Veris Health

Privacy Policy

Last updated: March 29, 2026

Your privacy is not a feature — it is a foundation. This Privacy Policy explains what personal and health information Veris Health collects, why we collect it, how we protect it, and the choices you have about your data.

Our HIPAA Commitment

Veris Health is committed to protecting your health data in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Your Protected Health Information (PHI) is encrypted at rest using AES-256-GCM, transmitted using TLS 1.3, and is subject to strict access controls and HIPAA-compliant audit logging. We do not sell your health data. Ever.

Table of Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. Protected Health Information (PHI)
  5. AI Health Advisor Data Use
  6. Third-Party Service Providers
  7. Data Retention
  8. Your Rights
  9. Data Security
  10. Children's Privacy
  11. Cookies and Tracking
  12. Changes to This Policy
  13. Data Breach Notification
  14. Contact Us
  15. HIPAA Notice of Privacy Practices

1. Introduction

Veris Health, Inc. ("Veris Health," "we," "us," or "our") operates the Veris Health platform — a personal health data aggregation and intelligence service accessible through our website at verishealth.com and our mobile applications (collectively, the "Service" or "Platform"). This Privacy Policy describes how we collect, use, disclose, protect, and retain information about you when you use our Service.

We recognize that health information is among the most sensitive categories of personal data. We have designed our data practices from the ground up with privacy and security as core principles. This Policy applies to all users of the Service, regardless of their subscription tier, and covers both our web application and any mobile applications we operate.

HIPAA Applicability

To the extent that Veris Health processes Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164), we act as a covered entity or business associate, as applicable, and comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. Section 15 of this Policy serves as our HIPAA Notice of Privacy Practices.

Scope

This Privacy Policy applies to: (a) our web application hosted at verishealth.com and its subdomains; (b) our iOS and Android mobile applications; (c) our APIs accessed by authorized integrations; and (d) any other service or platform we operate that links to this Policy. It does not apply to third-party websites, applications, or services that you may access through links on our Platform.

Consent

By creating an account or using the Service, you consent to the data practices described in this Policy. If you do not agree with this Policy, you must not use the Service. Where required by applicable law, we will seek your explicit consent before processing specific categories of sensitive data.

2. Information We Collect

We collect information in three ways: information you provide directly, information we collect automatically through your use of the Service, and information we receive from third-party integrations you authorize.

Information You Provide Directly

Account Information

When you create an account, we collect: your full name, email address, and a password (stored as a bcrypt hash — we never store your plaintext password). We do not require you to provide a phone number, mailing address, or government-issued identification to create a standard account.

Health Profile Information

To personalize your health experience, you may optionally provide: your date of birth (stored encrypted), biological sex, height, weight, health goals (e.g., weight loss, longevity, athletic performance), and any health conditions or medications you choose to disclose. This information is used to contextualize your health data and generate more relevant insights. All health profile fields are optional unless otherwise indicated.

Laboratory Results

You may upload laboratory result documents (PDF or image format) to the Platform. We use AI-powered processing to extract individual biomarker values and reference ranges from your uploaded documents. Both the original uploaded documents and the extracted biomarker data are stored as Protected Health Information and are subject to all PHI protections described in this Policy.

Nutrition Data

If you manually log meals or connect a nutrition tracking integration (such as MyFitnessPal), we collect nutrition data including meal names, caloric values, macronutrient breakdowns (protein, carbohydrates, fat, fiber), and micronutrient data where available.

AI Health Advisor Conversations

When you use the AI Health Advisor, your messages and the AI's responses are stored in our encrypted database. These conversations may contain health-related information you choose to share. See Section 5 for detailed information about how AI conversation data is processed.

Payment Information

If you subscribe to a paid plan, your payment information (including credit or debit card details) is collected and processed directly by Stripe, Inc., our third-party payment processor. Veris Health does not store your complete payment card number, CVV, or full billing address on its servers. We receive from Stripe a tokenized representation of your payment method and limited billing information (e.g., last four digits, card expiration date, billing zip code) necessary to manage your subscription.

Customer Support Communications

When you contact our support team, we collect the content of your communications, including any attachments, screenshots, or health information you choose to share with us in the course of seeking support.

Information Collected Automatically

Usage Data

We automatically collect information about how you interact with the Service, including: pages and features accessed, time spent on different sections of the Platform, features enabled or disabled, frequency of use, search queries within the Platform, and error events. This data helps us understand how the Service is used and identify areas for improvement.

Device and Technical Information

We collect technical information about the device and software you use to access the Service, including: browser type and version, operating system and version, device type (desktop, mobile, tablet), screen resolution, timezone, and the referring URL that brought you to our Service.

IP Address (Partially Redacted)

We collect your IP address for security and fraud prevention purposes. In compliance with our HIPAA logging requirements, IP addresses stored in audit logs are partially redacted (the last octet of IPv4 addresses is replaced with "0") to reduce identifiability while preserving enough information for security purposes. The full IP address may be retained for a short period in security-related contexts before redaction is applied.

HIPAA Audit Logs

As required by HIPAA's Security Rule (45 CFR § 164.312(b)), we maintain audit logs of every access to Protected Health Information. Audit log records include: your user ID (a non-guessable UUID), the action taken (e.g., "biomarker.view", "labresult.upload"), the resource type and ID accessed, a redacted IP address, your user agent (browser/OS), and a timestamp. Audit logs are retained for a minimum of 7 years as required by HIPAA.

Session Data

We maintain session data (stored as signed JWTs) to authenticate your identity across requests. Sessions expire automatically after 15 minutes of inactivity. Session tokens are not stored in localStorage or sessionStorage; they are managed as secure, HTTP-only cookies to prevent client-side script access.

Information Received from Third-Party Integrations

Wearable Device Data

When you connect a supported wearable device or fitness platform (such as Oura, WHOOP, Apple Health, or Google Fit), we retrieve health and activity data from that platform's API on your behalf. The specific data collected varies by platform and may include: daily step count, active calories burned, resting heart rate, heart rate variability (HRV), sleep duration and stages, respiratory rate, blood oxygen saturation (SpO2), body temperature, and other metrics provided by the respective platform's API.

OAuth access tokens and refresh tokens required to retrieve this data are stored in our database in encrypted form (AES-256-GCM). We request only the minimum OAuth scopes necessary to retrieve the health data you need.

Nutrition Platform Data

If you connect a nutrition tracking platform such as MyFitnessPal, we retrieve your logged nutrition data (meals, caloric intake, macronutrients) via the platform's API. Access tokens for nutrition integrations are stored encrypted in the same manner as wearable tokens.

No Data from Nutritionix

For food search functionality (used when manually logging meals), we send food name search queries to Nutritionix's API. These queries do not include your user ID, health data, or any other personal information. Nutritionix receives only the anonymous food search term.

3. How We Use Your Information

We use the information we collect for the following purposes:

Providing and Maintaining the Service

We use your account information, health profile, and health data to create and maintain your account, authenticate your identity, display your health dashboard, and deliver the core functionality of the Platform.

Generating Health Insights and Scores

We analyze your aggregated health data — including biomarkers from lab results, wearable device metrics, and nutrition data — to calculate composite health scores, identify trends over time, detect potential correlations between different health metrics (such as correlations between dietary patterns and biomarker values), and generate the personalized health insights displayed on your dashboard.

Powering the AI Health Advisor

We use your health profile, recent biomarker data, wearable averages, and nutrition data to construct a system prompt that is included in conversations with the AI Health Advisor. This enables the AI to provide contextually relevant responses to your health questions. See Section 5 for full details on how AI processing works.

Curating Marketplace Recommendations

We use patterns in your health profile and biomarker data to generate personalized supplement recommendations displayed in the Marketplace. These recommendations are generated algorithmically and are for informational and convenience purposes only. See our Terms of Service, Section 9, for important disclaimers about supplement recommendations.

Physician Matching

We use your health profile, subscription tier, and stated health goals to identify independent healthcare practitioners who may be relevant to your needs. The matching algorithm uses anonymized health profile attributes and does not share your individually identifiable health data with practitioners unless you explicitly choose to do so during a consultation.

Health Alerts and Notifications

We may use your health data to generate health alerts for potentially significant changes in biomarkers or health metrics that may warrant attention. These alerts are informational only. All notifications reference health categories or general signals only — they do not include specific PHI values such as raw biomarker numbers in notification payloads, consistent with our HIPAA security obligations.

Service Improvement and Research

We analyze anonymized, aggregated usage data and de-identified health data to improve the Platform, develop new features, validate and refine our health scoring algorithms, and conduct population-level health research. This research uses data from which all direct identifiers (name, email, date of birth, etc.) have been removed and that has been aggregated with data from other users in a manner that does not permit re-identification.

You may opt out of contributing to anonymous research through "Settings → Privacy → Anonymous Research." Opting out does not affect your access to any feature of the Service.

Communications

We use your email address to send: account-related transactional communications (such as email verification, password reset, subscription confirmations, and billing receipts); health alerts and summaries; security notifications; and, with your consent, product updates, educational health content, and marketing communications. You may manage your communication preferences in "Settings → Notifications." You may unsubscribe from marketing emails at any time via the unsubscribe link in any marketing email.

Legal Compliance and Safety

We may use your information to: comply with applicable law and legal process, including HIPAA obligations; respond to lawful requests from government authorities; enforce our Terms of Service; protect the rights, property, or safety of Veris Health, our users, or the public; and detect, prevent, or investigate fraud, security incidents, or abuse of the Service.

4. Protected Health Information (PHI)

What Constitutes PHI Under HIPAA

Under HIPAA, Protected Health Information (PHI) means individually identifiable health information — that is, health information that identifies or could reasonably be used to identify a specific individual and relates to: (a) the individual's past, present, or future physical or mental health or condition; (b) the provision of healthcare to the individual; or (c) the past, present, or future payment for healthcare. Electronic PHI (ePHI) refers to PHI that is created, received, transmitted, or maintained in electronic form.

PHI We Collect and Process

The following categories of data we process qualify as or are treated as PHI for the purposes of our HIPAA compliance program:

  • Laboratory results: Uploaded lab documents and individually extracted biomarker values (e.g., LDL cholesterol, HbA1c, TSH, ferritin, testosterone, complete blood count components, and all other biomarkers extracted from lab reports).
  • Health scores: Composite health scores and sub-scores calculated from your lab and wearable data, which are derived from and linked to your individual health information.
  • Wearable health metrics: Heart rate, heart rate variability, sleep data, blood oxygen saturation, body temperature, respiratory rate, and other physiological metrics retrieved from connected wearable devices.
  • Nutrition data: Detailed nutritional intake logs linked to your account.
  • AI Health Advisor conversations: Chat messages in which you discuss your health, including any specific health concerns, symptoms, or conditions you choose to disclose.
  • Health profile data: Date of birth, biological sex, height, weight, and any disclosed health conditions or medications.

PHI Encryption

All PHI stored by Veris Health is encrypted at rest using AES-256-GCM, a symmetric authenticated encryption algorithm. Encryption is performed at the application layer before data is written to the database. The encryption key ("HIPAA Encryption Key") is a 256-bit key stored as an environment secret, separate from the encrypted data, and is rotated on a regular schedule. In transit, all PHI is protected by TLS 1.3, the current industry standard for transport layer security.

PHI Access Controls

Access to PHI within our systems is governed by role-based access controls (RBAC) consistent with HIPAA's minimum-necessary standard. PHI is accessible only to: (a) authenticated users viewing their own data; (b) authorized engineering and support personnel with a documented need for access, subject to audit logging; and (c) approved automated systems performing the functions described in this Policy. All PHI access by personnel is logged in our HIPAA audit log system.

PHI Not in Logs, URLs, or Notifications

Veris Health enforces the following PHI containment rules throughout the Platform:

  • No PHI in application logs: Our logging infrastructure applies automated sanitization ("sanitizeForLog()") that redacts PHI fields — including date of birth, biomarker values, health conditions, and access tokens — before writing any log entry.
  • No PHI in URLs: All requests involving PHI use POST request bodies or authenticated GETs with no PHI in URL query parameters or path segments.
  • No PHI in push notifications: Mobile and browser push notifications reference health alert categories only (e.g., "You have a new health insight") and do not include raw biomarker values, lab results, or other identifiable health data in the notification payload.
  • No PHI caching: API responses containing PHI include Cache-Control: no-store headers, preventing any intermediate caching by CDNs, proxies, or browser caches.
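The audit-log record, the last-octet IP redaction (Section 2) and the log sanitization described in the containment rules above, as one added illustration that is not Veris Health's own code. The record shape, the PHI key list and the bearer-token pattern are assumptions; the sample event is constructed.

```javascript
// Last IPv4 octet becomes "0". The page specifies the IPv4 rule only, so any
// other input (IPv6, garbage) is dropped entirely rather than stored unredacted.
function redactIp(ip) {
  const m = /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/.exec(String(ip));
  return m ? `${m[1]}.0` : "redacted";
}

// Assumed list of keys whose values must never reach a log entry.
const PHI_KEYS = new Set([
  "dateofbirth", "dob", "biomarkervalue", "healthconditions", "medications",
  "accesstoken", "refreshtoken", "authorization", "password",
]);

// Walks any nested object/array, replacing PHI-keyed values and bearer tokens
// embedded in strings. Returns a new structure; the input is not mutated.
function sanitizeForLog(input) {
  if (Array.isArray(input)) return input.map(sanitizeForLog);
  if (input && typeof input === "object") {
    const out = {};
    for (const [k, v] of Object.entries(input)) {
      out[k] = PHI_KEYS.has(k.toLowerCase()) ? "[REDACTED]" : sanitizeForLog(v);
    }
    return out;
  }
  if (typeof input === "string") {
    return input.replace(/Bearer\s+[A-Za-z0-9._~+/=-]+/g, "Bearer [REDACTED]");
  }
  return input;
}

// Builds one audit record with the fields the policy lists: UUID user id, dotted
// action name, resource type and id, redacted IP, user agent, timestamp.
// Optional free-form details pass through sanitizeForLog before being kept.
function auditEvent({ userId, action, resourceType, resourceId, ip, userAgent, details = {}, now = new Date() }) {
  if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(userId)) {
    throw new Error("userId must be a UUID");
  }
  if (!/^[a-z]+\.[a-z_]+$/.test(action)) {
    throw new Error(`action must look like "resource.verb", got ${action}`);
  }
  return {
    userId,
    action,
    resourceType,
    resourceId,
    ip: redactIp(ip),
    userAgent,
    timestamp: now.toISOString(),
    details: sanitizeForLog(details),
  };
}
```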

Business Associate Agreements

Veris Health executes Business Associate Agreements (BAAs) with each third-party service provider that processes PHI on our behalf, as required by HIPAA (45 CFR § 164.308(b)). Current and pending BAA partners are identified in Section 6 of this Policy.

5. AI Health Advisor Data Use

The AI Health Advisor is powered by Anthropic's Claude API. Understanding how your data is processed in this context is important for your informed use of this feature.

Data Transmitted to Anthropic

When you send a message to the AI Health Advisor, the following information is transmitted to Anthropic's Claude API:

  • Your message — the text you typed in the chat interface.
  • System context prompt — a structured summary of your health profile prepared by Veris Health, which may include: your stated health goals, a summary of recent biomarker values and their trend direction, 7-day wearable averages (e.g., average HRV, average sleep duration), and recent nutrition averages. This context enables the AI to provide personalized, relevant responses.
  • Recent conversation history — a rolling window of recent messages from the current conversation session, enabling multi-turn dialogue.

This transmission occurs over an encrypted TLS 1.3 connection to Anthropic's API.

Anthropic's Data Use

Veris Health operates under Anthropic's API usage policies. Pursuant to those policies and our Business Associate Agreement with Anthropic:

  • Anthropic does not use your conversation data to train or improve its AI models.
  • Anthropic may process conversation data to provide the API service and to monitor for safety and policy compliance.
  • Anthropic's data handling practices are governed by their Privacy Policy, available at anthropic.com/privacy.

Veris Health's Storage of Conversations

Conversation records are stored in our encrypted database (AES-256-GCM at rest) associated with your account. By default, conversation history is retained for 90 days, after which it is automatically and permanently deleted. You may:

  • Adjust your retention period (down to 0 days to disable storage) in "Settings → Privacy → Chat History";
  • Manually delete individual conversations or your entire chat history at any time; or
  • Opt out of context sharing (see below).

Opt-Out of AI Data Analysis

You may disable health context sharing for the AI Health Advisor at any time in "Settings → Privacy → AI Data Analysis." When disabled:

  • No health profile context, biomarker data, or wearable averages will be included in the system prompt sent to Anthropic;
  • The AI Health Advisor will respond as a general wellness information tool without knowledge of your personal health data;
  • Your conversation messages will still be transmitted to Anthropic to generate responses.

Opting out of AI data analysis does not affect your access to the AI Health Advisor or any other feature of the Service.

6. Third-Party Service Providers

We share your data with third-party service providers only to the extent necessary to provide the Service. We do not sell, rent, or trade your personal information to any third party for their own marketing purposes. The following table identifies our current service providers, the data shared with them, the purpose of sharing, and whether a HIPAA Business Associate Agreement is in place.

Provider | Data Shared | Purpose | BAA
Anthropic | Chat messages, health context summary | AI Health Advisor (Claude API) | Required
Stripe, Inc. | Payment method details, billing info | Payment processing, subscription management | Required
Neon (PostgreSQL) | All application data (PHI stored encrypted) | Primary database hosting | Required
Vercel, Inc. | Application traffic (PHI in encrypted transit) | Web application hosting and CDN | Required
Oura Health | OAuth access tokens (encrypted); health data retrieved on your behalf | Wearable data sync (Oura Ring) | N/A (user-authorized OAuth)
WHOOP, Inc. | OAuth access tokens (encrypted); health data retrieved on your behalf | Wearable data sync (WHOOP band) | N/A (user-authorized OAuth)
Apple (HealthKit) | Health metrics authorized by you; no Apple account data | Apple Health integration | N/A (user-authorized)
Google (Fit API) | Health metrics authorized by you; no Google account data beyond OAuth | Google Fit integration | N/A (user-authorized OAuth)
MyFitnessPal | OAuth tokens (encrypted); nutrition data retrieved on your behalf | Nutrition data sync | N/A (user-authorized OAuth)
Nutritionix | Anonymous food search queries only (no user identifiers) | Food search for manual nutrition logging | N/A (no user data shared)

Other Disclosures

In addition to the above, we may disclose your information: (a) to comply with a legal obligation, court order, or binding governmental directive; (b) to enforce our Terms of Service or protect the rights and safety of Veris Health and its users; (c) in connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case we will notify you before your information is transferred to a successor entity and before new privacy terms apply; or (d) with your explicit prior consent for a specific purpose.

No Sale of Personal Data

Veris Health does not sell, rent, exchange, or otherwise transfer your personal information or Protected Health Information to third parties for monetary or other valuable consideration. We do not share your data with advertisers or data brokers.

7. Data Retention

We retain your data for only as long as necessary to provide the Service and comply with our legal obligations. The following table summarizes our data retention periods:

Data Category | Retention Period | Basis
Account information (name, email) | Until account deletion | Service delivery
Health profile data | Until account deletion | Service delivery
Biomarker and lab result data | Until account deletion | Service delivery
Wearable device data | Until account deletion or integration disconnection | Service delivery
Nutrition data | Until account deletion | Service delivery
AI Health Advisor chat history | 90 days (configurable; user-adjustable) | Service delivery; user preference
HIPAA audit logs | Minimum 7 years | HIPAA Security Rule (45 CFR § 164.312(b))
Payment and billing records | 7 years | Tax and financial regulations
Legal hold data | Duration of legal hold | Legal obligation
Anonymized, aggregated research data | Indefinite | Legitimate interest; non-identifiable

Account Deletion and Data Purge

When you delete your account, Veris Health will permanently and irreversibly remove your personal health data from all active production systems via cascade delete — meaning that deletion of your user record triggers automatic deletion of all associated health data records — within 30 days of account deletion confirmation. Backup copies may persist for up to an additional 30 days before being overwritten in the normal course of our backup rotation schedule.

The following categories of data are exempt from deletion upon account closure and will be retained for the periods specified above: HIPAA audit logs (7 years), financial and payment records (7 years), data subject to active legal hold, and anonymized, non-identifiable aggregated data.

8. Your Rights

Rights Available to All Users

Right to Access Your Data

You may access all of your health data stored on the Platform at any time through your account dashboard. For a complete machine-readable export of your data, use "Settings → Data Export." We will process export requests within 30 days.

Right to Correct Your Data

If any data in your health profile is inaccurate, you may correct it directly through the Platform. For extracted biomarker values that require correction, you may edit confirmed values or delete and re-upload the source lab document. If you encounter data you are unable to correct through the Platform, contact us at privacy@verishealth.com.

Right to Delete Your Account and Data

You may delete your account and all associated health data at any time through "Settings → Delete Account." This action is permanent and irreversible. Prior to deletion, we recommend exporting your data if you wish to retain a copy. See Section 7 for information about what data is retained after deletion and why.

Right to Disconnect Integrations

You may disconnect any wearable or nutrition integration at any time through "Settings → Integrations." Disconnecting an integration revokes our authorization to retrieve future data from that platform and deletes stored access tokens. Historical data already imported is not automatically deleted; you must separately delete that data if desired.

Right to Opt Out of AI Data Analysis

You may opt out of health context being shared with the AI Health Advisor at any time through "Settings → Privacy → AI Data Analysis."

Right to Opt Out of Anonymous Research

You may opt out of your anonymized data being used for research and product improvement purposes through "Settings → Privacy → Anonymous Research."

Right to Manage Notification Preferences

You may modify, reduce, or disable any category of notification through "Settings → Notifications." Transactional notifications (such as account security alerts) cannot be fully disabled as they are necessary for account security.

Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following additional rights:

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purposes for which it was collected, and the categories of third parties with whom we have shared it.
  • Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions permitted by law.
  • Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
  • Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. If our practices change, we will update this Policy and provide you with a mechanism to opt out.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information (including health data) to what is necessary to provide the Service. Our use of sensitive personal information is already limited to the purposes described in this Policy.
  • Right to Non-Discrimination: You have the right to exercise your CCPA/CPRA rights without discrimination. We will not deny you services, charge different prices, or provide a diminished level of service because you exercised your rights.

To submit a CCPA/CPRA request, contact us at privacy@verishealth.com with the subject line "California Privacy Rights Request." We will respond within 45 days. We may require you to verify your identity before processing your request.

Additional Rights for European Economic Area and UK Residents (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR, as applicable, grants you the following rights with respect to your personal data:

  • Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about how it is used.
  • Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete personal data completed.
  • Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis for processing; (c) you object to processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your data while a dispute about its accuracy or the lawfulness of processing is being resolved.
  • Right to Data Portability (Article 20): Where processing is based on consent or contractual necessity, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to Object (Article 21): You have the right to object to processing of your personal data carried out on the basis of legitimate interests, including profiling based on those interests.
  • Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection authority if you believe your rights have been violated.

To exercise any of the above GDPR/UK GDPR rights, contact us at privacy@verishealth.com. We will respond within 30 days of receiving a verifiable request. We may ask you to verify your identity before processing requests involving sensitive data.

Our legal bases for processing your personal data under the GDPR include: contract performance (delivering the Service you signed up for); consent (for health data processing and AI context sharing); legal obligation (HIPAA retention requirements); and legitimate interests (security, fraud prevention, service improvement) where those interests are not overridden by your rights.

9. Data Security

We implement a comprehensive, multi-layered security program designed to protect your health information. Our security measures include the following technical and administrative safeguards:

Encryption

  • At rest: All Protected Health Information is encrypted at the application layer using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode) before being written to the database. This provides both confidentiality and integrity protection for stored health data.
  • In transit: All communications between your device and our servers are encrypted using TLS 1.3. Older, less secure protocol versions (TLS 1.0, 1.1, 1.2) are disabled. We do not permit plaintext HTTP connections to any part of the Service.
  • Passwords: Passwords are hashed using bcrypt with a minimum cost factor of 12. We store only the hash — your plaintext password is never stored on our servers.
  • OAuth tokens: OAuth access tokens and refresh tokens from wearable and nutrition integrations are stored encrypted (AES-256-GCM) in the database. They are decrypted only in memory, at the time of use, and are never written to logs.

Access Controls

  • Authentication: Access to the Service requires authentication via email/password. All API routes (except public authentication endpoints) require a valid, signed session token.
  • Session management: Sessions are implemented as signed JWTs with a maximum age of 15 minutes (900 seconds), consistent with HIPAA guidance for session timeout. Sessions are stored as secure, HTTP-only cookies inaccessible to client-side JavaScript.
  • Role-based access: Access to features and health data is governed by user-specific access controls. No user can access another user's health data through the Platform.
  • Internal access: Veris Health personnel with access to production systems or user data are subject to access controls, the principle of least privilege, and mandatory HIPAA training. All such access is audit logged.

Security Headers

Our web application implements the following security headers to reduce the attack surface:

  • Strict-Transport-Security: Enforces HTTPS with a max-age of 31,536,000 seconds (1 year), including subdomains.
  • Content-Security-Policy: Restricts resource loading to approved origins, reducing XSS attack vectors.
  • X-Frame-Options: DENY: Prevents clickjacking by disallowing iframe embedding.
  • X-Content-Type-Options: nosniff: Prevents MIME-type sniffing attacks.
  • Referrer-Policy: strict-origin-when-cross-origin: Limits referrer information exposure.
  • Permissions-Policy: Disables access to camera, microphone, geolocation, and other sensitive browser APIs.

Input Validation and API Security

  • All API input is validated against strict Zod schemas before processing, rejecting malformed or unexpected data at the API boundary.
  • Rate limiting is enforced on all API endpoints at the edge network layer.
  • CSRF protection is implemented for all state-mutating requests.
  • Webhook authenticity is verified using cryptographic signatures (e.g., Stripe webhook signatures).
  • CORS policies restrict cross-origin requests to approved domains.

Ongoing Security Program

  • Quarterly review of access logs and security configurations.
  • Annual third-party penetration testing of all PHI-handling endpoints, with critical findings remediated within 30 days.
  • Documented incident response and breach notification plan.
  • HIPAA risk analysis conducted annually and updated as the threat landscape evolves.

No Absolute Security Guarantee

While we implement industry-leading security measures, no system connected to the internet can be guaranteed to be completely secure. In the event of a security incident affecting your data, we will follow the breach notification procedures described in Section 13 of this Policy. We encourage you to use a strong, unique password for your Veris Health account and to contact us immediately if you suspect your account has been compromised.

10. Children's Privacy

The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from anyone under 18. If you are under 18 years of age, you are not permitted to create an account or use the Service.

If we become aware that we have inadvertently collected personal information from a user under the age of 18, we will take immediate steps to: (a) terminate the minor's account; (b) permanently delete all associated data; and (c) notify the parent or guardian if contact information is available.

If you believe that your child has created an account with Veris Health, please contact us immediately at privacy@verishealth.com so that we can take appropriate action. We take children's privacy seriously and are committed to protecting minors from inappropriate data collection.

This Policy is consistent with the requirements of the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq. Veris Health does not knowingly collect, use, or disclose personal information from children under 13 for any commercial purpose.

11. Cookies and Tracking

Essential Cookies Only

Veris Health uses only essential cookies that are strictly necessary for the operation of the Service. We do not use third-party advertising cookies, tracking pixels, or cross-site tracking technologies.

Cookies We Use

Cookie                    Purpose                                   Duration                       Essential?
next-auth.session-token   Session authentication (JWT)              15 minutes (session timeout)   Yes
next-auth.csrf-token      CSRF protection for auth requests         Session                        Yes
next-auth.callback-url    Stores post-authentication redirect URL   Session                        Yes

No Third-Party Tracking

We do not use: Google Analytics, Meta Pixel, or any other third-party behavioral analytics tools; advertising networks or demand-side platforms; cross-site tracking scripts; or session recording tools that would capture your interactions with the Platform and transmit them to third parties. We believe that health data platforms have a heightened responsibility to avoid surveillance capitalism practices.

Internal Analytics

Any usage analytics we collect for product improvement purposes are collected using our own first-party infrastructure and are processed in anonymized, aggregated form. This data is used only internally and is not shared with advertising or analytics platforms.

12. Changes to This Policy

Veris Health may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or the features of the Service. We will provide advance notice of material changes as follows:

  • Email notification: We will send an email to your registered email address at least 30 days before material changes take effect, describing the nature of the changes and providing a link to the updated Policy.
  • In-app notice: We will display a prominent notice within the Platform informing you of the changes.
  • Updated date: The "Last Updated" date at the top of this page will reflect the date of the most recent revision.

For non-material changes (such as typographical corrections, formatting updates, or clarifications that do not alter your substantive rights), we may update the Policy without advance notice beyond updating the "Last Updated" date.

Your continued use of the Service after the effective date of any revision constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you should stop using the Service and delete your account. Previous versions of this Policy are available upon request at privacy@verishealth.com.

13. Data Breach Notification

Despite our robust security measures, no system is immune to security incidents. In the event of a security breach involving your Protected Health Information or personal data, Veris Health will respond in accordance with the following procedures and applicable legal requirements.

HIPAA Breach Notification

Under HIPAA's Breach Notification Rule (45 CFR § 164.400 et seq.), we are required to notify affected individuals without unreasonable delay and in no case later than 60 calendar days following discovery of a breach of unsecured Protected Health Information. Our breach notification obligations include:

  • Individual notification: We will notify each affected individual by email (at their registered email address) or, if email is unavailable, by first-class mail. The notification will include: a description of the breach and the approximate date of discovery; a description of the types of PHI involved; steps you should take to protect yourself from potential harm; what Veris Health is doing to investigate, mitigate, and prevent recurrence; and contact information for questions and concerns.
  • HHS notification: We will notify the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) of all breaches. For breaches affecting 500 or more individuals, we will notify HHS within 60 days of discovery and will also provide notice to prominent media outlets in affected states. For breaches affecting fewer than 500 individuals, we will maintain a log and report breaches to HHS annually.

Other Applicable Breach Notification Laws

In addition to HIPAA, many U.S. states have enacted data breach notification laws. Where a breach involves personal information of residents of a state with its own breach notification requirements (including California, New York, and others), we will comply with those requirements in addition to HIPAA, including any shorter notification timeframes mandated by state law.

Incident Response

Upon detecting or being notified of a potential security incident, Veris Health will immediately: (a) activate our incident response plan; (b) contain the incident and preserve evidence for investigation; (c) conduct a root cause analysis; (d) assess the scope of affected individuals and data; (e) implement remediation measures; and (f) provide notifications as required by law. We maintain a tested breach notification workflow and conduct annual end-to-end testing of our incident response procedures.

Reporting a Security Concern

If you discover or suspect a security vulnerability or incident involving Veris Health, please report it immediately to security@verishealth.com. We take all security reports seriously and will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.

14. Contact Us

For questions, concerns, or requests relating to this Privacy Policy or your personal health data, please contact us through the following channels:

Privacy Officer

privacy@verishealth.com

For privacy rights requests, data access/deletion, CCPA/GDPR inquiries, and general privacy questions.

Security Team

security@verishealth.com

For reporting security vulnerabilities, suspected breaches, or unauthorized access concerns.

General Support

support@verishealth.com

For account-related questions and general Service inquiries.

Mailing Address

Veris Health, Inc.
Attn: Privacy Officer
Wilmington, Delaware

We will respond to all privacy-related inquiries within 30 days of receipt. For requests related to GDPR rights, we will respond within the 30-day statutory period, with a possible one-time extension of an additional 60 days for complex requests (with notice provided within the initial 30 days). For California CCPA requests, we will respond within 45 days, with a possible extension of an additional 45 days for complex requests.

15. HIPAA Notice of Privacy Practices

This section serves as Veris Health's Notice of Privacy Practices (NPP) as required by HIPAA's Privacy Rule (45 CFR § 164.520).

Our Duty to Protect Your Health Information

Veris Health is required by law to maintain the privacy of your Protected Health Information (PHI), to provide you with this Notice of our legal duties and privacy practices with respect to PHI, to notify you following a breach of your PHI, and to abide by the terms of the Notice currently in effect.

How We May Use and Disclose Your PHI

Without your written authorization, we may use and disclose your PHI only for the following purposes permitted under HIPAA:

  • Treatment: To facilitate your health management and communicate relevant health information to healthcare providers you connect with through the physician matching feature, but only with your explicit authorization.
  • Healthcare Operations: For activities necessary to run our health platform, including quality improvement, training, and compliance activities, using the minimum necessary PHI.
  • As Required by Law: When required to comply with applicable law, including valid legal process such as court orders, subpoenas, or regulatory demands from government health agencies.
  • To Avert Serious Threat: When necessary to prevent a serious and imminent threat to the health or safety of a person or the public.
  • Business Associates: To Business Associates (such as our cloud infrastructure providers and AI model providers) pursuant to executed BAAs.

All other uses and disclosures of your PHI require your written authorization. You may revoke any authorization you provide at any time, except to the extent that we have already relied upon it.

Your Rights Regarding Your PHI

  • Right to inspect and copy: You have the right to inspect and obtain a copy of your PHI in our designated record set. Submit requests to privacy@verishealth.com.
  • Right to request amendment: You have the right to request that we amend PHI you believe is inaccurate or incomplete. We may deny your request in certain circumstances permitted by HIPAA.
  • Right to an accounting of disclosures: You have the right to request a list of the disclosures of your PHI we have made in the 6 years prior to your request (excluding certain routine disclosures).
  • Right to request restrictions: You have the right to request restrictions on how we use or disclose your PHI, though we are not always required to agree to requested restrictions.
  • Right to request confidential communications: You have the right to request that we communicate with you about your PHI in a particular way or at a specific location.
  • Right to a paper copy of this Notice: You have the right to receive a paper copy of this Notice upon request by contacting privacy@verishealth.com.

How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with Veris Health by contacting our Privacy Officer at privacy@verishealth.com. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

HHS Office for Civil Rights

Online: hhs.gov/ocr/complaints

Phone: 1-800-368-1019 (voice) / 1-800-537-7697 (TDD)

We will not retaliate against you for filing a complaint. All complaints are treated with strict confidentiality.

Effective Date and Revisions

This Notice of Privacy Practices is effective as of March 29, 2026. Veris Health reserves the right to change the terms of this Notice and to make the revised Notice effective for all PHI we maintain. The current Notice will always be posted on the Platform and will be provided to you upon request.

This Privacy Policy was last updated on March 29, 2026. © 2026 Veris Health, Inc. All rights reserved.
