Consumer Health Data Privacy Policy

Consumer Health Data Privacy Policy

This Consumer Health Data Privacy Policy is provided separately from our general Privacy Policy, as required by Washington State’s My Health My Data Act and Nevada’s Consumer Health Data Privacy Act, and describes specifically how BRAIN.ONE collects, uses, shares, and protects “consumer health data.” It supplements, and does not replace, our general Privacy Policy, available as a separate document.

1. What Is Consumer Health Data

“Consumer health data” means personal information that is linked or reasonably linkable to you and that identifies your past, present, or future physical or mental health status, including, without limitation: health conditions, symptoms, and diagnoses; cognitive, emotional, mental health, and substance use conditions; neural data, including EEG and other brainwave or neurotechnology sensor data; biometric data; self-assessment and screening responses; treatment and appointment information from the client portal; and any inferences drawn from the foregoing that identify your health status. The collection of consumer health data does not mean that BRAIN.ONE is a medical provider, mental health platform, medical device, or provider of medical advice.

2. Categories of Consumer Health Data We Collect

• Self-assessment and screening responses you submit through the Services.

• Neural data collected via EEG or other neurotechnology sensors used with the Services.

• Health history, symptoms, medications, and self-reported diagnoses.

• Client portal messages, appointment scheduling data, and related treatment information, where applicable and to the extent BRAIN.ONE has access to them.

• Precise location data, only if enabled, which could reveal attempts to seek health care services.

• Biometric identifiers, if you enable biometric login.

3. Purposes for Which We Collect and Process Consumer Health Data

We collect and process consumer health data to: provide and personalize the Services you request, including scoring assessments and displaying results; support educational protocols and self-tracking features; facilitate your use of the client portal and communications with clinicians you choose; maintain the security and integrity of the Services; and comply with legal obligations. We do not process consumer health data for any additional purpose without first obtaining your separate, opt-in consent, and you may withdraw that consent at any time as described in Section 6.

4. Sources of Consumer Health Data

We collect consumer health data directly from you, through assessments, device sensors, wearable or neurotechnology data sources you connect, and portal messages, and, if you separately authorize it, from a clinician or other third party you direct to share information with us.

5. Third Parties and Affiliates With Whom We Share Consumer Health Data, and Why

• Licensed clinicians you choose to connect with, for treatment or care-related purposes, at your direction.

• Service providers who host, store, or process data on our behalf under contracts limiting their use of it to providing services to us, such as cloud hosting and customer support providers.

• Parties to a corporate transaction (merger, acquisition, or asset sale), subject to the protections described in Section 8.

• Government authorities or other parties, only where required by law, such as in response to a valid subpoena or court order, or to protect against imminent harm to life or safety.

We do not sell consumer health data, and we do not share consumer health data for the purpose of advertising to you based on it.

6. Your Consent Rights

Before we collect or share consumer health data beyond what is strictly necessary to provide a product or service you have requested, we obtain your affirmative, opt-in consent, specific to that collection or sharing. You have the right to withdraw your consent at any time. If you withdraw consent, we will stop collecting or sharing your consumer health data for the relevant purpose going forward and, if you request, delete consumer health data collected on the basis of that consent, as described in Section 7.

7. Your Rights Regarding Consumer Health Data

You have the right to:

• Confirm whether we are collecting, sharing, or selling your consumer health data, and to access that data;

• Withdraw consent for the collection or sharing of your consumer health data;

• Request deletion of your consumer health data, which we will honor by deleting it from our records and directing our service providers, affiliates, and any third parties with whom we shared it to also delete it, absent a legal exception, within the timeframe required by applicable law;

• Appeal a denial of a request by contacting us at hello@brain.one; if we deny your appeal, we will provide information on further steps available to you, including how to contact your state attorney general.

To exercise these rights, email hello@brain.one with the subject line “Consumer Health Data Request.” We will respond within the timeframe required by applicable law, generally 45 days, extendable once by 45 additional days.

8. No Sale of Consumer Health Data Without Valid Authorization

We do not sell consumer health data. If this were ever to change, we would first obtain a valid, specific written authorization from you that meets the requirements of applicable law, separate from your general consent to this policy, and you could revoke that authorization at any time.

9. No Geofencing Around Health Care Facilities

We do not use geofencing — technology that establishes a virtual boundary around a physical location — within 2,000 feet of a health care facility to (a) identify, track, collect data from, or send notifications to consumers regarding their consumer health data, or (b) send messages or advertisements to consumers related to their consumer health data.

10. Data Security

We maintain administrative, technical, and physical safeguards designed to protect consumer health data, including encryption in transit and at rest, access controls limiting internal access on a need-to-know basis, and regular security reviews.

11. Changes to This Policy

We will not materially expand the categories of consumer health data we collect, or the purposes for which we use or share it, without first providing notice and, where required by law, obtaining your renewed consent. The “Last Updated” date on the cover of this document reflects the most recent revision to this policy.

12. Contact Us

Questions about this Consumer Health Data Privacy Policy, or requests to exercise your rights, can be sent to hello@brain.one.