The Privacy Policies of the Top 15 GLP-1 Telehealth Sites, Scored
Most privacy policies are written to satisfy lawyers, not to inform patients. The structure is the same on every site — definitions, types of information collected, how it's used, how it's shared, your rights — and the hard work of reading one is separating the real protections from the boilerplate.
Rather than publish a specific score for each of the 15 largest GLP-1 telehealth providers (that score will be on our live-updated Watchlist, because these policies change often enough that a static table would go stale within weeks), this piece explains our scoring framework. Once you understand what we look for, you can apply it to any provider yourself in about 10 minutes.
Why we built a scoring framework
Reading a privacy policy front-to-back is boring. Most people don't do it. We needed a way to make the comparison mechanical: eight questions, each scored 0-2 points, for a total of 16. Anything under 10 raises a flag. Anything at 14 or above is a policy we'd describe as well-written.
The eight questions
1. Is there a clear separation between the marketing entity and the medical entity?
Legitimate telehealth operations usually have two distinct legal entities: the consumer-facing brand (LLC) and the medical practice that actually employs the prescribing clinicians (PC or PLLC). The privacy policy should explain this and describe how data flows between them.
- 2 points: The policy clearly names both entities and explains the HIPAA-covered boundary.
- 1 point: The policy mentions the structure but doesn't clearly explain data flow.
- 0 points: The policy treats the entire operation as one entity with no mention of the medical practice.
2. Are third-party trackers on pre-HIPAA pages disclosed and enumerated?
If a site uses Meta pixels, Google Analytics, TikTok pixels, or similar, the privacy policy should list them by name. Vague references to "third-party analytics partners" are a yellow flag; specificity is a green flag.
3. Is the pharmacy partner named?
You are entitled to know which 503A compounding pharmacy or licensed dispensing pharmacy will fill your prescription. The best policies name the pharmacy, state its license number or NABP ID, and describe the BAA relationship.
4. Is there a clear data retention policy with time limits?
"We retain your information as long as necessary to provide services and comply with legal obligations" is boilerplate. A good policy says something specific: medical records retained for X years (driven by state law, usually 6-10 years for adults), marketing data retained for Y, ID verification photos retained or deleted within Z.
5. Are de-identified data sales and research partnerships disclosed?
Many telehealth companies monetize de-identified outcomes data. This is legal if done correctly, but should be disclosed. The policy should reference the HIPAA Safe Harbor method or an expert determination, and should describe whether research partners receive any re-identifiable data.
6. Are the patient's rights clearly enumerated?
Under HIPAA, you have: the right of access, the right to request amendments, the right to an accounting of disclosures, the right to request restrictions, and the right to confidential communications. A good policy lists these rights specifically, with the email address or form to exercise each. A bad policy buries them in a paragraph and asks you to mail a letter.
7. Are state-level protections referenced?
If the company operates in California, Washington, Colorado, Virginia, or other states with stronger privacy laws, the policy should include state-specific sections. The California CMIA, Washington's My Health My Data Act, and the state biometric laws all create obligations beyond HIPAA.
8. Is there a breach notification procedure?
In the event of a breach, how does the company notify you, how quickly, and what does it commit to do for affected patients? Strong policies describe a specific notification timeline (60 days is the HIPAA maximum; 30 is better) and mention free credit monitoring where appropriate.
Red flags that knock points off fast
- Pre-checked consent boxes for sharing with "affiliated brands" or "third-party marketing partners."
- Arbitration clauses with class action waivers tucked into the terms of service referenced by the privacy policy. This isn't strictly a privacy issue, but it affects your remedies if the policy is violated.
- "We may update this policy at any time without notice." The best policies commit to a 30-day notice period and maintain an archive of prior versions.
- No effective date or last-updated stamp on the policy. You can't tell what you agreed to without a version history.
- Any reference to selling identifiable patient data to advertisers. This should be zero, full stop.
The categories we see on real policies
After reading many privacy policies, we find they cluster into four practical tiers:
- Well-crafted, patient-first (score 14-16): Usually from companies whose core business has meaningful clinical operations. Specificity, clear data flow diagrams, named pharmacy partners.
- Standard compliant (score 10-13): Meets HIPAA, hits state law requirements, but doesn't go beyond. These are fine — most of the industry sits here.
- Compliant but evasive (score 7-9): Technically legal but full of vague language, unnamed partners, and broad "affiliated brands" grants. Read carefully before signing up.
- Red-flag territory (score 0-6): Missing major elements, pre-checked consents, aggressive data grants. Consider alternatives.
How to apply this yourself in 10 minutes
- Open the privacy policy in a browser tab. Don't read it top to bottom yet.
- Ctrl-F for: "pharmacy," "third party," "sell," "marketing partner," "arbitration," "retain," "Meta," "pixel," "California," "affiliated."
- Jump to each hit. Each gives you a data point for one of the eight questions.
- Score each question 0, 1, or 2. Add them up. Anything below 10 is a yellow light.
- Open the Terms of Service in a second tab. Check the arbitration clause and the class action waiver. Privacy protections are only as good as your enforcement options.
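The keyword pass and the scoring arithmetic from the steps above, written up as an added Python example that is not part of the original article. The keyword-to-question mapping is my reading of the eight questions, and the sample policy text is constructed for the demo, not taken from any real provider.

```python
import re

# Ctrl-F keywords from the article, mapped to the question each one informs.
# The mapping is an assumption; "flag" marks terms that point at the red-flag list.
KEYWORDS = {
    "pharmacy": 3, "third party": 2, "sell": 5, "marketing partner": 2,
    "arbitration": "flag", "retain": 4, "meta": 2, "pixel": 2,
    "california": 7, "affiliated": "flag",
}

# Tiers from the article as (minimum score, label), checked top-down.
TIERS = [(14, "well-crafted, patient-first"), (10, "standard compliant"),
         (7, "compliant but evasive"), (0, "red-flag territory")]

# Constructed sample policy fragment for the demo (not from any real provider).
SAMPLE_POLICY = (
    "We use the Meta pixel and other third-party analytics on our marketing pages. "
    "Prescriptions are filled by a licensed partner pharmacy. We retain medical "
    "records for 7 years. We do not sell identifiable patient data. Disputes are "
    "subject to arbitration under our Terms of Service. We may share data with "
    "affiliated brands. California residents have additional rights under the CMIA."
)


def find_hits(policy_text, window=40):
    """Return {keyword: [context snippets]} for every keyword found.

    Like a Ctrl-F, matching is case-insensitive and only anchored at the start of
    a word, so "retain" also finds "retained" and "sell" finds "selling" (and
    "meta" would hit "metadata"); a space in a keyword also matches a hyphen.
    Each snippet carries +/- window characters so a human can judge the hit.
    """
    hits = {}
    for kw in KEYWORDS:
        pattern = r"\b" + r"[\s-]+".join(re.escape(w) for w in kw.split())
        for m in re.finditer(pattern, policy_text, flags=re.IGNORECASE):
            start, end = max(0, m.start() - window), m.end() + window
            hits.setdefault(kw, []).append(policy_text[start:end].strip())
    return hits


def questions_touched(hits):
    """Split hits into the questions they inform and the red-flag terms seen."""
    questions = {KEYWORDS[kw] for kw in hits if KEYWORDS[kw] != "flag"}
    flags = {kw for kw in hits if KEYWORDS[kw] == "flag"}
    return questions, flags


def score_policy(scores):
    """Validate eight 0-2 scores; return (total, tier label, below-10 yellow light)."""
    if sorted(scores) != list(range(1, 9)):
        raise ValueError("need scores for exactly questions 1..8")
    if any(v not in (0, 1, 2) for v in scores.values()):
        raise ValueError("each question is scored 0, 1 or 2")
    total = sum(scores.values())
    tier = next(label for minimum, label in TIERS if total >= minimum)
    return total, tier, total < 10
```

The hits only tell you where to look; the 0/1/2 judgement for each question is still yours, and the Terms of Service check in the last step needs a second run over that document.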
What we wish privacy policies did (but they don't)
If we were designing the perfect GLP-1 telehealth privacy policy, it would:
- Include a one-page plain-English summary at the top
- Specify every third-party vendor by name (not just "analytics providers")
- Commit to a data minimization principle: collect only what's needed for treatment
- Provide a self-service portal to review, export, and delete your marketing data
- Maintain a public version history so you can see exactly what changed and when
- Publish an annual transparency report showing law enforcement requests, subpoenas, and de-identified data sales
A handful of larger healthcare companies have started publishing transparency reports in the mold of tech platforms. None of the dedicated GLP-1 telehealth brands has, to our knowledge, published one. This will probably change as regulatory pressure and consumer awareness grow.
Bottom line
A privacy policy is a contract you sign on behalf of your future self. It governs what happens to your data for years — usually longer than you'll be a customer. Ten minutes of scoring before you sign up is the cheapest privacy insurance you'll ever buy. If a provider you're considering scores in the bottom tier, the right move is usually to pick someone else. If they score well, keep a copy of the version you agreed to; the policy can change later, but the version in effect when you enrolled is the one you're entitled to.