Privacy Policy
DexaFit Boston
Last Modified: June 12, 2026
1. Introduction
This Privacy Policy explains the practices of DexaFit Boston LLC ("DexaFit Boston," "we," "us," or "our") regarding the collection, use, protection, and disclosure of personal information in connection with the general wellness services we provide at our location and the websites, scheduling tools, intake forms, and other interactive features we make available that link to this Privacy Policy (collectively, our "Services").
Who we are (please read). DexaFit Boston LLC is an independently owned and operated business. We license the DexaFit® trademark and use the DexaFit software platform under license from DexaFit, Inc. and its subsidiaries and affiliates (collectively, "DexaFit, Inc." or "DexaFit Corporate"). DexaFit Boston LLC is not owned, operated, managed, controlled, staffed, or supervised by DexaFit, Inc., and DexaFit, Inc. is not responsible for the services, equipment, premises, personnel, or conduct at our location. We are what DexaFit, Inc.'s materials refer to as a "Licensed Operator." Section 2 explains this relationship and what it means for your data.
What we do at our location. We provide in-person general wellness assessments, which may include DEXA body composition scans, Resting Metabolic Rate (RMR) assessments, Red Light Therapy, and VO2 Max (cardiorespiratory) testing. To deliver your results, we capture your assessment data and transmit it to the DexaFit software platform (including the DexaFit Operator and DexaFit AI applications) operated by DexaFit, Inc., which generates your reports. We then deliver your results to you, including by email. Section 6 describes this data flow in detail.
Physician oversight (please read). Certain of our wellness assessments are made available under the general oversight of a licensed physician who serves as our medical director, whose role is limited to reviewing and authorizing the appropriateness of assessments (including those that involve low-dose imaging) as required by applicable law. This oversight is administrative and authorizing in nature. It does not constitute the practice of medicine, the provision of medical care, diagnosis, or treatment, and it does not create a physician-patient or treatment relationship. Our assessments, reports, scores, and insights are general wellness information and are not medical records. See Sections 6 and 16.
General Wellness Disclaimer. Our Services are general wellness offerings intended to support your overall health and wellness. They are not designed or intended to diagnose, treat, cure, mitigate, or prevent any disease or medical condition. Our assessments, reports, scores, and insights are educational and are not medical advice and not a substitute for care from a qualified healthcare provider. Our general wellness Services are intended to be consistent with applicable FDA guidance for general wellness/low-risk products. Always consult your physician before making decisions about your health, fitness, nutrition, or exercise.
EMERGENCY NOTICE: IF YOU ARE EXPERIENCING A MEDICAL EMERGENCY, DIAL "911" IMMEDIATELY. Our Services are not for medical emergencies or urgent situations.
Geographic scope. Our Services are offered in the United States and are directed to U.S. residents. The DexaFit software platform that processes your data is operated from the United States. If you access our Services or the platform from outside the United States, your information may be transferred to, processed, and stored in the U.S., where privacy laws may differ from those in your country. By using our Services, you acknowledge this Privacy Policy; where consent is the applicable legal basis, we obtain it as required by law.
This Privacy Policy is not a contract and does not create any legal rights or obligations beyond those provided by applicable law. The binding terms that govern your assessments — including any consent, assumption of risk, and authorization to collect, process, and transmit your data — are set out in the intake, consent, and waiver forms you sign and in our Terms and Conditions.
We encourage you to read this Privacy Policy carefully to understand our practices and your rights.
2. Our Relationship with DexaFit, Inc. and How Responsibility Is Allocated
This section is important to how your data is handled and who is responsible for what.
What DexaFit Boston does. We operate our physical location and perform your in-person assessments. We determine why and how the personal information we collect from you on-site is used to deliver your Services. For that information, we act as the data controller (the party responsible for the data).
What DexaFit, Inc. does. DexaFit, Inc. (a) licenses the DexaFit brand to us and (b) provides the software platform, applications, analytics, and reporting that process assessment data and present your results and reports. When DexaFit, Inc. processes the data we transmit in order to generate your reports and power the apps, it acts as our service provider / processor for that purpose. Separately, DexaFit, Inc. may use information as an independent controller for its own purposes — for example, to operate, secure, and improve its platform, and to create and commercially license De-Identified Information as described in its own privacy policy. DexaFit, Inc. is solely responsible for those independent uses; we are not.
Which policy applies. This Privacy Policy governs the personal information we collect from you at our location and through our Services. Once your data is transmitted to and processed on the DexaFit platform, DexaFit, Inc.'s Privacy Policy also applies and governs DexaFit, Inc.'s handling of that data, including its independent and De-Identified uses. The DexaFit, Inc. Privacy Policy is available at dexafit.com/privacy and is incorporated here by reference for those purposes. Each document controls for the data and activities it covers; in the event of a conflict regarding data we collect and control at our location, this Privacy Policy governs.
Allocation of responsibility. Our use of the DexaFit brand and platform does not make DexaFit, Inc. responsible for the acts, omissions, services, equipment, premises, or conduct at our location. Any issue, claim, or dispute relating to services performed, equipment used, or conduct occurring at our location must be addressed directly with DexaFit Boston LLC. Conversely, we are not responsible for DexaFit, Inc.'s operation of its platform or its independent uses of data described in its own privacy policy.
3. Key Definitions
"Personal Information" means any data that can directly or indirectly identify you, such as your name, email address, phone number, and wellness-related information.
"De-Identified Information" means information that has been processed so that it can no longer reasonably be linked back to you, and which is maintained and used only as De-Identified Information.
"Consumer Health Data" means personal information that identifies your past, present, or future physical or mental health status, as defined under applicable consumer-health-privacy laws. This includes body composition, bone density, metabolic, and fitness assessment data.
"DexaFit Platform" or "platform" means the DexaFit software, applications (including the DexaFit Operator and DexaFit AI apps), analytics, and reporting operated by DexaFit, Inc.
"Services" means the in-person general wellness assessments and related websites, scheduling, intake, and interactive features we provide.
4. Information We Collect
We collect the following categories of information to provide and improve our Services. The categories collected depend on how you interact with us. We may also provide additional or "just-in-time" privacy disclosures at the point we collect certain information; those disclosures supplement this Privacy Policy.
Personal Identifiers. Name, email address, postal address, phone number, and account or scheduling credentials — for booking, account creation, communication, and providing the Services you request.
Wellness Information (Consumer Health Data). Body composition data, bone density evaluations, cardiorespiratory and VO2 Max results, RMR and metabolic assessments, wellness histories, and related information collected at our location or entered by you. We use this data to generate your reports and provide personalized insights. This information is not, and is not intended to be, an Electronic Health Record (EHR), Electronic Medical Record (EMR), or a medical record, and our general wellness Services are generally not subject to HIPAA (see Section 16).
Demographic and Lifestyle Information. Age, sex, ethnicity, lifestyle choices, and similar information used to perform and personalize your assessments.
Payment Information. When you pay for Services, payment is processed by a third-party payment processor (for example, Stripe or Square). We do not collect or store your full payment card number or other sensitive payment credentials; you provide that information directly to the payment processor, whose use of it is governed by its own privacy policy. We may retain limited transaction records (such as billing name, amount, date, and a confirmation reference) for accounting and tax purposes.
Premises and Security Information. Because we operate a physical location, we may collect check-in records and, where in use, video security footage of our premises, for the safety and security of our clients, staff, and property. Notice of any recording is provided at our premises, and where any audio is recorded we obtain consent as required by Massachusetts law (see Section 10).
Third-Party Wellness Integrations. If you choose to connect services such as Apple Health or Google Fit through the DexaFit apps, the data you authorize is handled as described in the DexaFit, Inc. Privacy Policy, including the strict limits that connected-health data is never used for advertising, never sold, and never included in any De-Identified dataset licensed to third parties.
Visitor and Communication Data. Limited information from non-registered visitors who interact with our Services, and records of your communications with us, including scheduling, support requests, feedback, and marketing interaction history.
Usage and Technical Data. Collected automatically through cookies and similar technologies (see Section 7), including device and browser information, IP address and approximate location, and general interaction data. We use a limited set of such technologies and do not use session-replay or keystroke-logging tools.
Investor Information. Where applicable, we collect limited information from members and investors of DexaFit Boston LLC, such as name, contact details, and ownership interest, used to manage investor relations and our internal records. See Section 15.
Inferences. Limited inferences we may draw from the information above to personalize your experience. The wellness scores and predictive insights in your reports are generated on the DexaFit Platform, as described in Section 11.
Other Information. Any other information you choose to provide, or that we collect with notice, which we will use as described in this Privacy Policy or as disclosed at the time of collection.
5. How We Use Your Information
Service Provision and Scheduling. Perform your assessments; manage your bookings and account; process transactions and billing; provide support; verify your identity; and coordinate the delivery of your results.
Generating and Delivering Your Results. Transmit your assessment data to the DexaFit Platform so your reports can be generated, and deliver those results to you, including by email (see Section 6).
Physician Oversight. Make limited information available to our medical director for the sole purpose of reviewing and authorizing the appropriateness of assessments, consistent with applicable law (see Sections 1, 6, and 16).
Communications. Send service updates, appointment confirmations and reminders, results notifications, and policy changes; respond to inquiries; and — where you have provided your contact details and any required consent — send marketing communications and surveys by email or text. You may opt out of marketing emails via the unsubscribe link in any marketing email (we honor opt-out requests as required by the CAN-SPAM Act). Service- and transaction-related communications are not promotional and cannot be opted out of while you use the Services.
Text Messaging (SMS/MMS). With your express consent, we may send you (i) service and transactional texts (such as appointment confirmations, reminders, and results notifications) and (ii) marketing texts about our Services and offers. Message frequency varies. Message and data rates may apply. Reply STOP to any message to opt out of further texts, and HELP for help. Your consent to receive marketing texts is not a condition of purchasing any goods or services. We do not share mobile opt-in information or text-messaging consent with any third parties or affiliates for their own marketing or promotional purposes. The binding terms of our messaging program — including the program description, the consent you provide at sign-up, and applicable carrier disclaimers — are set out in our Terms and Conditions.
Personalization and Improvement. Personalize your experience and analyze usage to improve our Services.
Security, Compliance, and Legal. Maintain the security of our Services and premises, prevent fraud, comply with legal and regulatory obligations, enforce our terms, establish and defend legal claims, and protect the rights and safety of our clients, staff, and business.
De-Identified Information. We may create and use De-Identified, aggregated, or anonymized information that cannot reasonably be used to identify you for internal analytics and business insights. Where De-Identified Information is created and commercially licensed at the platform level, that activity is conducted by DexaFit, Inc. as an independent controller under its own privacy policy. We do not attempt to re-identify De-Identified Information.
6. How We Share Your Information
We do not sell your Personal Information for money in the traditional sense. We share information only as described below.
DexaFit, Inc. (Platform Provider). This is core to how your results are produced. We transmit the Personal Information and Consumer Health Data from your assessments to the DexaFit Platform operated by DexaFit, Inc., which processes that data to generate your reports and deliver your app experience. DexaFit, Inc. acts as our service provider/processor for this purpose and, for its own independent and De-Identified uses, under its own privacy policy. By using our Services, you understand that your assessment data is transmitted to and processed on the DexaFit Platform, and that your results may be delivered to you by email. DexaFit, Inc.'s handling of that data is described in the DexaFit Privacy Policy, available at dexafit.com/privacy.
Medical Director / Supervising Physician. We may make limited Personal Information available to the licensed physician who serves as our medical director, solely so that physician can review and authorize the appropriateness of your assessments as required by applicable law. This information is handled confidentially and used only for that authorization and oversight purpose. As stated in Sections 1 and 16, this does not create a physician-patient or treatment relationship and does not render the information a medical record.
Service Providers. We use trusted vendors (e.g., scheduling, payment processing, hosting, communications, and support) who process data on our behalf, are bound by confidentiality and data-protection obligations, and may use it only for the purposes we specify.
Legal and Regulatory Compliance. We may disclose information to comply with legal obligations, court orders, subpoenas, or government requests; to establish, exercise, or defend legal claims; to enforce our agreements and protect our rights and property; to detect or prevent fraud; and to protect the safety of any person.
Business Transactions. In connection with a merger, acquisition, financing, restructuring, or sale of company assets — and in the unlikely event of insolvency, receivership, or bankruptcy — your information may be transferred or assigned as part of that transaction, subject to applicable law and your rights.
Emergency Situations. We may share information when we believe in good faith that disclosure is necessary to protect the vital interests of a person or to address an urgent safety concern.
With Your Consent or Direction. With your consent or at your direction, we may share information — for example, to deliver results to a wellness or fitness professional you designate, or to publish a testimonial you provide. If you choose to make content public (such as a testimonial or review), it may be seen, copied, cached, or stored by others, and we are not responsible for any such use of information you have chosen to make public.
Mobile / SMS Data. We do not share mobile information or text-messaging originator opt-in data and consent with any third parties or affiliates for marketing or promotional purposes.
"Sale"/"Sharing" Under State Law. Some U.S. state laws define "sale" and "sharing" (including for targeted advertising) broadly, and certain cookie-based advertising activity may fall within those definitions. To the extent any of our practices are considered a "sale" or "sharing" under those laws, you have the right to opt out — see Sections 7 and 9. We do not sell, and do not "share" for cross-context behavioral advertising, your Wellness Information or Consumer Health Data, your sensitive personal information, or the personal information of anyone we know to be under 18.
7. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our Services, including essential cookies (functionality, security), performance cookies (usage analytics), functional cookies (preferences), and, where applicable, marketing cookies. We may also use web beacons or pixel tags in our marketing emails to understand whether messages were opened or links were clicked.
You can manage cookies through any cookie banner we provide and through your browser settings; disabling some cookies may affect functionality. Third-party analytics and advertising partners may use their own technologies subject to their own privacy policies.
Consent before non-essential tracking. Essential cookies (needed for security, login, and core functionality) operate by default. Non-essential cookies and tracking technologies — including analytics and advertising/marketing technologies such as the Meta (Facebook) Pixel and Google advertising tags — do not load until you accept them through our cookie consent banner, and you may withdraw or change your choices at any time through that banner. Where we are required to obtain consent before such technologies operate, we obtain it.
Opt-out preference signals and Do Not Track. Where required by applicable law, we honor recognized opt-out preference signals, including the Global Privacy Control (GPC). Some browsers offer a "Do Not Track" (DNT) setting; because there is no common industry standard for DNT, we do not respond to DNT signals at this time, but we do honor GPC as described above.
Targeted advertising. If you accept advertising cookies through our consent banner, we and our advertising partners may use interest-based advertising technologies — including the Meta (Facebook) Pixel, Google advertising tags, and similar tools — to measure our marketing, understand how visitors reach and use our Services, and show you relevant ads on other websites and platforms. These technologies may collect information such as the pages you visit on our Services, your device and browser data, and identifiers, and may share a common identifier (such as a hashed email) with advertising partners. You may exercise additional controls beyond our banner: device-level controls (such as Apple's App Tracking Transparency framework or Android's ad-personalization settings); the Digital Advertising Alliance (optout.aboutads.info) and Network Advertising Initiative (optout.networkadvertising.org) opt-out programs; and the controls offered by the providers we use, such as Google. Opting out does not stop all advertising; it means the ads you see should not be based on your interests. We are not responsible for the effectiveness of, or compliance with, any third party's opt-out program. Certain targeted-advertising activity may constitute a "sale" or "sharing" under state law, and you may opt out as described in Section 9.
Limits on use of health information for advertising. We do not provide your assessment results or other Wellness Information / Consumer Health Data (such as your body composition, bone density, metabolic, or fitness assessment results) to advertising partners or ad networks, and we do not use that assessment data to target ads to you. We do not sell your Wellness Information or Consumer Health Data. If you accept advertising cookies, the advertising technologies described above may collect general browsing information about your visit (such as pages viewed), which is why those technologies do not operate until you consent and can be declined or withdrawn through our consent banner.
8. Consumer Health Data
The wellness data we collect — including body composition, bone density, metabolic, and fitness assessment results — may constitute Consumer Health Data. We collect it to provide the Services and reports you request, and, where applicable law requires, we obtain your consent to collect and process it. We will not share or sell Consumer Health Data in a way that identifies you without your separate consent or, where required, your valid written authorization. We do not provide your assessment results or other Consumer Health Data to advertising partners and do not use that assessment data to target ads to you (see Section 7). We do not use geofencing to track you around any health facility for advertising or to send health-related messages. Where you reside in a state with a specific consumer-health-data law (such as Washington's My Health My Data Act or Nevada SB 370), the rights and protections of that law apply to you; to exercise them, contact us using the details in Section 20.
9. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights with respect to the Personal Information we hold as a controller:
Access — request a copy of, and information about, the Personal Information we hold about you.
Correction — correct inaccurate or outdated information.
Deletion — request deletion of your Personal Information, subject to legal retention and legitimate business needs.
Portability — request transfer of your Personal Information where applicable.
Withdraw Consent — withdraw consent for processing based on consent, at any time.
Marketing Opt-Out — opt out of marketing emails via the unsubscribe link, and opt out of marketing texts by replying STOP. You cannot opt out of service- or transaction-related communications (such as appointment confirmations, results delivery, and account, security, or policy notices), which are necessary to provide the Services.
Limit Sensitive Data / Opt Out of "Sale" or "Sharing" — where provided by applicable law.
Non-Discrimination — we will not discriminate or retaliate against you for exercising your privacy rights.
State-Specific Rights. Residents of U.S. states with comprehensive privacy laws — including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and others as they take effect — have the rights provided under their respective laws, which may include the rights above and, in some states, the right to appeal a denied request. This list is illustrative and not exhaustive.
Massachusetts residents: see Section 10 for protections that apply specifically to you.
Because much of your data is processed on the DexaFit Platform, certain requests may be coordinated with DexaFit, Inc. We will forward and assist with requests as appropriate so they can be honored across both our records and the platform.
How to exercise your rights. Contact us using the details in Section 20 with your full name, the email associated with your bookings, the specific request, and verification information. We will respond within the timeframe required by applicable law and may request additional verification to confirm your identity. You may use an authorized agent where the law allows. If we are unable to verify your identity or locate your information, or where an exception applies, we may decline a request and will explain why.
Declining to provide information. Some information is necessary for us to provide the Services. If you choose not to provide information we identify as required, we may be unable to schedule or perform your assessments or deliver your results.
10. Massachusetts Residents
DexaFit Boston LLC is located in the Commonwealth of Massachusetts, and the following applies to our handling of Massachusetts residents' personal information:
Written Information Security Program. We maintain a Written Information Security Program (WISP) designed to comply with the Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00), including administrative, technical, and physical safeguards and encryption of personal information in transit and on portable devices where required by that regulation.
Breach Notification. In the event of a breach of security involving Massachusetts residents' personal information, we will provide notice consistent with the Massachusetts data-breach-notification law (M.G.L. c. 93H), including, where required, notice to affected residents, the Massachusetts Attorney General, and the Office of Consumer Affairs and Business Regulation.
Secure Destruction. We dispose of records containing personal information in a manner consistent with M.G.L. c. 93I.
Recording. Massachusetts is an all-party-consent jurisdiction under the Massachusetts wiretap statute (M.G.L. c. 272, § 99). Where we use audio recording, we obtain consent as required by law. Video-only security recording is conducted with notice posted at our premises.
Comprehensive Privacy Rights. Massachusetts does not currently have a comprehensive consumer-privacy statute granting CCPA-style access and deletion rights. We nonetheless honor the requests described in Section 9 to the extent we are able as a matter of practice and as required by other applicable law.
11. Automated Processing and Insights
The wellness scores, insights, and predictions presented in your reports are generated by DexaFit, Inc.'s machine-learning models on the platform. These outputs are educational wellness information; they are not automated decisions that produce legal or similarly significant effects, and they do not replace professional advice. Where applicable law gives you the right to information about, or human review of, automated processing or profiling, you may exercise it by contacting us or DexaFit, Inc. as described in the respective privacy policies.
12. Data Security
We implement industry-standard administrative, technical, and physical safeguards to protect Personal Information, including, as appropriate, encryption, access controls, secure storage, staff confidentiality obligations, and incident-response procedures, consistent with our Massachusetts WISP (Section 10). Data transmitted to and processed on the DexaFit Platform is protected by the safeguards described in the DexaFit, Inc. Privacy Policy.
No method of internet transmission or electronic storage is completely secure, and we cannot guarantee absolute security. Please use strong passwords and report suspicious activity. In the event of a data breach affecting your Personal Information, we will notify affected individuals and regulators as required by applicable law.
13. Data Retention
We retain Personal Information only as long as necessary for the purposes in this Privacy Policy and to meet legal obligations:
Account and Scheduling Information — for the life of your relationship with us and a reasonable period thereafter (typically 3–7 years) for backup, audit, and legal purposes.
Wellness Information — for as long as needed to provide your reports and history and to meet legal and business requirements.
Transaction Data — as needed for contractual, tax, and accounting obligations (typically 7 years).
Communication and Marketing Data — as needed for support, dispute resolution, and legal compliance, or until you opt out.
Security Footage — for a limited period consistent with our security needs (typically 30–90 days), unless retained longer for an investigation or legal matter.
De-Identified Information — may be retained indefinitely for research, analytics, and business purposes.
When retention periods expire or you request deletion, we securely delete or anonymize Personal Information; some data may persist briefly in backups before final deletion. Data held on the DexaFit Platform is retained as described in the DexaFit, Inc. Privacy Policy.
14. Children's Privacy
Our Services are intended for individuals 18 years of age and older. We do not knowingly collect Personal Information from anyone under 18. If we learn that we have collected Personal Information from a person under 18, we will delete it. If you believe we have collected information from someone under 18, please contact us using the details in Section 20.
15. Investor Information
In addition to the practices described above, we collect limited Personal Information from members and investors of DexaFit Boston LLC — such as name, contact details, ownership or membership interest, and related records — to manage investor relations, maintain our internal and capitalization records, process distributions, and meet tax and legal obligations. We use and disclose this information consistent with Sections 5 and 6 and applicable law.
16. Regulatory Compliance
HIPAA and Physician Oversight. Our general wellness Services are generally not subject to the Health Insurance Portability and Accountability Act (HIPAA), and the wellness data we process is not a medical record. We do not bill health insurance for our Services, and we do not represent that our Services are "HIPAA-compliant." The oversight provided by our medical director is limited to reviewing and authorizing the appropriateness of assessments as required by applicable law; it is administrative in nature and does not, by itself, render DexaFit Boston a HIPAA covered entity, constitute the practice of medicine, or create a physician-patient or treatment relationship. Where we (or DexaFit, Inc.) act as a Business Associate to a covered entity under a Business Associate Agreement (BAA), the applicable HIPAA obligations are honored for that Protected Health Information.
GDPR / UK GDPR. Our Services are directed to the United States and are not targeted to individuals in the EU/EEA or UK. We make no independent commitment under those frameworks. Where the GDPR or UK GDPR applies to processing on the DexaFit Platform, the commitments and data-subject rights described in the DexaFit, Inc. Privacy Policy apply.
Other. We adhere to applicable FDA guidance for general wellness products, FTC guidelines on data security and consumer protection, applicable U.S. state privacy and consumer-health-data laws as they take effect, and relevant industry standards for wellness data.
17. Third-Party Websites and Services
Our Services may include links to, or integrations with, third-party websites, applications, and services. Except where we expressly adopt or refer to this Privacy Policy, this Privacy Policy does not apply to the data practices of third parties. We are not responsible for the content or privacy practices of third parties, and we encourage you to review their privacy policies.
18. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or for legal, operational, or regulatory reasons. We will communicate significant changes through our Services or by email, and the "Last Modified" date above reflects the latest update. Changes are effective when posted unless otherwise stated. Please review this policy periodically.
19. Governing Law
This Privacy Policy and any matter relating to it are governed by the laws of the Commonwealth of Massachusetts without regard to its conflict-of-laws principles. Dispute resolution, including any arbitration and class-action-waiver provisions, is addressed in our Terms and Conditions.
20. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, contact us:
DexaFit Boston LLC
Privacy Department
799 Concord Ave, Cambridge, MA 02138
Email: boston@dexafit.com
For matters concerning the DexaFit Platform operated by DexaFit, Inc., see the DexaFit Privacy Policy at dexafit.com/privacy or contact privacy@dexafit.com.