Privacy Policy
How we collect, use, and protect information on our website.
Effective Date: July 11, 2026
Summary: We use PostHog as first-party analytics to operate and improve this Site. PostHog is served through our domain under a HIPAA business associate agreement and is not connected to advertising platforms.
PostHog runs when you visit unless you choose “Reject” in our consent banner or your browser sends a Global Privacy Control (GPC) signal.
Third-party tools such as Google Analytics, Google Tag Manager, and advertising pixels (for example Google Ads or Meta) load only if you affirmatively choose “Accept.”
We do not sell your information.
If you Accept, we may use information from your Site use for our own advertising and measurement — that use is not passive; you must Accept.
If you are uncomfortable with these practices, do not use the Site.
This policy covers our website only — medical records we keep as your healthcare provider are governed by our separate Notice of Privacy Practices.
1. About This Policy
Herself Health (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect information through our website. It applies to any website page that links to this policy (the “Site”).
This policy does not apply to companies we do not own or control, or to people we do not employ. If you do not agree with this policy or the data practices described here, please do not use the Site. Nothing in this Policy waives or limits any rights you may have under the California Consumer Privacy Act, as amended (Cal. Civ. Code §§ 1798.100 et seq.). Except as described here, we do not sell, rent, or disclose the personal information collected on our Site for others’ independent commercial purposes.
2. This Policy vs. Your Medical Records
This Privacy Policy governs information collected through the Site only. It does not govern Protected Health Information (“PHI”) that we create, receive, maintain, or transmit as a HIPAA-covered healthcare provider in connection with your care.
Our handling of your health information is governed by our Notice of Privacy Practices, the federal HIPAA rules, and the Minnesota Health Records Act — not by this website policy.
3. Information You Give Us
Generally, you can visit our Site without telling us who you are. When you choose to contact us or request information, we collect what you provide. Our “Contact Us” forms typically ask for your name, phone number, email address, and the best time to reach you, plus anything you choose to type in a free-text field.
Please do not include sensitive information — such as health details, financial information, or Social Security numbers — in our forms, or in regular email or text messages, which are not secure. Providing information is optional, but some features may not work without it (for example, requesting more information or booking a visit).
We may use the information you give us to send you information about our services, to maintain and improve the quality of our services, and to follow up on questions or concerns. If we receive similar questions from many people, we may post a general answer in an FAQ without identifying you.
4. Information Collected Automatically
When you visit our Site, some information may be collected automatically to help the Site work properly and to help us understand and improve it. Strictly necessary cookies and first-party analytics (PostHog) may run as described below unless you Reject or your browser sends a GPC signal. Third-party analytics and advertising technologies load only after you Accept.
Device and usage information
We (or our service providers) may collect details such as your browser, operating system, IP address, general location, date and time of your visit, device type, the website you came from, the pages you view, and how long you spend on them.
Cookies
Cookies are small pieces of data stored on your device. We use both session and persistent cookies. You can manage non-essential cookies through our consent tool, and you can also accept, reject, or be notified about cookies through your browser settings. Turning off some cookies may affect how the Site works.
Links, embedded content, and social buttons
Our Site may link to other websites or include embedded content or social-media buttons (for example, from Facebook, Instagram, YouTube, or X). These third parties may set their own cookies. Where these function as advertising or cross-site tracking, we load them only after you opt in through our consent banner. We are not responsible for the privacy practices of these third-party services.
5. Analytics by Default; Advertising Only With Your Accept
Summary: First-party analytics (PostHog) runs unless you choose “Reject” or send a GPC signal. Third-party analytics and advertising technologies — including Google Analytics, Google Tag Manager, Google Ads, and Meta pixels — do not load unless you affirmatively choose “Accept.” We honor the Global Privacy Control and similar browser opt-out signals.
When you first visit the Site, we show a consent banner that links to this policy and lets you Accept or Reject cookies and tracking technologies. You can change your choice at any time through our consent tool.
We use a limited set of service providers to operate, host, secure, and analyze the Site. Where a provider may handle information that could include health information on our behalf, it does so under a HIPAA business associate agreement (“BAA”). Advertising and third-party measurement tools, if any, operate only after you Accept.
6. The Service Providers We Use
Hosting (Vercel)
Our Site is hosted by Vercel Inc., which processes the technical information needed to deliver, secure, and operate the Site. Vercel acts as our service provider under a business associate agreement.
First-party product analytics (PostHog)
We use PostHog to understand how visitors interact with the Site so we can operate, secure, and improve it. PostHog is configured as our first-party analytics tool: it is served through our domain via a reverse proxy, operates under a HIPAA business associate agreement, strips personal identifiers where configured, and is not connected to advertising platforms. We do not sell PostHog data, and we do not use it for cross-context behavioral advertising. PostHog runs unless you choose Reject or your browser sends a GPC signal.
Third-party analytics and tags (Google Analytics 4 and Google Tag Manager) — only after you Accept
Only after you Accept, we may use Google Analytics 4 (“GA4”) and Google Tag Manager. These are third-party tools, not first-party analytics. They are not loaded if you Reject or if a GPC signal is present. Where used, we configure them to limit advertising features where practical, and they run only on our general, public pages — never on pages that present or collect medical or condition-specific information, and never in patient login areas.
Advertising (only with your Accept)
Only after you Accept, we may use advertising and measurement technologies such as Google Ads and the Meta (Facebook/Instagram) pixel for our own advertising and measurement. These do not load if you Reject, and they never operate on pages that present or collect medical or condition-specific information. This is not passive consent — advertising technologies require your affirmative Accept. You can withdraw your consent at any time through our consent tool.
Payments (Stripe)
We use Stripe, Inc. to securely process membership payments. When you enter payment details, that information goes directly to Stripe under its privacy policy (stripe.com/privacy). We do not store your full card number, bank account number, or similar financial data on our servers.
7. Health-Related Pages and the Patient Portal
We design our Site so that information from medical or condition-specific pages is shared only with vendors bound by a business associate agreement. On any page that presents or collects medical or condition-specific information, your information is never shared with a third party that has not signed a business associate agreement with us. Advertising technologies, and third-party analytics or tag-management tools that do not operate under such an agreement — including Google Analytics and Google Tag Manager — do not run on those pages or receive information from them. PostHog may operate on those pages only as our first-party analytics service provider under a BAA, subject to your Reject or GPC choice.
Patient portal
The patient portal available through our Site is hosted and operated by our electronic health record provider under that provider’s privacy practices and applicable law; this Privacy Policy does not govern your use of that portal. We do not currently host our own patient login areas. If we add patient login areas that we host, they will not include Google Analytics, Google Tag Manager, or advertising technologies. They may use PostHog only for error monitoring and product improvement, under a business associate agreement and with personal identifiers stripped, kept strictly separate from any marketing tools.
8. How We Use and Share Information; No Sale
We are a healthcare provider, and we use the information we collect for our own healthcare and business operations — to support your relationship with us and to operate, secure, and improve our Site and services.
We do not sell, rent, or lease your information. We do not disclose your information to third parties for their own independent purposes, except:
to service providers that handle information on our behalf under contract (and, where applicable, under a business associate agreement), including PostHog for first-party analytics;
to advertising and third-party analytics providers, only after you Accept through our consent banner, and only to the extent of that consent — under California law, that disclosure may constitute “sharing” for cross-context behavioral advertising; and
as required by United States law — for example, in response to a lawful subpoena or court order, or to protect the rights, property, or safety of Herself Health, our patients, or others.
9. Your Privacy Choices
You can change or withdraw your consent for cookies and tracking at any time through our consent tool, and you can accept, reject, or be notified about cookies through your browser settings. Choosing Reject (or sending a GPC signal) means we will not use PostHog first-party analytics as described and will not load third-party analytics or advertising technologies. We honor the Global Privacy Control (“GPC”) and other recognized browser opt-out signals. You can also learn about interest-based advertising choices through the Network Advertising Initiative and the Digital Advertising Alliance.
10. California Residents
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA (“CCPA”), may provide additional rights regarding personal information collected through this Site.
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising unless you choose Accept. If you Accept, disclosures to advertising platforms for our advertising and measurement may be “sharing” under California law; you may withdraw that choice at any time through our consent tool or via GPC.
Subject to CCPA exceptions (including for protected health information governed by HIPAA), California residents may have the right to know what personal information we collect, to access or correct it, to request deletion, to opt out of sale or sharing, to limit certain uses of sensitive personal information, and to be free from discrimination for exercising those rights. Nothing in this Policy or our Terms waives those rights.
Health-related information collected and analyzed through a consumer website can be sensitive personal information under California law. We design our Site so that advertising and non-BAA third-party analytics do not run on medical or condition-specific pages.
To make a request, contact us at hello@herself-health.com. We may need to verify your identity before we act on your request, as the law allows. We honor GPC as an opt-out of sale/sharing and as a decline of the analytics and advertising practices described above.
11. Minnesota Residents
Minnesota has a consumer data privacy law, the Minnesota Consumer Data Privacy Act. The health information we handle as part of your care — including PHI under HIPAA and health records under the Minnesota Health Records Act — is not covered by that law; it is governed by HIPAA, Minnesota health-records law, and our Notice of Privacy Practices.
Other information we collect through this website (such as website analytics or contact-form details) may be covered by that law, depending on how much information we process. Where that law applies to information we hold, Minnesota residents may have the right to know what we collect, to access or correct it, to ask us to delete it, and to opt out of certain uses. We honor the Global Privacy Control and similar opt-out signals, and we do not sell your information.
To make a request, contact us at hello@herself-health.com. We may need to verify your identity before we act on your request, as the law allows.
12. Electronic Communications on This Site
When you use the Site, we and our service providers may receive and process technical and interaction data (such as pages viewed, events, and device or browser information) as described in this Policy. PostHog first-party analytics may process those interactions unless you Reject or send a GPC signal. Advertising and third-party analytics technologies that send data to third-party platforms load only if you Accept. If you do not want your Site interactions processed as described, do not use the Site, choose Reject, or enable GPC.
13. Security
We take commercially reasonable steps to protect data transmitted through our Site and rely on our vendors to secure the services they provide. No method of transmission over the internet is completely secure, so we cannot guarantee the security of information you send us; you transmit information at your own risk.
14. Children
This website is intended for adults and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided information through our Site, please contact us and we will delete it.
15. Other Information Practices
Web beacons
We may use web beacons (also called pixel tags) on the Site and in emails or newsletters to tell whether you opened or acted on a message, to count visitors, and to compile aggregate statistics. Advertising-related pixels load only after you Accept.
Combining information
Except as described in this policy, we generally do not combine information collected on the Site with information collected elsewhere, except that we may combine information you provide in our forms with information we already have about your interest in our services.
Access to your information
If you wish to review, correct, or delete information we collected through the Site, contact us at the address below. We may ask you to verify your identity first.
Business transfers
If we are involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction, and the commitments in this policy will continue to apply.
“Do Not Track” signals
Apart from the Global Privacy Control and recognized opt-out signals described above, the Site does not currently respond to other browser “do not track” settings.
16. Relationship to Our Terms of Use
To the maximum extent allowed by law, this Privacy Policy is subject to our Website Terms of Use, including the sections on warranty disclaimers, limitations of liability, and dispute resolution (the arbitration agreement, class action waiver, and jury trial waiver). This does not waive rights that cannot be waived under California privacy law.
17. Changes to This Policy
We may update this Privacy Policy from time to time. The most current version will govern and will be available through the Privacy Policy link in the Site footer. By continuing to use the Site after changes take effect, you agree to the updated policy, except that nothing here waives non-waivable statutory privacy rights.
18. Contact Us
If you have any questions about this Privacy Policy or our Site’s practices, please contact us at hello@herself-health.com.
© 2026 Herself Health. All rights reserved. | 2004 Ford Pkwy, St Paul, MN 55116 | (888) 290-1209