This Privacy Policy was updated on, and its effective date is: May 15, 2023.

Welcome to the Chronic Care Advocates website, https://myhana.io (the “Website”).

This Privacy Policy describes the types of information that Chronic Care Advocates, Inc., a Delaware corporation (“CCA,” “Company,” “we,” “our” or “us”) may collect from you, or that you may provide when you visit the Website, the CCA Platform, myHana® and any other related features, contents, applications, products or services including our advertising and applications on third-party websites and services, if those applications or advertising include links to this Privacy Policy (collectively, the "Service or “Services") and our practices for collecting, using, maintaining, disclosing, and protecting that information.

In this Privacy Policy, all references to CCA include its subsidiaries or affiliates involved in providing the Service. As used in this Privacy Policy, the words “Subscriber,” “you” and “your” refer to each individual or entity that has entered into a Subscription with us to establish a MyHana Account for a Care Recipient through the Service as the Care Recipient’s guardian or representative, and the term “Subscription” consists of this Privacy Policy, our Terms of Service and the transactional rates and certain other terms and conditions related to the creation of your MyHana Account, which are incorporated herein by reference. Additionally, as instructed by the context and nature of the provision contained herein, the words “you” and “your” may also apply to each Care Recipient, Authorized User, Provider, Wisdom Caregiver, and other visitors of the Website who, when visiting the Website, is bound by the Terms of Service, except for such provisions that implicate a Subscription, or Subscriber or Authorized User status.

“Authorized User” refers to any individual or entity (including, without limitation, any Care Recipient, Provider or Wisdom Caregiver) whom you authorize to receive a user ID (“User ID”) in order to access, use and/or upload information to your MyHana Account. Any references to “you” and “your” in these Terms of Service shall be construed as including Authorized Users, based on the context and nature of the provision contained herein. Each Subscriber will be responsible and liable for all acts and omissions of his or her Authorized Users in connection with their use of the Services and compliance with the underlying Subscription.

This Privacy Policy is incorporated by reference into CCA’s Terms of Service, which you may review below. Please review this Privacy Policy and the Terms of Service carefully. If you have any questions about our privacy practices, please refer to the end of this Privacy Policy for information on how to contact us.

If you do not agree with our practices, do not access or use any part of the Service. We reserve the right to change the Privacy Policy in our sole discretion. In such case, we will post the new Privacy Policy on the Website and the effective date of the new Privacy Policy will be clearly marked.


2. Definitions

“Activity Logs” are the Company’s and its CCA Service Contractors' records of when PHR Data is created, accessed, modified, deleted, released, or exported from and/or within your myHana PHR.

“Aggregate Data” is PHR Data that is: (1) grouped so it does not connect to you as an individual and (2) has names and other identifiers removed or altered. In other words, Aggregate Data is de-identified data and cannot be used to identify you as an individual.

“Authorized User” is any individual or entity authorized designated by you to receive a User ID in order to access and/or provide information to a myHana Account, including without limitation, any Subscriber, Care Recipient, Provider, or Wisdom Caregiver.

“myHana Account” is the account created by you in connection with your free or paid Subscription to the Service.

“Care Recipient” is a minor child or other individual over whom a Subscriber has legal authority or who has consented to the Subscriber’s caregiving and opening of a MyHana Account on his or her behalf.

“CCA Platform” is the care management platform for which you may obtain a free or paid Subscription to use in connection with your myHana Account.

“CCA Service Contractor” is a person or entity that is hired to perform certain functions for us to support the development, maintenance, and implementation of the Service. CCA Service Contractors may include software or website designers and data storage providers.

“PHR” means Personal Health Record. A PHR is an electronic health data application that can help you collect, manage, and share health information. As a Subscriber, your myHana Account features a PHR, referred to herein as your “myHana PHR.”

“PHR Data” means information you provide and/or authorize all or some of your Authorized Users to provide to your myHana PHR. Any information in your myHana PHR is considered PHR Data. PHR Data might include, but is not limited to, the following:

• Your name and contact information, such as your address, phone number, or email address
• Your medical history, conditions, treatments, and medications
• Your healthcare claims, health plan account numbers, bills, and insurance information
• Demographic information, such as your age, gender, ethnicity, and occupation
• Computer information, such as your IP address and "cookie" preferences

As described further below, we may use your PHR Data to achieve the following:

• Operate and manage the myHana PHR platform, software, and website
• Maintain and protect our computer systems
• Comply with the law, such as responding to subpoenas and search warrants

PHR Data includes Personal Information and Aggregate Data.

“Personal Information” means information about you that reasonably can be linked to you such as your name, health information, and other identifiers. Personal Information may also include but is not limited to your health information, financial information or social security number.

“Provider” means a provider of Third-Party Services, such as products, services or resources.

“Reporting” refers to any activity whereby CCA and our CCA Service Contractors might report about business activities and customers (you) to others, such as investors, auditors, potential business partners, or public communities. Reports will not include Personal Information without your specific permission or as permitted or required by law.

“Security Measures” may include computer safeguards, secured files, and employee security training. In addition, we may be required by law to notify you about particular data breaches.

“Third Party Services” are websites, services and Providers available on the Internet that are operated and controlled by organizations other than CCA, but may be linked to the CCA website.

“User Generated Content” is content that a Subscriber or Authorized User generates, and may include visual images, messages, posts, PHR Data, and Personal Information.

“Wisdom Caregiver” is a person that supports and assists one or more Subscribers in using the Services and with whom CCA has contracted to facilitate the provision of Services to Subscribers.

3. What Information We Collect

3.1 Before you become a Subscriber, we may collect your information in the following ways:

(a) If you contact us through the Internet and provide us with your contact information (e.g., name, mailing address, email address and other information). We will use such information for the sole purpose of informing you about the Service and inviting you to register for the Service.

(b) You post and share User Generated Content with others at your own risk. Although we limit access to certain pages, you may set certain privacy settings and alerts for such information by logging into your account profile upon subscribing to the Service. Please be aware that no Security Measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website with whom you may choose to share your User Generated Content. Therefore, we cannot and do not guarantee that your User Generated Content will not be viewed by unauthorized persons.

3.2 In order to create a myHana Account, you must be a Subscriber. As part of the Subscription process, you may be asked to provide certain Personal Information. You also may be asked to confirm the information that you provided to CCA prior to your Subscription, if any. As part of the Subscription process, you will also have the opportunity to provide additional information to CCA that may enhance your use of the Service.

3.3 In general, we collect all your User Generated Content. As a Subscriber, you can add information to your myHana Account. You may choose to provide Personal Information, and you may opt to upload PHR Data to your myHana PHR. You may also choose to include Personal Information about others in your profile by providing us with names and contact information for emergency contacts and Authorized Users. You must have legal authority or have obtained authorization from the Care Recipient in order to share his or her data and User Generated Content with CCA and other Authorized Users. You represent and warrant that you have such legal authority or authorization. We also may collect User Generated Content from any Authorized User whom you expressly authorize to access or send information (including PHR Data and Personal Information) to your myHana Account. If you choose to request that an Authorized User add or upload health records or other PHR Data, it is your responsibility to obtain authorization from the Care Recipient that complies with the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended.

3.4 We passively collect information from you as you navigate through our Service. We may track IP addresses, use industry standard tracking devices (e.g., session and persistent cookies, flash cookies, web beacons), and electronically gather information about the technology you use to access the Service and the areas of the Service you utilize. We passively collect this information for operational purposes such as evaluating, updating and improving the Service.

3.5 Cookies help us in many ways to make your visit to our websites more enjoyable and meaningful to you. Cookies are text information files that your web browser places on your computer when you visit a website. We may use such "cookie" technology to obtain non-personal information from you as an online visitor. As an example, this might entail recognizing several web page requests coming from the same computer and therefore the same visitor. Most browsers accept cookies automatically, but can be configured not to accept them or to indicate when a cookie is being sent. If you do not wish for us to collect cookies, you may set your browser to refuse cookies, or to alert you when cookies are being sent. If you do so, please note that some parts of the Service may then be inaccessible and you may not receive the full benefits of the Service.

4. How We Use Your Information

4.1 We use your information to provide the Service as described on the Website and Terms of Service, as well as to enhance the performance of the Service and/or to create new services. We may use Personal Information for product development or product enhancement.

4.2 If you choose to designate any Authorized User to participate in the Service with you, then we may use your information to facilitate the exchange of information and communication between you and such Authorized User.

4.3 Depending on your myHana Account settings (as described in Section 6 below), communications between you and your Authorized Users may be initiated by you or your Authorized User. You are under no obligation to initiate or respond to such communications. By participating in such communications, as directed by you, you agree that some or all of your PHR Data contained in your myHana PHR may be shared with your Authorized Users through the Service. Additionally, your myHana PHR may be shared, at your election, through interfaces with a health care provider’s information systems (so long as such health care provider is an Authorized User), and you agree that such PHR Data may be incorporated into your health care record maintained by your Authorized Users who provide health care services and maintain health records. We will not alter the content of User Generated Content. However, we may remove or block any content that we deem offensive, indecent, or otherwise objectionable or in violation of the Terms of Service. We may keep a record of all communications between you and your Authorized Users. We will not share the content of such communications except as permitted under this Privacy Policy, the Terms of Service, or as required by law, unless you expressly consent to or authorize disclosure.

4.4 We will not sell or rent, your Personal Information or PHR Data without your written consent. We will not use or disclose your Personal Information or PHR Data, except as described in this Privacy Policy, the Terms of Service, or as permitted or required by law.

5. Sharing Your Information With Third Parties

5.1 We may make your Personal Information available to Authorized Users or as necessary to complete transactions you authorize.

5.2 We may disclose your Personal Information to our CCA Service Contractors that provide technical support, electronic file storage, payment processing, or other services to us related to the Service. All such CCA Service Contractors are subject to confidentiality obligations and may only access and utilize your data for purposes of fulfilling their obligations to CCA. The following are all operators that may collect or maintain personal information from you through the Service:

CircleCo, Inc dba Circle.so 228 Park Ave S
PMB 52933
New York, NY 10003 legal@circle.so

Flodesk, Inc 2093 Philadelphia Pike #3380
Claymont, DE 19703
 legal@flodesk.com

Frill Group Pty Ltd Bondi Junction 2022
New South Wales,
Australia gdpr@frill.co

Google LLC 1600 Amphitheatre Parkway
Mountain View, California 94043
USA N/A

Intercom Inc 55 2nd Street, 4th Fl., San Francisco, CA 94105 https://preferences.intercom.com/privacy

Stripe, Inc Attn: Stripe Legal
354 Oyster Point Blvd.
South San Francisco, CA 94080 privacy@stripe.com

Typeform Data Protection Officer
calle de Pallars 108 (Aticco)
08018 – Barcelona (Spain) gdpr@typeform.com

Zapier Inc Attn: Legal Department/Privacy
548 Market St. #62411, San Francisco, CA 94104-5401; Attn: Legal. privacy@zapier.com

Please direct inquiries about any third-party operator's privacy practices and use information to the individual operator using the contact information provided above.

5.3 We may provide or sell Aggregate Data that is de-identified to third parties. However, Aggregate Data will not include any of your Personal Information or be individually identifiable.

5.4 We may access, preserve and disclose your Personal Information, other account information, and User Generated Content if we believe doing so is required or appropriate in order to comply with law enforcement requests and legal process, such as a court order or subpoena; defend against legal claims; respond to your requests; protect the rights, property and safety of you, CCA, or others; or as otherwise required by law.

5.5 If a third party acquires the assets or equity of CCA related to the Service (whether by sale, merger, change of control, bankruptcy or otherwise), your Subscription and User Generated Content, including but not limited to Personal Information and PHR Data may be transferred to the new owner(s). In such case, your Personal Information would remain subject to the provisions of the CCA privacy policy that was in effect immediately prior to the transfer, unless we provide you notice otherwise. You may, however, terminate your Subscription at any time.

6. Choices You Have About How We Use Your Information

CCA offers you a number of ways to control collection and use of your information when you use the Service. Your options include:

6.1 Managing Your Account. You can review User Generated Content that has been shared with Authorized Users by logging into your MyHana Account. You can modify or delete any User Generated Content at any time. You may also choose to modify or delete User Generated Content that others have shared with you. Modifications to your myHana PHR are not automatically communicated to your Authorized Users. If you want your Authorized User to know of changes or additions within your myHana PHR, you must inform the Provider or third-party of such changes or set alerts in your account to notify them of changes and additions.

6.2 Modifying Your Account Settings. Your MyHana Account settings are designed to provide you with control over the information that you share. We encourage you to review your Account settings and adjust them in accordance with your preferences. You may customize and control each Authorized User’s scope of access to your MyHana Account, as well as the information and data available to such Authorized User. You may permit each Authorized User to: (a) have the same level of access to your MyHana Account as you have, i.e., the Authorized User will be authorized to access your MyHana Account (including your myHana PHR) and to communicate with you and other Authorized Users to the same extent that you are able using the Service; and/or (b) have "read-only" access to all or certain types of information in your MyHana Account, i.e., the Authorized User will be authorized only to access and read those types of information that you allow, but will NOT be authorized to communicate with other Authorized Users or to upload information to your MyHana Account. You acknowledge and agree that: (a) you are solely responsible for verifying the identity of, and monitoring the use by, any Authorized User you designate to receive a User ID and password; and (b) CCA has no responsibility or liability in connection with any access to, or use of, your MyHana Account and information by any such Authorized User or by a person to whom the Authorized User has provided his username and password.

6.3 Deactivating an Authorized User. You may revoke any Authorized User’s authorization to access your MyHana Account through your account settings. Once revoked, such Authorized User may no longer access and use the Service with respect to you and your User Generated Content including, but not limited to, Personal Information and PHR Data. Any disclosure of your PHR Data or Personal Information made prior to the revocation cannot be recalled, removed, or retrieved by us. By using the Service, you agree that we cannot, and have no obligation to, remove User Generated Content, including but not limited to Personal Information or PHR Data from the records of an Authorized User previously disclosed.

6.4 Terminating Your Account. As a Subscriber, you may terminate your Care Circle Subscription at any time by notifying us in accordance with the Terms of Use. Upon termination of the Subscription, we will maintain all User Generated Content associated with your MyHana Account for a period of ninety (90) days, at which time we may destroy the User Generated Content, or in accordance with our then current document retention and destruction policies. Please note that copies of your User Generated Content may remain in the records of your Authorized Users as described in Section 6.3, above.

7. Data from Care Recipients Under the Age of 16

7.1 Our Website is not intended for children under 16 years of age. No one under age 16 may provide any personal information to the Website. We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information on this Website or through any of its features, register on the Website, make any purchases through the Website, use any of the interactive or public comment features of this Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at support@myhana.io.

7.2 Parents or Legal Guardians of an individual under the age of 18, may elect to become Subscribers and establish a MyHana Account for that Care Recipient. By establishing a MyHana Account for Care Recipient who is a minor, the Parent or Legal Guardian expressly consent to CCA utilizing such information as set forth in this Privacy Policy and the Terms of Service. In such a case, the Subscriber represents and warrants that the Subscriber is authorized to establish the MyHana Account for the Care Recipient who is a minor.

 7.2 A Care Recipient’s myHana PHR will be linked to a Subscriber’s MyHana Account until the earlier of the following to occur: (i) CCA receives written instruction from a Care Recipient to remove the information; (ii) CCA receives written instruction from the Parent Legal Guardian, or other legally authorized agent of the Care Recipient to remove the information; or, (iii) CCA receives formal instruction from a court of law or agency or as otherwise required by law to remove the Care Recipient’s myHana PHR from the Subscriber’s account.

8. How We Protect Your Information

8.1 We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on secured servers behind firewalls. Further, the Service encrypts all PHR Data during transmission between you or your Authorized User and CCA. Within your MyHana Account, all Personal Information and PHR Data is encrypted at three levels: (i) each individual has a unique encryption key; (ii) demographic information is encrypted; and, (iii) clinical data is separately encrypted. Any payment transactions will be encrypted using SSL technology.
8.2 The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to your MyHana Account, you are responsible for keeping this password confidential. We ask you not to share your password with anyone and to log out of your MyHana Account after each session. Notify us immediately if you believe your password has been breached.
8.3 We urge you to be careful about giving out information in public areas of the Website like message boards. The information you share in public areas may be viewed by any user of the Website.
8.4 Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.

9. Security Breach Notification Requirements

Pursuant to applicable law, we may be required to send you notice of security breaches or suspected security breaches that impact your Personal Information. In the unlikely event that we must provide you a notice of a security breach, we will send you security breach notices to the e-mail address contained in your account information, unless we are otherwise required by law. Please note: many e-mail systems have built in SPAM filters. If you have one in place, you should check with your system administrator or the available instructions to confirm that e-mails from CCA are not blocked by the filter e.g., by confirming that the service domain name www.myhana.io is a permitted domain name.

10. Your Rights and Choices

State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information. For instance, Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:
· Confirm whether we process their personal information.
· Access and delete certain personal information.
· Data portability.
· Opt-out of personal data processing for targeted advertising and sales.
Additionally, Colorado, Connecticut, and Virginia provide their state residents with rights to:
· Correct inaccuracies in their personal information, taking into account the information's nature processing purpose.
· Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.

10.1 Right to Know and Data Portability

Depending on your residency, you have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the "right to know"). Once we receive your request and confirm your identity, we will disclose to you:

· The categories of personal information we collected about you.

· The categories of sources for the personal information we collected about you.

· Our business or commercial purpose for collecting or selling that personal information.

· The categories of third parties with whom we share that personal information.

· If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:

· sales, identifying the personal information categories that each category of recipient purchased; and

· disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

· The specific pieces of personal information we collected about you (also called a data portability request).

 We do not provide a right to know or data portability disclosure for B2B personal information.

10.2 Right to Delete

Depending on your residency, you have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity, we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.

2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

3. Debug products to identify and repair errors that impair existing intended functionality.

4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.) or other similar state laws.

6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.

7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

8. Comply with a legal obligation.

9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

We do not provide these deletion rights for B2B personal information.

10.3 Exercising Your Rights to Know or Delete

To exercise your rights to know or delete described above, please submit a request by either:

· Emailing us at support@myhana.io.

· Visiting myhana.io

· Logging onto your MyHana Account.

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information or on behalf of your child. To designate an authorized agent, please email support@myhana.io and submit the Designation of an Authorized Agent form or other documentation demonstrating that a third party is legally authorized to act on your behalf.

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

· Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. If you are an Authorized User, we will verify your identity through existing authentication practices for the MyHana Account (e.g., login and password). If you are not an Authorized User, we will verify your identity by matching two or three data points that you provide with data points that we maintain and have determined to be reliable for the purposes of verification. For instance, the data points we may request that you provide could be a government issued identification care, birth certificate, or other identifying documentary evidence.

· Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.

We will only use personal information provided in the request to verify the requestor's identity or authority to make it.

10.4 Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact support@myhana.io.

We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

 10.5 Personal Information Sales Opt-Out and Opt-In Rights

Depending on your residency, if you are age 16 or older, you have the right to direct us to not sell your personal information at any time (the "right to opt-out"). We do not sell the personal information of consumers we actually know are less than 16 years old, unless we receive affirmative authorization (the "right to opt-in") from either the consumer who is between 13 and 15 years old, or the parent or guardian of a consumer less than 13 years old. Consumers who opt-in to personal information sales may opt-out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting the following Internet Web page link: Do Not Sell My Personal Information

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales. However, you may change your mind and opt back in to personal information sales at any time by: https://myhana.io/opt-in

You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

11. Additional Notice to California Residents.

This Privacy Policy notice for California Residents supplements the information contained in this Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (the “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Privacy Policy.

This Policy does not apply to workforce-related personal information collected from California-based employees, job applicants, contractors, or similar individuals.

Information We Collect

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("personal information"). Personal information does not include:

· Publicly available information from government records.

· Deidentified or aggregated consumer information.

· Information excluded from the CCPA's scope, like health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data.

In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

Category Examples Collected
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Some personal information included in this category may overlap with other categories. YES
C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
 YES
D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. NO
E. Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. YES
F. Internet or other similar network activity. Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. YES
G. Geolocation data. Physical location or movements. YES
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. YES
I. Professional or employment-related information. Current or past job history or performance evaluations. NO
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. YES
K. Inferences drawn from other personal information. Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. YES

We obtain the categories of personal information listed above from the following categories of sources:

· Directly from you. For example, from forms you complete or products and services you purchase.

· Indirectly from you. For example, from observing your actions on our Website.

· Directly from Care Recipients, Providers or Wisdom Caregivers.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following purposes:

· To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns.

· To provide, support, personalize, and develop our Website, products, and services.

· To create, maintain, customize, and secure your account with us.

· To process your requests, purchases, transactions, and payments and prevent transactional fraud.

· To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.

· To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).

· To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.

· For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.

· To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

· As described to you when collecting your personal information or as otherwise set forth in the CCPA.

· To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our consumers is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may share your personal information by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, Company has disclosed personal information for a business purpose to the categories of third parties indicated in the chart below.

We do not sell personal information. In the preceding twelve (12) months, the Company has not sold personal information.

Personal Information Category Category of Third-Party Recipients
 Business Purpose Disclosures Sales
A: Identifiers. None None
B: California Customer Records personal information categories. None None
C: Protected classification characteristics under California or federal law. None None
D: Commercial information. None None
E: Biometric information. None None
F: Internet or other similar network activity. None None
G: Geolocation data. None None
H: Sensory data. None None
I: Professional or employment-related information. None None
J: Non-public education information. None None
K: Inferences drawn from other personal information. None None

Deidentified Patient Information

We do disclose deidentified patient information exempt from the CCPA to third parties. To deidentify the patient information, we followed the HIPAA expert determination method and the HIPAA safe harbor method.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights, including those rights set-forth in Section 10 of this Privacy Policy. Unless permitted by the CCPA, we will not:

· Deny you goods or services.

· Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.


· Provide you a different level or quality of goods or services.

· Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information's value and contain written terms that describe the program's material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

CCPA Rights Request Metrics

Metrics regarding the consumer rights requests we received from all individuals from January 1, 2023 to December 31, 2023 appear in the following chart:

Request Type Received Granted (in whole or in part) Denied Mean Days to Respond
Requests to Know 0 0 0 0
Requests to Delete 0 0 0 0
Requests to Opt-Out of Personal Information Sales 0 0 0 0

Other California Privacy Rights

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to support@myhana.io.

11. Changes to this Privacy Policy

We reserve the right to change the Privacy Policy in our sole discretion. In such case, we will post the new Privacy Policy on the Website and the effective date of the new Privacy Policy will be clearly marked. If we update this Privacy Policy, your continued use of the Service (following the posting of the revised Privacy Policy) means that you accept and agree to the terms of the revised Privacy Policy. Remember, by using any part of the Service, you accept and agree to our Privacy Policy and privacy practices.

11. More information

If you have additional questions, please contact myHana™ any time. Or email us at:

support@myhana.io

This policy is in a form that is accessible to consumers with disabilities. However, if you need to access this Policy in an alternative format due to having a disability, please contact support@myhana.io.