Privacy Policy

Introduction

Welcome to HealthTree®, tools (Cure Hub, Connect, Coach, University, Events, Chapters, and Podcasts) created by the HealthTree Foundation ("Company", "We", "Us"). HealthTree is a data platform for cancer patients, researchers, and clinical practitioners to help advance cures.

Please read this Policy carefully to understand our practices regarding your information. By accessing or using the Platform, you agree to this Privacy Policy. If you do not want to agree to this Privacy Policy, you must not access or use the Platform.

We may revise this Privacy Policy from time to time. Upon any material changes, you will be notified upon entering the platform that this policy has been updated with a link to the policy. Clicking ok on this message is your agreement to what is contained within this privacy policy.

Purpose of This Privacy Policy

The purpose of this Policy is to explain how we collect and use information about you through the Platform, including personally identifiable information that you provide to us, such as your name, demographics, age, email address, phone number, birthdate, fitness level, and information about your medical history, health conditions, and prior treatments (“Personal Information”). We want you to know how your Personal Information will be protected, under what circumstances we may share it with third parties, and for what purposes.

This Policy describes the types of information we may collect from you (paper records, electronic records, e-mail, text, chat, and other electronic messages) or that you may provide when you visit https://www.healthtree.org/ (the "Platform") and our practices for collecting, using, maintaining, protecting, and disclosing that information.

The Policy does not apply to information collected by us offline or through any other means, including on any other website operated by Company or any third party, including through any application or content (including advertising) that may link to or be accessible from the Platform.

Why We Collect Your Personal Information

HealthTree provides information about potential treatment options and clinical trial matching. This requires the collection of Personal Information in order to process and display personalized treatment possibilities or clinical trials and other information tailored to your needs, such as collective reports (e.g., time to progression based on treatment, fitness level impact on overall outcomes, etc.).

The treatment options are only suggestions of the options available to you as a patient for your own research purposes. They are not medical advice coming from a human or an automated decision-making (ADM) tool using algorithms to make choices about you or for you.

We Care About Your Privacy

Sharing information benefits other cancer patients and the research communities, but we want you to understand exactly what you are sharing and how your information is protected.

The information you share about yourself, your condition, and your treatments becomes part of a database that is normalized and anonymous. This database is used for research purposes.
You will be asked to choose a username and profile picture that appear throughout the platform. We recommend choosing a username and profile picture that are non-identifying if you don't want people to know who you are.
At any time, you may revoke your consent to this Policy and our Terms of Use and stop using the Platform. You can deactivate your account anytime by going to your account profile. Your account will become inactive immediately upon deletion. Many people accidentally delete their accounts. If you decide to reactivate your account, you have seven days to request reactivation without losing any information previously entered by emailing support@healthtree.org or calling us at 1-800-709-1113. Your account, including any data in your profile, will be permanently deleted exactly seven days after it becomes inactive.
We maintain all accounts as active accounts regardless of use or how frequently accessed. We do not delete accounts due to a lack of use over a certain period of time.

Opting Out or Deleting Your Account And Data

HealthTree believes that your medical data is yours. Your data does not belong to the company or anyone else. You always have the right to remove your data from our database. To remove your data and/or delete your account:

Sign in to HealthTree
In the top right side, click on the circle next to the bell for notifications.
Select Delete Accounts
You can select the programs you want to remove data from or delete the account to remove your entire account and all the data associated with it.

You can also contact us directly at support@healthtree.org or by calling 1-800-709-1113, and we will delete your account and all associated data.

Communication and Updates

We may use your email address to send you updates about our products, services, research opportunities, events, relevant clinical trials, and fundraising. These communications are intended to keep you informed about advancements that may interest you.

You can opt out of these communications at any time by following the unsubscribe link in our emails, replying STOP to any SMS messages, or contacting us directly at support@healthtree.org or calling 1-800-709-1113.

Why Should You Share Your Data

Curing cancer is a group effort; there is power in numbers, and when we combine our medical information, the power becomes immeasurable. Our lives become one big story that has the context researchers are looking for.

At HealthTree, we believe the answers to a cure are out there, but we can't get to them. Sharing your data allows researchers to see you as a whole person rather than just a certain part of you at a certain time. Building a robust flow of data that represents you provides the potential to find the answers that move us to a cure faster.

Many of the recently approved treatments started in development 17 years ago. That is way too long for life-saving drugs, and we believe sharing our data can cut that time in half, if not more.

HealthTree acquires your medical information to provide you with a personalized list of treatment options and matches you to clinical trials for which you meet the inclusion criteria. HealthTree also shared deidentified data with vetted academic researchers to further their research capabilities, and that can help us get to cures faster.

Consent to Collect Your Personal Information

You must register to use HealthTree and create a profile that may include your Personal Information. We collect information about you relating to your care and treatment directly from you and third parties. There are three ways to share your information with HealthTree.

Connect your facilities portal (electronic medical records) to the platform. During this process you are able to select only the data that you want to share. By doing so, your information will update automatically on the platform.
Share your username and password for your facility portal if an electronic connection does not exist between your facility and HealthTree. HealthTree's medical team will complete your HealthTree Cure Hub profile using your credentials.
Request consent to collect your paper medical information from your facility if they do not have a portal.

We also offer you the option of revoking your consent ("opting out" or "unsubscribing") if you later decide that you no longer want to use the Platform or receive additional information from us. If we wish to use this information for purposes incompatible with the purposes for which the data was initially collected, we will offer an effective way to opt out of the secondary use.

You may be invited to participate in surveys facilitated by the Company, third parties, or researchers. Your responses will be received and stored on HealthTree servers. We may collect and publish profile information and postings (Twin Machine or Connect) on the Platform to permit users to share information with each other and with other partners. We may also use HealthTree Connect posts in email communications to encourage answers, help inform other users, and encourage involvement in our communities. We may also collect the information you share with our support team.

You may choose to participate in surveys that ask questions about you and your family's medical history. These questions are optional and will not be disclosed to the general public, nor will they be sold to third parties for marketing purposes.

Importing Data By Third-Party Services and Personal Devices

You may choose to sync your Platform account from your other accounts held by third parties, such as healthcare providers, Electronic Health Record (EHR), EPIC, Cerner, The VA, NavigatingCare CareSpace, Apple Health, or wearable technology fitness monitors such as Fitbit or Apple Watch, and genetic testing companies, bio-banks, etc.)

Third parties can control or give you the option of how long your medical record connection remains in place. It can be until you disconnect the connection, or it can allow you to select anywhere from 1 hour to a year, depending on the EHR in use. If the connection stops, you will get a message from HealthTree letting you know the connection is no longer in place, and you will need to reconnect to continue syncing your records to the Platform.

By connecting your Platform account, you authorize the Platform to access your third-party account information maintained by identified third parties on your behalf as your agent, and you expressly authorize such third parties to disclose your information to us. This includes any data that may not be relevant, accurate, or timely.

All structured data will be made available in the application for your review. Some data may come in, such as a scanned document or a doctor's note. This data is not made available in the application for your review. You may request that we validate your account. A doctor will place the information from the scanned documents or the doctor's notes into a structured database that will then be made available for you to view in the application.

The Platform always allows you to remove or delete your medical information connection with HealthTree. The Epic EHR system gives users the option of how long they want their records to sync with HealthTree. For those connections, upon disconnection, you can reconnect yourself or ask HealthTree to resync your account for you. If you ask HealthTree to re-sync your account, you will be asked to provide your username and password to HealthTree.

Please note that HealthTree may log in to your third-party accounts occasionally to connect and update your Platform Account with information from your third-party accounts. More specifically, HealthTree will only log in to your third-party accounts to establish, maintain, or debug a secure connection and update or validate medical information in the Platform. Again, we will not share or disclose your Health Information or any other information associated with your third-party accounts to any other party unless you expressly direct us to do so.

If you find errors in your medical information, there is a Report An Issue button in the treatment options section where you can report errors or data you would not like to display in the platform. Reported errors will be validated and corrected in HealthTree. Please note that this does not correct the error in your care center's medical record system.

Collection of Anonymous Computer Information

We collect non-personal information such as website usage, traffic patterns, site performance, and related statistics regarding your visits to the Platform using “cookies,” which are small files placed on the hard drive of your computer through your web browser. Cookies are not associated with your personal identity. We use cookies to track users’ paths through the Platform during a visit to help us understand how people use the Platform and to recognize a repeat visitor to the Platform, enabling us to offer the user a set of services or information requested in a previous visit. You may refuse to accept browser cookies by activating the appropriate settings on your browser. However, if you select this setting, you may be unable to access certain parts of the Platform. Unless you have adjusted your browser settings to refuse cookies, our system will issue cookies when you direct your browser to the Platform.

We use cookies for several purposes, including:

Site Functionality & User Experience: To track users’ paths through the Platform during a visit, help us understand how people use the Platform, and recognize repeat visitors. This enables us to offer users services or information requested in previous visits.
Marketing & Remarketing: We use cookies to deliver personalized advertisements based on your interests and previous interactions with our Platform. This includes remarketing strategies to reconnect with visitors who have shown interest in our services or content.

The following third-party tools and platforms may set cookies on your device for marketing and analytics purposes:

Google Ads – For serving personalized ads and remarketing.
Meta Pixel (Facebook Pixel) – For tracking conversions and remarketing on Facebook and Instagram.
Google Analytics – For analyzing website traffic and user behavior.
LinkedIn Insight Tag – For conversion tracking, retargeting, and analytics on LinkedIn.

You may refuse to accept browser cookies by activating the appropriate settings on your browser. However, if you select this setting, you may be unable to access certain parts of the Platform. Unless you have adjusted your browser settings to refuse cookies, our system will issue cookies when you direct your browser to the Platform.

How We Use Your Information

We may use and disclose your Personal Information for the following purposes:

We may use and disclose information you have entered to communicate with you by email or phone for account management purposes, notifications and reminders, systems maintenance, and other purposes.
We analyze the information we collect to improve patient care. We may share de-identified data to perform research and produce reports for you as a patient and for the research community.
Your de-identified data may be shared with other users or with service providers, such as hosting and data analytics companies or third-party vendors. If your data is ever shared with any third parties, they will be bound to the terms outlined in this privacy policy.
Your data may be shared to comply with legal obligations, law enforcement requests, legal directives such as a court order or subpoena, or to protect your, our, or others’ rights, property, or safety.
When you participate in surveys that our partners or we facilitate, your de-identified information may be shared with your survey responses. Participation in such surveys is optional.
We may use information you have entered, provided, or synced, including, without limitation, information in your medical records and demographic information, with us to communicate about specific clinical trials you may be eligible for based on this information. These clinical trials may be government-sponsored or industry-funded.
We may share your information with our research partners, such as academic researchers, clinical research organizations, and sponsors that facilitate and/or provide clinical trials, real-world evidence studies, or similar research engagements, with your consent.
If you decide to participate in a survey or study requiring consent, you will opt in and know exactly what data is being shared, who will have access to that data, and you will always have the right to withdraw or opt out at any time.
Where de-identified or anonymized information is shared with a third-party partner in connection with a survey, study, or research activity, and participant consent limits the sharing of personal information, such partner is prohibited from attempting to re-identify any individual, whether through data matching, aggregation with other datasets, reverse engineering, or any other means.
If a survey or study includes consent to not share personal information, the partner we are doing the study or survey with cannot attempt to re-identify any de-identified for anonymized information shared with them.
From time to time, we may offer services or content in partnership with other organizations. To use those partner services, you may need to complete a new online registration. When you decide to share your data outside of HealthTree, the data practices under this Privacy Policy will no longer apply to the information held by that outside entity.
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your Personal Information may be disclosed in connection with the negotiation of such transaction, and/or sold or transferred as part of such a transaction as permitted by law and/or contract. You will be notified by email twice before any ownership or transition of service changes. Upon your request, your entire HealthTree profile, which includes your account information and all of your data, will be permanently deleted.
We do not contract with insurance companies or provide insurance companies access to your Personal Information. However, we cannot guarantee that insurance companies will not be able to access the de-identified information publicly available on HealthTree’s website.
We will not disclose your Personal Information to the general public. We will not sell your Personal Information, family members' personal information, or any other individual identified in your HealthTree profile for third-party marketing purposes.

Medical Record Research Retention

HealthTree is required to keep the medical records of participants involved in some of our research studies. HealthTree's policy on these studies is to keep such research-related records on file for six years.

Reference the following federal agencies' policies below:

The Department of Health and Human Services regulations require that records be kept for three years (45 CFR 46.115(b) and 21 CFR 56.115(b)).
For research subject to the Health Insurance Portability and Accountability Act (HIPAA), records must be kept for six years after completion (45 CFR 164.530(j)). This includes records of IRB determinations of waivers of authorization, and records of disclosure not listed in the consent and authorization document (e.g., secondary analysis of data studies conducted under a waiver).
For federal agencies, the length of record retention can be determined by the grant period. Depending on the agencies, records must be kept for up to seven years from the expiration of the grant.
For studies regulated by the Food and Drug Administration, records must be kept for two years after the last marketing approval (21 CFR 312.62).

How We Protect Your Information

You agree that the information you provide to us through the Platform is accurate and that you will keep it up-to-date. When you register for a user profile on the Platform, you will be asked to provide a password. You are solely responsible for maintaining the confidentiality of your user profile and password, and you accept responsibility for all activities that occur under your user profile.

If you believe that your account is no longer secure, you must immediately notify us at support@healthtree.org or by calling 1-800-709-1113.

The account in question will be immediately deactivated while we investigate the suspected issue. Any issues discovered will be addressed to prevent further security issues. The account holder and any other accounts affected by the issue will be notified of any actions required on their part.

The company is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and therefore is not required by law to comply with HIPAA’s requirements for handling protected health information. The company has a security program in place that seeks to mitigate risk and to use reasonable and appropriate procedures and technologies to help protect the confidentiality of Personal Information collected through the Platform. We periodically review and modify our security policies and procedures, as appropriate.

Please note that despite our precautions, no website can be absolutely protected against intentional or malicious intrusion. Furthermore, the Company does not control the devices, computers, or networks over which you may choose to send Personal Information to the Platform, and therefore cannot prevent potential interceptions or compromises to your information while in transit to the Platform. The Company has implemented measures designed to safeguard your Personal Information, but cannot make any guarantees as to the security, integrity, or confidentiality of electronic communications made over the Internet or any information transmitted to or from or maintained on the Platform.

Security Program

Patients who join the HealthTree Cure Hub are willing to share their data. Our security model is built on top of Google’s best-in-class network that offers secure-by-default encryption mechanisms.

The following security best practices are in place:

Encryption in transit

All of the communications from our web and mobile clients to our Google server environment are encrypted in transit using TLS. This ensures that the patient’s data is safe, no matter the network from which they are accessing the platform. Removing the need to trust the lower layers of the network, which are commonly provided by third parties.

Encryption at rest

All of the data on both Firestore and Google HealthCare APIs is encrypted at rest using AES256. This provides an extra level of security for our patients in case of any unauthorized physical access to the storage.

Role-based access

The platform uses a role system to give granular access to administrative users. The platform supports Super Admins, Patient Experience Members, Coaches, Caregivers, and Patients.
The role system can be extended to support more roles.

Traceability

All of the operations to Firestore and Google HealthCare APIs are traceable, meaning that every time any of the different users read, edit, or delete any data, the system logs an event containing the difference between the old and new data and the following metadata: User, Role, Timestamp, Operation Type. This mechanism allows a granular audit trail of any authorized or unauthorized access to the data.

Two Factor Authentication - 2FA

All users with administrative access to the admin panel platform are forced to implement a mechanism for two-factor authentication. This provides an extra security layer in case credentials are compromised or a device is stolen.

Data storage

Your medical data is not stored on your device; it is stored on Google Cloud Services.

Accessing other data

This technology or app does not request access to other device data, such as your phone’s camera, photos, or contacts.
This technology or app does not allow you to share the collected data with your social media accounts.

What Happens If There Is A Data Breach

If there has been a breach of your data (your information is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so) HealthTree will reach out to you via email and a written letter mailed to the address on file informing you of the breach and what to do next.

What will HealthTree do?

Investigate the breach ASAP to understand what was taken, who it was taken from, and how it was taken.
Informing you of:
1. The type of breach
2. What information was affected
3. What you need to do to mitigate losses is to change your password
4. What HealthTree will do to mitigate and correct the breach
5. How HealthTree will prevent the same issue from occurring again

If you believe that your account is no longer secure, you must immediately notify us at support@healthtree.org or by calling 1-800-709-1113.

Applicable to California Residents

California Civil Code Section § 1798.83 permits users of the Platform that are California residents to request certain information regarding the disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please contact us at support@healthtree.org or call 1-800-709-1113.

If you reside in California, you have the right to ask one (1) time each year if we have shared your Personal Information with third parties for their direct marketing purposes. Keep in mind, at the present time, we do not share any information for marketing purposes. If you would like to make a request, send an email to support@healthtree.org or call 1-800-709-1113, indicating that you are a California resident making a “Shine the Light” request.

International Users

The company operates solely in the United States, and the Platform is intended to be used by persons residing in the United States. If you choose to use our Services from the European Economic Area, the United Kingdom, or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that by accessing and using the Platform, you consent to the transfer of your Personally Identifiable Information to the United States and the processing of your information in the United States. By providing any information, including personal information, on or to the Platform, you consent to such transfer, storage, and processing and acknowledge that US law may not offer the same privacy protections as the law of your jurisdiction.

If you are a resident of the European Economic Area (EEA), you have certain data protection rights. If you wish to be informed what Personal Information we hold about you and if you want it to be removed from our systems, please contact us at support@healthtree.org or call 1-800-709-1113.

In certain circumstances, you may have the following data protection rights:

The right to access, update, or delete the information we have about you.
The right of rectification.
The right to object.
The right of restriction.
The right to data portability.
The right to withdraw consent.

Platform Not Intended For Use By Children Under 13 Years of Age

We do not knowingly collect Personal Information from children under 13 years of age. If you are under 13, do not use or provide any information on or through the Platform or any of its features, or provide any information about yourself to us, including your name, address, telephone number, e-mail address, or any screen name or user name you may use. If we learn that we have collected or received Personal Information from a child under 13 without verification of parental consent, we will delete such information. If you believe we may have any information from or about a child under 13, please contact us at support@healthtree.org or call 1-800-709-1113.

Updates to Privacy Policy

You can determine when this privacy policy was last updated by checking the effective date in the section. We encourage you to review our Privacy Policy periodically to stay up-to-date about our privacy practices. As long as you use the Platform, you are agreeing to this Privacy Policy and any updates made to it. If you have questions regarding this Privacy Policy, please contact us at support@healthtree.org or call 1-800-709-1113.

Contact Us

If you have any questions, comments, or concerns, you may contact us at support@healthtree.org, call us at 1-800-709-1113, or you can write to:

HealthTree Foundation

10897 S River Front Parkway

Suite #550

South Jordan, Utah 84095

This Privacy Policy was last updated on June 8, 2026.