PRIVACY POLICY 

Effective Date: May 14, 2026

Version 1.0

Last reviewed: May 2026

A plain-language summary: Vega collects information about your child and family to match you with a consultant and provide care coordination support. We store that information securely on HIPAA-compliant platforms. We never sell your data or share it with advertisers. We share only what is necessary to deliver your consulting services, as required by law, or with your explicit consent. You can request access to, correction of, or deletion of your personal information at any time.

1. About This Privacy Policy

This Privacy Policy describes how Vega Pediatrics, LLC ("Vega," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information — including protected health information ("PHI") — when you visit our website at vegapediatrics.com (the "Site"), submit an intake form, communicate with a consultant, or otherwise use our services.

This Policy applies to all users of the Site and all families and guardians who engage with Vega's consulting services, including through third-party platforms we operate (such as our HIPAA-compliant intake system). It supplements, and does not replace, any separate HIPAA Notice of Privacy Practices provided to you in connection with covered health services.

By using this Site or submitting information to Vega, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any of its terms, please do not use the Site or submit information to Vega.  By using the Site or submitting information to Vega, you are bound by this Policy. 

2. Who We Are

Vega Pediatrics, LLC is a pediatric healthcare consulting and care coordination company. We are not a licensed clinical practice, hospital, health plan, or insurance company. We do not deliver care, prescribe medications, or make diagnoses. We are a Business Associate under HIPAA to the extent we receive or process PHI on behalf of covered entities, and we maintain signed Business Associate Agreements with all applicable vendors.

3. Information We Collect

Vega collects several categories of personal information, described below. Because our services are focused on children with complex health needs and disabilities, much of the information we collect is sensitive health information. We collect only what is necessary to deliver consulting services.

3.1 Information You Provide Directly

When you submit an intake form, communicate with a consultant, request information from us or otherwise interact with Vega, you may provide:

Category of Information

Examples

Purpose

Guardian / Family Information

Legal guardian name, relationship to child, address, phone, email, preferred contact method

Match family to consultant; establish service relationship; communicate about consulting support

Child's Identity Information

Child's first name or preferred name, date of birth, gender (optional)

Personalize consultant communications; maintain longitudinal care record

Child's Health Information (PHI)

Diagnoses, medical history, surgeries, medications, allergies, medical devices, hospitalization history

Understand child's care complexity; tailor consulting services to specific needs

Care Team Information

Primary care provider name and practice, specialist names and specialties, affiliated hospitals

Support care coordination; identify gaps in care team; facilitate referrals and introductions

Insurance and Financial Information

Insurance type (private, Medicaid/CHIP, dual, uninsured), plan name, prior authorization history, out-of-pocket cost concerns

Provide insurance consulting support; identify benefits programs; assist with coverage barriers

Urgency and Consulting Needs

Nature and urgency of consulting need, upcoming appointments, crisis status

Triage and prioritize consultant response; route urgent cases appropriately

Referral Source

How you learned about Vega (physician referral, employer benefit, online search, etc.)

Understand referral pathways; improve outreach to families who need consulting support

Open-Ended Notes

Any additional context you choose to share about your child's care situation

Provide consultant with full picture of family needs

3.2 Information Collected Automatically

When you visit the Site, we and our service consultants may automatically collect certain technical information, including:

•       IP address and approximate geographic location;

•       Browser type and version, operating system, device type;

•       Pages visited, time spent on pages, links clicked, referring URL; and

•       Date and time of visits.

This information is collected through standard web analytics tools (such as Google Analytics) and is used to improve Site performance and understand how families find and use our resources. Vega does not use tracking technologies on authenticated or HIPAA-protected pages of the Site.

In accordance with HHS guidance on online tracking and HIPAA (updated 2024), Vega does not deploy third-party tracking pixels or advertising trackers on any page where health information may be entered or accessed.

3.3 Information From Third Parties

We may receive information about you from referring physicians, hospital care coordinators, employer benefit programs, or other healthcare partners who refer families to Vega. We treat all such information in accordance with this Privacy Policy and applicable law.

4. How We Use Your Information

Vega uses personal information solely for the purposes for which it was collected and as permitted or required by applicable law. Our primary uses are:

4.1 Delivering Consulting Services

•       Matching your family with an appropriate Vega consultant based on your child's needs, diagnosis category, insurance situation, and urgency;

•       Enabling consultants to understand your child's care history and current situation before initial contact;

•       Providing longitudinal consulting support across the arc of your child's care;

•       Facilitating introductions to specialists, programs, community resources, and healthcare providers; and

•       Supporting insurance consulting, prior authorization guidance, and benefits identification.

4.2 Communications

•       Contacting you to confirm receipt of your intake and schedule consultant introductions;

•       Sending service-related messages such as appointment reminders, resource follow-ups, or consultant updates; and

•       Sending urgent alerts to consultants for crisis-level intake submissions (internally only; no PHI transmitted via unencrypted channels).

Vega does not send unsolicited marketing communications. If we send optional updates about new resources or programs, you will have a clear way to opt out.

4.3 Service Improvement and Quality

•       Evaluating and improving the quality of our consulting services;

•       Training consultants using de-identified or aggregated case patterns (never with identifiable PHI without authorization); and

•       Analyzing aggregate trends in the needs of families we serve to improve service design and identify gaps.

4.4 Legal and Compliance Obligations

•       Complying with applicable federal and state laws, including HIPAA, state health information privacy laws, and consumer data protection laws, including to the extent necessary to comply with HIPAA's required disclosures to the Secretary of HHS for compliance investigations;

•       Responding to lawful requests from courts, regulators, or law enforcement as required by law; and

•       Maintaining audit logs and records as required by HIPAA and our BAA obligations.

What we never do: Vega does not sell your personal information or PHI. We do not use your information for targeted advertising. We do not share information with pharmaceutical companies, device manufacturers, or any third party for commercial purposes.

5. How We Share Your Information

Vega shares personal information only in the following limited circumstances:

5.1 With Business Associates and Service Providers

We share information with vendors who help us operate our platform and deliver services. All vendors who handle PHI are bound by Business Associate Agreements (BAAs) requiring them to protect information in accordance with HIPAA. Key vendors include:

•       Our intake form and submission storage platform;

•       Website hosting and infrastructure providers (under applicable data processing agreements); and

•       Consultant communication tools (only BAA-covered platforms for PHI).

We do not permit vendors to use your information for any purpose other than providing services to Vega.

5.2 With Consultants

Consultants assigned to your family will have access to the information you submitted in your intake form in order to provide consulting services. Consultants are bound by confidentiality obligations and Vega's internal data handling policies. Consultant access is authenticated and logged.

5.3 With Your Healthcare Team (With Your Consent)

With your explicit, prior consent, Vega may communicate with your child's physicians, specialists, or care coordinators to facilitate consulting support. We will ask for your authorization before contacting any clinical provider on your behalf and will only share information necessary for that specific purpose.

5.4 With Referring Partners

If you were referred to Vega by a physician, hospital, or employer benefit program, we may confirm your enrollment with the referring party (e.g., to satisfy a referral completion requirement). We will not share your child's clinical details with a referring employer without your consent.

5.5 In Connection with Business Transfers

If Vega is involved in a merger, acquisition, or sale of all or substantially all of its assets, personal information may be transferred as part of that transaction. We will notify you via email or prominent Site notice before PHI is transferred and becomes subject to a different privacy policy. Any successor entity will be required to honor the commitments in this Policy.

5.6 To Protect Safety

We may disclose information to the proper authorities when we have a good-faith belief that disclosure is necessary to prevent imminent harm to your child, another person, or the public, consistent with applicable law and professional standards.

6. Children's Health Information and HIPAA

6.1 Our Services Involve Minor Children

Vega's services are designed for and directed at the parents and legal guardians of minor children (persons under age 18). We do not knowingly collect personal information from minors directly; all information is submitted by a parent or legal guardian who represents that they have full authority to do so.

Under HIPAA, the parent or legal guardian of a minor child is generally treated as the child's "personal representative" and has rights to access, correct, and authorize uses of the child's PHI. This principle was reaffirmed in a December 2025 HHS/OCR guidance memo. Limited exceptions may apply under state law for certain sensitive services (such as reproductive health or substance use treatment), but those services are outside the scope of Vega's consulting services.

6.2 HIPAA Rights of Parents and Guardians

As the personal representative of a minor child, you have the following rights under HIPAA with respect to PHI we maintain:

•       Right of Access: Request a copy of the PHI we hold about your child.

•       Right to Amend: Request correction of inaccurate or incomplete PHI.

•       Right to an Accounting of Disclosures: Request a list of disclosures we have made of your child's PHI (other than for treatment, payment, and healthcare operations).

•       Right to Restrict: Request restrictions on how we use or disclose your child's PHI.

•       Right to Confidential Communications: Request that we communicate with you by a specific method or at a specific address.

To exercise these rights, please contact privacy@vegapediatrics.com. We will respond within 30 days (or as required by applicable law). We may not be able to honor all restriction requests, but will explain any limitations.

6.3 Children’s Online Privacy Protection Act COPPA

Vega's Site is not directed at children, and we do not knowingly solicit or collect personal information directly from anyone under age 13. All intake submissions are made by parents and guardians on behalf of their children. If you believe a child under 13 has submitted personal information to us directly, please contact us immediately at privacy@vegapediatrics.com.  Parents and guardians of children under 13 always have the right to request that we remove their child’s personal information.  Nonetheless, we may need to verify your identity before processing your request.

7. Data Retention

We retain personal information, including PHI, for as long as necessary to provide consulting services to your family and to comply with our legal obligations. Our current retention practices are:

•       Active family records: Retained for the duration of your engagement with Vega and for a period following service conclusion as required by applicable law and our BAA obligations.

•       Inactive intake submissions: Submissions from families who do not proceed to active service are purged on a scheduled basis consistent with a 7-year retention period, in accordance with HIPAA medical record retention standards.

•       Consultant communications: Retained for the duration of service plus any legally required period thereafter.

•       Website analytics data: Retained in aggregate, anonymized form. Individual session data is not retained beyond standard analytics windows.

You may request deletion of your information at any time. We will honor deletion requests to the extent permitted by law, excluding information we are required to retain for legal, regulatory, or audit purposes.

8. How We Protect Your Information

Vega takes the security of personal information and PHI seriously.      We use multiple  safeguards that include:

•       All intake data is stored on HIPAA-compliant platform under a signed BAA. Submission access requires consultant authentication (password or SSO with two-factor authentication enabled).

•       All data transmissions between your browser and our intake platform are encrypted via TLS/HTTPS.

•       We do not export PHI to third-party tools that do not have their own BAAs in place.

•       Access to PHI is password protected and limited to consultants and staff with a legitimate need to know, and is revoked promptly upon role change or departure.

No data transmission over the internet or storage system can be guaranteed to be 100% secure. In the event of a breach involving your PHI, we will notify you as required by the HIPAA Breach Notification Rule and applicable state law.  For information on the HIPAA Breach Notification Rule, see https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

9. Cookies and Online Tracking

A cookie is a small data text file, which is stored on the hard drive of your device when you visit the Site.  Each cookie is unique to your web browser.  It may contain some anonymous information such as a unique identifier, a website’s domain name, and some digits and numbers.  Cookies cannot be used to run programs or deliver viruses to your device.  The Site uses cookies and similar technologies for standard website functionality and analytics. We do not use advertising cookies or allow third-party advertisers to track users on our Site.  At no time will our cookies collect your personal information. 

•       Essential cookies: Required for the Site to function (e.g., session management, security). Cannot be disabled without impairing Site function.

•       Analytics cookies: Help us understand how visitors navigate the Site (e.g., Google Analytics). We configure analytics tools to anonymize IP addresses and do not use them on HIPAA-protected pages.

You may control cookies through your browser settings. Disabling cookies may affect some Site functionality. Vega does not respond to "Do Not Track" signals at this time, but we do not engage in cross-site behavioral advertising.

10. State Privacy Rights

Depending on your state of residence, you may have additional privacy rights under state law. Vega will honor applicable rights regardless of the state framework under which they arise.                                         

a.    California Privacy Rights Disclosure

If you are a California resident, the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), the California Online Privacy Protection Act (CalOPPA), provide you additional rights with the respect to your personal information.  California law permits California residents to request certain information about our disclosure of their personal information to third parties for direct marketing purposes during the preceding calendar year. This request is free and may be made once a year. To make such a request, see Section 2 above.

Further, California law provides residents with the following additional rights with respect to your personal information:

●      The right to know what personal information we have collected, used, disclosed and sold about you. You may submit a request to know by using the contact information detailed in this Section. You also may designate an authorized agent to make a request for access on your behalf.

●      The right to request that we delete any personal information we have collected about you. You may submit a request for deletion by using the contact information detailed in this Section. You also may designate an authorized agent to make a request for deletion on your behalf.

California residents may also have the right not to be subject to automated decision-making, including profiling, where it would have a legal or similarly significant effect on them; and the right to data portability with regard to the data they provided to us.  If you exercise any of these rights and submit a request to us, we may verify your identity.  We also may use a third-party verification provider to verify your identity.  Your exercise of these rights will have no adverse effect on the price and quality of our goods or services. 

b.   Connecticut Data Privacy Rights.

If you are a Connecticut resident, (Public Act No. 22-15) An Act Concerning Personal information Privacy and Online Monitoring provides you additional rights with the respect to your personal information.  The Act grants Connecticut consumers the right to (A) access, correct, delete and obtain a copy of personal information that we collect, and (B) opt out of the processing of personal information for the purposes of (i) targeted advertising, (ii) certain sales of personal information, or (iii) profiling.

c.   Utah Consumer Privacy Rights.

If you are a Utah resident, the Utah Consumer Privacy Act (UCPA) (S.B. 227) gives consumers a number of rights related to their personal information, including the right to: (A) access and delete personal information, (B) opt out of the collection and use of personal information for certain purposes, and (C) obtain a copy of their personal information.

d.   Virginia Consumer Data Privacy Protection Act.

If you are a Virginia resident, the Virginia Consumer Data Protection Act (“VCDPA”) (Va. Code § 59.1-575) allows for consumers to request that the company collecting their personal information: (A) confirm if the company is actually processing their personal information, (B) correct inaccuracies in the consumer’s personal information that is collected by the company, (C) delete personal information provided by or obtained about the consumer, (D) obtain copies of the personal information collected by the company, and (E) opt out of the processing of personal information for purposes of targeted advertising, the sale of personal information, or further profiling.

e.   Colorado Protect Personal Data Privacy Act.

If you are a Colorado resident, the Protect Personal information Privacy Act (SB21-190) gives consumers a number of rights related to their personal information, including the right to: (A) access and delete personal information, (B) opt out of the collection and use of personal information for certain purposes, and opt out of secondary use of such data.

f.    Delaware Personal Data Privacy Act.

If you are a Delaware resident, the Delaware Personal Data Privacy Act (HB-154) gives consumers a number of rights related to their personal information, including the right to: (A) to know what information is being collected about them, (B) see the information, (C) correct any inaccuracies, or (D) request deletion of their personal information that is being maintained by entities or people.

g.   Iowa Consumer Data Protection Act.

If you are an Iowa resident, the Iowa Consumer Data Protection Act (ICDPA) gives consumers a number of rights related to their personal information, including the right to: (A) to know what information is being collected about them, (B) see the information, (C) correct any inaccuracies, or (D) request deletion of their personal information that is being maintained by entities or people.

h.  Montana Consumer Data Privacy Act.

If you are an Montana resident, the Montana Consumer Data Privacy Act (MCDPA) companies who collect personal information from Montana residents my receive clear consent before processing such personal information.  The Act also grants Montana residents the right to (A) access, correct, delete and obtain a copy of personal information that we collect, and (B) opt out of the processing of personal information for the purposes of targeted advertising.

i.    Oregon Consumer Privacy Act.

If you are an Oregon resident the Oregon Consumer Privacy Act (SB-619) gives consumers a number of rights related to their personal information, including the right to: (A) access and delete personal information, (B) opt out of the collection and use of personal information for certain purposes, and (C) obtain a copy of their personal information.

j.   Texas Data Privacy and Security Act.

If you are a Texas resident the Texas Data Privacy and Security Act (HB-04F) allows for Texas residents to request that the company collecting their personal information: (A) confirm if the company is actually processing their personal information, (B) correct inaccuracies in the consumer’s personal information that is collected by the company, (C) delete personal information provided by or obtained about the consumer, (D) obtain copies of the personal information collected by the company, and (E) opt out of the processing of personal information for purposes of targeted advertising, the sale of personal information, or further profiling.

k.  Nebraska Data Privacy Act.

If you are a Nebraska resident, (Legislative Bill 1074) the Nebraska Data Privacy Act provides you additional rights with respect to your personal data.  The Act grants Nebraska consumers the right to (A) access, correct, delete and obtain a copy of personal data that we collect, and (B) opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling.

l.   New Hampshire Expectation of Privacy Act.

If you are a New Hampshire resident, (Senate Bill 255) under the Expectation of Privacy Act, you have the following rights: (1) Confirm whether or not certain businesses are processing your personal data; (2) Obtain Access to your personal data being processed by those businesses; (3) Correct inaccuracies in your personal data being processed by those businesses; (4) Delete personal data provided by, or obtained about, you by those businesses; (5) Obtain a copy of your personal data in a portable format; and (6) Opt-out of the future processing of personal data for purposes of: (a) targeted advertising, (b) the sale of personal data, or (c) certain types of automated profiling.

m.   New Jersey Data Privacy Law.

If you are a New Jersey resident, the New Jersey Data Privacy Law P.L. 2023, c. 266 (NJDPL) gives consumers a number of rights related to their personal data, including the right to: (A) know what information is being collected about them, (B) see the information, (C) correct any inaccuracies, or (D) request deletion of their personal data that is being maintained by entities or people.

n.   Tennessee Data Privacy Law.

If you are a Tennessee resident, the Tennessee Information Protection Act (TIPA), (HB 1181) allows for consumers to request that the company collecting their personal data: (A) confirm if the company is actually processing their personal data, (B) correct inaccuracies in the consumer’s personal data that is collected by the company, (C) delete personal data provided by or obtained about the consumer, (D) obtain copies of the personal data collected by the company, and (E) opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or further profiling.

o.   Minnesota Data Privacy Law.

If you are a Minnesota resident, the Minnesota Consumer Data Privacy Act (MCDPA) (H4757-4) gives consumers a number of rights related to their personal data, including the right to: (A) see what data is collected, (B) understand the purpose for its collection, (C) see the third parties that the data is shared with, and (D) opt out of the collection and use of personal data for certain purposes.

p.   Maryland Data Privacy Law.

If you are a Maryland resident, the Maryland Online Data Privacy Act (MODPA) aims to protect the privacy and personal data of Maryland residents by regulating its collection, processing, and use.  Specifically, MODPA allows Maryland consumers to request that the company collecting their personal data: (A) confirm if the company is actually processing their personal data, (B) correct inaccuracies in the consumer’s personal data that is collected by the company, (C) delete personal data provided by or obtained about the consumer, (D) obtain copies of the personal data collected by the company, and (E) opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or further profiling.

q.   Indiana Consumer Data Protection Act.

If you are an Indiana resident, the Indiana Consumer Data Protection Act (Senate Bill 5) gives consumers a number of rights related to their personal information, including the right to: (A) to know what information is being collected about them, (B) see the information, (C) correct any inaccuracies, or (D) request deletion of their or their child’s personal information that is being maintained by entities or people.

r.    Kentucky Consumer Data Protection Act.

If you are a Kentucky resident, the Kentucky Data Protection Act (KRS 367.3611) allows for Kentucky residents to request that the company collecting their personal information: (A) confirm if the company is actually processing their personal information, (B) correct inaccuracies in the consumer’s personal information that is collected by the company, (C) delete personal information provided by or obtained about the consumer, (D) obtain copies of the personal information collected by the company, and (E) get consent prior to using or processing personal information for purposes of targeted advertising or the sale of personal information.

s.  Rhode Island Data Transparency and Privacy Protection Act.

If you are a Rhode Island resident, the Rhode Island Data Transparency and Privacy Protection Act (H 7787) allows for Rhode Island residents to request all categories of personal data that the controller collects through the website or online service about customers; (ii) Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and (iii) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller; (a) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing.

To exercise any of these rights, contact privacy@vegapediatrics.com. We will respond within the timeframe required by applicable law. We may need to verify your identity before processing your request.

11. Third-Party Links and Resources

The Site may contain links to external websites, government programs, support organizations, and other resources. Vega is not responsible for the privacy practices of those sites. When you click a third-party link, you leave Vega's Site and this Privacy Policy no longer applies. We encourage you to review the privacy policies of any third-party site you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

•       Update the "Effective Date" at the top of this Policy;

•       Post the revised Policy prominently on the Site; and

•       Notify active families by email prior to the effective date of a material change.

Your continued use of the Site or Vega's services after a revised Policy becomes effective constitutes your acceptance of the updated terms. If we make changes that materially affect how we handle PHI, we will provide notice consistent with HIPAA requirements.

13. How to Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal information, please contact:

Vega Pediatrics, LLC Privacy Office

Email: privacy@vegapediatrics.com

Website: www.vegapediatrics.com

For HIPAA-related complaints, you also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at www.hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you for filing a complaint.