Function Health

Privacy Policy

Last Updated: August 1, 2025

This Privacy Policy describes how Function Health, Inc. and its corporate affiliates (collectively, “Function,” “we,” “us” or “our”) process personal information that we collect or otherwise generate through our digital or online properties or services that link to this Privacy Policy (including as applicable, our website, mobile applications, social media pages) as well as our marketing activities, live events and other activities described in this Privacy Policy (collectively, the “Service”). Function may provide to individuals supplemental or separate privacy policies for specific products or services that we offer including those at the time we collect personal information (also known as “just-in-time” disclosures). For example, for information about how our corporate affiliate Ezra AI, Inc. processes personal information, please see Ezra’s privacy policy, available at https://ezra.com/privacy.

Function may process personal information that identifies your past, present, or future health or mental health status, or that otherwise constitutes “consumer health data” or equivalent terms as defined by applicable US state laws (“Consumer Health Data”). To the extent such laws apply to your Consumer Health Data, please see our Consumer Health Data Privacy Policy, which supplements this Privacy Policy.

This Privacy Policy does not apply to personal information that we process on behalf of our enterprise customers while providing Function services to them. For example, to the extent that we receive your personal information from your employer related to your eligibility for our Service, our use of that personal information may be governed by our agreements (including, as applicable, a business associate agreement) with the relevant enterprise customer. If you have questions regarding your personal information that we process on behalf of an enterprise customer, please direct your questions to the relevant enterprise customer.

The personal information we collect may differ depending on your relationship with us. For example, if you are a representative of a prospective enterprise customer, we will collect limited personal information in comparison to if you were a Function member who obtains tests through Function. Please consider your relationship with us in the context of reading this Privacy Policy.

Index

Guiding Privacy Principles
Personal information we collect
How we use your personal information
How we share your personal information
Your choices
Other sites and services
Security
International data transfers
Retention
Children
Changes to this Privacy Policy
How to contact us

Guiding Privacy Principles

We built Function for families, ourselves and you. Your privacy is one of our top priorities. We empower you to take control of your health and that includes having control of certain aspects of your personal information. While Function and its corporate affiliates may operate as a “business associate” as the Health Insurance Portability and Accountability Act (“HIPAA”) defines that term, HIPAA does not apply to all personal information that we process. Regardless, we leverage measures designed to protect and process your personal information in accordance with our guiding privacy principles below and as otherwise stated in this Privacy Policy. Please read the Privacy Policy in full to understand our personal information practices.

Your identity is not for sale for money. In the ordinary course of our daily operations, we do not disclose your personal information to third parties in exchange for money. For more information on how we may disclose your personal information, please see the How we share your personal information.
We limit the information we collect and retain. We collect personal information to provide you with our products and Services. We retain your personal information for the period of time necessary to fulfill the purposes for which we collected it, including delivering requested products and Services, protecting the interests of our members, and for the period of time required by law.
We limit the manners in which we share your test results with third parties. In order to deliver our product and Services to you, it may be necessary for us to provide certain information to our lab and other provider partners. We limit how such recipients may use your personal information.

Personal information we collect

Information you provide to us or that we generate about you. Depending on how you interact with the Service, the personal information you may provide to us through the Service or that we generate about you or otherwise may include:

Contact data, such as your first and last name, salutation, email address, billing and mailing addresses, and phone number.
Demographic data, such as your city, state, country of residence, postal code, age, date of birth, gender or gender identity, racial or ethnic identity, assigned sex at birth, and sexual orientation.
Account data, such as the username and password that you may set to establish an online account on the Service, date of birth, biographical details, photograph or picture, links to your profiles on social networks, preferences, information about your participation in our promotions or surveys, and any other information that you add to your account profile.
Service-eligibility data, if you are accessing the Service as part of an enterprise customer-provided benefit, you may provide us with relevant information such as your employer or other enterprise customer name, eligibility data, and relevant enterprise customer identification number.
Health-related data, such as mental or physical history, conditions and diagnoses, treatments, medications, medical images, biomarkers, lab samples, lab results, clinical notes, and other physical or mental health information. This may include personal information that you provide directly to us when you complete electronic forms designed for you to self-report your physical or mental health status, upload medical records, or link a wearable or Internet of Things device to our Services.
Genetic data, certain of the lab tests available through the Service may produce data that relates to inherited characteristics.
Audiovisual recording data, such as video and audio recordings of you.
Transactional data, such as information relating to or needed to complete your orders on or through the Service, including order numbers and transaction history.
Communications data based on our exchanges with you, including when you contact us through the Service, chat features, social media, or otherwise.
Relationship data, such as familial or other relationship to third parties whose personal information you may provide to us.
Payment data needed to complete transactions, including payment card information or bank account number.
Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.
User-generated content data, such as photos, images, music, videos, comments, questions, messages, and other content or information that you generate, transmit, or otherwise make available on the Service, as well as associated metadata. Metadata includes information on how, when, where and by whom a piece of content was collected and how that content has been formatted or edited. Metadata also includes information that users can add or can have added to their content, such as keywords, geographical or location information, and other similar data.
Derived data, such as inferences about you that we derive or otherwise infer from your personal information.
Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Third-party sources. We may combine personal information we receive from you with personal information we obtain from other sources, such as:

Public sources, such as government agencies, public records, social media platforms, and other publicly available sources.
Private sources, such as data providers and social media platforms.
Linked third-party services, such as Google or other third-party service that you use to log into, or otherwise link to, your Service account. This data may include your username, profile picture and other information associated with your account on that third-party service that is made available to us based on your account settings on that service.
Linked third-party devices, such as wearable or Internet of Things devices that you link to your Service account. This data may include your username, profile picture and other information associated with your account on that third-party service that is made available to us based on your account settings on that service. This may include your device’s health app information historical data related to your use of the wearable device.
Lab and provider partners, including third party healthcare services providers, laboratory services providers, and other providers of medical and medical-adjacent services.
Our enterprise customers, such as employers, gyms and other entities that may provide us with your personal information.
Our corporate affiliates.
Marketing partners, such as joint marketing partners.
Service providers that provide services on our behalf or help us operate the Service or our business.
Third parties that you designate such as lab providers with whom we do not have a contractual relationship.
Business transaction partners. We may receive personal information in connection with an actual or prospective business transaction. For example, we may receive your personal information from an entity we acquire or are acquired by, a successor, or assignee or any party involved in a business transaction such as a merger, acquisition, sale of assets, or similar transaction, and/or in the context of an insolvency, bankruptcy, or receivership.

Automatic data collection. We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Service, our communications and other online services, such as:

Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.
Precise geolocation data when you authorize our mobile application to access your device’s location.
Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.
Communication interaction data such as your interactions with our email, text or other communications (e.g., whether you open and/or forward emails) – we may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails.

Cookies and similar technologies. Some of the automatic collection described above is facilitated by the following technologies:

Cookies, which are small text files that websites store on user devices and that allow web servers to record users’ web browsing activities and remember their submissions, preferences, and login status as they navigate a site. Cookies used on our sites include both “session cookies” that are deleted when a session ends, “persistent cookies” that remain longer, “first party” cookies that we place and “third party” cookies that our third-party business partners and service providers place.
Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications.
Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.
Chat technologies, such as those provided by Intercom and Decagon that employ software code to operate the chat features that you can use to communicate with us through the Service. Intercom, Decagon and other third parties may access and use information about webpages visited on our website, your IP address, your general geographic information (e.g., city, state), and other personal information you share through online chats for the purposes described in this Privacy Policy.

How we use your personal information

We may use your personal information for the following purposes or as otherwise described at the time of collection:

Service delivery and operations. We may use your personal information to:

provide, operate and improve the Service and our business;
personalizing the service, including remembering the devices from which you have previously logged in and remembering your selections and preferences as you navigate the Service;
establish and maintain your user profile on the Service;
enable security features of the Service, such as by sending you security codes via email, and remembering devices from which you have previously logged in;
communicate with you about the Service, including by sending Service-related announcements, updates, security alerts, and support and administrative messages;
communicate with you about events or contests in which you participate;
understand your needs and interests, and personalize your experience with the Service and our communications; and
provide support for the Service, and respond to your requests, questions and feedback.

Service personalization. We may use your personal information to personalize the Service for you, which may include using your personal information to:

understand your needs and interests;
personalize your experience with the Service and our Service-related communications; and
remember your selections and preferences as you navigate the Service.

Insights and development. We may use your personal information for insights (including research) and development purposes, including to analyze and improve the Service and our business and to develop new products and services.

Marketing and advertising. We, our service providers and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes:

Direct marketing. We may send you direct marketing communications (including in relation to our products and those of others) and may personalize these messages based on your needs and interests. You may opt-out of our marketing communications as described in the Opt-out of marketing section below.
Interest-based advertising. Our third-party advertising partners may use cookies and similar technologies to collect information about your interaction (including the data described in the automatic data collection section above) with the Service, our communications and other online services over time, and use that information to serve online ads that they think will interest you. This is called interest-based advertising. We may also share information about our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms. We do not use health-related information or genetic data for interest-based advertising.
Testimonials. We may use your feedback to post comments about your experience with any Service on the website, in our marketing and promotional materials.

Promotions and contests. We may use your personal information to administer promotions and contests and to communicate with you about any such promotions or contests in which you participate.

Service improvement and analytics. We may use your personal information to analyze your usage of the Service, improve the Service, improve the rest of our business, help us understand user activity on the Service, including which pages are most and least visited and how visitors move around the Service, as well as user interactions with our emails, and to develop new products and services.

Compliance and protection. We may use your personal information to:

comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas, investigations or requests from government authorities;
protect our, your or others’ rights, privacy, health, safety or property (including by making and defending legal claims);
audit our internal processes for compliance with legal and contractual requirements or our internal policies;
enforce the terms and conditions that govern the Service; and
prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

Data sharing in the context of corporate events, we may share certain personal information in the context of actual or prospective corporate events.

With your consent. In some cases, we may specifically ask for your consent to collect, use or share your personal information, such as when required by law.

To create aggregated, de-identified and/or anonymized data. We may create aggregated, de-identified and/or anonymized data from your personal information and other individuals whose personal information we collect. We make personal information into de-identified and/or anonymized data by removing information that makes the data identifiable to you. Except as required or permitted by applicable law, we will not attempt to re-identify any data that has been aggregated, de-identified and/or anonymized. We may use this aggregated, de-identified and/or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service, promote our business, and for research purposes.

Cookies and similar technologies. In addition to the other uses included in this section, we may use the Cookies and similar technologies described above for the following purposes:

Technical operation. To allow the technical operation of the Service, such as by remembering your selections and preferences as you navigate the site, and whether you are logged in when you visit password protected areas of the Service.
Functionality. To enhance the performance and functionality of our services.
Analytics. To help us understand user activity on the Service, including which pages are most and least visited and how visitors move around the Service, as well as user interactions with our emails. For example, we may use Google Analytics for this purpose. You can learn more about Google Analytics and how to prevent the use of Google Analytics relating to your use of our sites here: https://tools.google.com/dlpage/gaoptout?hl=en.

How we share your personal information

We may share your personal information with the following parties and as otherwise described in this Privacy Policy, in other applicable notices, or at the time of collection.

Affiliates. Our corporate subsidiaries and affiliates.

Service providers. Third parties that provide services on our behalf or help us operate the Service or our business (such as online chat functionality providers (including those that leverage generative AI technologies), hosting, information technology, customer support, email delivery, marketing, consumer research and website analytics).

Payment processors. Any payment card information you use to make a purchase on the Service is collected and processed directly by our payment processors, such as Stripe. Stripe may use your payment data in accordance with its privacy policy, https://stripe.com/privacy.

Research partners. We may share personal information with research partners to conduct research.

Advertising partners. Third-party advertising companies for the interest-based advertising purposes described above. We do not provide health-related information or genetic data to such advertising partners.

Lab and provider partners. We may share your personal information with healthcare services providers, laboratory services providers, and other providers of medical and medical-adjacent services.

Enterprise customers. We may share certain limited personal information with the relevant enterprise customers through which you received access to the Services (i.e., if you redeemed the benefit). We do not provide health-related information or genetic data to enterprise customers.

Third parties designated by you. We may share your personal information with other third parties where you have instructed us or provided your consent to do so. For example, we may also share personal information, with your medical provider (and/or their affiliated organization).

Business and marketing partners. Third parties with whom we jointly offer products or services, or whose products or services may be of interest to you.

Linked third-party services or devices. If you log into the Service with a third-party service such as Google, or choose to link a wearable or Internet of Things device to your Service account, we may share your personal information with that third-party service. The third party’s use of the shared information will be governed by its privacy policy or other relevant terms and the settings associated with your account with the third-party service.

Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the Compliance and protection purposes described above.

Business transferees. We may disclose personal information in the context of actual or prospective business transactions (e.g., investments in or financings of Function, public stock offerings, or the sale, transfer or merger of all or part of our business, assets or shares), for example, we may need to share certain personal information with prospective counterparties and their advisers. We may also disclose your personal information to an acquirer, successor, or assignee of Function as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal information is transferred to one or more third parties as one of our business assets.

Other users and the public. Certain user-generated content and other data you submit to us may be visible to other users and the public, such as when you post comments in publicly accessible parts of the Service or provide a testimonial that is intended to be public. This information can be seen, collected and used by others, including being cached, copied, screen captured or stored elsewhere by others (e.g., search engines), and we are not responsible for any such use of this information.

Your choices

Access or update your information. If you have registered for an account with us through the Service, you may review and update certain account information by logging into the account.

Opt-out of communications. You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.

If you receive text messages from us, you may opt out of receiving further text messages from us by replying STOP to our message.

For marketing that you have consented to receive based on your health-related data and/or genetic data, you can control how we market to you by contacting us at privacy@functionhealth.com.

Cookies. Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, the Service may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit www.allaboutcookies.org. You can also configure your device to prevent images from loading to prevent web beacons from functioning.

Advertising choices. You may be able to limit use of your information for interest-based advertising through the following settings/options/tools:

Browser settings. Changing your internet web browser settings to block third-party cookies.
Privacy browsers/plug-ins. Using privacy browsers and/or ad-blocking browser plug-ins that let you block tracking technologies.
Platform settings. Google and Facebook offer opt-out features that let you opt-out of use of your information for interest-based advertising. You may be able to exercise that option at the following websites:
- Google: https://adssettings.google.com/
- Facebook: https://www.facebook.com/about/ads
Ad industry tools. Opting out of interest-based ads from companies that participate in the following industry opt-out programs:
- Network Advertising Initiative: http://www.networkadvertising.org/managing/opt_out.asp
- Digital Advertising Alliance: optout.aboutads.info.
Mobile settings. Using your mobile device settings to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.

You will need to apply these opt-out settings on each device and browser from which you wish to limit the use of your information for interest-based advertising purposes.

We cannot offer any assurances as to whether the companies we work with participate in the opt-out programs described above.

Blocking images/clear gifs: Most browsers and devices allow you to configure your device to prevent images from loading. To do this, follow the instructions in your particular browser or device settings.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Mobile location data. You can disable our access to your device’s precise geolocation in your mobile device settings.

Declining to provide information. We need to collect personal information to provide certain services. If you do not provide the information we identify as required or mandatory, we may not be able to provide those services.

Privacy rights. Depending on the applicable law, you may have certain rights with respect to your personal information (for example, if you reside in a state that provides you with rights in relation to genetic data). These rights may include rights to request access, delete and/or destroy genetic data and biological samples from which genetic data may be derived. To exercise potentially available privacy rights, please contact us at privacy@functionhealth.com. Not all rights are absolute and we may deny your requests to exercise such rights in accordance with applicable laws.

Linked third-party platforms. If you log into the Service with a third-party service such as Google, or choose to link a wearable or Internet of Things device to your Service account, you may be able to use your settings in your account with that platform to limit the information we receive from it. If you revoke our ability to access information from such third-party platform, that choice will not apply to information that we have already received from that third party.

Other sites and services

This Privacy Policy does not apply to third-party websites, applications, products, services or other properties even if they may link to our Service or we may refer you to such third parties as part of our Service. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links, relationships and other integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites, mobile applications and services you use.

Security

We employ technical, organizational and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information.

International data transfer

We are headquartered in the United States and may use service providers that operate in other countries. Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.

Retention

We generally retain personal information to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes. To determine the appropriate retention period for personal information, we may consider factors such as the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

When we no longer require the personal information we have collected about you, we may either delete it, anonymize it, or isolate it from further processing.

Children

The Service is not intended for use by anyone under 18 years of age. If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us. If we learn that we have collected personal information through the Service from a child without the consent of the child’s parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acknowledging that the modified Privacy Policy applies to your interactions with the Service and our business.

How to contact us

If you have questions about our personal information practices or if you would like to exercise any privacy-related right that may be available to you, please contact us via the method listed below.

Email: privacy@functionhealth.com

‍

Privacy Policy

Effective Date: May 19th, 2025

Last Updated Date: May 19th, 2025

California Notice at Collection: See the California Privacy Notice section below for information about your rights, to the extent applicable, under governing law.

FUNCTION’S GUIDING PRIVACY PRINCIPLES

Function Health was built for our families, ourselves, and you. Your privacy is one of our top priorities. We empower you to take control of your health, and that includes having control of certain aspects of your Personal Information. Please read the Privacy Policy in full to understand all of our Personal Information practices as we set out our guiding privacy principles immediately below.

Your identity is not for sale for money. We do not disclose your Personal Information to third parties in exchange for money.
We limit the information we collect and retain. We collect Personal Information to provide you with our products and Services. We retain your information for the period of time necessary to fulfill the purposes for which we collected it, including delivering requested products and Services, protecting the interests of our members, and for the period of time required by law.
We limit the manners in which we share your test results with third parties. In order to deliver our product and services to you, it may be necessary for us to provide certain information to our Lab and Provider Partners. We will do so when such recipients agree to limitations regarding the use of your personal information.

We encourage you to review the rest of this Privacy Policy to learn more about Function’s transparent privacy practices.

PRIVACY POLICY

This Privacy Policy governs how Function Health, Inc. and its corporate affiliates (collectively, “Function”, “Company”, “we”, “our”, “us”) collects, stores, and uses your Personal Information (as defined below), as well as other data and information arising out of and/or relating to you and/or your use of our Services – which include without limitation your use of the website www.functionhealth.com (the “Site”) and any other technologies, features, websites, mobile applications, content, and other services we offer (collectively, the “Services”). We may also provide you with “just-in-time” disclosures, supplemental terms and/or clarifications, further options, and additional information pertaining to our collection, storage, and usage of Personal Information, and other data and information.

Function may also collect, store, and use Personal Information regarding you that is linked or reasonably linkable to you and that identifies your past, present, or future health status or mental health status, as may be applicable (“Consumer Health Data”). This Privacy Policy provides information about how we collect Consumer Health Data, how we use it, what sources it is derived from, to whom we disclose it and how we otherwise process it. In addition, if you are a resident of Connecticut, Nevada, or Washington, we provide further information about your Consumer Health Data, as well as the rights you may have related to this data, in our Consumer Health Data Privacy Policy which is hereby incorporated by reference into this Privacy Policy as though herein completely stated.

This Privacy Policy does not apply to third-party websites, applications, products, services, or other properties, even if they may link to our Site or our Site may link to them. We recommend you review the privacy practices of those third parties before connecting with and/or accessing third-party offerings, and before sharing any Personal Information with those third parties .

To keep things simple, we use the same capitalized terms as those set forth in our Terms of Service, linked here, unless otherwise indicated herein. In the event of a conflict between our Privacy Policy and our Terms of Service, the latter will control.

Contents. It is important that you read and understand the entire Privacy Policy before using our Services. For ease of review, below is a table of contents that links to each section. Please note that the complete provisions and not the headings shall govern. You can click on the headings to be taken to the full explanation. You can download a printable copy of this Privacy Policy here.

‍

Personal Information We May Collect, Use, and Disclose
We collect, use, and disclose information that may be used to uniquely identify you in various ways in accordance with applicable law.

Sources of Personal Information
We may collect Personal Information from various sources.

Disclosure of Personal Information
In limited circumstances, we may disclose your Personal Information to certain third parties. We describe those circumstances and related protections below. Please Note: under no circumstances will we disclose your Lab Results or certain of your Self-Reported Health Information to any third-party for its own advertising or marketing purposes.

Aggregated, Deidentified, or Anonymized Information
We may create aggregated, deidentified, or anonymized information from Personal Information by removing certain components of your information.

Cookies and Tracking Technologies
Certain cookie data may be shared with third parties for advertising or other purposes, and we give you certain options, as applicable, to opt-out of such sharing on our website.

Data Security
We use technical and organizational measures designed to protect your Personal Information.

Data Retention
We will retain your Personal Information only for as long as is necessary for the purposes set out in this Privacy Policy.

International Transfers of Your Personal InformationYour Personal Information may be transferred to the U.S. and other countries.

Children's Privacy
Our Site and Services are not intended for use by children under the age of 18

Your Privacy Rights
We provide additional disclosures and rights to residents of certain U.S. states.

California Privacy Notice
We provide additional disclosures and rights to California residents.

Nevada Privacy Notice
We provide additional disclosures and rights to Nevada residents.

Privacy Notice for Residents of Other U.S. States
We provide additional disclosures and rights to residents of certain other U.S. states.

Changes to This Privacy Policy
Changes to this Privacy Policy will become effective on the date identified in the Privacy Policy.

Contact Us
You may contact us for comments or questions in various ways.^[f]

1. Personal Information We May Collect, Use, and Disclose

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identifiable individual. Personal Information includes “personal data” as that term is defined in applicable privacy laws. Personal Information does not include “Publicly Available Information”; lawfully obtained, truthful information that is a matter of public concern; information that has been de-identified; or aggregate consumer information. “Publicly Available Information” includes: information that is made available from federal, state, or local government records; information that a business has a reasonable basis to believe is lawfully available to the general public, either through widely distributed media, or by the consumer; and information that is made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Self-Reported Health Information” refers to Personal Information that relates to your physical or mental health and that you provide directly to us when you complete electronic forms designed for you to self-report your physical or mental health status, upload medical records, or link a wearable or Internet of Things device to our Services. For clarity, Self-Reported Health Information does not include other information such as (i) purchase data; or (ii) information collected via tracking technologies (e.g. cookies, web beacons) on unauthenticated pages on our websites.

We may disclose non-Personal Information, such as aggregated user statistics, to third parties.

In the table below, we set out the categories of Personal Information that we may collect, how we may use such Personal Information, and the categories of third parties to whom we may disclose such Personal Information where such disclosure may be considered a “sale” or “share” of Personal Information.

Category of Personal Information	Processing Purposes	Categories of Third-Party Recipients to whom we “sell” or with whom “share” Personal Information
Identifiers, including ● Name ● Address ● Email address ● Phone number ● Date of birth ● Account username ● Certain social media account information including user ID ● IP address ● Unique device identifiers ● Mobile app identifiers ● Device operating system information	● Communicate with you and provide information ● Provide customer service ● Perform identity and age verification as required under applicable law ● Provide and maintain our Services ● Facilitate interactive features ● Develop new products or services ● Internal analytics ● Market our products and Services directly to you ● Market the products and services of others directly to you ● Promotions and sweepstakes ● Internal business purposes, including general business administration ● Audit, compliance, legal, policy, procedure, and regulatory obligations ● Customer claims and fraud investigation and prevention ● Systems and data security ● Protecting the safety and rights of our employees and others ● Targeted Advertising ● Profiling ● Sharing in the context of corporate events ●To create aggregated, de-identified and/or anonymized data ● Any other purpose consistent with your consent and expressed preferences	● Third party advertising platforms We do not provide Lab Results or Self-Reported Health Information to these recipients.
Commercial information, including ● Information about your interests and preferences	● Same purposes as noted for “Identifiers”	● Third party advertising platforms. We do not provide Lab Results or Self-Reported Health Information (defined below) to these recipients.
Financial information, including ● Bank account number ● Credit card number ● Debit card number ● Any other financial information	● Provide and maintain our Services ● Internal business purposes, including general business administration	● N/A
Internet or other electronic network activity information, including ● Browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages ● Content and information about your communications through the Services (including via chat features) ● Information using cookies and tracking technologies ● Mobile operating system information ● Mobile internet browser type ● Diagnostic data ● Cell network data	● Same purposes as noted for “Identifiers”	● Same third parties as noted for “Identifiers”
Geolocation Data, including ● Global Positioning System (“GPS”) data ● Locational information based upon your IP address	● Same purposes as noted for “Identifiers”	● N/A
Professional or employment-related information ● Employer name ● Employment history ● Professional licenses or registrations ● Employment identification number	● Facilitate interactive features ● Internal analytics ● Market our products and Services directly to you ● Market the products and services of others directly to you ● For internal business purposes, including general business administration	● The applicable employer and/or professional services provider to the extent that you receive access to our Services as an employment benefit. ● Third party advertising platforms. ● We do not provide Lab Results or Self-Reported Health Information to these recipients.
Audio, electronic, visual, or similar information, including ● Any original textual content, audio recordings, photos, videos, music, and other media you may share on our Services. ● Your name, voice, and/or likeness when you participate in sweepstakes, contests, promotions, and other Company programs	● Same purposes as noted for “Identifiers”	● N/A
Characteristics of protected classifications, including: ● Age ● Date of birth or age range ● Gender or gender identity ● Marital status ● Military or veteran status ● National origin ● Criminal history or records ● Income level ● Racial or ethnic origin ● Sexual orientation ● Disability status or necessary accommodations	● Same purposes as noted for “Identifiers”	● N/A
Sensitive Personal Information or sensitive data, including: ● Account log-in information ● Genetic data ● Mental or physical health condition or diagnosis ● Personal Information collected and analyzed concerning health ● Consumer Health Data (Residents of Connecticut, Nevada, and Washington should see our Consumer Health Data Privacy Policy for further terms and conditions applicable to Consumer Health Data.)	● Same purposes as noted for “Identifiers”	● N/A
Inferences about you using any of the above	● Any of the above purposes	● N/A

Please note that because of the overlapping nature of certain of the categories of Personal Information identified above, which may be required by state law, some of the Personal Information we collect may be reasonably classified under multiple categories. Further, we may disclose all Personal Information, for our business purposes, to (i) service providers; (ii) professional advisors (such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us); (iii) authorities and others (such as law enforcement, government authorities and private parties, as we believe in good faith to be necessary or appropriate); and (iv) business transferees (such as in the context of actual or prospective business transactions). For more information on to whom we may disclose your Personal Information, please see the section Disclosure of Personal Information.

2. Sources of Personal Information

We may collect Personal Information about you from the following categories of sources:

From corporate affiliates
Directly from you through self-reported information, i.e. directly from you through your interactions with us, including without limitation when you use the Site or Services (e.g. creating an account with us, completing electronic forms, uploading medical records, linking a wearable device to our Services) or otherwise contact us via chat, email, phone, or text.
Through cookies and other tracking technologies, as discussed in more detail in Cookies and Other Tracking Technologies (Section 5 of this Policy).
Through linked wearable devices connected to our Services (which may include historical data related to your use of the wearable devices).
From third party healthcare service providers, laboratory service providers, and other providers of medical and medical-adjacent services (our “Lab and Provider Partners”), with your permission and in accordance with applicable law and the context in which you provided the data.
From other third parties, including our third party service providers, business and marketing partners, affiliates, analytics providers, ad network providers, ad agencies, and advertisers.
From third parties that you choose (such as lab providers).
From government agencies or public records.
From social media and other content platforms.

3. Disclosure of Personal Information

Below is a simple chart designed to help you understand, at a general level, what information we will and will not share with third party tracking technology partners (including third party advertising platforms), followed by more details about our disclosure of your Personal Information:

We May Share:	We Won’t Share (Without Your Affirmative, Express Consent):
Internet or other electronic network activity information Browsing data	Lab Results
Click-based event data (such as purchase history, registration history, attempted log-ins to the Services and others)	Self-Reported Health Information
IP address Device information Hashed email addresses	Mental or physical health conditions or treatments Diagnoses or diagnostic testing, treatments, or medications Genetic data
	Clinical notes
	Any medical records you may provide us

In full, we may disclose Personal Information that we collect, generate or that you provide, to the following:

Our affiliates. We may share Personal Information among our affiliates to provide our Services, and for internal administrative purposes.
Our service providers. We share certain Personal Information with our service providers to provide services on our behalf, such as payment processing, analytics, hosting, marketing, customer and technical support (including online chat functionality providers that leverage generative AI technologies), professional advisors (such as our lawyers, auditors, bankers and insurers) and other services.
Our payment processing platforms. Payment card information you use to make a purchase on the Service is collected and processed directly by our payment processors such as Stripe. Stripe may use your payment-related data in accordance with its privacy policy, https://stripe.com/privacy.
Our Lab and Provider Partners. We have engaged with various third-party Lab and Provider Partners in connection with various facets of our Services. Such partnership may involve receiving and sharing Personal Information, including without limitation Consumer Health Data, with your permission in accordance with applicable law and the context in which you provided the data.
Third party platform advertisers. We will not disclose your Lab Results or Self-Reported Health Information without your express, affirmative consent. We may otherwise share certain information gathered through tracking technologies like cookies and web beacons with third-party platform providers . We also partner with third parties who use cookies to serve interest-based advertising and content on their respective third-party platforms that may be based on your preferences, location, and/or interests. As noted elsewhere, our websites implement measures designed not to collect or share interest-based advertising personal information for individuals accessing our Services who are located in Connecticut, Nevada, or Washington.
Third parties related to compliance and harm prevention. Under certain circumstances, we may be required to disclose your Personal Information if required to do so by law or in response to valid requests by public authorities, and/or in response to a threat of harm involving an individual’s health and/or safety. This may include law enforcement, government authorities and private parties.
Third parties related to a change of ownership or other corporate transformation. Notwithstanding anything to the contrary in this Privacy Policy or our Consumer Health Data Privacy Policy, if we or our subsidiaries are involved in an actual or potential merger, acquisition, asset sale, or other corporate transformation, your Personal Information – including without limitation your Lab Results and any and all other Self-Reported Health Information – may be transferred to the prospective, acquiring or surviving entity (and their respective representatives).
At your request, other persons or entities that are relevant to your care. At your request, we may also share Personal Information, such as your Lab Results (as defined in our Terms of Service), with your general practitioner, your specialist, or your provider’s health system.
Third parties designated by you. We may share your Personal Information with third parties where you have instructed us or provided your consent to do so such as when you choose to share results.
Other users and the public. If you choose to make your Personal Information available to others and the public through the Service, such as when you provide comments, reviews, survey responses or share other content, that Personal Information will be available to other users of the Service and the public. This information can be seen, collected and used by others, including being cached, copied, screen captured or stored elsewhere by others (such as search engines) and we are not responsible for any such use of this information.

We do not disclose your Personal Information to third parties in exchange for money.

4. Aggregated, Deidentified, or Anonymized Information

We may create aggregated, de-identified, or anonymized information from Personal Information by removing certain data components (such as your name, email address, or linkable tracking ID) that makes the data identifiable, or through aggregation, obfuscation or other means. For example, we may de-identify any information and data provided and/or generated in connection with your use of our Services (including without limitation your Lab Results and other Personal Information), in compliance with applicable law.

5. Cookies and Other Tracking Technologies

We use cookies and similar tracking technologies and analytics services to track activity on the Site and Services.

a. Cookies

Cookies are files with a small amount of data which may include unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies we may use include web beacons to track information and analyze the Services. Beacons (also known as pixel tags, clear GIFs) are small objects that are embedded in an image on a website; they can transmit information directly to Function, or to another person or entity of our designation. For the purposes of this Privacy Policy, cookies, beacons, and other such tracking technologies shall, collectively, be embraced by the term “Cookies.” You can instruct your browser to refuse certain Cookies or to indicate when a Cookie is being sent. However, if you do not accept certain Cookies, you may not be able to use some portions of our Service.

Examples of Cookies we use:

Strictly Necessary. We may use Cookies that we consider are strictly necessary to allow you to use and access our website, including Cookies required to prevent fraudulent activity, improve security or allow you to make use of shopping cart functionality.
Performance. We may use Cookies that are useful in order to assess the performance of our website, including as part of our analytic practices or otherwise to improve the content, products or Services offered through our website.
Functionality. We may use Cookies that are required to offer you enhanced functionality when accessing our website, including identifying you when you sign in to our website or keeping track of your specified preferences, including in terms of the presentation of content on our website.
Advertising. We may use Cookies to deliver content, including ads, relevant to your interests on our website and third party sites based on how you interact with advertisements or content.

**Although Function generally uses Cookies as described above, our websites implement measures designed to limit the types of Cookies (excluding Strictly Necessary Cookies) for individuals accessing our Services who are located in Connecticut, Nevada, or Washington.

b. Analytics

We may use Google Analytics or other service providers for analytics services. These analytics services may use Cookies and other tracking technologies to help us analyze how users use the Services. Information generated by these services (e.g., your IP address and other usage information) may be transmitted to and stored by Google Analytics and other service providers on servers in the U.S. (or elsewhere) and these service providers may use this information for purposes such as evaluating your use of the Service, compiling statistic reports on the Service’s activity, and providing other services relating to Service activity and other Internet usage. You may exercise choices regarding the use of Cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on.

c. Third-Party Ad Networks.

Certain companies may participate in the Digital Advertising Alliance ("DAA") AdChoices Program and may display an Advertising Option Icon for Interest-based Ads that links to an opt-out tool which allows you to exercise certain choices regarding targeting. You can learn more about the DAA AdChoices Program at http://www.youradchoices.com/ and its opt-out program for mobile apps at http://www.aboutads.info/appchoices.

In addition, certain advertising networks and exchanges may participate in the Network Advertising Initiative (“NAI”). NAI has developed a tool that allows consumers to opt out of certain Interest-based Ads delivered by NAI members' ad networks. To learn more about opting out of such targeted advertising or to use the NAI tool, see http://www.networkadvertising.org/choices/. Please be aware that, even if you are able to opt out of certain kinds of Interest-based Ads, you will continue to receive non-targeted ads. Opting out of one or more NAI or DAA members only means that those selected members should no longer under the DAA / NAI rules deliver certain targeted ads to you. This will affect this and other services, but does not mean you will no longer receive any targeted content and/or ads (e.g., from other ad networks). If your browsers are configured to reject Cookies when you visit this opt-out page, or you subsequently erase your Cookies, use a different device or web browser(s), or use a non-browser-based method of access (e.g., mobile app), your NAI / DAA browser-based opt-out may not, or may no longer, be effective. Mobile device opt-outs will not affect browser-based Interest-based Ads even on the same device, and you must opt-out separately for each device. We are not responsible for the effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs.

d. Chat and other artificial intelligence (“AI”) technologies.

We use services such as those provided by Intercom and other generative AI platform providers such as Meta and Decagon that leverage cookies and software code to operate the chat and interact with your inputs and prompts. This allows you to communicate with us including to input your prompts and other data through the Services. We, the providers referenced previously, and other third parties may access and use information about your webpages visited on our website, your IP address, your general geographic information (such as city, state) and other Personal Information you share and receive through the chat to facilitate the provision of the Services and as otherwise described in this Privacy Policy.

‍

6. Data Security

The security of your data is important to us but remember that no method of transmission over the Internet or method of electronic storage is completely secure. Function uses certain safeguards designed to protect the security and integrity of your Personal Information. If you complete a purchase with us, your financial information (as defined in Personal Information We May Collect, Use, and Disclose) will be processed by our payment processor.

7. Data Retention

We will retain your Personal Information for as long as is necessary to provide you with Services, to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. We will also retain certain Personal Information for internal analysis purposes. This information is generally retained for a shorter period but may be retained for longer periods of time when this data, for example, is used to strengthen the security or to improve the functionality of our Services, or we are legally obligated to retain this data for longer time periods. Our determination of precise retention periods will be based on (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position, including regard to applicable statutes of limitations, litigation or regulatory investigations.

8. International Transfers of Your Personal Information

Your information, including Personal Information, may be transferred to – and maintained on – information systems located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. If you are located outside of the United States and choose to provide information to us, please note that we transfer the data, including Personal Information, to the United States and process it there.

9. Children’s Privacy

Function’s Services are not intended for children under the age of eighteen (18) years and we do not knowingly collect Personal Information from such persons. If you become aware that a child has provided us with Personal Information, please contact us at legal@functionhealth.com, with the subject line “Minor Access”. If we become aware that we have collected Personal Information from children without verification of parental consent, we take steps to remove that information from our information systems.

10. Your Privacy Rights

You may have certain rights and choices regarding our collection, use, and disclosure of your Personal Information based on applicable laws (such as due to your location or place of residency).

a. Opting out of promotional electronic communications from us. We may use your Personal Information to send you updates regarding existing products and Services, information about new products and Services, upcoming events, surveys, and other announcements and inquiries. Please note that Function may send you marketing and advertising messages on behalf of a third party (including subject to a paid arrangement); provided, under such a circumstance, Function will not disclose your Personal Information to said third party. If you no longer wish to receive promotional email communications from us, you may opt out via the unsubscribe link included in such emails or communicate your opt-out request using the information below. We will comply with your request as soon as reasonably practicable. Please note that if you opt out of receiving promotional emails from us, we may still send you administrative messages that are required in order to provide you with the Service or for other reasons disclosed in this Policy.

b. Deleting your content or closing your account. You may be able to delete certain content through your account. If you wish to request to close your account, please contact us.

c. Additional rights available in certain states and jurisdictions. Certain U.S. jurisdictions provide residents with certain rights with respect to their Personal Information or “personal data” as defined under applicable law. These rights are subject to the specific laws of that jurisdiction as applicable to Function and that certain other rights or obligations might apply. Please review our California Privacy Notice; Nevada Privacy Notice; Privacy Notice for Residents of Other US States; and Consumer Health Data Privacy Policy for more information on rights and terms potentially applicable to you.

d. Mobile location data. You can disable our access to your device’s precise geolocation in your mobile device settings.

e. Exercising your privacy rights. Please use the following information to exercise your rights as applicable. Please note that any request you submit to us is subject to an identification and residency verification process as permitted under applicable law, as well as certain other procedural requirements that may be noted in the sections below. Additionally, all requests are subject to certain exceptions under applicable law, which may vary. If you are a visually-impaired customer, a customer who has another disability or a customer who seeks support in other language, you may access your privacy rights by emailing us at legal@functionhealth.com.

We do not charge a fee to process or respond to your verifiable consumer request unless its excessive, repetitive, manifestly unfounded, or in accordance with applicable law. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Depending on applicable law, you may be limited in how many verifiable or authenticated consumer request you make within a twelve (12) month period. If we have inadvertently collected information on your minor child, you may exercise the above rights on behalf of your minor child. Additionally, in some jurisdictions, you may designate an authorized agent to submit a request on your behalf, and if so, we may require proof of the agent’s authorization by you and/or verification of the agent’s own identity. Generally, a rights request must include:

Sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which must include, at a minimum, your first and last name and email address.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to the request.

We cannot respond to your request or provide you with Personal Information if we cannot verify or authenticate your identity or authority to make the request and confirm that the Personal Information relates to you. We will only use Personal Information provided in a verifiable or authenticated consumer request to verify your (or your authorized agent’s as applicable) identity or authority to make the request.

You are not required to create an account with us to submit a verifiable or authenticated consumer request. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact legal@functionhealth.com. Except where otherwise noted, we will respond to your request within forty-five (45) days after receipt and we reserve the right to extend the response time by an additional forty-five (45) days when reasonably necessary and provided consumer notification of the extension is made within the first forty-five (45) days. As described below, in some jurisdictions, an authorized agent may submit a request to exercise your rights on your behalf.

How to submit a request. To exercise any of the rights described in this Privacy Policy, please send your request(s) using one of the following methods:

Emailing us at legal@functionhealth.com
Visiting the contact page at our Site at https://www.functionhealth.com/contact
Calling us at (512) 814-6593.

11. California Privacy Notice

This California Privacy Notice applies to any California residents about whom we collect Personal Information (for the purposes of this Article 11, “consumers”). The provisions contained within this section are intended to provide notices in compliance with the California Consumer Privacy Act of 2018 (“CCPA”) and other relevant California laws and regulations.

For the purposes of this California Privacy Notice, except where a different definition is noted, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. Personal Information does not include Publicly Available Information, information that has been de-identified or aggregated, or other information subject to certain federal and state regulation, such as protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA).

If you are a visually-impaired customer, a customer who has another disability or a customer who seeks support in other language, you may access your privacy rights by emailing us at legal@functionhealth.com.

a. Personal Information We Collect

We may collect, or have collected, the following categories of Personal Information about you:

Identifiers
Commercial information
Financial information
Internet or other electronic activity information
Geolocation data
Professional or employment-related information
Audio, electronic, visual, or similar information
Characteristics of protected classifications under California or federal law
Inferences drawn from any of the above

Certain of the Personal Information that we collect may constitute “Sensitive Personal Information” as defined by California law. This may include:

Your account login information
Payment information
Content of messages sent through the Site or Services
Personal Information collected and analyzed concerning your health
Precise geolocation data

b. How We Use Your Personal Information

We use the Personal Information we collect about you for the following purposes:

Contact you and provide information
Provide customer service
Perform identity and age verification as required under applicable law
Provide and maintain the Site and Services
Facilitate interactive features
Internal analytics
Market our products and Services directly to you
Market the products and services of others directly to you
Promotions and sweepstakes
Internal business purposes, including general business administration
Develop new products or services
Audit, compliance, legal, policy, procedure, and regulatory obligations
Customer claims and fraud investigation and prevention
Systems and data security
Protecting the safety of our employees and others
Targeted Advertising
Profiling

c. Sources of Personal Information

We may collect Personal Information about you from the following categories of sources.

From our corporate affiliates
Directly from you through your interactions with us, such as when we collect self-reported information.

Through Cookies and other tracking technologies, as discussed in more detail in Cookies and Other Tracking Technologies (Section 5 of this Policy).
Through linked wearable devices connected to our Services (which may include historical data related to your use of the wearable devices).
From our Lab and Provider Partners, with your permission and in accordance with applicable law.
From other third parties, including our third party service providers, business and marketing partners, affiliates, analytics providers, ad network providers, ad agencies, and advertisers.
From third parties that you choose (such as lab providers).
From government agencies or public records.
From social media and other content platforms.

We may supplement such information with information we obtain from other sources, including from both online and offline information providers.

d. To Whom We Disclose Personal Information

We limit our disclosure of the categories of Personal Information above to our affiliates, service providers, payment processors, advertising partners, professional advisors, authorities and others, business transferees for one or more business purposes. “Business purposes,” for the purposes of this California Privacy Notice, means the reasonably necessary and proportionate use of Personal Information for our operational purposes, other purposes described in this Privacy Policy, for the operational purposes of our service providers and contractors, as well as other purposes compatible with the context in which the Personal Information was collected.

We do not and have not “sold” (as that term is defined under applicable law) Personal Information to third parties for any monetary value. We do gather Personal Information from consumers via Cookies as part of our targeted advertising initiatives, which is technically considered a “sale” and/or “share” of Personal Information under California law, even though we do not receive monetary payment for sharing or disclosing Personal Information to these third parties. In this connection, during last 12 months (from the last updated date listed at the top of this Privacy Policy), we have “sold” or “shared” the following categories of Personal Information as those terms are defined under the CCPA:

Identifiers
Commercial information
Internet or other electronic network activity information

If you wish to opt-out of the “sale”/“sharing” of Personal Information that is gathered via Cookies when you visit our websites and/or use our Services, please exercise your preferences to do so using “Your Privacy Choices” link that is available at the bottom of our websites or by following the further instructions at Section 11(f) below.

As those terms are defined by California law, we do not “sell” or “share” your Lab Results or any other Self-Reported Health Information without your express, affirmative consent.

e. Your California Privacy Rights

If you are a California resident, you may have the following rights under applicable California law subject to applicable law:

Right to know and access. You have the right to know what Personal Information we collect, use, disclose, and sell and/or share, as those terms are defined under applicable law. You may ask us to provide you a portable copy of this information up to two times in a rolling twelve-month period.
Right to delete and erase. You have the right to request under certain circumstances that we, as well as our service providers and contractors, delete the Personal Information that we collect about you.
Right to correct inaccurate Personal Information. You have the right to request the correction of inaccurate Personal Information.
Right to non-discrimination. You have the right not to receive discriminatory treatment for the exercise of the privacy rights described above.
Right to opt out of sale and/or sharing. You have the right to opt-out of the sale and/or sharing of your Personal Information by a business.
Right to limit use and disclosure. You have the right to limit the use or disclosure of your sensitive Personal Information to only the uses necessary for us to provide goods or services to you. We will not use or disclose your sensitive Personal Information after you have exercised your right unless you subsequently provide consent for the use of your sensitive Personal Information for additional purposes.
Sharing with third parties for their own direct marketing purposes. We do not disclose Personal Information to third parties for their own purposes without your consent. If you wish to request information regarding such practices under California’s “Shine the Light” Law, please Contact Us. You must include your full name, email address, and postal address in your email or mail request so that we can verify your California residence and respond.

How to exercise your rights. You may exercise any of the rights described in this section by following the instructions in Section 10, supra (“Your Privacy Rights”).

f. Notice of Right to Opt-Out of Sale/Sharing

You have the right to opt-out of the sale and/or sharing of your Personal Information by a business. As noted above, we may “sell” and/or “share” your Personal Information for purposes of cross-context behavioral advertising. You may opt-out by following the instructions in Section 10, supra (“Your Privacy Rights”).

You can opt out of such sale or sharing by clicking the Your Privacy Choices link at the bottom of our website and selecting your preferences. You may also opt out by broadcasting an Opt-Out Preference Signal, such as the Global Privacy Control (GPC). To download and use a browser supporting the GPC browser signal, click here or visit: https://globalprivacycontrol.org/orgs. Please note that if you do not have an account with us or if you are not logged into your account, your opt out request will be linked to your browser identifier only and not linked to any account information, because the connection between your browser and your account is not known to us.

We also encourage you to utilize the Cookie preferences options that appear in the Cookie banner on the Services. Finally, you may also visit the websites of the Network Advertising Initiative and the Digital Advertising Alliance's Self-Regulatory Program for Online Behavioral Advertising for more information about opting out of seeing targeted digital advertisements and how to opt bank in if desired. You may also learn about your options to opt-out of mobile app tracking by certain advertising networks through your device settings.

We do not knowingly sell or share the Personal Information of minors under 16 years of age without legally-required affirmative authorization. If you are a parent or guardian and you believe that your child has provided us with information without your consent, please review the Children’s Privacy section and contact us by email at legal@functionhealth.com.

g. Retention of Personal Information

We will retain your Personal Information only for as long as is necessary for the purposes set out in this Policy. We will retain and use your Personal Information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will also retain certain Personal Information for internal analysis purposes. This information is generally retained for a shorter period, except when this data is used to strengthen the security or to improve the functionality of our Services, or we are legally obligated to retain this data for longer time periods.

Our determination of precise retention periods will be based on (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position, including regard to applicable statutes of limitations, litigation or regulatory investigations.

h. Do Not Track

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

12. Nevada Privacy Notice

While we do not “sell” Personal Information as defined by Nevada Law, Nevada residents nonetheless have the right to request to opt out of any future “sale” of their Personal Information under Nevada SB 220 and SB 370. If you are a Nevada resident and would like to make such a request, please follow the instructions in Section 10, supra (“Your Privacy Rights”). You must include your full name, email address, and postal address in your email or mail request so that we can verify your Nevada residence and respond. In the event we sell your Personal Information after the receipt of your request, we will make reasonable efforts to comply with such request.

Additionally, SB 370 provides Nevada residents with rights to receive certain disclosures and access regarding the collection, use, sale, and sharing of Consumer Health Data. For information regarding the Consumer Health Data that we collect, how we use it, what sources it is derived from, to whom we disclose it, as well as the rights of Nevada residents and our responsibilities under SB 370, please see our Consumer Health Data Privacy Policy.

13. Privacy Notice for Residents of Other U.S. States

This Privacy Notice contains additional information for residents of Colorado, Connecticut, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia about personal data that we collect, how we use it, what sources it is derived from, and who we disclose it to, and provides information regarding your rights, and our responsibilities, under applicable laws and regulations to the extent such laws and regulations govern Function Health. For the purposes of this section, “personal data” means information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information. This section does not apply to (i) the extent Function Health is not governed by privacy laws in these states or (ii) personal data that is already subject to certain federal and state regulations, such as protected health information, where such laws do not apply to such data.

The provisions contained within this section are intended to provide notices under the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Privacy Act, the Oregon Consumer Data Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act (collectively, the “State Privacy Laws”) to the extent any such State Privacy Law applies to Function Health.

The State Privacy Laws provide or will provide rights to residents of Colorado, Connecticut, Delaware (beginning January 1, 2025), Iowa (beginning January 1, 2025), Montana (beginning October 1, 2024), Nebraska (beginning January 1, 2025), New Hampshire (beginning January 1, 2025), New Jersey (beginning January 15, 2025), Oregon, Texas, Utah, and Virginia respectively, to receive certain disclosures and access regarding collection, use, sale, and sharing of personal data.

a. Our Personal Data Practices

The State Privacy Laws provide rights to residents of those states, to receive certain disclosures and access regarding collection, use, sale, and sharing of personal data. Detail about what kinds of personal data we may collect or have collected, how we collect it, why we collect it, and who we may disclose it to is found in the “Personal Information We May Collect, Use, and Disclose”; “Sources of Personal Information”; and “Disclosure of Personal Information” sections of this policy.

We do not and have not sold Personal Information to third parties for any monetary value. We do gather Personal Information via Cookies for the purposes targeted advertising; however, we do not sell or share your Lab Results or any other Self-Reported Health Information without your express, affirmative consent.

b. Your Privacy Rights

If you are a resident Colorado, Connecticut, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia, you may have the following rights under applicable law in relation to your personal data, subject to certain exceptions:

Right to know and access. You have the right to know what personal data we collect, use, disclose, and/or sell or share as those terms are defined under applicable law. You may ask us to provide you a portable copy of this information up to two times in a rolling twelve-month period.
Right to delete and erase. You have the right to request under certain circumstances that we, as well as our service providers and contractors, delete the personal data that we collect about you.
Right to correct inaccurate personal data. You have the right to request the correction of inaccurate personal data.
Right to non-discrimination. You have the right not to receive discriminatory treatment for the exercise of the privacy rights described above.
Right to opt out. You have the right to opt-out of targeted advertising, the sale of your personal data, and profiling decisions that could produce legal or similarly significant effects concerning the consumer.
Rights concerning sensitive personal data. If you are a Connecticut, Colorado, Delaware, Montana, Nebraska, New Jersey, Oregon, Texas, or Virginia resident, we cannot and will not process your sensitive data (as defined by applicable law) or your sensitive data inferences, or use your personal data for certain purposes without your affirmative consent. If you are an Iowa or Utah resident, you have the right to opt out of having your sensitive personal data processed and/or used.

The CTDPA provides Connecticut residents with additional rights to receive certain disclosures and access regarding the collection, use, sale, and sharing of Consumer Health Data, as defined below. For information regarding the Consumer Health Data that we collect, how we use it, what sources it is derived from, to whom we disclose it, as well as the rights of Connecticut residents and our responsibilities under the CTDPA, please see our Consumer Health Data Privacy Policy.

How to exercise your rights. You may exercise any of the rights described in this section by following the instructions in Section 10, supra (“Your Privacy Rights”)

How to appeal decisions about your rights. You can appeal our decisions concerning privacy rights requests, as follows:

Colorado residents. If you are a Colorado resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within forty-five (45) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Colorado’s Office of the Attorney General by phone at (720) 508-6000 or by submitting a form here.

Connecticut residents. If you are a Connecticut resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Connecticut’s Office of the Attorney General by phone at (860) 808-5420 or by submitting a form here.
Delaware residents. If you are a Delaware resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Delaware’s Department of Justice by phone at (302) 683-8800 or by submitting a form here.
Iowa residents. If you are an Iowa resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Iowa’s Office of the Attorney General by phone at (888) 777-4590 or by submitting a form here.
Montana residents. If you are a Montana resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Montana’s Office of the Attorney General by phone at (406) 444-4500 or by submitting a form here.
Nebraska residents. If you are a Nebraska resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Nebraska’s Office of the Attorney General by phone at (402) 471-2683 or by submitting a form here.
New Hampshire residents. If you are a New Hampshire resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact New Hampshire’s Office of the Attorney General by phone at (603) 271-3658 or by submitting a form here.
New Jersey residents. If you are a New Jersey resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within forty-five (45) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact New Jersey’s Office of the Attorney General by phone at (800) 242-5846 or by submitting a form here.
Oregon residents. If you are an Oregon resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within forty-five (45) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Oregon’s Office of the Attorney General by phone at (877) 877-9392 or by submitting a form here.
Texas residents. If you are a Texas resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Texas’s Office of the Attorney General by phone at (800) 621-0508 or by submitting a form here.
Virginia residents. If you are a Virginia resident and want to appeal our decision with regard to a request that you have previously made, please Contact Us or notify the Office of the Attorney General of Virginia online here. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Virginia’s Office of the Attorney General by phone at (804) 786-2071, written correspondence to 202 North 9th Street, Richmond, Virginia 23219, or online here.

14. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). We recommend reviewing this Privacy Policy periodically for any changes. Your use of the Service after the effective date of any modified Privacy Policy indicates your acknowledging that the modified Privacy Policy applies to your interactions with the Service and our business.

You may view the prior version of our Privacy Policy here.

15. Contact Us

Please contact legal@functionhealth.com if you have any questions about this Privacy Policy. We are open to feedback around our privacy policies and practices. Because email communications are not always secure, please do not include any sensitive information in your email to us. You can also write to us at: 600 Congress Ave, 14th Floor, Austin, TX 78701.

5x more than the average physical.

Function includes over 100 tests to give you the complete picture of your health.

Join Function

What’s included?