Last Updated: March 27, 2025

AAVIA’S PRIVACY PRINCIPLES

At Aam Care, Inc. (dba Aavia) (“Aavia,” “we,” “us,” and “our”), we believe your body is your business. This should be the norm, not an exception.

We know privacy and security are important to you and that you are trusting us with intimate health information such as information about your body, menstrual cycle, birth control usage, and state of mind. We are committed to making Aavia the best platform to understand and optimize your health based on your hormone cycle. We will continue to be transparent about our privacy and security practices as we grow alongside our membership. As such, please carefully review our Privacy Principles and Privacy Notice below. We take your privacy seriously and want you to understand how we use, collect, share, or otherwise process your personal information, including your health information.

Please note that we may de-identify, aggregate, or anonymize your health information in such a way that it no longer identifies you. We may use and share this type of information for purposes we think will benefit our users, such as for research, to understand trends and habits, or to provide you with customized advice and offers. You can find more detailed information about ways in which we use, collect, and share personal information below. If you are interested in further details, please review our full Privacy Policy below.

At Aavia, we process your personal information according to our four core Privacy Principles:

1. AAVIA MEMBERS CONTROL THEIR PERSONAL INFORMATION

We believe you should be in control of your personal information. Consistent with this belief and our Privacy Notice:

• We will delete your personal information upon your written request (unless we are legally prohibited from doing so), including if requested when cancelling your membership.

We will provide you with access to your personal information upon your written request, including if requested when cancelling your membership.

• We will NOT share your health information with others unless it is necessary to run and improve our services or in a way that combines data from many users to offer helpful content and recommendations. For example, we may work with trusted brands to suggest products like tampons or iron supplements to groups of users with common hormonal symptoms. We will not share your individual health information with these brands.

• We will limit the sharing of your personal information, including your health information, to the extent possible. For instance, we will only share your personal information with law enforcement if we are legally required to do it, but we will first exhaust all legal remedies available to fight law enforcement requests regarding your personal information before responding to them.

2. AAVIA DOES NOT PROFIT FROM YOUR INDIVIDUAL HEALTH INFORMATION

Our business model is to provide highly valuable product experiences and services to our members in exchange for membership fees. We do not sell your identifiable health information to advertising platforms or data brokers. Our priority is protecting your privacy while delivering the best possible experience. This is our promise.

3. AAVIA PROTECTS YOUR PERSONAL INFORMATION

We believe your personal information and health information should be protected from unauthorized access to the fullest extent possible. We continually evaluate our privacy and security practices to ensure that we treat your personal information and health information in compliance with applicable privacy laws and protect it against foreseeable security risks. To that end, we have implemented security measures to protect your personal information in line with the highest industry standards, including encrypting your personal information at rest on our hosted servers, limiting access to and sharing of your personal information, and working with outside privacy and security experts to assess the security of our tech, data storage and privacy and security practices and to implement their recommendations.

4. AAVIA MAY SHARE AGGREGATED OR DE-IDENTIFIED HEALTH INFORMATION TO CREATE BETTER EXPERIENCES FOR OUR MEMBERS

We may de-identify, aggregate, or anonymize your personal information, including your health information, in such a way that it no longer identifies you. We may use and share this type of information for purposes we think will benefit our users - for example to conduct research, identify trends, or suggest relevant products for hormonal health.

We believe we have a responsibility to continuously improve your experience by identifying and sharing cutting edge insights with you. We will always look to provide new content and product features, to improve and customize our services, and to develop thought leadership in the area of hormone health without identifying you.

For more details on how we collect, use and share your personal and health information, please review our full Privacy Notice below.

Last Updated: March 27, 2025

This Privacy Notice is designed to help you understand how we collect, use, and share your personal information and to help you understand and exercise your privacy rights.

Disclosure Regarding the Supplemental Consumer Health Data Privacy Notice. For information on our processing of “consumer health data” that is subject to the Washington My Health My Data Act or Nevada Senate Bill 370, please see Annex A – Supplemental Consumer Health Data Privacy Notice.

1. SCOPE

2. PERSONAL INFORMATION WE COLLECT

3. HOW WE USE YOUR PERSONAL INFORMATION

4. HOW WE DISCLOSE YOUR PERSONAL INFORMATION

5. YOUR PRIVACY CHOICES AND RIGHTS

6. INTERNATIONAL DATA TRANSFERS

7. RETENTION OF PERSONAL INFORMATION

8. SUPPLEMENTAL NOTICE FOR EU/UK GDPR

9. CHILDREN’S PERSONAL INFORMATION

10. OTHER PROVISIONS

11. CONTACT US

ANNEX A – SUPPLEMENTAL CONSUMER HEALTH DATA PRIVACY NOTICE

This Privacy Notice applies to your personal information processed by Aam Care, Inc. (dba Aavia) (“Aavia,” “we,” “us,” and “our”) in the course of our business, including as collected on our websites, mobile applications, and other online and offline offerings that link to this Privacy Notice (collectively, the “Services”).

The categories of personal information we collect depend on how you interact with us, our Services, and the requirements of applicable law. We collect information that you provide to us, information we obtain automatically when you use our Services, and information from other sources such as third-party services and organizations, as described below.

A. Information You Provide to Us Directly

We may collect the following personal information that you provide to us.

• Account Creation. When you create an Account, you can sign up using an email and username, anonymously (as described below), or through other options such as through Google or Apple. In addition, to access certain features of the Services, we may ask you to provide your address and other user profile information.

• Anonymous Aavia Accounts. If you create an anonymous account with Aavia, then Aavia will not collect your email or name or other technical identifiers associated with your account. However, when you choose to create an anonymous account, some features of the Services may not be available to you since they use personal information to function. For instance, you will not be able to receive any emails from us.

• Aavia for Partners. If you select the Aavia for Partners service, you will allow certain information from your Aavia account to be shared with your partner. You can stop sharing at any time. Your partner will have read-only access to the information that you share. This means that they cannot download or edit your information. Your partner cannot see or edit any calendar information created before you chose to share it with them, your personal notes, or your interaction with other features of the Aavia Services. If you are a partner receiving information from the main Aavia user, we will collect your phone number to text you updates about the main Aavia user that the user has chosen to share with you. If you are a partner, we will not collect any Health Information (as defined below) relating to you.

• Health Information Collected in Connection with Your Use of the Services. When you use the Services, we may collect personal information related to your health including, but not limited to, the brand of birth control pill prescribed to you, the time of day each pill is taken, the number and nature of pills in each pack or packet of birth control pills, the refill schedule of your prescription, any conditions or symptoms you choose to provide via the Services (for instance, PCOS), and information about your body and state of mind, such as your menstrual cycle and mood (collectively, your “Health Information”).

• Payment Transaction Information. If you make a purchase with Aavia, we or our third-party service provider will record the personal information and details associated with the transaction. For example, if you place an order through the Services or sign up for Aavia VIP, our third-party service provider will collect your billing and shipping address, phone number, and payment information. Please note that we use a third-party service provider to collect and process payment card information. Aavia does not directly collect or store any payment card information, but it may receive information associated with your payment card information (e.g., your billing details).

• Your Communications with Us. We may collect personal information, such as your email address, phone number, or mailing address when you request information about our Services, register for our newsletter or loyalty program, request customer or technical support, apply for a job, message our chatbot, or otherwise communicate with us.

• Surveys. We may contact you to participate in surveys. If you decide to participate, you may be asked to provide certain information which may include personal information.

• Interactive Features. We and others who use our Services may collect personal information that you submit or make available through our interactive features (e.g., our Community Forum, our messaging and chat features, commenting functionalities, forums, blogs, and social media pages). Any information you provide using the public sharing features of the Services (referred to herein as “User Content”), including any questions your ask or post you make in our Community Forum, will be considered “public,” unless otherwise required by applicable law, and is not subject to the privacy protections referenced herein. Please exercise caution before revealing any information that may identify you in the real world to other users.

• Sweepstakes or Contests. We may collect personal information you provide for any sweepstakes or contests that we offer. In some jurisdictions, we are required to publicly share information of sweepstakes and contest winners.

• Conferences, Trade Shows, and Other Events. We may collect personal information from individuals when we attend conferences, trade shows, and other events.

• Campus Brand Ambassadors Program. We may collect personal information from individuals who sign up to serve as our Campus Brand Ambassadors, including name, email, shipping address, phone number, birth date, graduation year, university name and/or picture. We may also collect names, emails, phone numbers, school names, graduation year and Health Information from individuals who choose to participate in our campus health sessions hosted by our Campus Brand Ambassadors.

• Business Development and Strategic Partnerships. We may collect personal information from individuals who are not our members and other third parties to assess and pursue potential business opportunities. We will not collect any Health Information for these purposes.

• Job Applications. We may post job openings and opportunities on our Services. If you reply to one of these postings by submitting your application, CV and/or cover letter to us, we will collect and use your information to assess your qualifications.

B. Information Collected Automatically

We may collect personal information, including Health Information, automatically when you use our Services:

• Automatic Data Collection. We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising and other unique identifiers, browser or device information, location information (including approximate location (country of location) derived from IP address), and Internet service provider. We may also automatically collect information regarding your use of our Services, such as pages that you visit before, during and after using our Services, information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our Services. In addition, we may collect information that other people provide about you when they use our Services, including information about you when they refer you to our services or tag you on social media.

The information we collect automatically when you use the smart pill case and related Services may also include Health Information such as your pill-taking habits and the number of pills remaining in the smart pill case.

• Location Information. We may collect your mobile device location information to help connect your mobile device to the smart pill case. We do not save this device location information.

• Cookies, Pixel Tags/Web Beacons, and Other Technologies. We, as well as third parties that provide content, advertising, or other functionality on our Services, may use cookies, pixel tags, local storage, and other technologies (“Technologies”) to automatically collect information through your use of our Services.

• Cookies. Cookies are small text files placed in device browsers that store preferences and facilitate and enhance your experience.

• Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in our Services that collects information about engagement on our Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.

Our uses of these Technologies fall into the following general categories:

• Operationally Necessary. This includes Technologies that allow you access to our Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity and improve security or that allow you to make use of our functionality;

• Performance-Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services (see Analytics below);

• Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past items viewed;

• Advertising- or Targeting-Related. We may use first party or third-party Technologies to deliver content, including ads relevant to your interests, on our Services or on third-party websites.

See the “Your Privacy Choices and Rights” section below to understand your choices regarding these Technologies.

• Analytics. We may use Technologies and other third-party tools to process analytics information on our Services. Some of our analytics partners include:

• Google Analytics. We use Google Analytics to analyze how users interact with our e-commerce website. This includes monitoring traffic, conversions, acquisition channels, and more key metrics. For more information, please visit Google Analytics' Privacy Notice. To learn more about how to opt-out of Google Analytics’ use of your information, please click here.

• Mixpanel. We analyze the usage of the Aavia mobile application by using the services of Mixpanel. Mixpanel uses the collected data to create reports about user behavior, which help us to provide a better product. We do not share your Health Information with Mixpanel. You can find Mixpanel’s Privacy Policy here. To disable the collection of your data by Mixpanel please send an email to support@aavia.io.

• Branch. We use Branch to help us understand how user referral links sent to friends are being used—like how many times a link is clicked or where it’s shared. This helps us improve your referral experience and make sure friends’ rewards are tracked accurately. Branch collects limited data such as device type and click behavior, but it does not collect or store your Health Information or any other personal information. To learn more about Branch’s privacy practices, please refer to Branch’s Privacy Policy here.

• Social Media Platforms. Our Services may contain social media buttons such as TikTok, Facebook, Instagram, and Twitter (that might include widgets such as the “share this” button or other interactive mini programs). These features may collect your IP address, which page you are visiting on our Services, and may set a cookie to enable the feature to function properly. Your interactions with these platforms are governed by the privacy policy of the company providing it.

C. Personal Information Collected from Other Sources

We may obtain personal information, including Health Information, about you from other sources, including through third-party services and organizations. For example, if you access our Services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect information about you from that third-party application that you have made available via your privacy settings.

We use your personal information, including Health Information, for a variety of business purposes, including to provide our Services, for administrative purposes, and to market our products and Services, as described below. However, we believe that your body is your business. This is why we put policies and procedures in place designed to limit the use of your Health Information only to provide you with the Services.

A. Provide Our Services or Products

We use your personal information, including Health Information, to fulfill our contract with you and provide you with our Services, such as:

• Managing your information and accounts;

• Providing access to certain areas, functionalities, and features of our Services;

• Answering requests for customer or technical support;

• Communicating with you about your account, activities on our Services, and policy changes;

• Processing your financial information and other payment methods for products or Services purchased;

• Processing applications if you apply for a job we post on our Services; and

• Managing and fulfilling orders.

B. Administrative Purposes

We use your personal information, including Health Information, for various administrative purposes, such as:

• Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;

• Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;

• Measuring interest and engagement in our Services;

• Short-term, transient use, such as contextual customization of ads;

• Improving, upgrading or enhancing our Services;

• Developing new products and Services;

• Ensuring internal quality control and safety;

• Authenticating and verifying individual identities, including requests to exercise your rights under this Notice;

• Debugging to identify and repair errors with our Services;

• Auditing relating to interactions, transactions and other compliance activities;

• Enforcing our agreements and policies; and

• Complying with our legal obligations.

C. Marketing and Advertising our Products and Services

We do not use any identifiable Health Information for advertising purposes. Your Health Information is yours. We may use your de-identified and/or aggregated Health Information, to tailor and provide you with content and advertisements from our brand partners. Aavia may use your de-identified Health Information on an aggregated basis to give you targeted recommendations based on your hormonal insights and provide you with customized content or offers in the Aavia mobile application. We will not share your identifiable Health Information with our brand partners or with any third-party advertisers.

Some of the ways we market to you include email campaigns and custom audiences advertising, and “interest-based” or “personalized advertising,” including through cross-device tracking.

If you have any questions about our marketing practices or if you would like to opt out of the use of your personal information for marketing purposes, you may contact us at any time as set forth in the “Contact Us” section below.

D. Other Purposes

We also use your personal information, including your Health Information, for other purposes as requested by you or as permitted by applicable law.

• Consent. We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.

• De-identified and Aggregated Information. We may use personal information and other information about you to create de-identified and/or aggregated information, such as de-identified Health Information, demographic information, information about the device from which you access our Services, or other analyses we create. This de-identified and aggregated information will not identify you and may be used for marketing and advertising purposes, and/or for research purposes.

• Share Content with Friends or Colleagues. Our Services may offer various tools and functionalities. For example, we may allow you to provide information about your friends through our referral services or through our Brand Ambassador Program. Our referral services may allow you to forward or share certain content with a friend or colleague, such as an email inviting your friend to use our Services. When you click on a referral link, our service provider Branch will allow us to track that you clicked on the link to join Aavia. Please only share with us contact information of people with whom you have a relationship (e.g., relative, friend, neighbor, or co-worker).

We disclose your personal information to third parties for a variety of business purposes, including to provide our Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below.

1. Disclosures to Provide Our Services

The categories of third parties with whom we may share your personal information are described below.

• Service Providers. We may share your personal information, including your Health Information, with our third-party service providers who use that information to help us provide our Services. This includes service providers that provide us with IT support, hosting, payment processing, customer support service, and related services. In addition, personal information and customer chat communications may be disclosed to service providers that help provide our customer chat features.

• Brand Partners. We may share your de-identified and aggregated Health Information with our brand partners to provide you with recommendations thoughtfully curated by Aavia to support your hormonal health. Importantly, we do not share any individually identifiable Health Information with our partners. For example, Aavia may choose to present an offer from a vitamin brand partner to a group of members experiencing heavy menstruation. However, this offer will come directly from Aavia - not the partner - and the partner will not have access to your personal Health Information.

• Business Partners. We may share your aggregated and anonymized information with business partners who offer products or services via the Services. We do not share your identifiable Health Information with our business partners.

• Affiliates. We may share your personal information, including your Health Information, with our company affiliates.

• APIs/SDKs. We may use third-party Application Program Interfaces (“APIs”) and Software Development Kits (“SDKs”) as part of the functionality of our Services. Specifically, we use the OneSignal SDK to help us target the mobile application notifications we send you. Please refer to the OneSignal privacy policy for more information about the personal information OneSignal collects from you. For more information about our use of other APIs and SDKs, please contact us as set forth in the “Contact Us” section below.

• Aavia AI. If you are a premium Aavia VIP member, you will receive AI-powered hormonal insights and recommendations. To provide you with these insights and recommendations, we will need to share your logged information with the AI service providers providing the generative AI model for the tool.

B. Disclosures to Protect Us or Others

We may access, preserve, and disclose any personal information, including Health Information, we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity. We will exhaust all legal remedies available to fight law enforcement requests regarding your personal information before responding to them.

C. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your personal information, including your Health Information, may be sold or transferred as part of such a transaction, as permitted by law and/or contract.

Your Privacy Choices. The privacy choices you may have about your personal information, including Health Information, are determined by applicable law and are described below.

• Email and Telephone Communications. If you receive an unwanted promotional email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding our Services or updates to our Terms or this Privacy Notice).

We process requests to be placed on do-not-mail, do-not-phone, and do-not-contact lists as required by applicable law.

• Text Messages. You may opt out of receiving promotional text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us.

• Mobile Devices. We may send you push notifications through our mobile application. You may opt out from receiving these push notifications by changing the settings on your mobile device. With your consent, we may also collect approximate location-based information about your mobile device via our mobile application to help connect your mobile device to the smart pill case. You may opt out of this collection by changing the settings on your mobile device.

• “Do Not Track.” Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

• Cookies and Interest-Based Advertising. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, our Services may not work properly. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android, iOS and others.

The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy by visiting the Network Advertising Initiative, the Digital Advertising Alliance, the European Digital Advertising Alliance, and the Digital Advertising Alliance of Canada.

Please note you must separately opt out in each browser and on each device.

• Access Personal Information about you, including: (i) confirming whether we are processing your personal information; (ii) obtaining access to or a copy of your personal information; and (iii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company (the “right of data portability”);

• Request Correction of your personal information where it is inaccurate or incomplete. In some cases, we may provide self-service tools that enable you to update your personal information;

• Request Deletion of your personal information;

• Request Restriction of or Object to our processing of your personal information; and

• Withdraw your Consent to our processing of your personal information. Please note that your withdrawal will only take effect for future processing and will not affect the lawfulness of processing before the withdrawal.

If you would like to exercise any of these rights, please contact us as set forth in the “Contact Us” section below. We will process such requests in accordance with applicable laws.

Only you, or someone legally authorized to act on your behalf in certain jurisdictions, may make a request to exercise the rights listed above regarding your personal information. If your personal information is subject to a law that allows an authorized agent to act on your behalf in exercising your privacy rights and you wish to designate an authorized agent, please provide written authorization signed by you and your designated agent using the information found in the “Contact Us” section below and ask us for additional instructions.

To protect your privacy, we will take steps to verify your identity before fulfilling requests submitted under applicable privacy laws. These steps may involve asking you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Examples of our verification process may include asking you to confirm the email address we have associated with you.

All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. We endeavor to safeguard your information consistent with the requirements of applicable laws. These countries may or may not have adequate data protection laws as defined by the data protection authority in your country.

If we transfer personal information from the European Economic Area, Switzerland, and/or the United Kingdom to a country that does not provide an adequate level of protection under applicable data protection laws, one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses.

For more information about the safeguards we use for international transfers of your personal information, please see the “Contact Us” section.

We store the personal information we collect as described in this Privacy Notice for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

This Supplemental Notice for EU/UK GDPR only applies to our processing of personal information that is subject to the EU or UK General Data Protection Regulation.

In some cases, providing personal information may be a requirement under applicable law, a contractual requirement, or a requirement necessary to enter into a contract. If you choose not to provide personal information in cases where it is required, we will inform you of the consequences at the time of your refusal to provide the personal information.

Aavia’s processing of your personal information may be supported by one or more of the following lawful bases:

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 years old. If you learn that anyone under 13 is using the Services, you may contact us as set forth in the “Contact Us” section below and we will promptly take steps to delete such information and/or delete her account.

Third-Party Websites/Applications. The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.

Changes to Our Privacy Notice. We may revise this Privacy Notice from time to time at our sole discretion. If there are any material changes to this Privacy Notice, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Notice if you continue to use our Services after the new Privacy Notice takes effect.

If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at:

228 Park Ave S

PMB 60414

New York, NY 10003

(332) 239-1002

support@aavia.io

 

This Supplemental Consumer Health Data Privacy Notice (“Consumer Health Data Privacy Notice”) supplements the Aavia Privacy Notice.

This Consumer Health Data Privacy Notice only applies to personal information that we process that is “consumer health data” subject to the Washington My Health My Data Act (“MHMDA”) or Nevada Senate Bill 370 (“NV SB 370”) (as applicable).

Terms used in this Consumer Health Data Privacy Notice that are defined in MHMDA or NV SB 370 will have the meaning set forth in those laws to the extent such laws are applicable.

I. CONSUMER HEALTH DATA WE COLLECT

Under the MHMDA, “consumer health data” is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.”

Under NV SB 370, “consumer health data” is defined as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.”

Because consumer health data is defined very broadly, many of the categories of personal information that we collect under our Privacy Notice may also be considered consumer health data.

Examples of consumer health data that you may provide to us, or that we may otherwise collect, may include:

• Information that could identify your attempt to seek health care services or information, including services that allow you to assess, measure, improve, or learn about your or another person’s health.

• Information about your health-related conditions, symptoms, status, diagnoses, disease, testing, treatments, or medication.

• Information about social, psychological, behavioral, and medical interventions.

• Information about use or purchase of prescribed medication.

• Information about measurements of bodily functions, vital signs, symptoms, or characteristics.

• Information about surgeries or other health-related procedures.

• Reproductive or sexual health information.

• Biometric information.

• Other information that may be used to infer or derive data related to the above or other consumer health data.

1. SOURCES OF CONSUMER HEALTH DATA

We collect consumer health data that you provide to us, consumer health data we collect automatically when you use the Services, and consumer health data from third-party sources, as described in our Privacy Notice and below.

2. WHY WE COLLECT AND USE CONSUMER HEALTH DATA

We collect and use consumer health data for the purposes and in the manner described in the “Personal Information We Collect” and the “How We Use Your Personal Information” sections of the Privacy Notice.

Primarily, we collect and use consumer health data as reasonably necessary to provide you with the products or Services you have requested or authorized. This may include delivering and operating the products or Services and their features, personalization of certain product or Services features, ensuring the secure and reliable operation of the products or Services and the systems that support them, troubleshooting and improving the products and Services, and other essential business operations that support the provision of the products and Services (such as analyzing our performance and meeting our legal obligations).

We may also use consumer health data for other purposes for which we give you choices and/or obtain your consent as required by law.

3. SHARING OF CONSUMER HEALTH DATA

We may share each of the categories of consumer health data described above for the purposes described above and in the “How We Use Your Personal Information” section of the Privacy Notice.

In particular, we may share consumer health data, with your consent or as reasonably necessary to complete any transaction or provide any product or Service you have requested or authorized, as described above.

4. THIRD PARTIES WITH WHICH WE SHARE CONSUMER HEALTH DATA

We may share consumer health data with the categories of third parties listed in the “How We Disclose Your Personal Information” section of the Privacy Notice.

5. HOW TO EXERCISE YOUR RIGHTS

MHMDA and NV SB 370 provide consumers with certain rights with respect to consumer health data.

Under MHMDA, consumers have the right to: (i) confirm whether Aavia is collecting, sharing, or selling consumer health data and to access such data; (ii) withdraw consent from Aavia’s collection and sharing of consumer health data; and (iii) request that Aavia delete consumer health data.

Under NV SB 370, consumers have the right to: (i) confirm whether Aavia is collecting, sharing or selling consumer health data; (ii) have Aavia provide the consumer with a list of all third parties with whom Aavia has shared consumer health data relating to the consumer or to whom Aavia has sold such consumer health data; (iii) request that Aavia cease collecting, sharing, or selling consumer health data relating to the consumer; and (iv) request that Aavia delete consumer health data.

The rights afforded to consumers under MHMDA and NV SB 370 are subject to certain exceptions.

You can request to exercise such rights by following the instructions found under the “Your Privacy Rights” section of the Privacy Notice.

If your request to exercise a right under MHMDA or NV SB 370 is denied, you may appeal that decision by contacting us at: support@aavia.io.

If your appeal is unsuccessful and your consumer health data is subject to MHMDA, you can raise a concern or lodge a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint.

6. DISCLOSURE REGARDING THIRD PARTY COLLECTION OF CONSUMER HEALTH DATA UNDER NV SB 370

This section only applies to our processing of consumer health data that is subject to NV SB 370.

We do not allow third parties to collect consumer health data over time and across different internet websites or online services when the consumer uses any Internet website or online service of Aavia.

Nonetheless, please note that third parties may still be able to collect consumer health data from you over time and across different websites depending on your browser, browser add-ons, and associated permissions you set on your device.

This collection of consumer health data by those third parties is unrelated to Aavia’s collection of consumer health data from you, and we encourage you to view those third parties’ privacy notices for more information about their processing of consumer health data and the methods they provide to allow you to opt out of such processing.

7. UPDATES TO THIS CONSUMER HEALTH DATA PRIVACY NOTICE

We may update this Consumer Health Data Privacy Notice from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Consumer Health Data Privacy Notice on our website, and/or we may also send other communications.