Beacon Health

Privacy Policy

Effective Date: April 6, 2026 | Last Updated: April 6, 2026

Introduction

This Privacy Policy (“our Privacy Policy”) describes how Heyday Health, Inc. (“Heyday Health,” “we,” “our,” or “us”) collects and processes personal information about you through the use of the Beacon care navigation application (including its iOS, Android, and web versions), our website at beaconhealthapp.com, www.heydayhealth.com, and its subpages (collectively, our “Website”), as well as through other electronic communications between you and Heyday Health, our marketing activities, and other activities described in this Privacy Policy (collectively, the “Services”). This Privacy Policy also describes our practices for collecting, using, maintaining, protecting, and disclosing that information. We respect your privacy and are committed to protecting it through our compliance with this policy.

This Privacy Policy applies to information we collect: through the Beacon application; on our Website; in email, text, and other electronic messages between you and our Services; and when you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this policy. It does not apply to information collected by: us offline or through any other means, including on any other website operated by us or any third party; or any third party, including through any application or content (including advertising) that may link to or be accessible from or through the Services. As this Privacy Policy covers different aspects of our Services and our personal information practices vary depending upon the particular Service aspect with which you interact, not all disclosures contained in this Privacy Policy may be relevant to you.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Services. By accessing or using our Services, you agree to this Privacy Policy. This Privacy Policy may change from time to time (see below under “Changes to Our Privacy Policy”). Your continued use of our Services after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates.

Information We Collect About You

The nature of the information we collect about you depends on how you interact with the Services. For example, our personal data practices differ depending on whether you interact with our Website or with the Beacon application. In particular, Beacon users can choose much of the personal data that they provide to us. This is especially true of the sensitive personal information described below, which may not apply in all circumstances. Please keep these concepts in mind as you engage with the Services and read this Privacy Policy.

We collect, or may collect, several types of information from and about you, specifically:

  • Contact data, such as your first and last name, email address, mailing address, and phone number.

  • Demographic data, such as your city, state, country of residence, postal code, gender, age, and date of birth.

  • Profile data, such as your username, password, photograph or avatar, biographical details, health interests, preferences, and any other information that you add to your account profile.

  • Health record data, such as medical records, lab results, clinical notes, imaging reports, discharge summaries, pathology reports, medication lists, care plans, appointment histories, and other health-related documents that you upload, sync, or otherwise provide through the Services, including data imported through our integration with third-party health record services (such as Fasten Health).

  • Care navigation data, such as your interactions with the Beacon care navigator chatbot, including messages you send, questions you ask, topics you explore, appointment preparation notes, and the AI-generated responses you receive.

  • Audio and transcription data, such as recordings of medical appointments you choose to make through the Services and any transcriptions generated from those recordings.

  • Transactional data, such as information relating to or needed to complete transactions through the Services, including order numbers and transaction history.

  • Payment data, needed to complete transactions, including payment card information or bank account number. We use third-party vendors to directly collect and process your payment card information, as described further below.

  • Communications data, based on our exchanges with you, including when you contact us through the Services, communicate with us via email, phone, in-app chat, social media, or otherwise.

  • Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.

  • User-generated content data, such as comments, reviews, questions, messages, and other content or information that you generate, transmit, or otherwise make available through the Services, including associated metadata.

  • Sensitive Personal Information, including racial, ethnic, or national origin; religious or philosophical beliefs; mental or physical health condition, diagnosis, history, treatment, or other health data; pregnancy and fertility status; sex life, sexuality, or sexual orientation; account login information; and financial information.

  • Data about others. We may collect information from caregivers about individuals with whom they have a relationship. Please do not share contact details or other information about an individual with us unless you have their permission to do so.

We refer to this information collectively as “Personal Data” or “personal information” in this Privacy Policy.

How We Collect Information About You

We collect Personal Data directly from you when you provide it to us, automatically as you navigate through the Services, and from third parties.

Information You Provide Directly

The information we collect directly from you may include:

  • Information that you provide by filling in forms on our Services, including information provided at the time of registering to use Beacon, completing a health profile or questionnaire, or requesting further services.

  • Health records and medical documents that you upload, import, or sync through the Services, including through our integration with third-party health record services.

  • Messages and interactions with the Beacon care navigator chatbot.

  • Audio recordings of medical appointments that you choose to record through the Services.

  • Records and copies of your correspondence (including email addresses), if you contact us.

  • Your responses to surveys that we might ask you to complete.

  • Details of transactions that may be tracked through our Services.

Information from Third-Party Sources

We may collect information about you through third-party sources, which we may combine with information we receive from you. These third-party sources include:

  • Health record services (such as Fasten Health) that facilitate the import and synchronization of your medical records with your consent.

  • Authentication providers (such as Clerk) that manage your account login and identity verification.

  • Public sources, such as government agencies and publicly available sources.

  • Data providers, such as information services and lead generators.

  • Service providers that provide services on our behalf or help us operate the Services.

  • Partners, such as joint marketing partners and event co-sponsors.

Information Collected Automatically

We may also collect information about you automatically, including:

  • Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, and general location information such as city, state, or geographic area.

  • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.

  • Communication interaction data, such as your interactions with our email, text, or other communications (e.g., whether you open and/or forward emails).

The technologies we use for automatic data collection may include cookies, web beacons, analytics services, and similar technologies. You may refuse to accept cookies by adjusting your browser settings; however, some parts of our Services may then be inaccessible or not function properly.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any Personal Data:

  • To provide, personalize, and improve the Beacon care navigation Services, including the care navigator chatbot, health record organization, appointment recording and transcription, and appointment preparation features.

  • To facilitate the import and synchronization of your health records from third-party services.

  • To generate AI-powered insights, summaries, and guidance based on your health records and care journey.

  • To communicate with you about our products and services.

  • To register and service your account.

  • To provide you with notices about your account.

  • To develop and improve our Services for you.

  • To derive de-identified, aggregated, or anonymized data and use such derived data for our own purposes (we will not attempt to re-identify de-identified data except as otherwise permitted or required by applicable law).

  • To engage in direct marketing such as sending you personalized messages, newsletters, or promotional materials.

  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us.

  • To comply with applicable laws, lawful requests, and legal process.

  • To protect our, your, or others’ rights, privacy, safety, or property.

  • To prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, or illegal activity.

  • For technical, functional, and analytics purposes.

  • To engage in an actual or prospective corporate transaction.

  • To notify you about changes to our Services.

  • For any other purpose with your consent.

How We May Disclose Your Information

We may disclose your Personal Data:

  • To our contractors and third-party service providers that we use to support our business and the Services, including cloud hosting and infrastructure providers (such as Amazon Web Services), authentication providers (such as Clerk), health record integration services (such as Fasten Health), AI platforms that power certain aspects of our Services (such as Anthropic), transcription service providers, email delivery providers, analytics providers, and customer support tools.

  • To payment processors.

  • To prospective or actual acquirers or investors of Heyday Health, such as in the context of a merger, acquisition, sale of assets, or bankruptcy.

  • To affiliates.

  • To third parties designated by you, such as where you have instructed us or provided your consent to do so.

  • To our professional advisors (such as lawyers, auditors, bankers, and insurers).

  • To authorities and others (such as law enforcement, government authorities, and private parties in litigation) as required by law or to protect rights and safety.

  • To other users and the public (for example, if you choose to make certain Personal Data available through the Services).

  • With your consent.

We do not sell your Personal Data to third parties for their own marketing purposes.

Key Service Providers and Data Processing

The following third-party service providers play key roles in the operation of Beacon and may process your Personal Data on our behalf:

| Provider | Role | Data Processed |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | All data stored and processed through the Services |
| Anthropic | AI platform powering the care navigator chatbot | Care navigator conversations, health record content submitted for analysis |
| Fasten Health | Health record import and synchronization | Medical records, lab results, clinical documents synced with your consent |

We maintain data processing agreements (DPAs) or equivalent contractual protections with each of these providers. Where applicable, we seek to enter into Business Associate Agreements (BAAs) with providers that handle protected health information.

Your Choices

We provide you with certain choices regarding your Personal Data:

  • Tracking Technologies. You can set your browser or operating system to refuse all or some cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, some parts of our Services may be inaccessible or not function properly.

  • Promotional Communications. If you do not wish to receive promotional communications from us, you can opt out at any time by following the unsubscribe instructions in our emails or by contacting us at the contact information below.

  • Health Record Data. You may disconnect third-party health record integrations or request deletion of imported health records at any time through your account settings or by contacting us.

  • Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to online services. We currently do not respond to “Do Not Track” signals.

State Privacy Rights

California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may provide you with additional rights regarding your Personal Data, including the right to know, the right to delete, the right to correct, and the right to opt out of the sale or sharing of your Personal Data. To exercise these rights, please contact us at the contact information below.

California Civil Code Section 1798.83 (California’s “Shine the Light” law) permits users of our Services that are California residents to request certain information regarding our disclosure of Personal Data to third parties for their own direct marketing purposes. To make such a request, please contact us at the contact information below.

Washington My Health My Data Act

If you are a Washington state resident, the Washington My Health My Data Act may provide you with additional rights regarding your consumer health data, including the right to know what health data we collect, share, and sell; the right to withdraw consent for the collection and sharing of your health data; and the right to have your health data deleted. Heyday Health does not sell consumer health data. To exercise your rights under this law, please contact us at the contact information below.

Other State Privacy Laws

Residents of other states with comprehensive consumer privacy laws (such as Virginia, Colorado, Connecticut, and others) may have additional rights regarding their Personal Data. We are committed to complying with applicable state privacy laws and will honor valid requests submitted in accordance with those laws. To exercise any rights available to you, please contact us at the contact information below.

Health Breach Notification

To the extent that Heyday Health is subject to the Federal Trade Commission’s Health Breach Notification Rule (16 CFR Part 318), we will notify affected individuals, the FTC, and (where required) the media in the event of a breach of security involving unsecured personally identifiable health information, in accordance with the timeframes and procedures required by the Rule.

Data Retention

We will retain your information for as long as your account is active or as needed to provide you Services. If you wish to deactivate or delete your account, or request that we no longer use your information to provide you Services, please contact us at the contact information below. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Data Security

We have implemented technical, administrative, and physical measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. These measures include encryption of data in transit and at rest, access controls, and monitoring of our systems for potential vulnerabilities. The safety and security of your information also depends on you. Where you have chosen a password for the use of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted to or otherwise processed by our Services. Any transmission of Personal Data is at your own risk.

Children Under the Age of 18

Our Services are not intended for children under 18 years of age. No one under age 18 may provide any information to or through the Services. We do not knowingly collect Personal Data from children under 18. If you are under 18, do not use or provide any information on our Services. If we learn we have collected or received Personal Data from a child under 18, we will delete that information. If you believe we might have any information from a child under 18, please contact us using the contact information below.

SMS/MMS Mobile Messaging

We may use your telephone number for the purpose of sending you SMS messaging related to the Services, including appointment reminders, care navigation notifications, and other service-related messages if you have opted in to receive such messaging. You may opt out from receiving SMS messaging from us at any time by responding STOP to any of our messages. We do not share your telephone number with third parties for the purposes of receiving third-party marketing messages. Text messaging originator opt-in data and consent will not be shared with any third parties.

Links to Other Websites and Services

Our Services may contain links to other websites and online services that have information we believe may be of interest. We do not endorse these sites and services. We are not responsible for the content of those sites or the privacy practices employed by other sites or services. We encourage you to read the privacy policy of each site or service you visit that may collect information or ask you to disclose Personal Data.

Storage of Personal Data

All of the information that you provide to us will be stored and processed in the United States using Amazon Web Services infrastructure. The laws in the United States may not offer the same degree of privacy protection as the laws in your jurisdiction.

Changes to Our Privacy Policy

We may change this Privacy Policy at any time. It is our policy to post any changes we make to our Privacy Policy on this page. If we make material changes to how we treat our users’ Personal Data, we will notify you by email to the email address you have provided to us and/or through a notice within the Beacon application. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically reviewing this Privacy Policy to check for any changes.

Contact Information

If you have any questions about this Privacy Policy or would like to exercise any rights that may be available to you under applicable law in relation to your Personal Data, you may contact us at:

Heyday Health, Inc.

Email: privacy@heydayhealth.com

1 Mifflin Place, Suite 400, Cambridge MA 02138
