Genesis MD, Inc. (a California Professional Corporation), operating under the registered fictitious business name Genesis Sleep MD, Inc. (hereinafter referred to uniformly as “the Company” or “Genesis Sleep MD”)
Website: genesissleepmd.com
Effective Date: June 29, 2026
Version: 1.0
Last Updated: June 29, 2026
THIS PRIVACY POLICY GOVERNS PERSONAL INFORMATION COLLECTED THROUGH THE COMPANY’S PUBLIC-FACING, NON-CLINICAL WEBSITE AND MARKETING ENVIRONMENT. IT DOES NOT GOVERN PROTECTED HEALTH INFORMATION CREATED OR MAINTAINED WITHIN THE COMPANY’S SECURE CLINICAL PORTAL, WHICH IS GOVERNED SEPARATELY BY THE COMPANY’S HIPAA NOTICE OF PRIVACY PRACTICES. PLEASE READ SECTION 1 CAREFULLY TO UNDERSTAND THIS DISTINCTION.
Genesis MD, Inc. (a California Professional Corporation), operating under the registered fictitious business name Genesis Sleep MD, Inc. (hereinafter referred to uniformly as “the Company” or “Genesis Sleep MD”), respects your privacy and is committed to protecting the personal information you provide to the Company. This Privacy Policy (the “Policy”) explains how the Company collects, uses, discloses, and protects personal information, and describes the rights available to you under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, the “CCPA/CPRA”) and other applicable law.
The Company’s principal place of business is 510 Superior Avenue, Suite 200A, Newport Beach, California 92663.
1.2 Scope of This Policy
This Policy applies solely to personal information collected through the Company’s public-facing, non-clinical environment, including:
(a) the website located at genesissleepmd.com and all associated subdomains, web pages, landing pages, and sales funnels;
(b) the Sleep Blocker Quiz and any other lead-capture or intake forms presented before the clinical relationship is formed;
(c) the pre-recorded masterclass webinar, downloadable guides, and other Educational Materials;
(d) the Company’s marketing email and SMS programs;
(e) the Company’s RedNova CRM marketing infrastructure;
(f) the Company’s ManyChat / Instagram direct-message marketing channels; and
(g) checkout, account-creation, and purchase flows for the Tier 1, Tier 2, and Tier 3 offerings.
PROTECTED HEALTH INFORMATION (“PHI”) CREATED, RECEIVED, MAINTAINED, OR TRANSMITTED WITHIN THE COMPANY’S SECURE, AUTHENTICATED CLINICAL ENVIRONMENT — THE HEALTHIE EHR (INCLUDING THE INTEGRATED ZOOM FOR HEALTHCARE VIDEO PLATFORM) — IS NOT GOVERNED BY THIS POLICY.
All PHI processed once you become a patient and enter the authenticated Healthie EHR is governed exclusively by the Company’s separate HIPAA Notice of Privacy Practices and by the federal Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the California Confidentiality of Medical Information Act (CMIA, California Civil Code § 56 et seq.). Where information qualifies as PHI under HIPAA or medical information under the CMIA, those statutes — which impose stricter standards — control, and the CCPA/CPRA obligations described in this Policy are modified accordingly to the extent the law so provides.
This Policy therefore governs the commercial, marketing, and educational layer of the Company’s business. The HIPAA Notice of Privacy Practices governs the regulated clinical layer. This firewall is intentional and is described further in Section 1.4.
1.4 Separation of Public and Clinical Environments (UPM Protection)
The Company maintains a deliberate and structural separation between (i) the Company’s public, non-clinical marketing and educational environment (including the RedNova CRM and ManyChat channels), and (ii) the Company’s secure, authenticated clinical environment (the Healthie EHR). No physician-patient relationship is formed, and no clinical care is provided, through the public environment governed by this Policy. The Sleep Blocker Quiz, masterclass, marketing communications, and the Tier 1 Foundations Program are administrative, commercial, and educational in nature, and are not clinical. This separation protects the lawful, jurisdictionally appropriate delivery of regulated clinical care and is reflected throughout this Policy.
2. Notice at Collection — Categories of Personal Information We Collect
Consistent with the CCPA/CPRA requirement to provide notice at or before the point of collection, the following categories of personal information are or may be collected through the public environment. The Company presents a short-form “Notice at Collection” at each collection point (for example, at the Sleep Blocker Quiz and at checkout), linking to this Policy.
2.1 Identifiers
Real name; postal or mailing address; email address; telephone number; account username and password; IP address; device identifiers; and online identifiers captured during booking, account creation, or checkout.
2.2 Customer Records / Commercial Information
Transaction and purchase records, including records reflecting purchases of the Tier 1 ($2,500) Foundations Program, the Tier 2 ($4,997) Precision Concierge package, or the Tier 3 ($7,500) Longevity Elite package; billing and shipping information; payment-method tokens (processed by the Company’s PCI-compliant payment gateway; the Company does not store full card numbers); and records of products or services purchased, considered, or returned.
Browsing and interaction history on the Company’s Website; cookie and pixel configurations; pages viewed; referral sources; session metadata; and engagement metrics, including data captured via server-side conversion measurement.
Approximate (non-precise) geolocation derived from IP address, used in part to determine eligibility for Clinical Services and to route ineligible (out-of-state) leads to the non-clinical Tier 1 Foundations Program.
Non-diagnostic, self-reported lifestyle and sleep-related inputs voluntarily submitted through the public Sleep Blocker Quiz, and inferences drawn from your interactions for the purpose of providing the requested service (for example, routing and scheduling). Certain of this information constitutes Sensitive Personal Information under California law.
The text content of messages you send through the Company’s non-clinical channels (e.g., marketing email replies, ManyChat / Instagram direct messages). Telehealth encounters within the clinical environment are documented by a text-only ambient AI scribe and are governed by the HIPAA Notice of Privacy Practices, not this Policy; no audio or video recordings of clinical encounters are retained.
The Company does not knowingly collect personal information from individuals under eighteen (18) years of age through the public environment, and the Company’s Services are restricted to individuals 18 and older. The Company does not knowingly collect information from children under thirteen (13) in violation of the Children’s Online Privacy Protection Act (COPPA).
Under the CCPA/CPRA, certain categories of personal information are classified as Sensitive Personal Information (“SPI”). The Company recognizes that self-reported health, symptom, sleep, and wellness inputs voluntarily provided through the public Sleep Blocker Quiz or similar public forms, as well as account log-in credentials, may constitute SPI.
The Company collects and uses SPI strictly to perform the services you request and for the limited business purposes expressly permitted by the CCPA/CPRA. The Company does not use or disclose SPI to infer characteristics about you, and the Company does not use or disclose SPI for any secondary commercial profiling, cross-context behavioral advertising, or any purpose beyond those permitted under California Civil Code § 1798.121.
Permitted uses include routing out-of-state leads to the non-clinical Tier 1 Foundations Program, scheduling a triage or discovery consultation, delivering the products and services you purchase, and performing services reasonably expected by an average consumer who requests them.
3.3 Right to Limit
Because the Company uses SPI only for permitted business purposes and does not use it beyond those purposes, the statutory “Right to Limit the Use of My Sensitive Personal Information” has limited application. Nonetheless, in an abundance of caution and consistent with California enforcement guidance, the Company provides a “Limit the Use of My Sensitive Personal Information” link in the Company’s global website footer through which you may exercise this right.
The Company collects personal information from the following sources:
(a) directly from you (quiz completions, intake and booking forms, account registration, checkout, and messages you send);
(b) automatically through your device and browser (cookies, pixels, server logs, and similar technologies, subject to your consent choices); and
(c) from service providers and partners that support the Company’s operations (for example, the Company’s payment gateway and the Company’s marketing infrastructure).
4.2 Business and Commercial Purposes
The Company uses personal information for the following purposes:
(a) to provide, operate, and deliver the Services, including fulfilling lifetime access to the Tier 1 curriculum, shipping the physical Sleep Success Kit, and scheduling consultations;
(b) to process transactions and manage billing through the Company’s payment gateway;
(c) to determine eligibility and route ineligible leads to the appropriate non-clinical offering;
(d) to send administrative and logistical communications;
(e) to send marketing communications where you have consented;
(f) to measure and improve marketing and Website performance;
(g) to maintain security, prevent fraud, and protect against malicious or unlawful activity;
(h) to comply with legal obligations; and
(i) to establish, exercise, or defend legal claims.
If you elect to finance a purchase through an independent third-party consumer lender — namely CareCredit or Cherry — certain personal information necessary to initiate the financing application is shared with, or collected directly by, that lender. Each such lender is an independent entity that maintains its own separate privacy practices and policies, over which the Company has no control. The Company encourages you to review the privacy policy of CareCredit or Cherry before submitting information to them. The handling of your information by those lenders is governed by their policies and applicable law, not by this Policy.
The Company discloses personal information to service providers and contractors who process it on the Company’s behalf and for the Company’s business purposes under written contracts that restrict their use of the information, including the Company’s payment gateway, hosting and infrastructure providers, the Company’s RedNova CRM marketing platform, email and SMS providers, and analytics providers.
5.2 No Sale of Personal Information for Money
The Company does not sell your personal information in exchange for monetary consideration.
The CCPA/CPRA defines “sharing” broadly to include the disclosure of personal information to third parties for cross-context behavioral advertising, even where no money changes hands. The Company’s deployment of advertising and conversion-measurement technologies (for example, server-side conversion tracking used to measure advertising performance) may constitute “sharing” under this broad definition. Where this is the case, you have the right to opt out, as described in Sections 6 and 8.
The Company does not deploy marketing, targeting, or optional advertising pixels behind any authentication gate, within the Company’s secure patient intake systems, or on any sub-page that handles specific medical conditions or sleep pathology entries. All data collected within the authenticated clinical patient portal is managed within the Company’s secure, HIPAA-compliant Healthie EHR and is fully insulated from client-side commercial tracking networks.
To reduce risk consistent with HHS Office for Civil Rights (OCR) guidance and Federal Trade Commission (FTC) enforcement activity concerning health-related online trackers, the Company favors server-side conversion measurement with personal identifiers stripped over client-side third-party pixels on health-related pages.
5.5 Other Disclosures
The Company may disclose personal information:
(a) to comply with law, legal process, or valid governmental or law-enforcement requests;
(b) to enforce the Company’s agreements and protect the Company’s rights, property, and safety, and those of the Company’s users and the public; and
(c) in connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case personal information may be transferred to a successor consistent with this Policy.
6. Global Privacy Control (GPC) and Opt-Out Preference Signals
The Company recognizes and honors the Global Privacy Control (“GPC”) and other legally recognized opt-out preference signals. When you visit the Company’s Website using a browser or device configured to transmit a GPC signal, the Company’s systems are configured to treat that signal as a valid request to opt out of the “sale” or “sharing” of personal information associated with that browser or device, and to disable applicable advertising and targeting technologies for that interaction, to the extent required by law. Because GPC operates at the browser/device level, you may need to enable it on each browser and device you use.
THE COMPANY’S MANYCHAT AND INSTAGRAM DIRECT-MESSAGE INFRASTRUCTURES ARE NON-CLINICAL, NON-HIPAA-COMPLIANT MARKETING MECHANISMS AND ARE NOT ENCRYPTED. DO NOT TYPE OR TRANSMIT SYMPTOMS, MEDICAL HISTORY, DIAGNOSES, MEDICATIONS, OR ANY CLINICAL OR HEALTH-RELATED INFORMATION INTO ANY DIRECT-MESSAGE OR SOCIAL-MEDIA CHANNEL.
These channels are intended for general, non-clinical marketing engagement and administrative purposes only. The Company’s automated system is configured with an automated keyword redirect sensor designed to identify clinical symptom input before it is transmitted through the ongoing direct-message interaction. Upon detection of clinical symptom input, the automated keyword redirect sensor will block the text transmission, discontinue the clinical portion of the conversation, and route the user to the secure Healthie EHR patient link. You should never rely on these channels for any clinical communication, and you transmit information through them at your own risk and subject to the privacy practices of the applicable social-media platform.
Subject to verification and the exceptions provided by law (including the modifications applicable to PHI and CMIA-protected medical information), you have the following rights with respect to the personal information the Company processes under this Policy.
8.1 Enumerated Rights
(a) Right to Know / Access — to request the categories and specific pieces of personal information the Company has collected, the sources, the purposes, and the categories of third parties to whom it was disclosed.
(b) Right to Delete — to request deletion of personal information the Company has collected, subject to legal exceptions.
(c) Right to Correct — to request correction of inaccurate personal information.
(d) Right to Opt Out of Sale/Sharing — to direct the Company not to “sell” or “share” your personal information.
(e) Right to Limit Use of SPI — to limit the use and disclosure of Sensitive Personal Information to permitted purposes.
(f) Right to Data Portability — to receive a copy of your personal information in a portable, usable format.
(g) Right to Non-Discrimination — to not receive discriminatory treatment for exercising any of these rights.
8.2 How to Submit a Request — Two Methods
You may submit a request through either of the following methods:
Online: through the dedicated web-based privacy request form available on the Company’s Website (and, where applicable, via the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links in the Company’s global footer); and
Email: by writing to [email protected] with the subject line “California Privacy Request.”
8.3 Verification
To protect your information from unauthorized or fraudulent requests — and given the sensitivity of wellness-related data — the Company will verify your identity before fulfilling a request. Verification ordinarily requires matching the email address and telephone number logged during your quiz submission, checkout, or account creation. The Company may request additional information reasonably necessary to verify your identity, and the Company applies a heightened standard of verification for requests involving sensitive data. Information provided for verification is used only for that purpose.
You may designate an authorized agent to submit a request on your behalf. The Company may require the agent to provide proof of authorization and may require you to verify your identity directly with the Company.
8.5 Response Timelines
The Company will confirm receipt of your request within ten (10) business days and will respond substantively within forty-five (45) calendar days. Where reasonably necessary, the Company may extend the response period by an additional forty-five (45) calendar days, and the Company will notify you of any extension and the reason for it within the initial 45-day period.
9. Data Retention
The Company retains personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, to comply with legal, accounting, or reporting obligations, and to establish, exercise, or defend legal claims. Retention periods vary by category:
(a) Marketing leads and CRM records — personal information captured through the public environment (including the RedNova CRM) is retained for standard operational marketing and administrative lifecycles, and is deleted or de-identified when no longer needed for those purposes.
(b) Transaction and account records — retained as required for tax, accounting, warranty, dispute-resolution, and recordkeeping purposes.
(c) Clinical records — once you transition into a formal patient relationship within the clinical environment, the resulting medical records are retained under the Company’s HIPAA Notice of Privacy Practices and applicable medical-record retention law, including California’s minimum retention requirements (generally seven (7) years for adult records). Such clinical retention is governed by the Company’s HIPAA Notice of Privacy Practices, not this Policy.
The Company maintains reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. Personal information processed under this Policy is stored within the United States. No method of transmission or storage is completely secure, and the Company cannot guarantee absolute security. Email and standard SMS are not encrypted by default; you should not transmit sensitive information through unencrypted channels.
The Company’s use of cookies, web beacons, server-side pixels, and similar technologies, and the granular consent choices available to you (strictly necessary, functional, analytics, and marketing categories), are described in the Company’s separate Cookie Notice. Optional analytics and marketing technologies are not activated until you provide consent through the Company’s cookie-consent interface, and the Company honors GPC signals as described in Section 6.
The Company’s Website may contain links to, or embed components from, third-party websites and services, including embedded video, the Company’s payment gateway, and the financing portals of CareCredit and Cherry. The Company does not control, and is not responsible for, the privacy practices of those third parties. Their collection and use of your information is governed by their own privacy policies.
This Policy addresses privacy practices only. Your financial, payment, refund, and financing terms are governed by the Company’s Financial Agreement & Refund Policy, the Company’s Terms of Service, and, for the Tier 1 Foundations Program, the Course Terms / EULA. For your awareness and without modifying those documents:
No refunds will be granted or issued under any circumstances after (i) any physical component — including the Sleep Success Kit or the WatchPAT home sleep testing unit — has been shipped from the Company’s logistics facility, (ii) any laboratory or diagnostic order has been transmitted to Quest Diagnostics, or (iii) any clinical service has been initiated or rendered. For the Tier 1 Foundations Program, all sales are final upon digital delivery of login credentials. Cancellations requested after checkout but before any physical component enters active shipping and before any clinical action is initiated may be refunded less a mandatory three percent (3%) third-party payment-processor administrative fee, as set forth in the Financial Agreement & Refund Policy.
The Company is not a lender, creditor, credit broker, or financing entity. Where you elect financing through CareCredit, Cherry, or any other third-party lender, you enter a separate, independent contractual relationship with that lender, and all credit decisions, annual percentage rates (APR), interest, fees, repayment schedules, collections, and disclosures — including all rights and obligations arising under the federal Truth in Lending Act (TILA), Regulation Z, and any analogous state law — are the sole responsibility of, and reside exclusively between, you and that lender. The Company is fully and expressly insulated from, and shall have no liability for, any claim or dispute arising under TILA or any other consumer-credit law relating to such financing, and your obligation to repay the lender remains in force regardless of your satisfaction with any product or service.
You agree to indemnify, defend, and hold harmless the Company and its officers, directors, shareholders, employees, contractors, agents, successors, and assigns from and against any and all claims, liabilities, damages, losses, costs, and expenses, including reasonable attorneys’ fees, arising out of or relating to your submission or provision of false, inaccurate, incomplete, or misleading financial, registration, or eligibility information, whether by act or omission. The Company reserves the right to assume the exclusive defense and control of any matter subject to indemnification, in which case you agree to cooperate fully with the Company’s defense.
The Company may update this Policy from time to time. The “Last Updated” date above reflects the most recent revision. Material changes will be communicated by reasonable means, and your continued use of the Company’s Website after the effective date of a revised Policy constitutes acceptance of the revised Policy. A versioned archive is available upon request.
For questions about this Policy, to exercise your privacy rights, or to submit a complaint, contact:
Privacy / General Inquiries and Privacy Requests: [email protected]
HIPAA Privacy Officer (clinical / PHI matters): Dr. Meneena Bright
Mailing Address: Genesis MD, Inc., operating as Genesis Sleep MD, 510 Superior Avenue, Suite 200A, Newport Beach, California 92663
Registered Agent (Service of Process): 500 North Brand Boulevard, Suite 890, Glendale, California 91203
You also have the right to lodge complaints with the California Privacy Protection Agency and the California Attorney General. For complaints concerning PHI, you may contact the U.S. Department of Health and Human Services, Office for Civil Rights, as described in the Company’s HIPAA Notice of Privacy Practices.
Copyright © Genesis MD, Inc. 2026. All rights reserved. “Genesis Sleep MD,” “Genesis MD,” and “Genesis Protocol” are trademarks or service marks of Genesis MD, Inc.

Email: [email protected]
Get daily insights, sleep tips, and behind-the-scenes content from Dr. Bright
© 2026 Genesis Sleep MD. Developed by Natalie Minh Interactive.