Truemed Privacy Policy

In this Notice we refer to information that constitutes “personal data” or “Personal Data” (or other terms with a substantially similar definition and obligations) under U.S. data protection laws as “Personal Data,” subject to the limitations below. This Notice describes the types of Personal Data we collect on our own behalf in connection with our Services; our practices for using, maintaining, sharing, and protecting that Personal Data; and the rights and choices you may have with respect to your Personal Data.

In using certain components of the Services, you may provide information that may be protected under laws that govern the collection, use, and disclosure of personal medical information. The Medical Group and the Providers may be a “covered entity” or “business associate” under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and its related regulations (collectively and as amended, “HIPAA”). Truemed under some circumstances may be a “business associate” of the Medical Group and/or its affiliates or Providers. To the extent that Truemed is acting as a “business associate,” Truemed may be subject to certain provisions of HIPAA with respect to “protected health information” (“PHI,” as defined under HIPAA) that Truemed collects, uses, or discloses on behalf of the Medical Group or its Providers. We may de-identify PHI and/or Personal Data, and PHI and Personal Data that has been de-identified is neither PHI nor Personal Data under this Notice.

The Medical Group has adopted a Notice of Privacy Practices that describes how it collects, uses, and discloses PHI. Truemed, in its capacity as a business associate, collects, uses, and discloses PHI in a manner consistent with the Notice of Privacy Practices. PHI that is collected, used, and disclosed by Truemed on behalf of the Medical Group is not considered “Personal Data” under this Notice, and is not subject to this Notice. Examples of PHI that Truemed collects on behalf of the Medical Group includes your responses to the health-related questions in Truemed’s Qualification Survey and, under some circumstances, may include information about the products and services you purchase to prevent, treat, or mitigate a specific medical condition(s).

This Notice also does not apply to the collection and use of certain employment-related information. If you are a current or former Truemed job applicant, employee, contractor, director, or officer, please contact us for the appropriate notice.

We collect information you provide directly to us, which is often Personal Data. We call this “Submitted Data.” We also use various technologies to collect certain technical and usage information from your computer, mobile device, or other device when you use our Services. We call this information “Usage Data,” and certain Usage Data may also constitute Personal Data. Finally, we also may receive other information about you from or on behalf of third parties, including our Partners; some of that information may also constitute Personal Data.

2.1. Information you give Truemed

If you use the Truemed Services, either directly or through a merchant partner, the Personal Data we may collect about you includes, but is not limited to, the following Submitted Data:

• Identity and profile information. This may include your full name, email address, billing address, phone number, password and account preferences (if you create an account with us).

• Customer service interactions. We collect information you provide when you engage with Truemed's customer service personnel and mechanisms, including through email correspondence..

• Marketing and communications data. This information may be collected about you through cookies and other tracking technologies described below, and may also include your preferences in receiving marketing communications from us and our third parties (marketing and servicing vendors and merchant partners).

• Geolocation information. We may collect or infer information about your general or precise location (including the precise location of your device) when you provide your state of residence, shipping and/or billing addresses, or access or use the Services, or turn on Bluetooth, Wi-Fi or other geolocation functionality on your device.

2.2. Third-party payment processing providers

We use one or more third-party payment processing providers in connection with our Services. If you provide your financial account number (such as credit card number or debit card number) in connection with your payment for our Services, please be aware that: (i) you are providing such financial account number to the applicable third-party payment processing provider(s) (currently, Stripe and Basis Theory) and not to Truemed; (ii) we do not access, store, or otherwise process such financial account number; and (iii) the processing of such financial account number and any and all other data required or otherwise collected by such third-party payment processing provider (such as name, email address, phone number, postal address, commercial information, etc.) is subject to the applicable terms, conditions, and policies of such third-party payment processing provider (each of which may be modified from time to time by such third-party payment processing provider). We may receive from, and provide to, the payment processing provider a randomly-generated payment “token” in connection with your purchases.

2.3. Other information obtained from third parties

We may obtain Personal Data about you from other sources, including our Partners and sources that we rely on to enrich our Services, such as our service providers, online advertising companies, and social media platforms.

• Partners. We may obtain information about you from our merchant partners who have referred you to us to facilitate, or otherwise in connection with, the purchase of those Partners’ products or services.

• Vendors/service providers. This includes vendors we rely on to provide our Services, like IT service providers.

• Online advertising companies and social media platforms. Truemed may have access to your information from your accounts managed by third parties. The information we have access to varies by third party site and is controlled by your privacy settings on that site and your authorization.

2.4. Our collection of Usage Data

We collect Usage Data when you use our Services or otherwise interact with us through the use of cookies, advertising IDs, pixels, and similar online technologies, which we typically use through third-party vendors. Usage data enables us to personalize your experience with our Services and to improve the Services we provide.

• A “cookie” is a small alphanumeric text file that is stored in a browser by a website or by a third-party ad server or other third party that allows that website or third party to recognize that browser and that may be associated with Submitted Data, Usage Data, and other information.

• An “advertising ID” is an alphanumeric identifier made available by a platform or operating system (such as Apple iOS or Google Android) that allows application developers and third parties to recognize a particular device in an application environment and that may be associated with Submitted Data, Usage Data, and other information.

• A “pixel” is a line of code that is used by a website operator or third party to assign online activities to a device or browser, or more specifically to the applicable cookie ID or mobile advertising ID.

Usage Data may include the following categories and types of data:

Technical identifiers: These technical identifiers can be used to identify an individual’s browser, mobile advertising environment, and/or device, and typically include:

• Cookie IDs;

• Device IDs; and

• Internet protocol address (“IP address”) and data derived from an IP address, such as non-precise geolocation data that indicates the country, region, city, and/or postal code of a device.

Additional technical information which may include:

• Mobile advertising IDs (e.g., Apple IDFAs and Google Advertising IDs);

• Type of Internet browser, browser language, and operating system; and

• Connection type (wired or Wi-Fi), network to which the device is connected, and mobile carrier (if available).

Online interaction information: This information consists of online browsing activity to determine what types of activities, services and products an individual may be interested in and how that individual and other individuals interact with our Services and those provided by our merchant partners. This information may include:

• Records of the pages you view on or through the Services and the types of other websites/applications/pages viewed (i.e., in order to ascertain interests);

• Website/application and page that an individual came from before, and visited after, visiting the Services;

• Date and time of online activity;

• Frequency of visits to the Services;

• Search terms used; and

• Interactions with our Services and/or those of our Partners (e.g., the Partner that referred you to our Services).

For purposes of this Notice, “device” includes computers, smartphones, tablet computers, e-readers, and other digital devices capable of maintaining an Internet connection, and “mobile device” includes smartphones and tablet computers.

We also use analytics tools (including Mixpanel) when you use our Services, including to better understand how you use the Services and to improve the Services. To learn more about Mixpanel’s use of information (including information collected through the Services via Mixpanel), please visit https://mixpanel.com/legal/privacy-policy.

You can learn more about online tracking technologies and the options available to limit their collection and use of your information by visiting the websites for the Network Advertising Initiative and the Digital Advertising Alliance. Similarly, you can learn about your options to opt out of mobile app tracking by certain advertising networks through your device settings and by resetting the advertiser ID on your Apple or Android device.

Please note that opting out of cookies and other tracking technologies does not mean that you will not receive advertisements, nor will it prevent the receipt of interest-based advertising from other companies that do not participate in these programs. It will, however, exclude you from interest-based advertising conducted through participating networks, as provided by their policies and choice mechanisms. Note that if you delete your cookies, you may also delete your opt-out preferences.

3. How Truemed uses your Personal Data

Truemed may use Submitted Data, Usage Data, other Personal Data, and other information we collect and receive for a number of purposes, including but not limited to the following purposes:

3.1 Providing, tailoring, and improving our Services.

We use your Personal Data to provide and improve our products and Services. For example, we use Submitted Data you provide to us to host customer accounts, process transactions, and resolve disputes. We may also use Personal Data to facilitate your relationship with our Partners who you choose to interact with, or to suggest merchant partners that may be located near you.

3.2 Providing Services to our Partners.

We use your Personal Data to provide Services to our Partners. For example, we help certain of our Partners process your transactions (if, for instance, you used your HSA/FSA card to purchase one of our Partner’s products or services and completed your purchase through Truemed’s portal). We also use your Personal Data to provide accounting and financial planning & analytics services to our Partners.

3.3 Improving our Services and growing our business.

We use a variety of information, including Submitted Data and Usage Data, to understand our customer base, conduct research and analysis, develop new or improved products and Services, and build relationships with merchant partners. If you are an employee, representative, or agent of a merchant, vendor, or other business entity, Truemed may use Personal Data collected from you in connection with the business relationship between the entity and Truemed, or to market a prospective relationship to the entity you represent.

3.3 Responding to your requests.

We use your Personal Data to provide customer service and support, respond to your questions, comments, and other requests.

3.4 Communications and marketing.

We may use Personal Data to provide service update notices and to notify you about products, services, and promotions that may be of interest to you.

3.5 Offering, maintaining, and improving our website and other online Services.

We may process your Usage Data and other Personal Data to monitor the performance of our Services, improve the user experience, and to ensure the security of our Services.

3.6 Complying with legal and regulatory obligations.

We may process your Personal Data to comply with our regulatory requirements or in connection with inquiries from regulators, law enforcement agencies, or parties involved in litigation, in each case anywhere in the world, as necessary for Truemed to bring claims and exercise defenses, including to enforce the Terms of Service.

4. How Truemed shares your Personal Data

4.1 With service providers and contractors.

We engage service providers and contractors to perform functions on our behalf, such as processing transactions, marketing, billing and collection, auditing and accounting, professional services, measurement and analytics services, security and fraud prevention, maintenance and hosting of our Services, and IT.

4.2 With our Partners.

We disclose your information with our Partners that you interact with in connection with our Services to facilitate your transactions, for accounting and financial planning & analytics purposes, and to improve the Services. When you accept this Notice and use our Services, you consent to us sharing your Personal Data with merchants you interact with.

4.3 When required or as permitted by law.

We disclose information where necessary to comply with applicable law, to respond to requests from law enforcement agencies or other government authorities or third parties, as permitted by law, and without your consent when it is necessary to protect our customers, employees, or property, in emergency situations, to enforce our rights under our Terms of Service and policies, or to combat fraud or criminal activity.

4.4 As part of a corporate transaction.

Truemed may disclose your information in connection with corporate transactions, in the event that Truemed enters into, or intends to enter into, a transaction that alters the structure of our business, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control, or other disposition of all or any portion of our business, assets or stock. The acquiring party or the merged entity may not have the same privacy practices or treat your information the same as described in this Notice.

5. How Truemed protects your Personal Data

Truemed maintains safeguards intended to protect the information that we collect. However, no information system or method of electronic storage or transmission is 100% secure, so we cannot guarantee the absolute security of your Personal Data. Moreover, we are not responsible for the security of information you transmit to our Services over networks that we do not control, including the Internet and wireless networks.

6. How Truemed retains your information

Truemed will retain your Personal Data for as long as is necessary to complete the purposes for which it was collected, or as may be required by law. California law requires us to provide information regarding the criteria we use to determine the length of time for which we retain Personal Data.

We utilize the following criteria to determine the length of time for which we retain information:

• The business purposes for which the information is used, and the length of time for which the information is required to achieve those purposes;

• Website/application and page that an individual came from before, and visited after, visiting the Services;

• Whether we are required to retain the information type in order to comply with legal obligations or contractual commitments, to defend against potential legal claims, or as otherwise necessary to investigate activities potentially in violation of Truemed's policies and procedures applicable to you or against the law, to ensure a secure online environment, or to protect health and safety;

• The privacy impact of ongoing retention on the consumer; and

• The manner in which information is maintained and flows through our systems, and how best to manage the lifecycle of information in light of the volume and complexity of the systems in our infrastructure.

Individual pieces of Personal Data such as those listed above may exist in different systems that are used for different business or legal purposes. A different maximum retention period may apply to each use case of the information. Certain individual pieces of information may also be stored in combination with other individual pieces of information, and the maximum retention period may be determined by the purpose for which that information set is used.

7. Jurisdiction-specific information

7.1 Your U.S. state privacy rights

If you are a resident of a U.S. state with an effective general privacy law (such as California under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (as amended, “CCPA”) (each such state general privacy law, a “State Privacy Law”), you have some or all of the following rights with respect to your Personal Data, in each case as provided by the applicable State Privacy Law:

Right to Know/Access

You have the right to request that we disclose to you, following your verifiable/authenticated request:

• The categories of Personal Data we have collected (about you)

• The categories of sources from which the Personal Data is collected

• The business or commercial purpose for collecting, selling, or (under CCPA) “sharing” Personal Data

• The categories of third parties with which we disclose Personal Data

• The specific pieces of Personal Data we have collected about you

• The categories of Personal Data about you that we disclosed for a “business purpose”, and the categories of persons to whom it was disclosed for a “business purpose”

• If we sell or (under CCPA) “share” your Personal Data:

  • The categories of Personal Data that we sold or (under CCPA) shared about you

  • The categories of third parties to which your Personal Data was sold or (under CCPA) shared, by category or categories of Personal Data for each category of third parties to which the Personal Data was sold or (under CCPA) shared

Right to Delete

You have the right to request that we delete, following your verifiable/authenticated request, the specific pieces of Personal Data we have collected about you.

Right to Correct

You have the right to request that we correct, following your verifiable/authenticated request, inaccurate Personal Data that we have collected about you.

Right to Data Portability

You have the right to request that we provide you, following your verifiable/authenticated request, with a copy of the Personal Data about you that we process by automated means in a portable and, to the extent technically feasible, readily usable format that allows you to transmit it to another party.

Rights to “Opt-Out”:

Based on your applicable State Privacy Law, you may have some or all of the following rights:

• To direct us not to sell (as defined by the applicable State Privacy Law) or (under CCPA) “share” your Personal Data

• To opt out of “targeted advertising” (as defined by the applicable State Privacy Law), which is a type of Tailored Advertising

These State Privacy Law opt-out rights are different from the right to opt out of online behavioral advertising described in Section 2.1 above. Please note that we do not engage in “profiling” (as defined by applicable State Privacy Laws) in furtherance of decisions that produce legal or similarly significant effects concerning consumers.

Right to Non-Discrimination

We may not discriminate against you because you exercise any of your rights under your applicable State Privacy Law, including by:

• Denying goods or services to you

• Charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties

• Providing a different level or quality of goods or services to you

• Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services

Please note the following:

• The process we currently use to verify/authenticate “requests to know/access”, “requests to delete”, “requests to correct”, and “requests for data portability” requires you to confirm certain details regarding your account and/or your subscription. In certain cases, we may need to ask for more information. If we are unable to verify/authenticate your request, we will let you know.

• Because we only collect limited information about individuals without an account, we are generally unable to verify/authenticate requests from non-account holders to the standard required by the applicable State Privacy Law.

• If you submit a “request to delete”, we may have a reasonable need to retain certain of your Personal Data, including for certain limited purposes permitted by the applicable State Privacy Law. Therefore, if you submit a “request to delete”, we will not delete the Personal Data that we reasonably need to retain.

• If we utilize “de-identification” to comply with a “request to delete” or similar legal obligation with respect to Personal Data, we will maintain and use such data in de-identified form and will not attempt to re-identify such de-identified data.

Methods of Submitting Requests

If you are a resident of a U.S. state with an effective State Privacy Law, you may submit requests under that State Privacy Law to exercise your “right to know/access”, your “right to delete”, your “right to correct”, and/or your “right to data portability” by email, to privacy@truemed.com.

If you are a resident of a U.S. state with an effective State Privacy Law, you may exercise your State Privacy Law “right(s) to opt-out” via the following method(s):

• By email, to: privacy@truemed.com

• Via the Global Privacy Control user-enabled universal opt-out mechanism, if and when such a universal opt-out mechanism is legally required as a method of opting out by the applicable State Privacy Law (for more information regarding Global Privacy Control, please visit the Global Privacy Control website: https://globalprivacycontrol.org/)

Please note that if you exercise your State Privacy Law “right(s) to opt-out”, we will honor that election to the extent technically feasible. However, it may not be technically feasible for us (i) to associate your email address and other Personal Data within the Personal Data you have provided to us with the Personal Data within your applicable usage data (e.g., browser/device ID) [if you submit such request via email] or (ii) to associate the applicable browser/device ID with your other Personal Data (e.g., your email address) [if you submit such request via Global Privacy Control].

Please also note that if we notify you that we were unable to verify/authenticate your “request to know/access”, “request to delete”, “request to correct”, or “request for data portability”, you may appeal our determination by emailing us at privacy@truemed.com and indicating why you disagree with our determination (including by providing additional information to support your request).

We will maintain records of consumer requests made under State Privacy Laws and how we responded to those requests in accordance with those State Privacy Laws.

Authorized Agents

If you are a resident of a U.S. state with an effective State Privacy Law, if and as required by that State Privacy Law, you may use an “authorized agent” to submit a request(s) to exercise your “right to know/access”, your “right to delete”, your “right to correct”, your “right to data portability”, and/or your State Privacy Law “right(s) to opt-out” (as applicable) on your behalf under that State Privacy Law. Your authorized agent will need to submit such request(s) to privacy@truemed.com and to include in such email a copy of a written permission that is signed by you and indicates that you have provided such authorization to so act on your behalf.

Authorized agents wishing to exercise rights on behalf of a consumer who is a resident of a U.S. state with an effective State Privacy Law should submit requests to privacy@truemed.com along with a copy of the consumer’s signed authorization designating you as their agent. If you do not have an account, while you may contact us at privacy@truemed.com with questions or concerns, we may not be able to respond to requests to exercise your rights under the applicable State Privacy Law.

7.2 Categories of Personal Data we collect

You have the right to receive notice of the categories of Personal Data we collect, and the purposes for which those categories of Personal Data will be used. We collect (and during the last 12 months have collected) the following categories of Personal Data, from the following categories of sources, and for the following business or commercial purposes:

Persons with disabilities may obtain this notice in alternative format upon request by contacting us at privacy@truemed.com.

7.3 Sale of data

We use for “targeted advertising” (as defined by applicable State Privacy Law), “share” (as defined by the CCPA), and/or may be deemed to “sell” (as defined by applicable State Privacy Law) (and during the last 12 months have used for “targeted advertising” and/or “shared” and/or may be deemed to have “sold”) each of the above categories of Personal Data with/to marketing partners in connection with our, their, and their respective customers’ marketing, advertising, and other business and commercial activities (in connection with our use and/or their provision of their products and services). While we may be deemed to “sell” and have “sold” such Personal Data under certain State Privacy Laws, we do not “sell” Personal Data for monetary consideration as part of our standard operational and commercial activities. However, we may “sell” each of the above categories of Personal Data in connection with a “change of control” transaction (please see Section 4.4 above).

If you are a resident of a U.S. state with an effective State Privacy Law, you have the right, at any time, to direct us under such State Privacy Law not to use your Personal Data for “targeted advertising” (as defined by the applicable State Privacy Law), “share” (as defined by CCPA) your Personal Data, and/or “sell” use your Personal Data (as defined by the applicable State Privacy Law), as set forth in the applicable State Privacy Law. You may exercise such “Rights to Opt-Out” via the methods set forth above in this section under the header “Methods of Submitting Requests”.

7.4 Residents of California

California Shine the Light

Residents of the State of California have the right to request information from Truemed regarding other companies to whom the company has disclosed certain categories of information during the preceding year for the other companies' direct marketing purposes. Truemed does not disclose any information for other companies’ direct marketing purposes.

California Consumer Privacy Act

You have the right under the CCPA to request that we restrict our use of certain pieces of Personal Data that are considered sensitive under California law—such as certain health information. If you would like to restrict the sharing of sensitive Personal Data, you can email us at privacy@truemed.com.

Do Not Track

California law requires us to disclose how we respond to browser “Do Not Track” signals or other choice mechanisms relating to interest-based advertising. Our Services do not currently respond to web browser “Do Not Track” signals, and we do not change any of our data collection practices when the Services receive such signals. If we do so in the future, we will describe how we do so in this Notice. For more information regarding Do Not Track, please visit the following website: www.allaboutdnt.org.

While we do not currently support “Do Not Track” signals, we do honor opt-out signals received from the Global Privacy Control universal opt-out mechanism as the applicable California consumer’s election to opt-out of the sale and/or sharing (each, as defined by CCPA) of their Personal Data, to the extent technically feasible. For more information regarding Global Privacy Control, please visit the Global Privacy Control website: https://globalprivacycontrol.org/.

8. Children’s information

The Services are not directed to, nor do we knowingly collect information from, children under the age of 18. If you are a parent or guardian and you believe that your child has provided us with Personal Data without your consent, please email us at privacy@truemed.com.

9. Changes to this Notice

We may update our privacy practices, and this Notice, from time to time. We recommend that you review this Notice periodically for any changes. Changes to this Notice are effective when they are posted on this page, and we will update the "Effective Date" at the top of this Notice. If we make any revisions that materially change the ways in which we use or share the information collected from you through the Services prior to the Effective Date of such changes, we will give you the opportunity to consent to such changes before applying them to that previously-collected information.

10. Contact Truemed

If you have questions or concerns regarding this Privacy Policy, you should contact us at privacy@truemed.com.

11. Effective Date

This Privacy Notice was last updated on 02/20/2025 and is deemed effective as amended as of that date.