Medly Health Privacy Policy

Effective Date: June 1, 2022

Medly Health Inc., including its subsidiary entities and pharmacies operating under the Medly Pharmacy, Medly Mail Service Pharmacy, and Pharmaca Integrative Pharmacy banners (collectively “Medly,” “we,” “us,” “our”), respects the privacy rights of our patients, customers, visitors to our websites, and other individuals with whom we interact and from whom we collect information. This Privacy Policy summarizes categories and types of information we collect, the ways we use information, and how we may share it. Throughout this policy, when we say “Websites or Apps” we mean any of our websites or applications which link to this Privacy Policy and any other microsites or mobile versions of those websites or applications. “Social Media Pages” are the official social media pages we operate on Facebook, LinkedIn, TikTok, Twitter, Instagram, and other social media platforms. “Services” refers to our combined offerings of goods and services and the ways that individuals may access or use our offerings such as by shopping online or in any of our locations, interacting with us digitally through our Websites or Apps, enrolling in any of our programs or promotional offerings, remotely accessing our Services, or through any other means of interaction with us. Except as otherwise defined in the State Privacy Addendum to this policy, “Personal Information” in this Privacy Policy means information that can be directly associated with or used to identify a specific individual such as a name, address, phone or fax number, credit card or other financial account information, online registration information, email address, and any other information that is linked to, or able to be associated with, an individual. This Privacy Policy applies to Personal Information collected by us, or by a service provider on our behalf, through your interaction with our retail locations, Websites or Apps, and Social Media Pages and through our direct communications with you, including in person or via phone, text, email, chat, or any other method of personal interaction. Individually Identifiable Health Information collected by us when providing pharmacy Services or otherwise when acting in our capacity as a health care provider or in our capacity as the sponsor of a company health plan is subject to HIPAA rights and protections as outlined in our HIPAA Notice of Privacy Practices (“HIPAA Notice”). If there is any conflict between this Privacy Policy and our HIPAA Notice, the HIPAA Notice will apply to all uses and disclosures by us of Protected Health Information (“PHI”).

Topics Addressed by This Policy

  1. Types of Information We Collect
  2. How We Collect Information
  3. How We Use Collected Information
  4. How We Share Information with Service Providers and Third Parties and for What Purposes
  5. Your Privacy Choices
  6. Supported Web Browsers and Do Not Track Signals
  7. Children's Privacy
  8. Security
  9. Data Storage and Processing Locations
  10. Updates
  11. Contact Us

1. Types of Information We Collect

We, directly or through our service providers, collect various types or categories of information, which may include Personal Information when the information collected is linked or linkable to a specific individual, about our customers and others who access our Websites, Apps, or Social Media Pages or use our Services. In the past 12 months, we may have collected: •Identifying Information. We collect identifiers such as your name, postal, shipping, and email addresses, phone number(s), username and password for our Websites or Apps, online identifiers, social media account information, identification numbers, and other information that can be used to identify you. •Location Information. We use various technologies to learn your precise geographic location, such as by collecting your device's Internet Protocol (“IP”) address or other information, depending on your device's settings for location services. •Device Information. When you visit our Websites or Apps, interact with our Social Media Pages or online ads, or open our emails, we learn about your browser type and version, device type, IP address or other device identification numbers, internet service provider, and other technical information about your device. •Transactional Information. We collect transactional and related information in connection with a purchase or order such as the date, items ordered or purchased, the dollar amount or transaction value, your payment type and related details, and any Personal Information needed to process and/or deliver your purchase or order. •Call, Chat, and Email Records. If you call, chat, or email our customer service agents, we may keep records or recordings of those interactions. •Commercial Information. We keep track of the Services or products you purchase, your consuming histories or tendencies, and any loyalty program participation information. •Health Information. We collect PHI when we are providing services to you in our capacity as a health care provider or in some instances in our capacity as the sponsor of a company health plan. This information is subject to HIPAA protections as described in our HIPAA Notice.Website Interactions. We may use cookies, local shared objects (flash cookies), web beacons, Uniform Resource Locators (URLs), and similar technologies to collect and track information about you and your interactions with our Website, Social Media Pages, and Services and about other third-party websites or online services from which and to which you navigate over time and across websites or online services. The information collected may include information such as your IP address and operating system, your browser type, domain names, access dates and times, mouse clicks and movements, scrolling activities, and other ways you use and interact with our Websites, Apps, content, and Services. We do not currently respond to “Do Not Track” signals of web browsers. •Submitted Content. We collect any content you submit to our Websites, Apps, Social Media Pages, or otherwise provided to us, whether or not solicited by us, including photos, reviews, comments, chats, and other types of content. •Profile Information. We use information such as your shopping preferences and behaviors to create individual profiles and collective audiences. •Demographic Information/Characteristics of Protected Classifications. We collect or may have access to demographic details about individuals such as birthdate, gender, ZIP code, and other similar details. •Job Applicant Information. If you apply for employment with us, we collect the content you provide such as your resume, cover letter, and any information contained therein and additional information gathered from or provided to us by third parties while processing your application. •Audio or Video Information. Our retail locations may use cameras and video capture technologies for fraud and theft prevention and security and for other operational or analytical purposes, such as measuring traffic patterns, and for protecting and improving our Services. We may or may not be able to associate captured video images with you. You may also share photographs or video with us, and we may record customer service or other audio or visual interactions with us. We may use any of the information we collect for analytical purposes and to derive inferences about you individually or collectively with other individuals such as consumer preferences, behaviors, and characteristics.

2. How We Collect Information

We may collect the information described above directly from you, from other health care providers or payers, from third party service providers or partners, or through cookies or other automated means. The categories of sources from which we have collected Personal Information over the last 12 months include: •You: Information is collected directly from you when you make a purchase, visit our Websites, Apps, or locations, contact us with questions or comments, upload content, create an account, sign up for communications, participate in our loyalty or rewards programs, use or set up our mobile applications, respond to a survey, write a review, apply for employment with us, or use or like our Social Media Pages •Your Device or Browser: Your device or browser may allow us to automatically collect information when you visit our Websites or Apps, interact with our Social Media Pages or online advertising, or open our emails. •Third Parties: Third parties with whom we partner or that provide services to us, such as payment processors, analytical services, delivery partners/carriers, survey providers, data storage and suppliers, advertising companies, software solution providers, etc., may collect and process your information on our behalf or on their own behalf when you click through to or otherwise access their websites or use their mobile applications. This Privacy Policy does not apply to, and we are not responsible for, any such independent collection of information by a third party, and we encourage you to review their privacy notices for information about their privacy practices. We may also obtain information collected about you by third parties, on their own behalf, and may combine it with other information pertaining to you. •Health Care Providers and Payers: Health care providers, insurance companies and other payers, and their business associates share PHI with us directly and electronically for purposes related to the provision of treatment, processing of payment, or for health care operations, as permitted or required by HIPAA. •Social Media Platforms: Social media platforms share information with us as outlined in their privacy policies and terms. •Cookies, Device Identifiers, and Similar Technologies: We or our service providers may use cookies (small data files stored on your device or browser), pixel tags (tiny graphic images embedded in a website or email), clear gifs, device identifiers, and other similar technologies to automatically collect, track, and link information over time when you visit our Websites or interact with our emails. We also contract with third party advertising or analytics companies to serve you online ads on other websites. These companies use cookies or similar technologies to collect information about your interactions with our Websites and interactions with other websites. These advertising companies may use and share the information gathered to deliver ads more tailored to your interests. We receive aggregate information from these third parties to understand our advertising effectiveness.

3. How We Use Collected Information

We or our service providers on our behalf may use the information we collect for various business purposes including: •Customer Service Communications: Communicating with you about our Services, responding to your inquiries, and keeping a record of these interactions. •Fulfillment: Fulfilling your orders and other requests including, but not limited to, processing payments and delivering your purchases. •Understanding Our Customers: Analyzing your activity with us (including your interactions with our Websites, Apps, locations, Social Media Pages, and emails or other forms of communication) to allow us to serve you better and to assess the effectiveness of our communications and advertising. •Customer Experience and Analytics: Serving content on our Websites, Apps, and Social Media Pages, developing and analyzing our products, Websites, Apps, Services, and constantly improving our customers’ experience including, but not limited to, troubleshooting customer service issues and improving site functionality and effectiveness. •Personalization: Using your preferences and other collected information to customize and personalize your experience with us, such as presenting customized communications, advertising, and experiences on our Websites, Apps, emails, and ads on social media. •Advertising: Presenting advertising online and via mail, email, text, or other communication channels, including through partnerships with social media platforms and internet search engines. •Events: Running contests, promotions, and sweepstakes and conducting surveys and other market research activities. •Third Party Interactions: Enabling interactions with other service providers by hosting their ads, content, or links on our Websites, Apps, and Social Media Pages. •Recruiting and Hiring: Collecting, evaluating, and processing applicant information. •Product Safety: Alerting you about product recalls and safety announcements. •Security: Verifying or validating your identity or in other ways necessary to protect our business or our customers from fraud, personal or informational security threats, other illegal or harmful activity. •De-identified Data: Creating de-identified, pseudonymized, anonymized, or aggregated information for analytical and statistical purposes. •Legal Obligations: Complying with legal and regulatory obligations; responding to requests from law enforcement, courts, or other governmental authorities, as permitted or required by law; initiating or participating in administrative or judicial proceedings; responding to subpoenas and other lawful requests; using information as permitted for our own legal defense; and investigating suspected unlawful or fraudulent activities. •Terms of Use: For any other purpose described in our Terms of Use and for complying with or enforcing the Terms or any other agreement or policy.

4. How We Share Information with Service Providers and Third Parties and for What Purposes

We may share Personal Information with third parties for certain business purposes. In the past 12 months we may have shared the above categories of Personal Information with: •Service Providers: We partner with third parties to assist with many aspects of our business, including fulfilling orders, advertising, analyzing your interests and activity on our Websites, Apps, and Social Media Pages, and effectively communicating with you and others. These third parties may provide services related to any of the purposes described in How We Use Collected Information, and we may share with them any types of information described in Information We Collect. We may also receive information collected by these third parties and combine it with the information we have collected. Your information may also be collected and processed by third parties, such as the payment providers you select, who will process your information independently in accordance with their own privacy notices. •Marketing Providers: We partner with third parties to assist with the advertising and marketing of our business. We may share with them the types of information described in How We Use Collected Information. •Other Third Parties: We will disclose information about you, including to government bodies or law enforcement agencies, when we believe it to be necessary for compliance with the law or to protect our business, our customers, or the public. •Parties to a Business Transaction: If our company is merged with or acquired by another company, if it acquires another company, or if it is involved in a corporate reorganization or other change in corporate control, your information could be shared with the other business entity involved in the transaction. •Internally: We share information internally with our affiliates and subsidiaries.

5. Your Privacy Choices

You can control the information we collect and use in the following ways: •Location Information: You can disable location-based services on your mobile device or web browser by adjusting your settings or, for some devices, by revoking permission for our mobile app to access your location information. Note that some of our Services may not be available if you disable location-based services. •Emails: You can unsubscribe from marketing emails by clicking the unsubscribe link in the footer of such email. •Push Notifications/Alerts: You can disable push notifications or alerts we send through our mobile applications by changing the notification settings on your device. •Social Media: This privacy policy does not cover the privacy and security practices of social media platforms on which we have Social Media Pages. Please review the terms, policies, and settings of those social media platforms if you have questions about how they collect and use your data. •Online Advertising: For information about opting out of third party advertising, visit: NAI Opt-Out and DAA Opt-Out (you will leave this Website for a separately managed online site where you can specify your preference under those programs). You can also click on the icon that may appear on some of our advertising served through these technologies. We may use more than one third party company for advertising, which would require you to opt out of each company individually. •Google Analytics: You can opt out of Google Analytics across all websites you use. To do so, visit this website.Cookies, Device Identifiers, and Similar Technologies: Some browsers provide the ability to block or delete cookies on your device. Refer to your browser’s instructions for details. Flash cookies are managed separately through Adobe. To learn more, click here. Disabling cookies may impact the features and functionality of our Websites. •Account Modification/Deletion: To request modification or deletion of your account information, you may email your request to our Privacy Office at privacyoffice@medly.com or otherwise submit it as described in the Contact Us section below.

6. Supported Web Browsers

We recommend that you use the latest web browser versions to optimize your experience. Older web browser versions may not be able to access or utilize all pages on our Websites as intended

7. Children's Privacy

Our Services, Websites, Apps, and Social Media Pages are directed to and intended for adults. We do not knowingly solicit or collect the Personal Information of children under the age of 16.

8. Security

We care about the security of your information and employ administrative, physical, and electronic safeguards designed to protect your information from unauthorized access, disclosure, or misuse. For instance, when Personal Information is transmitted over our networks, it is protected through the use of encryption using the Secure Sockets Layer (SSL) protocol. Despite these precautions, no security measures are perfect or impenetrable, and we do not warrant the safety or security of the information we collect. If you provide Personal Information to us, you do so at your own risk. You can help to protect your information by selecting strong, unique passwords when you use our Websites or Apps and any associated email addresses. If you have concerns about the security of your account or wish to alert us of any potential vulnerabilities, please contact us using any of the methods outlined in the “Contact Us” section of this policy.

9. Data Storage and Processing Locations

We are headquartered and offer our Services exclusively to individuals within the United States, including its territories and possessions, but we have employees and business partners all over the world. We process and store information in the United States and, to the extent permitted by law, may ourselves or through a Third Party allow access, transfer, storage, and processing of information outside of the U.S. When you provide Personal Information to us or use our Services, Websites, Apps, or Social Media Pages, you consent to the transfer to, and to the processing and storage of your information in, countries outside of the U.S.

10. Updates

We reserve the right to modify, alter, or otherwise update this Privacy Policy at any time. If we make any material changes to our privacy practices, we will update this Privacy Policy and change the effective date. We encourage you to periodically review this policy. Changes to this Privacy Policy are effective at the time they are posted, and your continued use of our Services, Websites, Apps, and Social Media Pages after posting will evidence your acceptance of, and agreement to be bound by, those changes.

11. Contact Us

For more information about the information in this Privacy Policy or if you have privacy-related questions, comments, or concerns, you may contact our Privacy Office by email at privacyoffice@medly.com, by phone at (833) 313-2050 (toll free), or by mail to: Medly Health Inc., Attn: Privacy Officer, 31 Debevoise Street, Brooklyn, NY 11206.

State Privacy Addendum

Effective Date: June 1, 2022

California

1. Privacy Rights of California Residents & California Consumer Privacy Act Statement

If you are a California resident, you have rights under the California Consumer Privacy Act, California Civil Code § 1798.100, et seq. (and any implementing regulations and as may be amended from time to time, “CCPA”), relevant to your Personal Information (as Personal Information is defined under the CCPA), as well as other laws. The rights described herein are subject to exemptions provided in the CCPA and other limitations under applicable law. California Consumer Rights Afforded by the CCPA: If your Personal Information is subject to the CCPA, you have certain privacy rights with regard to that information. Specifically, you have the right to: •Request that we provide you with access to the following no more than twice in a 12-month period: •The categories and specific pieces of Personal Information that we have collected about you; •The categories of sources from which the Personal Information is collected; •The business or commercial purpose for collecting or sharing your Personal Information; •The categories of third parties with whom we share your Personal Information; and •The categories of Personal Information that are sold (as defined under the CCPA) and the categories of third parties to whom the Personal Information was sold. •Request that we delete your Personal Information, subject to exceptions under the CCPA or other applicable law; and •Request that we not “sell” your Personal Information by opting out of the sale of your Personal Information. California residents also have the right not to receive discriminatory treatment for the exercise of any of the privacy rights conferred by the CCPA. We will not discriminate against you when you choose to exercise your rights under the CCPA.

2. How to Submit a Request

If you wish to exercise your rights to request access to, to request deletion of, or to opt-out of the sale of your Personal Information, you may submit a request to our Privacy Office by mail, email, or phone using the Contact Us information in this policy. You may also use our webform to opt-out of the sale of your Personal Information. If you choose to submit your request via email, please include “Privacy Rights Request” in the subject line and clearly explain the type of request you are making, the date or other parameters that apply to your request, if any, and provide your full name, email address, mailing address, and contact phone number. We are required to provide you with access to your Personal Information or accept your request to delete your Personal Information only in response to verifiable request. We will verify your request by comparing the information you provide by telephone or via email with any information we have in our possession. The information you provide must match the information we have about you. We may also contact you to request additional information to verify or confirm the nature and scope of your request. These measures are in place to help ensure that your Personal Information is not disclosed to anyone who does not have the right to receive it. The information collected through this process will be used for verification purposes only.

3. Authorized Agent

Please note that you may authorize an agent to exercise any of these rights on your behalf by contacting us by email at privacyoffice@medly.com. If you use an agent to request access or deletion of your Personal Information, we will take similar measures to verify your agent’s authorization as the verification process described above. However, we may require additional information to ensure proper verification of you and your agent’s identity and authorization.

4. Categories of Personal Information Sold for a Business Purpose

In the previous 12 months, we do not believe we have sold (as defined under the CCPA) any Personal Information of California Consumers. We also do not knowingly collect or sell the Personal Information of consumers under age 16. To opt out of future sales of Personal Information, see How to Submit a Request.

5. Categories of Personal Information Disclosed for a Business Purpose

We share Personal Information about you with service providers and third parties for business purposes, such as operational purposes and other purposes related to providing you with the products and Services you seek from us. For more information about the business purposes for which we disclose Personal Information, see How We Share Information with Service Providers and Third Parties and For What Purposes and see Types of Information We Collect for the types of information that may be shared.

6. Opting-In

If you have opted out of the sale of your Personal Information, you are welcome to opt back in at any time. To opt-in, contact us via email at privacyoffice@medly.com and clearly request to opt-in to the sale of your Personal Information.

7. Deidentified Patient Information.

We may also disclose information that does not identify an individual and cannot reasonably be used to identify an individual which is derived from a consumer’s Personal Information, as well as deidentified PHI that has been modified to remove individually identifiable information in accordance with HIPAA’s deidentification standards.

8. Notice of Financial Incentive

We also sometimes offer exclusive price discounts, rewards, offers, deals, coupons, or other perks for those: (1) participating in our loyalty or rewards programs; (2) recipients of our mailing lists who were presented with a financial incentive to sign up; and (3) app subscribers who were presented with a financial incentive to download the app (“Programs”). Under California law, participating in any of our Programs is considered a financial incentive provided in exchange for the collection and retention of Personal Information. Through our loyalty or rewards programs, consumers may provide us with any or all of the categories of information in the Types of Information We Collect section above. Participation in these programs is optional and consumers may opt out at any time. In addition to this disclosure, each program contains terms specific to that promotion. Your participation in any of these programs will be interpreted as affirmative consent to the terms of that particular program. We offer these Programs to, among other things, enhance our relationships with our customers. The value to our business, in the aggregate, of customers’ Personal Information depends on specific facts, such as whether and to what extent they take advantage of any offerings. We do not calculate the value of customers’ information for our accounting statements. To the extent we would, however, such valuation could be directly or reasonably related to the cost associated with acquiring or developing such information.

9. Additional California Privacy Rights

California residents may also ask us to provide them with (i) a list of certain categories of personal data that we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, and (ii) the identity of those third parties. California residents may make one request per calendar year. In response to your written request, we are permitted to provide you with a cost-free means to opt-out of such sharing. To opt-out of such sharing cost free, email us at privacyoffice@medly.com. When you contact us, please include a subject line that states “CA Shine the Light Request,” state that you are a California resident, and identify that you would like to opt out of sharing your data with third parties for their direct marketing purposes. You can also opt out by sending this same information to us at: Medly Health Inc., Attn: Privacy Officer, 31 Debevoise Street, Brooklyn, NY 11206.