PRIVACY POLICY

PULZ HEALTH INC

Effective Date: March 17, 2026

PULZ Health Inc (“PULZ,” “Company,” “we,” “us,” or “our”), a Delaware C-Corporation with its principal offices at 47 S Pennsylvania St #700, Indianapolis, IN 46204, is committed to protecting the privacy and security of your information. This Privacy Policy (“Policy”) describes how we collect, use, disclose, retain, and protect your personal information and health data when you access or use our website at PULZ.care (the “Site”), applications, platforms, and related services (collectively, the “Services”).

BY ACCESSING OR USING THE SITE OR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS POLICY, DO NOT ACCESS OR USE THE SITE OR SERVICES.

This Policy applies to all visitors, users, members, and others who access or use the Site or Services. It supplements, and does not replace, any other privacy notices or disclosures we may provide, including any HIPAA Notice of Privacy Practices applicable to protected health information.

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

We may collect the following categories of information that you voluntarily provide to us:

Contact and Identification Information: name, email address, phone number, mailing address, date of birth, government-issued identification numbers where required by law
Account Information: username, password, account preferences, and communication preferences
Health and Wellness Information: health history, medical records, laboratory results, genomic and pharmacogenomic data, biometric data from wearable devices, fitness and activity data, dietary information, mental health and wellness assessments, and any other health-related information you provide or authorize us to access
Insurance and Benefits Information: health plan identifiers, coverage details, employer-sponsored plan information
Financial Information: billing information, payment method details as necessary for transactions
Communications: correspondence with PULZ, feedback, survey responses, support requests
Research Participation Data: consent forms, study enrollment information, research-related health data
Professional Information: employer details, job title, professional credentials (where applicable)

1.2 Information Collected Automatically

When you access the Site or Services, we automatically collect certain information, including:

Device and Technical Information: IP address, browser type and version, operating system, device identifiers, device type, screen resolution, and language preferences
Usage Data: pages visited, links clicked, time and date of access, duration of visit, referring URL, search queries within the Site, features used, and interaction patterns
Location Information: approximate geographic location inferred from IP address; precise geolocation data only with your explicit consent
Cookies and Tracking Technologies: information collected through cookies, web beacons, pixel tags, clear GIFs, local storage objects, and similar technologies as described in our Cookie Policy
Log Data: server logs, error reports, and diagnostic data

1.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

Healthcare Providers and Electronic Health Records (EHR): clinical data, diagnoses, treatment histories, medication records, and laboratory results obtained through TEFCA-compliant, FHIR-standard data exchanges with your authorization
Health Plans and Insurers: enrollment data, claims data, and coverage information
Wearable Device and Health Application Providers: activity, biometric, and wellness data from connected devices and applications
Laboratory and Diagnostic Partners: test results, genomic data, and pharmacogenomic profiles
Business Partners and Data Providers: demographic, firmographic, and aggregated data for analytics purposes
Public Sources: publicly available information from government databases, professional registries, and public records

1.4 Sensitive Data

We recognize that certain categories of data we collect are highly sensitive, including but not limited to protected health information (PHI) as defined under HIPAA, genetic and genomic information, biometric data, and precise geolocation data. We apply heightened safeguards to the collection, use, storage, and disclosure of such data in accordance with applicable law and as described in this Policy.

2. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

Service Delivery: To provide, maintain, personalize, and improve the Site and Services, including health data management, population health analytics, wellness engagement features, and research connectivity
Account Administration: To create, manage, and authenticate your account and process your requests
Health Data Management: To aggregate, normalize, analyze, and present health and wellness data in accordance with your authorizations and applicable law
Research and Analytics: To facilitate approved research programs, clinical trials, real-world evidence studies, and population health analyses, subject to applicable consent requirements and de-identification standards
Wellness and Engagement: To deliver personalized wellness recommendations, engagement tools, and educational content (none of which constitute medical advice)
Communications: To send you transactional notifications, service updates, security alerts, administrative messages, and, with your consent, marketing communications
Compliance: To comply with applicable legal obligations, including HIPAA, HITECH, the FTC Health Breach Notification Rule, state health data privacy laws, and all other applicable regulations
Security and Fraud Prevention: To detect, investigate, and prevent security incidents, fraud, unauthorized access, and other harmful activities
Legal Proceedings: To establish, exercise, or defend legal claims, protect our rights and property, and respond to lawful requests from governmental authorities
Business Operations: To conduct internal audits, quality assurance, business planning, corporate transactions, and reporting
De-identification and Aggregation: To create de-identified, anonymized, or aggregated data sets that cannot reasonably be used to identify you, which we may use and disclose without restriction

3. HOW WE SHARE YOUR INFORMATION

PULZ does not sell your personal information or protected health information. We may share your information only in the following circumstances:

With Your Consent or Authorization: We share PHI and personal information only in accordance with your written HIPAA authorization or other explicit consent. You may revoke your authorization at any time.
Service Providers and Business Associates: We share information with trusted third-party service providers who perform services on our behalf, subject to Business Associate Agreements (BAAs) where PHI is involved, and contractual obligations requiring confidentiality and data protection
Enterprise Sponsors: Aggregated, de-identified population health data may be shared with enterprise sponsors (employers, health plans) for program analytics and reporting. Individual-level PHI is never shared with sponsors without your explicit authorization
Research Partners: With your explicit, informed consent, we may share data with pharmaceutical companies, clinical research organizations (CROs), and academic institutions for approved research programs, subject to Institutional Review Board (IRB) oversight where applicable
Healthcare Providers: With your authorization, we facilitate the exchange of health data with your healthcare providers through TEFCA-compliant, FHIR-standard interoperability channels
Legal Obligations: We may disclose information to comply with applicable laws, regulations, legal processes, subpoenas, court orders, or enforceable governmental requests
Protection of Rights: We may disclose information to enforce these Terms and this Policy, protect PULZ’s rights, property, or safety, or the rights, property, or safety of our users or others
Corporate Transactions: In connection with a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar corporate event, your information may be transferred as a business asset, subject to applicable data protection obligations
De-identified and Aggregated Data: We may share data that has been de-identified in accordance with HIPAA Safe Harbor or Expert Determination standards, or aggregated in a manner that does not reasonably permit identification of individuals

4. HIPAA AND HEALTH INFORMATION PROTECTIONS

To the extent that PULZ acts as a Business Associate or covered entity under HIPAA, we comply with all applicable requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as amended by HITECH and subsequent regulations. Our practices include:

Executing Business Associate Agreements (BAAs) with all entities that access or process PHI on our behalf
Implementing administrative, technical, and physical safeguards as required by the HIPAA Security Rule
Applying the minimum necessary standard to all uses and disclosures of PHI
Providing individuals with rights to access, amend, and receive an accounting of disclosures of their PHI
Maintaining immutable audit trails via our Consent Ledger for Identity and Permission (CLIP) blockchain infrastructure for all PHI access events
Issuing breach notifications in accordance with the HIPAA Breach Notification Rule within the required timeframes
Training all workforce members on HIPAA compliance requirements

If PULZ provides you with a separate HIPAA Notice of Privacy Practices (“NPP”), the NPP governs our use and disclosure of your PHI and prevails over this Policy to the extent of any conflict.

5. STATE AND FEDERAL PRIVACY LAW COMPLIANCE

5.1 California (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), provides you with specific rights regarding your personal information. You have the right to: know what personal information we collect, use, and disclose about you; request deletion of your personal information, subject to certain exceptions; correct inaccurate personal information; opt out of the “sale” or “sharing” of personal information (PULZ does not sell personal information); limit the use and disclosure of sensitive personal information to purposes authorized by the CCPA/CPRA; and not be discriminated against for exercising your privacy rights. To exercise these rights, contact us at info@PULZ.care. We will verify your identity before processing your request.

5.2 Washington My Health My Data Act

If you are a Washington state resident, the Washington My Health My Data Act provides additional protections for consumer health data collected outside of HIPAA. We obtain affirmative consent before collecting or sharing your consumer health data as defined under this Act, and we honor all applicable rights including the right to withdraw consent and request deletion of consumer health data.

5.3 Other State Laws

PULZ complies with all applicable state privacy and data protection laws, including but not limited to the Colorado Privacy Act, Connecticut Data Privacy Act, Virginia Consumer Data Protection Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Montana Consumer Data Privacy Act, and all other state laws that may apply to our processing of your personal information. We will honor your rights under any applicable state law upon verified request.

5.4 FTC Health Breach Notification Rule

To the extent applicable, PULZ complies with the FTC Health Breach Notification Rule, which requires notification in the event of a breach of unsecured, individually identifiable health information held by entities not covered by HIPAA. We maintain incident response procedures to ensure timely notification to affected individuals, the FTC, and, where required, the media.

6. DATA SECURITY

PULZ implements comprehensive administrative, technical, and physical security measures designed to protect your information against unauthorized access, alteration, disclosure, destruction, or loss. These measures include but are not limited to:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
Multi-factor authentication and role-based access controls
Continuous monitoring, intrusion detection, and vulnerability management
Regular security assessments, penetration testing, and compliance audits
Immutable blockchain-based audit trails through our CLIP infrastructure for comprehensive data provenance
SOC 2 Type II certification pathway and FedRAMP High compliance (via VSee Health ATO) for federal deployments
Workforce training and security awareness programs
Incident response and disaster recovery plans with 72-hour restoration capabilities

NOTWITHSTANDING THE FOREGOING, NO METHOD OF TRANSMISSION OVER THE INTERNET OR METHOD OF ELECTRONIC STORAGE IS COMPLETELY SECURE. WHILE WE STRIVE TO USE COMMERCIALLY REASONABLE MEANS TO PROTECT YOUR INFORMATION, PULZ CANNOT GUARANTEE AND DOES NOT WARRANT THE ABSOLUTE SECURITY OF ANY INFORMATION YOU TRANSMIT TO US OR THAT WE STORE. ANY TRANSMISSION OF PERSONAL INFORMATION IS AT YOUR OWN RISK. PULZ SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS TO, OR BREACH OF, YOUR PERSONAL INFORMATION EXCEPT TO THE EXTENT SUCH LIABILITY CANNOT BE EXCLUDED BY APPLICABLE LAW.

7. DATA RETENTION

We retain your personal information and health data for as long as necessary to fulfill the purposes for which it was collected, to comply with applicable legal, regulatory, and contractual obligations, to resolve disputes, to enforce our agreements, and to protect PULZ’s legitimate business interests. Specific retention periods vary based on the type of data, applicable laws, and the purposes for which the data was collected. When retention is no longer necessary, we will securely delete or de-identify your information in accordance with our data retention and destruction policies. Notwithstanding the foregoing, PULZ reserves the right to retain de-identified, anonymized, or aggregated data indefinitely for research, analytics, and business purposes.

8. YOUR RIGHTS AND CHOICES

Depending on your jurisdiction and the applicable laws, you may have the following rights with respect to your personal information:

Right to Access: Request information about the personal data we hold about you
Right to Correction: Request correction of inaccurate or incomplete personal data
Right to Deletion: Request deletion of your personal data, subject to certain legal exceptions and retention requirements
Right to Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format
Right to Restrict Processing: Request that we restrict the processing of your personal data in certain circumstances
Right to Withdraw Consent: Withdraw your consent for processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal
Right to Opt Out: Opt out of certain data uses, including marketing communications
HIPAA Rights: Access, amend, and receive an accounting of disclosures of your PHI; request restrictions on uses and disclosures; and request confidential communications

To exercise any of these rights, please contact us at info@PULZ.care. We will respond to verified requests within the timeframes required by applicable law. We may deny or limit requests in accordance with applicable legal exceptions. We will not discriminate against you for exercising your privacy rights.

9. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to enhance your experience, analyze usage patterns, and deliver relevant content. Categories include strictly necessary cookies, performance and analytics cookies, functional cookies, and, with your consent, targeting and advertising cookies. You can control cookie preferences through your browser settings or through our cookie consent management tool. Disabling certain cookies may affect the functionality of the Site and Services. For detailed information about the cookies we use and your choices, please refer to our Cookie Policy.

PULZ does not use tracking technologies to collect or transmit protected health information to third-party advertising platforms. We maintain strict separation between health data and commercial tracking in compliance with HIPAA guidance and FTC enforcement standards.

10. CHILDREN’S PRIVACY

The Site and Services are not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete such information. If you believe that we may have collected information from a child under 13, please contact us immediately at info@PULZ.care. For users between the ages of 13 and 18, parental or guardian consent may be required for certain features of the Services.

11. INTERNATIONAL DATA TRANSFERS

PULZ is based in the United States and primarily processes data within the United States. If you access the Site or Services from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction. By using the Site or Services, you consent to the transfer of your information to the United States and to any other country where PULZ or its service providers operate. PULZ will take reasonable measures to ensure that your data is treated securely and in accordance with this Policy and applicable data protection laws.

12. DO NOT TRACK SIGNALS

Certain web browsers may transmit “Do Not Track” (DNT) signals. At this time, there is no universally accepted standard for how companies should respond to DNT signals. Accordingly, the Site does not currently respond to DNT signals. We will continue to monitor developments in DNT technology and may update this Policy if a uniform standard is adopted.

13. CHANGES TO THIS PRIVACY POLICY

PULZ reserves the right to modify, update, or replace this Privacy Policy at any time, in its sole discretion, and without prior notice. Changes will be effective immediately upon posting the revised Policy on the Site with an updated effective date. Your continued use of the Site or Services after the posting of changes constitutes your acceptance of such changes. PULZ strongly encourages you to review this Policy periodically. For material changes affecting the processing of your PHI, we will provide notice as required by applicable law.

14. DATA BREACH NOTIFICATION

In the event of a breach of unsecured protected health information or personal information, PULZ will notify affected individuals, applicable regulators, and, where required, the media, in accordance with HIPAA Breach Notification Rule requirements, state data breach notification laws, the FTC Health Breach Notification Rule, and any other applicable notification requirements. PULZ maintains comprehensive incident response procedures to ensure timely detection, investigation, containment, and remediation of security incidents.

15. CONTACT INFORMATION AND DATA PROTECTION INQUIRIES

If you have any questions, concerns, or requests regarding this Privacy Policy, your personal information, or our privacy practices, please contact us at:

PULZ Health Inc

Attn: Privacy Officer

47 S Pennsylvania St #700

Indianapolis, IN 46204

Email: info@PULZ.care

For HIPAA-related inquiries or to exercise your rights under HIPAA, please direct your request to our Privacy Officer at the address above. You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your HIPAA rights have been violated.