Privacy Policy & Notice of Privacy Practices

This notice describes how medical and personal information about you may be used and disclosed, and how you can access this information. It applies to information we maintain in connection with mobile specimen collection, logistics, scheduling, and related services provided by Speedy Sticks LLC (“Speedy Sticks,” “we,” “our,” or “us”).

Speedy Sticks is committed to maintaining the privacy, security, and integrity of your information across all services, systems, and interactions, including our proprietary platform, mobile applications, websites, and communications channels.

Where we act as a business associate or handle protected health information (“PHI”) on behalf of covered entities or in our operations, we apply administrative, physical, and technical safeguards consistent with applicable law, including the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), where applicable.

Speedy Sticks operates as:

A mobile specimen collection, logistics, and coordination provider.

We may:

• Collect specimens in home, workplace, facility, or other settings as ordered or instructed
• Coordinate healthcare logistics, including scheduling, dispatch, routing, and handoff to laboratories or couriers
• Facilitate lab workflows through documentation, requisitions, and chain-of-custody steps aligned to your program

We do not:

• Perform clinical laboratory testing or act as a clinical laboratory for diagnostic purposes
• Diagnose medical conditions or provide medical interpretation of laboratory results
• Substitute for your treating clinician or the laboratory that performs testing

All laboratory testing is performed by third-party CLIA-certified laboratories (or other laboratories as specified in your order or program). Results, interpretation, and clinical follow-up are provided by your ordering provider and laboratory unless otherwise required by law or contract.

Depending on your relationship with us and applicable law, you may have the following rights regarding PHI we maintain about you in a designated record set or as otherwise required by HIPAA or state law:

Access your information

• You may request access to inspect or obtain a copy of your electronic or paper health information as maintained by Speedy Sticks in connection with our services, subject to limited exceptions.
• We will respond within 30 days of a request (or as required by law), unless an extension applies. Reasonable, cost-based fees may apply for copies as permitted by law.

Request corrections

• You may request amendment of PHI you believe is inaccurate or incomplete. We may deny certain requests if the information was not created by us, is not part of our records, or is accurate and complete.
• If we deny an amendment request, we will provide a written denial with reasons and explain how you may submit a statement of disagreement, generally within 60 days where applicable.

Request confidential communications

You may request that we communicate with you using alternative means or at alternative locations (for example, a specific phone number or mailing address). We will accommodate reasonable requests that do not prevent us from collecting payment or endanger your care or the safety of others.

Request restrictions

You may request restrictions on certain uses and disclosures of PHI. We are not required to agree to all requested restrictions, except where we are legally obligated (for example, restrictions on disclosures to health plans for services you paid for out of pocket in full, when applicable).

Accounting of disclosures

You may request an accounting of certain disclosures of PHI that are not for treatment, payment, or health care operations, or as otherwise limited by law. The accounting may cover up to six (6) years prior to the request, unless a shorter period applies. One free accounting per 12-month period; a reasonable fee may apply for additional requests.

Obtain this notice

You may request a paper copy of this Notice at any time. We also make this Notice available on our website and may provide it electronically when required.

Appoint a representative

A person legally authorized to act on your behalf (for example, a guardian, holder of a healthcare power of attorney, or personal representative under applicable law) may exercise your rights with appropriate verification and documentation.

File a complaint

You may file a complaint if you believe your privacy rights have been violated:

• With Speedy Sticks using the email or phone number listed under Contact information. We will not retaliate against you for filing a complaint.
• With the U.S. Department of Health and Human Services, Office for Civil Rights, as described at hhs.gov/ocr.

You have choices about how information is used or shared in certain situations, subject to law and clinical necessity.

Care involvement

• You may choose to involve family members, friends, or others in your care when appropriate and consistent with professional standards and your instructions.
• In emergencies or disaster-relief circumstances, we may disclose limited information when necessary to respond to the emergency or to assist public health authorities, as permitted by law.
• If you are unable to communicate your preferences, we may use professional judgment and act in your best interest as permitted by law.

Uses and disclosures that require your written authorization

We will not use or disclose PHI for the following without your written authorization:

• Marketing that constitutes a sale of PHI or is not permitted without authorization under HIPAA
• Sale of PHI as defined by applicable law
• Psychotherapy notes, where applicable and subject to HIPAA exceptions

You may revoke an authorization in writing at any time, except to the extent we have already relied on it.

5.1 Core uses

Treatment coordination. We may use and disclose PHI to coordinate specimen collection and logistics with physicians, laboratories, healthcare professionals, and program sponsors as necessary to carry out treatment-related activities—for example, confirming orders, scheduling visits, labeling specimens, and facilitating delivery to the correct laboratory.

Health care operations. We may use and disclose PHI for our health care operations, including quality assessment, care coordination, training, licensing, compliance, auditing, business planning, and improvement of services—limited to what is permitted by law and our contracts.

Payment. We may use and disclose PHI to bill and collect payment for our services, including verification of coverage where applicable (notwithstanding that our standard patient-facing collection service is generally paid out of pocket), payment processing, collections, and related activities described in our Terms & Conditions.

5.2 Public health and legal uses

We may disclose PHI when required or permitted by law, including to:

• Prevent or control disease, injury, or disability
• Report child abuse or neglect, or domestic violence as required by law
• Report adverse events or product problems to the FDA or as required for public health surveillance
• Comply with workers' compensation laws and similar programs
• Respond to lawful requests by public health authorities or health oversight agencies
• Respond to subpoenas, court orders, or administrative requests when legally required and procedurally proper
• Support research when institutional review board or privacy board approval and waivers apply, or as otherwise permitted

5.3 Government and regulatory requests

We may disclose PHI to law enforcement, national security officials, or other government actors when required by law, including with appropriate documentation and limitations.

5.4 End-of-life situations

We may disclose PHI to medical examiners, coroners, or funeral directors as necessary to identify a deceased person, determine cause of death, or carry out duties authorized by law.

We are required to:

• Maintain the privacy and security of PHI as required by law and our policies
• Provide you with this Notice and notify you of material changes as required
• Notify affected individuals and regulators of breaches of unsecured PHI as required by HIPAA and state law
• Not use or disclose PHI except as permitted or required by law or as described in this Notice
• Mitigate harmful effects of inappropriate disclosures where feasible

Speedy Sticks operates a proprietary digital platform and related applications that process operational and service data, which may include identifiers, scheduling data, communications metadata, and PHI when necessary to perform services.

Speedy Sticks uses HIPAA-compliant infrastructure on Amazon Web Services (AWS) and Microsoft Azure—including regions and services configured for regulated workloads—with administrative, physical, and technical safeguards and business associate agreements (BAAs) or equivalent arrangements where applicable to our use of those services.

Telephone and fax services are provided through a HIPAA-compliant RingCentral account with appropriate safeguards and vendor agreements. Email, calendar, file storage, and collaboration use Google Workspace with HIPAA-eligible services and settings enabled, and business associate agreements or equivalent arrangements where applicable.

Examples of data processed through the platform include:

• Appointment logs and confirmations
• Technician dispatch, routing, and activity records tied to service delivery
• Communication history (for example, SMS, email, in-app messages) as configured
• Scheduling records, status updates, and workflow timestamps
• System logs, audit trails, and security events

Platform-generated records—including timestamps, confirmations, and activity logs—are treated as official operational and legal records of service execution for billing, compliance, dispute resolution, and quality purposes, subject to applicable law.

Our mobile applications and field workflows may collect location data from phlebotomists or technicians during active service delivery, including when the app is running in the foreground or, where enabled and permitted by the operating system, in the background during an active appointment window.

Location data may be used for:

• Real-time tracking and estimated arrival updates
• Safety, verification of service location, and fraud prevention
• Dispatch coordination, routing efficiency, and proof of service

Collection is generally limited to periods relevant to scheduled or active appointments. Location data is not sold and is not shared for unrelated third-party marketing. We apply access controls and retention limits consistent with operational and legal needs.

By providing your mobile phone number, you consent to receive SMS messages from Speedy Sticks or our service providers for operational purposes, subject to applicable law (including the Telephone Consumer Protection Act and carrier rules).

Messages may include:

• Appointment reminders and confirmations
• Service updates, dispatch or arrival notifications, and scheduling changes
• Account or security notices
• Limited promotional or educational messages where permitted and consistent with your consent preferences

Opt-in

Where required, you provide express consent before we send marketing or non-transactional SMS. Transactional messages related to an existing relationship may be sent as permitted by law.

Opt-out

You may opt out of SMS at any time by replying STOP to a message where supported, adjusting preferences in your account, or contacting us using the email or phone number listed under Contact information. Opting out of operational texts may affect our ability to coordinate your visit.

Data use

We do not sell your phone number. We do not share phone numbers for unrelated third-party marketing. Message and data rates may apply per your carrier.

Our websites and digital properties may use cookies, pixels, local storage, and similar technologies to enable functionality, measure performance, and—only with appropriate consent—analytics and advertising measurement.

Typical uses include:

• Essential cookies for security, load balancing, session management, and preferences
• Analytics (for example, Google Analytics) to understand aggregate traffic, navigation, and feature usage
• Advertising performance (for example, Google Ads conversion measurement) only where consent is obtained where required

Consent-based system

Non-essential cookies and similar technologies (including analytics and advertising tags) are deployed in a consent-first manner: they are not activated for analytics or ads until you provide consent through our cookie banner or preference center where implemented, except as strictly necessary to provide the service or comply with law.

Data collected

Data may include page URLs, timestamps, device and browser type, approximate geography derived from IP, and interaction events. We configure analytics to reduce unnecessary collection and to avoid sending PHI to analytics or ad platforms.

What we do not do

We do not:

• Use analytics or advertising tools to identify individuals based on PHI we collect for care
• Use health data for ad targeting or to build health-based audiences
• Upload PHI to advertising platforms

Speedy Sticks maintains a strict policy:

• We do not upload PHI to advertising platforms
• We do not use medical or clinical information for ad targeting
• We do not create advertising audiences based on healthcare interactions or conditions

Technical controls and vendor diligence support this policy. Marketing communications, if any, are operational or general in nature and not based on your diagnosis or test results.

We may share information with categories of third parties as needed to operate, including:

• Laboratories, couriers, and logistics partners
• Healthcare providers and program sponsors involved in your care
• Payment processors and merchant banks
• Cloud hosting; communications (including HIPAA-compliant RingCentral for voice and fax where used); Google Workspace for email and collaboration in a HIPAA-enabled configuration; authentication; and security vendors—each under appropriate agreements where PHI is involved
• Professional advisors (for example, attorneys and accountants) under confidentiality obligations

We require vendors that handle PHI to enter into appropriate agreements (including business associate agreements where required) and to implement safeguards. We are not responsible for independent acts of third parties outside our control, but we perform diligence and contracting proportionate to risk.

We implement a layered security program that may include:

• Encryption of data in transit (for example, TLS) and encryption at rest where appropriate
• Role-based access controls, least-privilege access, and authentication (including MFA where deployed)
• HIPAA-compliant hosting on Amazon Web Services (AWS) and Microsoft Azure, with hardened configuration and BAA-aligned controls where applicable
• Monitoring, intrusion detection, and security logging
• Workforce training and sanctions for policy violations

If we discover a breach of unsecured PHI (or other personal data as required by law), we will investigate, mitigate, and provide notifications to affected individuals and regulators as required by HIPAA, state breach-notification laws, and other applicable requirements. Notifications will include a description of what occurred, the types of information involved, steps we are taking, and what you can do to protect yourself, to the extent required.

We retain information only as long as necessary for legal, regulatory, contractual, operational, and business purposes—including audit, dispute resolution, and accounting—then securely delete or de-identify it in accordance with our retention schedules and applicable law.

While we implement strong technical and organizational measures, no system can guarantee 100% security. You acknowledge that electronic communications and storage carry inherent risks. You are responsible for safeguarding your account credentials and devices.

Unless your booking path, confirmation, or enterprise agreement states otherwise, the following may apply in addition to our Terms & Conditions:

• Payment is generally required at or before service as disclosed at booking.
• Cancellation with at least 24 hours' advance notice: may still be subject to a cancellation fee (for example, $50) depending on market, channel, and the policy shown at checkout.
• Cancellation with less than 24 hours' notice: may result in the full charge for the scheduled service.
• No-shows (including failure to be present during the scheduled window) may result in full charge and forfeit of the appointment slot.
• Rescheduling within 24 hours of the appointment may be restricted or subject to fees; same-day changes are not guaranteed.

Final fees, windows, and refund eligibility are controlled by the policy presented at booking and by the Terms & Conditions.

We may update this Notice and our Privacy Policy at any time. Changes apply to all information we maintain, including information created or received before the change, except where prohibited by law. Updated versions will be posted on this page with a new “Last updated” date. Material changes may require additional notice as required by law.

Speedy Sticks may capture images of specimens, labels, requisitions, or kit components for purposes including quality assurance, chain-of-custody verification, and operational accuracy. Imaging is limited to materials involved in collection and logistics—not routine photography of patients.

These images may contain limited Protected Health Information (PHI), such as patient identifiers present on specimen labels, and are handled in accordance with HIPAA and applicable privacy laws, including administrative, physical, and technical safeguards, access controls, and minimum-necessary use.

Speedy Sticks does not capture images, audio, or video recordings of patients during service delivery, except where explicitly required by law and with appropriate consent and process.

All such images are securely stored, access-controlled, and used solely for operational, compliance, and verification purposes, using HIPAA-compliant infrastructure on AWS and Azure consistent with this Notice. Retention follows legal, contractual, and operational requirements described elsewhere in this Notice. For related help topics, see our help center.

If you are a resident of the State of California, you are entitled to additional rights under the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”).

20.1 Categories of information we collect

We may collect the following categories of personal information:

• Identifiers (name, phone number, email, address)
• Health-related information (lab orders, appointment details, specimen-related data)
• Commercial information (services purchased, transaction history)
• Internet or electronic network activity (website usage, analytics data)
• Geolocation data (limited to operational tracking during appointments, as described in this Notice)

20.2 Sources of information

We collect personal information from:

• You directly (forms, bookings, SMS, calls)
• Healthcare providers or ordering entities
• Our website and platform systems
• Third-party integrations, when applicable

20.3 Purpose of collection

We collect and use personal information to:

• Provide and coordinate services
• Operate our platform and scheduling systems
• Communicate with you
• Improve services and operations
• Comply with legal obligations

20.4 Sale or sharing of personal information

Speedy Sticks does not sell personal information or Protected Health Information (PHI).

We also do not share health-related data for cross-context behavioral advertising or targeted advertising purposes.

Any sharing of information is limited to:

• Service fulfillment (for example, laboratories, providers, couriers)
• Legal obligations
• Operational vendors under written agreements and appropriate safeguards

20.5 Your California privacy rights

You have the right to:

1. Right to know

Request disclosure of:

• Categories of personal information collected
• Sources of information
• Business or commercial purposes for collection
• Categories of third parties receiving data

2. Right to access

Request a copy of the personal information we hold about you, subject to verification.

3. Right to delete

Request deletion of your personal information, subject to exceptions under law, including legal obligations and healthcare record retention requirements.

4. Right to correct

Request correction of inaccurate personal information.

5. Right to limit use of sensitive personal information

You may request limits on certain uses of sensitive personal information, where applicable under CPRA.

6. Right to non-discrimination

We will not:

• Deny services
• Charge different prices
• Provide lower quality service

for exercising your rights, unless permitted by law.

20.6 Exercising your rights

To submit a request:

Email: info@speedysticks.com
Phone: 347-292-9570
Fax: 347-658-1021

We may verify your identity before processing requests.

20.7 Authorized agents

You may designate an authorized agent to make requests on your behalf. We may require proof of authorization and verification consistent with law.

20.8 Data retention (California disclosure)

We retain personal information only as long as necessary for:

• Service delivery
• Legal compliance
• Operational needs

20.9 Shine the Light (California Civil Code Section 1798.83)

California residents may request information about disclosures of certain categories of personal information to third parties for their direct marketing purposes. Speedy Sticks does not disclose personal information to third parties for their direct marketing purposes as described in that statute.

20.10 Minors under 16

We do not knowingly:

• Sell or share personal information of consumers under 16
• Market to minors using personal data in violation of applicable law

20.11 Healthcare data and HIPAA alignment

Certain information we collect may be PHI protected under HIPAA and may be exempt from portions of the CCPA. Where HIPAA applies, we follow HIPAA requirements. We apply consistent privacy protections across data categories as required by law and our policies.

In the State of California:

• Speedy Sticks operates strictly as a mobile specimen collection provider
• We do not operate as a clinical laboratory
• We do not perform diagnostic testing

All specimens are:

• Collected by trained professionals
• Delivered to state-licensed, CLIA-certified laboratories

All services are conducted in accordance with California Business & Professions Code Section 1246 and other applicable state healthcare regulations.

Speedy Sticks complies with applicable U.S. state privacy laws. Depending on your state of residence, you may have additional rights. To exercise rights that apply to you, contact us using the email or phone number listed under Contact information. We may verify your identity and may decline requests where the law does not apply or an exception applies.

Virginia (VCDPA)

If you are a resident of Virginia, you may have the right to:

• Access your personal data
• Correct inaccuracies
• Delete personal data
• Obtain a copy of your data
• Opt out of targeted advertising or profiling in scope under the VCDPA

We do not engage in profiling in violation of applicable law and do not sell health data for monetary or other valuable consideration as described in the VCDPA.

Colorado (CPA)

If you are a resident of Colorado, you may have the right to:

• Access, correct, or delete personal data
• Opt out of targeted advertising, sales, or certain profiling, where applicable

Speedy Sticks does not use PHI for advertising. We limit use of data to service operations, legal compliance, and purposes described in this Notice.

Connecticut (CTDPA)

If you are a resident of Connecticut, you may have rights to:

• Access
• Correction
• Deletion
• Data portability
• Opt out of targeted advertising and certain sales, where applicable

We do not process sensitive health data for secondary purposes unrelated to providing our services without authorization where required by law.

Utah (UCPA)

If you are a resident of Utah, you may have the right to:

• Access and delete personal data
• Obtain a portable copy where applicable
• Opt out of targeted advertising or certain sales, where applicable

We do not sell sensitive data as defined under Utah law or share health data for advertising.

Texas (TDPSA)

If you are a resident of Texas, you may have rights to:

• Access, correct, and delete personal data
• Data portability
• Opt out of targeted advertising or sales, where applicable

Speedy Sticks processes data only as necessary for healthcare service delivery, scheduling, logistics, and legal compliance.

Florida (FDPA)

If you are a resident of Florida, you may have rights related to:

• Access to personal data
• Deletion requests
• Transparency in data use
• Correction and portability, where applicable

Speedy Sticks does not sell personal data as defined under applicable Florida law and does not use health data for targeted ads.

Oregon (OCPA)

If you are a resident of Oregon, you may have rights to:

• Access
• Correction
• Deletion
• Data portability
• Opt out of targeted advertising, profiling, or sales, where applicable

Delaware (DPDPA)

If you are a resident of Delaware, you may have rights to:

• Access
• Correction
• Deletion
• Data portability
• Opt out of targeted advertising or profiling, where applicable

New Hampshire

If you are a resident of New Hampshire, you may request:

• Access
• Correction
• Deletion
• Portability and appeal rights, where applicable

Montana (MCDPA)

If you are a resident of Montana, you may have rights to:

• Access
• Delete
• Correct
• Opt out of targeted advertising or profiling, where applicable

Iowa (ICDPA)

If you are a resident of Iowa, you may request:

• Access
• Deletion
• Data portability in scope under Iowa law

New Jersey (NJDPA)

If you are a resident of New Jersey, you may have rights to:

• Access
• Correction
• Deletion
• Opt out of processing for targeted advertising or sales of personal data, where applicable

Washington — My Health My Data Act (MHMDA)

If you are a Washington resident or we collect or process consumer health data in scope of the Washington My Health My Data Act (“MHMDA”), additional requirements may apply. The MHMDA can impose obligations that extend beyond HIPAA for certain categories of health-related information.

The following may apply under the MHMDA:

• Consent and notice requirements may apply to the collection and sharing of consumer health data, including in contexts not fully covered by HIPAA.
• Washington residents may have rights to access, delete, and withdraw consent for consumer health data, subject to exceptions.
• Geolocation data tied to certain health contexts may receive heightened protection.

Speedy Sticks

• Collects only data necessary to schedule, perform, and document specimen collection and logistics
• Does not sell consumer health data or share it for third-party advertising
• Uses data for operational, legal, and service purposes described in this Notice

Submit MHMDA-related requests using the email or phone number listed under Contact information. We may verify your identity before responding.

For questions about this Notice, privacy rights requests, or complaints:

Speedy Sticks LLC
Email: info@speedysticks.com
Phone: 347-292-9570
Fax: 347-658-1021

All questions and complaints regarding privacy practices should be directed using the contact information on this page. For Terms of service, see our Terms & Conditions.