Data Privacy Declaration

1. Who We Are

DexaCore provides DEXA body-composition and bone-density scan management for clinics and their patients. The "app" refers to the DexaCore mobile application and associated services.

2. Data We Collect

We only collect data that is necessary to provide the service. We do not run advertising, profiling, or third-party behavioral analytics.

• Personal Information

  • Name, email address, phone number
  • Date of birth, gender (required to calculate scan results)
  • Account credentials (password is stored encrypted; never in plain text)

• Health and Fitness Data (Sensitive)

  • Height, weight, and DEXA scan measurements: total / fat / lean mass, body fat percentage, visceral adipose tissue, bone mineral density, T-scores, Z-scores, resting metabolic rate, skeletal muscle index
  • DICOM scan images and PDF medical reports associated with your account
  • Clinician notes attached to a scan

• Financial Data

  • Purchase and subscription history (package type, credits, invoices)
  • Payment details are entered directly into Stripe's secure fields and are never stored on our servers. We keep only a Stripe customer identifier.

• Files and Documents

  • Signed waiver / consent PDFs and the signature captured during signing

• App Activity

  • Appointment bookings, cancellations, attendance, and check-in history
  • Push-notification subscription status

• Device and Technical Data

  • Device identifier and platform (iOS / Android) used to deliver push notifications
  • IP address and timestamp at sign-in and at the moment a waiver is signed (fraud prevention and legal evidence of consent)
  • Crash and performance diagnostics generated by the application runtime

• Data We Do Not Collect

  • Precise or approximate device location / GPS
  • Contacts, calendar, messages, microphone, camera feed, or browsing history
  • Advertising identifiers
  • Third-party behavioral analytics (no Google Analytics, Firebase Analytics, Mixpanel, Meta SDK, or similar)

3. How We Use Your Data

We do not use your data for advertising, sell it, or share it with data brokers.

• App functionality: Create your account, schedule appointments, store and display your DEXA results, process payments, and deliver digital waivers.
• Account management: Authenticate you, reset passwords, and verify your email.
• Developer communications: Transactional emails (booking confirmations, results ready, waiver notifications, credit transfers) and opt-in push notifications (appointment reminders).
• Fraud prevention, security, and legal compliance: Store sign-in IP and waiver-signing IP as evidence of consent and to detect abuse.

4. Third Parties That Process Data on Our Behalf

We rely on the following processors. Each operates under its own privacy policy and receives only the data needed to perform its function.

• Stripe: Name, email, payment method entered in Stripe's fields, customer and transaction identifiers — to process payments and manage subscriptions.
• DocuSeal: Name, email, signature, signing IP, signed PDF — to deliver and store signed waivers / consent forms.
• OneSignal: Device identifier, platform, push subscription ID, notification content — to deliver push notifications.
• SendGrid (Twilio): Name, email, message content — to send transactional email.
• Amazon Web Services (S3): DICOM scan files, report PDFs, signed documents — encrypted file storage.
• New Relic: Application error and performance logs (no personal health data) — to diagnose crashes and monitor availability.

5. Security Practices

• All data is transmitted over TLS / HTTPS.
• Passwords are stored using a one-way cryptographic hash.
• Files are stored in encrypted AWS S3 buckets with access restricted to authorized services.
• Access to production data is limited to authorized personnel with role-based permissions.

6. Data Retention and Deletion

We retain your data for as long as your account is active and your clinic requires it to deliver care. You can request deletion of your account and associated data at any time by emailing info@dexacore.com. Upon deletion we remove your personal information, scans, waivers, notifications, and devices from our systems. Active subscriptions are cancelled in Stripe prior to deletion. Records we are legally required to retain (for example, invoices) are archived separately and purged once the retention period expires.

7. Your Rights

• Access, correct, or export the data we hold about you
• Request deletion of your account and data
• Withdraw consent for non-essential communications (e.g. appointment-reminder push notifications) at any time from the app settings or your device settings

8. Children

DexaCore is not directed to children under 13 and we do not knowingly collect data from them. If a minor is scanned at a clinic, the account is created and managed by a parent or legal guardian.

9. Changes to This Declaration

We will update this page when our data practices change and revise the "Last updated" date at the top. Material changes will also be announced in-app or by email.

10. Contact Us

Questions or data-deletion requests: info@dexacore.com.

• DexaCore, LLC
• 681 Encinitas Blvd, #316
• Encinitas, CA 92024
• 760-727-8080
• info@dexacore.com

© 2026 DexaCore. All rights reserved.