FUNCTION HEALTH: PRIVACY POLICY

Effective Date: March 4th, 2025

Last Updated Date: March 4th, 2025

California Notice at Collection:  See the California Privacy Notice section below for information about your rights, to the extent applicable, under governing law.

FUNCTION’S GUIDING PRIVACY PRINCIPLES

Function Health was built for our families, ourselves, and you. Your privacy is one of our top priorities. We empower you to take control of your health, and that includes having control of certain aspects of your Personal Information. Please read the Privacy Policy in full to understand all of our Personal Information practices as we set out our guiding privacy principles immediately below.

• Your identity is not for sale for money. We do not disclose your Personal Information to third parties in exchange for money.                                      
• We limit the information we collect and retain. We collect Personal Information to provide you with our products and Services. We retain your information for the period of time necessary to fulfill the purposes for which we collected it, including delivering requested products and Services, protecting the interests of our members, and for the period of time required by law.
• We limit the manners in which we share your test results with third parties. In order to deliver our product and services to you, it may be necessary for us to provide certain information to our Lab and Provider Partners. We will do so when such recipients agree to limitations regarding the use of your personal information.  

We encourage you to review the rest of this Privacy Policy to learn more about Function’s transparent privacy practices.

PRIVACY POLICY

This Privacy Policy governs how Function Health, Inc. (“Function”, “Company”, “we”, “our”, “us”) collects, stores, and uses your Personal Information (as defined below), as well as other data and information arising out of and/or relating to you and/or your use of our Services – which include without limitation your use of the website www.functionhealth.com (the “Site”) and any other technologies, features, websites, mobile applications, content, and other services we offer (collectively, the “Services”). We may also provide you with “just-in-time” disclosures, supplemental terms and/or clarifications, further options, and additional information pertaining to our collection, storage, and usage of Personal Information, and other data and information.

Function may also collect, store, and use Personal Information regarding you that is linked or reasonably linkable to you and that identifies your past, present, or future health status or mental health status, as may be applicable (“Consumer Health Data”).  This Privacy Policy provides information about how we collect Consumer Health Data, how we use it, what sources it is derived from, to whom we disclose it and how we otherwise process it.  In addition, if you are a resident of Connecticut, Nevada, or Washington, we provide further information about your Consumer Health Data, as well as the rights you may have related to this data, in our Consumer Health Data Privacy Policy which is hereby incorporated by reference into this Privacy Policy as though herein completely stated.

This Privacy Policy does not apply to third-party websites, applications, products, services, or other properties, even if they may link to our Site or our Site may link to them. We recommend you review the privacy practices of those third parties before connecting with and/or accessing third-party offerings, and before sharing any Personal Information with those third parties .

To keep things simple, we use the same capitalized terms as those set forth in our Terms of Service, linked here, unless otherwise indicated herein. In the event of a conflict between our Privacy Policy and our Terms of Service, the latter will control.

Contents. It is important that you read and understand the entire Privacy Policy before using our Services. For ease of review, below is a table of contents that links to each section. Please note that the complete provisions and not the headings shall govern. You can click on the headings to be taken to the full explanation. You can download a printable copy of this Privacy Policy here.

‍

1. Personal Information We May Collect, Use, and Disclose
   We collect, use, and disclose information that may be used to uniquely identify you in various ways in accordance with applicable law.

2. Sources of Personal Information
   We may collect Personal Information from various sources.

3. Disclosure of Personal Information
   In limited circumstances, we may disclose your Personal Information to certain third parties.  We describe those circumstances and related protections below.  Please Note: under no circumstances will we disclose your Lab Results or certain of your Self-Reported Health Information to any third-party for its own advertising or marketing purposes.

4. Aggregated, Deidentified, or Anonymized Information
   We may create aggregated, deidentified, or anonymized information from Personal Information by removing certain components of your information.

5. Cookies and Tracking Technologies
   Certain cookie data may be shared with third parties for advertising or other purposes, and we give you certain options, as applicable, to opt-out of such sharing on our website.      

6. Data Security
   We use technical and organizational measures designed to protect your Personal Information.

7. Data Retention
   We will retain your Personal Information only for as long as is necessary for the purposes set out in this Privacy Policy.

8. International Transfers of Your Personal InformationYour Personal Information may be transferred to the U.S. and other countries.

9. Children's Privacy
   Our Site and Services are not intended for use by children under the age of 18

10. Your Privacy Rights
    We provide additional disclosures and rights to residents of certain U.S. states.

11. California Privacy Notice
    We provide additional disclosures and rights to California residents.

12. Nevada Privacy Notice
    We provide additional disclosures and rights to Nevada residents.

13. Privacy Notice for Residents of Other U.S. States
    We provide additional disclosures and rights to residents of certain other U.S. states.

14. Changes to This Privacy Policy
    Changes to this Privacy Policy will become effective on the date identified in the Privacy Policy.

15. Contact Us
    You may contact us for comments or questions in various ways.^[f]

1. Personal Information We May Collect, Use, and Disclose

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identifiable individual. Personal Information includes “personal data” as that term is defined in applicable privacy laws. Personal Information does not include “Publicly Available Information”; lawfully obtained, truthful information that is a matter of public concern; information that has been de-identified; or aggregate consumer information. “Publicly Available Information” includes: information that is made available from federal, state, or local government records; information that a business has a reasonable basis to believe is lawfully available to the general public, either through widely distributed media, or by the consumer; and information that is made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.  “Self-Reported Health Information” refers to Personal Information that relates to your physical or mental health and that you provide directly to us when you complete electronic forms designed for you to self-report your physical or mental health status, upload medical records, or link a wearable or Internet of Things device to our Services. For clarity, Self-Reported Health Information does not include other information such as (i) purchase data; or (ii) information collected via tracking technologies (e.g. cookies, web beacons) on unauthenticated pages on our websites.

We may disclose non-Personal Information, such as aggregated user statistics, to third parties.

In the table below, we set out the categories of Personal Information that we may collect, how we may use such Personal Information, and the categories of third parties to whom we may disclose such Personal Information where such disclosure may be considered a “sale” or “share” of Personal Information.

Please note that because of the overlapping nature of certain of the categories of Personal Information identified above, which may be required by state law, some of the Personal Information we collect may be reasonably classified under multiple categories. Further, we may disclose all Personal Information, for our business purposes, to (i) service providers; (ii) professional advisors (such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us); (iii) authorities and others (such as law enforcement, government authorities and private parties, as we believe in good faith to be necessary or appropriate); and (iv) business transferees (such as in the context of actual or prospective business transactions). For more information on to whom we may disclose your Personal Information, please see the section Disclosure of Personal Information.

2. Sources of Personal Information

We may collect Personal Information about you from the following categories of sources:  

• Directly from you through self-reported information, i.e. directly from you through your interactions with us, including without limitation when you use the Site or Services (e.g. creating an account with us, completing electronic forms, uploading medical records, linking a wearable device to our Services) or otherwise contact us via chat, email, phone, or text.
• Through cookies and other tracking technologies, as discussed in more detail in Cookies and Other Tracking Technologies (Section 5 of this Policy). 
• Through linked wearable devices connected to our Services (which may include historical data related to your use of the wearable devices).
• From third party healthcare service providers, laboratory service providers, and other providers of medical and medical-adjacent services (our “Lab and Provider Partners”), with your permission and in accordance with applicable law and the context in which you provided the data.  
• From other third parties, including our third party service providers, business and marketing partners, affiliates, analytics providers, ad network providers, ad agencies, and advertisers.
• From third parties that you choose (such as lab providers). 
• From government agencies or public records.
• From social media and other content platforms.

3. Disclosure of Personal Information

Below is a simple chart designed to help you understand, at a general level, what information we will and will not share with third party tracking technology partners (including third party advertising platforms), followed by more details about our disclosure of your Personal Information: 

In full, we may disclose Personal Information that we collect, generate or that you provide, to the following:

• Our affiliates. We may share Personal Information among our affiliates to provide our Services, and for internal administrative purposes. 
• Our service providers. We share certain Personal Information with our service providers to provide services on our behalf, such as payment processing, analytics, hosting, marketing, customer and technical support (including online chat functionality providers that leverage generative AI technologies), professional advisors (such as our lawyers, auditors, bankers and insurers) and other services.
• Our payment processing platforms. Payment card information you use to make a purchase on the Service is collected and processed directly by our payment processors such as Stripe. Stripe may use your payment-related data in accordance with its privacy policy, https://stripe.com/privacy.
• Our Lab and Provider Partners. We have engaged with various third-party Lab and Provider Partners in connection with various facets of our Services. Such partnership may involve receiving and sharing Personal Information, including without limitation Consumer Health Data, with your permission in accordance with applicable law and the context in which you provided the data. 
• Third party platform advertisers. We will not disclose your Lab Results or Self-Reported Health Information without your express, affirmative consent. We may otherwise share certain information gathered through tracking technologies like cookies and web beacons with third-party platform providers . We also partner with third parties who use cookies to serve interest-based advertising and content on their respective third-party platforms that may be based on your preferences, location, and/or interests.  As noted elsewhere, our websites implement measures designed not to collect or share interest-based advertising personal information for individuals accessing our Services who are located in Connecticut, Nevada, or Washington.
• Third parties related to compliance and harm prevention. Under certain circumstances, we may be required to disclose your Personal Information if required to do so by law or in response to valid requests by public authorities, and/or in response to a threat of harm involving an individual’s health and/or safety. This may include law enforcement, government authorities and private parties.
• Third parties related to a change of ownership or other corporate transformation. Notwithstanding anything to the contrary in this Privacy Policy or our Consumer Health Data Privacy Policy, if we or our subsidiaries are involved in an actual or potential merger, acquisition, asset sale, or other corporate transformation, your Personal Information – including without limitation your Lab Results and any and all other Self-Reported Health Information – may be transferred to the prospective, acquiring or surviving entity (and their respective representatives).
• At your request, other persons or entities that are relevant to your care.  At your request, we may also share Personal Information, such as your Lab Results (as defined in our Terms of Service), with your general practitioner, your specialist, or your provider’s health system.
• Third parties designated by you. We may share your Personal Information with third parties where you have instructed us or provided your consent to do so such as when you choose to share results.
• Other users and the public. If you choose to make your Personal Information available to others and the public through the Service, such as when you provide comments, reviews, survey responses or share other content, that Personal Information will be available to other users of the Service and the public. This information can be seen, collected and used by others, including being cached, copied, screen captured or stored elsewhere by others (such as search engines) and we are not responsible for any such use of this information.  

We do not disclose your Personal Information to third parties in exchange for money. 

4. Aggregated, Deidentified, or Anonymized Information

We may create aggregated, de-identified, or anonymized information from Personal Information by removing certain data components (such as your name, email address, or linkable tracking ID) that makes the data identifiable, or through aggregation, obfuscation or other means.  For example, we may de-identify any information and data provided and/or generated in connection with your use of our Services (including without limitation your Lab Results and other Personal Information), in compliance with applicable law. 

5. Cookies and Other Tracking Technologies

We use cookies and similar tracking technologies and analytics services to track activity on the Site and Services.

a. Cookies

Cookies are files with a small amount of data which may include unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies we may use include web beacons to track information and analyze the Services.  Beacons (also known as pixel tags, clear GIFs) are small objects that are embedded in an image on a website; they can transmit information directly to Function, or to another person or entity of our designation.  For the purposes of this Privacy Policy, cookies, beacons, and other such tracking technologies shall, collectively, be embraced by the term “Cookies.” You can instruct your browser to refuse certain Cookies or to indicate when a Cookie is being sent. However, if you do not accept certain Cookies, you may not be able to use some portions of our Service.

Examples of Cookies we use: 

• Strictly Necessary. We may use Cookies that we consider are strictly necessary to allow you to use and access our website, including Cookies required to prevent fraudulent activity, improve security or allow you to make use of shopping cart functionality.
• Performance. We may use Cookies that are useful in order to assess the performance of our website, including as part of our analytic practices or otherwise to improve the content, products or Services offered through our website.
• Functionality. We may use Cookies that are required to offer you enhanced functionality when accessing our website, including identifying you when you sign in to our website or keeping track of your specified preferences, including in terms of the presentation of content on our website.
• Advertising. We may use Cookies to deliver content, including ads, relevant to your interests on our website and third party sites based on how you interact with advertisements or content.

**Although Function generally uses Cookies as described above, our websites implement measures designed to limit the types of Cookies (excluding Strictly Necessary Cookies) for individuals accessing our Services who are located in Connecticut, Nevada, or Washington.

b. Analytics

We may use Google Analytics or other service providers for analytics services. These analytics services may use Cookies and other tracking technologies to help us analyze how users use the Services. Information generated by these services (e.g., your IP address and other usage information) may be transmitted to and stored by Google Analytics and other service providers on servers in the U.S. (or elsewhere) and these service providers may use this information for purposes such as evaluating your use of the Service, compiling statistic reports on the Service’s activity, and providing other services relating to Service activity and other Internet usage. You may exercise choices regarding the use of Cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on. 

c. Third-Party Ad Networks. 

Certain companies may participate in the Digital Advertising Alliance ("DAA") AdChoices Program and may display an Advertising Option Icon for Interest-based Ads that links to an opt-out tool which allows you to exercise certain choices regarding targeting. You can learn more about the DAA AdChoices Program at http://www.youradchoices.com/ and its opt-out program for mobile apps at http://www.aboutads.info/appchoices. 

In addition, certain advertising networks and exchanges may participate in the Network Advertising Initiative (“NAI”). NAI has developed a tool that allows consumers to opt out of certain Interest-based Ads delivered by NAI members' ad networks. To learn more about opting out of such targeted advertising or to use the NAI tool, see http://www.networkadvertising.org/choices/. Please be aware that, even if you are able to opt out of certain kinds of Interest-based Ads, you will continue to receive non-targeted ads. Opting out of one or more NAI or DAA members only means that those selected members should no longer under the DAA / NAI rules deliver certain targeted ads to you. This will affect this and other services, but does not mean you will no longer receive any targeted content and/or ads (e.g., from other ad networks). If your browsers are configured to reject Cookies when you visit this opt-out page, or you subsequently erase your Cookies, use a different device or web browser(s), or use a non-browser-based method of access (e.g., mobile app), your NAI / DAA browser-based opt-out may not, or may no longer, be effective. Mobile device opt-outs will not affect browser-based Interest-based Ads even on the same device, and you must opt-out separately for each device. We are not responsible for the effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs.

d. Chat and other artificial intelligence (“AI”) technologies. 

We use services such as those provided by Intercom and other generative AI platform providers such as Meta and Decagon that leverage cookies and software code to operate the chat and interact with your inputs and prompts. This allows you to communicate with us including to input your prompts and other data through the Services. We, the providers referenced previously, and other third parties may access and use information about your webpages visited on our website, your IP address, your general geographic information (such as city, state) and other Personal Information you share and receive through the chat to facilitate the provision of the Services and as otherwise described in this Privacy Policy.

‍

6. Data Security

The security of your data is important to us but remember that no method of transmission over the Internet or method of electronic storage is completely secure. Function uses certain safeguards designed to protect the security and integrity of your Personal Information.  If you complete a purchase with us, your financial information (as defined in Personal Information We May Collect, Use, and Disclose) will be processed by our payment processor. 

7. Data Retention

We will retain your Personal Information  for as long as is necessary to provide you with Services, to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. We will also retain certain Personal Information for internal analysis purposes. This information is generally retained for a shorter period but may be retained for longer periods of time when this data, for example, is used to strengthen the security or to improve the functionality of our Services, or we are legally obligated to retain this data for longer time periods. Our determination of precise retention periods will be based on (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position, including regard to applicable statutes of limitations, litigation or regulatory investigations.

8. International Transfers of Your Personal Information

Your information, including Personal Information, may be transferred to – and maintained on – information systems located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. If you are located outside of the United States and choose to provide information to us, please note that we transfer the data, including Personal Information, to the United States and process it there. 

9. Children’s Privacy 

Function’s Services are not intended for children under the age of eighteen (18) years and we do not knowingly collect Personal Information from such persons. If you become aware that a child has provided us with Personal Information, please contact us at legal@functionhealth.com, with the subject line “Minor Access”. If we become aware that we have collected Personal Information from children without verification of parental consent, we take steps to remove that information from our information systems.

10. Your Privacy Rights  

You may have certain rights and choices regarding our collection, use, and disclosure of your Personal Information based on applicable laws (such as due to your location or place of residency). 

a. Opting out of promotional electronic communications from us. We may use your Personal Information to send you updates regarding existing products and Services, information about new products and Services, upcoming events, surveys, and other announcements and inquiries. Please note that Function may send you marketing and advertising messages on behalf of a third party (including subject to a paid arrangement); provided, under such a circumstance, Function will not disclose your Personal Information to said third party. If you no longer wish to receive promotional email communications from us, you may opt out via the unsubscribe link included in such emails or communicate your opt-out request using the information below. We will comply with your request as soon as reasonably practicable. Please note that if you opt out of receiving promotional emails from us, we may still send you administrative messages that are required in order to provide you with the Service or for other reasons disclosed in this Policy.

b. Deleting your content or closing your account. You may be able to delete certain content through your account. If you wish to request to close your account, please contact us.

c.  Additional rights available in certain states and jurisdictions. Certain U.S. jurisdictions provide residents with certain rights with respect to their Personal Information or “personal data” as defined under applicable law. These rights are subject to the specific laws of that jurisdiction as applicable to Function and that certain other rights or obligations might apply. Please review our California Privacy Notice; Nevada Privacy Notice; Privacy Notice for Residents of Other US States; and Consumer Health Data Privacy Policy for more information on rights and terms potentially applicable to you.

d.  Mobile location data. You can disable our access to your device’s precise geolocation in your mobile device settings.

e.  Exercising your privacy rights.  Please use the following information to exercise your rights as applicable. Please note that any request you submit to us is subject to an identification and residency verification process as permitted under applicable law, as well as certain other procedural requirements that may be noted in the sections below. Additionally, all requests are subject to certain exceptions under applicable law, which may vary. If you are a visually-impaired customer, a customer who has another disability or a customer who seeks support in other language, you may access your privacy rights by emailing us at legal@functionhealth.com.

We do not charge a fee to process or respond to your verifiable consumer request unless its excessive, repetitive, manifestly unfounded, or in accordance with applicable law.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Depending on applicable law, you may be limited in how many verifiable or authenticated consumer request you make within a twelve (12) month period. If we have inadvertently collected information on your minor child, you may exercise the above rights on behalf of your minor child. Additionally, in some jurisdictions, you may designate an authorized agent to submit a request on your behalf, and if so, we may require proof of the agent’s authorization by you and/or verification of the agent’s own identity. Generally, a rights request must include:

• Sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which must include, at a minimum, your first and last name and email address.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to the request.

We cannot respond to your request or provide you with Personal Information if we cannot verify or authenticate your identity or authority to make the request and confirm that the Personal Information relates to you. We will only use Personal Information provided in a verifiable or authenticated consumer request to verify your (or your authorized agent’s as applicable) identity or authority to make the request.

You are not required to create an account with us to submit a verifiable or authenticated consumer request. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account. If you have an account with us, we will deliver our written response to that account.  If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact legal@functionhealth.com. Except where otherwise noted, we will respond to your request within forty-five (45) days after receipt and we reserve the right to extend the response time by an additional forty-five (45) days when reasonably necessary and provided consumer notification of the extension is made within the first forty-five (45) days. As described below, in some jurisdictions, an authorized agent may submit a request to exercise your rights on your behalf.

How to submit a request. To exercise any of the rights described in this Privacy Policy, please send your request(s) using one of the following methods:

• Emailing us at legal@functionhealth.com
• Visiting the contact page at our Site at https://www.functionhealth.com/contact
• Calling us at (512) 814-6593.

11. California Privacy Notice

This California Privacy Notice applies to any California residents about whom we collect Personal Information (for the purposes of this Article 11, “consumers”). The provisions contained within this section are intended to provide notices in compliance with the California Consumer Privacy Act of 2018 (“CCPA”) and other relevant California laws and regulations. 

For the purposes of this California Privacy Notice, except where a different definition is noted, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. Personal Information does not include Publicly Available Information, information that has been de-identified or aggregated, or other information subject to certain federal and state regulation, such as protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA).

If you are a visually-impaired customer, a customer who has another disability or a customer who seeks support in other language, you may access your privacy rights by emailing us at legal@functionhealth.com.

a. Personal Information We Collect

We may collect, or have collected, the following categories of Personal Information about you:

• Identifiers
• Commercial information
• Financial information
• Internet or other electronic activity information
• Geolocation data
• Professional or employment-related information
• Audio, electronic, visual, or similar information
• Characteristics of protected classifications under California or federal law
• Inferences drawn from any of the above

Certain of the Personal Information that we collect may constitute “Sensitive Personal Information” as defined by California law. This may include: 

• Your account login information
• Payment information
• Content of messages sent through the Site or Services
• Personal Information collected and analyzed concerning your health
• Precise geolocation data

b. How We Use Your Personal Information

We use the Personal Information we collect about you for the following purposes:  

• Contact you and provide information
• Provide customer service
• Perform identity and age verification as required under applicable law
• Provide and maintain the Site and Services
• Facilitate interactive features 
• Internal analytics
• Market our products and Services directly to you
• Market the products and services of others directly to you
• Promotions and sweepstakes
• Internal business purposes, including general business administration
• Develop new products or services
• Audit, compliance, legal, policy, procedure, and regulatory obligations
• Customer claims and fraud investigation and prevention
• Systems and data security 
• Protecting the safety of our employees and others
• Targeted Advertising
• Profiling

c. Sources of Personal Information

We may collect Personal Information about you from the following categories of sources.  

• Directly from you through your interactions with us, such as when we collect self-reported information. 

• Through Cookies and other tracking technologies, as discussed in more detail in Cookies and Other Tracking Technologies (Section 5 of this Policy). 
• Through linked wearable devices connected to our Services (which may include historical data related to your use of the wearable devices).
• From our Lab and Provider Partners, with your permission and in accordance with applicable law.  
• From other third parties, including our third party service providers, business and marketing partners, affiliates, analytics providers, ad network providers, ad agencies, and advertisers. 
• From third parties that you choose (such as lab providers). 
• From government agencies or public records.
• From social media and other content platforms. 

We may supplement such information with information we obtain from other sources, including from both online and offline information providers.

d. To Whom We Disclose Personal Information

We limit our disclosure of the categories of Personal Information above to our affiliates, service providers, payment processors, advertising partners, professional advisors, authorities and others, business transferees for one or more business purposes. “Business purposes,” for the purposes of this California Privacy Notice,  means the reasonably necessary and proportionate use of Personal Information for our operational purposes, other purposes described in this Privacy Policy, for the operational purposes of our service providers and contractors, as well as other purposes compatible with the context in which the Personal Information was collected.

We do not and have not “sold” (as that term is defined under applicable law) Personal Information to third parties for any monetary value.  We do gather Personal Information from consumers via Cookies as part of our targeted advertising initiatives, which is technically considered a “sale” and/or “share” of Personal Information under California law, even though we do not receive monetary payment for sharing or disclosing Personal Information to these third parties. In this connection, during last 12 months (from the last updated date listed at the top of this Privacy Policy), we have “sold” or “shared” the following categories of Personal Information as those terms are defined under the CCPA:

• Identifiers
• Commercial information
• Internet or other electronic network activity information 

If you wish to opt-out of the “sale”/“sharing” of Personal Information that is gathered via Cookies when you visit our websites and/or use our Services, please exercise your preferences to do so using “Your Privacy Choices” link that is available at the bottom of our websites or by following the further instructions at Section 11(f) below.

As those terms are defined by California law, we do not “sell” or “share” your Lab Results or any other Self-Reported Health Information without your express, affirmative consent.

e. Your California Privacy Rights

If you are a California resident, you may have the following rights under applicable California law subject to applicable law:

• Right to know and access. You have the right to know what Personal Information we collect, use, disclose, and sell and/or share, as those terms are defined under applicable law. You may ask us to provide you a portable copy of this information up to two times in a rolling twelve-month period.
• Right to delete and erase. You have the right to request under certain circumstances that we, as well as our service providers and contractors, delete the Personal Information that we collect about you.
• Right to correct inaccurate Personal Information. You have the right to request the correction of inaccurate Personal Information.
• Right to non-discrimination. You have the right not to receive discriminatory treatment for the exercise of the privacy rights described above.
• Right to opt out of sale and/or sharing. You have the right to opt-out of the sale and/or sharing of your Personal Information by a business. 
• Right to limit use and disclosure. You have the right to limit the use or disclosure of your sensitive Personal Information to only the uses necessary for us to provide goods or services to you. We will not use or disclose your sensitive Personal Information after you have exercised your right unless you subsequently provide consent for the use of your sensitive Personal Information for additional purposes. 
• Sharing with third parties for their own direct marketing purposes. We do not disclose Personal Information to third parties for their own purposes without your consent.  If you wish to request information regarding such practices under California’s “Shine the Light” Law, please Contact Us. You must include your full name, email address, and postal address in your email or mail request so that we can verify your California residence and respond.
  
  

How to exercise your rights. You may exercise any of the rights described in this section by following the instructions in Section 10, supra (“Your Privacy Rights”).

f. Notice of Right to Opt-Out of Sale/Sharing

You have the right to opt-out of the sale and/or sharing of your Personal Information by a business. As noted above, we may “sell” and/or “share” your Personal Information for purposes of cross-context behavioral advertising. You may opt-out by following the instructions in Section 10, supra (“Your Privacy Rights”).

You can opt out of such sale or sharing by clicking the Your Privacy Choices link at the bottom of our website and selecting your preferences. You may also opt out by broadcasting an Opt-Out Preference Signal, such as the Global Privacy Control (GPC). To download and use a browser supporting the GPC browser signal, click here or visit: https://globalprivacycontrol.org/orgs. Please note that if you do not have an account with us or if you are not logged into your account, your opt out request will be linked to your browser identifier only and not linked to any account information, because the connection between your browser and your account is not known to us. 

We also encourage you to utilize the Cookie preferences options that appear in the Cookie banner on the Services.  Finally, you may also visit the websites of the Network Advertising Initiative and the Digital Advertising Alliance's Self-Regulatory Program for Online Behavioral Advertising for more information about opting out of seeing targeted digital advertisements and how to opt bank in if desired. You may also learn about your options to opt-out of mobile app tracking by certain advertising networks through your device settings.

We do not knowingly sell or share the Personal Information of minors under 16 years of age without legally-required affirmative authorization. If you are a parent or guardian and you believe that your child has provided us with information without your consent, please review the Children’s Privacy section and contact us by email at legal@functionhealth.com.  

g. Retention of Personal Information

We will retain your Personal Information only for as long as is necessary for the purposes set out in this Policy. We will retain and use your Personal Information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. 

We will also retain certain Personal Information for internal analysis purposes. This information is generally retained for a shorter period, except when this data is used to strengthen the security or to improve the functionality of our Services, or we are legally obligated to retain this data for longer time periods. 

Our determination of precise retention periods will be based on (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position, including regard to applicable statutes of limitations, litigation or regulatory investigations.

h. Do Not Track

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

12. Nevada Privacy Notice

While we do not “sell” Personal Information as defined by Nevada Law, Nevada residents nonetheless have the right to request to opt out of any future “sale” of their Personal Information under Nevada SB 220 and SB 370. If you are a Nevada resident and would like to make such a request, please follow the instructions in Section 10, supra (“Your Privacy Rights”). You must include your full name, email address, and postal address in your email or mail request so that we can verify your Nevada residence and respond. In the event we sell your Personal Information after the receipt of your request, we will make reasonable efforts to comply with such request.

Additionally, SB 370 provides Nevada residents with rights to receive certain disclosures and access regarding the collection, use, sale, and sharing of Consumer Health Data. For information regarding the Consumer Health Data that we collect, how we use it, what sources it is derived from, to whom we disclose it, as well as the rights of Nevada residents and our responsibilities under SB 370, please see our Consumer Health Data Privacy Policy.   

13. Privacy Notice for Residents of Other U.S. States

This Privacy Notice contains additional information for residents of Colorado, Connecticut, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia about personal data that we collect, how we use it, what sources it is derived from, and who we disclose it to, and provides information regarding your rights, and our responsibilities, under applicable laws and regulations to the extent such laws and regulations govern Function Health. For the purposes of this section, “personal data” means information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information. This section does not apply to (i) the extent Function Health is not governed by privacy laws in these states or (ii) personal data that is already subject to certain federal and state regulations, such as protected health information, where such laws do not apply to such data.  

The provisions contained within this section are intended to provide notices under the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Privacy Act, the Oregon Consumer Data Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act (collectively, the “State Privacy Laws”) to the extent any such State Privacy Law applies to Function Health. 

The State Privacy Laws provide or will provide rights to residents of Colorado, Connecticut, Delaware (beginning January 1, 2025), Iowa (beginning January 1, 2025), Montana (beginning October 1, 2024), Nebraska (beginning January 1, 2025), New Hampshire (beginning January 1, 2025), New Jersey (beginning January 15, 2025), Oregon, Texas, Utah, and Virginia respectively, to receive certain disclosures and access regarding collection, use, sale, and sharing of personal data.

a. Our Personal Data Practices

The State Privacy Laws provide rights to residents of those states, to receive certain disclosures and access regarding collection, use, sale, and sharing of personal data.  Detail about what kinds of personal data we may collect or have collected, how we collect it, why we collect it, and who we may disclose it to is found in the “Personal Information We May Collect, Use, and Disclose”; “Sources of Personal Information”; and “Disclosure of Personal Information” sections of this policy.  

We do not and have not sold Personal Information to third parties for any monetary value.  We do gather Personal Information via Cookies for the purposes targeted advertising; however, we do not sell or share your Lab Results or any other Self-Reported Health Information without your express, affirmative consent.

b. Your Privacy Rights 

If you are a resident Colorado, Connecticut, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia, you may have the following rights under applicable law in relation to your personal data, subject to certain exceptions: 

• Right to know and access. You have the right to know what personal data we collect, use, disclose, and/or sell or share as those terms are defined under applicable law. You may ask us to provide you a portable copy of this information up to two times in a rolling twelve-month period.
• Right to delete and erase. You have the right to request under certain circumstances that we, as well as our service providers and contractors, delete the personal data that we collect about you.
• Right to correct inaccurate personal data. You have the right to request the correction of inaccurate personal data.
• Right to non-discrimination. You have the right not to receive discriminatory treatment for the exercise of the privacy rights described above.
• Right to opt out. You have the right to opt-out of targeted advertising, the sale of your personal data, and profiling decisions that could produce legal or similarly significant effects concerning the consumer.
• Rights concerning sensitive personal data. If you are a Connecticut, Colorado, Delaware, Montana, Nebraska, New Jersey, Oregon, Texas, or Virginia resident, we cannot and will not process your sensitive data (as defined by applicable law) or your sensitive data inferences, or use your personal data for certain purposes without your affirmative consent. If you are an Iowa or Utah resident, you have the right to opt out of having your sensitive personal data processed and/or used. 

The CTDPA provides Connecticut residents with additional rights to receive certain disclosures and access regarding the collection, use, sale, and sharing of Consumer Health Data, as defined below. For information regarding the Consumer Health Data that we collect, how we use it, what sources it is derived from, to whom we disclose it, as well as the rights of Connecticut residents and our responsibilities under the CTDPA, please see our Consumer Health Data Privacy Policy.

How to exercise your rights. You may exercise any of the rights described in this section by following the instructions in Section 10, supra (“Your Privacy Rights”)

How to appeal decisions about your rights. You can appeal our decisions concerning privacy rights requests, as follows:

• Colorado residents. If you are a Colorado resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within forty-five (45) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Colorado’s Office of the Attorney General by phone at (720) 508-6000 or by submitting a form here.  

• Connecticut residents. If you are a Connecticut resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Connecticut’s Office of the Attorney General by phone at (860) 808-5420 or by submitting a form here.  
• Delaware residents. If you are a Delaware resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Delaware’s Department of Justice by phone at (302) 683-8800 or by submitting a form here.  
• Iowa residents. If you are an Iowa resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Iowa’s Office of the Attorney General by phone at (888) 777-4590 or by submitting a form here.  
• Montana residents. If you are a Montana resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Montana’s Office of the Attorney General by phone at (406) 444-4500 or by submitting a form here.  
• Nebraska residents. If you are a Nebraska resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Nebraska’s Office of the Attorney General by phone at (402) 471-2683 or by submitting a form here.  
• New Hampshire residents. If you are a New Hampshire resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact New Hampshire’s Office of the Attorney General by phone at (603) 271-3658 or by submitting a form here.  
• New Jersey residents. If you are a New Jersey resident and want to appeal our decision with regard to a request that you have made, please Contact Us.  Within forty-five (45) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact New Jersey’s Office of the Attorney General by phone at (800) 242-5846 or by submitting a form here.  
• Oregon residents. If you are an Oregon resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within forty-five (45) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision.  If the appeal is denied, you may contact Oregon’s Office of the Attorney General by phone at (877) 877-9392 or by submitting a form here.  
• Texas residents. If you are a Texas resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision.  If the appeal is denied, you may contact Texas’s Office of the Attorney General by phone at (800) 621-0508 or by submitting a form here.  
• Virginia residents. If you are a Virginia resident and want to appeal our decision with regard to a request that you have previously made, please Contact Us or notify the Office of the Attorney General of Virginia online here. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Virginia’s Office of the Attorney General by phone at (804) 786-2071, written correspondence to 202 North 9th Street, Richmond, Virginia 23219, or online here.

14. Changes to This Privacy Policy 

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page or other appropriate means.      Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). We recommend reviewing this Privacy Policy periodically for any changes.      Your use of the Service after the effective date of any modified Privacy Policy indicates your acknowledging that the modified Privacy Policy applies to your interactions with the Service and our business.

You may view the prior version of our Privacy Policy here.

15. Contact Us 

Please contact legal@functionhealth.com if you have any questions about this Privacy Policy. We are open to feedback around our privacy policies and practices. Because email communications are not always secure, please do not include any sensitive information in your email to us. You can also write to us at: 600 Congress Ave, 14th Floor, Austin, TX 78701.