Carbon Health Privacy Policy

Last modified: January 26, 2022

Carbon Health Technologies, Inc. (“Carbon Health” “we,” “our,” or “us”) is committed to protecting your privacy.

You and your data are not our product. Our business is your health, not your data. We do not sell your data.

To understand how Carbon Health protects your privacy, we suggest that you start by reading our Privacy Overview, which is a summary of our privacy protections as represented by this document. The Privacy Overview is organized to present answers for privacy concerns that are most regularly discussed with us, and it also links to our full Privacy Policy below. We recommend that you carefully review the full policy.

Privacy Overview

Keeping Your Data Yours

Do we sell personal information? No

Do we sell Protected Health Information (“PHI”)? No

Do we sell aggregate or de-identified healthcare information? No

Do we use Protected Health Information (“PHI”) for advertising or marketing purposes? No

Do we delete personal information received by our Website upon request? Yes, where allowed by law.

Respecting Your Protected Health Information

Do we employ protections specific to Protected Health Information (“PHI”)? Yes

Do we abide by healthcare laws for the preservation of healthcare information? Yes

Do we share healthcare information with your employer or your school? Only with your explicit, signed, authorization.

Do we delete healthcare information collected from our Website and Application upon request?Yes, where allowed by law.

Do we allow you to download, receive copies of, and where appropriate make corrections to your Protected Health Information (“PHI”)? Yes

Our Privacy Tooling, Your Privacy Choices

Is your healthcare data, your Protected Health Information (“PHI”), protected by default? Yes.

Do we provide the same stringent protections for all users, from individuals to large enterprises? Yes

Do we allow users to opt-out of receiving advertising or marketing content? Yes

Do we delete non-healthcare information collected from our Website upon request? Yes, where allowed by law.

Do we use non-healthcare information collected from our Website for advertising or marketing purposes? Yes

Do we allow users to opt-out of receiving targeted advertising or marketing content? Yes

Do we allow users to opt-out of receiving Carbon Health promotional emails? Yes

Tracking Technologies, Analytics, and Customer Engagement

Do we use Cookies (or browser cookies) to receive and store certain types of information? Yes

Do we allow users to refuse to accept browser cookies by activating the appropriate setting in their web browser or mobile device? Yes

Do we use web analytics services to help us analyze your use of our Website, and to help us identify and address technical issues? Yes

Do we use customer engagement platforms to help us improve our services? Yes.

Do we allow users to opt-out of receiving targeted advertising or marketing content? Yes

Hardware and Smartphone Device Features

Do our applications leverage hardware and smartphone device features? Yes

1. Introduction

Carbon Health Technologies, Inc. (“Carbon Health,” “we,” “our,” or “us”) respects your privacy, and we are committed to protecting it through our compliance with this policy and also through our compliance with our Notice of Privacy Practices (“HIPAA Privacy Practices”, “Notice of HIPAA Privacy Practices”).

This Privacy Policy (our “Privacy Policy”) describes the types of information we may receive from you or that you may provide when you visit the website carbonhealth.com (our “Website”) and the Carbon Health applications (collectively, our “Application”) and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This Policy does not define how we ensure our adherence to Federal and State laws regarding your Protected Health Information, including the Health Insurance and Portability Act of 1996 (“HIPAA”). Our policies regarding the processing of your Protected Health Information (“PHI”) are covered in our Notice of Privacy Practices (“HIPAA Privacy Practices”). Our HIPAA Privacy Practices define how we preserve the privacy of your Protected Health Information, and you should refer to that document, not this one, regarding all processes associated with your healthcare records and other PHI.

Carbon Health websites and applications, including carbonhealth.com that do not require secure accounts and authentication, do not host Protected Health Information (“PHI”). Our websites and applications that do not host PHI are available to everyone on the internet, and represent information made generally available by us, and these sites receive information made available by visitors and users.

While it is important to understand the difference between the content generally exchanged between us and users of our websites and applications that do not require you to have an account, and the information shared by, and with, Carbon Health through our private sites and applications that require authorized accounts, for all personal information you share with us the following holds true:

We do not sell any personal information that may have been received by any Carbon Health websites or applications you may have visited or otherwise used.

Furthermore, we have committed that:

• We will not sell any of your personal information from our websites or applications whether they are freely/publicly available or if they require accounts.
• We will not sell any of your Protected Health Information (“PHI”).
• We will not sell your data in any form, even if de-identified to an extent ensuring there is no reasonable basis to believe it could be used to identify an individual, including you.
• To understand how Protected Health Information (“PHI”) may be used and disclosed by Carbon Health please refer to our Notice of Privacy Practices (“HIPAA Privacy Practices”).

In addition to these protections that we provide for all data, we do also employ a great number of additional privacy measures and restrictions specific to your PHI as detailed in ourHIPAA Privacy Practices. Please reference that policy for information about the care and handling of your Protected Health Information.

This Privacy Policy applies to information that is not Protected Health Information, and which we may collect:

• on our Website and Application that do not require you to have an account;
• in email, text, and other electronic messages between you and our Website and Application that do not require you to have an account;
• when you interact with our advertising and applications on third party websites and services, if those applications or advertising include links to this policy.

This policy does not apply to information collected by:

• Third party websites, products, or services, even if they link to our Applications or Websites
• Third party websites, products, or services (including advertising), that we may link to from our Public Websites
• Data that may be collected by us offline.

Please read this document carefully to understand our policies and practices regarding your information that is not Protected Health Information, and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website and Applications. By accessing or using our Website and/or Application, you agree to this Privacy Policy. This Privacy Policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of our Website or Application after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates.

2. Children Under the Age of 18

If you are under the age of eighteen (18) and wish to create an account with Carbon Health, your parent or legal guardian must create the account, submit your Personal Data, and agree to these Terms of Use on your behalf. If you are under the age of 13, you may only use our services or access our Website or Application with the supervision and consent of your parents or legal guardians, including the Provider consultation services. If we learn that we have collected personal information from someone under the age of 13 that was not provided with the supervision and consent of the minor’s parents or legal guardian, we will promptly delete that information. If you believe we have impermissibly collected personal information from someone under the age of 13, please contact us at privacy@carbonhealth.com or call us at 1-844-234-7741.

3. Information We Collect About You and How We Collect It

Generally

We collect several types of information from and about users (collectively, “Personal Data”) of our Website and Application that do not require you to have an account. As noted above, all information collected from our websites and applications that do require accounts and secure authentication, and all healthcare data, is considered Protected Health Information by Carbon Health and you should refer to our HIPAA Privacy Practices to understand our care and handling of that information. This policy describes our processing of Personal Data that is not PHI, but which may include information:

• by which you may be personally identified, such as name, address, e-mail address, telephone numbers, date of birth, bank account numbers, credit or debit card number (for payment purposes only), driver’s license numbers or other government issued identification (to verify age and identity), images and video of you;
• about your Internet connection, the equipment you use to access our Website or use our Application and usage details, such as traffic data, logs, referring/exit pages, date and time of your visit to our Website or use of our Application, error information, clickstream data, and other communication data and the resources that you access and use on the Website or through our Application.

We collect this information:

• directly from you when you provide it to us;
• automatically as you navigate through the Website or use our Application. Information collected automatically may include usage details, IP addresses, and information collected through cookies and other tracking technologies; and
• From third parties, for example, our business partners.

Information You Provide to Us

The information we collect on or through our Website or through our Application that do not require you to have an account includes:

• information that you provide by filling in forms on our Website or the Application. This includes information provided at the time of registering to use our Website or Application, purchasing some products, or requesting some services. We may also ask you for information when you report a problem with our Website or Application;
• records and copies of your correspondence (including email addresses), if you contact us; and
• details of non-healthcare transactions you carry out through our Website or through the Application and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website or Application.

You also may provide information to be published or displayed (hereinafter, “posted”) on public areas of the Website or Application or transmitted to other users of the Website or Application or third parties (collectively, “User Contributions”). Your User Contributions are posted on our Website or Application and transmitted to others by your own actions, and at your own risk. Although we limit access to certain pages, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website and Application with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.

Information We Collect Through Automatic Data Collection Technologies

As you navigate through and interact with our Website and Application, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, specifically:

• details of your visits to our Website or Application, such as traffic data, location, logs, referring/exit pages, date and time of your visit to our Website or use of our Application, error information, clickstream data, and other communication data and the resources that you access and use on the Website or in the Application; and
• information about your computer, mobile device, and Internet connection, specifically your IP address, operating system, browser type, and Application version information.

The information we collect automatically may include Personal Data or we may maintain it or associate it with Personal Data we collect in other ways or receive from third parties. We will not share any of your Protected Health Information (“PHI”) with third parties except as detailed in our HIPAA Privacy Practices. Our use of automatic data collection technologies defined in this policy does not change any of the protections applied to your PHI and you should refer to our HIPAA Privacy Practices and not this document to understand how your PHI is protected. We employ automatic data collection technologies to help us to improve our Website and Application and to deliver a better and more personalized service as they enable us to:

• estimate our audience size and usage patterns;
• improve our product and services offering;
• store information about your preferences, allowing us to customize our Website and our Application according to your individual interests;
• recognize you when you return to our Website and our Application.

The technologies we use for this automatic data collection may include:

• Cookies (or browser cookies). We and our service providers may use cookies and other technologies to receive and store certain types of information whenever you interact with our Website and Application through your computer or mobile device. A “cookie” is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. On your computer, you may refuse to accept browser cookies by activating the appropriate setting on your browser, and you may have similar capabilities on your mobile device in the preferences for your operating system or browser. However, if you select this setting you may be unable to access certain parts of our Website or use certain parts of our Application. Unless you have adjusted your browser or operating system setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website or use our Application.
• Google Analytics. We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”) to collect certain information relating to your use of the Website. Google Analytics uses cookies to help the Website analyze how users use the site. You can find out more about how Google uses data when you visit our Website by visiting “How Google uses data when you use our partners' sites or apps”, (located atwww.google.com/policies/privacy/partners/). We may also use Google Analytics Advertising Features or other advertising networks to provide you with interest-based advertising based on your online activity. For more information regarding Google Analytics please visit Google's website, and pages that describe Google Analytics, such as www.google.com/analytics/learn/privacy.html.
• Customer Engagement Platforms. We may use customer engagement platforms to help us improve our services: to help us identify problems with how we present or collect data; to help inform users of services and features available to them; to help improve site content.
• Hardware and Smartphone Device Features. Our healthcare applications can use hardware and smartphone device features made available by the Windows, MacOS, Apple iOS, and Google Android operating systems, providing functionality that empowers your healthcare journey:
  • To help you find a nearby pharmacy, you can permit access to your device location data.
  • To enable a telehealth visit from the comfort of your own home, you can allow the applications to access your device camera and microphone.
  • To help secure your account, or to receive an SMS notification of an upcoming appointment, you may choose to share your phone number with the applications.
  • To allow you to add to, update, or otherwise augment your healthcare record, you can enable the applications to upload specific files, images, as well as audio and video files, by permitting the app to access files stored on your device. Including but not limited to: Allowing the app access to your camera roll or photo storage, allowing the app access to your local drive/files.
  • To enable connections to your Home Health devices, such as a heart rate monitor or a blood glucose monitor, Bluetooth and WiFi features can be shared with the applications.
  • To share step counter and other health data with your healthcare provider, you can enable the applications to access such data on smartphones that support these features.
  • To be notified of health events that affect you, such as when your healthcare record has been updated, or new lab results have been received, you can enable push notifications to be received by the mobile applications.

4. How We Use Your Information

Carbon Health will use and disclose Protected Health Information only as permitted in Carbon Health’s HIPAA Privacy Practices or in agreements with other medical providers, including your own medical provider (if you do not use a Carbon Health Provider) and we only collect the PHI we need to fully perform our services and to respond to you or your Provider. The care and handling of PHI, whether by Carbon Health (or your own medical provider if you do not use a Carbon Health Provider) must be defined by a Notice of Privacy Practices (“HIPAA Privacy Practices”) describing the collection, use, and disclosure of your health information. If you do not use a Carbon Health Provider, please ask your provider to provide you with their Notice of Privacy Practices(“HIPAA Privacy Practices”).

To understand how Carbon Health may use Protected Health Information (“PHI”) please refer to our HIPAA Privacy Practices and not this Policy. The Carbon Health HIPAA Privacy Practices do not apply to healthcare workers that are not provided by Carbon Health

For clarity, our use of any information we collect that constitutes Protected Health Information (“PHI”) under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) is described in our HIPAA Privacy Practices and not this Policy.

Data we receive that is not PHI may include information that we collect about you or that you provide to us, including any Personal Data used:

• to present our Website and its contents to you;
• to present our Application;
• to provide our products and services to you;
• to provide you with information, products, or services that you request from us or that may be of interest to you;
• to process, fulfill, support, and administer transactions and orders for products and services ordered by you;
• to provide you with notices about your Carbon Health account;
• to contact you in response to a request;
• to administer surveys and solicit feedback;
• to fulfill any other purpose for which you provide it;
• to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection;
• to notify you about changes to our Website, our Application, or any products or services we offer or provide though them;
• in any other way we may describe when you provide the information; and
• for any other purpose with your consent.

We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices, including advertising or marketing purposes, without your consent.

We may use your information that is not PHI to contact you about goods and services that may be of interest to you, including through newsletters. If you wish to opt-out of receiving such communications, you may do so at any time by clicking unsubscribe at the bottom of these communications, by visiting your Account page, or by reaching out to our support team available from support@carbonhealth.com. For more information, see Choices About How We Use and Disclose Your Information.

5. Disclosure of Your Information

We do not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices, including advertising or marketing purposes, without your consent. We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.

We may disclose Personal Data we collect, or you provide, that is not Protected Health Information as described in this Privacy Policy:

• to contractors, service providers, and other third parties we use to support our business. The services provided by these organizations include providing IT and infrastructure support services, and ordering, marketing, and payment processing services;
• to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Carbon Health about our Website and Application users are among the assets transferred;
• to fulfill the purpose for which you provide it. For example, we may disclose your personal information to a Provider;
• for any other purpose disclosed by us when you provide the information;
• with your consent.

We may also disclose your Personal Data:

• to comply with any court order, law, or legal process, including to respond to any government or regulatory request;
• to affiliates and third parties to market their products or services to you if you have not opted out of these disclosures. For more information, see Choices About How We Use and Disclose Your Information;
• to enforce or apply our Terms of Use and other agreements, including for billing and collection purposes; and
• if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Carbon Health, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

6. Choices About How We Use and Disclose Your Information

We do not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices, including advertising or marketing purposes, without your consent.

We do not control the collection and use of your Personal Data that is not Protected Health Information defined in our HIPAA Privacy Practices, and which may be collected by third parties as described above in the Disclosure of Your Information section of this Policy. These third parties may aggregate the information they collect with information from their other customers for their own purposes.

We strive to provide you with choices regarding the Personal Data you provide to us. We have created mechanisms to provide you with control over your Personal Data:

• Tracking Technologies and Advertising. You can set your browser or operating system to refuse all or some cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of our Website or Application may then be inaccessible or not function properly
• Promotional Offers from Carbon Health. If you do not wish to have your email address used by Carbon Health to promote our own products and services, you can opt-out at any time by clicking the unsubscribe link at the bottom of any email or other marketing communications you receive from us, or by adjusting settings found when logged onto your Account page. This opt out does not apply to information provided to Carbon Health as a result of a product purchase, or your use of our services.
• Targeted Advertising. To learn more about interest-based advertisements and your opt-out rights and options, visit the Digital Advertising Alliance and the Network Advertising Initiative (NAI) websites (www.aboutads.info and www.networkadvertising.org). Please note that if you choose to opt out, you will continue to see ads, but they will not be based on your online activity. We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can also opt out of receiving targeted ads from members of the NAI on its website.

7. Your Rights Regarding Your Information and Accessing and Correcting Your Information

You can review and change your Personal Data by logging into our Website or Application and visiting either the Settings or Account sections of our Application or Website. You may also notify us through the Contact Information below of any changes or errors in any Personal Data we have about you to ensure that it is complete, accurate, and as current as possible or to delete your account. We cannot delete your personal information except by also deleting your account with us. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.

With respect to any Protected Health Information that Carbon Health may obtain, you have certain rights under HIPAA to access your data, to restrict use and disclosure of it, to request communication methods, to request corrections to your data, to receive an accounting of disclosures and to receive notice of any breach. To understand your rights regarding your Protected Health Information please see our HIPAA Privacy Practices, or if you do not use a Carbon Health Provider, please ask your Provider for their Notice of Privacy Practices (“HIPAA Privacy Practices”), for more information.

8. Do Not Track Signals

We also may use automated data collection technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). Some web browsers permit you to broadcast a signal to websites and online services indicating a preference that they “do not track” your online activities. At this time, we do not honor such signals, and we do not modify what information we collect or how we use that information based upon whether such a signal is broadcast or received by us.

9. Data Security

We have implemented measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. We use encryption technology for information sent and received by us. We also employ other security practices, such as data segmentation, access log collection, automated monitoring, and other security controls.

The safety and security of your information also depends on you. Where you have chosen a password for the use of our Website or Application, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we work diligently to try and protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted to our Website or on or through our Application. Any transmission of Personal Data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website, in your operating system, or in the Application.

10. California Residents

Carbon Health has committed to honor the terms of the California Consumer Privacy Act of 2018 (CCPA) in the care and handling of your Personal Data that is not Protected Health Information protected by other laws. The CCPA expressly excludes personal information collected, processed, sold, or disclosed pursuant to certain sector-specific privacy laws, including medical information governed by the California Confidentiality of Medical Information Act (CMIA), protected health information collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or a provider of health care governed by the CMIA or covered entity governed by HIPAA to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information under the CMIA or HIPAA, respectively. This Policy does not define how we ensure our adherence to Federal and State laws regarding your Protected Health Information, including the Health Insurance and Portability Act of 1996 (“HIPAA”). Our policies regarding the processing of your Protected Health Information (“PHI”) are covered in our Notice of Privacy Practices (“HIPAA Privacy Practices”). Our HIPAA Privacy Practicesdefine how we preserve the privacy of your Protected Health Information, and you should refer to that document, not this one, regarding all processes associated with your healthcare records and other PHI.

For clarity, Protected Health Information (“PHI”) collected by Carbon Health falls under the CCPA exclusions, and is generally exempt from the CCPA, and is instead protected by our adherence to our HIPAA Privacy Practices.

The CCPA does provide you with rights regarding your data that is not covered by healthcare related exemptions, the handling of which is defined in our HIPAA Privacy Practices.

Your CCPA Granted Rights and How to Exercise Them

Your right to know the personal information we collect from you and how we may share or otherwise disclose it.

The CCPA gives you the right to know the personal information we may have collected about you, and you may request that we disclose this to you by contacting us through the channels defined in the Contact Information section of this document. This CCPA protected right will be upheld once we receive and confirm the validity of your request.

Carbon Health does not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices. Protected Health Information (“PHI”) collected by Carbon Health falls under the CCPA exclusions, and is generally exempt from the CCPA, and is instead protected by our adherence to our HIPAA Privacy Practices. The CCPA does apply to Personal Data that we collect, or you provide, as described in this Privacy Policy, and which we may disclose. You have the right to request that we provide a means to download your personal information that we have collected that is not exempt from the CCPA. If you make such a request regarding data that is not PHI exempted from the CCPA, we will include a list of the categories of personal information that we may have disclosed about you, as well as the categories of third parties to whom your personal information may have been disclosed. To understand how we protect your PHI that is exempted from the CCPA, please refer to our HIPAA Privacy Practices.

Contacting Us to Request a CCPA Disclosure

You may contact us through the channels defined in the Contact Information section of this document to request a disclosure of your Personal Data that is protected by the CCPA.

The CCPA ensures that you have the right to make a request for such a disclosure twice in any 12-month period. Carbon Health will make the requested disclosure within 45 days of receiving your request, unless we determine the need for, and then request an extension. If we determine that we have a reasonably defined need for a 45-day extension, we will notify you of the extension within the initial 45-day period.

Right of deletion

You have the right to request that we delete your personal information. Any such request is subject to certain exceptions, including Federal and State laws regarding your Protected Health Information, as with the Health Insurance and Portability Act of 1996 (“HIPAA”). Upon receipt of a deletion request from you, we will validate the request, and then delete your personal information, as well as direct our service providers to delete any of your personal information, unless an exception applies. To request deletion of personal information protected by the CCPA, you may contact us through the channels defined in the Contact Information section of this document.

Right to non-discrimination

You have the right not to receive any discriminatory treatment as a result of any choice or action on your part to exercise your privacy rights as provided by the CCPA.

Disclosures About Your Personal Information Protected by CCPA

Categories of information we collect and disclose for a business purpose

The following categories of personal information, as defined in the CCPA, are collected from you in connection with your use of the Carbon Health Website and Application. To understand our collection, use, and disclosure of your Protected Health Information (“PHI”) please refer to our HIPAA Privacy Practices and not this document. Protected Health Information (“PHI”) collected by Carbon Health falls under the CCPA exclusions, and is generally exempt from the CCPA. Personal Information that we may have disclosed in the last twelve months that does not fall under protections documented in our HIPAA Privacy Practices, and information which is not exempt from the CCPA, includes the following categories of personal information used for a business purpose:

• Identifiers, such as your first and last name, Internet Protocol address, email address, and other similar identifiers.
• Personal information categories listed in the California Customer Records provisions, including physical characteristics, such as weight, and payment information, such as your credit card number.
• Characteristics of protected classifications under California or federal law, such as your gender and age.
• Commercial information, such as the record of purchase of your Summit membership.
• Biometric information, such as your exercise data.
• Internet or other electronic network activity information, such as session logs.
• Geolocation data, such as the physical location of your recorded activity.
• Electronic, visual, or similar information, such as photos.
• Inferences drawn from any of the above information to create a profile reflecting your preferences, characteristics, behavior, abilities, and aptitudes, such as Relative Effort.

According to California law, the CCPA does not apply to, and personal information does not include:

• Publicly available information from government records.
• De-identified or aggregated consumer information.

Other disclosures about your personal information

This Policy does not define how we ensure our adherence to Federal and State laws regarding your Protected Health Information, including the Health Insurance and Portability Act of 1996 (“HIPAA”). Our policies regarding the processing of your Protected Health Information (“PHI”) are covered in our Notice of Privacy Practices (“HIPAA Privacy Practices”). This Privacy Policy defines additional disclosures about your personal information that CCPA requirements ensure are provided to you. Please read the whole of this Privacy Policy and also our HIPAA Privacy Practices to understand the various sources including our Website and Application from which we collect your personal information, the business or commercial purposes for which we collect your personal information, and the categories of third parties with whom we share your personal information.

How to contact us

If you have questions about your rights or our disclosures under the CCPA, you may reach us through the channels defined in the Contact Information section of this document.

Further, note that information regarding Carbon Health job applicants, employees, owners, directors, officers, or contractors, emergency contact information from the same, and information necessary for Carbon Health to administer benefits to the same, and information Carbon Health obtains from a consumer acting on behalf of a company and whose communications with Carbon Health occur solely within the context of Carbon Health conducting due diligence regarding, or providing or receiving a product or service to or from another company, are generally exempt from much of CCPA, as different rules, laws, and regulations apply to your Protected Health Information. To understand your rights regarding your Protected Health Information please see our HIPAA Privacy Practices, or if you do not use a Carbon Health Provider, please ask your Provider for their Notice of Privacy Practices (“HIPAA Privacy Practices”), for more information. If you have questions about any of the foregoing, please contact us using the information set forth below underContact Information.

11. Changes to Our Privacy Policy

We will not weaken the privacy protections applied to your Personal Data as defined in this Privacy Policy without first notifying you. We reserve the right to make changes to this Privacy Policy at any time. It is our policy to post any changes we make to our Privacy Policy on this page with a notice that the Privacy Policy has been updated on the Website’s home page or the Application’s home screen. If we make material changes to how we treat our users’ Personal Data, we will notify you by sending email to the email address specified in your account or through a notice on the Website’s home page or the Application’s home screen. To understand your rights regarding your Protected Health Information please see our HIPAA Privacy Practices, or if you do not use a Carbon Health Provider, please ask your Provider for their Notice of Privacy Practices (“HIPAA Privacy Practices”), for more information. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically accessing the Application or visiting our Website and reviewing this Privacy Policy to check for any changes.

12. Contact Information

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, you may contact us at the contact information below or through the “Contact Us” page on our Website or in the Application.