Privacy Policy
Last Updated: February 22, 2026
1. Overview and key principles
Sound City Ventures, LLC ("Sound City Ventures," "we," "our," or "us") operates the Veritell application (which may also be known as "Veritell Care") and related services (collectively, the "Service"). This Privacy Policy explains how we handle information about you and your health when you use the Service, whether as an individual patient or as a caregiver or patient advocate managing someone else's information. References to "Veritell" in this Privacy Policy include Veritell Care and any successor names under which the Service is offered.
2. What this policy covers
This Privacy Policy applies to information we handle in connection with the Veritell application and any associated services we provide directly. It does not apply to:
- Your healthcare providers (hospitals, clinics, doctors), the MyChart portal, or any other patient portals, which have their own privacy policies and legal obligations;
- Third-party services that you access through links or integrations from the Service.
You should review the privacy policies of your Providers and any portals you connect to Veritell to understand how they handle your information.
3. Types of information we handle
Because Veritell is designed as a patient-hosted application with local storage, it is helpful to distinguish between:
- "Personal Data" – information that identifies or can reasonably be linked to you as an individual (such as your name or email address); and
- "Health Data" – information about your physical or mental health, medical history, test results, diagnoses, or care, including data that may be considered Protected Health Information ("PHI") under U.S. law.
3.1 Account and contact information
- Name
- Email address
- Account identifiers or subscription status
- Basic settings and preferences
3.2 Billing and transaction information
If you purchase a subscription or other paid features, our payment processors (for example, Apple) may collect billing-related information such as:
- Billing name and contact details
- Payment method details (e.g., card type, last 4 digits)
- Transaction dates and amounts
Payment details are typically handled directly by our third-party payment providers; we do not store full payment card numbers on our own systems.
3.3 Device, diagnostics, and usage information
To keep the Service secure and reliable, we may collect limited technical information, such as:
- Device type, operating system, and app version
- Logs or error reports (for example, when a sync or summary fails)
- Basic usage metrics (such as feature usage, performance, or frequency of sync events)
Where practicable, we configure diagnostics so that they do not include raw Health Data or other unnecessary personal details.
3.4 Health Data stored on your device
When you connect Veritell to your MyChart or other patient portal, the application can store and process Health Data such as:
- Lab and test results and associated details
- Clinical notes and visit summaries
- Diagnostic codes, medications, and care plans
- AI-generated summaries, explanations, and "master overviews" derived from your records
Consistent with how we have designed the Service, this Health Data is intended to be stored in an encrypted data store on your device and accessed locally by the app.
By default and where technically feasible, we design the Service so that this Health Data remains on your device. Certain features of the Service, such as AI-generated summaries, require your Health Data to be transmitted to our servers and third-party AI providers for processing, as described in Section 5.
3.5 Cookies, analytics, and tracking technologies
Our website and Service may use cookies, local storage, and similar technologies for essential purposes such as authentication, session management, and security. We may also use privacy-respecting analytics tools to understand aggregate usage patterns (such as which features are used most frequently).
Within the Veritell application, we do not use third-party advertising cookies, cross-site tracking pixels, or behavioral advertising technologies. We do not permit third parties to collect your browsing or usage data through the application for advertising purposes. We do not use analytics tools that process Health Data. Our marketing website and other promotional channels may use standard advertising and analytics technologies, but these do not have access to your Health Data or application usage data.
4. How we use your information
We use the information described above for the following purposes:
- Providing and maintaining the Service – to run the application, facilitate sync with your portals, generate AI-based summaries, manage your subscription, and keep your local data usable.
- Communicating with you – to send service-related messages such as onboarding guidance, feature updates, or subscription notices.
- Security and reliability – to detect, investigate, and prevent fraudulent or malicious activity and to maintain the integrity of the Service.
- Improving the Service – to understand how features perform, troubleshoot issues, and inform product improvements, using aggregated, de-identified, or non-Health Data.
- Data minimization in AI processing – when Health Data is transmitted to a cloud-hosted AI model for processing, we apply data-minimization principles and transmit only the specific data elements reasonably necessary to generate the requested output. Where technically feasible, we strip or redact direct personal identifiers (such as your name) before transmitting Health Data to AI providers.
- Legal and compliance – to comply with applicable legal obligations, enforce our Terms of Use, and protect our rights and the safety of users.
5. Local-first design and when data may leave your device
5.1 Local storage by default
Veritell is designed so that your Health Data and associated AI summaries are stored in an encrypted data store on your device, with encryption keys managed via your operating system's keychain or similar secure mechanism where available. This local-first design is intended to minimize how often your sensitive Health Data needs to leave your device.
5.2 Cloud-based features
Certain features of the Service rely on secure cloud services, including:
- Cloud-hosted AI models that process Health Data to generate summaries;
- Telemetry or diagnostics that you choose to share with us for support.
Where such features involve Health Data or PHI, we use appropriately scoped safeguards, including HIPAA-eligible infrastructure under Business Associate Agreements for any service provider that processes Protected Health Information on our behalf. Where a particular feature does not involve PHI (for example, because Health Data has been de-identified before transmission), we apply alternative safeguards appropriate to the sensitivity of the data involved.
By using the Service and connecting to your patient portal, you acknowledge that your Health Data will be transmitted to cloud-hosted AI providers for processing as described in Section 5.3.
5.3 AI processing of Health Data
When you use features that involve AI-generated summaries, explanations, or analysis of your health records, the following applies:
What data is sent for AI processing. When you request an AI-generated summary or explanation, your Health Data is transmitted from your device to our cloud infrastructure for processing.
Third-party AI providers. We use AI models hosted by third-party cloud infrastructure providers to process Health Data. We maintain Business Associate Agreements or equivalent data processing agreements with the cloud infrastructure providers that host and run AI models on our behalf. A current list of our AI sub-processors is available upon request by contacting [email protected].
No use for model training. Your Health Data is not used to train, fine-tune, or improve any AI model — whether operated by us or by our third-party providers.
Logging and monitoring. We may log metadata about AI processing requests (such as request timestamps, feature used, and error codes) for service reliability and troubleshooting. These logs do not contain your Health Data.
5.4 Consent for AI processing of Health Data
AI processing of Health Data is a core part of the Service. By connecting your patient portal and using the Service, you consent to the transmission and processing of your Health Data by cloud-hosted AI models as described in this Privacy Policy. This Privacy Policy, together with any in-app disclosures presented during setup, constitutes our notice to you regarding: (a) what Health Data will be sent, (b) the purpose of the transmission (e.g., generating a plain-language summary), and (c) how the data will be handled during and after processing.
If you do not wish to have your Health Data processed by AI models, you should not connect your patient portal to the Service. You may discontinue use of the Service at any time. You also have the option to disconnect your app from a given health system. Deleting the app will delete the local copy of your data.
6. How we share information
We do not sell your Personal Data, and we do not share your Personal Data with third parties for their own advertising or marketing purposes.
We may share information as described below, in each case limited to what is reasonably necessary:
- Service providers – with companies that help us operate the Service, such as payment processors (for example, Apple), cloud infrastructure providers, or analytics tools. These providers are required to use the information only to perform services for us and not for their own unrelated purposes.
- Providers that process Health Data – when we use cloud-based AI or backup services that process Health Data, we do so under contractual safeguards (such as HIPAA-aligned Business Associate Agreements) that restrict their use of that information. See Section 5.3 for details about AI processing.
- With your direction or consent – for example, when you choose to export summaries, share data with a caregiver, or send us logs for troubleshooting.
- Legal and safety – to comply with law, regulation, legal process, or governmental request; to protect our rights or the rights, property, or safety of our users or others; or to detect, prevent, or address fraud, security, or technical issues.
- Business transfers – in connection with a merger, acquisition, financing, reorganization, or sale of all or a portion of our business, subject to appropriate confidentiality and data protection commitments. Because Health Data is stored locally on your device and is not retained in our cloud systems, it would not be included in such a transfer. Only account and usage data held by us would be affected.
If we are ever involved in a transaction that materially changes how your information is handled, we will provide notice and any choices you may have using the contact information you have provided us, if any.
6.1 Sub-processors
We use the following categories of third-party service providers (sub-processors) that may process your personal information or Health Data on our behalf:
- Cloud infrastructure providers – for encrypted storage, compute services, and AI model hosting
- Payment processors – for subscription billing (these providers do not receive Health Data)
- Analytics providers – for aggregated, de-identified usage analytics
- Customer support tools – for responding to your inquiries
Any sub-processor that handles Health Data is covered by a Business Associate Agreement (or equivalent protections) requiring it to safeguard that data, use it only for the purposes we specify, report any security incidents, and return or destroy it when the relationship ends.
For a current list of sub-processors that handle Health Data, contact [email protected].
7. HIPAA and health privacy
Veritell is a consumer health technology application. Sound City Ventures, LLC is not a healthcare provider, health plan, or healthcare clearinghouse, and is generally not a "covered entity" under the Health Insurance Portability and Accountability Act ("HIPAA"). When you choose to import your health records into Veritell, you are directing us to process that information on your behalf as a consumer technology service.
However, we recognize that the information you entrust to us may include data that qualifies as Protected Health Information under HIPAA or sensitive health data under other applicable laws. We therefore apply the following safeguards regardless of our formal HIPAA classification:
- We maintain Business Associate Agreements with all third-party service providers that process, store, or transmit Health Data or PHI on our behalf, including cloud infrastructure providers and AI model providers.
- We implement administrative, technical, and physical safeguards consistent with the HIPAA Security Rule standards, including encryption of Health Data in transit and at rest.
- We limit the use and disclosure of Health Data to the minimum necessary for the purposes described in this Privacy Policy.
- We do not use or disclose Health Data for marketing, advertising, or any purpose unrelated to providing and improving the Service without your explicit consent.
If you received access to Veritell through a healthcare provider or health plan, that entity may have a separate Business Associate Agreement with us governing the use and protection of your PHI under HIPAA.
8. Data retention
We retain different categories of information for different periods, depending on the purpose for which it was collected, legal requirements, and technical constraints:
- Account and subscription records – kept while your account or subscription is active and for a reasonable period afterward (for example, to respond to questions, maintain records for financial or audit purposes, or comply with legal obligations).
- Logs and diagnostics – kept for shorter periods needed to troubleshoot and improve the Service, unless longer retention is required for security, legal, or audit reasons.
- Health Data on your device – stored locally as long as you keep it there. You can delete this data through the app, or by uninstalling the application from your device.
- Health Data temporarily stored on our servers – when you use cloud-based AI features, your Health Data may be temporarily stored on our servers during processing. All such data is encrypted at rest and is automatically deleted as soon as processing completes. As a failsafe, any data that is not successfully deleted after processing is automatically purged within 24 hours.
9. Your rights and choices
Depending on where you live, you may have certain rights regarding your Personal Data. Regardless of location, we aim to offer clear choices where practicable.
- Access and update – you can review and update basic account information through the app or by contacting us.
- Local data control – you control the Health Data stored on your device. You can remove Health Data by clearing data within the app (where supported) or uninstalling the application.
- Deletion of server-side data – you may request deletion of certain Personal Data we hold on our servers, subject to legal or operational requirements (for example, we may retain non-medical records necessary for accounting or legal compliance).
- Marketing communications – if we send non-essential marketing emails, you can opt out using the unsubscribe link in those emails or by contacting us.
9.1 California privacy disclosures
If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (CCPA/CPRA) or similar state privacy laws, including:
- The right to request that we disclose what categories of Personal Data we collect, use, and disclose;
- The right to request deletion of certain Personal Data we hold about you, subject to exceptions;
- The right to correct inaccurate Personal Data we hold about you;
- The right not to be discriminated against for exercising these rights.
We do not sell your Personal Data or share it for cross-context behavioral advertising as those terms are used in the CCPA/CPRA.
To exercise California privacy rights, you may contact us using the contact details at the end of this Policy and indicate that you are a California resident making a privacy request. We may need to verify your identity before responding.
9.2 Washington state – My Health My Data Act
Sound City Ventures is based in Washington state. If you are a Washington consumer, the Washington My Health My Data Act ("MHMDA") provides you with specific rights regarding your consumer health data, including Health Data processed by the Service.
- Consent. By connecting your patient portal and using the Service, you provide your affirmative consent to the collection and sharing of your consumer health data as described in this Privacy Policy, including transmission of Health Data to third-party AI providers for processing. This consent is specific to the categories of health data and purposes described in this Privacy Policy.
- Right to withdraw consent. You may withdraw your consent to the collection or sharing of your consumer health data at any time by deleting the app from your device. Withdrawal of consent will not affect the lawfulness of processing performed before withdrawal.
- Right to know. You have the right to request confirmation of whether we are collecting, sharing, or selling your consumer health data, and to request a list of all third parties and affiliates with whom we have shared your consumer health data during the prior 12 months.
- Right to delete. Because your consumer health data is stored locally on your device, you can delete it by deleting the app.
- No sale of health data. We do not sell consumer health data as defined under the MHMDA.
- No geofencing. We do not use geofencing technology around healthcare facilities to collect, process, or share consumer health data.
To exercise your rights under the MHMDA, contact us at [email protected].
9.4 Other state privacy laws
Residents of Connecticut, Colorado, Virginia, Oregon, Texas, Montana, and other states with comprehensive privacy laws may have additional rights regarding their personal data, including health data. These rights may include the right to access, correct, delete, and port your data, and the right to opt out of certain processing activities. To exercise any state-specific privacy rights, please contact us at [email protected]. We will respond to verified requests within the timeframes required by applicable law.
10. Children's privacy
The Service is intended for use by adults. We do not knowingly collect Personal Data directly from children under the age of 13. If you are a parent, guardian, or other legally authorized representative using Veritell to help manage a minor's health information, you are responsible for ensuring you have the legal authority to do so and for supervising the use of the Service.
If we learn that we have collected Personal Data directly from a child under 13 without appropriate consent, we will take reasonable steps to delete that information.
11. Data security
We take reasonable and appropriate measures to help protect your information, including using encryption for local Health Data storage and leveraging operating-system-level key management where available. However, no method of transmission or storage is completely secure.
You play an important role in keeping your data safe. This includes:
- Using strong device passwords or passcodes;
- Keeping your operating system and app up to date with security patches;
- Limiting who has physical or remote access to your devices;
- Being cautious before sharing screenshots, exports, or other outputs that may contain Health Data.
While we strive to protect your information, we expressly disclaim any representation or warranty, express or implied, that your data will be completely secure from unauthorized access, breach, or disclosure. You acknowledge that you provide your health information and other personal data at your own risk. Our general liability terms are set forth in our Terms of Use.
11.1 Breach notification
In the event of a security incident that results in unauthorized access to, or disclosure of, your personal data or Health Data, we will notify affected individuals and applicable regulatory authorities as required by law. Where legally required, we will provide notification without unreasonable delay and no later than the timeframes mandated by applicable federal and state laws.
Our breach notification will include, to the extent known at the time of notification: a description of the incident, the types of information involved, the steps we are taking in response, steps you can take to protect yourself, and contact information for further questions.
We will also notify applicable regulatory authorities, including the Federal Trade Commission, state attorneys general, and the U.S. Department of Health and Human Services, as required by applicable law. Where applicable, we will comply with the FTC Health Breach Notification Rule (16 CFR Part 318) and the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
12. Geographic scope
The Service is intended solely for use by individuals located in the United States. We do not offer, direct, or market the Service to users outside the United States. If you access the Service from outside the United States, you do so at your own risk and are solely responsible for compliance with any applicable local laws. We make no representation that the Service is appropriate, available, or compliant with laws in any jurisdiction other than the United States.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. For material changes, we will use reasonable efforts to notify you, such as by displaying a notice in the app or on our website.
Your continued use of the Service after any changes take effect means that you accept the updated Privacy Policy. If you do not agree, you should stop using the Service and may uninstall the application.
14. Contact us
If you have any questions about this Privacy Policy or our privacy practices, or if you wish to exercise your privacy rights, please contact Sound City Ventures, LLC at [email protected].