Privacy Policy

1. Sources of Personal Data

We collect Personal Data about you from the following sources:

• Directly from you, such as when you create an account, enroll in a membership, complete intake forms, contact us through our website, communicate with us via email or phone, or submit medical records or other information through our platform.
• From your healthcare providers, such as when we retrieve medical records from hospitals, laboratories, imaging centers, pharmacies, and other providers on your behalf and with your authorization.
• Data collected automatically. We collect limited technical data automatically when you visit our website, as described in Section 5 below. We minimize automatic data collection and do not use third-party advertising trackers, pixels, or cookies.
• From third-party service providers, such as payment processors, identity verification services, and electronic health record networks that facilitate record retrieval.

We may combine information received from these sources to provide and improve our Services.

2. Types of Personal Data We Collect

We may collect the following categories of Personal Data:

Information we do NOT collect through our Digital Properties: We do not collect Social Security numbers, driver's license numbers, financial account numbers (other than payment information processed by Stripe), biometric identifiers, or precise geolocation through our website or marketing activities. Health-related information you provide through our clinical platform is PHI governed by our Notice of Privacy Practices, not this Privacy Policy.

3. How We Use Personal Data

We use Personal Data for the following purposes:

• To provide and manage your account and Services, including processing enrollment, verifying your identity and eligibility, maintaining your account, processing payments, communicating with you about your account and membership, and providing customer support.
• To facilitate healthcare services, including retrieving medical records on your behalf, coordinating with laboratories and imaging centers, transmitting prescriptions, facilitating specialist referrals, and scheduling consultations. (Note: The use of your health information for clinical purposes is governed by our Notice of Privacy Practices, not this Privacy Policy.)
• For internal business operations, including maintaining business records, accounting, financial administration, auditing, quality assurance, and IT administration.
• For research and improvement, including improving our Services, developing and improving our technology and algorithms, analyzing aggregate usage patterns, and conducting de-identified outcomes research (with your separate consent where required). When Personal Data is used for research, it is de-identified in accordance with HIPAA de-identification standards, including application of random date shifting.
• For legal, safety, and security purposes, including complying with applicable laws and regulations, responding to legal process, enforcing our Terms of Service, protecting our rights, property, or safety and that of our patients and others, and detecting and preventing fraud or security incidents.
• For direct communications from us, including sending you information about our Services, membership updates, health-related educational content, and administrative notices. We do not sell your Personal Data for third-party marketing purposes. We do not serve third-party advertisements. You may opt out of non-essential communications at any time.
• In connection with a corporate transaction, such as a merger, acquisition, reorganization, sale of assets, or bankruptcy proceeding.

We may use anonymized, de-identified, or aggregated information for any purpose permitted by law, including outcomes research, quality improvement, and publication of aggregate findings.

4. How We Disclose Personal Data

We may disclose Personal Data to the following categories of recipients, and only for the purposes described in this Privacy Policy:

• Affiliated entities, including Modulus AI, Inc. (our management services organization) and our affiliated physician entities, as necessary to operate and provide the Services.
• Service providers that perform services on our behalf, including cloud hosting and data storage providers (Google Cloud Platform), payment processors (Stripe), electronic health record and health information exchange networks (for record retrieval), e-prescribing services, electronic signature providers, telehealth platform providers, email and communication providers, and IT security providers. These service providers are contractually obligated to protect your information and use it only as directed by us.
• Healthcare providers and clinical partners, such as laboratories, imaging centers, pharmacies, and specialists, as necessary to provide your care and as authorized by you.
• Professional advisors, including attorneys, accountants, auditors, and consultants, as necessary for our business operations.
• Law enforcement and government agencies, when required by law, legal process, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
• Parties to a corporate transaction, in connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy proceeding, subject to standard confidentiality obligations.
• With your consent, to other parties when you have directed or authorized us to do so.

We Do NOT Disclose Personal Data To:

• Advertisers, advertising networks, or ad platforms
• Social media companies for advertising or tracking purposes
• Data brokers or commercial data partners
• Any third party for their own independent marketing purposes

We do not sell your Personal Data. We do not share your Personal Data for cross-context behavioral advertising.

5. Cookies and Tracking Technologies

Our Approach to Tracking

We take a minimal approach to cookies and tracking technologies. We do not use third-party advertising cookies, tracking pixels, social media pixels, or retargeting technologies on our website or platform. We do not allow third-party advertisers to collect information about you through our Digital Properties.

Technologies We Use

We use only the following limited technologies:

• Essential cookies that are strictly necessary for the operation of our website and platform, such as session cookies that maintain your login state, remember your preferences, and enable core functionality. These cookies do not track you across other websites.
• First-party analytics. We may use privacy-respecting, first-party analytics to understand aggregate usage patterns on our website (such as which pages are most visited and general traffic volumes). We do not use Google Analytics or any third-party analytics service that shares data with advertising platforms. Any analytics data is aggregated and is not used to identify individual users for marketing purposes.
• Security technologies that help us detect and prevent fraud, abuse, and unauthorized access to our systems.

Technologies We Do NOT Use

• Third-party advertising cookies or pixels (including Meta/Facebook Pixel, Google Ads, TikTok Pixel, LinkedIn Insight Tag, or any similar technology)
• Cross-site tracking technologies
• Session replay or screen recording tools
• Fingerprinting technologies
• Social media tracking widgets or plug-ins

Your Choices

You can refuse or delete cookies through your browser settings. Because we use only essential and privacy-respecting cookies, disabling cookies may affect the functionality of our website and platform. We honor Global Privacy Control (GPC) signals and Do Not Track (DNT) browser signals, though given our minimal tracking practices, these signals will have limited practical effect.

6. Data Security

We implement administrative, technical, and physical safeguards designed to protect your Personal Data, including:

• Encryption of data in transit (TLS) and at rest (AES-256 / SSE-KMS)
• Multi-factor authentication for all staff access to systems containing Personal Data
• Role-based access controls with minimum necessary access
• Regular access reviews and audit logging
• HIPAA-compliant cloud infrastructure with signed Business Associate Agreements
• Staff training on privacy and security practices at onboarding and annually
• Incident response procedures for promptly identifying and addressing security events

While we take reasonable measures to protect your information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your Personal Data.

7. Data Retention

Personal Data

We retain Personal Data for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. When Personal Data is no longer required, we securely delete or de-identify it.

Medical Records and PHI

Medical records and PHI are retained for a minimum of ten (10) years in accordance with applicable federal and state law, as further described in our Notice of Privacy Practices.

De-Identified Data

We may retain de-identified data (data from which all HIPAA-defined identifiers have been removed) indefinitely for research, quality improvement, and aggregate analysis purposes. De-identification includes application of random date shifting (plus or minus 1-5 days on all dates, including date of birth) and removal of all direct and indirect identifiers as required by the HIPAA Safe Harbor or Expert Determination methods.

Payment Records

Payment and billing records are retained as required by applicable tax and financial regulations.

8. Your Privacy Rights

Rights Available to All Patients

Regardless of your state of residence, you may:

• Request access to the Personal Data we hold about you
• Request correction of inaccurate Personal Data
• Request deletion of your Personal Data, subject to our legal retention obligations
• Opt out of non-essential communications from us
• Request a copy of your medical records (as described in our Notice of Privacy Practices)

To exercise any of these rights, please contact us at legal@modulus.ai. We will respond to verified requests within the timeframes required by applicable law. We will not discriminate against you for exercising your privacy rights.

California Residents — Additional Rights Under CCPA/CPRA

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), provides you with additional rights regarding your Personal Data:

• Right to Know. You have the right to request that we disclose the categories and specific pieces of Personal Data we have collected about you, the categories of sources from which we collected it, the business purposes for collection, and the categories of third parties with whom we shared it.
• Right to Delete. You have the right to request deletion of your Personal Data, subject to certain exceptions (including our obligation to retain medical records).
• Right to Correct. You have the right to request correction of inaccurate Personal Data.
• Right to Opt Out of Sale or Sharing. We do not sell your Personal Data and do not share it for cross-context behavioral advertising. No opt-out is necessary, but you may submit a request for confirmation.
• Right to Limit Use of Sensitive Personal Information. To the extent we process sensitive Personal Data (such as health information used for non-clinical purposes), you have the right to limit our use to purposes authorized by the CCPA.
• Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, please contact us at legal@modulus.ai or write to us at the address in Section 13. We will verify your identity before fulfilling your request. You may designate an authorized agent to submit a request on your behalf.

Note: The CCPA exempts certain health information, including PHI governed by HIPAA and medical information governed by the California Confidentiality of Medical Information Act (CMIA). Your rights regarding such information are described in our Notice of Privacy Practices.

California Residents — Genetic Information Privacy Act (GIPA)

If you are a California resident and you use our genomic sequencing services (Modulus Bio), the California Genetic Information Privacy Act ("GIPA") provides you with additional protections. We will not disclose your genetic data to third parties without your express written consent, except as required by law or as necessary to provide your healthcare services. You may revoke consent for genetic data use at any time by contacting us at legal@modulus.ai.

Washington State Residents — My Health My Data Act (MHMDA)

If you are a Washington state resident, the Washington My Health My Data Act ("MHMDA") provides you with additional protections regarding consumer health data. We will:

• Obtain your consent before collecting, sharing, or selling consumer health data, except as permitted for providing you with requested services
• Provide you with the right to access, delete, and withdraw consent regarding your consumer health data
• Not sell your consumer health data without your affirmative, express consent
• Not use geofencing around healthcare facilities to collect consumer health data

Where our collection of health data is governed by HIPAA (i.e., PHI created or received in the course of your treatment), HIPAA applies rather than the MHMDA. For health data not covered by HIPAA, the MHMDA protections apply. To exercise your MHMDA rights, contact us at legal@modulus.ai.

Other State Privacy Laws

If you are a resident of a state with a comprehensive consumer privacy law (such as Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or others), you may have additional rights including the right to access, correct, delete, and obtain a portable copy of your Personal Data, and the right to opt out of targeted advertising, profiling, and sale of your data. Because we do not engage in targeted advertising, profiling for automated decision-making, or sale of Personal Data, many of these opt-out rights are already satisfied by our practices. To exercise any applicable state privacy rights, contact us at legal@modulus.ai.

9. De-Identified Data and Outcomes Research

With your separate, voluntary consent, we may use de-identified data derived from your medical records for our outcomes research registry. This registry is used to measure the effectiveness of our diagnostic methods, improve clinical quality, and contribute to medical knowledge.

De-identified data has had all HIPAA-defined identifiers removed, including application of random date shifting, and cannot reasonably be used to identify you. We do not attempt to re-identify de-identified data, and we contractually prohibit recipients of de-identified data from attempting re-identification.

Participation in the outcomes research registry is entirely voluntary. You may opt in or opt out at any time without affecting your membership, the quality of your care, or your access to Services. To change your participation status, contact us at legal@modulus.ai.

10. Genetic Data

If you use our genomic sequencing services (Modulus Bio add-on), we may collect, process, and store genetic data, including whole genome sequencing results. Genetic data is among the most sensitive categories of personal information, and we apply enhanced protections:

• Genetic data is collected and used only with your express, informed consent
• Genetic data is stored using the same encryption and security controls as all PHI
• We do not disclose genetic data to employers, insurers, or any third party for underwriting, employment, or eligibility purposes
• We do not sell genetic data
• You may request deletion of your genetic data at any time, subject to our medical record retention obligations and applicable law
• Genetic data is processed in accordance with the Genetic Information Nondiscrimination Act (GINA), and where applicable, the California Genetic Information Privacy Act (GIPA) and the Washington My Health My Data Act (MHMDA)

If you are located in Washington state or California, genetic data consent defaults to off and requires your affirmative opt-in before any collection or processing occurs.

11. Children's Privacy

Our Services are intended for individuals 18 years of age and older. We do not knowingly collect Personal Data from children under 18 years of age. If you believe we have inadvertently collected Personal Data from a child under 18, please contact us immediately at legal@modulus.ai, and we will promptly delete the information.

A parent or legal guardian may enroll a dependent minor in our Services. In such cases, the parent or legal guardian is responsible for providing consent and managing the minor's account.

12. External Links

Our Digital Properties may contain links to external websites or services that we do not own or control. We are not responsible for the privacy practices, data collection policies, or content of those third-party services. We encourage you to review the privacy policies of any third-party service before providing them with your information.

13. Contact Information

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your information is handled, please contact us:

For questions specifically about your Protected Health Information or medical records, please refer to our Notice of Privacy Practices or contact us at the same address above.