Privacy Policy
Last updated: March 15, 2026
This Privacy Policy describes how Rebirthealth Inc. collects, uses, and protects your personal information. We are committed to transparency and ensuring you understand how your data is handled.
1. Introduction
Rebirthealth Inc. ("Rebirthealth," "we," "us," or "our") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.
This policy applies to all information collected through our platform (rebirthealth.com), mobile applications, and any related services, sales, marketing, or events (collectively, the "Services").
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use our Services.
2. Data Collection
We collect personal information that you voluntarily provide to us when you register for an account, submit a case, apply as an advisor, or otherwise contact us. This includes:
- Account Information: Name, email address, phone number, password, and profile details.
- Health Information: Medical conditions, symptoms, treatment history, medical records, and health questionnaire responses that you voluntarily submit as part of a case.
- Financial Information: Payment method details processed securely through our PCI-compliant payment processors (PayPal, Stripe). We do not store your full credit card numbers.
- Communication Data: Messages exchanged through our platform, support tickets, and feedback.
- Advisor Credentials: Professional licenses, certifications, institutional affiliations, and verification documents submitted during the advisor application process.
We also automatically collect certain information when you visit our platform, including your IP address, browser type, operating system, referring URLs, device information, pages viewed, and interaction patterns. We use cookies and similar tracking technologies to collect this data.
3. How We Use Your Data
We use the information we collect for the following purposes:
- Service Delivery: To facilitate case matching, advisor bidding, peer review, and advisory services.
- Case De-identification: To generate anonymized case summaries for advisor review, stripping personally identifiable information while preserving medically relevant details.
- AI Matching: To power our AI-driven matching algorithms that connect patients with the most relevant advisors based on condition type, specialty alignment, and other factors.
- Payment Processing: To facilitate secure escrow transactions, milestone releases, and commission distributions.
- Communication: To send service updates, bidding notifications, milestone alerts, and support responses.
- Platform Improvement: To analyze usage patterns, identify issues, and improve our services.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
4. Data Storage & Security
Your data is stored on SOC 2 Type II certified cloud infrastructure with geographic redundancy. We implement the following security measures:
- Encryption: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
- Access Controls: Strict role-based access controls with multi-factor authentication for all administrative access.
- Audit Logging: Comprehensive audit trails for all data access and modifications.
- Regular Assessments: Quarterly security assessments and annual penetration testing by independent third parties.
- Data Isolation: Medical files and personal data are stored in isolated, encrypted containers.
- Backup & Recovery: Automated daily backups with tested disaster recovery procedures.
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law. Medical records associated with completed cases are retained for 7 years in accordance with healthcare record retention best practices.
5. Data Sharing & Third Parties
We share your information only in the following circumstances:
- With Advisors: De-identified case summaries are shared with matched advisors during the bidding process. Advisors never receive your real name, exact location, or other directly identifying information until you explicitly choose to share it.
- Payment Processors: Transaction details are shared with our PCI-compliant payment processors (PayPal) to facilitate payments.
- Peer Reviewers: Anonymized proposal content is shared with peer review advisors for scoring purposes.
- Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business Transfers: In connection with any merger, acquisition, or sale of assets, your data may be transferred as part of the business assets.
We do NOT sell your personal data to third parties. We do NOT share your medical information with insurance companies, employers, or any parties outside the platform ecosystem.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right to Access: You can request a copy of all personal data we hold about you.
- Right to Rectification: You can request correction of inaccurate or incomplete data.
- Right to Deletion: You can request deletion of your personal data ("right to be forgotten").
- Right to Data Portability: You can request your data in a structured, machine-readable format.
- Right to Restrict Processing: You can request that we limit how we use your data.
- Right to Object: You can object to processing of your data for certain purposes.
- Right to Withdraw Consent: You can withdraw consent at any time where we rely on consent to process your data.
To exercise any of these rights, contact us at privacy@rebirthealth.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
7. GDPR Compliance
For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process your personal data under the following legal bases:
- Contract Performance: Processing necessary to provide our Services to you (e.g., case matching, payment processing).
- Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, platform improvement, and security.
- Consent: Where you have given explicit consent (e.g., health data submission, marketing communications).
- Legal Obligation: Processing necessary to comply with legal requirements.
We have appointed a Data Protection Officer (DPO) who can be reached at dpo@rebirthealth.com. We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities. For cross-border data transfers, we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection.
9. Contact Us
If you have questions about this Privacy Policy or your personal data, or would like to exercise your rights, please contact us:
- Privacy Inquiries: privacy@rebirthealth.com
- Data Protection Officer: dpo@rebirthealth.com
- General Support: support@rebirthealth.com
- Mailing Address: Rebirthealth Inc., San Francisco, CA, USA
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
This Privacy Policy may be updated from time to time. We will post the updated policy on our website and update the "Last updated" date. For material changes, we will notify you via email or in-platform notification.
