Forum Health Privacy Policy

• Personal Information: Such as your name, address, email, phone number, date of birth, payment information, and health-related details you provide when booking appointments, creating an account, or receiving care.
• Health Information: Protected health information (“PHI”) collected in connection with medical consultations, diagnoses, treatments, and related services, consistent with HIPAA. This includes information such as genetic test results, nutritional assessments, lifestyle tracking data, and environmental exposure histories to support personalized treatment planning.
• Usage Data & Device Information: Including IP address, browser type, operating system, referring URLs, device identifiers, clickstream data, and analytics through cookies, pixels, and similar technologies.
• Communications: Records of your communications with us, including customer service and telehealth consultations.
• Marketing & Engagement Data: Information collected from online appointment platforms, reviews, or interactions with third-party sites (e.g., Google, Yelp, Zocdoc).
• Wearable, Nutrigenomic, or Lifestyle Data: Information collected from data from wearable devices, fitness trackers, nutrigenomic reports, and lifestyle assessments.

• Providing Care & Services: To schedule appointments, deliver telehealth services, issue prescriptions, and manage treatment plans.
• Customer Support: Responding to inquiries and resolving service issues.
• Payment Processing & Insurance Coordination
• Marketing & Communications: Sending you educational content, promotional offers, reminders, and updates.
• Analytics & Service Improvement: Understanding patient trends, optimizing appointment scheduling, improving patient outcomes, and enhancing user experience. We may use de-identified or limited datasets for retrospective analyses, population health initiatives, or clinical research, in accordance with applicable IRB approvals or waiver of authorization under HIPAA
• Research & Product Development: Developing new programs, technologies, and treatments.
• Compliance & Legal Obligations: Meeting HIPAA and other regulatory requirements.
• Anonymized Data Sharing: We may sell, license, or distribute aggregated and de-identified information that does not identify you personally, consistent with HIPAA de-identification standards. Forum Health uses the Safe Harbor method under HIPAA, removing all 18 identifiers, or engages a qualified statistical expert to ensure data is not individually identifiable.
• By providing your name, email address, physical address, or other data you agree that we may use it to communicate with you. Providing your telephone number constitutes consent to use automated dialing equipment and prerecorded voices or messages in such communication. Providing cellular telephone numbers constitutes consent to receipt of text messages from us. Providing your telephone number(s) or email address(es) waives any claim under the Telephone Consumer Protection Act or the CAN-SPAM Act.

• With Healthcare Providers & Partners: Physicians, nurses, pharmacists, and other providers involved in your care.
• With Service Providers: Vendors supporting our technology, marketing, analytics, call centers, billing, and communications. These parties are bound by agreements with us to keep your information confidential.
• With Insurance Companies & Payment Processors: To manage claims and billing.
• For Marketing & Analytics: With third-party platforms (such as Google, Yelp, Zocdoc, and WebMD) for advertising and patient acquisition.
• For Legal, Regulatory, or Safety Reasons: As required by law, regulation, or court order.
• In Business Transactions: In the event of a merger, acquisition, financing, or sale of a business or assets.
• With Third Parties in De-Identified Form: We may sell, license, or distribute anonymized and aggregated data for research, analytics, and commercial purposes in accordance with federal law. This data cannot reasonably be used to identify you.

• Track website performance and patient appointment conversions (e.g., Google Ads, Yelp, Zocdoc).
• Measure marketing campaign effectiveness and optimize ad spend.
• Provide tailored advertising across websites, social media, and streaming platforms.
• Collect analytics on patient engagement, including booking behavior, star ratings, and reviews.

You can manage cookies through your browser settings or opt out of interest-based advertising via industry programs like the Digital Advertising Alliance. You may not be able to fully use all webpages if cookies are disabled.

• Access & Correct Your Information: Request copies of or updates to your personal data.
• Opt Out of Marketing: Unsubscribe from promotional emails, texts, or calls.
• Restrict or Delete Data: Request deletion of your data where legally permitted.
• Limit PHI Sharing: Request restrictions under HIPAA.
• Opt Out of Data Sales (Where Applicable): While we do not sell personal information in a way that directly identifies you, you may opt out of anonymized data sales where required by state law.

To exercise your rights, contact us at privacy@forumhealth.com.

We use administrative, technical, and physical safeguards to protect your data. While we take reasonable steps to secure your information, no method of transmission is 100% secure. Forum Health utilizes a proprietary Electronic Medical Record (EMR) system to store, manage, and secure your health information. Access to this system is role-based and encrypted. Where applicable, third-party apps or integrations may access limited data through secure APIs. While we cannot guarantee your information will not be viewed by unauthorized persons, we employ role-based access, end-to-end encryption, regular access audits, and mandatory workforce HIPAA training. Our EMR and supporting infrastructure are hosted in HIPAA-compliant environments.

• Parental/Guardian Consent: If you are under 18, a parent or legal guardian must provide consent before you may use our Services.
• No Services for Children Under 13: We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected such information, we will delete it promptly.
• Removing Minor Information: Parents or guardians may request that we delete their child’s information by contacting privacy@forumhealth.com. Certain information may need to be retained to comply with legal or medical record-keeping requirements.

• Medical Records: As required by law and medical record-keeping standards (typically 7–10 years).
• Payment and Billing Information: As long as necessary for accounting, audits, and tax compliance.
• Marketing and Engagement Data: Typically no longer than 48 months after your last interaction unless you continue to receive services.
• De-Identified Data: Retained indefinitely, as it cannot be used to identify you.
• Legal and Regulatory Obligations: We may retain data as required to resolve disputes, enforce agreements, or comply with applicable laws.

When data is no longer required, we securely delete or anonymize it.

Our Services are operated in the United States and intended for U.S. residents. By using our Services, you understand that your information may be stored and processed in the U.S., where privacy protections may differ from those in other countries.

If you access our Services from outside the U.S., you consent to the transfer, storage, and processing of your information in the U.S. We comply with U.S. federal and state healthcare privacy regulations, including HIPAA, and where applicable, with state consumer privacy laws such as the California Consumer Privacy Act (CCPA/CPRA).

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated “Effective Date.” By using our website(s) or providing any information you consent to the collection of your personal information as described in this Privacy Policy.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section explains your rights and how to exercise them.

Personal Information We Collect

In the last 12 months, we have collected the following categories of personal information about California consumers:

• Identifiers: Such as name, email, phone number, address, and account information.
• Protected Classifications: Such as age, sex, and medical conditions (as permitted by law).
• Health Information: Medical history, treatment records, prescriptions, and related PHI.
• Commercial Information: Records of products or services purchased, obtained, or considered.
• Internet or Electronic Activity: Browsing history, search history, and interaction with our websites, patient portals, and apps.
• Geolocation Data: When you use location-enabled services.
• Inferences: Information drawn from other data to create a profile reflecting your preferences or health interests.

We collect this information directly from you, from your healthcare providers, and from third-party sources (such as online booking platforms like Google, Yelp, and Zocdoc).

Use of Personal Information

We use personal information for the business purposes described in Section 2 above, including providing healthcare services, managing your account, billing, marketing, and improving our Services.

Disclosure of Personal Information

We may disclose your personal information to:

• Healthcare providers, insurance companies, and service partners.
• Technology and marketing vendors (e.g., Google, Yelp, Zocdoc, WebMD).
• Law enforcement or regulators when legally required.

We do not sell personal information that directly identifies you. However, we may sell, license, or distribute de-identified and aggregated information, which is not considered “personal information” under CCPA.

Your Privacy Rights

As a California resident, you have the right to:

• Know: Request the categories and specific pieces of personal information we have collected, used, or disclosed about you.
• Delete: Request deletion of personal information we collected from you, subject to certain exceptions (such as legal or medical record-keeping obligations).
• Correct: Request correction of inaccurate personal information.
• Opt Out of Data Sales/Sharing: You may opt out of the sale or sharing of your personal information. While we do not sell data that identifies you, you may opt out of the use of anonymized data where required by state law.
• Limit Use of Sensitive Personal Information: You can request that we limit our use of sensitive personal information (such as health data) to only those uses necessary to provide you services.
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

How to Exercise Your Rights

You may submit requests by phone, mail, or email (see section 12. Contact Us)

We will verify your identity before fulfilling requests. You may also designate an authorized agent to act on your behalf.

Shine the Light Law

California law also permits residents to request information once per year about categories of personal information we shared with third parties for their own direct marketing purposes and the identities of those third parties. To make a request, email privacy@forumhealth.com with “Shine the Light Request” in the subject line.

Forum Health Privacy Office

Email: privacy@forumhealth.com

Phone: (833) 510-1463

Address: 2300 Cabot Dr., Suite 125, Lisle, IL 60532