Privacy Policy
Last updated: May 11, 2026
This Privacy Policy describes how Rebirthealth Inc. collects, uses, and protects your personal information. We comply with both the GDPR and China's Personal Information Protection Law (PIPL) to ensure data rights are protected for all users globally.
1. Introduction
Rebirthealth Inc. ("Rebirthealth," "we," "us," or "our") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.
This policy applies to all information collected through our platform (rebirthealth.com), mobile applications, and any related services (collectively, the "Services"). Our Services connect individuals seeking health advisory opinions with qualified advisors through a structured, tiered matching system.
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use our Services.
We comply with applicable data protection laws including the General Data Protection Regulation (GDPR) for users in the European Economic Area, and the Personal Information Protection Law of the People's Republic of China (PIPL) for users in China.
2. Personal Information Processor
The personal information processor (data controller) responsible for your data is:
Rebirthealth Inc.
San Francisco, CA, United States
Email: privacy@rebirthealth.com
For users located in the People's Republic of China, our designated representative for personal information protection matters can be contacted at:
Email: privacy@rebirthealth.com
Phone: Available upon request via the above email
For users in the European Economic Area, our Data Protection Officer (DPO) can be reached at:
Email: dpo@rebirthealth.com
3. Legal Basis for Processing
We process your personal information based on the following legal grounds:
- Consent: When you voluntarily submit health information, register an account, or opt into specific features. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Contract Performance: Processing necessary to provide our Services, including account management, case matching, advisor communication, and payment processing.
- Legitimate Interests (GDPR): Processing necessary for platform security, fraud prevention, service improvement, and analytics.
- Legal Obligation: Processing required to comply with applicable laws and regulations.
For users in China (PIPL): We primarily rely on your informed consent and contract performance as the legal basis for processing your personal information. Before collecting sensitive personal information (such as health data), we will obtain your separate consent as required by PIPL Article 29.
4. Data Collection
We collect personal information that you voluntarily provide to us when you register for an account, submit a case, apply as an advisor, or otherwise interact with our platform. This includes:
- Account Information: Email address, phone number, encrypted password, and profile details (display name, avatar, preferred language).
- Health Information: Medical conditions, symptoms, treatment history, and health-related descriptions that you voluntarily provide as part of a case submission. This is classified as sensitive personal information.
- Financial Information: Payment details are processed securely through our third-party payment processors (WeChat Pay, Alipay, PayPal). We do not store your full payment credentials on our servers.
- Communication Data: Messages exchanged within interaction pools, advisor proposals, and support communications.
- Advisor Credentials: Professional licenses, certifications, evidence files, institutional affiliations, and verification documents submitted during the advisor application and verification process.
We also automatically collect certain information when you access our platform:
- IP address and approximate geolocation
- Device type, operating system, and browser information
- Pages viewed, interaction patterns, and session duration
- Cookies and similar tracking identifiers
- Referral source and search terms
5. How We Use Your Data
We use the information we collect for the following purposes:
- Task Matching & Advisor Visibility: Based on the service tier you select, your de-identified case information is made visible to a specific number of advisors (e.g., 50, 200, 1000, or all advisors on the platform). Higher tiers provide broader visibility to increase the likelihood of finding specialized expertise.
- AI Analysis: For service tiers that include AI-powered analysis, we use your case information to generate structured reports and insights. AI processing is conducted on secured infrastructure with strict access controls.
- Interaction Pool Communications: To facilitate structured communication between you and advisors who have been matched to your case, within a controlled interaction environment.
- Peer Scoring System: To enable anonymous, aggregated quality scoring of advisor proposals by peer advisors. Individual scores are never attributed to specific reviewers.
- Payment Processing: To facilitate secure transactions through WeChat Pay, Alipay, or PayPal based on your selected payment method.
- Platform Improvement: To analyze aggregate usage patterns, optimize matching algorithms, improve service quality, and develop new features.
- Communication: To send service notifications, case updates, and support responses.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
6. Data Sharing
We share your information only in the following circumstances:
- With Advisors (De-identified): Based on your selected service tier, de-identified case information is shared with a limited number of advisors (50, 200, 1000, or all). Advisors receive case descriptions with personally identifiable information removed. They do not receive your real name, precise location, or other directly identifying details unless you explicitly choose to share them.
- Interaction Pool Participants: Once you enter an interaction pool with selected advisors, all participating advisors in that pool can see messages exchanged within it. This is necessary for collaborative advisory services.
- Peer Scoring: Anonymized proposal content is shared with peer review advisors for quality scoring. No individual attribution is made — scores are aggregated and reviewers remain anonymous to all parties.
- Payment Processors: Transaction data is shared with WeChat Pay, Alipay, or PayPal as necessary to process your payments. These processors operate under their own privacy policies.
- Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request in any applicable jurisdiction.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred as part of the business assets, subject to the same privacy protections.
We do NOT sell your personal data to any third party. We do NOT share your health information with insurance companies, employers, or any parties outside the platform ecosystem.
7. Cross-Border Data Transfer
Our Services operate globally, and your personal information may be transferred to, stored, and processed in countries other than your country of residence, including the United States and other jurisdictions where our servers and service providers are located.
For users in China: In accordance with PIPL requirements, we inform you that your personal information may be transferred outside the People's Republic of China for the purposes of providing our Services. We take the following measures to protect your data during cross-border transfers:
- We conduct personal information protection impact assessments before any cross-border transfer.
- We ensure the overseas recipient meets the personal information protection standards required by Chinese law.
- We obtain your separate consent for cross-border data transfers as required.
- We implement contractual and technical measures to ensure the overseas recipient provides a level of protection not lower than that required by PIPL.
For users in the EEA: We use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection for cross-border data transfers outside the EEA.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by applicable law. Specific retention periods are as follows:
- Account Information: Retained for the duration of your account, plus 30 days after account deletion to allow for recovery.
- Case Data & Health Information: Retained for 3 years after case completion for service quality and legal compliance purposes. You may request earlier deletion.
- Communication Records (Interaction Pool): Retained for 2 years after the associated case is completed.
- Payment Records: Retained for 7 years as required by financial regulations.
- Advisor Credential Documents: Retained for the duration of the advisor's active status, plus 3 years after deactivation.
- Automatically Collected Data (logs, analytics): Retained for 1 year.
- Cookies: Session cookies expire when you close your browser; persistent cookies expire within 12 months.
When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you.
9. Data Security
We implement comprehensive security measures to protect your personal information:
- Encryption at Rest: All stored data is encrypted using AES-256 encryption.
- Encryption in Transit: All data transmitted between your device and our servers is protected by TLS 1.3.
- Role-Based Access Control (RBAC): Strict access controls ensure that only authorized personnel can access specific categories of data based on their role and necessity.
- Data Isolation: Each case is logically isolated — advisors can only access cases they are matched to, and case data is segregated between different users and advisors.
- Audit Logging: Comprehensive audit trails record all access to personal data.
- Regular Security Assessments: Periodic vulnerability assessments and security reviews.
- Secure Development Practices: Code review, dependency scanning, and security testing in our development lifecycle.
While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to implementing industry-standard protections.
10. Your Rights
Depending on your location and applicable law, you have the following rights regarding your personal information:
Rights under both GDPR and PIPL:
- Right to Access: Request a copy of the personal information we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete personal information.
- Right to Deletion: Request deletion of your personal information when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
- Right to Data Portability: Request your personal information in a structured, commonly used, machine-readable format, or request transfer to another processor.
- Right to Withdraw Consent: Withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
- Right to Restrict/Object to Processing: Request that we limit or cease processing your data for certain purposes.
Additional rights under PIPL (for users in China):
- Right to Explanation: Request an explanation of the rules governing the processing of your personal information.
- Right to Refuse Automated Decision-Making: Object to decisions made solely through automated processing (including AI analysis) that significantly affect your rights, and request human review.
- Right to Request Deletion in Specific Circumstances: If we process your information beyond the agreed purpose, or if the processing purpose has been achieved or is no longer achievable.
Additional rights under GDPR (for users in the EEA):
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority.
- Right to Object to Profiling: Object to automated decision-making and profiling that produces legal or similarly significant effects.
To exercise any of these rights, contact us at privacy@rebirthealth.com. We will respond within 15 business days (PIPL) or 30 days (GDPR). We may verify your identity before processing your request.
11. AI & Automated Processing
Certain service tiers include AI-powered analysis of your case information. This section explains how automated processing works on our platform:
- Purpose: AI analysis is used to generate structured health advisory reports based on the case information you provide. It does not make medical decisions or diagnoses.
- Scope: AI processing only applies to service tiers that explicitly include this feature. You are informed before purchase which tiers include AI analysis.
- Human Oversight: AI-generated reports are provided as supplementary information alongside human advisor opinions. They do not replace professional judgment.
- Your Right to Object: You have the right to request human review of any AI-generated output, or to opt out of AI processing entirely by selecting a service tier that does not include it.
We do not use your personal information for automated decision-making that produces legal effects or similarly significant effects on you without appropriate safeguards and your right to contest such decisions.
13. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If a parent or guardian submits a case on behalf of a minor, the parent or guardian is the data subject for the purposes of this policy.
In accordance with PIPL Article 31, if we become aware that we have collected personal information from a person under the age of 14 without verifiable parental consent, we will take steps to delete such information promptly.
14. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will post the updated policy on our website and update the "Last updated" date.
- For significant changes that affect how we process your data, we will notify you via email or prominent in-platform notification at least 14 days before the changes take effect.
- Where required by applicable law (including PIPL), we will obtain your renewed consent for material changes to how we process your personal information.
We encourage you to review this policy periodically to stay informed about how we protect your data.
15. Contact Us
If you have questions about this Privacy Policy or your personal data, or would like to exercise your data rights, please contact us through the following channels:
- Privacy Inquiries: privacy@rebirthealth.com
- Data Protection Officer (EEA users): dpo@rebirthealth.com
- General Support: support@rebirthealth.com
- Personal Information Protection Contact (China users): privacy@rebirthealth.com
- Mailing Address: Rebirthealth Inc., San Francisco, CA, United States
Response Times:
- PIPL requests (China users): Within 15 business days
- GDPR requests (EEA users): Within 30 calendar days
- General inquiries: Within 5 business days
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
- EEA users: Your local data protection authority
- China users: The Cyberspace Administration of China or other competent authorities
This Privacy Policy may be updated from time to time. For material changes, we will notify you via email or in-platform notification at least 14 days before the changes take effect. Where required by applicable law, we will obtain your renewed consent.
