Consumer Health Data Policy

1. Purpose and Scope

Effective Date: October 5, 2025

This Consumer Health Data & Biometric Privacy Policy ("Policy") is issued by Healsend Inc. ("Healsend"), a Management Services Organization (MSO) and technology facilitator. Healsend is not a medical provider, does not practice medicine, and does not independently function as a HIPAA-covered entity. The Professional Entities supported by Healsend's Platform are independent licensed healthcare providers who may be covered entities or business associates under HIPAA.

This Policy covers Consumer Health Data (CHD) and biometric data collected and processed by Healsend in its capacity as a technology platform and data controller — separate from PHI processed by Professional Entities under their own Notices of Privacy Practices and HIPAA Business Associate Agreements. This Policy supplements our Master Privacy Policy.

2. Definitions

Consumer Health Data (CHD): Personal information that identifies your past, present, or future physical or mental health status, including diagnoses, medications, health conditions, health-related payments, bodily functions, or characteristics regulated under WA MHMDA, NV SB370, or similar state laws.
Biometric Data: Data generated from physiological or behavioral characteristics used for identification, including fingerprints, voiceprints, iris scans, retinal scans, face geometry, and gait patterns.
Sensitive Health Data: A subset of CHD that includes reproductive and sexual health information, mental health status, substance use disorder information, and genetic data.
Personal Information: Information that identifies, relates to, or could reasonably be linked to an individual or household.
Professional Entity: Independent licensed physician groups, professional corporations, or PLLCs that use the Platform to deliver clinical care.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Service Provider/Contractor: Entities that process data on Healsend's behalf under contracts restricting them to performing services for us.
De-identified Data: Information from which all direct and reasonably linkable identifiers have been removed under HIPAA Expert Determination or Safe Harbor methods.
Business Associate: Healsend, in its capacity as a BA under 45 CFR §160.103, when processing PHI on behalf of a covered Professional Entity under a signed BAA.
Consumer Request: A verifiable request from you to exercise a privacy right listed in Section 8.

Consumer Health Data Policy

1. Purpose and Scope

2. Definitions

3. Applicability of Federal and State Law

4. Information We Collect

A. Directly from You

B. From Professional Entities & Pharmacies

C. Automatically

D. Biometric / Sensor Data

E. Derived / Inferred

5. How We Use Consumer Health and Biometric Data

5.1 Primary Uses (no additional consent required)

5.2 Secondary Uses (require your explicit consent)

5.3 Lawful Basis

6. When and Why We Share Data

6.1 Categories of Recipients

6.2 Safeguards for Vendors

6.3 No Cross-Border Transfers

6.4 No Sale of De-identified Data for Re-identification

7. Retention and Deletion of Data

7.1 Retention Schedule

7.2 Deletion Requests

7.3 Annual Review

8. Your Privacy Rights

8.1 Rights Available to You

8.2 How to Submit a Request

8.3 Fees

9. State-Specific Disclosures

9.1 California (CCPA/CPRA)

9.2 Washington (MHMDA — RCW 19.373)

9.3 Nevada (SB370 — NRS 603A)

9.4 Texas (HB300 — Tex. H&S Code §181)

9.5 Illinois (BIPA — 740 ILCS 14)

9.6 Colorado, Connecticut, Virginia, Utah, Iowa, Montana

10. Data Security and Incident Response

10.1 Administrative Safeguards

10.2 Technical Safeguards

10.3 Physical Safeguards

10.4 Incident Response

10.5 Audit

11. Contact, Complaints, and Dispute Resolution

11.1 Privacy Office

11.2 Officers

11.3 Complaint Process

11.4 No Retaliation

11.5 Governing Law

12. Changes to This Policy