plans, and progress documentation
• Health history, current conditions, medications, and allergies
• Functional movement assessments and rehabilitation outcomes
• Health goals, lifestyle factors, and wellness program participation data
• Video session recordings (where applicable and consented)
• Communications between you and your healthcare providers within our platform

2.3 Wearable Device & Biometric Data

With your explicit authorization, we integrate with wearable health devices to provide comprehensive health insights. When you connect an Oura Ring or similar device, we receive the following data categories (subject to the permissions you grant):

• Sleep: Sleep stages (REM, deep, light), total sleep duration, sleep efficiency, sleep latency, sleep timing, and sleep score
• Activity: Daily activity score, steps, active calories, equivalent walking distance, non-wear time, and movement data
• Readiness: Daily readiness score, recovery index, and resting heart rate
• Cardiovascular: Heart rate (resting and continuous), heart rate variability (HRV), and cardiovascular age
• Respiratory & Metabolic: SpO2 (blood oxygen saturation), respiratory rate, body temperature deviation, and skin temperature
• Workout & Stress: Workout sessions, workout heart rate, stress scores, and resilience metrics

You may revoke wearable device access at any time through your account settings or the device manufacturer's application.

2.4 Payment Information

Payment transactions are processed exclusively through Stripe, a PCI-DSS Level 1 certified payment processor. MOCEAN Health does not store, process, or transmit your full payment card numbers, CVV codes, or full bank account numbers on our systems. We retain only tokenized payment identifiers (Stripe customer and payment method IDs), transaction amounts, dates, and statuses, which are necessary for billing management, refund processing, and financial record-keeping.

2.5 Usage and Technical Data

We automatically collect certain technical information when you access our Services, including:

• Log data: IP address, browser type and version, operating system, referring URLs, pages visited, and access timestamps
• Device identifiers and hardware model information
• Session duration and user interaction patterns (used solely for improving service functionality)
• Crash reports and error logs (stripped of PHI before processing)

2.6 Communications Data

We collect and store the content of communications you send through our platform, including:

• In-platform messages between you and your care providers, encrypted at rest using AES-256-GCM
• Support requests and correspondence submitted to our team
• Feedback, surveys, and testimonials you voluntarily provide

We use your information only for purposes that are necessary, proportionate, and consistent with the expectations you have when you engage with a healthcare provider. Specifically:

3.1 Providing and Improving Our Services

• Authenticating your identity and maintaining the security of your account
• Delivering physical therapy, acupuncture, and wellness services, including in-person and virtual sessions
• Enabling your care team to access and document clinical information necessary for your treatment
• Personalizing your health dashboard, insights, and program recommendations based on your health data
• Improving platform functionality, identifying technical issues, and developing new features (using de-identified or aggregated data only)

3.2 Booking and Payment Processing

• Scheduling and confirming appointments, including managing reschedules and cancellations
• Processing membership fees, session charges, and applicable late cancellation or no-show fees in accordance with our Cancellation Policy
• Issuing invoices, receipts, and refunds
• Managing subscription billing cycles and renewal notifications

3.3 Health Tracking and Insights

• Aggregating data from wearable devices and clinical assessments to generate personalized health scores and trend analyses
• Tracking progress toward your stated health and wellness goals
• Providing your care team with longitudinal health data to inform clinical decision-making

3.4 Communications

• Sending appointment reminders and confirmations via email (SendGrid) and SMS (Twilio)
• Delivering health updates, program milestones, and relevant wellness content
• Responding to your inquiries and support requests
• Notifying you of material changes to this Privacy Policy or our Terms of Service

3.5 Legal and Regulatory Compliance

• Fulfilling our obligations as a HIPAA covered entity, including maintaining medical records in compliance with New York State Education Law § 6530(24) and applicable Department of Health regulations
• Responding to lawful requests from government authorities, courts, or law enforcement agencies where required by law
• Defending against legal claims and protecting the rights and safety of our patients, staff, and organization
• Conducting internal audits and compliance assessments as required under HIPAA and HITECH

MOCEAN Therapy, LLC is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations at 45 C.F.R. Parts 160 and 164. We are fully committed to compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

4.1 Treatment of Protected Health Information

Protected health information (PHI) is any individually identifiable health information that we create, receive, maintain, or transmit in connection with providing healthcare services. We use and disclose PHI only as permitted or required by the HIPAA Privacy Rule, and only to the extent necessary to accomplish the intended purpose of such use or disclosure.

You have the right to receive a separate Notice of Privacy Practices (NPP) as required by 45 C.F.R. § 164.520, which describes your rights and our obligations in greater detail. A copy of our NPP is available upon request by contacting our Privacy Officer at hello@moceanpt.com.

4.2 Business Associate Agreements

We require all third-party service providers who handle PHI on our behalf to execute Business Associate Agreements (BAAs) that comply with 45 C.F.R. § 164.504(e). This includes, but is not limited to, our cloud infrastructure providers, video session providers (Daily.co), and any analytics or monitoring tools that may process PHI. We conduct due diligence on business associates prior to engagement and monitor their compliance on an ongoing basis.

4.3 Minimum Necessary Standard

Consistent with 45 C.F.R. § 164.514(d), we apply the Minimum Necessary Standard to all uses and disclosures of PHI. This means we take reasonable steps to limit the PHI we use, disclose, or request to the minimum amount necessary to accomplish the intended purpose. Role-based access controls (RBAC) are implemented throughout our platform to ensure that each member of our team can access only the PHI required for their specific job functions.

4.4 Breach Notification

In the event of a breach of unsecured PHI, we will comply with the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D) and HITECH § 13402. Specifically:

• Individual Notification: We will notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach, via first-class mail (or email where prior consent has been obtained).
• HHS Notification: We will notify the U.S. Department of Health and Human Services (HHS) of all breaches. Breaches affecting 500 or more individuals in a state will be reported immediately; smaller breaches will be reported annually via the HHS web portal.
• Media Notification: For breaches affecting 500 or more residents of a single state or jurisdiction, we will provide notice to prominent media outlets in that jurisdiction.
• Content of Notice: Breach notifications will include a description of the breach, the types of PHI involved, steps individuals should take to protect themselves, a brief description of our investigation and mitigation measures, and contact information for questions.

We do not sell your personal information or protected health information to any third party, for any purpose, under any circumstances. We share information only as described below and only to the extent necessary for the stated purpose.

5.1 Your Care Team

Your PHI is shared with licensed healthcare providers within the MOCEAN network (physical therapists, acupuncturists, and wellness specialists) who are involved in your care. Such sharing is a treatment use of PHI and is permissible under HIPAA without your additional written authorization (45 C.F.R. § 164.506).

5.2 Payment Processors

Financial transaction data (limited to the minimum necessary for billing purposes) is shared with Stripe, Inc. under a Business Associate Agreement where applicable. Stripe processes all payment card transactions and manages subscription billing on our behalf. Stripe's privacy practices are governed by its own Privacy Policy, available at stripe.com/privacy.

5.3 Communication Service Providers

We use Twilio, Inc. to deliver SMS appointment reminders and notifications, and Sendgrid (a Twilio company) to deliver transactional and health-related emails. These providers receive only the minimum data necessary (e.g., phone number or email address and message content) to deliver communications on our behalf, under appropriate data processing agreements.

5.4 Video Session Providers

Virtual physical therapy sessions are conducted via Daily.co, a HIPAA-compliant video infrastructure provider. Daily.co operates under a Business Associate Agreement with MOCEAN Health. Video session data is encrypted end-to-end and is not retained by Daily.co beyond the duration of the session unless recording has been enabled with your explicit prior written consent.

5.5 Authentication Providers

If you choose to sign in using Google or Apple OAuth, those providers will share limited profile information (name, email address, and unique identifier) with us for authentication purposes only. We do not receive or store your Google or Apple passwords. Authentication via these providers is governed by their respective privacy policies.

5.6 Cloud Infrastructure

Our platform is hosted on Amazon Web Services (AWS) infrastructure in the United States. AWS serves as a HIPAA business associate and operates under an executed BAA with MOCEAN Health. All data, including PHI, is stored exclusively within HIPAA-eligible AWS services and regions.

5.7 Legal Disclosures

We may disclose your information, including PHI, to the extent permitted by HIPAA, when we believe in good faith that disclosure is:

• Required by applicable law, regulation, judicial or administrative order, or valid legal process (e.g., a subpoena or court order)
• Necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public (45 C.F.R. § 164.512(j))
• Required for public health activities as specified in 45 C.F.R. § 164.512(b)
• Required by the Secretary of HHS for HIPAA compliance investigations

We will make reasonable efforts to notify you of any such disclosure in advance to the extent permitted by law.

We implement a comprehensive, defense-in-depth security program to protect your information against unauthorized access, use, alteration, disclosure, and destruction. Our security controls include:

6.1 Encryption

• Data at Rest: All PHI and sensitive personal data stored in our databases is encrypted using AES-256 encryption. In-platform chat messages are encrypted using AES-256-GCM with per-message initialization vectors.
• Data in Transit: All data transmitted between your browser or mobile device and our servers is protected using TLS 1.3. We enforce HTTPS exclusively and use HTTP Strict Transport Security (HSTS) headers.

6.2 Access Controls

• Role-based access control (RBAC) is enforced at the application layer. Each user role (Patient, Provider, Administrative Staff, CRM Staff, Administrator) has precisely scoped permissions, and access is restricted to the minimum necessary for each role's function.
• Multi-tenant data isolation ensures that information belonging to one organizational unit cannot be accessed by users of another, even within the same platform infrastructure.
• All administrative access to production systems requires multi-factor authentication (MFA).

6.3 Audit Logging

We maintain comprehensive audit logs of all access to PHI, including the identity of the accessing user, the time of access, the data accessed, and the action taken. Audit logs are immutable, retained for a minimum of three years, and reviewed regularly for anomalous activity.

6.4 Security Assessments

We conduct regular security assessments, including:

• Annual third-party penetration testing of our web application and API infrastructure
• Continuous automated vulnerability scanning and dependency auditing
• Periodic review and testing of our data backup and disaster recovery procedures
• Ongoing workforce security training and HIPAA awareness programs

6.5 Limitations

While we employ industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information. In the event of a security incident, we will respond in accordance with our Incident Response Plan and our HIPAA Breach Notification obligations described in Section 4.4.

We retain your information only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law. The following retention schedules apply:

Upon expiration of the applicable retention period, we will securely delete or de-identify your information in accordance with NIST SP 800-88 guidelines for media sanitization. Note that deletion of your account does not eliminate our obligation to retain medical records for the legally mandated period.

As a patient and user of MOCEAN Health, you have the following rights with respect to your information. To exercise any of these rights, please contact our Privacy Officer as described in Section 13.

8.1 Right of Access

You have the right to inspect and obtain a copy of your PHI held in our designated record set, as provided by 45 C.F.R. § 164.524. We will fulfill access requests within 30 days of receipt (with one 30-day extension available upon notice). We may charge a reasonable cost-based fee for providing copies.

8.2 Right to Amend

You have the right to request amendments to your PHI if you believe information in your record is inaccurate or incomplete (45 C.F.R. § 164.526). We will act on your request within 60 days. If we deny your request, you have the right to submit a written statement of disagreement.

8.3 Right to Deletion

You may request deletion of your account and associated personal information. We will honor such requests to the full extent permitted by law. However, please be aware that we are legally obligated to retain medical records and PHI for the periods specified in Section 7, regardless of your deletion request. Deletion of your account will not result in deletion of clinically required records.

8.4 Data Portability

You have the right to receive a machine-readable copy of your health information in a standard electronic format (consistent with HITECH § 13405(e) and 21st Century Cures Act provisions on information blocking). You may also request that we transmit your records directly to another healthcare provider or health information exchange.

8.5 Right to an Accounting of Disclosures

You have the right to request an accounting of certain disclosures of your PHI made by us during the six years prior to the date of your request, as provided by 45 C.F.R. § 164.528. This right does not apply to disclosures made for treatment, payment, or healthcare operations.

8.6 Right to Restrict Uses and Disclosures

You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to requested restrictions except as required by 45 C.F.R. § 164.522(a)(1)(vi) (where you have paid out-of-pocket in full for a healthcare service and request restriction on disclosure to a health plan).

8.7 Opt-Out of Non-Essential Communications

You may opt out of marketing and non-essential communications at any time by clicking the “unsubscribe” link in any email, replying STOP to any SMS message, or updating your notification preferences in your account settings. Note that opting out of non-essential communications will not affect clinically necessary notifications (e.g., appointment confirmations or urgent health updates).

8.8 Revoke Wearable Device Connections

You may disconnect any wearable device integration at any time through your account settings. Upon disconnection, we will cease collecting new data from that device. Previously collected data will be retained in accordance with the retention schedule in Section 7.

We use a limited set of cookies and similar tracking technologies on our web platform. We do not use cookies to serve you targeted advertising, and we do not sell or share cookie data with advertising networks.

9.1 Essential Cookies

These cookies are strictly necessary for the operation of our Services and cannot be disabled without affecting functionality. They include:

• Session cookies: Used to maintain your authenticated session, including your user role and tenant context, using cryptographically signed JWT tokens.
• CSRF protection tokens: Used to prevent cross-site request forgery attacks.
• Preference cookies: Used to remember settings such as your timezone and display preferences.

9.2 Analytics Cookies

We may use analytics tools to understand how users navigate our platform and to identify areas for improvement. Any analytics data collected is anonymized or pseudonymized before processing and is not linked to your PHI. We do not use analytics data to build individual behavioral profiles.

9.3 No Third-Party Advertising Trackers

We do not permit third-party advertising trackers, social media pixels, or cross-site tracking technologies on our platform. Our commitment to your privacy extends to refusing revenue models that depend on monetizing your behavioral or health data.

9.4 Managing Cookies

You may configure your browser to refuse some or all cookies, or to alert you when cookies are being sent. Please note that disabling essential cookies will impair your ability to use our Services. Consult your browser's help documentation for instructions on managing cookie settings.

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information or protected health information from minors. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact our Privacy Officer immediately at hello@moceanpt.com. Upon verification, we will promptly delete any such information from our records to the extent permitted by applicable law, including our medical record retention obligations.

Individuals seeking healthcare services for minors should contact us directly at 917-715-4665 or hello@moceanpt.com to discuss appropriate consent and authorization procedures under applicable law.

MOCEAN Health is operated in the United States and our Services are intended for users located in the United States. All information you provide, including PHI, is collected, stored, processed, and maintained on servers located within the United States and is subject to U.S. law, including HIPAA.

If you are accessing our Services from outside the United States, please be aware that your information will be transferred to, stored in, and processed in the United States. Data protection laws in the United States may differ from those in your country of residence. By using our Services, you consent to the transfer of your information to the United States and acknowledge that your information will be processed in accordance with this Privacy Policy and applicable U.S. law.

Where MOCEAN Health expands its operations to other countries, we will deploy separate regional infrastructure to comply with applicable local data residency requirements (e.g., GDPR in the European Union, PIPA in the Republic of Korea), and will update this Privacy Policy accordingly.

We reserve the right to update or modify this Privacy Policy at any time. We will provide notice of material changes through one or more of the following means:

• Posting a prominently displayed notice on our website and within the platform for at least 30 days before the effective date of the change
• Sending an email notification to the address associated with your account
• Displaying an in-app notification requiring your acknowledgment upon next login

For changes that materially affect the way we handle your PHI in a manner that is less protective than described in this Policy, we will obtain your express written consent before implementing the change, consistent with HIPAA requirements.

Your continued use of our Services after the effective date of any update constitutes your acceptance of the revised Privacy Policy with respect to information collected thereafter. The date at the top of this Policy reflects the most recent revision.

Prior versions of this Privacy Policy are available upon request by contacting our Privacy Officer at hello@moceanpt.com.

We take your privacy rights seriously and are committed to responding promptly and thoroughly to all privacy inquiries. Our designated Privacy Officer is responsible for overseeing our HIPAA compliance program, handling privacy complaints, and ensuring that our practices conform to this Policy and applicable law.

13.1 Privacy Complaints and Requests

To submit a privacy complaint, request access to your records, request amendment of your PHI, or exercise any other right described in Section 8, please contact our Privacy Officer in writing (email or letter) with:

• Your full name and contact information
• A description of your request or complaint
• Any relevant account information (e.g., email address associated with your account)

We will acknowledge receipt of your request within 5 business days and will respond substantively within the timeframes required by HIPAA and applicable law.

13.2 Filing a Complaint with HHS

If you believe your privacy rights under HIPAA have been violated and you are not satisfied with our response, you have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR):

• Online: hhs.gov/hipaa/filing-a-complaint
• Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
• Mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, SW, Room 509F, HHH Building, Washington, D.C. 20201

We will not retaliate against you in any way for filing a complaint with HHS. Retaliation against individuals for exercising their HIPAA rights is strictly prohibited and unlawful.

13.3 New York State Complaints

Residents of New York State may also direct privacy complaints to the New York State Office of the Attorney General:

• Online: ag.ny.gov
• Phone: 1-800-771-7755