Privacy policy

Kora Health, LLC
Date: March 31, 2026

I. PURPOSE AND SCOPE

This memorandum supersedes the comprehensive remediation roadmap delivered on March 30, 2026, for purposes of immediate implementation planning. At the client's request, this document distills the full compliance audit into the items that must be addressed now to avoid severe regulatory exposure, including FTC enforcement actions, state attorney general investigations, and private litigation.

This memorandum covers only the Tier 1 (Immediate, 24-48 hours) and Tier 2 (Urgent, 7 days) action items. The complete audit, replacement legal documents, and the remaining Tier 3 and Tier 4 items remain valid and should be implemented on the timeline described in the comprehensive memorandum. The accompanying Priority Markup Guide provides the developer team with the specific changes required for each item described herein.

The replacement legal documents previously delivered (Terms and Conditions, Privacy Policy, MHMDA Policy, California Privacy Disclosures, Cancellation Policy, and Telehealth Informed Consent) remain unchanged and should be deployed as part of this priority remediation.

II. WHY THESE ITEMS CANNOT WAIT

The regulatory environment for GLP-1 telehealth platforms is the most aggressive enforcement area in consumer health law. The following recent enforcement actions demonstrate the financial exposure the Platform faces if these items are not addressed promptly:

Action | Amount | Relevant Issue
FTC v. NextMed/LifeMD | $150,000 | First GLP-1 telehealth enforcement; unsubstantiated claims
FTC v. Noom | $56,000,000 | Unsubstantiated weight loss claims; auto-renewal violations
FTC v. Cerebral | $7,000,000 | Tracking pixel health data sharing
FTC v. BetterHelp | $7,800,000 | Health data shared via tracking pixels
FTC v. GoodRx | $1,500,000 | Tracking pixel health data disclosure
Done Global CEO Conviction | Criminal | Platform control over clinical decisions
FDA Warning Letters (Sept. 2025) | 55+ letters | Compounded GLP-1 promotion post-shortage resolution

III. EMERGENCY ACTION -- REPLACE TERMS OF SERVICE (WITHIN 24 HOURS)

The current Terms of Service published on koramd.com reference "Kora" throughout the document. This is another company's legal document. A consumer could argue that no valid contract exists between Kora MD and any user of the website. This eliminates the Platform's arbitration clause, limitation of liability, limitation on damages, warranty disclaimers, and every other protective provision.

Action: Replace the current Terms of Service page in its entirety with the replacement Terms and Conditions (Document 02) delivered with this engagement. This is the single highest-priority action item and should be completed within 24 hours.

IV. IMMEDIATE ACTIONS (24-48 HOURS)

The following items each carry active enforcement risk and must be addressed before any new marketing spend or advertising pixel deployment.

A. Entity Attribution - Add Footer Disclaimer to Every Page

The website does not disclose anywhere that OpenLoop Healthcare Partners, PC provides the medical services. Consumers see only the Kora MD brand. In every strict corporate practice of medicine (CPOM) state, including California, New York, Texas, Illinois, New Jersey, Oregon, and Minnesota, a non-physician entity that represents itself as providing medical services may face sanctions ranging from cease-and-desist orders to criminal prosecution. LegitScript certification, which is required for Google Ads and Meta advertising, will be denied without this disclosure.

Action: Add the following footer disclaimer to every page of the website, above the copyright notice, in a minimum 10-point font:

"All medical services, including clinical evaluations, treatment planning, and prescribing decisions, are provided exclusively by independently licensed healthcare providers affiliated with OpenLoop Healthcare Partners, PC and its affiliated professional entities. Kora MD Health International, Inc. provides the technology platform and administrative services only. Kora MD does not provide medical services, does not make prescribing decisions, and does not practice medicine. Prescription medications, when prescribed, are dispensed by independently licensed pharmacy partners, including RedRock Pharmacy, Health Warehouse, Precision Compounding Pharmacy, and Triad Rx."

Additionally, search the entire site for first-person clinical language such as "we prescribe," "our doctors," "our medical team," and "your Kora MD prescription." Replace every instance. The Platform does not prescribe anything. When the site says "we prescribe," it represents to regulators that Kora MD itself practices medicine.

B. Remove Unsubstantiated Social Proof Claims

The homepage displays "20,000+ members" and "Trusted by over 23,000+ happy customers" alongside a Trustpilot rating badge. The FTC's 2024 rule on fake reviews specifically prohibits misleading consumer counts and fabricated social proof statistics. If these numbers cannot be substantiated with documentary evidence showing actual paying members or verified customers, they must be removed immediately. We understand the Platform is relatively new, making these figures particularly difficult to defend.

Action: If substantiable with documentary evidence, keep and add a footnote with source and date. If not substantiable, remove immediately. Do not replace with other unverified numbers.

C. Remove or Disclaim Before-and-After Photos

The website displays before-and-after photos with specific weight loss claims (e.g., "Hannah lost 38 lbs in 5 months," "Sandra K. lost 42 lbs in under 4 months"). Under the 2023 FTC Endorsement Guides (16 C.F.R. Part 255), each such image requires a disclosure of generally expected results, a statement that results are not typical if they are not, a disclosure of any material connection, and for compounded medications, a statement that clinical trial data from branded products may not apply.

If AI-generated, stock photos, or not from actual Kora MD patients: Remove immediately. There is no compliant path for using fabricated or borrowed testimonial imagery.

If from actual Kora MD patients with documented consent: Keep, but add the following disclaimer immediately adjacent to each image:

"Individual results vary. [Name]'s results reflect one individual's experience and may not be typical. Weight management outcomes depend on adherence to treatment, diet, exercise, metabolism, and underlying health conditions. No specific weight loss result is guaranteed. [If compounded medication was used:] This patient used a compounded medication that is not FDA-approved. Clinical trial data from branded products may not apply."

D. Fix Prescription Guarantee Language

The homepage displays "Same-day Medical Evaluations & Prescriptions" as a feature bullet. This language implies that prescriptions are guaranteed as part of the service, which undermines the clinical independence of the prescribing provider and exposes the Platform to FTC deceptive advertising enforcement and CPOM claims.

Action: Replace with: "Same-day medical evaluations available. Prescriptions issued only when clinically appropriate as determined by your licensed healthcare provider." Alternative (preserves marketing energy): "Same-day medical evaluations available. If your provider determines medication is clinically appropriate, prescriptions may be issued the same day. A prescription is not guaranteed."

E. Add Physical Business Address to Footer

LegitScript certification requires a verifiable physical business address. Without it, the certification application will be denied, which blocks Google Ads and Meta advertising for telehealth services.

Action: Add to footer: "Kora MD Health International, Inc., 10503 Foundation Road, Austin, TX 78726."

F. Correct Trademark Errors and Add Required Disclaimers

The website references "Zepound," which appears to be a misspelling of "Zepbound." All brand-name medication references require registered trademark symbols and ownership attribution. Failure to include these disclaimers risks trademark infringement claims and creates the false impression that Kora MD is affiliated with the brand manufacturers.

Action: Correct "Zepound" to "Zepbound" everywhere it appears. Add the following trademark disclaimer to the footer and to every page referencing brand-name medications: "Ozempic and Wegovy are registered trademarks of Novo Nordisk A/S. Mounjaro and Zepbound are registered trademarks of Eli Lilly and Company. Kora MD Health International, Inc. is not affiliated with, endorsed by, or sponsored by Novo Nordisk A/S or Eli Lilly and Company."

G. Add Compounding Disclosure to Every Compounded Product Page

Following the FDA's resolution of the semaglutide shortage on February 21, 2025, and the subsequent issuance of 55+ warning letters to compounding entities in September 2025, every page offering compounded medications must include a clear compounding disclosure. This disclosure must appear on the GLP-1 Treatments, GLP-1 Microdosing, NAD+ Injection, Semorelin, Oral GLP/GIP, and Glutathione pages. It must NOT appear on brand-name-only sections.

Required disclosure: "Compounded medications are not FDA-approved. The FDA has not verified the safety, effectiveness, or quality of compounded medications. Compounded medications are prepared by licensed pharmacies based on individual patient prescriptions and are not bioequivalent to or interchangeable with any commercially available FDA-approved product."

H. Separate Brand-Name and Compounded Medications

The website currently mixes brand-name medication references with compounded product descriptions. This creates consumer confusion and undermines the required regulatory distinction between the two product categories. Compounding disclaimers should never appear on pages or sections describing FDA-approved brand-name products, and brand-name clinical trial data should never be referenced in connection with compounded formulations.

Action: Create clearly separate sections on any page that offers both compounded and brand-name medications. The compounded section receives the compounding disclosure. The brand-name section receives the trademark disclaimer but no compounding disclosure. Do not compare compounded products favorably against FDA-approved products on efficacy or safety metrics, and do not offer compounded products on the brand-specific product pages.

I. Remove Kora MD-Branded White Coat Provider Image

The website displays a photo of a provider wearing a Kora MD-branded white coat in the "24/7 provider support" section. This creates the false impression that the provider is employed by Kora MD rather than by the Practice. In CPOM states, this image alone could be cited as evidence that Kora MD holds itself out as providing medical services.

Action: Remove the image or replace it with an image that does not include Kora MD branding on clinical personnel.

J. Deploy Cookie Consent Banner Before Any Advertising Pixels

No cookie consent banner currently exists on the website. The Platform has confirmed that advertising tracking pixels (Meta Pixel, Google Ads) are not yet deployed but are planned. This is a significant compliance opportunity: the consent infrastructure must be deployed before any advertising pixels go live. BetterHelp, Cerebral, and GoodRx collectively paid over $16 million in fines for sharing health data through tracking pixels without consent.

Action: Deploy a consent management platform immediately. The banner must appear before any non-essential tracking fires, must have equally prominent "Accept" and "Decline" buttons, must offer category selection (Strictly Necessary, Analytics, Advertising), must link to the Privacy Policy, and must honor Global Privacy Control signals. Do NOT deploy Meta Pixel or Google Ads conversion tags on any page where health information is collected (quiz, checkout, product pages with health content, patient portal).

K. Remove All Dark Patterns from Checkout Flow

The FTC evaluates dark patterns as a "flow" analysis. Multiple dark patterns in a single transaction flow are treated as evidence of intentional manipulation. The following must be addressed immediately:

Countdown timers: If the checkout flow displays countdown timers (e.g., "Your Discount is Reserved for 06:31"), remove entirely. Compounded medications are prepared per individual prescription; there is no genuine time-limited event.

Scarcity claims: Remove "Low stock," "Limited supply," "Only X spots left," or any similar language for compounded medications.

Pre-checked consent boxes: All consent checkboxes must be unchecked by default. Pre-checked boxes violate the FTC Click-to-Cancel Rule and ROSCA.

Cancellation parity: The cancellation process must be at least as simple as enrollment. If enrollment is online, cancellation must be available online with a clear "Cancel Membership" button in account settings.

Hidden costs: All costs must be disclosed before payment. No charges may be added after the initial price display.

L. Add OpenLoop State Coverage Verbiage

Action: Add to footer and Terms and Conditions: "Currently offering services in all 50 states plus Washington D.C. Some services may not be available in all 50 states or Washington D.C. Subject to change." This language is required by OpenLoop and will be verified during LegitScript certification.

M. Add Auto-Renewal Disclosures on All Purchase Entry Points

Any button or link on the homepage or product pages that initiates a purchase must include a nearby disclosure stating that the purchase is a recurring subscription.

Action: Add near every purchase button: "This is a recurring subscription that renews automatically until you cancel." Include pricing, billing frequency, and cancellation instructions.

V. URGENT ACTIONS (WITHIN 7 DAYS)

A. Deploy All Replacement Legal Documents

The following replacement documents were delivered with the comprehensive engagement package and must be deployed on the website within 7 days. Each document should be published as its own page and linked from the site footer.

Doc | Document | URL | Replaces
02 | Terms and Conditions | koramd.com/terms | Current Kora Terms (EMERGENCY)
03 | Privacy Policy | koramd.com/privacy | Current Privacy Policy
04 | Consumer Health Data Privacy Policy (MHMDA) | koramd.com/health-data-privacy | New page (required by WA law)
05 | California Privacy Disclosures | koramd.com/california-privacy | New page (required by CA law)
06 | Cancellation and Refund Policy | koramd.com/cancellation | Current Cancellation Policy
07 | Telehealth Informed Consent | koramd.com/telehealth-consent | New page (required for telehealth)

Additionally, link to OpenLoop's own Telehealth Consent at https://openloophealth.com/telehealth-consent from the Kora MD Telehealth Consent page.

B. Add Footer Links to All Required Legal Pages

The footer on every page must include clearly labeled links to: Terms and Conditions, Privacy Policy, Telehealth Consent, Consumer Health Data Privacy Policy, California Privacy Disclosures (labeled "Your California Privacy Rights"), Cancellation and Refund Policy, and "Do Not Sell or Share My Personal Information" (required by California law as a separate link).

C. Product Page Compounding and Entity Attribution Review

Each of the seven product/service pages (GLP-1 Treatments, GLP-1 Microdosing, NAD+ Injection, Semorelin, Oral GLP/GIP, Hormone Therapy, Glutathione) must receive entity attribution language and, for all compounded products, the compounding disclosure. Do not make disease treatment claims for NAD+, glutathione, or sermorelin unless substantiable with competent and reliable scientific evidence. Add the following to each compounded product page: "All prescribing decisions are made solely by independently licensed healthcare providers affiliated with OpenLoop Healthcare Partners, PC. Kora MD does not prescribe medications or make clinical decisions. A prescription is not guaranteed."

D. Blog Content Review

Review all blog posts for unsubstantiated weight loss claims, brand-name references used in connection with compounded products, and missing entity attribution. For any post citing specific weight loss percentages or clinical trial results, add: "These results are from clinical trials of FDA-approved formulations and may not be representative of results from compounded medications."

E. Tracking Technology Restrictions

Ensure Customer.io receives only contact information (name, email, phone) and membership status. Customer.io must not receive health assessment data, clinical information, or quiz responses. When advertising pixels are eventually deployed, restrict them to general marketing pages only. Advertising and analytics technologies must never fire on quiz pages, checkout flow screens, product pages displaying health content, or any page where a consumer submits health information.

VI. LEGITSCRIPT HEALTHCARE MERCHANT CERTIFICATION READINESS

LegitScript Healthcare Merchant Certification is required by Visa, Mastercard, Google, Microsoft Bing, Meta (Facebook/Instagram), and TikTok for telehealth providers that facilitate prescribing. Without certification, the Platform cannot advertise on any major digital advertising platform and may face merchant account suspension. The application fee is $975 (non-refundable) and the annual certification fee is $2,150 per website.

LegitScript evaluates telehealth applicants against 10 certification standards organized into three categories: Registration and Compliance, Internal Practices, and External Practices. The following table maps each standard to the specific website elements required and the status of each element after the priority remediation items in this memorandum are completed.

A. Registration and Compliance Standards

Standard 1: Licensure and Business Registration

The applicant must be adequately licensed for the services offered and in the jurisdictions served. Medical providers and pharmacies must be duly licensed in the jurisdictions from which medications are prescribed/dispensed and the jurisdiction in which the patient is located.

Website Requirement: The site must identify the licensed medical practice entity and its providers. The replacement Terms and Conditions (Document 02) and the entity attribution footer (GLOBAL-2) identify OpenLoop Healthcare Partners, PC and its affiliated professional entities as the licensed medical practice providing all clinical services. The footer identifies all four licensed pharmacy partners by name, address, and contact information. The state coverage verbiage (GLOBAL-6) discloses the jurisdictions served.

Status after remediation: READY. Deploy the entity attribution footer, replacement Terms, and state coverage verbiage as directed in the Priority Markup Guide.

Standard 2: Legal Compliance

The applicant must comply with all applicable laws and regulations. The website must not facilitate prescribing or dispensing of unapproved medications.

Website Requirement: Compounding disclosures on all compounded product pages (SP-2) address the FDA approval status. The 503A significant difference framework (in the comprehensive memorandum) addresses the legal basis for compounding post-semaglutide-shortage-resolution. The replacement legal documents (Terms, Privacy Policy, MHMDA Policy, California Privacy Disclosures, Telehealth Consent) ensure compliance with applicable federal and state laws.

Status after remediation: READY. Deploy all six replacement legal documents and compounding disclosures as directed.

Standard 3: Domain Name Registration

The domain name registration for koramd.com must be accurate, and the registrant must have a logical nexus to the applicant's business. Domain name registration should not be privacy-protected, or the applicant must provide LegitScript with non-privacy-protected registration information.

Action Required: Verify that the WHOIS registration for koramd.com identifies Kora MD Health International, Inc. or a principal of the company as the registrant. If privacy protection is enabled, either remove it or be prepared to provide LegitScript with the underlying registration information during the application process.

B. Internal Practices Standards

Standard 4: Prior Discipline and History

The applicant and its principals, key staff, and associated medical/pharmacy practitioners must disclose any criminal, regulatory, or civil violations from the past ten years. Recent or repeated disciplinary sanctions may be disqualifying.

Action Required: Before submitting the LegitScript application, confirm with OpenLoop Healthcare Partners, PC that no providers on the platform have unresolved disciplinary actions. Confirm that none of Kora MD's principals or officers have relevant disciplinary history. LegitScript will conduct its own background checks.

Standard 5: Affiliates and Partners

All affiliates and partners must comply with certification standards and operate legally. Partner pharmacies responsible for prescription fulfillment are generally required to be LegitScript-certified or accredited by another recognized body (e.g., NABP VIPPS, PCAB).

Action Required: Confirm the LegitScript certification or equivalent accreditation status of each pharmacy partner: RedRock Pharmacy, Health Warehouse, Precision Compounding Pharmacy, and Triad Rx. If any pharmacy partner is not currently LegitScript-certified or otherwise accredited, this must be addressed before or concurrently with the Kora MD application. Additionally, confirm the pharmacy partner URL discrepancy: OpenLoop references "Precision Medicine" at precisionmeds.com, while current documents reference "Precision Compounding Pharmacy" at mypcphealth.com. Resolve this with OpenLoop before submission.

C. External Practices Standards

Standard 6: Patient Services

This is the most website-intensive standard. The website must clearly disclose: (a) all states/territories where services are available; (b) an accurate street address; (c) the identity and location of medical practitioners providing care; (d) an accurate street address for each dispensing pharmacy; and (e) an accurate, readily accessible phone number or secure contact mechanism for patients to contact a provider or pharmacist regarding complaints, concerns, or adverse events.

Website Requirements and Status:

(a) State disclosure: READY after deploying GLOBAL-6 ("Currently offering services in all 50 states plus Washington D.C. Some services may not be available in all 50 states or Washington D.C. Subject to change.").

(b) Platform street address: READY after deploying GLOBAL-5 ("Kora MD Health International, Inc., 10503 Foundation Road, Austin, TX 78726").

(c) Medical practice identification: READY after deploying the entity attribution footer (GLOBAL-2) identifying OpenLoop Healthcare Partners, PC as the medical practice.

(d) Pharmacy addresses: The entity attribution footer (GLOBAL-2) names all four pharmacy partners. The comprehensive memorandum (Section II.C) includes full addresses and phone numbers for each. LegitScript may require these addresses to appear on the website. Add the following to the footer or to a dedicated "Our Partners" section:

"Pharmacy Partners: RedRock Pharmacy, 1240 E 100 S #220, St. George, UT 84790; Health Warehouse, 7107 Industrial Rd., Florence, KY 41042; Precision Compounding Pharmacy, 2657 Merrick Road, Bellmore, NY 11710; Triad Rx, 26258 Pollard Road, Daphne, AL 36526."

(e) Patient contact mechanism: The replacement Terms (Section XXIV) and the Telehealth Consent include patient support contact information: patientsupport@openloophealth.com and (855) 597-1248 for clinical questions; care@koramd.com for platform/billing questions. Ensure these are prominently displayed on the website (footer or Contact page). LegitScript requires patients to be able to contact their prescribing provider -- the OpenLoop patient portal and patientsupport@openloophealth.com satisfy this requirement.

Standard 7: Privacy

The applicant must comply with all applicable privacy laws and post its privacy policy on the website. US-based applicants collecting PHI must comply with HIPAA.

Status after remediation: READY. The replacement Privacy Policy (Document 03), MHMDA Consumer Health Data Privacy Policy (Document 04), and California Privacy Disclosures (Document 05) address all applicable privacy frameworks. The Telehealth Consent (Document 07) addresses clinical data. The Privacy Policy links to OpenLoop's Notice of Privacy Practices for HIPAA-covered clinical data.

Standard 8: Validity of Prescription

Prescriptions must only be dispensed upon receipt of a valid prescription from a person authorized to prescribe. Prescriptions must not be issued prior to provision of care by a licensed medical professional. The applicant must comply with all applicable telemedicine laws.

Website Requirement: The website must not imply that prescriptions are issued automatically or prior to clinical evaluation. The priority remediation addresses this through: removal of "Same-day Prescriptions" guarantee language (HP-3); "A prescription is not guaranteed" disclosure throughout the checkout flow and product pages; the entity attribution framework establishing that all prescribing decisions are made by independently licensed providers; and the quiz/checkout flow disclaimers confirming clinical evaluation precedes prescribing.

Status after remediation: READY. Deploy the language changes in HP-3, SP-1, and the checkout flow disclosures as directed.

Standard 9: Transparency

The applicant may not engage in deceptive or fraudulent practices, including in marketing and advertising. This includes deceptive pricing, unsubstantiated claims, fake testimonials, and misleading representations about services.

Website Requirements and Status:

Unsubstantiated social proof ("20,000+ members"): ADDRESSED by HP-1 (substantiate or remove).

Before-and-after photos: ADDRESSED by HP-2 (remove if not from actual patients; add FTC disclaimers if genuine).

Dark patterns (countdown timers, scarcity claims, pre-checked boxes): ADDRESSED by DP-1 through DP-7.

Prescription guarantee language: ADDRESSED by HP-3 and checkout flow revisions.

Kora Terms of Service: ADDRESSED by GLOBAL-1 (emergency replacement).

Transparent pricing: ADDRESSED by HP-6 and SP-4 (auto-renewal disclosures, no hidden costs).

Standard 10: Advertising

All advertising must be transparent and comply with applicable laws. Advertisements must not deceive, mislead, or defraud the public. Advertising in violation of platform terms of service may result in certification denial or revocation.

Status: No advertising should be deployed until all priority remediation items are complete. Once the entity attribution footer, compounding disclosures, trademark disclaimers, cookie consent banner, and replacement legal documents are live, the website will be in position for LegitScript certification. After certification is obtained, advertising may proceed on Google, Meta, and other platforms in compliance with each platform's healthcare advertising policies.

D. LegitScript Application Preparation Checklist

Complete the following before submitting the LegitScript application:

[ ] All Tier 1 and Tier 2 website remediation items from this memorandum are deployed and live

[ ] All six replacement legal documents are published on the website

[ ] Entity attribution footer is live on every page

[ ] Physical business address is displayed in footer

[ ] State coverage verbiage is displayed in footer

[ ] Pharmacy partner names and addresses are displayed on the website

[ ] Patient contact mechanism is displayed (care@koramd.com, (855) 597-1248, patientsupport@openloophealth.com)

[ ] Privacy Policy is posted and linked from every page

[ ] Cookie consent banner is deployed and functional

[ ] Compounding disclosures are on all compounded product pages

[ ] No unsubstantiated claims remain on the site

[ ] No dark patterns remain in the checkout flow

[ ] WHOIS registration for koramd.com is accurate or documentation is ready for LegitScript

[ ] Pharmacy partner LegitScript certification or accreditation status confirmed

[ ] OpenLoop has confirmed no unresolved provider disciplinary actions

[ ] Kora MD principals have confirmed no relevant disciplinary history

[ ] Pharmacy partner URL discrepancy resolved (Precision Medicine vs. Precision Compounding Pharmacy)

[ ] Trademark disclaimers are displayed on all brand-name medication references

[ ] "Kora" Terms of Service have been replaced

[ ] No advertising pixels are deployed without consent framework in place

Timing: We recommend submitting the LegitScript application within 7-14 days of completing all Tier 1 and Tier 2 remediation items. LegitScript review timelines vary but typically range from 4-12 weeks depending on application volume, complexity, and applicant responsiveness. Expedited processing is available from LegitScript for an additional fee.

VII. ITEMS DEFERRED TO PHASE 2 (30-90 DAYS)

The following items from the comprehensive audit remain valid but are not required for immediate legal compliance. They should be implemented within 30-90 days as development resources permit:

Standard (30 Days): Complete checkout flow redesign with full replacement screen text; deploy replacement quiz instrument with 503A prescreening questions; deploy Safety Information page; deploy replacement FAQ page; deploy replacement How It Works page; Section 1557 Nondiscrimination Notice; Good Faith Estimate mechanism.

Recommended (60-90 Days): Accessibility statement (WCAG 2.1 AA); post-implementation compliance review; quarterly compliance review calendar; genuine social proof development through verified patient testimonials; adverse event reporting workflow; Provider SOP adoption for 503A significant difference determinations.

VIII. CONCLUSION

The items in this memorandum represent the minimum actions required to bring the Platform into a defensible compliance posture. The underlying business model is legitimate, the clinical workflow through OpenLoop is well-structured, and the pharmacy partner network is properly configured. The issues identified are fixable, specific, and representative of common patterns in the GLP-1 telehealth space.

We strongly recommend completing all Tier 1 items within 48 hours and all Tier 2 items within 7 days. No new advertising spend (Google Ads, Meta, Instagram) should be deployed until the cookie consent banner, entity attribution footer, and compounding disclosures are live.

We are available to review the implementation before the changes go live and to address any questions as remediation proceeds.

Respectfully submitted,
ZACHARY SIMPSON, ESQ.
Of Counsel
Gordon Rees Scully Mansukhani, LLP

This memorandum constitutes attorney work product and is protected by the attorney-client privilege. It is provided for the exclusive use of the intended recipient and should not be shared with third parties without the express written consent of Gordon Rees Scully Mansukhani, LLP.