Truemed Privacy Policy

This Privacy Notice ("Notice") explains how True Medicine, Inc. ("Truemed") collects,

uses and discloses your information when you request and obtain our products

and services, interact with Truemed through one of our partner merchants

(“Partners) or as a representative of another business, use our website at

www.truemed.com, including our qualiﬁcation survey at app.truemed.com

(“Qualiﬁcation Survey”), or otherwise interact with us (our "Services"). We also

explain your data privacy rights and how you can exercise them.

By using our Services, and/or by sharing your information with us, you are

accepting and consenting to the practices described in this Notice, which forms part

of the Truemed Terms of Service.

In this Notice we refer to information that constitutes “personal data” or “Personal

Data” (or another term with a substantially similar deﬁnition and obligations) under

applicable data protection law as “Personal Data”.

1. How Truemed collects your Personal Data

We collect information you provide directly to us, which is often Personal Data. We

call this “Submitted Data.” We also use various technologies to collect certain

technical and usage information from your computer, mobile device, or other

device when you use our Services. We call this information “Usage Data,” and

certain Usage Data may also constitute Personal Data. Finally, we also may receive

other information about you from or on behalf of third parties, including our

Partners; some of that information may also constitute Personal Data.

1.1. Information you give Truemed

If you use the Truemed Services, either directly or through a merchant partner, the

Personal Data we may collect about you includes, but is not limited to, the following

Submitted Data:

● Identity and proﬁle information. This may include your full name, email

address, billing address, phone number, password and account preferences (if

you create an account with us).

● Qualiﬁcation survey information. This includes your biological sex and

information you tell us about speciﬁc health conditions, including those that

you’re preventing, managing, or reversing; for which you have a family history;

or that you have discussed with a medical professional.

● Customer service interactions. We collect information you provide when you

engage with Truemed's customer service personnel and mechanisms,

including through email correspondence.

● Commercial and transactional information. We collect transactional

information about the services you elect to purchase and the company that

manages your HSA or FSA account.

● Marketing and communications data. This information may be collected

about you through cookies and other tracking technologies described below,

and may also include your preferences in receiving marketing communications

from us and our third parties (marketing and servicing vendors and merchant

partners).

● Geolocation information. We may collect or infer information about your

general or precise location (including the precise location of your device) when

you provide your state of residence, shipping and/or billing addresses, or

access or use the Services, or turn on Bluetooth, Wi-Fi or other geolocation

functionality on your device.

1.2. Third-party payment processing providers

We use one or more third-party payment processing providers in connection with

our Services. If you provide your ﬁnancial account number (such as credit card

number or debit card number) in connection with your payment for our Services,

please be aware that: (i) you are providing such ﬁnancial account number to the

applicable third-party payment processing provider (currently, Stripe) and not to

Truemed; (ii) we do not access, store, or otherwise process such ﬁnancial account

number; and (iii) the processing of such ﬁnancial account number and any and all

other data required or otherwise collected by such third-party payment processing

provider (such as name, email address, phone number, postal address, commercial

information, etc.) is subject to the applicable terms, conditions, and policies of such

third-party payment processing provider (each of which may be modiﬁed from time

to time by such third-party payment processing provider). We may receive from,

and provide to, the payment processing provider a randomly-generated payment

“token” in connection with your purchases.

1.3. Other information obtained from third parties

We may obtain Personal Data about you from other sources, including our Partners

and sources that we rely on to enrich our Services, such as our service providers,

online advertising companies, and social media platforms.

● Partners. We may obtain information about you from our merchant partners

who have referred you to us to facilitate, or otherwise in connection with, the

purchase of those Partners’ products or services.

● Vendors/service providers. This includes vendors we rely on to provide our

Services, like IT service providers.

● Online advertising companies and social media platforms. Truemed may

have access to your information from your accounts managed by third parties.

The information we have access to varies by third party site and is controlled

by your privacy settings on that site and your authorization.

1.4. Our collection of Usage Data

We collect Usage Data when you use our Services or otherwise interact with us

through the use of cookies, advertising IDs, pixels, and similar online technologies,

which we typically use through third-party vendors. Usage data enables us to

personalize your experience with our Services and to improve the Services we

provide.

● A “cookie” is a small alphanumeric text ﬁle that is stored in a browser by a

website or by a third-party ad server or other third party that allows that

website or third party to recognize that browser and that may be associated

with Submitted Data, usage data, and other information.

● An “advertising ID” is an alphanumeric identiﬁer made available by a

platform or operating system (such as Apple iOS or Google Android) that

allows application developers and third parties to recognize a particular

device in an application environment and that may be associated with

Submitted Data, Usage Data, and other information.

● A “pixel” is a line of code that is used by a website operator or third party to

assign online activities to a device or browser, or more speciﬁcally to the

applicable cookie ID or mobile advertising ID.

Usage Data may include the following categories and types of data:

Technical identiﬁers: These technical identiﬁers can be used to identify an

individual’s browser, mobile advertising environment, and/or device, and typically

include:

● Cookie IDs;

● Device IDs; and

● Internet protocol address (“IP address”) and data derived from an IP address,

such as non-precise geolocation data that indicates the country, region, city,

and/or postal code of a device.

Additional technical information which may include:

● Mobile advertising IDs (e.g., Apple IDFAs and Google Advertising IDs);

● Type of Internet browser, browser language, and operating system; and

● Connection type (wired or Wi-Fi), network to which the device is connected,

and mobile carrier (if available).

Online interaction information: This information consists of online browsing

activity to determine what types of activities, services and products an individual

may be interested in and how that individual and other individuals interact with our

Services and those provided by our merchant partners. This information may

include:

● Records of the pages you view on or through the Services and the types of

other websites/applications/pages viewed (i.e., in order to ascertain

interests);

● Website/application and page that an individual came from before, and

visited after, visiting the Services;

● Date and time of online activity;

● Frequency of visits to the Services;

● Search terms used; and

● Interactions with our Services and/or those of our Partners (e.g., the Partner

that referred you to our Services).

For purposes of this Notice, “device” includes computers, smartphones, tablet

computers, e-readers, and other digital devices capable of maintaining an Internet

connection, and “mobile device” includes smartphones and tablet computers.

We also use analytics tools (including Mixpanel) when you use our Services,

including to better understand how you use the Services and to improve the

Services. To learn more about Mixpanel’s use of information (including information

collected through the Services via Mixpanel), please visit

https://mixpanel.com/legal/privacy-policy.

You can learn more about online tracking technologies and the options available to

limit their collection and use of your information by visiting the websites for the

Network Advertising Initiative and the Digital Advertising Alliance. Similarly, you can

learn about your options to opt out of mobile app tracking by certain advertising

networks through your device settings and by resetting the advertiser ID on your

Apple or Android device.

Please note that opting out of cookies and other tracking technologies does not

mean that you will not receive advertisements, nor will it prevent the receipt of

interest-based advertising from other companies that do not participate in these

programs. It will, however, exclude you from interest-based advertising conducted

through participating networks, as provided by their policies and choice

mechanisms. Note that if you delete your cookies, you may also delete your opt-out

preferences.

2. How Truemed uses your information

Truemed may use Submitted Data, Usage Data, other Personal Data, and other

information we collect and receive for a number of purposes, including but not

limited to the following purposes:

2.1 Providing, tailoring, and improving our Services.

We use your Personal Data to provide and improve our products and Services. For

example, we use Submitted Data you provide to us to evaluate your eligibility,

generate Letters of Medical Necessity (“LMNs”), process transactions, and resolve

disputes. We may also use Personal Data to facilitate your relationship with our

Partners who you choose to interact with, or to suggest merchant partners that

may be located near you.

2.2 Providing Services to our Partners.

We use your Personal Data to provide Services to our Partners. For example, we

help certain of our Partners process your transactions (if, for instance, you used

your HSA/FSA card to purchase one of our Partner’s products or services and

completed your purchase through Truemed’s portal). We also use your Personal

Data to provide accounting and ﬁnancial planning & analytics services to our

Partners.

2.3 Improving our Services and growing our business.

We use a variety of information, including Submitted Data and Usage Data, to

understand our customer base, conduct research and analysis, develop new or

improved products and Services, and build relationships with merchant partners. If

you are an employee, representative, or agent of a merchant, vendor, or other

business entity, Truemed may use Personal Data collected from you in connection

with the business relationship between the entity and Truemed, or to market a

prospective relationship to the entity you represent.

2.3 Responding to your requests.

We use your Personal Data to provide customer service and support, respond to

your questions, comments, and other requests.

2.4 Communications and marketing.

We may use Personal Data to provide service update notices and to notify you

about products, services, and promotions that may be of interest to you.

2.5 Oﬀering, maintaining, and improving our website and other online

Services.

We may process your Usage Data and other Personal Data to monitor the

performance of our Services, improve the user experience, and to ensure the

security of our Services.

2.6 Complying with legal and regulatory obligations.

We may process your Personal Data to comply with our regulatory requirements or

in connection with inquiries from regulators, law enforcement agencies, or parties

involved in litigation, in each case anywhere in the world, as necessary for Truemed

to bring claims and exercise defenses, including to enforce the Terms of Service.

3. How Truemed shares your information

3.1 With service providers and contractors.

We engage service providers and contractors to perform functions on our behalf,

such as processing transactions, marketing, billing and collection, auditing and

accounting, professional services, measurement and analytics services, security and

fraud prevention, maintenance and hosting of our Services, and IT. This includes

disclosing your survey responses, and other information that you provide us and/or

that we receive from our Partners, to licensed professionals who, as further

described in our Terms of Service, make administrative determinations regarding

your eligibility to use your FSA/HSA funds and who issue Letters of Medical

Necessity in connection with Truemed’s provision of the Services.

3.2 With our Partners.

We disclose your information with our Partners that you interact with in connection

with our Services to facilitate your transactions, for accounting and ﬁnancial

planning & analytics purposes, and to improve the Services. When you accept this

Notice and use our Services, you consent to us sharing your information with

merchants you interact with.

3.3 When required or as permitted by law.

We disclose information where necessary to comply with applicable law, to respond

to requests from law enforcement agencies or other government authorities or

third parties, as permitted by law, and without your consent when it is necessary to

protect our customers, employees, or property, in emergency situations, to enforce

our rights under our Terms of Service and policies, or to combat fraud or criminal

activity.

3.4 As part of a corporate transaction.

Truemed may disclose your information in connection with corporate transactions,

in the event that Truemed enters into, or intends to enter into, a transaction that

alters the structure of our business, such as a reorganization, merger, sale, joint

venture, assignment, transfer, change of control, or other disposition of all or any

portion of our business, assets or stock. We cannot promise that an acquiring party

or the merged entity will have the same privacy practices or treat your information

the same as described in this Notice.

4. How Truemed protects your information

Truemed maintains reasonable and appropriate safeguards intended to protect the

information that we collect. However, no information system or method of

electronic storage or transmission is 100% secure, so we cannot guarantee the

absolute security of your information. Moreover, we are not responsible for the

security of information you transmit to our Services over networks that we do not

control, including the Internet and wireless networks.

5. How Truemed retains your information

Truemed will retain your Personal Data for as long as is necessary to complete the

purposes for which it was collected, or as may be required by law. California law

requires us to provide information regarding the criteria we use to determine the

length of time for which we retain Personal Data.

We utilize the following criteria to determine the length of time for which we retain

information:

● The business purposes for which the information is used, and the length of

time for which the information is required to achieve those purposes;

● Whether we are required to retain the information type in order to comply

with legal obligations or contractual commitments, to defend against potential

legal claims, or as otherwise necessary to investigate activities potentially in

violation of Truemed's policies and procedures applicable to you or against the

law, to ensure a secure online environment, or to protect health and safety;

● The privacy impact of ongoing retention on the consumer; and

● The manner in which information is maintained and ﬂows through our

systems, and how best to manage the lifecycle of information in light of the

volume and complexity of the systems in our infrastructure.

Individual pieces of Personal Data such as those listed above may exist in diﬀerent

systems that are used for diﬀerent business or legal purposes. A diﬀerent

maximum retention period may apply to each use case of the information. Certain

individual pieces of information may also be stored in combination with other

individual pieces of information, and the maximum retention period may be

determined by the purpose for which that information set is used.

6. Jurisdiction-speciﬁc information

6.1 Your U.S. state privacy rights

If you are a resident of a U.S. state with an eﬀective general privacy law (such as

California under the California Consumer Privacy Act, including as amended by the

California Privacy Rights Act (as amended, “CCPA”) (each such state general privacy

law, a “State Privacy Law”), you have some or all of the following rights with respect

to your Personal Data, in each case as provided by the applicable State Privacy Law:

Right to Know/Access

You have the right to request that we disclose to you, following your

veriﬁable/authenticated request:

● The categories of Personal Data we have collected (about you

● The categories of sources from which the Personal Datais collected

● The business or commercial purpose for collecting, selling, or (under CCPA)

“sharing” Personal Data

● The categories of third parties with which we disclose Personal Data

● The speciﬁc pieces of Personal Data we have collected about you

● The categories of Personal Data about you that we disclosed for a “business

purpose”, and the categories of persons to whom it was disclosed for a

“business purpose”

● If we sell or (under CCPA) “share” your Personal Data:

○ The categories of Personal Data that we sold or (under CCPA) shared about

you

○ The categories of third parties to which your Personal Data was sold or

(under CCPA) shared, by category or categories of Personal Data for each

category of third parties to which the Personal Data was sold or (under

CCPA) shared

Right to Delete

You have the right to request that we delete, following your veriﬁable/authenticated

request, the speciﬁc pieces of Personal Data we have collected about you.

Right to Correct

You have the right to request that we correct, following your

veriﬁable/authenticated request, any inaccurate Personal Data that we have

collected about you.

Right to Data Portability

You have the right to request that we provide you, following your

veriﬁable/authenticated request, with a copy of the Personal Data about you that

we process by automated means in a portable and, to the extent technically

feasible, readily usable format that allows you to transmit it to another party.

Rights to “Opt-Out”:

Based on your applicable State Privacy Law, you may have some or all of the

following rights:

● To direct us not to sell (as deﬁned by the applicable State Privacy Law) or

(under CCPA) “share” your Personal Data

● To opt out of “targeted advertising” (as deﬁned by the applicable State Privacy

Law), which is a type of Tailored Advertising

These State Privacy Law opt-out rights are diﬀerent from the right to opt out of

online behavioral advertising described in Section 1.1 above. Please note that we do

not engage in “proﬁling” (as deﬁned by applicable State Privacy Laws) in furtherance

of decisions that produce legal or similarly signiﬁcant eﬀects concerning

consumers.

Right to Non-Discrimination

We may not discriminate against you because you exercise any of your rights under

your applicable State Privacy Law, including by:

● Denying goods or services to you

● Charging you diﬀerent prices or rates for goods or services, including through

the use of discounts or other beneﬁts or imposing penalties

● Providing a diﬀerent level or quality of goods or services to you

● Suggesting that you will receive a diﬀerent price or rate for goods or services

or a diﬀerent level or quality of goods or services

Please note the following:

● The process we currently use to verify/authenticate “requests to know/access”,

“requests to delete”, “requests to correct”, and “requests for data portability”

requires you to conﬁrm certain details regarding your account and/or your

subscription. In certain cases, we may need to ask for more information.

● Because we only collect limited information about individuals without an

account, we are generally unable to verify/authenticate requests from

non-account holders to the standard required by the applicable State Privacy

Law.

● If you submit a “request to delete”, we may have a reasonable need to retain

certain of your Personal Data, including for certain limited purposes permitted

by the applicable State Privacy Law. Therefore, if you submit a “request to

delete”, we will not delete the Personal Data that we reasonably need to retain.

● If we utilize “de-identiﬁcation” to comply with a “request to delete” or similar

legal obligation with respect to Personal Data, we will maintain and use such

data in de-identiﬁed form and will not attempt to re-identify such de-identiﬁed

data.

Methods of Submitting Requests

If you are a resident of a U.S. state with an eﬀective State Privacy Law, you may

submit requests under that State Privacy Law to exercise your “right to

know/access”, your “right to delete”, your “right to correct”, and/or your “right to

data portability” by email, to privacy@truemed.com.

If you are a resident of a U.S. state with an eﬀective State Privacy Law, you may

exercise your State Privacy Law “right(s) to opt-out” via the following method(s):

● By email, to: privacy@truemed.com

● Via the Global Privacy Control user-enabled universal opt-out mechanism, if

and when such a universal opt-out mechanism is legally required as a

method of opting out by the applicable State Privacy Law (for more

information regarding Global Privacy Control, please visit the Global Privacy

Control website: https://globalprivacycontrol.org/)

Please note that if you exercise your State Privacy Law “right(s) to opt-out”, we will

honor that election to the extent technically feasible. However, it may not be

technically feasible for us (i) to associate your email address and other Personal

Data within the Personal Data you have provided to us with the Personal Data

within your applicable usage data (e.g., browser/device ID) [if you submit such

request via email] or (ii) to associate the applicable browser/device ID with your

other Personal Data (e.g., your email address) [if you submit such request via Global

Privacy Control].

Please also note that if we notify you that we were unable to verify/authenticate

your “request to know/access”, “request to delete”, “request to correct”, or “request

for data portability”, you may appeal our determination by emailing us at

privacy@truemed.com and indicating why you disagree with our determination

(including by providing additional information to support your request).

We will maintain records of consumer requests made under State Privacy Laws and

how we responded to those requests in accordance with those State Privacy Laws.

Authorized Agents

If you are a resident of a U.S. state with an eﬀective State Privacy Law, if and as

required by that State Privacy Law, you may use an “authorized agent” to submit a

request(s) to exercise your “right to know/access”, your “right to delete”, your “right

to correct”, your “right to data portability”, and/or your State Privacy Law “right(s) to

opt-out” (as applicable) on your behalf under that State Privacy Law. Your

authorized agent will need to submit such request(s) to privacy@truemed.com and

to include in such email a copy of a written permission that is signed by you and

indicates that you have provided such authorization to so act on your behalf.

Authorized agents wishing to exercise rights on behalf of a consumer who is a

resident of a U.S. state with an eﬀective State Privacy Law should submit requests

to privacy@truemed.com along with a copy of the consumer’s signed authorization

designating you as their agent. If you do not have an account, while you may

able to respond to requests to exercise your rights under the applicable State

Privacy Law.

6.2 Categories of Personal Data we collect

You have the right to receive notice of the categories of Personal Data we collect,

and the purposes for which those categories of Personal Data will be used. We

collect (and during the last 12 months have collected) the following categories of

Personal Data, from the following categories of sources, and for the following

business or commercial purposes:

Categories of

Personal Data

Categories of

Sources

Business/Commercial Purposes

Identiﬁers (such

as a real name,

postal address,

email address,

an online

identiﬁer, or an

IP address)

Qualiﬁcation

Survey

Transactional Info

from Partners

Qualify customers’ purchases of Partner

products and services

Generate and issue LMNs to customers

Protect Truemed’s systems from abuse,

unauthorized access, inauthentic

content, fraud, or other violations of our

Conduct business analytics to improve

our Services and advise our Partners

Personal

information

described in

subdivision (e) of

Section 1798.80

of the California

Civil Code

Qualiﬁcation

Survey

Transactional data

submitted by

customers

Transactional data

provided by

Partners

Qualify customers’ purchases of Partner

products and services

Generate and issue LMNs to customers

Characteristics of

protected

classiﬁcations

under California

or federal law

Qualiﬁcation

Survey

Qualify customers’ purchases of Partner

products and services

Generate and issue LMNs to customers

Categories of

Personal Data

Categories of

Sources

Business/Commercial Purposes

(such as gender

and age)

Commercial

information

(such as records

of the products

and/or services a

consumer

purchased,

obtained, or

considered)

Qualiﬁcation

Survey

Transactional data

provided by

Partners

Verify the purchase

Process transactions, including for

Truemed directly and on behalf of

Truemed’s Partners

Internet or other

electronic

network activity

information

(such as

browsing history,

search history,

and information

regarding

interactions with

our websites)

Qualiﬁcation

Survey

Internal &

third-party

analytics services

Protect Truemed’s systems from abuse,

unauthorized access, inauthentic

content, fraud, or other violations of our

Conduct business analytics to improve

our Services and advise our Partners

Geolocation data

(such as IP

address)

Qualiﬁcation

Survey

Internal &

third-party

analytics services

Coordinate among Truemed’s licensed

service providers

Protect Truemed’s systems from abuse,

unauthorized access, inauthentic

content, fraud, or other violations of our

Categories of

Personal Data

Categories of

Sources

Business/Commercial Purposes

Conduct business analytics to improve

our Services and advise our Partners

Sensitive

personal

information

(such as, if

deemed

“sensitive”,

information

concerning your

health and your

password

information)

Qualiﬁcation

Survey

Authentication

screens

Qualify customers’ purchases of Partner

products and services (health-related

Personal Data)

Generate and issue LMNs to customers

(health-related Personal Data)

To provide login and account

management Services to Truemed

customers

Protect Truemed’s systems from abuse,

unauthorized access, inauthentic

content, fraud, or other violations of our

Inferences

(drawn from any

of the other

categories of

Personal Data

set forth above

to create a

proﬁle about a

consumer

reﬂecting, for

example, a

consumer’s

product

preferences)

N/A

Truemed does not draw inferences from

Personal Data it collects or receives

Persons with disabilities may obtain this notice in alternative format upon request

by contacting us at privacy@Truemed.com.

6.3 Sale of data

We use for “targeted advertising” (as deﬁned by applicable State Privacy Law),

“share” (as deﬁned by the CCPA), and/or may be deemed to “sell” (as deﬁned by

applicable State Privacy Law) (and during the last 12 months have used for

“targeted advertising” and/or “shared” and/or may be deemed to have “sold”) each

of the above categories of Personal Data, other than “Sensitive Personal Data” or

other information collected through the Qualiﬁcation Survey, with/to marketing

partners in connection with our, their, and their respective customers’ marketing,

advertising, and other business and commercial activities (in connection with our

use and/or their provision of their products and services). While we may be deemed

to “sell” and have “sold” such Personal Data under certain State Privacy Laws, we do

not “sell” Personal Data for monetary consideration as part of our standard

operational and commercial activities. However, we may “sell” each of the above

categories of Personal Data in connection with a “change of control” transaction

(please see Section 3.4 above).

If you are a resident of a U.S. state with an eﬀective State Privacy Law, you have the

right, at any time, to direct us under such State Privacy Law not to use your

Personal Data for “targeted advertising” (as deﬁned by the applicable State Privacy

Law), “share” (as deﬁned by CCPA) your Personal Data, and/or “sell” use your

Personal Data (as deﬁned by the applicable State Privacy Law), as set forth in the

applicable State Privacy Law. You may exercise such “Rights to Opt-Out” via the

methods set forth above in this section under the header “Methods of Submitting

Requests”.

6.4 Residents of California

California Shine the Light

Residents of the State of California have the right to request information from

Truemed regarding other companies to whom the company has disclosed certain

categories of information during the preceding year for the other companies' direct

marketing purposes. Truemed does not disclose any information for other

companies’ direct marketing purposes.

California Consumer Privacy Act

You have the right under the CCPA to request that we restrict our use of certain

pieces of Personal Data that are considered sensitive under California law—such as

certain health information. If you would like to restrict the sharing of sensitive

Personal Data, you can email us at privacy@truemed.com.

Do Not Track

California law requires us to disclose how we respond to browser “Do Not Track”

signals or other choice mechanisms relating to interest-based advertising. Our

Services do not currently respond to web browser “Do Not Track” signals, and we

do not change any of our data collection practices when the Services receive such

signals. If we do so in the future, we will describe how we do so in this Notice. For

more information regarding Do Not Track, please visit the following website:

www.allaboutdnt.org.

While we do not currently support “Do Not Track” signals, we do honor opt-out

signals received from the Global Privacy Control universal opt-out mechanism as

the applicable California consumer’s election to opt-out of the sale and/or sharing

(each, as deﬁned by CCPA) of their Personal Data, to the extent technically feasible.

For more information regarding Global Privacy Control, please visit the Global

Privacy Control website: https://globalprivacycontrol.org/.

7. Children’s information

The Services are not directed to, nor do we knowingly collect information from,

children under the age of 18. If you are a parent or guardian and you believe that

your child has provided us with Personal Data without your consent, please email

us at privacy@truemed.com.

8. Changes to this Notice

We may update our privacy practices, and this Notice, from time to time. We

recommend that you review this Notice periodically for any changes. Changes to

this Notice are eﬀective when they are posted on this page, and we will update the

"Eﬀective Date" at the top of this Notice. If we make any revisions that materially

change the ways in which we use or share the information collected from you

through the Services prior to the Eﬀective Date of such changes, we will give you

the opportunity to consent to such changes before applying them to that

previously-collected information.

9. Contact Truemed

If you have questions or concerns regarding this Privacy Policy, you should contact

us at privacy@Truemed.com.