Faros Health ENLIGHT Privacy Notice

Last Updated: August 20, 2024

Faros Health, Inc. (“Faros Health,” “we,” “our,” or “us”) values your privacy and the protection of information we collect that can be used to identify you or that we can link to or associate with you (“Personal Data”). This Privacy Notice (“Notice”) explains how we collect, store, use, share, transfer, delete, and otherwise process your Personal Data.

Please review this Notice carefully. To the extent permitted by law, by providing us your Personal Data or otherwise interacting with us, you are acknowledging this Notice. If you do not agree with our policies and practices, it is your choice not to use our Services or otherwise engage with us.

This Notice is available to persons with disabilities. To access this Notice in an alternative, downloadable format, please click here.

Purpose of this Privacy Notice

This Notice describes the types of Personal Data that Faros Health may collect or process, how we may use and disclose that Personal Data, how you may exercise any rights you may have regarding our processing of your Personal Data, and how you can contact us if you would like to exercise those rights or if you have any questions or concerns.

This Notice applies to Personal Data we collect or process through the ENLIGHT platform or when you contact us (collectively, “Services”). For users in Washington, Nevada, or other states with similar consumer health data privacy laws, this notice is supplemented by our Consumer Health Data Privacy Notice.

This Notice does not apply to the Faros Health website (https://faroshealth.com/). You may find the website privacy notice here.

This Notice does not address or apply to “protected health information” (“PHI”), which is regulated by the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA provides specific protections for the privacy and security of PHI. Please read the Notice of Privacy Practices of your health care provider, health plan, and/or plan sponsor to understand how your PHI can be used and disclosed by those entities.

Faros Health may provide you with a different privacy notice in certain situations, in which case that privacy notice or policy will apply to the Personal Data collected or processed in that specific situation, rather than this one.

We may collect or process Personal Data as a service provider on behalf of our customers, such as your employer. In those instances, you should consult the customer’s applicable privacy notice or reach out to the customer for information regarding how they process your Personal Data.

If you provide us with Personal Data related to anyone other than yourself, please note that you are responsible for complying with all privacy and data protection laws prior to providing that information to Faros Health (including obtaining consent, if required).

Personal Data Collected, Purposes, and Recipients

We may collect or process your Personal Data when you engage with the Services, including when you register for or use ENLIGHT.

Examples of the types of Personal Data we collect or process (Personal Data that may be considered sensitive under some data protection laws is noted with a “^”):

  • Identity and contact information, such as:
    • username and password^
    • first and last name or unique pseudonym
    • honorifics and titles, preferred form of address
    • employer / company
    • email address
    • postal address
    • phone number
  • Information regarding health^, such as:
    • information you share about your health-related conditions, symptoms, experiences, diagnoses, testing, medications, or treatments
    • information that could identify your attempt to seek health care
    • information about your health insurance coverage, including relevant ID numbers, copay, and billing information
    • other information that may be used to infer or derive data related to the above or other health information
  • Technical or electronic network activity information, such as:
    • Internet Protocol (IP) addresses (which may identify your general geographic location or company)
    • browser type and browser language
    • device type
    • date and time you use our Services
    • Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving at and after leaving our Services
    • activity and online behavior while on our Services and referring websites or applications, including forms and other information submitted, videos watched, your clicks on our site pages
    • data collected from cookies or other similar technologies*

Where do we get your Personal Data?

  • you and those authorized to provide Personal Data on your behalf, such as your caregiver or authorized representative
  • your employer, health plan, and/or plan sponsor
  • your personal devices
  • business partners or other service providers that assist us in providing and improving our services

Why do we process your Personal Data?

  • to provide you with our Services
  • to communicate with you
  • to administer our relationship with your organization
  • to identify and authenticate you
  • to detect security incidents
  • to protect against malicious, fraudulent, or illegal activity
  • to ensure the appropriate use of our Services
  • to improve our Services
  • for short-term, transient use
  • for administrative purposes
  • for marketing, internal research, and development
  • for quality assurance
  • to comply with legal and regulatory obligations

Who may receive your Personal Data?

  • Faros Health and our affiliates
  • individuals or entities that you designate or instruct us to share your Personal Data with
  • authorized representatives
  • third parties who assist with fraud prevention, detection, and mitigation
  • third parties who assist with our information technology and security programs and our loss prevention programs
  • Faros Health’s lawyers, auditors, and consultants
  • partners that assist us in providing or improving our Services or help us improve our marketing or administration**

* Please see our Cookie Notice for more information on how we use cookies and similar technologies.

** In limited circumstances, recipients may include:

  1. in the event of a sale, assignment, merger, consolidation, corporate reorganization, or transfer, to the buyer, assignee, or transferee; and
  2. government or regulatory officials, law enforcement, courts, public authorities, or others when permitted by this Notice or required by law.

Personal Data of Children

Faros Health does not knowingly collect, maintain, disclose, or otherwise process Personal Data from minors below the age of 16 without the permission of such minor’s parents or legal guardians.

Marketing, Cookies, and Analytics

  • We may use your contact details to contact you to determine whether you would like to initiate a business relationship with us or to send you marketing emails. If you do not wish to receive such marketing emails, you may opt out by declining to receive such emails when registering, in our subsequent communications by following opt-out or unsubscribe instructions included in the email, by contacting us, or at other information collection points while using the Services.
  • We may collect Personal Data automatically through cookies and other technologies to provide functionality to our Services and to recognize you across devices when using our Services, in each case where this is justified under applicable data protection law for our legitimate business purposes or with consent, where required. These legitimate business purposes include evaluating information about the use of our Services and identifying trends; developing or enhancing our Services; providing an experience tailored to you when you use our Services; effecting certain security controls; and identifying the advertisements and offers we think may interest you so that we may display them to you when you use our Services.
  • We do not engage in profiling subject to the privacy laws using Personal Data.
  • We do not “sell” your Personal Data or share it for the purposes of cross-context behavioral (i.e., “targeted”) advertising or profiling nor do we process your sensitive Personal Data to infer characteristics about you. We do allow certain third parties to collect information about the users of our Services to provide valuable services to us, such as fraud detection, reporting, and analytics. This may include sharing information about your interactions with our Services, including information searched for or viewed in connection with our Services for the purposes of providing you with information related to your searches, queries, or other interactions with our Services.
  • We also perform statistical analyses of the users of our Services to improve the functionality, content, design, and navigation of our Services.

In addition, if you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to automatically decline cookies or be given the choice of declining or accepting the transfer to your computer of a particular cookie (or cookies) from a particular site. Visit http://www.allaboutcookies.org/manage-cookies/index.html for more information. If, however, you do not accept these cookies, you may experience some inconvenience in your use of the Services. For example, we may not be able to recognize your computer, and, where applicable, you may need to log in every time you visit.

Do-Not-Track Signals

Certain web browsers and other programs may transmit “opt-out” signals, also called Global Privacy Control (or GPC) signals or Do-Not-Track signals (GPC Signals), to websites with which the browser communicates. Please note that we do not have the ability to recognize or honor browser do-not-track or similar signals at this time. However, Faros Health does not engage in targeted advertising or the sale of Personal Data.

Marketing

To the extent permitted by law, including with your consent where required, we may use your contact details to contact you to determine whether you would like to initiate a business relationship with us or to send you marketing emails. If you do not wish to receive such marketing emails, you may opt out by declining to receive such emails when registering, in our subsequent communications by following opt-out or unsubscribe instructions included in the email, by contacting us, or at other information collection points while using the Services.

Service Providers and Third Parties

Service Providers

Service providers or vendors (or processors) acting on our behalf must execute agreements requiring them to maintain confidentiality and to process Personal Data only to provide the services to us and in a way that aligns with this Notice, other applicable privacy notices, and as explicitly permitted or required by applicable laws, rules, and regulations.

Links to Other Services

Our Services may contain links to other websites, applications, or services that are not owned or operated by Faros Health. Such links do not imply an endorsement with respect to any third party, any website, or the products or services provided thereby. You should carefully review the privacy policies and practices of other websites and services as we cannot control and are not responsible for privacy policies, notices, or practices of third-party websites, applications, and services.

Your Rights Regarding Your Personal Data

Depending on where you live, you may have the following rights with respect to some or all of your Personal Data:

  • to request information about, or an explanation of, whether and how we process your Personal Data
  • to request access to and a copy of your Personal Data, including to provide your Personal Data directly to another organization (called, in some locations, a right to data portability)
  • to request that we correct or update your Personal Data
  • to request that we delete your Personal Data
  • to request that we restrict, suspend, or block, or to object to or opt out of, the processing of your Personal Data, including your sensitive Personal Data, including withdrawing consent
  • to appeal the denial of a request
  • to lodge a complaint with the data protection authority in your jurisdiction

To make a request, submit a complaint about how we process your Personal Data, or to appeal the denial of one of your requests, please contact us using the information at the bottom of this Notice. Even if you make a complaint to us, you may also in some jurisdictions lodge a complaint with the relevant privacy or data protection authority in your location, such as your attorney general.

We will not discriminate against you for exercising any of the rights described above, although we may not be able to continue to provide you with certain Services or it may otherwise affect the way we are able to interact with you.

We will make reasonable efforts to respond promptly to your requests. We may, after receiving your request, require additional information from you to honor your request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.

Safeguarding Personal Data

Consistent with applicable laws and requirements, Faros Health has put in place physical, technical, and administrative safeguards designed to protect Personal Data from loss, misuse, alteration, theft, unauthorized access, and unauthorized disclosure consistent with legal obligations and industry practices. However, as is the case with all websites, applications, products, and services, we unfortunately are not able to guarantee security for data collected through our Services. In addition, it is your responsibility to safeguard any passwords, identification or ID numbers, or similar individual information associated with your use of the Services.

How Long Your Personal Data Will Be Kept

We generally retain Personal Data for as long as needed for the specific purpose or purposes for which it was collected or obtained, and as outlined in this Notice. In some cases, we may be required to retain Personal Data for a longer period of time as required by law or for other necessary or required purposes. Whenever possible, we aim to deidentify or anonymize your Personal Data or otherwise remove some or all information that may identify you from records that we may need to keep for periods beyond the specified retention period. The criteria used to determine our retention periods include:

  • the length of time we have an ongoing relationship with you; and
  • whether retention is determined to be necessary for Faros Health due to limitation periods, litigation, or other legal or regulatory obligations.

Faros Health takes reasonable steps to securely dispose of Personal Data upon the expiration of retention periods, taking into consideration these litigation, legal, or regulatory obligations.

International Transfers of Personal Data

Faros Health operates exclusively in the United States and does not target or market itself to persons outside of the United States. If you are accessing the Services from a foreign jurisdiction including, but not limited to, the European Economic Area, the United Kingdom, or Switzerland, your Personal Data may be transmitted to, stored, and processed in the United States or other jurisdictions whose laws are not as protective of Personal Data as the laws in your jurisdiction. If you object to such processing, you should cease using the Services.

Changes to this Privacy Notice

From time to time, we may change this Notice. We will post any changes on this page. If we change the Notice significantly, we will notify you by adding a prominent notice on the ENLIGHT platform, our websites, and services; by sending you an email notification; or via other appropriate communication channels, as required by applicable law. To the maximum extent permitted by applicable law, any changes will become effective when we post the updated Notice, and your use of our services following these changes means that you accept the updated Notice. We encourage you to review this Notice when you use our services to stay aware of our information practices.

Contact Us

If you have any questions about our practices or this Privacy Notice, please contact us at compliance@faroshealth.com or by phone at (214)-296-9006.