PRIVACY POLICY

1. Collection of your Personal Information

To provide services VitalOp may collect personally identifiable information you provide us, such as your: Name, Email Address, Age, Gender, Certain health information (e.g., weight, pre-existing medical conditions, health screenings, lab results, blood glucose and blood pressure readings, information concerning your diet, exercise, sleep, and other personal information), Credit card and/or other payment information, Location, and Race.

VitalOp encourages you to review the privacy statements and policies of the websites you choose to link from VitalOp so that you can understand how those websites collect, use and share your information. VitalOp is not responsible for the privacy statements or other content on websites outside of the VitalOp website.

2. Use of your Personal Information

VitalOp collects and uses your personal information to operate its dementia prevention plan and deliver the services you have requested. VitalOp may also use your personally identifiable information to inform you of other products or services available from VitalOp. VitalOp may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered.

VitalOp does not sell, rent or lease its customer lists to third parties. VitalOp may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is transferred to the third party. VitalOp may share data with trusted partners to help perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to VitalOp, and they are required to maintain the confidentiality of your information.

VitalOp may keep track of the websites and pages our users visit within VitalOp, in order to determine what VitalOp services are the most popular. This data is used to deliver customized content and advertising within VitalOp to customers whose behavior indicates that they are interested in a particular subject area.

VitalOp will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on VitalOp or the site; (b) protect and defend the rights or property of VitalOp; and, (c) act under exigent circumstances to protect the personal safety of users of VitalOp, or the public. VitalOp will also disclose your personal information upon your direction and consent.

VitalOp may also use your personal data to track and report statistical trends among its users. In such cases, the data used will not be identifiable to any particular user. For example, VitalOp may use data to report the amount of weight loss for its users or a certain demographic of its users without identifying the weight loss for any particular user.

VitalOp may also share such statistical information where another entity, such as an employer sponsoring its employees’ subscription to the App, requests statistical data regarding its employees, where the employee has authorized such disclosure under the terms of its agreement with the employer.

SECURITY OF YOUR PERSONAL INFORMATION

VitalOp secures your personal information from unauthorized access, use, or disclosure. VitalOp uses the following methods for this purpose:

SSL Protocol

When personal information (such as PHI) is transmitted, it is protected through the use of encryption, such as the Secure Sockets Layer (SSL) protocol.

Changes to this Statement

VitalOp will occasionally update this Privacy Policy to reflect company and customer feedback. VitalOp encourages you to periodically review this Policy to be informed of how VitalOp is protecting your information.

Contact Information

VitalOp welcomes your questions or comments regarding this Privacy Policy. If you believe that VitalOp has not adhered to this Policy, please contact VitalOp at [email protected].

Your individual user account is protected by a password for your privacy and security. To help avoid unauthorized access to your account and personal information, we suggest that you safeguard your password appropriately, limit access to your devices and browsers, and sign off after you have finished accessing your account. With your purchase of this plan you acknowledge that you alone are responsible for the security of your electronic device and that VitalOp is not responsible for any breach of your personal information resulting from your use of the plan.

HIPAA NOTICE

INFORMATION COVERED BY THIS NOTICE

If your plan is paid for through an employer’s health care program, VitalOp may be considered a “covered entity” under the federal privacy law referred to as the Health Information Portability and Accountability Act of 1996 (“HIPAA”). Regulations under HIPAA explain how we may use and disclose identifiable health information that we collect from and about you and how we must safekeep and secure that information.

When we receive information in connection with Health Care Services that relates to your past, present, or future physical or mental health or condition, to the provision of health care to you, or to your past, present, or future payment for health care, that information is considered “protected health information” or “PHI” under HIPAA, and this Notice applies to all of that information. For example, if you enroll in the program as part of an employee-led initiative and provide information on the plan, we treat all identifiable information that we receive from you as PHI governed by this Notice. In other circumstances, the information that we receive from you may or may not relate to your health or health care, like if you merely browse our public website but do not do so as part of an employer-sponsored health program. In those circumstances, we keep any personal information that we collect from you safe, private, and confidential under the terms of our Privacy Policy. In either situation, as further described in our Privacy Policy, we will not rent or sell your Personal Information or Protected Health Information, and we will not permit our business partners to rent or sell your Personal Information or Protected Health Information either.

Where appropriate to evaluate the services provided on the plan, we may collect PHI directly from your questionnaires, connected health devices (such as scales, blood pressure monitors, and blood glucose monitors), and exercise and food tracking, as well as other health information that you disclose to coaches and other participants in the Health Care Services. We receive this PHI to provide you with appropriate services and to comply with certain legal requirements.

VITALOP’S COMMITMENT TO PRIVACY

We understand that health information about you is private and personal. We are dedicated to maintaining the privacy and integrity of the PHI that we receive from you as part of your application for or participation in the Health Care Services.

We are required by law to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices related to that information. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or any other Notice in effect at the time of the use or disclosure).

HOW WE MAY USE AND DISCLOSE YOUR PHI

We are required to maintain the confidentiality of your PHI, and we have implemented policies, procedures, and other safeguards to help protect your PHI from improper use and disclosure. We protect your PHI in accordance with HIPAA and all other applicable laws and regulations. Where an applicable state law or any other applicable law or regulation requires more protection for your PHI than HIPAA, we comply with that law or regulation as well.

Below, we describe different ways that we may use your PHI amongst ourselves and disclose your PHI to other persons and entities. We have not listed every possible use or disclosure in the list below, but all of the ways that we may use and disclose PHI fall within one of the categories below. As we describe below, some uses and disclosures will require your specific authorization.

The amount of PHI that we may legally use or disclose without your written permission will vary based on the circumstances, including the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you a reminder or to confirm your health insurance coverage. At other times, we may need to use or disclose more PHI, such as when a doctor requires that information for medical treatment.

The list below includes examples of ways that we may disclose PHI about you without a written authorization from you.

Disclosure at Your Request. If you ask us to send PHI about you to a third party, such as a friend, family member, or health care provider, we will do so if we believe that your request is authentic. We may ask you to prove your identity before we honor this request. We may need up to 60 days to honor a request like this, depending on the data that you would like us to disclose, but in most cases, we can honor this request in 30 or fewer days.

We may use your PHI and disclose it to a physician or other health care provider to provide treatment and other services to you. For example, we may disclose your weight loss results to your physician so that he or she may monitor your results in our program.

We may use and disclose your PHI to obtain payment for the services that we provide to you. For example, we may disclose certain PHI to claim and obtain payment from your health insurer, your HMO, or any other company that arranges for or pays the cost of your health care (“Your Payor”) or to verify that Your Payor will pay for that health care.

Our Health Care Operations. We may use and disclose your PHI for our health care operations. Examples of our health care operations include improving the operation of our program, training clinical personnel, and other internal management functions such as legal and audit processes. When we use your PHI for our health care operations, we are required to use only the amount of PHI that is necessary. For example, if we were to evaluate the accuracy of our digital scale, and that evaluation could be accomplished by reviewing scale weights only by date and location and without additional identifiers, we would limit the PHI that we use for that evaluation to date and location information.

Health Care Operations of Other Covered Entities. We are also permitted to share PHI about you with other covered entities that have a relationship with you (including, in some circumstances, your employer’s health plan, your health insurer, or other health care providers) for their health care operations and to certain companies that provide those covered entities with services as their business associates. For example, we might share PHI about you with your health insurer to enable the health insurer to evaluate which benefits to make available to you. As another example, we might share PHI about you with your physician’s office to enable the physician to demonstrate to the government that the physician referred you to a particular program and how that program works for you. Other examples of another covered entity’s health care operations may include using PHI about you for quality assessment activities, for disease management programs, to improve quality of care, for patient satisfaction surveys, for training, for benchmarking, and other purposes. In each of these cases, these covered entities may only seek from us PHI about you that is the minimum necessary for their health care operations purposes.

Business Associates. We provide some aspects of our Health Care Services through contracts with business associates for whom we are legally responsible. Examples of our business associates include companies for secure cloud hosting, management consultants, quality assurance reviewers, accreditation agencies, and billing and collection services. We may disclose your PHI to our business associates so that they can perform the jobs that we have asked them to perform. To protect your PHI, we require our business associates to sign written agreements requiring that they appropriately safeguard your PHI and use it only as we permit.

Health-Related Products and Services. We may use and disclose your PHI to tell you about our health-related products or services that may be of interest to you.

Communications with Family and Others When You Are Present. Sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. We may use your PHI or disclose it to a relative, a close friend, or any other person that you identify when you are present for that disclosure or you are available prior to the disclosure if we obtain your agreement, if we provide you with the opportunity to object to the disclosure and you do not object, or if we reasonably infer that you do not object to the disclosure.

Communications with Family and Others When You Are Not Present or Are Incapacitated. If you are not present, or you cannot practically agree or object to a use or disclosure because of your incapacity or an emergency, we may exercise our professional judgment to determine whether a disclosure is in your best interest. If we disclose information to a relative, a close friend, or any other person in this context, we would disclose only the information that we believe is directly relevant to that person’s involvement with your health care or health care payment. We may also disclose your PHI in order to notify or assist in notifying these people of your location, your general condition, or your death.

Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person but only to someone who may be able to prevent that threat, as we determine in good faith.

ADDITIONAL SPECIAL SITUATIONS THAT DO NOT REQUIRE YOUR AUTHORIZATION

The following categories describe some additional circumstances in which we may use or disclose your PHI without your authorization.

Public Health Activities. We may disclose your PHI for the following public health activities: (1) to prevent or control disease, injury, or disability; (2) to report births and deaths; (3) to report the abuse or neglect of children, elders, and dependent adults; (4) to report reactions to medications or problems with products; (5) to notify people of recalls of products they may be using; (6) to notify people who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (7) to notify emergency response employees regarding possible exposure to HIV/AIDS, to the extent necessary to comply with state and federal laws.

Victims of Abuse, Neglect, or Domestic Violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority authorized by law to receive reports of such abuse, neglect, or domestic violence, including a social service or protective services agency.

Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law. One example of a health oversight agency is a state health insurance regulator or Medicaid program. These oversight activities include, for example, audits, investigations, inspections, licensure, and other activities necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and Other Legal Disputes. We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose your PHI without your authorization to the extent permitted by law in any other way related to our legal disputes, such as to defend against a lawsuit or in arbitration.

Law Enforcement Officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law, including: (1) in response to a court order, subpoena, warrant, summons, or similar process; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) when concerning the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct at VitalOp; and (6) in emergency circumstances to report a crime, the location of the crime, or victims or to report the identity, description, or location of the person who committed the crime.

We may disclose your PHI to a coroner or medical examiner as authorized by law.

Organ and Tissue Donation. We may disclose your PHI to organizations that facilitate organ, eye, or tissue procurement, tissue banking, or transplantation.

Research that Does Not Involve Your Treatment. When a research study does not involve any treatment, we may disclose your PHI to researchers. To do this, we will either ask your permission to use your PHI or we will use a special process that protects the privacy of your PHI. For example, we are allowed to supply a third-party researcher with a data set in which identifiers about you have been removed, except for complete dates and five-digit zip codes. The researcher, before receiving this data set, must contract with us to limit use of this data set, to safekeep the data set, and to destroy or return the data set when the research concludes.

Specialized Government Functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State, under certain circumstances. We may use and disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. We may use and disclose your PHI to authorized federal officials so they may provide protection to the President, to other authorized persons, or to foreign heads of state, or to conduct special investigations. If you are an inmate of a correctional institution or under custody of a law enforcement official, we may disclose PHI about you to the correctional institution or the law enforcement official to enable the correctional institution to provide you with health care, to protect your health and safety and the health and safety of others, and to protect the safety and security of the correctional institution.

Workers’ Compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state laws relating to workers’ compensation or other similar programs.

As Required by Law. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories. For example, the Secretary of the Department of Health and Human Services may review our compliance efforts, which may include access to your PHI.

SITUATIONS THAT DO REQUIRE YOUR AUTHORIZATION

If we need to use your PHI for reasons that have not been described in the sections above, we will obtain your written permission, which is referred to as a written “authorization.” If you authorize us to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons stated in that written authorization, except to the extent we have already acted in reliance on your authorization. Any revocation of an authorization applies only to what you or your representative had authorized and does not apply to the situations above where we are permitted to use or disclose PHI about you without an authorization. You understand that we are unable to take back any disclosures that we have already made with your permission and that we are required to retain our records of the care we provide to you. Examples of typical disclosures that require your authorization include:

Special Categories of Treatment Information. In most cases, federal or state law requires your written authorization or the written authorization of your representative for disclosures of drug and alcohol abuse treatment, test results for Human Immunodeficiency Virus (HIV) and Acquired Immune Deficiency Syndrome (AIDS), and mental health treatment. If these laws apply to any PHI about you that we maintain, we will comply with them.

Research Involving Your Treatment. When you participate in a research study that involves your treatment, we may disclose your PHI to researchers, provided that you have signed a specific authorization for us to do so or an Institutional Review Board has approved the disclosure in connection with its review and approval of the research proposal and the procedures that the research organization has established to protect the privacy of your PHI.

We must obtain your written authorization prior to using your PHI to send you any information that HIPAA defines as marketing information. HIPAA considers communications about a product or service that encourage you to purchase or use that product or service to be marketing when that product or service is not one of VitalOp’s programs or services or when we are paid to communicate about the product or service to you. We may send some types of communications to you that are not part of our Health Care Services but that are not considered marketing communications for which we would need your prior authorization. We may send these communications to you directly, or one of our business associates may send them for us. For example, we may send you communications about care coordination and care management services that may be available to you if we are not paid to make this communication. We may also remind you to fill a prescription so long as we are only reimbursed for our expenses in doing so. We are also allowed to give you a promotional gift of nominal value.

YOUR RIGHTS REGARDING YOUR PHI

You have the following rights regarding PHI that we maintain about you. You may contact us to obtain additional information and instructions for exercising these rights in any of the manners described at the end of this Notice.

Right to Request Additional Restrictions. You may request restrictions on our use and disclosure of your PHI for treatment, payment, and health care operations. You may also request restrictions on our use and disclosure of your PHI to relatives, close friends, or other people identified by you and involved with your care or with payment related to your care or to notify or assist in notifying those individuals regarding your location and general condition. This request must be in writing, and we will send you a written response. If we agree with the request, we will comply with your request except to the extent that disclosure has already occurred or to the extent needed to provide you with emergency treatment. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction (except where you request that we not disclose PHI to a health plan and the PHI relates solely to a health care item or service for which you personally have paid in full).

Right to Receive Confidential Communications. You may request to receive your PHI by alternative means of communication or at alternative locations. For example, you can request that we only contact you at work or by mail. To request confidential communications, you must make your request in writing. We will not ask you for the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted. We note, however, that as our Health Care Services work best through an online digital platform, a request for alternative communications may negatively impact how you experience the Health Care Services.

Inspection and Copies. You have an absolute right to obtain copies of the PHI about you that we collect and use in the normal course of providing the Health Care Services to you. You do not have a right to obtain copies of PHI in research databases or in data sets that we use to study and improve the quality of our business, to train our employees, or to manage the legal and financial aspects of our business. Typically, we do not use PHI for most of those. We will hold your personal information in our systems for as long as necessary to fulfill the purposes for which we collected it, including satisfying any legal, accounting, or reporting requirements. The period may depend on the type of data and the purpose for which it is held. Further information about retention periods in relation to specific types of personal information can be obtained by contacting [email protected]. We require that you make any request to obtain a copy of PHI about you in a manner that we can reliably conclude is authentic. You may request a copy of PHI about you in writing on paper or through email by contacting [email protected] in a manner that allows our support team to confirm your identity. If you would like your attorney or other legal representative to request PHI about you on your behalf, he or she must request the copy in writing as we have not issued any digital identity credentials to your representatives. We reserve the right to reject an online request as inauthentic.

Once we receive your authentic request, we will determine if the information that you have requested is easily available to you through your account with us, and we may instruct you how to access it. If providing the requested information entails more work from us, we will have up to 30 days to complete that work, which we may extend by another 30 days if necessary to prepare the data. Once we receive your authentic request, we also will discuss with you the form and format in which you would like to receive the information, among those that we offer. For example, we will discuss with you whether you would like the information printed or in a secure spreadsheet. We will also discuss with you how to deliver the information. We are obliged to send PHI securely, and we do not allow the copying of PHI onto mobile storage devices like thumb-drives in order to protect the security of our systems.

We will provide (or transmit at your request) one copy of your PHI per calendar year at no cost to you. If you request more than one copy per calendar year, we may charge you for copying and mailing/transmission, and we will supply you with an estimate before proceeding.

Right to Amend Your Records. You have the right to request that we amend PHI that we maintain about you. If you desire to amend your records, you must submit your request in writing, which may include an email or a secure message that we believe is authentically from you. We will comply with your request unless we believe that the information that would be amended is already accurate and complete or other special circumstances apply. If we deny your request, you will be permitted to submit a statement of disagreement for inclusion in your records.

Right to Addendum. You have the right to add an addendum to your PHI that is maintained in your medical record.

Right to Receive an Accounting of Disclosures. You can request that we provide you with an “accounting of disclosures,” which summarizes the people and organizations outside of VitalOp to whom we have disclosed PHI about you (other than other covered entities that have a relationship with you and that have received PHI for permitted purposes as described above in this Notice). You must request any accounting of disclosures in writing to ensure that we have written records detailing your request. You may request an accounting of disclosures in writing on paper or via email by contacting [email protected]. If you would like your attorney or other legal representative to request an accounting of disclosures on your behalf, he or she must request the accounting of disclosures in writing as we have not issued any digital identity credentials to your representatives. We reserve the right to reject an online request as inauthentic. By submitting a written request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time within the six years preceding the date of your request. Your written request should indicate in which form you would like to receive this list (e.g., on paper or electronically). We will provide (or transmit at your request) one accounting of disclosures per calendar year at no cost to you. If you request more than one accounting of disclosures per calendar year, we may charge you the costs of fulfilling your request, and we will supply you with an estimate before proceeding.

Copy of this Notice. You are entitled to a copy of this Notice. You may obtain a copy of this Notice at our website: You may print out a paper copy of this Notice from our website at any time. You are also entitled to ask that we print this Notice and mail it to you. To receive a paper copy of this Notice from us, you may contact us in any of the manners described at the end of this Notice.

MINIMUM NECESSARY

To the extent required by law, when using or disclosing your PHI or when requesting your PHI from another covered entity, we will make reasonable efforts not to use, disclose, or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, taking into consideration practical and technological limitations.

CHANGES TO THIS NOTICE

This Notice describes how we may access health information about you in compliance with HIPAA and how that information may be used in compliance with HIPAA. We may prospectively change the terms of this Notice from time to time, but we may not change this Notice in a way that would violate HIPAA. Changes will apply to PHI that we currently maintain as well as new PHI that we receive after the change occurs. We will post the new Notice on our website. To receive a paper copy of any revised Notice from us, you may contact us in any of the manners described at the end of this Notice.

CONCERNS OR COMPLAINTS

If you desire further information about your privacy rights, if you are concerned that we have violated your privacy rights, or if you disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer in any of the manners described at the end of this Notice. You also may send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights, and we can provide you with the office’s current address. We will not take any action against you for filing a complaint.

HOW TO CONTACT US

If you would like more information about your privacy rights, please contact VitalOp by emailing [email protected]. Please direct any written requests to VitalOp at:

VitalOp

P.O. Box 52537

Shreveport, LA 71105-5303

Version Effective: January 16, 2024