Online Services Privacy Policy

We recognize that the privacy of your information is important. This Online Services Privacy Policy ("Privacy Policy" or "Policy") describes our practices in connection with information we collect through the online and mobile websites, platforms, services, and applications owned or operated by FollowMyDoctor.com, a division of United Valuecare, Inc. ("FollowMyDoctor", "we", "us", or "our") that contain a link to this Privacy Policy (collectively, "Online Services").

Our Online Services are intended for a United States audience, including licensed healthcare professionals and patients. Any information you provide, including any personal information, will be transferred to and processed by servers located within the United States in compliance with applicable law.

By using the Online Services, you consent to our collection, use, disclosure, and storage of information as described in this Privacy Policy.

1 When This Privacy Policy Applies

This Policy applies to Online Services that we own or operate and that contain a link to this Privacy Policy. It does not apply to information collected through other means — such as by telephone, through Online Services that do not link to this Privacy Policy, or in person — although that information may be protected by other privacy policies, including our HIPAA Notice of Privacy Practices.

This Policy does not apply to the practices of other companies, websites, or software applications that may be linked from or made available through our Online Services. The inclusion of a link on our Online Services does not imply endorsement of, or responsibility for, the privacy or security practices of that third party.

Some of our products and services are regulated by certain state and federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and applicable state digital health laws. Where specific Product Privacy Notices exist — such as our HIPAA Notice of Privacy Practices — those notices govern with respect to Protected Health Information (PHI).

2 What Information We Collect About You

We may collect two basic types of information through the Online Services: (1) information you provide directly to us, and (2) information that is automatically provided to us through your use of our Online Services.

Information You Provide Directly

When you use the Online Services, you may provide certain information directly to us, including:

• Account registration data — name, email address, professional credentials (NPI number, specialty, license state), institution or practice name
• Clinical queries — questions and prompts submitted to our AI platform (processed ephemerally and never retained in identifiable form)
• Profile information — specialty preferences, AI model preferences, display settings
• Patient health information — if you choose to enter patient context into clinical tools such as AI Scribe (governed by our HIPAA Notice)
• Communications — messages sent through our support chat, contact forms, or email
• Payment information — processed securely through PCI-compliant third-party payment processors; we do not store raw card numbers

Information Automatically Collected

We also obtain information that is automatically collected through the Online Services, including:

• Device and technical data — IP address, browser type, operating system, device identifiers, screen resolution
• Usage data — pages visited, features used, time on site, referring URLs, click patterns
• Location data — general geographic region inferred from IP address (not precise GPS unless you grant permission in a mobile app)
• Cookies and tracking data — see our Cookie Policy and Section 11 of this Policy for full details

Mobile Application Data

If you use the FollowMyDoctor mobile application, we may additionally collect:

• Camera access (if granted) — for document scanning within the Scribe feature
• Microphone access (if granted) — for AI Scribe ambient recording during patient visits
• Push notification permissions — to deliver urgent clinical alerts and app updates
• Device identifiers — to maintain secure session authentication

3 How We Use Your Information

We may use your information for the following purposes:

• To respond to requests — clinical queries, support messages, account requests, and contact form submissions
• To operate and improve the platform — including the Medical AI, AI Scribe, HIPAA Dialer, and Patient Health Testing services
• To authenticate you on the platform and verify professional credentials where required
• To personalize your experience — remembering your specialty, preferred AI models, and platform settings
• To communicate with you — account updates, platform announcements, security alerts, and — with your consent — educational content and product updates
• To process payments for Patient Health Testing subscriptions and enterprise licenses
• To perform analytics and improve our products, platform features, and clinical accuracy
• To maintain security — detecting, preventing, and investigating fraudulent activity, unauthorised access, and security incidents
• To comply with legal obligations — including HIPAA audit trail requirements, CCPA disclosure obligations, and court or regulatory orders
• To protect rights and safety — ours, our users', and the public's
• As otherwise permitted by law or with your explicit consent

We do not use your information to train AI models without your explicit opt-in consent. We do not sell your personal information to third parties.

4 How We Share Your Information

We will only share your information with third parties as outlined in this Policy and as otherwise permitted by law or with your consent.

Service Providers and Business Associates

We share information with third-party companies that perform services on our behalf, including cloud hosting, AI model providers, analytics, payment processing, and clinical support. All such providers are bound by contractual data processing agreements (DPAs). Where they may access PHI, they have signed HIPAA-compliant Business Associate Agreements (BAAs).

AI Model Providers

Queries submitted to our Medical AI platform are routed to third-party AI model providers (including Anthropic, OpenAI, Google, and others) under data processing agreements that prohibit the use of your queries for model training. No patient-identifiable information is transmitted unless you explicitly include it in a query.

Legal and Regulatory Disclosure

We may share information in response to a court order, subpoena, search warrant, or legal process, or to comply with applicable law or regulation. We may cooperate with law enforcement in investigating illegal activities or violations of our Terms of Service.

Business Transfers

If all or part of FollowMyDoctor or United Valuecare, Inc. is sold, merged, acquired, or reorganised, information may be transferred as part of that transaction, subject to the same privacy protections described in this Policy.

Affiliates

We may share information within the United Valuecare, Inc. family of companies, including affiliated entities operating under the same privacy standards, for the purposes described in this Policy.

5 How to Manage Your Information

You have several options for managing the information we hold about you:

Account and Profile Settings

You can view and update your account information, specialty preferences, notification settings, and AI model preferences at any time through your FollowMyDoctor account settings page after logging in.

Communication Preferences

You can opt out of non-essential communications (such as newsletters and product updates) at any time by clicking "unsubscribe" in any email or by updating your communication preferences in your account settings. Transactional communications — such as account security alerts and HIPAA-related notices — cannot be opted out of while your account is active.

Cookie Preferences

You can manage your cookie preferences at any time using the preference centre in our Cookie Policy. See also Section 11 of this Policy.

Data Access and Deletion

You may request a copy of the personal information we hold about you, or request deletion of your account and associated data, by contacting us at privacy@followmydoctor.com. We will respond within 30 days. Note that certain data may be retained to comply with legal obligations or HIPAA audit requirements.

6 Protecting Your Information

We take the security of your information seriously and implement administrative, physical, and technical safeguards designed to protect it:

• Encryption — All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.
• Zero PHI retention — Clinical queries processed through our AI platform are never written to persistent storage in identifiable form.
• Access controls — Role-based access controls restrict data access to authorised personnel only. All access is audit-logged.
• SOC 2 Type II — Our infrastructure undergoes independent annual security audits against the SOC 2 Type II standard.
• Penetration testing — We conduct regular third-party penetration tests and vulnerability assessments.
• HIPAA compliance — Our security program is designed and maintained to comply with the HIPAA Security Rule (45 CFR Part 164).
• Breach notification — In the event of a breach of unsecured PHI, we will notify affected individuals within 60 days as required by the HIPAA Breach Notification Rule.

7 HIPAA & Health Data

FollowMyDoctor is a HIPAA-regulated platform. When we create, receive, transmit, or maintain Protected Health Information (PHI) on behalf of clinicians or patients, we do so as a HIPAA Business Associate in compliance with 45 CFR Parts 160 and 164.

Our HIPAA Notice of Privacy Practices describes in detail:

• How we use and disclose PHI for treatment, payment, and healthcare operations
• Your rights as a patient with respect to your PHI
• Our obligations and safeguards under HIPAA
• How to file a complaint with the HHS Office for Civil Rights

8 Children Under 13

FollowMyDoctor's Online Services are intended exclusively for licensed healthcare professionals and adult patients. We do not knowingly collect personal information from children under the age of 13. If you are a parent or guardian and believe that a child under 13 has provided personal information to us, please contact us immediately at privacy@followmydoctor.com and we will delete that information as soon as practicable.

9 Additional Rights for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights with respect to your personal information:

• Right to Know — You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete — You have the right to request deletion of personal information we have collected from you, subject to certain legal exceptions.
• Right to Correct — You have the right to request correction of inaccurate personal information we maintain about you.
• Right to Opt Out of Sale or Sharing — We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
• Right to Limit Use of Sensitive Personal Information — We limit our use of sensitive personal information (including health data) to the purposes required to provide our services.
• Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, please submit a verifiable request to privacy@followmydoctor.com or call us at the number listed in Section 13. We will respond within 45 days of a verified request.

10 Your Privacy Rights

Regardless of your location, you have the following rights with respect to your personal information:

To exercise any of these rights, contact us at privacy@followmydoctor.com. We will verify your identity before processing any request and respond within 30 days.

11 Cookies & Tracking Technologies

We use cookies and similar technologies — including web beacons, local storage, and session storage — to operate our Online Services, remember your preferences, and understand how our platform is used.

Our cookies fall into four categories:

You can manage your cookie preferences at any time through our Cookie Policy preference centre, or through your browser settings. Please note that we do not currently respond to browser "Do Not Track" signals, as there is no agreed industry standard for their interpretation.

For full details on every cookie we use, durations, providers, and how to manage them, please read our complete Cookie Policy.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last reviewed" date at the top of this page
• Display an in-platform notification to logged-in users for significant changes
• Request fresh consent where required by applicable law (e.g., for new uses of personal data under GDPR or CCPA)

Your continued use of the Online Services after any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Policy periodically.

13 Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to report a privacy concern, please contact us: