Privacy Statement for California Residents
Last Updated: April 4, 2026
This Privacy Statement for California Residents (“Statement”) is provided by Blue Oak Services LLC dba Prescriva, a California limited liability company, in compliance with the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), and other applicable California privacy laws. This Statement supplements our Privacy Policy and applies solely to California residents (“consumers”). Any terms defined in the CCPA or CPRA have the same meaning when used in this Statement.
I. Scope of This Statement
This Privacy Statement for California Residents (“Statement”) supplements our Privacy Policy and applies solely to visitors, users, and others who are residents of the State of California (“consumers” or “you”). We adopt this Statement to comply with the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), and other applicable California privacy laws. Any terms defined in the CCPA or CPRA have the same meaning when used in this Statement.
Blue Oak Services LLC dba Prescriva is a California limited liability company. As a California-based business, we take our obligations under California privacy law seriously and are committed to transparency about our data practices.
II. Categories of Personal Information Collected
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Information”).
We have collected the following categories of Personal Information from California consumers within the preceding twelve (12) months:
- Category A: Identifiers. Name, email address, phone number, mailing address, date of birth, account username, IP address, cookie identifiers, and device identifiers. Collected: Yes
- Category B: Personal information under Cal. Civ. Code §1798.80(e). Name, address, telephone number, medical information, health insurance information, and financial information (payment card details processed via Stripe). Some information in this category may overlap with other categories. Collected: Yes
- Category C: Protected classification characteristics under California or federal law. Age, sex/gender, disability status, and medical conditions as provided during health assessments. Collected: Yes
- Category D: Commercial information. Records of products or services purchased, subscription history, payment information, and transaction records. Collected: Yes
- Category E: Biometric information. Health data, vital signs, and medical information provided during clinical intake and health assessments. Collected: Yes
- Category F: Internet or other electronic network activity. Browsing history on our Platform, search history, interactions with our website, device information, browser type, IP address, and cookie data. Collected: Yes
- Category G: Geolocation data. Approximate location based on IP address. We do not collect precise geolocation data (GPS coordinates). Collected: Yes (approximate only)
- Category H: Sensory data. Audio recordings from customer service calls, if applicable. Collected: Yes (limited)
- Category I: Professional or employment-related information. Occupation or job title, if voluntarily provided during health assessment intake. Collected: Yes (if provided)
- Category J: Non-public education information (per FERPA). Education records directly related to a student maintained by an educational institution. Collected: No
- Category K: Inferences drawn from other Personal Information. Inferences drawn from the above categories to create a profile reflecting health preferences, treatment suitability, and consumer preferences. Collected: Yes
III. Sources of Personal Information
We obtain the categories of Personal Information listed above from the following categories of sources:
- Directly from you: Information you provide when you create an account, complete a health assessment, make a purchase, communicate with us, or otherwise interact with our Platform
- Indirectly from you: Information collected automatically through cookies, web beacons, pixel tags, and similar technologies when you use our Platform, and from activity on our website during the course of providing services to you
- From third parties: Healthcare providers within our Provider Network (OpenLoop Health), compounding pharmacies, analytics providers, identity verification services, payment processors (Stripe), and other service providers who interact with us in connection with the services we perform
IV. Exclusions from Personal Information
Personal Information under the CCPA does not include:
- Information that is lawfully made available from federal, state, or local government records (“Publicly Available Information”)
- De-identified or aggregated consumer information (as defined in the CCPA)
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”), or clinical trial data
- Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), the California Financial Information Privacy Act (“FIPA”), and the Driver's Privacy Protection Act (“DPPA”)
V. Sensitive Personal Information
Under the CPRA, “sensitive personal information” includes certain categories of data that require additional protections. The following categories of sensitive personal information may be collected through our Services:
- Social Security number or government-issued identifiers (if required for identity verification)
- Financial account information with required security or access codes, passwords, or credentials allowing access to the account
- Racial or ethnic origin (if provided during health assessment)
- Health information, including data collected through health assessments, telehealth consultations, and treatment
- Genetic data (if provided for treatment purposes)
We use sensitive personal information only for the following purposes:
- Performing the healthcare-related services you have requested
- Ensuring the security and integrity of your personal information
- Performing services on behalf of our business
- Verifying or maintaining the quality and safety of our Services
We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Services, and we do not use sensitive personal information for cross-context behavioral advertising. You have the right to limit the use and disclosure of your sensitive personal information as described in Section VIII below.
VI. How We Use Personal Information
We may use or disclose the Personal Information we collect for one or more of the following business or commercial purposes:
- To fulfill or meet the reason for which the information was provided, including facilitating healthcare services and telehealth consultations
- To process transactions, fulfill medication orders, and manage subscriptions
- To provide customer support and technical assistance
- To communicate with you about your account, orders, services, and care-related notifications
- To improve our Platform and Services and to present content effectively
- For testing, research, analysis, and product development
- To detect, prevent, and respond to security incidents, fraud, and illegal activity
- To enforce our Terms and Conditions and other agreements
- To respond to regulatory and law enforcement requests as required by applicable law, court order, or governmental regulation
- As otherwise described to you when collecting your Personal Information or as set forth in the CCPA
We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
VIII. Your California Privacy Rights
As a California resident, you have the following rights under the CCPA/CPRA:
Right to Know and Data Portability
You have the right to request that we disclose certain information about our collection and use of your Personal Information. Once we receive and verify your request, we will disclose to you:
- The categories of Personal Information we collected about you
- The categories of sources from which we collected your Personal Information
- Our business or commercial purpose for collecting or selling that Personal Information
- The categories of third parties with whom we share that Personal Information
- The specific pieces of Personal Information we collected about you (a “data portability request”), if specifically requested
- If we sold or disclosed your Personal Information for a business purpose, two separate lists identifying: (a) the Personal Information categories that each category of recipient purchased (sales), and (b) the Personal Information categories that each category of recipient obtained (disclosures for a business purpose)
For data portability requests, we will provide your Personal Information in a format that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
Right to Delete
You have the right to request that we delete any Personal Information we have collected from you, and to direct our service providers to delete your Personal Information from their records, subject to certain exceptions.
We may deny your deletion request if retaining the information is necessary to:
- Complete the transaction for which the Personal Information was collected, provide a good or service you requested, take actions reasonably anticipated within our ongoing business relationship, or otherwise perform a contract with you
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities
- Debug products to identify and repair errors that impair existing intended functionality
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code §1546 et seq.)
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest when deletion may render the research impossible or seriously impair it, if you previously provided informed consent
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us
- Comply with a legal obligation
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it
Right to Correct
You have the right to request that we correct inaccurate Personal Information that we maintain about you. After we receive and verify your request, we will evaluate the requested correction considering the nature of the Personal Information and the purposes for which it was collected, and will disclose to you the actions taken pursuant to your request.
Right to Opt Out of Sale or Sharing
We do not sell your Personal Information and do not share it for cross-context behavioral advertising. If either practice changes, we will provide a conspicuous “Do Not Sell or Share My Personal Information” link on our Platform and update this Statement.
Right to Limit Use of Sensitive Personal Information
You have the right to request that we limit the use and disclosure of your sensitive personal information to only those uses necessary to perform the Services you request, subject to certain exceptions permitted by the CPRA for service performance, security, and quality verification.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties
- Provide you a different level or quality of goods or services
- Suggest that you may receive a different price, rate, level, or quality of goods or services
IX. Exercising Your Rights
To exercise any of the access, data portability, deletion, correction, or other rights described above, please submit a verifiable consumer request to us by:
- Email: help@prescriva.com
- Website: prescriva.com
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. If you use an authorized agent, we may require: (a) proof that you have provided the agent written permission to submit the request, and (b) that the agent verify their own identity directly with us.
You may make a verifiable consumer request for access or data portability no more than twice within a twelve (12) month period.
The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information, or that you are an authorized representative
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. Personal Information provided in a verifiable consumer request will only be used to verify the requestor's identity and/or authority to make the request.
Response Timing and Format
We will respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to an additional 45 days, for a maximum of 90 days total), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the twelve (12) month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will provide you with a cost estimate and rationale before completing your request. We also reserve the right to deny excessive, repetitive, or manifestly unfounded requests.
X. HIPAA-Protected Information
Certain health information collected through our Platform may be protected under the Health Insurance Portability and Accountability Act (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”). To the extent that any Personal Information is subject to HIPAA or CMIA, it is exempt from the CCPA/CPRA.
Your rights regarding HIPAA-protected health information are described in our Notice of Privacy Practices. If you have questions about which privacy rights apply to your specific information, please contact us at help@prescriva.com.
XI. Changes to This Statement
We reserve the right to amend this Privacy Statement for California Residents at any time and at our discretion. When we make changes, we will post the updated Statement on our Platform, update the “Last Updated” date at the top of this page, and may notify you via email or a prominent notice on the Platform. Your continued use of the Services after any changes constitutes your acceptance of the revised Statement.
XII. Contact Information
If you have any questions or comments about this Statement, our Privacy Policy, the ways in which we collect and use your Personal Information, your choices and rights regarding such use, or wish to exercise your rights under California law, please contact us:
- Email: help@prescriva.com
- Website: prescriva.com
- Entity: Blue Oak Services LLC dba Prescriva