Privacy Policy

CimaSystem — Privacy Policy

Effective date: August 21, 2025
Who we are: Cima System – 10800 N Military Trail, Suite 115, Palm Beach Gardens, FL 33410, [email protected]

This Privacy Policy explains how CimaSystem (“we,” “our”) collects, uses, discloses, and protects information when you use our websites, apps, and related services (the “Service”).

HIPAA Note: If you are a Covered Entity or Business Associate and we have a Business Associate Agreement (BAA) in place, we will handle Protected Health Information (PHI) as your Business Associate. If no BAA is in place, do not use features to store PHI. This Policy applies to personal information processed by us; your clinic’s own privacy notices may also apply.


1) Information We Collect

  • Account & Profile: name, contact details, clinic affiliation/role, login credentials, preferences.
  • Patient/Health Data (when enabled): information entered by you or your provider (e.g., labs ordered, assessments, nutrition plans), only in features designated for PHI.
  • Order & Payment: orders, subscriptions, billing address; payment card data is processed by our payment processor (e.g., Stripe) and not stored by us.
  • Device & Usage: IP address, identifiers, device type, browser, operating system, app version, activity logs (e.g., login timestamps, feature usage), and diagnostic data.
  • Support & Communications: messages, call notes, and email/chat records.
  • From Third Parties: labs, patient‑engagement, and fulfillment partners (e.g., Rupa Health, Bodysite, Fullscript, and Professional Formulas) may share status updates and results necessary to provide the Service.

2) How We Use Information

  • Provide, secure, and maintain the Service.
  • Create and manage accounts and subscriptions.
  • Process orders (e.g., lab tests, supplements) through third‑party partners.
  • Communicate with you (service announcements, security alerts, support).
  • Personalize features (e.g., nutrition plan templates) and improve performance.
  • Comply with law, prevent fraud/abuse, and enforce terms.
  • De‑identify or aggregate data for analytics and to improve the Service (not for advertising profiles).

Legal bases (EU/UK): performance of contract; legitimate interests (security, improvement, support); consent (where required); compliance with legal obligations.

3) Sharing & Disclosure

We share information only as needed to provide the Service, with:

  • Service providers/processors (e.g., hosting, storage, analytics, customer support).
  • Payment processors (e.g., Stripe) for billing.
  • Labs & fulfillment partners (e.g., Rupa Health, Bodysite, Fullscript, Professional Formulas, draw centers, and couriers) to place orders, coordinate collections, fulfill supplements, and deliver results.
  • Your clinic or provider if your account is associated with a clinic (subject to your clinic’s policies).
  • Legal & safety: to comply with law, respond to lawful requests, or protect rights, safety, and property.
  • Business transfers: in connection with a merger, acquisition, or asset sale.

We do not sell personal information, and we do not share it for cross‑context behavioral advertising as defined by California law.

4) Cookies & Tracking

We use strictly necessary cookies and similar technologies for authentication and security, and (where permitted) functional/analytics cookies to improve the Service. You can control cookies through your browser settings; some features may not work without them.

5) Data Retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary by data type and account status. We may retain de‑identified data after deletion.

6) Security

We use administrative, technical, and physical safeguards appropriate to the sensitivity of the data, including encryption in transit, access controls, and audit logging. No system is perfectly secure; please protect your credentials and notify us of any suspected compromise.

7) Your Rights & Choices

  • US (CA/CO/CT/VA/UT and similar laws): You may request access, correction, deletion, and information about our data practices; opt out of certain uses allowed by law; and appeal denials. We do not sell personal information.
  • EU/UK: You have rights to access, rectify, erase, restrict, object, and data portability; and to withdraw consent where processing is based on consent.
  • Exercising rights: Contact us at [email protected]. We will verify your request and respond within the time required by law. You may designate an authorized agent where permitted.

8) Children’s Privacy

The Service is not directed to children under 13 (or under 16 in the EU) and we do not knowingly collect their personal information without appropriate consent. If you believe a child has provided information, contact us to request deletion.

9) International Transfers

If you access the Service from outside the United States, your information may be transferred to and processed in the United States or other countries with different data protection laws. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses).

10) HIPAA & Business Associate Agreements

When we act as a Business Associate under HIPAA, our use and disclosure of PHI is governed by the BAA with your clinic and applicable law. In that case, the BAA controls to the extent of any conflict with this Privacy Policy. We do not use PHI for marketing or advertising.

11) Third‑Party Sites & Services

The Service may link to or integrate with third‑party services (e.g., labs, supplement vendors). Their privacy policies govern their practices; we are not responsible for their content or privacy practices.

Key integrations include: Rupa Health (lab ordering/results), Bodysite (patient engagement & care plans), Fullscript (supplement ordering/fulfillment), and Professional Formulas (product catalog/fulfillment). Use of these services is subject to their own terms and privacy notices; where required, we execute Business Associate Agreements (BAAs).

12) Changes to this Policy

We may update this Policy from time to time. Material changes will be posted in the Service with an updated effective date. Your continued use after changes take effect signifies acceptance.

13) Contact Us

Questions or requests: [email protected]
Postal: Cima System – 10800 N Military Trail, Suite 115
Palm Beach Gardens, FL 33410