Privacy and Security Notice
Effective Date: March 23, 2026
REQUEST-ONLY IAS PROVIDER: TROVE HEALTH DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE TROVE HEALTH TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.
Introduction
At Trove Health, we believe your health information belongs to you. We are committed to maintaining your trust and protecting your privacy through strict adherence to HIPAA, TEFCA, and other applicable laws. This document combines our Privacy and Security Notice and our general Privacy Policy to explain how we handle your information, your rights as an individual, and the measures we take to protect your data.
Definitions
For clarity, the following terms are used in this Notice:
Individually Identifiable Information (III): Information that can be used to identify you, including health information.
IAS Provider: An organization (like Trove Health) that offers Individual Access Services.
TEFCA Exchange: The Trusted Exchange Framework and Common Agreement, which enables the secure exchange of health data.
Material Change: A change to this Notice that significantly affects how your data is used or shared.
IAS Incident: A security event that affects or is reasonably believed to affect the confidentiality, integrity, or availability of Individually Identifiable Information.
Applicable Law: Any federal, state, or local law, rule, or regulation applicable to the collection, use, or disclosure of Individually Identifiable Information.
Framework Agreement: The TEFCA Common Agreement and any applicable Qualified Health Information Network (QHIN) Technical Framework agreements governing data exchange.
1. Scope of This Notice
This Notice applies to all Individual Access Services (IAS) offered by Trove Health. It explains how we handle Individually Identifiable Information (III) that we collect, access, exchange, use, or disclose in connection with providing our services, including through the TEFCA exchange. This Notice is publicly available, kept current, updated when materially changed, and written in plain language for clarity.
2. How We Collect Information
We may collect information directly from you, your healthcare providers, health information networks, and other authorized third parties. This includes name, contact information, health records, claims data, and information entered in our application or received through the TEFCA exchange.
3. How We Use Information
We use your Individually Identifiable Information for the following specific purposes:
• To provide, operate, and maintain our Individual Access Services, including retrieving and displaying your health records;
• To enable secure access to your health information via the TEFCA exchange;
• To communicate with you regarding your account, your data, or our services (including SMS with your consent);
• To comply with legal obligations, including HIPAA, TEFCA, and other Applicable Law;
• To protect against unauthorized access, misuse, or disclosure of information; and
• To respond to lawful requests from regulatory authorities or law enforcement as required by Applicable Law.
Important: Trove Health will not use your Individually Identifiable Information to assert any type of claim against you, except for the collection of fees owed for services rendered.
4. No Sale of Information Attestation
Trove Health attests that it will not:
1. Sell Individually Identifiable Information at any time, now or in the future;
2. Receive remuneration in exchange for Individually Identifiable Information; or
3. Use Individually Identifiable Information for targeted advertising, marketing, or any other commercial purpose unrelated to providing Individual Access Services.
If Trove Health ever intends to change this attestation, we will provide conspicuous prior notice and obtain your express, documented consent before any such change takes effect.
5. How We Share Information
We may share your Individually Identifiable Information in the following circumstances:
• Directly with you, upon your request;
• With healthcare providers and health information networks as part of TEFCA exchange, in accordance with the Common Agreement;
• With trusted third-party service providers who perform services on our behalf (see Section 12 below for the privacy and security practices we require of these parties);
• With law enforcement agencies or in response to legal process, as described in Section 9 below; and
• As otherwise required or permitted by Applicable Law.
Types of third-party recipients may include: cloud hosting and infrastructure providers, identity verification services, communication platforms (e.g., email and SMS), analytics providers (using de-identified data only), and healthcare data networks participating in TEFCA. Some of these third parties may further process information in ways that are outside of Trove Health’s direct control; however, all such parties are contractually required to protect your information in accordance with Applicable Law.
6. De-Identification of Information
Trove Health may de-identify Individually Identifiable Information in accordance with Applicable Law and TEFCA guidance. De-identified data no longer contains information that can be used to identify you. Trove Health may use or disclose such de-identified data for analytics, research, product improvement, or public-health purposes, provided that the information cannot be used to re-identify you.
7. TEFCA Disclosures
Trove Health participates in TEFCA to enable the secure exchange of health information. All Uses and Disclosures of Individually Identifiable Information through TEFCA are performed strictly in accordance with the permitted and required Uses and Disclosures defined in the TEFCA Common Agreement and applicable guidance issued by the U.S. Department of Health and Human Services (HHS).
8. HIPAA Status
Trove Health Inc. is subject to the Health Insurance Portability and Accountability Act (HIPAA Rules), as a matter of law, when performing Individual Access Services as a Business Associate of Covered Entities. We adhere to all applicable HIPAA Privacy, Security, and Breach Notification Rules.
9. Legal and Law-Enforcement Disclosures
If Trove Health receives a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure of Individually Identifiable Information, we will—unless prohibited by Applicable Law—provide written or electronic notice to the affected Individual(s) within three (3) business days of receipt. This notice will allow affected Individuals the opportunity to object, seek a protective order, or pursue other appropriate remedies consistent with Applicable Law.
Similarly, if Trove Health makes Individually Identifiable Information available to any law-enforcement agency (including through sale of such data, though Trove Health attests that it does not and will not sell III), we will—unless prohibited by Applicable Law—provide written or electronic notice to the affected Individual(s) within three (3) business days of doing so.
10. Sensitive Information
We follow additional protections for reproductive health and gender-affirming care data. If legally required to disclose, we comply with applicable law and notify you when allowed.
11. Security Measures and Conformance
Trove Health is required to act in full conformance with this Privacy and Security Notice and must protect the security of the information it holds in accordance with the applicable Framework Agreement.
Specifically, Trove Health:
• Uses commercially reasonable efforts to protect Individually Identifiable Information from unauthorized or illegal access, modification, Use, or destruction;
• Encrypts all Individually Identifiable Information held by Trove Health, both in transit and at rest, regardless of whether such data are TEFCA Information;
• Maintains SOC 2 Type II certified infrastructure and HITRUST e1 certification;
• Maintains and enforces secure access controls; and
• Maintains incident response procedures to promptly detect, investigate, and remediate security incidents.
If your Individually Identifiable Information has been or is reasonably believed to have been affected by an IAS Incident, Trove Health will notify you in accordance with the timeframes and requirements of Applicable Law. Such notification will include the nature of the incident, the type of information involved, steps you should take to protect yourself, and the actions we are taking to prevent future occurrences.
Trove Health’s obligations under this Privacy and Security Notice will continue for as long as Trove Health maintains Individually Identifiable Information, even after an Individual’s account or participation ends.
12. Third-Party Service Provider Practices
Trove Health requires all third parties that provide services on its behalf and with whom Trove Health shares Individually Identifiable Information to:
• Enter into written agreements that require protection of Individually Identifiable Information consistent with this Notice and Applicable Law;
• Implement administrative, technical, and physical safeguards to protect against unauthorized access, use, or disclosure;
• Encrypt Individually Identifiable Information in transit and at rest;
• Limit their use of Individually Identifiable Information to only the purposes necessary to perform the contracted services;
• Promptly notify Trove Health of any security incident or breach affecting Individually Identifiable Information; and
• Return or securely destroy Individually Identifiable Information upon termination of the service relationship.
13. Your Privacy Rights
As an Individual using Trove Health’s Individual Access Services, you have the following rights regarding your Individually Identifiable Information:
Right to Access: You may access your Individually Identifiable Information maintained by Trove Health in connection with IAS at any time through your PatientChart account or by contacting us.
Right to Export: You may obtain an export of your Individually Identifiable Information in a machine-readable format (such as JSON FHIR, C-CDA XML, or CSV). Trove Health will provide the means to interpret such machine-readable format upon request.
Right to Correction: You may request correction of inaccurate Individually Identifiable Information.
Right to Deletion: You may request that all Individually Identifiable Information maintained by Trove Health in connection with IAS be deleted completely, to the extent technically feasible, with respect to any future Uses or Disclosures, unless such deletion is prohibited by Applicable Law. Please note that Individually Identifiable Information contained in audit logs is not subject to deletion.
Right to Restrict Use: You may request that Trove Health restrict the use or disclosure of your Individually Identifiable Information.
Right to Opt Out of TEFCA Exchange: Prior to your first use of IAS, Trove Health will provide you with a choice regarding whether or not Trove Health will Disclose your Individually Identifiable Information via TEFCA Exchange. You may change this choice at any time. Trove Health will implement and adhere to processes to ensure that your choice is honored.
14. Consent
Trove Health obtains your express, documented consent to the terms of this Privacy and Security Notice prior to the access, exchange, Use, or Disclosure of your Individually Identifiable Information, other than Disclosures that are required by Applicable Law.
If our practices change materially, we will notify you and obtain new consent if required by Applicable Law or the TEFCA Common Agreement. You may revoke consent at any time (see Section 15 below), which may limit or end your ability to use our services.
15. How to Revoke Consent
You may revoke your consent to the terms of this Privacy and Security Notice at any time. To revoke consent, follow these steps:
1. Send an email to privacy@trovehealth.io with the subject line “Revoke Consent.”
2. Include your full name, registered mobile number, and a statement that you wish to revoke your consent.
3. Trove Health will confirm receipt within two (2) business days and process your revocation within five (5) business days.
Upon revocation of consent, Trove Health will cease accessing, exchanging, using, or disclosing your Individually Identifiable Information except as required by Applicable Law. Please note that revocation of consent may limit or end your ability to use Trove Health’s Individual Access Services.
16. Individual Choices
You have the following choices regarding the collection, Use, deletion, and Disclosure of your Individually Identifiable Information:
• You may choose whether or not to create an account and use Trove Health’s Individual Access Services;
• You may choose whether or not Trove Health Discloses your Individually Identifiable Information via TEFCA Exchange (see Section 13);
• You may revoke your consent at any time (see Section 15);
• You may request access to, export of, correction of, or deletion of your Individually Identifiable Information (see Section 13);
• You may opt out of non-essential communications at any time; and
• You may manage cookie and tracking preferences through your browser settings.
17. Data Retention
Trove Health retains Individually Identifiable Information for a period of three (3) years after the Individual’s last activity on the platform, or as otherwise required by Applicable Law, whichever is longer. After this retention period, Individually Identifiable Information will be securely deleted or de-identified, except as required for compliance with legal obligations or as contained in audit logs.
18. Fees
Trove Health does not currently charge fees for Individual Access Services or for the exercise of any Individual privacy rights described in this Notice, including access, export, correction, or deletion requests. If Trove Health introduces fees in the future, such fees will be clearly disclosed in this Notice prior to taking effect.
19. Material Changes to This Notice
Material changes to this Notice will be:
• Posted prominently on our website at trovehealth.io/privacy-policy;
• Communicated directly to enrolled Individuals; and
• Clearly marked so that Individuals can readily identify what has changed from the previous version.
The effective date of the most recent update will always be displayed at the top of this Notice.
20. Changes from Previous Version
The following material updates were made in this version (effective March 23, 2026) to comply with the IAS Provider Requirements SOP:
• Added effective date;
• Added Request-Only IAS Provider statement;
• Added No Sale of Information Attestation;
• Expanded detail on specific purposes for III use;
• Added explicit statement that III cannot be used to assert claims against Individuals;
• Added types of third-party recipients and uses outside Trove Health’s control;
• Specified data retention period (3 years after last activity);
• Added step-by-step consent revocation instructions;
• Added TEFCA Exchange opt-out choice for Individuals;
• Added machine-readable export format details;
• Added audit log exception to deletion right;
• Added third-party service provider privacy practices section;
• Added Individual choices section;
• Strengthened conformance and continuing obligations language;
• Added ‘as a matter of law’ language to HIPAA status statement.
21. General Privacy Policy
In addition to our TEFCA Privacy and Security Notice, this section describes how Trove Health collects and uses information through its website and applications for service improvement, security, and communication purposes.
Cookies and Website Tracking: We may use cookies and similar technologies to enhance user experience, analyze traffic, and improve services. You can control cookies through your browser settings.
Log Data and Analytics: We may collect technical information such as IP address, browser type, device identifiers, and usage patterns. This information helps us monitor performance and secure our services.
Third-party Service Providers: We may use trusted third-party providers for hosting, communications, or identity verification. These providers are contractually obligated to protect your information (see Section 12).
International Data Transfers: If data is transferred outside the United States, we ensure appropriate safeguards are in place in accordance with Applicable Law.
Marketing Communications: We do not sell or share personal information for marketing purposes. If this changes, we will update this Notice and obtain your consent where required.
Children’s Privacy: There is no age restriction to use our service. However, it is primarily intended for patients and their designated representatives. We comply with applicable laws related to children’s privacy and protect all user data with the same standards.
Your Choices and Control: You can manage privacy preferences, including cookies and communication preferences, through your account settings or by contacting privacy@trovehealth.io.
22. Regulatory References
HIPAA (Health Insurance Portability and Accountability Act)
TEFCA (Trusted Exchange Framework and Common Agreement)
IAS Provider Requirements SOP v2.0 (July 1, 2024)
Federal Plain Language Guidelines
23. Language and Accessibility
If English is not your primary language, this Notice is available in other languages upon request. Please contact admin@trovehealth.io for translated versions or accessible formats.
24. Contact the Privacy Office