Legal

Privacy Policy

ApexTruth Health LLC | Version 1.1 | Last updated May 27, 2026

Plain English first. This policy is written to be understood, not to bury things in legal language. Every section explains what we do, why we do it, and what your options are. Questions: hello@apextruthhealth.com

Who we are

ApexTruth Health is an independent health research publication and clean living marketplace. We follow the funding on every claim we publish. We name the funders. We show primary sources. Every product on the marketplace comes from an independent American business that meets our sourcing standards.

We exist because Americans are making health decisions based on research funded by the people who profit from the outcome. This site is our answer to that.

Contact: hello@apextruthhealth.com | 6701 Corporate Dr Ste N, Johnston, Iowa 50131

What we collect and why

1. Information you give us directly

When you create an account:

  • Email address
  • First and last name
  • Password (stored as a bcrypt hash; we never see your actual password)

We use this to identify you across sessions, send you order and account emails, and let you save articles and health notes.

When you place an order:

  • Shipping address
  • Phone number (optional, used for delivery questions)
  • Payment information

Your payment details are handled by Stripe. We do not store or see your card number, expiration date, or CVV. Stripe processes all payment data under their own PCI-DSS compliance. See stripe.com/privacy.

When you subscribe to the newsletter:

Email address only. We do not require a name. You can unsubscribe from any email with one click.

When you use ATH Coach:

  • Intake profile data you choose to provide: age, biological sex, height, weight, training experience, goals, injuries, sport, season phase
  • Messages sent to the coaching interface
  • Training plans generated during your sessions
  • Subscription status and billing information (handled by Stripe)

Coaching sessions use the Anthropic API to generate responses. Messages are sent to Anthropic for processing and are subject to their data handling practices. We do not store your coaching messages beyond the current session context window. Your intake profile and generated training plans are stored in your account and visible only to you. We do not use coaching conversation data to train models or for any purpose other than generating your response.

When you use ATH Labs:

  • Biomarker values you enter manually
  • Lab result PDFs you upload for extraction (see note below)
  • Test dates and lab names you provide
  • Biomarker history across multiple sessions

Lab result data is stored in your account and is only accessible to you. We do not share your biomarker data with third parties, insurers, employers, or advertisers. Your lab data is permanently deleted when you delete your account.

PDF uploads: if you upload a lab result PDF, the file is sent to the Anthropic API for data extraction and is immediately discarded. We do not store the PDF itself at any point. Only the extracted biomarker values are saved to your account, and only after you review and confirm them.

ATH Labs provides research context and educational information. It is not a medical service and does not constitute a clinical relationship. Lab result data handled within ATH Labs under the current model (manual entry and PDF upload by the user) is not subject to HIPAA because no covered entity transmits data to ATH. If a lab partner API integration is activated in a future phase, this policy will be updated to reflect the applicable HIPAA framework before that integration goes live.

When you apply to sell on ATH or register on Farm Direct:

Business name, contact information, address, and product details. Farm contact information (email, phone, USDA farm number, Stripe account details) is never shown in public pages. It is used only for platform operations and seller payouts.

2. Information collected automatically

Analytics

We use PostHog and Google Analytics 4. Both collect standard web analytics data: pages visited, time on site, browser type, approximate location (city/region level, not precise), and how you arrived. Neither collects your name or email unless you provided it separately. You can opt out of GA4 at tools.google.com/dlpage/gaoptout.

Error monitoring

We use Sentry to capture errors. Sentry logs include page URLs, browser information, and anonymized IP address fragments. Sentry does not log passwords, payment information, or email addresses.

Server logs

Our hosting infrastructure (Vercel, Railway) generates standard server logs including IP addresses, request timestamps, and status codes. Retained for 30 days, used for debugging and security only.

3. Bot prevention and security

Cloudflare

All traffic passes through Cloudflare. Cloudflare inspects traffic patterns to detect and block automated bot traffic before it reaches our servers. See cloudflare.com/privacypolicy.

Cloudflare Turnstile (invisible mode)

We use Cloudflare Turnstile on our account creation, sign-in, and password reset forms. Turnstile verifies you are human without showing a checkbox or image challenge. It analyzes behavioral signals (mouse movement, timing, browser characteristics) invisibly. Most users will never see any indication it is running.

As required by Cloudflare for invisible mode use: by using apextruthhealth.com, you acknowledge that Cloudflare Turnstile may process data about your browser and interaction patterns as described in the Cloudflare Turnstile Privacy Addendum. Turnstile does not use cookies, does not track you across sites, and does not build advertising profiles.

Cookies

We use a small number of cookies to make the site work:

Cookie | Purpose | Type | Duration
_medusa_jwt | Keeps you signed in | Essential | Session
_medusa_cache_id | Region routing | Essential | 24 hours
_ga, _ga_* | Google Analytics | Analytics | 2 years
ph_* | PostHog analytics | Analytics | 1 year

We do not use advertising cookies. We do not use third-party tracking cookies. We do not sell data to advertisers or data brokers. If you block all cookies the site will still work for reading articles; you will not be able to stay signed in.

How we use your information

We use the information we collect to:

  • Process orders and route them to the correct seller
  • Maintain your account and its features (saved articles, health notes, order history)
  • Send transactional emails (order confirmations, shipping, password resets)
  • Send the newsletter if you subscribed
  • Detect and prevent fraud, spam, and bot activity
  • Debug errors and improve the site
  • Understand aggregate usage patterns

We do not use your information to:

  • Sell or rent it to third parties
  • Build advertising profiles
  • Train AI models on personal data
  • Contact you with promotions from other companies

Your health data pledge

ATH collects health-related information to personalize your experience: biomarker results, coaching intake profile, health score inputs, and responses to profile questions. This data is governed by a commitment that goes beyond standard privacy language.

We will never sell your individual health data. Not to insurance companies. Not to hospitals or health systems. Not to pharmaceutical companies, employers, advertisers, data brokers, or research institutions. Not to anyone. This is not a policy that changes with ownership or funding. It is a founding commitment.

We will never share your individual health data. Your biomarker results, lab values, coaching conversations, health score inputs, and profile responses are accessible only to you through your authenticated account. No employee, contractor, or partner has access to individual user health data for any purpose outside of resolving a technical support issue you have explicitly requested help with.

What your health data is used for. Your health data has exactly two uses: generating your personalized outputs on ATH (your score, your coaching responses, your content recommendations), and improving the underlying predictive models that generate those outputs over time. That is the complete list.

Research, grants, and publications. ATH is pursuing federal research funding to improve the models that power your health score. Any research publication, grant application, or external scientific communication uses only aggregate, non-identifiable data derived from the model. No individual record is ever included in research output. The model improves. Your identity stays private. If you ask us to delete your account, your data is removed from all systems and is never included in any research output from that point forward.

Your data if ATH is acquired. If ATH is acquired by another company, this health data pledge transfers as a binding contractual obligation. A buyer cannot change it. If a proposed acquisition would require modifying this pledge, ATH will give users 90 days' notice and the option to delete their accounts and all associated data before the transaction closes.

Who we share data with

We share data only with the services that make the site run. These are infrastructure providers, not advertising partners:

Service | What they receive | Why
Stripe | Payment data, purchase amount, billing address, subscription status | Payment processing and subscription billing
Anthropic | Coaching messages (session only), lab PDF content (discarded after extraction) | AI response generation and lab PDF parsing
Cloudflare | All traffic | CDN, security, bot prevention
Vercel | Storefront traffic | Hosting
Railway | Backend traffic | Hosting
Resend | Email address, order details | Transactional emails
Cloudinary | Product and editorial images | Image hosting
PostHog | Anonymized usage data | Analytics
Google Analytics | Anonymized usage data | Analytics
Sentry | Error data, anonymized session info | Error monitoring

Sellers receive the shipping information needed to fulfill your order: your name, shipping address, and the items ordered. Sellers do not receive your email address, payment details, or account information.

We do not share data with data brokers, advertising networks, or anyone outside the list above.

Data storage and security

  • Passwords are hashed using bcrypt (minimum 12 rounds). We cannot retrieve your password.
  • Email verification tokens are stored as SHA-256 hashes and expire in 24 hours.
  • All traffic is encrypted in transit via HTTPS/TLS.
  • Backend database and CMS run on Railway's US infrastructure. Storefront runs on Vercel's edge network. All US-based.
  • We do not store payment card data on our servers at any point.

Your rights

Access: You can request a copy of the personal data we hold about you.

Correction: Update your account information at apextruthhealth.com/account/profile or email us.

Deletion: Request deletion of your account and associated data. Order records may be retained for accounting and legal compliance for up to 7 years.

Unsubscribe: Every newsletter email has a one-click unsubscribe link.

California residents (CCPA): We do not sell personal information. We do not share personal information for cross-context behavioral advertising. To exercise your rights, email hello@apextruthhealth.com.

European residents (GDPR): Our legal basis for processing is contract performance (account and order operations) and legitimate interest (analytics, security). You have the rights of access, rectification, erasure, restriction, and portability. Email hello@apextruthhealth.com. You also have the right to lodge a complaint with your local data protection authority.

Children

This site is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, email hello@apextruthhealth.com and we will delete it.

Changes to this policy

When we make a material change we will update the version and date at the top of this page and notify newsletter subscribers if the change is significant. Continued use of the site after a change constitutes acceptance of the updated policy.

Material changes include: adding a new third-party data processor, changing how we use your data, or any change that meaningfully affects your rights. Minor wording clarifications and formatting updates do not require notice.

Contact

For privacy questions, data requests, or concerns:

hello@apextruthhealth.com
ApexTruth Health
6701 Corporate Dr Ste N, Johnston, Iowa 50131

We respond to all privacy requests within 30 days.

Version history

Version | Date | Changes
1.1 | May 27, 2026 | Added ATH Coach data handling (intake profile, coaching sessions, Anthropic API), ATH Labs data handling (manual entry, PDF upload, biomarker storage, HIPAA note), Anthropic added to third-party sharing table, Stripe entry updated to reflect subscription billing.
1.0 | May 23, 2026 | Initial policy. Covers accounts, Stripe, analytics (PostHog + GA4), Cloudflare Bot Fight Mode, Cloudflare Turnstile invisible mode, Sentry, Resend, Farm Direct seller data handling.