The short version.
- We handle Protected Health Information (PHI) under HIPAA. We follow the rules.
- We collect what we need to deliver your care — eligibility, dietary preferences, clinical data — and nothing we don't.
- We never sell your data. We never share it for advertising. Ever.
- We share PHI only for treatment, payment, and healthcare operations — and only with partners who've signed a Business Associate Agreement (BAA).
- We're SOC 2 Type II certified. Encryption in transit and at rest, audit logs, least-privilege access, and annual penetration testing.
- You have the right to see your records, correct them, restrict how we use them, and receive an accounting of disclosures. It's all below.
1. Who this policy covers.
This policy applies to FareRx LLC and all of its services, including farerx.com, its subdomains (trust, outcomes, kitchen, fimintel, brand, forhelen, readtherule), our grocery delivery, nutrition counseling, teaching kitchen programs, cardiometabolic care, and any other product we operate under the FareRx name.
We act in two capacities depending on the context:
- Covered Entity — when we provide healthcare services directly (Medical Nutrition Therapy, DSME, DPP, Remote Patient Monitoring, Chronic Care Management) and bill insurance under our own NPI (1740031988).
- Business Associate — when we provide services on behalf of a health plan or another covered entity (eligibility file processing, member outreach, grocery delivery tied to a benefit). In these cases, we operate under a Business Associate Agreement (BAA) with that entity.
2. HIPAA Notice of Privacy Practices.
As a HIPAA Covered Entity and Business Associate, we are required by law to maintain the privacy of your Protected Health Information (PHI), provide you with this Notice, and follow the terms of the Notice currently in effect.
What we use and disclose PHI for (without your authorization).
- Treatment — coordinating your care with your physicians, pharmacists, and other providers.
- Payment — billing your health plan or Medicare for services rendered.
- Healthcare Operations — quality improvement, training, accreditation, credentialing, audit, and similar activities.
- Required by law — when disclosure is required by federal, state, or local law, including public health reporting, abuse reporting, judicial orders, and law enforcement requests that meet HIPAA standards.
- Health oversight — audits, investigations, inspections, and licensure.
When we need your written authorization.
- Use or disclosure of psychotherapy notes (we generally don't create these, but authorization is required if we do).
- Use or disclosure for marketing purposes, except limited face-to-face communications or a promotional gift of nominal value.
- Any sale of PHI (we do not and will not sell your PHI).
- Most other uses or disclosures not described elsewhere in this Notice.
You may revoke any authorization at any time by notifying us in writing. Revocation will not apply to disclosures already made.
3. Information we collect.
A. Information you give us.
- Contact details (name, address, phone, email).
- Demographics (date of birth, gender, household size, language preference).
- Insurance information (plan, member ID, group number).
- Dietary preferences, allergies, cultural and religious food restrictions.
- Clinical information you share (conditions, medications, labs, height, weight, goals).
- Information about your home or delivery environment (gate codes, building access, pets).
B. Information we receive from your health plan or provider.
- Eligibility files (who qualifies for which benefit).
- Referral information (diagnosis codes, treatment history, care team).
- Claims and utilization data (when authorized under a BAA).
C. Information from connected devices (RPM).
- Blood pressure, blood glucose, weight, pulse oximetry readings when you use a device we provide.
- Device usage telemetry (battery, last sync, software version).
D. Information we collect automatically from the Site.
- IP address, browser type, device type, operating system, referring URL.
- Pages visited, buttons clicked, time spent, and similar analytics.
- Cookies and similar technologies (see section 8, Cookies and tracking).
We do not use PHI for advertising and we do not allow third-party advertising trackers on pages that collect PHI. Our member-facing intake, eligibility, and account pages do not use Meta Pixel, Google Ads conversion tags, or similar surveillance advertising technologies.
4. How we use information.
- To provide and coordinate your care (deliveries, dietitian sessions, clinical follow-up, RPM review).
- To verify eligibility and bill your health plan or Medicare.
- To communicate with you about your program, upcoming deliveries, appointments, and benefits.
- To improve our service (aggregated, de-identified analytics only — no PHI leaves our systems for product analytics).
- To meet our legal, regulatory, and accreditation obligations.
- To prevent fraud, investigate abuse, and maintain the security of our systems.
5. When we share information.
We share information only as described in this policy and only as permitted by HIPAA and other applicable law.
Business Associates and Sub-Processors.
We use a small set of vetted vendors to run our service — for example, infrastructure hosting, payment processing, and communications. Every vendor with access to PHI has signed a Business Associate Agreement that binds them to HIPAA's requirements. A current list of our sub-processors is available on request to privacy@farerx.com.
Your care team and health plan.
We share PHI with your physicians, clinicians, and health plan as needed for treatment, payment, and healthcare operations — and only at the level required for the task.
Legal and regulatory.
- In response to a subpoena, court order, or other lawful legal process that meets HIPAA standards.
- To public health authorities for mandatory reporting.
- To health oversight agencies (CMS, state licensing boards, accrediting bodies).
- To law enforcement in narrow circumstances allowed under HIPAA.
What we do NOT do.
- We do not sell PHI. We do not sell Personal Information as that term is defined under state privacy laws.
- We do not share PHI for third-party advertising or marketing.
- We do not allow advertising trackers on pages where you enter health information.
6. How we protect information.
FareRx maintains a SOC 2 Type II certified information security program. Our live trust center — with current certifications, policies, and sub-processor list — is at trust.farerx.com.
Administrative safeguards.
- Designated HIPAA Privacy Officer and Security Officer.
- Annual workforce training on HIPAA, security, and fraud/waste/abuse.
- Role-based access with least-privilege controls.
- Monthly exclusion list screening (OIG LEIE, SAM).
- Incident response runbook with defined escalation paths.
Technical safeguards.
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Multi-factor authentication required for all workforce access to PHI systems.
- Audit logs retained for seven (7) years and regularly reviewed.
- Annual third-party penetration testing and ongoing vulnerability management.
- Endpoint protection, full-disk encryption, and mobile device management on every workforce device.
Physical safeguards.
- Secure facilities at our Philadelphia Teaching Kitchen and fulfillment center.
- Visitor sign-in, access logs, and camera monitoring of sensitive areas.
- Secure disposal of paper PHI and decommissioned media.
Insurance.
FareRx maintains $5M in cyber liability coverage. A current Certificate of Insurance is available on request for partner diligence.
No system is perfectly secure. We commit to doing the work of making ours as close as reasonably possible — and telling you fast if something goes wrong (see Breach Notification below).
7. Your rights.
Under HIPAA, you have the following rights regarding your PHI. To exercise any of them, contact privacy@farerx.com. We respond within 30 days (with the option of one 30-day extension where HIPAA permits).
- Right to access. Inspect and get a copy of the PHI we hold about you. We'll provide it in the format you reasonably request (electronic when possible).
- Right to amend. Ask us to correct information you believe is wrong or incomplete. We may deny the request in limited cases; if we do, you can submit a statement of disagreement.
- Right to an accounting of disclosures. A list of certain disclosures we've made in the past six years (excludes disclosures for treatment, payment, operations, and a few other categories).
- Right to request restrictions. Ask us to limit how we use or share PHI. We'll agree where HIPAA requires (for example, restrictions on disclosures to your health plan for services you paid for out of pocket in full).
- Right to confidential communications. Ask us to contact you at a specific address, phone, or by a specific method.
- Right to a paper copy of this Notice. Even if you received it electronically.
- Right to file a complaint. With us directly, or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will never retaliate against you for filing a complaint.
8. Cookies and tracking.
We use a minimal set of cookies and similar technologies on the Site:
- Strictly necessary — session cookies that let the Site function (load balancing, CSRF protection, authenticated session). These cannot be disabled.
- Functional — remembers your language preference, form state, and similar. Used to make the Site more usable.
- Analytics — privacy-preserving, aggregated analytics (no PHI, no cross-site tracking). Used to understand which pages are useful.
We do not use advertising cookies, retargeting pixels, or cross-site tracking. We honor Global Privacy Control (GPC) signals where applicable. You can instruct your browser to refuse cookies, but some functionality may break if you do.
9. State privacy rights.
If you live in California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another state with a comprehensive privacy law, you have specific rights over the Personal Information we hold about you. These rights typically include:
- The right to know what Personal Information we collect and how we use it.
- The right to access a copy of your Personal Information.
- The right to delete your Personal Information, subject to exceptions.
- The right to correct inaccurate Personal Information.
- The right to opt out of the sale or sharing of Personal Information (we do not sell or share).
- The right to opt out of targeted advertising (we do not engage in targeted advertising).
- The right to limit use of Sensitive Personal Information.
- The right to non-discrimination for exercising these rights.
Most information we hold is PHI governed by HIPAA and is exempt from most state privacy laws — but the rights above still apply to information not covered by HIPAA. To exercise any of these rights, email privacy@farerx.com. We may need to verify your identity before fulfilling the request.
California residents have additional rights under the CCPA and CPRA, including the right to know the categories of Personal Information collected in the past 12 months, the sources of that information, the purposes for collecting it, and the categories of third parties with whom it was shared. That information is available in the collection and sharing sections above.
10. International (GDPR).
FareRx operates in the United States and primarily serves U.S. residents. We do not target services to residents of the European Economic Area, United Kingdom, or Switzerland. If you nonetheless interact with us from one of those jurisdictions, you may have rights under GDPR / UK GDPR including access, rectification, erasure, restriction, objection, and data portability. Our lawful basis for processing is typically your consent or the performance of a contract; for PHI, we rely on the vital interests or healthcare-delivery bases where applicable. Contact privacy@farerx.com to exercise any of these rights. You may also contact your local supervisory authority.
11. Children's privacy.
The Site is not directed to children under 13 and we do not knowingly collect information from children under 13 without verifiable parental consent. We do provide pediatric and maternal nutrition services through parent or guardian enrollment; in those cases, the parent or guardian provides consent and manages the minor's account. If you believe a child under 13 has provided us information without parental consent, contact privacy@farerx.com and we will delete it promptly.
12. How long we keep information.
We retain information only as long as needed to deliver care, meet our legal obligations, or maintain accurate records.
- Medical records and billing records: retained for the longer of (a) seven (7) years from the date of last service or (b) any longer period required by applicable state law, CMS, or our accreditation bodies.
- Audit logs: retained for seven (7) years.
- Account and contact information: retained while your account is active and for a reasonable period after closure to handle follow-up, disputes, and legal hold requirements.
- Eligibility and claims data processed as Business Associate: retained and deleted per the BAA with the relevant health plan.
When information is no longer needed, we delete, destroy, or de-identify it using methods that meet HIPAA de-identification standards.
13. Breach notification.
If a breach of unsecured PHI occurs, we will notify affected individuals, the U.S. Department of Health and Human Services, and (for breaches affecting 500 or more individuals in a state or jurisdiction) prominent media outlets, consistent with the HIPAA Breach Notification Rule. Individual notifications go out without unreasonable delay and in no case later than 60 days from discovery. Where a health plan partner is the Covered Entity and we are the Business Associate, we notify the partner promptly so they can meet their own notification obligations.
14. Changes to this policy.
We may update this policy to reflect changes in our services, the law, or our practices. When we make material changes, we will update the effective date at the top of the policy and notify you through the Site or by email. Your continued use of FareRx after the effective date constitutes acceptance of the updated policy. Prior versions are available on request.
15. Contact us.
Questions, requests, or complaints about this policy or about your PHI: