ENLIGHT Consumer Health Data Privacy Notice

Effective Date: August 20, 2024

This ENLIGHT Consumer Health Data Privacy Notice (“Notice”) supplements the Faros Health, Inc. (“Faros Health,” “we,” or “us”) ENLIGHT Privacy Notice and applies to Consumer Health Data (as defined below) subject to the Washington State My Health My Data Act, Nevada’s Consumer Health Data Privacy Law (SB 370), and similar state laws (collectively, “Consumer Health Data Laws”).

This Notice does not address or apply to information or practices that are not subject to the Consumer Health Data Laws, including “protected health information” (“PHI”), which is regulated by the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA provides specific protections for the privacy and security of PHI. Please read the Notice of Privacy Practices of your health care provider, health plan, and/or plan sponsor to understand how your PHI can be used and disclosed by those entities.

This Notice is available to persons with disabilities. To access this Notice in an alternative, downloadable format, please click here.

Our Collection and Use of Consumer Health Data

The term “Consumer Health Data” as used in this Notice means any personal information that is linked or reasonably linkable to you and that identifies your past, present, or future physical or mental health status as defined in the Consumer Health Data Laws. The data we collect depends on the context of your interactions with us and, in most cases, is information that you decide to share with us. Consumer Health Data does not include information that is considered deidentified under the Consumer Health Data Laws. Examples of Consumer Health Data that Faros Health may collect include:

• Information you share about your health-related conditions, symptoms, experiences, diagnoses, testing, medications, or treatments.
• Information that could identify your attempt to seek health care.
• Information about your health insurance coverage, including relevant ID numbers, copay, and billing information.
• Other information that may be used to infer or derive data related to the above or other health information.
• Information listed herein that is derived or extrapolated from information that is not Consumer Health Data, including, without limitation, proxy, derivative, inferred, or emergent data derived through an algorithm, machine learning, or any other means.

We may process and/or use this information collected online and offline (including with your consent where required by Consumer Health Data Laws) for the following purposes:

• In the provision of services including the ENLIGHT platform, our websites, and related services to communicate with you.
• To identify and authenticate you.
• To help ensure security and integrity of our systems to the extent the use of Consumer Health Data is reasonably necessary and proportionate for these purposes.
• Administrative purposes including providing customer service (including online service and virtual chatbots), verifying customer information, providing analytic services, providing storage, or providing similar services.
• Undertaking internal research for technological development and demonstration.
• Undertaking activities to verify or maintain the quality or safety of a service that is owned or controlled by us, and to improve, upgrade, or enhance the service that is owned or controlled by us.
• To protect against malicious, fraudulent, or illegal activity.
• Complying with legal and regulatory obligations.
• For commercial purposes such as to provide investor and investment information.
• Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
• For short-term, transient use including, but not limited to, non-personalized advertising shown as part of your current interaction with us.
• Other purposes we may notify you about or for which you provide your consent or authorization.

Sources From Which Your Consumer Health Data Is Collected

The Consumer Health Data we collect may come from various sources, including:

• You and those authorized to provide Consumer Health Data on your behalf, such as your caregiver or authorized representative.
• Your employer, health plan, and/or plan sponsor
• Your personal devices
• Third parties that provide access to information you make available, such as social media services
• Companies conducting non-clinical research such as market research companies; and
• Business partners or other service providers that assist us in providing and improving our services

Our Disclosure of Consumer Health Data

We may share the categories of Consumer Health Data set forth above as follows:

• Faros Health and Our Affiliates: We may share your Consumer Health Data internally or with our affiliates as needed for the purposes listed above.
• Service Providers: We work with a variety of service providers who help us process your Consumer Health Data, such as to facilitate the provision of the service or that perform business or operational services for us or on our behalf, such as website hosting, infrastructure provisioning, IT services, payment processing services, legal, and administrative services.
• Parties with Whom the Consumer Has a Direct Relationship: We may share with parties with whom the consumer has a direct relationship for the purpose of providing services requested by the consumer, in circumstances, where Faros Health maintains control and ownership of the data and the party only uses the Consumer Health Data at Faros Health’s direction for the purpose for which the Consumer Health Data was collected or consented to.
• Business Transactions: We may take part in or be involved with a business transaction, such as a merger. We may disclose Consumer Health Data to a third party during the negotiation of or in connection with such a transaction to the extent permitted by applicable law.
• Legal Obligations and Rights: We may disclose Consumer Health Data to third parties: in connection with the establishment, exercise, or defense of legal claims; to comply with laws or to respond to lawful requests and legal processes; to protect our rights and property and the rights and property of others, including to enforce our agreements and policies; to detect, suppress, or prevent fraud; to protect the health and safety of us and others; or as otherwise required by applicable law.
• With Your Consent: We may disclose Consumer Health Data about you to certain other service providers or publicly with your consent or at your direction.

In the event we process deidentified data, we will maintain and use deidentified data without attempting to reidentify a consumer except as permitted by law and will contractually obligate any recipients of such data to satisfy these criteria.

Exercising Your Privacy Rights

Some Consumer Health Data Laws provide certain rights with respect to Consumer Health Data, including rights to access, delete, or withdraw consent relating to such data, subject to certain exceptions.

To exercise any of your privacy rights, or if you have any questions about your privacy rights, please do not hesitate to contact us at:

E-mail: [compliance@faroshealth.com]

Phone: [214.296.9006]

If we decline or are unable to take action regarding your request, we will notify you by providing our reasons and will provide instructions for how you can appeal the decision. If the appeal is unsuccessful, you may raise a concern or lodge a complaint with the applicable attorney general or other regulatory authority in your state.

With respect to sharing identifiers, internet, network, or other electronic activity which may constitute Consumer Health Data relating to your interaction with ENLIGHT, you may withdraw consent from collection and future sharing at the application level by navigating to [description of cookie/tracker opt-out method] .

Changes to this Consumer Health Data Privacy Notice

From time-to-time, we may change this Notice. We will post any changes on this page. If we change the Notice significantly, we will notify you by adding a prominent notice on the ENLIGHT platform, our websites, and services; by sending you an email notification; or via other appropriate communication channels, as required by applicable law. To the maximum extent permitted by applicable law, any changes will become effective when we post the updated Notice, and your use of our services following these changes means that you accept the updated Notice. We encourage you to review this Notice when you use our services to stay aware of our information practices.