Beacon Consumer Health Policy

Effective Date: April 6, 2026 | Last Updated: April 6, 2026

Heyday Health, Inc. (“Heyday Health,” “we,” “us,” or “our”) is committed to processing, using, transferring, and managing personal information in accordance with applicable privacy laws and this Policy.

This Consumer Health Data Privacy Policy (“Policy”) details how Heyday Health collects, uses, transfers, and shares your “Consumer Health Data” as defined by the Washington My Health My Data Act (“MHMDA”), the Nevada Consumer Health Data Privacy Act (“NCHDPA”), the Connecticut Data Privacy Act (“CDPA”), or other applicable US state health privacy laws. This Policy supplements and amends our general Privacy Policy. In the event of a conflict between our Privacy Policy and this Policy, this Policy applies to the extent that it is consistent with applicable state law.

This Policy applies to the Consumer Health Data we obtain when you interact with the Beacon care navigation application (including its iOS, Android, and web versions), our websites at beaconhealthapp.com, www.heydayhealth.com, and its subdomains, our marketing activities, and other activities described in this Policy (collectively, the “Services”).

In this Policy, “we,” “us,” and “our” refers to Heyday Health, and “you” refers to any individual about whom we collect personal information.

1. Categories of Consumer Health Data We Collect

Beacon’s Services are health-related in nature and rely on you providing us with your Consumer Health Data. When you use our Services, we may collect the following categories of Consumer Health Data:

Consumer Health Data You Provide

• Contact data, such as your first and last name, email address, mailing address, and phone number.

• Basic demographic data, such as your gender, city, state, country of residence, postal code, and age.

• Account information, such as the username and password that you may set to establish an account on the Service, date of birth, biographical details, photographs, and any other information that you add to your account profile.

• Health record data, such as medical records, lab results, clinical notes, imaging reports, discharge summaries, pathology reports, medication lists, care plans, appointment histories, and other health-related documents that you upload, import, or synchronize through the Services, including data imported through our integration with third-party health record services (such as Fasten Health).

• Care navigation data, such as your interactions with the Beacon care navigator chatbot, including messages you send, questions you ask, topics you explore, and appointment preparation notes.

• Audio and transcription data, such as recordings of medical appointments you choose to make through the Services and any transcriptions generated from those recordings.

• Health condition and treatment data, such as types of care or treatment, medication, diagnoses, health conditions, fertility status, pregnancy status, health goals, and other information relating to your past, present, or future physical or mental health.

• Communications data, based on our exchanges with you, including when you contact us through the Services, communicate with us via chat features, email, social media, or otherwise.

• Relationship data, such as familial or caregiver relationships to third parties or users whose personal information you may provide to us.

• Content you share, such as comments, questions, messages, responses to questionnaires or surveys, and other content or information that you generate or make available through the Services, including associated metadata.

• Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.

• Payment information, such as payment card information or bank account numbers.

Consumer Health Data Collected Automatically

When you use our Services, we collect some information through technical tracking technologies that may be considered Consumer Health Data:

• Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, device type, IP address, unique identifiers, language settings, mobile device carrier, and general location information such as city, state, or geographic area.

• Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, access times, and duration of access.

• Communication interaction data, such as your interactions with our email, text, or other communications (e.g., whether you open and/or forward emails).

Consumer Health Data We Create, Infer, or Generate

We may create, infer, or generate Consumer Health Data from other data we collect, including using artificial intelligence and automated means to generate information such as AI-powered care navigation insights, health record summaries, appointment transcriptions, and other content based on your input. Based on data you provide, the Beacon care navigator may generate additional Consumer Health Data such as suggested questions for your care team, treatment timeline summaries, or other informational content about your health condition.

2. Sources of Consumer Health Data

We collect Consumer Health Data from the following sources:

• Directly from you through your use of the Services, including information you enter into your account profile, health records you upload or sync, messages you send to the care navigator chatbot, appointment recordings you make, and other content you provide.

• Third-party health record services(such as Fasten Health) that facilitate the import and synchronization of your medical records with your consent.

• Authentication providers(such as Clerk) that manage your account login and identity verification.

• AI platforms(such as Anthropic) that process your inputs and generate responses through the care navigator chatbot.

• Automatically through technical tracking technologies when you interact with our Services.

• Generated by us based on data you provide, including through AI-powered analysis and inference.

3. Purposes for Collecting Your Consumer Health Data

Heyday Health collects and uses Consumer Health Data for the following purposes:

Purpose of Use - Categories of Consumer Health Data

To provide the Services: providing the Beacon care navigation application, enabling health record import and synchronization, powering the care navigator chatbot, generating appointment transcriptions, establishing and maintaining your account, communicating with you about the Services, and providing support - Contact data, demographic data, account information, health record data, care navigation data, audio and transcription data, health condition and treatment data, communications data, relationship data, content you share, payment information, device data, online activity data

Service personalization: understanding your needs and interests, personalizing your experience with the Services, tailoring care navigator responses and health insights based on your health records and care journey, and remembering your preferences - Contact data, demographic data, account information, health record data, care navigation data, health condition and treatment data, content you share, device data, online activity data

Research and development: analyzing and improving the Services and our business, developing new products and services, and improving the quality of AI-generated content - Contact data, demographic data, account information, health record data, care navigation data, audio and transcription data, health condition and treatment data, communications data, content you share, device data, online activity data

Service improvement and analytics: analyzing your usage of the Services, understanding which features are most and least used, improving the performance and accuracy of the Services, and developing new products and services - Contact data, demographic data, account information, care navigation data, content you share, device data, online activity data, communication interaction data

Direct marketing: communicating with you about new services, updates, and other information relevant to your care journey - Contact data, demographic data, account information, health condition and treatment data, marketing data, communication interaction data

Compliance and protection: complying with applicable laws, lawful requests, and legal process; protecting our, your, or others’ rights, privacy, safety, or property; auditing our internal processes; enforcing the terms and conditions that govern the Services; and preventing, identifying, investigating, and deterring fraudulent, harmful, or illegal activity - All categories of Consumer Health Data listed in Section 1

To create aggregated, de-identified, and/or anonymized data: We may create aggregated, de-identified, and/or anonymized data from your Consumer Health Data. We make Consumer Health Data into de-identified and/or anonymized data by removing information that makes the data identifiable to you. Except as required or permitted by applicable law, we do not attempt to re-identify such data - All categories of Consumer Health Data listed in Section 1

Heyday Health will obtain consent for any uses of Consumer Health Data to the extent required under applicable law.

4. How We Share Your Consumer Health Data

4.1 General

We do not sell your Consumer Health Data. We will make your Consumer Health Data available to our service providers acting as processors to Heyday Health for the purposes listed above. These service providers include:

• Amazon Web Services (AWS) — cloud hosting and infrastructure

• Anthropic — AI platform powering the care navigator chatbot

• Fasten Health — health record import and synchronization

All our service providers have signed data processing agreements ensuring processing occurs only in accordance with Heyday Health’s instructions and applicable law.

We reserve the right to disclose your Consumer Health Data as required by law, when we believe disclosure is necessary or appropriate to comply with a regulatory requirement, judicial proceeding, court order, government request, or legal process served on us, or to protect the safety, rights, or property of our customers, the public, us, or others.

We reserve the right to transfer the Consumer Health Data we maintain in the event we sell or transfer all or a portion of our business or assets. If we engage in such a sale or transfer, we will make reasonable efforts to direct the recipient to use your Consumer Health Data in a manner that is consistent with this Policy. After such a sale or transfer, you may contact the recipient with any inquiries concerning the recipient’s privacy practices.

4.2 Targeted Advertising

Heyday Health does not use your Consumer Health Data for targeted advertising purposes. We do not create advertising segments based on your health information, and we do not sell or share your Consumer Health Data with advertising partners or ad networks.

5. Your Rights Regarding Your Consumer Health Data

As a resident of Washington, Nevada, Connecticut, or any other state whose health data privacy laws apply to Heyday Health’s Services, you may have certain rights regarding the processing of your Consumer Health Data:

• Right to confirm and access. You have the right to confirm whether Heyday Health is collecting, sharing, or selling your Consumer Health Data, and to access this data, including a list of all third parties and affiliates with whom we have shared or sold the Consumer Health Data and active contact information for those third parties.

• Right to withdraw consent. You have the right to withdraw consent from the collection and sharing of your Consumer Health Data, where applicable.

• Right to correction. You have the right to ask us to correct inaccuracies in your Consumer Health Data.

• Right to deletion. You have the right to ask us to delete your Consumer Health Data.

• Right to appeal. You have the right to appeal our denial of a request you have made to exercise your rights. We will provide details on how to appeal in connection with any such denial.

How to Exercise Your Rights

To exercise your rights and make a Consumer Health Data rights request, please email us at privacy@heydayhealth.com. We may need to verify your identity in order to process your request. To confirm your identity, we may ask you to verify personal information we already have on file for you. If we cannot verify your identity based on the information we have on file, we may request additional information from you, which we will only use to verify your identity and for security or fraud-prevention purposes.

Declining to Provide Information

We need to collect Consumer Health Data to provide certain Services. If you do not provide the information we identify as required or mandatory, or if you request that any required Consumer Health Data be deleted, or withdraw your consent for future collection or sharing of any required Consumer Health Data, we may not be able to provide those Services.

How to File a Complaint

If your request to exercise your rights is denied and your appeal is unsuccessful, you can file a complaint with the relevant government body in your state, including:

• Washington State Attorney General at https://www.atg.wa.gov/file-complaint

• Nevada State Attorney General at https://ag.nv.gov/Complaints/CSU_Complaints___FAQ/

• Connecticut Attorney General at https://www.dir.ct.gov/ag/complaint/

6. Updates to This Policy

Heyday Health may amend this Policy from time to time. We reserve the right to modify this Policy at any time. If we make material changes to this Policy, we will notify you by updating the date of this Policy and posting it on the Services, or through other appropriate means such as email notification. In all cases, your use of the Services after the effective date of any modified Policy indicates your acknowledgment that the modified Policy applies to your interactions with the Services.

7. Contact Us

If you have any questions about this Policy or wish to exercise your rights, you may contact us at:

Heyday Health, Inc.

Email: privacy@heydayhealth.com

1 Mifflin Place, Suite 400, Cambridge MA 02138