Privacy Policy

Last updated: May 10, 2026

1. Who's behind Therisse — and who handles your medical information

Therisse is a brand operated by Ironoak Holdings LLC ("Therisse," "we," "us"), a Texas limited liability company. We handle marketing, billing, and customer support.

The actual medical services — physician consultations, intake forms, prescriptions, and your medical records — are provided by MDI Medical Group PC and its network of independently licensed, board-certified physicians. MDI is a HIPAA-covered entity and the sole keeper of your protected health information ("PHI"). When you complete the medical intake form, you are interacting with MDI's HIPAA-compliant platform, not with Therisse. No PHI is stored on therisse.com.

2. What we collect

On therisse.com (Ironoak Holdings):

  • Your name, email address, and phone number for account and order confirmations
  • Your billing address and payment information, handled by Stripe (we never see or store your full card number)
  • Standard web analytics: IP address, browser type, device, and page interactions
  • Marketing engagement signals via the Meta Pixel and Meta Conversions API (used for ad measurement; hashed before transmission)

On MDI's platform (separate from Therisse): medical history, current symptoms, photos uploaded for physician review, lab results, prescriptions, and message history. This data is governed by MDI's Notice of Privacy Practices, provided to you when you start the intake form. We do not receive copies of this information.

3. How we use what we collect

We use information collected by Therisse to provide and improve our services, process payments, send you order confirmations and operational emails, route you to MDI's medical platform when you complete a purchase, and measure the performance of our marketing.

4. Who we share information with

We do not sell your personal information. We share data only with the partners required to deliver our service:

  • MDI Medical Group PC — your name, email, and phone are passed so MDI can create your patient record. From there, MDI collects and manages your medical information under their own HIPAA-compliant privacy practices.
  • Stripe — payment processing and subscription billing.
  • Compounding pharmacies — for medication fulfillment, only after a licensed physician has prescribed treatment.
  • Email and customer support tools (e.g., Google Workspace) — to communicate with you about your account.
  • Advertising platforms (Meta, etc.) — hashed identifiers and conversion signals for ad measurement. We do not share any medical condition or treatment information with advertising platforms.
  • When legally required (subpoena, court order, regulatory request).

5. HIPAA and your medical records

Therisse is not a HIPAA-covered entity. Therisse and MDI Medical Group PC are not in a business associate relationship under HIPAA, because Therisse does not store or process protected health information on its own systems.

Your protected health information lives on MDI's HIPAA-compliant platform. To access, correct, or request a copy of your medical records, contact MDI directly using the address provided in their Notice of Privacy Practices, or use the patient portal accessible from any clinician message you receive.

6. Data security

We use industry-standard encryption (TLS/HTTPS) for data in transit and at rest. Access to Therisse-side personal information is restricted to authorized personnel. Payment data is tokenized and held by Stripe, a PCI-DSS Level 1 service provider. Medical information is held by MDI on infrastructure they certify as HIPAA-compliant.

7. Your rights

You may at any time ask us to:

  • Access the personal information Therisse holds about you (name, email, billing records, account history)
  • Correct inaccurate personal information
  • Delete your Therisse account and the personal information tied to it (subject to financial recordkeeping requirements)
  • Opt out of marketing emails using the unsubscribe link in any message

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to request disclosure of categories of personal information collected and to opt out of sale or sharing of personal information. We do not sell personal information.

To exercise any of these rights, email support@therisse.com. To access or amend medical records, contact MDI directly per Section 5.

8. Cookies, pixels, and analytics

therisse.com uses essential cookies to run the site and authenticate sessions. We use Meta Pixel and server-side Meta Conversions API to measure the performance of advertising. We do not transmit medical condition, treatment, or health-status information to advertising platforms. You can control cookie preferences and opt out of advertising via your browser settings or platform-level controls (e.g., your device's ad tracking settings).

9. Children

Therisse services are not intended for individuals under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, where appropriate, by email.

11. Contact

Questions about this Privacy Policy or your Therisse account? Email support@therisse.com.

Therisse is operated by Ironoak Holdings LLC, a Texas limited liability company. For medical records access, contact MDI Medical Group PC directly via the patient portal or as instructed in their Notice of Privacy Practices.