Lux Health, LLC d/b/a Goza

Privacy Policy

How we collect, use, and protect your personal information

Effective Date: April 23, 2026

This Privacy Policy does not cover our use of Protected Health Information (PHI), which is governed by our separate Notice of Privacy Practices as required by HIPAA. If you are a resident of Washington, Nevada, Connecticut, or another state with specific consumer health data laws, please also review our Consumer Health Data Privacy Policy.

Lux Health, LLC, d/b/a Goza ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and protect your Personal Data and Usage Data when you visit goza.health (the "Website") or use our services (the "Services").

1. Information We Collect

A. Personal Data You Provide

  • Name, date of birth, and gender
  • Email address, phone number, and mailing address
  • Emergency contact information
  • Government-issued identification numbers (where required)
  • Financial and payment information (credit/debit card, bank account information)
  • Account credentials (username and password)
  • Communications you send to us (emails, messages, feedback)

B. Usage Data Collected Automatically

  • IP address, browser type, device information, and operating system
  • Pages visited, date and time of visits, time spent on pages
  • Referring URLs, search terms, and clickstream data
  • Cookies and similar tracking technology data
  • Language preferences

C. Information Stored for Returning Visit Convenience

When you complete an intake questionnaire, we may store certain reusable information on our secure servers to improve your experience on future visits. This includes:

  • Medical history responses (e.g., known allergies, current medications, existing conditions) — so you do not have to re-enter them each visit
  • Pharmacy preference (e.g., your preferred local pharmacy or mail-order pharmacy selection)
  • Consent records (date and document versions of your most recent telehealth consent) — to streamline the consent process on repeat visits when documents have not changed

This data is stored in our encrypted database, associated with your email address, and is used solely to pre-populate intake forms on subsequent visits. All pre-filled fields are fully editable — you may update any information at any time. You may request deletion of this stored data by contacting us at support@goza.health.

D. Information from Third Parties

We may receive information about you from third-party sources, including healthcare providers, laboratories, pharmacies, payment processors, and analytics providers.

2. How We Use Your Information

  • To create and manage your account and profile
  • To provide and improve our Website and Services
  • To process payments and manage billing
  • To communicate with you regarding appointments, account updates, and service changes
  • To send you promotional and marketing communications (with your consent, where required)
  • To conduct analytics and improve user experience
  • To comply with legal obligations, respond to subpoenas, court orders, or other legal process
  • To enforce our Terms and Conditions and other agreements
  • To protect our rights, property, or safety, and the rights, property, or safety of our users and the public
  • To detect, prevent, and address fraud, security breaches, and technical issues

3. With Whom We Share Your Information

We do not sell your Personal Data. We do not sell Personal Data in exchange for monetary consideration, and we do not engage in the "sale" or "sharing" of Personal Data as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) or the Washington My Health My Data Act (MHMDA), except as expressly described in this Section 3. We may share your information as follows:

  • With our employees and staff who have a business need to access your information
  • With Business Associates and Service Providers who perform services on our behalf, pursuant to written agreements (including HIPAA Business Associate Agreements where applicable) that require them to protect your information
  • With payment processors and billing services for the purpose of processing payments
  • With third-party analytics and advertising platforms (non-PHI only), including cookies and tracking pixels
  • As required by law, including in response to court orders, subpoenas, or government requests
  • To protect our rights, property, or safety, or the rights, property, or safety of others
  • In connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets (in which case we will notify you and provide an opportunity to opt out where required by law)

Named Third-Party Service Providers

We share limited information with the following named service providers only as necessary to deliver our Services. Each provider is contractually bound to protect your information and use it only for the purposes below. This list is current as of the effective date and may be updated as our vendor relationships change.

  • DrChrono (by EverHealth) — Electronic Health Record (EHR) and practice management; HIPAA Business Associate
  • Stripe, Inc. — Payment processing (credit/debit cards, ACH, subscriptions); PCI-DSS Level 1 certified
  • Fullscript, Inc. — Lab order fulfillment and Quest Diagnostics integration (lab orders only, when selected)
  • Quest Diagnostics, Incorporated — Clinical laboratory services (lab orders only, when selected)
  • Amazon Web Services (AWS) — Cloud hosting (U.S. regions only) and transactional email (AWS SES); HIPAA-eligible
  • Google LLC — Google Analytics 4 (GA4) for website usage analytics on the non-PHI marketing site only; IP anonymization enabled
  • Cost Plus Drugs (Mark Cuban Cost Plus Drug Company) — Mail-order pharmacy fulfillment, only when selected by patient
  • Lightsail / AWS — Compute infrastructure for website and intake application

We do not share PHI with advertising or analytics platforms. Google Analytics on our marketing site (goza.health) collects only non-PHI website usage data. No user-identifiable health information is transmitted to advertising or analytics services.

We require third-party recipients of your Personal Data to contractually agree to process data only for specified purposes, provide equivalent privacy protection, and notify us if they can no longer meet these obligations.

4. Cookies and Tracking Technologies

A. Types of Cookies We Use

  • Essential Cookies: Required for the operation of our Website and patient portal
  • Analytics Cookies: Help us understand how visitors interact with our Website
  • Advertising Cookies: Used to deliver relevant advertisements and track campaign effectiveness

B. Local Storage

We use browser local storage (a technology similar to cookies) to:

  • Maintain your login session in patient, employee, and employer portals
  • Save your intake questionnaire progress so you can resume if you navigate away
  • Cache returning patient data (medical history) for faster form pre-fill on the same device

Local storage data remains on your device and is not transmitted to third parties. You may clear local storage through your browser settings at any time.

C. Third-Party Cookies

We utilize third-party software to create a better and more relevant advertising experience. By using the Website, you accept the use of cookies and any exported data that is sent to those third parties. You may configure your browser to accept or reject cookies; however, if you disable cookies, certain features may not function properly.

D. Do Not Track

Our Website does not currently respond to "Do Not Track" browser signals. We will update this Privacy Policy if our practices change.

5. Data Retention

We retain your Personal Data only for as long as is necessary to perform our obligations, comply with legal requirements, resolve disputes, and enforce our agreements. For information about retention of Protected Health Information (PHI), please refer to our Notice of Privacy Practices.

Specific retention periods include:

  • Medical records (including intake responses and clinical notes): minimum of seven (7) years from the date of last entry for adult patients, or longer as required by Florida Statutes § 456.057 and Florida Administrative Code Rule 64B8-10.002
  • HIPAA authorizations, accountings of disclosures, and compliance documentation: six (6) years from the date of creation or last effective date, as required by 45 C.F.R. § 164.530(j)
  • Consent audit records (including e-signatures, IP addresses, and document version hashes): seven (7) years minimum, retained as a tamper-evident append-only log
  • Financial and billing records: seven (7) years, consistent with IRS and Florida tax law retention requirements
  • Marketing consent records and opt-out requests: four (4) years, consistent with TCPA statute of limitations
  • Website usage / Usage Data (analytics, log files): generally no more than twenty-six (26) months, or a shorter period when used for security/fraud prevention only
  • Backup copies: up to ninety (90) days beyond the deletion of source records, after which backups are fully overwritten

After applicable retention periods end, we will either delete, de-identify, or anonymize your Personal Data in a manner consistent with our information security policies.

6. Security of Your Information

  • Encryption of data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments and audits
  • Employee training on data security

Despite our best efforts, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your information.

7. Children's Privacy

Our Services are not intended for individuals under the age of eighteen (18). We do not knowingly collect personally identifiable information from anyone under the age of 18. In compliance with the federal Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506), we do not knowingly collect personal information from children under the age of thirteen (13) without verified parental consent. If we learn that we have collected information from a child under 18 (or 13 for COPPA purposes) without appropriate parental consent, we will promptly delete that information. If you are a parent or guardian and become aware that your child has provided us with Personal Data, please contact us immediately at support@goza.health.

8. Your Privacy Rights

A. General Rights

  • Right to access your Personal Data
  • Right to correct inaccurate Personal Data
  • Right to request deletion of your Personal Data
  • Right to data portability (obtain a transferable copy in a structured, machine-readable format)
  • Right to object to or restrict processing of your Personal Data
  • Right to withdraw consent at any time without penalty

B. Florida Residents

Florida residents have additional rights under the Florida Information Protection Act of 2014 (FIPA). We will notify you of any data breach involving your personal information as required by FIPA.

C. California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, their sources, purposes, and sharing categories
  • Right to Delete: Request deletion of your personal information, subject to certain legal exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt Out of Sale/Sharing: Via the "Your Privacy Choices" link on our Website or by contacting us
  • Right to Limit Use of Sensitive Personal Information: Limit use and disclosure of health data, SSN, and precise geolocation
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights

To exercise any of these rights, contact us at support@goza.health or call 305-306-1387.

D. Other State Privacy Laws

Residents of Colorado, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and other states with comprehensive privacy laws may have additional rights including the right to access, correct, delete, and port their personal data, and the right to opt out of targeted advertising. We will comply with all applicable state privacy laws.

E. Your Privacy Choices

  • "Your Privacy Choices" link on our Website — opt out of targeted advertising, sale or sharing of personal information
  • Email requests to support@goza.health
  • Phone requests to 305-306-1387
  • Browser-based opt-out controls (cookie settings, Do Not Track signals)

We honor Global Privacy Control (GPC) signals as a valid opt-out of the sale or sharing of personal information where required by applicable law.

9. Changes to This Privacy Policy

We reserve the right to change this Privacy Policy at any time. We will notify you via email and/or a prominent notice on our Website prior to the change becoming effective. Your continued use of our Services after changes are posted constitutes acceptance of the revised Privacy Policy.

10. Contact Information

Lux Health, LLC, d/b/a Goza

Email: support@goza.health
Phone: 305-306-1387
Website: goza.health
