Privacy & HIPAA

1.Introduction

This Privacy Policy ("Policy") explains how FigID Health, Inc., a Delaware corporation ("FigID," "we," "us," or "our"), collects, uses, discloses, and protects personal information in connection with our website located at fig.id, our mobile application, and our related products and services (collectively, the "Services"). By accessing or using the Services, you agree to the practices described in this Policy.

This Policy applies to information we collect online through the Services. It does not apply to information collected by third parties that are not under our control, except as described below. Additional notices may apply to specific features or jurisdictions; where they do, they are referenced by name in the relevant section.

2.Information We Collect

We collect personal information in three ways: (a) directly from you, (b) automatically as you interact with the Services, and (c) from service providers that help us operate the Services.

Information you provide.

• Waitlist form. Your email address, so we can notify you when FigID becomes available to you.
• Ambassador application form. First name, email address, school, year in school, campus involvement, and the written responses you submit.
• Direct communications. Anything you send us by email or through other channels we make available.
• Future clinical features. Once the FigID Health Pass launches, we will collect additional identifiers and authorizations required to retrieve your clinical test results on your behalf. See Section 12 for how Protected Health Information ("PHI") will be handled under HIPAA.

Information we collect automatically. When you visit the Site, we and our service providers collect technical information including IP address, browser type and version, device type and operating system, pages viewed, referring URL, and the date and time of each visit. This information is collected through cookies, web beacons, server logs, and similar technologies, as described in Section 5.

Information from third parties. We receive information from the service providers that operate the Services and process form submissions. We do not purchase personal information from data brokers.

3.How We Use Your Personal Information

We use the personal information we collect for the following purposes:

• Operate the Services. Provide and maintain the Site and its features, respond to inquiries, and evaluate ambassador applications.
• Communicate with you. Send transactional and informational messages about FigID, including pre-launch updates to waitlist subscribers and follow-up correspondence to ambassador applicants.
• Analytics and improvement. Understand how visitors use the Site and improve its performance, content, and reliability.
• Security and integrity. Detect, prevent, and respond to fraud, spam, abuse, security incidents, and violations of our Terms of Service.
• Legal and compliance. Comply with applicable law, regulations, and lawful requests from government authorities.

We do not use personal information for advertising, for marketing products unrelated to FigID, or for automated decision-making that produces legal or similarly significant effects about you.

4.Disclosure of Your Information

We do not sell, rent, or license personal information to third parties for their own marketing purposes. We have not sold or shared personal information for cross-context behavioral advertising in the preceding twelve (12) months.

We disclose personal information only in the following limited circumstances:

• Service providers. We share information with vendors that process data on our behalf under contractual obligations of confidentiality and purpose limitation. The categories of service providers we use include:
  • A productivity-suite provider that stores waitlist and ambassador-application submissions we receive through the Site;
  • A product-analytics provider that measures site usage;
  • A web-hosting provider that delivers the Site and retains standard request logs;
  • A content-delivery network that serves web fonts used by the Site.
  Each provider receives only the categories of information necessary to perform its function, and is prohibited from using that information for any purpose other than providing services to us.
• Business associates. Once the FigID Health Pass launches, a HIPAA-compliant technology partner will retrieve, store, and process clinical test results on our behalf under a Business Associate Agreement as required by HIPAA. See Section 12.
• Legal and safety. We may disclose information to comply with applicable law, to respond to valid legal process, to enforce our Terms, or to protect the rights, property, or safety of FigID, our users, or others.
• Business transfers. In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred to the successor entity, subject to this Policy.

5.Our Use of Tracking Technology

We and our service providers use cookies and similar technologies to operate the Site, measure its usage, and remember your preferences.

• Strictly necessary cookies. Required to operate the Site (for example, remembering that you have dismissed a notice). These cannot be disabled while the Site is in use.
• Analytics cookies. Set by our product-analytics provider to associate your activity on the Site — pageviews, button clicks, modal opens, and form submissions — with an anonymous identifier scoped to the .fig.id domain. Analytics cookies do not track you across other websites and are not shared with advertisers.

We do not use third-party advertising cookies or participate in cross-site behavioral advertising.

6.Your Rights and Privacy Choices

Subject to applicable law and verification of your identity, you have the right to:

• Request access to the personal information we hold about you;
• Request correction of inaccurate or incomplete personal information;
• Request deletion of your personal information;
• Request a portable copy of your personal information;
• Opt out of marketing or informational emails at any time using the unsubscribe link in each message or by contacting us.

To exercise any of these rights, email us at hello@fig.id. We will respond within the timeframe required by applicable law and will not discriminate against you for exercising a right.

Additional rights may be available to residents of specific U.S. states. See Section 11.

7.Our Retention of Your Information

We retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, to comply with our legal, accounting, or reporting obligations, or to resolve disputes and enforce our agreements. When personal information is no longer needed, we delete or anonymize it. You may request earlier deletion as described in Section 6, subject to our legal right to retain certain records.

8.Our Protection of Your Information

We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, and vetted infrastructure providers. Data we process today is stored in the United States. No system can be guaranteed to be fully secure, and we do not warrant that unauthorized access, loss, alteration, or disclosure will not occur. If we experience a security incident that affects your personal information, we will notify you as required by applicable law.

9.Children

The Services are directed to adults. We do not knowingly collect personal information from individuals under the age of 18, and the Services are not intended for children under 13. If you believe we have collected personal information from someone under 18, please contact us at hello@fig.id and we will promptly delete it.

10.Do Not Track Features

The Site honors the "Do Not Track" (DNT) signal sent by your browser. When DNT is enabled, analytics capture is suppressed for your session and no analytics identifier is set. You may additionally opt out at any time by contacting hello@fig.id; on request we will remove any existing analytics profile associated with you.

11.Notices for U.S. State Residents

Depending on where you reside, you may have additional rights under state privacy laws, including the California Consumer Privacy Act ("CCPA"), Colorado Privacy Act, Connecticut Data Privacy Act, and Virginia Consumer Data Protection Act. These rights may include the right to know the categories and specific pieces of personal information we collect, the right to correct inaccurate information, the right to delete personal information, the right to opt out of the "sale" or "sharing" of personal information, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising any of these rights.

As described in Section 4, FigID does not sell or share personal information for cross-context behavioral advertising. To exercise any state-law right available to you, email hello@fig.id, identify the right you are asserting, and provide sufficient information for us to verify your identity. Authorized agents may submit a request on your behalf with written authorization.

12.HIPAA and Protected Health Information

The Services currently offered — the waitlist form and the ambassador application — do not collect Protected Health Information. This Section describes how PHI will be handled once the FigID Health Pass launches.

Our commitments regarding PHI:

• Authorized disclosure only. No party will view your PHI unless you have explicitly authorized the disclosure through a share link you create or another action you take within the Services.
• Encryption. PHI will be encrypted in transit and at rest.
• Access limitation. Only authorized personnel bound by HIPAA obligations will have access to PHI, and only to the minimum extent necessary to operate the Services.
• No sale of PHI. We will not sell PHI to advertisers, insurers, employers, or any other party.
• Purpose limitation. We will not use PHI for any purpose beyond what is necessary to provide the Services to you.
• Breach notification. We will provide notice of any breach affecting your PHI in accordance with HIPAA's Breach Notification Rule.

A full Notice of Privacy Practices describing your specific rights under HIPAA — including rights to access, amend, request restrictions on, and receive an accounting of disclosures of your PHI — will be published before the features that handle PHI become available.

13.Updates to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes — including changes that expand the categories of information we collect or the purposes for which we use it — we will provide notice by posting a revised Policy on the Site and, where appropriate, by email. The "Last updated" date above reflects the date of the most recent revision. Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Policy.

14.Contacting Us

If you have any questions, concerns, or requests regarding this Policy or your personal information, please contact us at hello@fig.id.

Written correspondence and legal notices may be sent to:

FigID Health, Inc.
c/o Registered Agents Inc. (Attn: David Roberts)
7901 4th St N, STE 300
St. Petersburg, FL 33702
USA