Privacy Policy

Effective Date: October 5, 2025

Healsend Inc. ("Healsend," "we," "us," "our") operates as a Management Services Organization (MSO). We provide technology infrastructure, administrative services, billing coordination, and platform management to a network of licensed independent Professional Entities — physician groups, professional corporations, and other licensed healthcare providers — that independently deliver clinical care to patients through the Platform.

We are a technology and administrative services company, not a medical provider. Healsend does not practice medicine, does not diagnose or treat patients, does not employ licensed clinicians in a clinical capacity, and does not function as a covered entity under HIPAA with respect to its own platform operations. The Professional Entities we support are independent licensed entities that may be covered entities or business associates under HIPAA, and Healsend serves as a Business Associate under those arrangements.

This Privacy Policy applies to all information collected through healsend.com and all associated applications, platforms, portals, and services (collectively, the "Platform"). Our mailing address is 30 N Gould St Ste R, Sheridan WY 82801. Contact: yourhealth@healsend.com | https://healsend.com.

This Policy applies to all individuals who: visit or interact with healsend.com or the Platform; create an account or register as a patient; complete health intake questionnaires or consultations; purchase or use any service through the Platform; or contact us for support or information.

This Policy does not apply to information processed exclusively by Professional Entities in their capacity as independent covered entities. Patients seeking access to their Protected Health Information (PHI) held by a treating Professional Entity should contact that entity directly or submit a HIPAA request to Healsend's Privacy Officer (see Section 28).

Our Platform and services are available only to residents of the United States who are 18 years of age or older. We do not knowingly market to or process information of non-U.S. residents or individuals under 18.

• Personal Information (PI): Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular individual or household.
• Consumer Health Data (CHD): Personal information that identifies your past, present, or future physical or mental health condition, including health history, diagnoses, medications, treatment, and related data. Where collected outside a HIPAA business associate context, CHD is regulated under state consumer health data laws such as Washington's My Health My Data Act (MHMDA) and Nevada SB 370.
• Sensitive Personal Information (SPI): A subset of PI that includes: Social Security Number or government ID; precise geolocation; racial or ethnic origin; religious beliefs; union membership; content of personal communications; genetic or biometric data; health information; sexual orientation or gender identity; and financial account credentials. SPI receives the highest level of protection under this Policy.
• Protected Health Information (PHI): Individually identifiable health information created, received, maintained, or transmitted by a HIPAA-covered entity or Business Associate that relates to health condition, provision of care, or payment.
• Professional Entity: Independent licensed physician groups, professional corporations, PLLCs, and other licensed healthcare providers that contract with Healsend's MSO and independently deliver clinical care to patients.
• Service Provider / Business Associate: Third parties that process data on behalf of Healsend or Professional Entities under Data Processing Agreements (DPAs) or Business Associate Agreements (BAAs) that contractually limit their use of data.

We collect the following categories of personal information depending on how you interact with the Platform:

Identifiers & Contact Information

• Name, email, phone, mailing address, date of birth
• Username and account credentials (passwords stored as salted hashes; we never store plaintext passwords)
• IP address, device identifier, session tokens, browser fingerprint

Health & Clinical Intake

• Responses to health intake questionnaires (symptoms, medical history, medications, allergies, surgical history, family history)
• Consultation notes, clinical determinations, and treatment preferences
• Lab results, imaging reports, or medical records you upload or authorize providers to share
• Weight, height, BMI, body measurements, and self-reported biometric data

Financial & Transaction

• Payment card details (processed by PCI-DSS-compliant third-party processors; we store only payment tokens)
• Billing address, transaction history, subscription status

Internet & Network Activity

• Browser type, operating system, referring URLs
• Pages visited, features used, time on Platform, click patterns, search queries within Platform
• Cookie identifiers and tracking pixel data (see Section 12)

Geolocation

• State and ZIP code (required for provider licensing compliance); city-level IP-inferred location

Communications

• Messages you send to support, providers, or through Platform messaging
• Survey responses, feedback submissions, and call recordings (where disclosed)

Images & Media

• Profile photos or identification images uploaded for identity verification
• Clinical photos uploaded at provider request (e.g., skin condition images)

Inferences

• Treatment eligibility inferences drawn from intake data
• Risk or wellness scores derived from self-reported health information (used only for platform routing, not for denial of care)

Biometric (where collected)

• Face geometry for identity verification (where applicable; subject to state biometric law disclosures — see Section 10)

We collect personal information from the following sources:

• Directly from you: Account registration, health intake forms, consultations, payment, support contacts, survey responses, and profile updates.
• Automatically: Cookies, pixels, server logs, analytics SDKs, and similar technologies when you interact with the Platform (see Section 12).
• From Professional Entities & Pharmacies: Clinical determinations, prescription confirmations, dispensing records, lab results, and treatment notes created during the care delivery process.
• From Payment Processors: Transaction status, fraud signals, and tokenized payment information.
• From Public Sources: Publicly available directories or records used to verify licensure or validate contact information.

• Account Creation & Authentication: Creating and maintaining your account, verifying identity, and securing access.
• Telehealth Facilitation: Routing intake data to the appropriate Professional Entity, enabling asynchronous or synchronous consultations, and coordinating care pathways.
• Prescription & Pharmacy Coordination: Transmitting prescriptions to partner pharmacies (including compounding pharmacies) and tracking order/shipment status.
• Payment Processing: Billing subscription and one-time fees, managing refunds and payment disputes.
• Customer Support: Responding to inquiries and resolving issues.
• Fraud Prevention & Security: Detecting unauthorized access, fraudulent transactions, and malicious activity.
• Analytics & Platform Improvement: Understanding usage patterns, debugging technical issues, and testing new features using de-identified or aggregated data wherever possible.
• Legal Compliance & Regulatory Obligations: Fulfilling recordkeeping, reporting, and response obligations under applicable law.
• Internal Audits: Records of consent, privacy requests, and processing activities for legal defensibility.
• Consent-Based Purposes: Marketing, research, or personalization activities performed only where you have given separate explicit consent.

Healsend acts as a Management Services Organization and technology platform. We do not practice medicine, diagnose conditions, or write prescriptions. All clinical care, diagnoses, prescriptions, and treatment decisions are made exclusively by the independent licensed Professional Entities and their associated providers.

Professional Entities are solely responsible for the clinical quality of care they deliver and for compliance with their own HIPAA obligations, state medical licensing laws, and professional conduct standards. Healsend is not liable for clinical decisions made by Professional Entities.

Healsend's administrative role includes: platform hosting, patient intake routing, secure messaging infrastructure, billing coordination, customer support, and logistics facilitation. None of these administrative functions constitute the practice of medicine.

Where a Professional Entity is a HIPAA-covered entity, Healsend serves as a Business Associate (BA) under 45 CFR §160.103 and §164.502(e). In that capacity, Healsend signs a Business Associate Agreement (BAA) with each Professional Entity before receiving, creating, or transmitting any Protected Health Information (PHI) on the Professional Entity's behalf.

PHI processed under a BAA is governed by HIPAA's Privacy and Security Rules and HITECH's breach notification provisions. Healsend implements the safeguards required by 45 CFR §164.308 (administrative), §164.310 (physical), and §164.312 (technical).

For personal information Healsend manages outside a BAA context — such as data collected from Platform visitors, prospective patients, or non-clinical account management — this Privacy Policy and applicable state consumer privacy laws govern.

Where we collect or process Consumer Health Data (CHD) outside of a HIPAA BAA context (e.g., data collected from Platform interactions or health intake forms before a clinical relationship is established), we comply with the Washington My Health My Data Act (RCW 19.373) and Nevada SB 370 (NRS 603A), as applicable.

We obtain separate, explicit consent before collecting CHD for purposes beyond direct care delivery. We do not sell CHD. Washington residents may request a list of all third parties with whom their CHD has been shared. See our Consumer Health Data Policy for full details.

Where Healsend collects biometric identifiers or biometric information (as defined by Illinois BIPA (740 ILCS 14), Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001), or Washington RCW 19.375), Healsend: (a) provides a written policy governing retention and destruction; (b) obtains informed written consent before collection; (c) does not sell or profit from biometric data; and (d) destroys biometric data within 3 years of collection or within 1 year of your last interaction, whichever is earlier. Illinois residents may request biometric deletion within 30 days.

We use and disclose Sensitive Personal Information (SPI) only for the following purposes: (a) providing the services you requested; (b) preventing and detecting fraud and security incidents; (c) ensuring safety of persons or property; (d) short-term transient use that does not include building profiles or altering experiences; (e) performing services for us (e.g., maintaining accounts, providing customer service); (f) verifying quality or safety of our services; and (g) as required by law.

We do not use SPI to infer characteristics about you unrelated to the telehealth services you requested. California residents may exercise the right to limit use of SPI at yourhealth@healsend.com.

We use the following categories of cookies and tracking technologies (see Appendix F for full details):

• Strictly Necessary: Session management, authentication, security tokens — cannot be disabled.
• Functional: Language preferences, saved form state — enabled by default, disable via browser settings.
• Analytics: Aggregate usage data to improve Platform performance — opt out via our cookie banner or browser.
• Advertising/Retargeting: Interest-based ads — opt out via cookie banner, NAI/DAA tools, or GPC signal.

We honor Global Privacy Control (GPC) signals as opt-out requests for sale and sharing of personal information. You may also manage cookie preferences through our cookie consent manager or your browser's cookie settings.

We may use third-party advertising networks and analytics providers to deliver interest-based advertising and measure Platform performance. These services may set cookies or pixels that allow them to recognize your browser across sites.

We do not sell your personal information for monetary consideration. Some data sharing with advertising partners for targeted advertising may constitute "sharing" under California law. You may opt out of this sharing by: (1) using our cookie consent manager; (2) sending a GPC signal; (3) contacting us at yourhealth@healsend.com; or (4) using the NAI opt-out tool at optout.networkadvertising.org.

We share personal information only in the following circumstances:

• Professional Entities: Intake and health data is routed to the licensed provider group assigned to your case. The Professional Entity retains this data as PHI under their own HIPAA obligations.
• Pharmacies: Prescription details are transmitted to licensed compounding or retail pharmacies to fulfill authorized treatment plans.
• Service Providers: Third-party vendors (infrastructure, payment processing, identity verification, analytics, customer support, email/SMS delivery) operate under DPAs that restrict use to performing services on our behalf.
• Corporate Affiliates: We may share information with corporate affiliates subject to this Privacy Policy.
• Legal & Regulatory Authorities: In response to valid legal process (subpoenas, court orders, regulatory requests), to prevent imminent harm, or to report suspected illegal activity.
• Business Transfers: In a merger, acquisition, or sale of assets, your information may be transferred to the successor entity subject to equivalent protections.

We do not sell personal information for monetary consideration. We do not share PHI for marketing purposes.

We retain personal information for as long as necessary to fulfill the purposes described in this Policy and our legal obligations. Our retention schedule (see Appendix B):

• Account data & identifiers: Account life + 7 years
• Health intake (non-PHI context): 7 years from last activity
• Payment tokens: 7 years from last transaction
• Server/application logs: 12–24 months (anonymized after)
• Privacy requests & consent records: 24 months minimum

Upon expiration of applicable retention periods, we securely delete, anonymize, or destroy personal information using industry-standard methods (NIST SP 800-88 media sanitization). You may request deletion of your personal information subject to legal retention obligations.

We maintain a comprehensive information security program aligned with NIST Cybersecurity Framework and HIPAA Security Rule standards:

• Administrative Safeguards: Privacy Officer and Security Officer roles; annual security training for all personnel; workforce access management; vendor risk assessments; incident response plan.
• Technical Safeguards: TLS 1.3 encryption in transit; AES-256 encryption at rest (FIPS 140-2 validated modules); multi-factor authentication (MFA) for administrative access; role-based access controls; continuous vulnerability scanning; annual third-party penetration testing; 12-month immutable audit logs.
• Physical Safeguards: Access-controlled facilities; certified media destruction; U.S.-based data centers with SOC 2 certifications.

In the event of a security incident affecting your personal information, we will:

• Notify affected individuals promptly and in compliance with applicable state breach notification laws
• Notify HHS within 60 days of discovery for HIPAA breaches affecting 500 or more individuals
• Notify the Washington Attorney General within 30 days for MHMDA breaches
• Provide notification that includes: description of data involved, timeline of the incident, steps taken to mitigate, and recommended protective measures for affected individuals

To report a suspected security incident, contact us immediately at yourhealth@healsend.com.

Depending on your state of residence, you may have the following rights with respect to your personal information:

• Right to Access/Know: Obtain a copy of, and information about, the personal information we hold about you.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Delete: Request deletion of your personal information, subject to legal retention obligations.
• Right to Opt Out of Profiling: Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
• Right to Appeal: If we deny your request, you may appeal to our Privacy Officer within 45 days of receiving our denial.

To exercise these rights, submit a verifiable request to yourhealth@healsend.com or write to 30 N Gould St Ste R, Sheridan WY 82801. We respond within 45 days (extendable by 45 days with written notice).

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know/Access: Request disclosure of the categories and specific pieces of personal information collected about you, sources, business purpose, and categories of third parties with whom we share information.
• Right to Delete: Request deletion of personal information we collected from you, subject to exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Portability: Receive your personal information in a portable format.
• Right to Opt Out of Sale/Sharing: Opt out of the sale or sharing of personal information for cross-context behavioral advertising.
• Right to Limit Use of SPI: Limit Healsend's use and disclosure of Sensitive Personal Information to necessary purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights.

California residents may submit requests to yourhealth@healsend.com. We verify identity before processing. For the 12 months preceding the date of this Policy, we did not knowingly sell or share the personal information of consumers under 16 years of age.

Residents of the following states have rights to access, correct, delete, and port their personal data, as well as to opt out of targeted advertising, profiling, and sale of personal data, under their respective state privacy laws: Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Iowa (ICDPA), Montana (MCDPA), Nebraska (NDPA), New Hampshire (NHPA), New Jersey (NJDPA), Nevada (NPICICA/SB370), Oregon (OCPA), Texas (TDPSA), Utah (UCPA), Virginia (VCDPA).

To exercise these rights, contact us at yourhealth@healsend.com. The strongest applicable consumer protection under any law in your state of residence will be applied to your request.

Our Platform is intended for individuals 18 years of age and older. We do not knowingly collect personal information from individuals under 18. If we discover that we have inadvertently collected information from someone under 18, we will promptly delete it. If you believe we may have inadvertently collected information from a minor, please contact us at yourhealth@healsend.com.

We send two categories of communications:

• Transactional/Service Messages: Account confirmations, appointment notifications, prescription updates, billing statements. These are necessary for service delivery and do not require separate consent.
• Marketing Messages: Promotional offers, health tips, and new service announcements. These require your explicit opt-in consent and include an easy opt-out mechanism in every message.

To opt out of marketing emails, click "Unsubscribe" in any marketing email. To opt out of marketing SMS, reply STOP to any marketing text message. We process opt-outs within 10 business days. Opting out of marketing will not affect transactional messages required to deliver your services.

All payment processing is handled by PCI-DSS-compliant third-party payment processors. Healsend does not store full payment card numbers. We store only payment tokens provided by the processor. Your card data is transmitted directly to the processor over encrypted channels. For questions about a specific charge, contact us at yourhealth@healsend.com.

Where applicable, information related to substance use disorder treatment is protected under 42 CFR Part 2 and is not disclosed without your separate written consent except in narrow circumstances permitted by law (e.g., medical emergency). Prescriptions for controlled substances may have additional recordkeeping requirements under the Drug Enforcement Administration (DEA) and applicable state pharmacy laws.

We are committed to making this Privacy Policy accessible. If you need this Policy in an alternative format due to a disability, please contact us at yourhealth@healsend.com. We comply with the Americans with Disabilities Act (ADA) and Section 508 of the Rehabilitation Act with respect to our Platform's accessibility. We will not discriminate against you based on a protected characteristic in how we process your personal information.

Healsend may use automated algorithms to: route intake forms to appropriate provider queues; detect potential fraud or account anomalies; and suggest relevant Platform content. These automated processes do not make final clinical determinations, diagnoses, or treatment decisions — all such decisions are made by licensed Providers. We do not use automated profiling to deny access to medical care or services based on protected characteristics.

Our primary telehealth modality is asynchronous "store and forward" — you submit intake data through the Platform, it is stored on our secure servers, and then forwarded to a licensed Provider for review. This means your health information may reside in Healsend's systems before being reviewed by a Provider. This data flow is governed by our BAA with the Professional Entity and by this Privacy Policy.

Where multiple Professional Entities or pharmacies are involved in your care (e.g., a prescribing provider and a compounding pharmacy), data is shared between them only to the extent necessary for your treatment. Each entity is contractually bound to protect your information under BAAs or DPAs.

To exercise any privacy right described in this Policy:

1. Submit a request to yourhealth@healsend.com with subject line "Privacy Request."
2. We will acknowledge your request within 10 business days.
3. We will verify your identity before processing (typically by confirming your account email and one additional identifier).
4. We will respond within 45 days. Complex requests may be extended by an additional 45 days with written notice.
5. If you are dissatisfied with our response, you may appeal by replying to our response email within 30 days.

We do not charge a fee for the first request in any 12-month period. Subsequent requests may incur a reasonable fee to cover costs of compliance.

We may update this Policy from time to time. We will post a revised version with a new effective date. Material changes will be communicated via a prominent notice on the Platform homepage and, where required by law, by direct email notification. Continued use of the Platform after the effective date of any revision constitutes your acceptance of the revised Policy. We maintain a 7-year archive of prior policy versions available upon request.

To exercise privacy rights, ask questions, file a complaint, or request an alternative-format copy of this Policy:

• Privacy Officer
  Healsend Inc.
  30 N Gould St Ste R
  Sheridan, WY 82801
• Email: yourhealth@healsend.com

We acknowledge requests within 5 business days and provide a substantive response within the statutory timeframe applicable to your state (generally 45 days).

Appendix A — Data Inventory & Categories: Available upon request.

Appendix B — Retention Schedule: Account + IDs: account life +7 yr; Health intake non-PHI: 7 yr; Payment tokens: 7 yr; Logs: 12–24 mo; Privacy requests: 24 mo.

Appendix C — State Privacy Rights Summary: Access/Know • Correct • Delete • Portability • Opt-Out Targeted Ads • Appeal — rights honored for all applicable states listed in Sections 19–20.

Appendix D — Incident Response & Notification Workflow: Available upon request.

Appendix E — Service Provider/Subprocessor Standards: All service providers processing personal information on our behalf are subject to DPAs requiring NIST SP 800-53 security safeguards and HIPAA-equivalent protections where applicable.

Appendix F — Cookies & Tracking Technologies: Strictly Necessary (session/auth) | Functional (preferences) | Analytics (13 mo) | Advertising/Retargeting (opt-out via cookie banner or GPC).