Privacy Policy
Effective Date: June 10, 2026
This Privacy Policy (this "Privacy Policy") describes how OneTwenty Health Inc. and its corporate affiliates (collectively, "OneTwenty," "we," "us" or "our") collect, use, share, and otherwise process Personal Information (as defined in Section 1 below) about you through our digital or online platforms or services (including, as applicable, our website and social media pages) as well as all related products, services, features, tools, web applications, content offered by OneTwenty, our marketing activities, any other activities described in this Privacy Policy, or when you otherwise contact or interact with us (collectively, the "Services"). The terms "you" and "your" refer to you, the user. If you are using the Services on behalf of a business, association, or other entity, "you" or "your" will also refer to such business, association, or other entity, unless the context clearly dictates otherwise. You agree that you are authorized to consent to these terms on behalf of such business, association, or other entity, and we can rely on this.
Please read this Privacy Policy carefully. If you do not agree with this Privacy Policy, do not use our Services. By using/continuing to use our Services, you acknowledge that you have read this Privacy Policy and the Terms of Service which is incorporated by reference and you understand, and consent to be bound by, the terms and conditions herein and therein. Where we rely on consent as the legal basis for processing your Personal Information, we will obtain your affirmative consent through clear opt-in mechanisms at the point of collection. You may withdraw your consent at any time; however, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Where we rely on other legal bases for processing (such as contractual necessity or legitimate interests), your continued use of the Service constitutes your acknowledgment of such processing as described herein. If you do not agree, please do not access or use the Service.
We built OneTwenty for families, ourselves, and you. Your privacy is one of our top priorities. We empower you to take control of your health and that includes having control of certain aspects of your Personal Information.
OneTwenty offers a direct-to-consumer technology platform and is not a healthcare provider. OneTwenty is not acting as a covered entity or business associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") in connection with the Services, as it does not provide healthcare services and does not perform services on behalf of covered entities or business associates.
However, certain information processed through the Services—such as laboratory results, telehealth records, and prescription-related information—may constitute Protected Health Information ("PHI") when handled by licensed healthcare providers and will be subject to applicable healthcare privacy laws in those contexts.
Although HIPAA may not apply to OneTwenty in all circumstances, OneTwenty, voluntarily and to the extent practicable, applies technical and organizational safeguards consistent with HIPAA Security Rule standards and industry best practices to protect user information.
Eligibility to Use the Services
To use the Services, you must be, and represent and warrant that you are, at least the age of majority in your state, province, or jurisdiction of residence and competent to agree to these terms; or if you are under the age of majority in your state, province, or jurisdiction of residence, you represent and warrant that your parent or legal guardian has reviewed this Privacy Policy with you and accepts it on your behalf; parents or legal guardians are responsible for the activities of their minor dependents while using the Services.
Terms of Service
If you choose to access or use the Services, your access and use, and any dispute over privacy is subject to this Privacy Policy and our Terms of Service, including, but not limited to, limitations on damages and resolution of disputes.
1. Personal Information We Collect
The personal information we collect depends on how you interact with us and the portions of the Service you use. Generally, we receive and collect four (4) types of information about you: (A) information and content that you directly submit to us; (B) information we get about you from other sources; (C) information we gather automatically when you use our Services; and (D) demographic information. When we talk about "Personal Information" in this Privacy Policy, we are talking about any information collected in accordance with this section. Please see below for more information on each category.
A. Information and Content You Give Us Directly
(i) Personal Information. We collect your name, email address, phone number, mailing address, date of birth, billing details, and account login credentials (including username and password). Critically, we also collect your lab results, prescription details, telehealth records, and other medical and health-related data. Certain lab tests may produce genetic data that relates to inherited characteristics. We may also collect information you provide when communicating with our care team, including health questions and related correspondence.
(ii) Biometric Information. Depending on the Services you use, we may collect biometric information, which may include physiological measurements and identifiers such as heart rate variability, sleep patterns, activity levels, blood oxygen levels, body temperature, and other biometric data obtained from wearable devices you choose to connect to the Services. We may also collect biometric identifiers derived from lab tests, including but not limited to blood biomarkers, hormone levels, metabolic markers, and genetic information. Under certain state laws, some of this information may be classified as "biometric information" or "biometric identifiers" subject to heightened protections. We obtain your consent before collecting biometric information where required by applicable law.
(iii) Email Correspondences. Records and copies of your email messages together with your email address and our responses, if you choose to correspond with us through email.
(iv) Transaction Information. We or service providers working on our behalf may collect information and details about any purchase or transactions made on the Services. This includes payment information, such as your credit or debit card number and other card information; other account and authentication information; and contact details. We do not collect or store payment card information ourselves; rather we rely on third party payment processors to store and process this information as part of the Services.
B. Information We Get About You from Other Sources
(i) Device & Wearable Data. When you connect third-party wearable devices (such as Apple Watch, Oura Ring, Fitbit, Whoop, Garmin, or Withings devices) to the Services, we collect health and fitness data synced from those devices. The Services enable real-time or near real-time collection of this data, including continuous monitoring of certain biometric data points when your device is connected and syncing with our platform. Specific data collected may include heart rate, heart rate variability, sleep duration and quality, step count, activity and exercise data, respiratory rate, blood oxygen saturation, body temperature, and menstrual cycle tracking data. We do not warrant the accuracy of third-party device data and are not responsible for errors or omissions in device reporting. You can disconnect your wearable device at any time through your account settings.
(ii) Lab Testing Data. When you use our lab testing services, we collect and process laboratory test results and related health information. This includes blood panels, metabolic markers, hormone levels, vitamin and nutrient levels, inflammatory markers, genetic markers (where applicable), and other diagnostic test results. Lab tests are performed by independent, third-party Clinical Laboratory Improvement Amendments (CLIA)-certified laboratories. We receive your test results from these laboratory partners to display in your account dashboard and to provide personalized health insights.
(iii) Care Team Communications. When you interact with our care team through the Services, we collect the content of your communications, including questions, messages, and any health information you share during those interactions. Our care team may include non-clinical staff providing general wellness guidance and, where applicable, licensed healthcare professionals providing clinical support. Communications with licensed healthcare professionals may be subject to additional healthcare privacy protections. We retain records of care team communications to provide continuity of service and improve our offerings.
C. Information We Obtain Automatically When You Use Our Services
(i) Inferences and Scoring. We collect and generate data based on inferences about you that we derive from your biological data. This includes the creation of proprietary health scores, longevity markers, and predicted health trajectories. We use automated means to generate this information about your likely health characteristics and biological age based on the biomarkers and usage patterns we collect. OneTwenty is a health technology company, not a healthcare provider. OneTwenty provides administrative and technology services that enable users to access independent, licensed healthcare providers, laboratories, and pharmacies. OneTwenty does not provide medical care, diagnosis, or treatment. All information provided by OneTwenty is for informational and educational purposes only.
(ii) Automated Information Collection. When you access or use the Services, we automatically collect certain information, including: (a) device information (device type, operating system, unique device identifiers, browser type, mobile network information); (b) log information (access times, pages viewed, IP address, referring URL); (c) location information (approximate location based on IP address or, with your consent, precise geolocation from your device); and (d) information collected through cookies, pixel tags, and other similar technologies (collectively, the "Technologies") as described in Section 7 below.
D. Demographic Information
We may collect demographic, statistical, or other aggregate information that is about you, but individually does not identify you. Some of this information may be derived from Personal Information, but it is not Personal Information and cannot be tied back to you. Examples of such aggregate information include gender, age, and race.
2. How We Use Your Personal Information
We may use the information we collect about you in a variety of ways to provide, maintain, and improve the Services, for administrative purposes, to market and advertise our Services and products, and for internal analytics and product development.
A. We Use Your Personal Information to Provide, Maintain, and Improve the Services
We may use your Personal Information to: (i) provide the Service and its content to you, including the facilitation of lab tests, telehealth consultations, and prescription fulfillment, to display results and scoring in your dashboard, to process payments, and to manage your subscriptions; (ii) respond to comments, questions, and provide customer service; (iii) communicate with you about your account; (iv) inform you about important changes to, or other news about, the Service or any of its features or content; and (v) fulfill any other purpose for which you provide Personal Information. Identifiable health-related information is not used for commercial purposes except as permitted by applicable law or with appropriate authorization. Any de-identification of health-related information will be performed in accordance with applicable legal standards. Even where not legally required to comply with HIPAA, OneTwenty applies privacy and security safeguards designed to protect health-related information consistent with industry standards.
B. We Use Your Personal Information for Administrative Purposes
We may use your Personal Information to: (i) operate, maintain, improve, personalize, and analyze the Services; (ii) monitor and analyze trends, usage, and activities for marketing or advertising purposes; (iii) detect, prevent, or investigate security breaches, fraud, and other unauthorized or illegal activity; (iv) carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection; (v) maintain appropriate records for internal administrative purposes; (vi) allow you to participate in interactive features on the Services; and (vii) develop, improve, and analyze our generative and/or predictive models, both experimental and underlying the Services, including for purposes of automated decision-making and profiling. Where required by applicable law, we will inform you when a decision is being made solely by automated means (including AI-powered tools) that produces legal or similarly significant effects concerning you, and we will provide you with the opportunity to request human review of such decision. AI tools are not used to make clinical decisions, diagnose conditions, or determine treatment.
C. We Use Your Personal Information to Market and Advertise Our Services and Products
We may use your Personal Information to: (i) send promotional communications, such as information about features, newsletters, offers, promotions, contests, and events; (ii) share information across services and devices to provide a more tailored and consistent experience on the Service; and (iii) develop, test, and improve new products or services, including by conducting surveys and research and testing and troubleshooting new products and features.
3. How We Share or Disclose Your Personal Information
To the extent permitted under applicable law, we may deidentify, aggregate, or anonymize Personal Information so that it will no longer be considered Personal Information and share or disclose it to third parties without restriction for a variety of business purposes. Once deidentified, we do not attempt to reidentify the data and we implement technical, organizational, and contractual measures to prevent reidentification by us or third parties. Our use and disclosure of deidentified, anonymized, or aggregated information is not governed by this Privacy Policy. The following describes in additional detail the ways we may share or disclose your Personal Information:
A. We Disclose Your Information to Provide Our Services
(i) Laboratory Partners. We share your Personal Information with independent third-party CLIA-certified laboratories and their partner locations to facilitate blood draws and laboratory testing. Laboratory partners receive your name, date of birth, contact information, and relevant medical information necessary to perform and report test results. Laboratory partners are independent entities subject to their own privacy practices. Legal basis: Art. 6(1)(a) GDPR (consent); Art. 6(1)(b) GDPR (situation similar to contract).
(ii) Telehealth Provider. We engage an independent third-party telehealth provider to deliver telehealth consultations and prescribing services. When you use telehealth features, we share your name, contact information, health history, lab results, and other information necessary for the telehealth provider to deliver care. The telehealth provider operates as an independent healthcare provider and is subject to its own privacy practices and applicable healthcare privacy laws. Legal basis: Art. 6(1)(a) GDPR (consent); Art. 6(1)(b) GDPR (situation similar to contract).
(iii) Pharmacy Partners. If you receive prescriptions through the Services, we share your Personal Information with pharmacy partners to facilitate prescription fulfillment. This includes your name, contact information, prescription details, and relevant health information. Legal basis: Art. 6(1)(a) GDPR (consent); Art. 6(1)(b) GDPR (situation similar to contract).
(iv) Wearable Device Providers. When you connect third-party wearable devices, the sharing of data between OneTwenty and the device provider is governed by the device provider's terms and privacy policy. We may receive data from, and in limited circumstances share data with, these providers to enable device integration. We encourage you to review the privacy practices of your wearable device provider. Legal basis: Art. 6(1)(a) GDPR (consent); Art. 6(1)(b) GDPR (situation similar to contract).
(v) Service Providers. We engage third-party service providers who perform functions on our behalf, such as hosting, data storage, payment processing, customer support, email delivery, and analytics. These service providers are contractually bound to protect your Personal Information and may only use it to provide services to us. For service providers that handle sensitive health information, we implement additional contractual and technical safeguards. Legal basis: Art. 6(1)(a) GDPR (consent); Art. 6(1)(b) GDPR (situation similar to contract).
OneTwenty does not control or direct the clinical services provided by these independent third parties. Information is shared with third parties only as necessary to fulfill services requested and authorized by you. You retain the ability to choose whether to engage with any healthcare provider, laboratory, or pharmacy. Where required, we enter into appropriate data processing agreements or business associate agreements with these partners.
B. We May Disclose Your Information in the Event of a Merger, Sale or Other Asset Transfers
If we become involved in a merger, acquisition, financing due diligence, divestiture, restructuring, reorganization, bankruptcy, dissolution, sale, or transfer of some or all of our assets (whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding), or transition of the Services to another provider, your Personal Information may be sold or transferred to business entities or people involved in such process. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
C. We Disclose Your Information to Protect Us or Others
(i) When Required by Law. We may share your Personal Information to comply with any court order, law, or legal process, including to respond to any government or regulatory request. Legal basis: Art. 6(1)(c) GDPR (legal obligation).
(ii) To Enforce Our Rights. We may share your Personal Information to enforce or apply this Privacy Policy, our Terms of Service, and other agreements, including for billing and collection purposes. Legal basis: Art. 6(1)(b) GDPR (situation similar to contract).
(iii) To Protect Lawful Interests. We may share your personal information if we believe disclosure will help us protect the rights, property, or safety of OneTwenty, our users, partners, agents, and others. This may include exchanging information with other companies and organizations for fraud protection, and spam and malware prevention. Legal basis: Art. 6(1)(b) GDPR (situation similar to contract); Art. 6(1)(f) GDPR (legitimate interest).
4. Your Privacy Choices and Rights
A. Mechanisms to Control Your Personal Information
(i) SMS Communications. By providing your mobile number and opting in to receive text messages, you consent to receive SMS communications from OneTwenty related to your account, onboarding, appointments, and subscription updates. Messages may include reminders and notifications about your membership. We do not include medical results, diagnoses, or prescription details in SMS communications. SMS is not a fully secure medium; please avoid sharing sensitive health or financial information via text. You may opt out at any time by replying STOP to any message or contacting [email protected]. Standard message and data rates may apply. We deliver these communications primarily through self-hosted messaging infrastructure operated by OneTwenty; where we engage third-party delivery providers, they are contractually prohibited from using your data for their own purposes.
(ii) Technologies. You may be able to set your browser to reject cookies and certain other Technologies by adjusting the appropriate settings in your browser. Please see Section 7 for more information on the mechanisms available to you to control the Technologies we use.
(iii) "Do Not Track". "Do Not Track" ("DNT") is a privacy preference you can set in certain web browsers. When you turn on this preference, it sends a signal or message to the platforms you visit indicating that you do not wish to be tracked. Please note that we currently do not respond to or honor legacy DNT signals or similar mechanisms transmitted by web browsers, as there is no common industry standard for DNT. Because we do not sell your Personal Information or share it with third parties for cross-context behavioral advertising or targeted advertising, universal opt-out preference signals such as Global Privacy Control ("GPC") do not currently apply to our practices. If our practices change, we will recognize and honor GPC signals as a valid opt-out request as required by applicable law.
B. Accessing and Correcting Your Information
In accordance with applicable law, you may have the following rights regarding your Personal Information:
(i) Access: You have the right to access Personal Information about you, including: (1) confirming whether we are processing your Personal Information; (2) obtaining access to or a copy of your Personal Information; and (3) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company (the "right of data portability").
(ii) Correction: You have the right to request corrections to your Personal Information where it is inaccurate, incomplete, or improperly possessed.
(iii) Deletion/Erasure. You may request deletion/erasure of your Personal Information held by us about you. Please note: we cannot delete your Personal Information except by also deleting your account.
(iv) Restrict/Opt-out of Processing: You have the right to request to restrict/opt-out of the processing of your Personal Information, including for the purpose(s) of: (1) targeted advertising; (2) sale or sharing of personal information; or (3) profiling to make decisions that have legal or other significant effects on you.
(v) Withdrawal of Consent: Where we rely on your consent as the legal basis for processing your Personal Information, you may have the right to withdraw such consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
(vi) Automated Decision-Making and AI Profiling. To the extent OneTwenty uses automated decision-making, including AI-powered profiling, that produces legal or similarly significant effects concerning you, you may have the right, where required by applicable law, to: (1) not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you; (2) be informed that such automated processing is taking place and receive meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing; (3) request human review of any decision made solely by automated means; (4) contest the outcome of such automated decision and express your point of view; and (5) opt out of such automated processing.
(vii) Destruction of Biological Samples: Depending on applicable law, you may request the destruction of biological samples from which genetic data is derived.
If you would like to exercise any of these rights, please contact us as set forth in the "Contact Information" section below. We will process such requests in accordance with applicable law.
The following are additional consumer privacy rights:
(i) Non-Discrimination. Residents have the right not to receive discriminatory treatment by covered businesses for the exercise of their rights conferred by the applicable privacy law.
(ii) Verification. To protect your privacy, we will take the following steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which may include asking you to answer questions regarding your account and use of our Services.
C. Your Right to Appeal
If you are dissatisfied with the refusal of OneTwenty to take action in accordance with the exercise of your rights in the "Accessing and Correcting Your Information" section above, you may request reconsideration by OneTwenty, by sending a written request for reconsideration to the mailing address found in the "Contact Information" section below. Within sixty (60) days of OneTwenty's receipt of such written request for reconsideration (or within forty-five (45) days where required by applicable law), OneTwenty shall inform you in writing (at the address indicated in your initial written request) of any action taken or not taken in response to your request for reconsideration, including a written explanation of the reasons for the decision. In addition, if your request for reconsideration is denied, you have the right to file a complaint with the applicable supervisory authority or attorney general in your jurisdiction of residence (see subsection (D) below and the state-specific privacy notices for more information). This appeal right is available to residents of all states whose applicable state privacy laws provide for such a right, including but not limited to Colorado, Connecticut, Delaware, Indiana, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, and Virginia.
D. Complaints to Data Protection Authority
You have the right to complain to a Data Protection Authority about our collection and use of your Personal Information. For more information, if you are in the European Economic Area (EEA), please contact your local data protection authority in the EEA.
5. Data Security and Retention
A. Data Security
We have implemented reasonable technical, physical, administrative, and organizational safeguards designed to protect your Personal Information against loss, misuse, unauthorized access, disclosure, or modification, including using HIPAA-compliant systems, encryption, and access controls. Notwithstanding the foregoing, no system or network can be guaranteed to be one hundred percent (100%) secure, and we cannot ensure or warrant the security of any information you provide to us. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Service. In the event of a data breach involving your Personal Information, we will notify you and the applicable supervisory or regulatory authorities as required by applicable law.
B. Retention
We retain your Personal Information for as long as reasonably necessary to fulfill the purposes for which it was collected, manage your relationship with us, and as otherwise required by law and professional standards. Marketing and contact data may be deleted upon your request. In determining the appropriate retention period, we consider the nature and sensitivity of the Personal Information, the purposes for which it is processed, applicable legal and regulatory requirements, and applicable statutes of limitations. The following general retention periods apply by category of Personal Information: (i) account and registration information is retained for the duration of your account and for a reasonable period thereafter as required by applicable law; (ii) transaction information is retained for the period required by applicable tax, accounting, and financial reporting obligations; (iii) activity and usage information is retained for up to twenty-four (24) months from the date of collection, unless a longer period is required for security or fraud prevention purposes; and (iv) sensitive personal information (if any) is retained only for so long as necessary to fulfill the specific purpose for which it was collected. Where we retain data, we do so in accordance with our record retention policies and any limitation periods imposed by applicable law.
6. International Transfer of Personal Information
If you provide Personal Information through or in connection with the Services, you acknowledge and agree that such Personal Information may be transferred from your current location to the offices and servers of OneTwenty and the other third parties referenced in this Privacy Policy located in the United States or other countries, which may have data protection laws that are different from the laws where you live. Where required by applicable law, we implement appropriate safeguards for such transfers, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms.
7. Cookies and Other Tracking Technologies
A. Description of the Technologies
We, as well as third parties that provide the content, advertising, or other functionality on the Services, may use Technologies to automatically collect information through your use of the Services. The following describes some of these Technologies we may use for this automatic data collection:
(i) Cookies: A cookie is a small data file stored on the hard drive of your computer or other user device to allow web servers to record activities and remember preferences. We use "session cookies" that are deleted when a session ends and "persistent cookies" that remain longer.
(ii) HTML5 Local Storage: HTML5 local storage allows data from websites to be stored or "cached" within your browser to store and retrieve data in HTML5 pages when the website is revisited.
(iii) Web Beacons: Web beacons are small files that are embedded in webpages, applications, and emails (also known as pixel tags or clear GIFs) that collect information about engagement on our Services. For example, web beacons can be used to demonstrate that a webpage or email was accessed or opened.
(iv) JavaScripts. JavaScripts are code snippets embedded in various parts of platforms and applications that facilitate a variety of operations including accelerating the refresh speed of certain functionality or monitoring usage of various online components.
(v) Entity Tags. Entity Tags are HTTP code mechanisms that allow portions of platforms to be stored or "cached" within your browser and validate these caches when the platform is opened, accelerating platform performance since the web server does not need to send a full response if the content has not changed.
(vi) Resettable Device Identifiers. Resettable device identifiers (also known as "advertising identifiers") are similar to cookies and are found on many mobile devices and tablets (for example, the "Identifier for Advertisers" or "IDFA" on Apple iOS devices and the "Google Advertising ID" on Android devices), and certain streaming media devices. Like cookies, resettable device identifiers are used to make online advertising more relevant.
B. Our Uses of the Technologies
We may also use these Technologies for security purposes, to facilitate navigation, to display information more effectively, to personalize your experience, and for platform administration purposes, including gathering statistical information about usage of the Service to improve its design and functionality. We do not use tracking technologies to collect or process health-related information for advertising purposes.
C. Mechanisms to Control Cookies and Other Technologies
You may be able to set your browser to reject cookies and certain other technologies by adjusting the appropriate settings in your browser. Each browser is different, but many common browsers have preferences that may be adjusted to allow you to either accept or reject cookies and certain other technologies before they are set or installed, or allow you to remove or reject the use or installation of certain technologies altogether. We recommend that you refer to the "Help" menu in your browser to learn how to modify your browser settings. If you disable or refuse cookies, please note that some parts of the Service may become inaccessible or may not function properly.
D. Third Party Technologies and Third-Party Websites
This Privacy Policy covers the use of cookies by OneTwenty and does not cover the use of tracking technologies by any third parties. The Services may contain links, content, advertising, or references to other websites or applications run by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies or other tracking technologies to collect information about you when you interact with their content on the Services. The information they collect may be associated with your Personal Information or they may collect information about your online activities over time and across different websites. These third-party services, websites, or applications are not controlled by us and may have privacy policies that differ from our own. We encourage you to read the privacy statements and terms and conditions of each third-party website and application with which you interact. We do not endorse, screen, or approve, and are not responsible for the practices of such third parties or the content of their application or website. Providing Personal Information to third-party websites or applications is at your own risk. If you have any questions about an ad or other targeted content, you should contact the responsible provider directly.
E. Third-Party Analytics
We use privacy-focused analytics and observability tools to understand use of the Services and to maintain their reliability and security. These include: (i) a self-hosted instance of Umami, an open-source analytics platform that runs on our own infrastructure, meaning analytics data is processed by us and is not transmitted to a third-party analytics provider; (ii) Fathom Analytics, a privacy-first, cookieless analytics service (you can learn more about Fathom's practices at usefathom.com/privacy); and (iii) Coralogix, a logging and observability platform we use for system monitoring and security, operated under HIPAA-aligned safeguards (you can learn more at coralogix.com/privacy-policy). These tools do not use cross-site tracking cookies and are not used to collect or process health-related information for advertising purposes.
8. Children's Privacy
We are committed to complying with the Children's Online Privacy Protection Act ("COPPA") and protecting the privacy of children. Our Services are directed at a general audience over the age of eighteen (18) years old, and we do not knowingly collect Personal Information from minors under eighteen (18) years of age ("Child" or "Children"). If we learn that we have inadvertently collected or received Personal Information from a Child without appropriate consent, we will use reasonable efforts to immediately delete such information, unless we have a legal obligation to retain it. If you are a parent or legal guardian and believe your Child has provided us information without your consent, please contact us via the information found in the "Contact Information" section below.
9. Disclaimers
Supplement Disclaimer: Statements regarding supplements offered through OneTwenty have not been evaluated by the Food and Drug Administration. These products are not intended to diagnose, treat, cure, or prevent any disease.
Device Disclaimer: OneTwenty's platform integrates with third-party devices. We are not responsible for inaccuracies in third-party device data or reporting.
10. California and Other State-Specific Privacy Rights
This section provides additional information for residents of states with comprehensive consumer privacy laws and supplements the information contained in this Privacy Policy. For purposes of this section, "Personal Information" has the meaning given under applicable state law. The categories of Personal Information collected (described in Section 1) and third parties with whom we share Personal Information (described in Section 3) apply to this section.
A. California Privacy Rights (CCPA/CPRA)
The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), provides California residents with specific rights regarding their Personal Information. This section describes those rights and explains how California residents may exercise them.
(i) Categories of Personal Information Collected. In the preceding twelve (12) months, we have collected the following categories of Personal Information: (1) Identifiers (name, email address, phone number, mailing address, account name, IP address, device identifiers); (2) Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (name, address, telephone number, health information, medical information, health insurance information); (3) Protected classification characteristics under California or federal law (age, date of birth, sex, gender); (4) Commercial information (transaction history, subscription information, purchasing history); (5) Biometric information (physiological measurements from wearable devices, health biomarkers from lab tests); (6) Internet or other electronic network activity information (browsing history, search history, interaction with Services); (7) Geolocation data (approximate location based on IP address); (8) Professional or employment-related information (if provided); (9) Inferences drawn from the above categories to create a profile about you (health scores, wellness predictions, personalized recommendations); and (10) Sensitive Personal Information (as described below).
(ii) Sensitive Personal Information. We collect the following categories of Sensitive Personal Information as defined under the CCPA: (1) Personal Information that reveals a consumer's health information (lab results, medical records, prescription information, health conditions); (2) genetic data (where lab tests include genetic markers); and (3) biometric information for uniquely identifying you (certain biometric data from wearable devices). We use Sensitive Personal Information only for the purposes permitted under the CCPA, specifically: (a) to perform services or provide goods reasonably expected by an average consumer; (b) to detect security incidents; (c) to resist malicious, deceptive, fraudulent, or illegal actions; (d) to ensure physical safety; (e) for short-term transient use; (f) to perform or provide services on behalf of the business; (g) to verify or maintain quality or safety of services; and (h) for purposes for which you have provided specific consent. You have the right to limit the use and disclosure of your Sensitive Personal Information as described below.
(iii) Sale and Sharing of Personal Information. We do not "sell" your Personal Information for monetary consideration, and we do not "share" your Personal Information with third parties for cross-context behavioral advertising purposes as defined under the CCPA. If our practices change, we will update this Privacy Policy and provide you with the right to opt out. We do not sell or share the Personal Information of consumers we know to be under sixteen (16) years of age. We do not sell or share Sensitive Personal Information for advertising purposes.
(iv) Your California Privacy Rights. If you are a California resident, you have the privacy rights described in Section 4.B ("Accessing and Correcting Your Information") of this Privacy Policy. In addition, under the CCPA, you have the following California-specific rights:
(1) Right to Know: You have the right to request that we disclose the categories of Personal Information we have collected about you, the categories of sources, the business or commercial purpose for collecting or sharing, and the categories of third parties to whom we disclose Personal Information.
(2) Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your Personal Information for cross-context behavioral advertising purposes. To exercise this right, contact us as set forth in the "Contact Information" section below.
(3) Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of your Sensitive Personal Information to uses that are necessary to perform the Services, or as otherwise permitted by law. To exercise this right, contact us as set forth in the "Contact Information" section below.
(v) How to Exercise Your California Rights. To exercise the rights described in Section 4.B or above, please contact us as set forth in the "Contact Information" section below. Only you, or an authorized agent registered with the California Secretary of State, may make a verifiable consumer request related to your Personal Information. You may only make a verifiable consumer request for access or data portability twice within a twelve (12) month period. We will respond to verifiable requests within forty-five (45) days of receipt, or notify you if we require additional time (up to an additional forty-five (45) days).
(vi) Financial Incentive Programs. We do not offer financial incentives for the collection, sale, retention, or deletion of Personal Information.
(vii) California Shine the Light. The California "Shine the Light" law (Cal. Civ. Code § 1798.83) permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their personal information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those parties. If you are a California resident and would like to exercise any of your rights under the law, please contact us as set forth in the "Contact Information" section below. We will process such requests in accordance with applicable laws.
B. Virginia, Colorado, Connecticut, and Other State Privacy Laws
Residents of Virginia (Virginia Consumer Data Protection Act, "VCDPA"), Colorado (Colorado Privacy Act, "CPA"), Connecticut (Connecticut Data Privacy Act, "CTDPA"), Utah (Utah Consumer Privacy Act, "UCPA"), Texas (Texas Data Privacy and Security Act, "TDPSA"), Oregon (Oregon Consumer Privacy Act), Montana (Montana Consumer Data Privacy Act), Delaware (Delaware Personal Data Privacy Act), New Jersey (New Jersey Data Privacy Act), New Hampshire (New Hampshire Privacy Act), Iowa (Iowa Consumer Data Protection Act), Tennessee (Tennessee Information Protection Act), Indiana (Indiana Consumer Data Protection Act), and other states with comprehensive consumer privacy laws may have the following rights regarding their Personal Information:
(i) Sensitive Data. Under certain state privacy laws, categories of Personal Information we collect may be classified as "sensitive data," including precise geolocation data, health data, genetic data, and biometric data. Where required by applicable state law, we obtain your consent before processing sensitive data, or we process sensitive data only for purposes permitted without consent. For information on withdrawing consent, see Section 4.B.(v) above.
(ii) Your State Privacy Rights. Residents of the states listed above have the privacy rights described in Section 4.B ("Accessing and Correcting Your Information") of this Privacy Policy, including the rights to access, correct, delete, and obtain a portable copy of your Personal Information, as well as the right to opt out of targeted advertising, sale of Personal Information, and profiling. For information on how to exercise these rights, please see Section 4.B. For information on appeal rights and filing complaints with your state attorney general, please see Section 4.C ("Your Right to Appeal").
Additional State-Specific Rights. The following additional rights apply to residents of certain states:
(1) Delaware, Maryland, and Oregon. You have the right to request a list of the specific third parties to which OneTwenty has disclosed your Personal Information.
(2) Minnesota. You have the right to (a) request the specific third parties to whom OneTwenty has disclosed Personal Information and/or (b) question the results of OneTwenty's profiling to the extent it produced legal effects.
C. Washington My Health My Data Act and State Health Data Laws
The Washington My Health My Data Act ("MHMDA") and similar state health data privacy laws (including Nevada's consumer health data privacy law, SB 370) provide residents of those states with specific rights regarding their consumer health data. "Consumer health data" under these laws generally means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. This section supplements the information collection disclosures in Section 1 and the sharing disclosures in Section 3.
(i) Consumer Health Data We Collect. We collect the following categories of consumer health data: (a) health conditions, diagnoses, and treatment information (from lab results, telehealth consultations, and care team interactions); (b) bodily functions, vital signs, and biometric measurements (from wearable devices and lab tests); (c) health-related scores, predictions, and inferences; (d) genetic data (where applicable lab tests include genetic markers); (e) prescription and medication information; and (f) reproductive and sexual health information (if disclosed by you or reflected in lab results).
(ii) Purposes for Collecting Consumer Health Data. We collect consumer health data for the following purposes: (a) to provide and maintain the Services, including lab testing coordination, telehealth consultations, prescription fulfillment, and health tracking features; (b) to generate personalized health insights, scores, and recommendations; (c) to communicate with you about your health data and Services; (d) to improve and develop our Services; (e) to comply with legal obligations; and (f) with your consent, for other purposes disclosed at the time of collection.
(iii) Categories of Sources. We collect consumer health data from: (a) you directly, when you provide information through the Services or in communications with us; (b) third-party laboratories that perform lab tests on your behalf; (c) third-party wearable devices that you connect to the Services; (d) telehealth providers that provide consultations through the Services; and (e) automated collection through the Services (such as usage data and inferences).
(iv) Categories of Third Parties with Whom We Share Consumer Health Data. We share consumer health data with the third parties described in Section 3.A ("We Disclose Your Information to Provide Our Services"), including third-party laboratories, telehealth providers, pharmacies, and service providers. We may also share consumer health data as otherwise required by law or with your consent.
(v) Consent for Collection and Sharing. We obtain your consent before collecting or sharing consumer health data, except where an exemption applies under applicable law. Your consent is obtained through clear and conspicuous disclosures and affirmative opt-in mechanisms. For information on withdrawing consent, see Section 4.B.(v) above.
(vi) Sale of Consumer Health Data. We do not sell consumer health data without your valid authorization. Any sale of consumer health data would require separate, voluntary authorization that is not a condition of providing the Services.
(vii) Your Health Data Rights. If you are a Washington or Nevada resident, or a resident of another state with applicable health data privacy laws, you have the following rights regarding your consumer health data, in addition to the rights described in Section 4.B: (a) Right to Confirm: You have the right to confirm whether we are collecting, sharing, or selling consumer health data concerning you. (b) Right to Access: You have the right to access your consumer health data, including a list of all third parties and affiliates with whom we have shared your consumer health data and an active email address or other online mechanism for contacting those third parties. (c) Right to Delete: You have the right to request that we delete your consumer health data, including any consumer health data we have shared with third parties or affiliates. (d) Right to Withdraw Consent: You have the right to withdraw your consent to the collection and sharing of your consumer health data (see Section 4.B.(v)).
(viii) How to Exercise Your Health Data Rights. To exercise your rights under applicable state health data privacy laws, please contact us as set forth in the "Contact Information" section below. We will respond to your request within the timeframe required by applicable law.
(ix) Geofencing Prohibition. We do not use geofencing technology around healthcare facilities, including hospitals, medical offices, reproductive health clinics, or mental health facilities, to identify, track, collect, or sell consumer health data.
11. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy from time to time in order to reflect changes to our practices or for other operational, legal, or regulatory reasons. Updates will be posted on this page with a new effective date. We may elect to notify you of material changes by mail, email, posting of a modified Privacy Policy, or some other similar manner. However, it is your responsibility to check this page regularly for changes to this Privacy Policy. Your continued use of or access to the Service following the posting of any changes to this Privacy Policy constitutes acceptance of those changes.
12. Contact Information
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by email at [email protected]. You may also write to us by mail at: OneTwenty Health Inc., 221 W 9th St, PMB 524, Wilmington, DE 19801.
