Effective Date: 3/1/26

Last Updated: 3/1/26

INTRODUCTION

Evera Health ("Evera," "we," "our," or "us") operates a consumer-facing mobile application (the "App") that allows adult users to upload, store, organize, and manage their personal health records in one place. We understand that the information you store in the App is among the most sensitive information you have, and we take our responsibility to protect it seriously. Evera is not a healthcare provider, health plan, or healthcare clearinghouse, and is not subject to the Health Insurance Portability and Accountability Act ("HIPAA") in connection with the services described in this Policy. However, because Evera maintains electronic records of identifiable health information drawn from multiple sources that are managed and controlled primarily for your benefit, Evera is subject to the Federal Trade Commission's Health Breach Notification Rule, 16 C.F.R. Part 318, as a vendor of personal health records. This means that in the event of a security breach affecting your health information, Evera has legal obligations to notify you and, where applicable, federal regulators and media outlets, as described further in Section 10 below. This Privacy Policy explains what information we collect, how we use and share it, how we protect it, how long we retain it, and what rights you have with respect to your information. Please read this Policy carefully before using the App. By creating an account or using the App, you agree to the practices described in this Policy. If you have questions about this Policy or our data practices, please contact us at support@everahealth.app.

SECTION 1: INFORMATION WE COLLECT

We collect information in the following categories. Health information, insurance information, government-issued identifiers, and certain other categories identified below constitute Sensitive Personal Information ("SPI") under applicable state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CPRA"), Cal. Civ. Code § 1798.140(ae), and Washington's My Health My Data Act ("MHMDA"), Wash. Rev. Code § 70.372.010(8). SPI is subject to heightened protections described throughout this Policy.

1.1 Information You Provide Directly

Account Information:

• Full name

• Email address

• Date of birth

• Password (stored in encrypted form)

Health and Medical Information (SPI):

• Medical records, clinical notes, and visit summaries you upload

• Laboratory results and diagnostic reports

• Vaccination and immunization records

• Prescription and medication information

• Health insurance information, including insurance cards and policy details

• Symptoms, health observations, and personal health notes you enter manually

• Appointment records and healthcare provider information

• Any other health-related information you choose to upload or enter

Voice Input (SPI): When you use the App's voice input feature, we collect audio recordings and the text transcribed from those recordings. Voice input may capture health-related information you speak aloud. By using this feature, you consent to the collection and processing of voice-derived health information as described in this Policy. You may disable microphone access at any time through your device settings, though doing so will disable the voice input feature.

Document Uploads: When you upload documents to the App, including medical records, insurance cards, prescription labels, and other health-related documents, we store the original document files in your account.

OCR-Extracted Data (SPI): We use optical character recognition ("OCR") technology to automatically extract and structure text from documents you upload, including text contained in insurance cards, prescription labels, laboratory reports, and medical records. This extracted text is stored separately as structured data within your account and is used to power search, organization, and AI-assisted features. OCR-extracted data is treated as health information and Sensitive Personal Information for all purposes under this Policy.

1.2 Information Collected Automatically

Authentication and Account Security Data:

• Authentication tokens (JWT) used to maintain your session

• Login method (email/password, Google OAuth, or Apple Sign-In)

• Authentication attempt logs for security monitoring purposes

App Usage and Analytics Data:

• App performance data, crash reports, and error logs

• General usage patterns and feature interaction data (e.g., which features are used and how frequently)

Our analytics tools are configured to exclude health information and Sensitive Personal Information from analytics data collection. We do not transmit your health records, uploaded documents, OCR-extracted data, or other health-related information to analytics providers as part of usage tracking.

Device and Technical Data:

• Device type, operating system, and App version

• IP address (used for security and fraud prevention purposes)

1.3 Information From Third-Party Services

Authentication Providers: If you create an account or log in using Google OAuth or Apple Sign-In, we receive limited profile information from those providers, typically your name and email address, solely for the purpose of creating and authenticating your account. We do not receive health information from Google or Apple through the authentication process.

Calendar Integration (If Enabled): If you choose to connect a third-party calendar service (such as Google Calendar) to the App, we will access your calendar data solely to enable health appointment reminders and scheduling features. Calendar integration is optional. We do not store calendar data beyond what is necessary to provide this feature, and we do not share calendar data with third parties.

1.4 Consent to Collection of Consumer Health Data (Washington Residents)

By creating an account, uploading health information, or entering health-related data into the App, you expressly consent to Evera’s collection, processing, storage, and use of your consumer health data for the purposes described in this Privacy Policy.

For residents of Washington State, this consent is provided in accordance with the Washington My Health My Data Act, Wash. Rev. Code § 70.372.030. The collection and processing of your consumer health data is necessary to provide the App’s core functionality, including health record storage, organization, search, reminders, and AI-assisted features.

You may withdraw your consent at any time by deleting your account or submitting a deletion request as described in Section 7. Withdrawal of consent will require deletion of your health data and may result in termination of your access to the App, as the App cannot function without processing your health information.

SECTION 2: HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes. Sensitive Personal Information is used only to the extent necessary to provide the services for which it was collected, consistent with our data minimization obligations under applicable law, including Cal. Civ. Code § 1798.121(a).

2.1 Providing and Operating the App

• Creating and maintaining your account

• Storing, organizing, and displaying your health records

• Enabling search and retrieval of your health information

• Powering AI-assisted summarization, search, and organization features (see Section 3)

• Providing Preventative Care Tracker reminders based on age-based health guidelines (see Section 2.5)

• Enabling document export and email sharing features (see Section 9)

2.2 Account Security and Fraud Prevention

• Authenticating your identity when you log in

• Detecting and preventing unauthorized access to your account

• Monitoring for suspicious authentication activity

• Enforcing our Terms of Service

2.3 App Improvement and Performance

We use aggregated, de-identified usage data to understand how the App is used and to improve its functionality and performance. We do not use your personal health information, Sensitive Personal Information, or individually identifiable information for product improvement unrelated to providing the App to you.

2.4 Legal Compliance

• Complying with applicable laws and regulations, including the FTC Health Breach Notification Rule

• Responding to lawful legal process, court orders, or government requests

• Establishing, exercising, or defending legal claims

2.5 Preventative Care Tracker

The Preventative Care Tracker provides general health reminders based on static, age-based clinical guideline mappings. Reminders are generated by matching your age and profile information against established public health guidelines. They are not generated by artificial intelligence and do not constitute personalized medical recommendations. The Preventative Care Tracker does not diagnose medical conditions, assess your individual health status, or recommend specific treatments or interventions. See Section 11 (Medical Advice Disclaimer) for additional information.

2.6 No Secondary or Commercial Use of Health Data

We do not use your health information or Sensitive Personal Information for advertising, marketing profiling, sale to third parties, or any commercial purpose beyond providing the App features described in this Policy.

SECTION 3: AI-POWERED FEATURES AND GOOGLE GEMINI

3.1 How AI Features Work

Evera uses artificial intelligence to power certain App features, including document summarization, intelligent search, and health record organization. These features are designed to help you find and understand your health information more easily.

3.2 Google Gemini API

Our AI features are powered by the Google Gemini API, provided by Google. When you use an AI-powered feature, relevant portions of your health information, which may include health records, notes, or OCR-extracted document content, are transmitted to Google's infrastructure for processing. This means your health data temporarily leaves Evera's servers and is processed by Google in order to generate the AI output you receive.

We want you to understand clearly what this means: your health information is shared with Google as a third-party service provider for the purpose of providing AI features. Google processes this information on our behalf and is contractually restricted from using it for its own commercial purposes or for AI model training.

3.3 AI Output Disclaimer

AI-generated summaries, search results, and organizational outputs are provided for your personal reference and convenience only. They are not medical advice, clinical assessments, or diagnostic outputs. AI features may produce errors, omissions, or inaccuracies. You should not rely on AI-generated content as a substitute for professional medical advice, diagnosis, or treatment. Always consult a qualified healthcare provider with questions about your health or medical records.

3.4 Opting Out of AI Features

If you prefer not to have your health information processed by our AI service provider, you may opt out of AI-powered features within the App's Settings. Opting out will disable AI-assisted summarization, search, and organization features, but will not affect your ability to upload, store, and manually organize your health records.

SECTION 4: HOW WE SHARE YOUR INFORMATION

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We share your information only in the limited circumstances described below.

4.1 Service Providers

We share personal information with third-party service providers that perform services on our behalf. These providers are permitted to use your personal information only to provide services to Evera and are prohibited from:

• Selling your personal information

• Using your personal information for their own commercial purposes

• Retaining, using, or disclosing your personal information outside the scope of services provided to Evera

• Combining your personal information with data obtained from other sources

Our current service providers include:

• Google (Gemini API): AI-powered summarization and search; Health records and document content (as described in Section 3)

• Neon: Database hosting and storage; All account and health data

• Render: Application hosting and deployment; All account and health data

• Google (OAuth): Authentication; Name and email address only

• Apple (Sign-In): Authentication; Name and email address only

• Google Analytics: App performance and usage analytics; Aggregated, de-identified usage data only — no health information

• Google Calendar: Calendar integration (if enabled); Appointment data (if enabled)

4.2 At Your Direction

We share your health information with third parties only when you explicitly direct us to do so. For example, when you choose to export your records and email them to a healthcare provider. When you share information at your direction, you are solely responsible for your choice of recipient and the security of that transmission. See Section 9 for important information about email export security.

4.3 Legal Requirements

We may disclose your information if we believe in good faith that disclosure is required by applicable law, regulation, or legal process, including a court order, subpoena, or government request. Where permitted by law, we will attempt to notify you before disclosing your information in response to legal process.

4.4 Business Transfers

If Evera is involved in a merger, acquisition, asset sale, or other business transaction, your personal information may be transferred as part of that transaction. In the event of such a transaction, we will provide notice to affected users by email or prominent in-App notice, and where required by applicable law, we will obtain your consent before your personal information is transferred to an entity whose privacy practices differ materially from this Policy.

4.5 Protection of Rights

We may disclose information where we believe it is necessary to prevent fraud, protect the safety of any person, or enforce our Terms of Service and other agreements.

4.6 Affirmative Statement — No Sale or Sharing

Evera does not sell your personal information. Evera does not share your personal information for cross-context behavioral advertising. These statements apply to all categories of personal information, including health information and Sensitive Personal Information, and are made consistent with the California Consumer Privacy Act, Cal. Civ. Code § 1798.140(ad) and § 1798.140(ah), and Washington's My Health My Data Act, Wash. Rev. Code § 70.372.040.

SECTION 5: DATA STORAGE AND SECURITY

5.1 Storage Infrastructure

Your health information is stored on secure cloud infrastructure located in the United States. [Current development infrastructure: PostgreSQL database hosted on Neon, deployed via Render (U.S. region). We maintain data residency within the United States and do not transfer your health information to servers located outside the United States.

5.2 Security Measures

We implement the following technical and organizational security measures to protect your information:

• Encryption in Transit: All data transmitted between the App and our servers, and between our servers and our database, is encrypted using HTTPS/TLS protocols.

• Encryption at Rest: Your health information is encrypted at rest using industry-standard encryption in our database infrastructure.

• Access Controls: Database access is restricted to authorized personnel only, following least-privilege principles and role-based access restrictions. There is no public-facing administrative dashboard exposing user data.

• User Data Isolation: All database queries are enforced server-side using unique user identifier scoping, ensuring that users cannot access another user's data.

• Authentication Security: We use JWT-based authentication with server-side token verification. OAuth tokens from Google and Apple are verified server-side before session tokens are issued.

• Secrets Management: API keys, credentials, and secrets are stored securely in environment variables and are never hardcoded or committed to source control.

• Logging and Monitoring: We maintain logs of authentication attempts and system errors for security monitoring purposes. Sensitive data including health information and authentication credentials is not included in system logs.

• Secure Development Practices: Our development team follows industry-standard secure coding practices, including OWASP guidelines, and performs server-side validation and authorization checks on all protected endpoints.

5.3 Important Limitation - Access to Your Data

Our security measures are designed to protect your information from unauthorized external access. However, please be aware that Evera's systems process your health information in order to provide App features, including AI-powered summarization and search. This means that your health data is accessible to Evera's systems in unencrypted form for the purpose of providing these services. Authorized Evera personnel may access account data only as necessary for security, technical support, and legal compliance purposes, subject to strict access controls and confidentiality obligations.

This architecture is different from "end-to-end encryption," in which data is encrypted on your device and cannot be accessed by the service provider. Evera does not currently offer end-to-end encryption.

5.4 Security Is a Shared Responsibility

While we implement strong security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials, using a strong and unique password, and logging out of the App when using shared devices. Please notify us immediately at support@everahealth.app if you suspect unauthorized access to your account.

SECTION 6: DATA RETENTION

6.1 Account Data

We retain your account information and health records for as long as your account is active. If you delete your account, we will delete your personal information from our active systems within [30] days of account deletion, subject to the exceptions described in Section 6.3.

6.2 Backup Retention

Following deletion of your account or specific health records, residual copies of your data may remain in our secure backup systems for up to [90] days, after which they will be permanently purged. During this period, backup data is not accessible for active use and is maintained solely for system recovery purposes. Upon expiration of the backup retention period, your data will be permanently and irreversibly deleted from all backup systems.

6.3 Retention Exceptions

We may retain certain information beyond the periods described above where:

• Retention is required by applicable law, regulation, or legal process

• Retention is necessary to resolve a dispute, enforce our Terms of Service, or establish, exercise, or defend a legal claim

• Retention is necessary to detect or investigate a security incident

Where we retain data under one of these exceptions, we will retain only the minimum information necessary for the applicable purpose and for no longer than necessary.

6.4 De-Identified Data

We may retain de-identified, aggregated data from which all identifiers have been removed such that it cannot reasonably be used to identify you indefinitely for product improvement and analytics purposes.

6.5 Downstream Deletion

When you request deletion of your account or personal information, we will direct our service providers and subprocessors including database, hosting, and AI processing providers to delete your personal information consistent with their contractual obligations to Evera and applicable law.

SECTION : YOUR PRIVACY RIGHTS

Depending on your state of residence, you may have the following rights with respect to your personal information and health data. We do not discriminate against users who exercise their privacy rights.

7.1 Rights Available to All Users

Right to Access: You may request a copy of the personal information we hold about you, including the categories of information collected, the purposes for which it is used, and the categories of third parties with whom it is shared.

Right to Delete: You may request that we delete your personal information. Upon a verified request, we will delete your information from our active systems and direct our service providers to do the same, subject to the exceptions described in Section 6.3. You may also delete your account directly through the App's Account Settings, which will initiate the deletion process automatically.

Right to Correct: You may request that we correct inaccurate personal information we hold about you. For account profile information (such as your name, email address, or date of birth), you may update your information directly within the App's Account Settings. For health records and uploaded documents, which are user-generated, you may delete and re-upload corrected documents or edit manually entered information directly within the App.

Right to Data Portability: You may request a portable copy of your personal information in a commonly used, machine-readable format. The App also allows you to export your health records as PDF files directly from within the App. For a comprehensive data export including structured account data, please submit a request as described in Section 7.5.

Right to Non-Discrimination: We will not deny you services, charge you different prices, or provide a different quality of service because you exercised a privacy right.

7.2 Additional Rights for California Residents (CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100–1798.199.100:

Right to Know (Expanded): You have the right to know the specific pieces of personal information we have collected about you, the categories of sources from which it was collected, and the business or commercial purpose for collection.

Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of your Sensitive Personal Information to the purposes for which it was collected. Specifically, to provide you with the App's health record storage, organization, and AI-assisted features. To exercise this right, you may use the "Limit the Use of My Sensitive Personal Information" option available in the App's Privacy Settings, or submit a request as described in Section 7.5. Please note that limiting our use of your Sensitive Personal Information may affect the availability of certain features, including AI-powered summarization and search.

Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. Accordingly, there is nothing to opt out of with respect to sale or sharing. If our practices change, we will update this Policy and provide you with opt-out rights as required by law.

7.3 Additional Rights for Washington Residents (My Health My Data Act)

If you are a Washington State resident, you have the following rights with respect to your consumer health data under Washington's My Health My Data Act, Wash. Rev. Code §§ 70.372.010–70.372.900:

Right to Confirm and Access: You have the right to confirm whether Evera collects, shares, or sells your consumer health data, and to access that data.

Right to Withdraw Consent: You have the right to withdraw your consent to Evera’s collection or sharing of your consumer health data at any time. Because the App’s core functionality depends on processing your consumer health data, withdrawal of consent will require deletion of your health data and may result in termination of your access to the App.

Right to Delete: You have the right to request deletion of your consumer health data collected or shared by Evera. We will honor verified deletion requests consistent with the process described in Section 7.5 and the retention exceptions described in Section 6.3.

Right to Be Free From Unlawful Discrimination: We will not discriminate against you for exercising your rights under the MHMDA.

7.4 Rights Available to Other State Residents

Residents of Connecticut, Nevada, Oregon, Texas, Montana, and other states with applicable consumer privacy laws may have rights similar to those described above, including rights to access, delete, correct, and port personal information, and to opt out of the sale of personal information. We will honor verified requests from residents of any state consistent with applicable law. Please contact us at support@everahealth.app to submit a request.

7.5 How to Submit a Privacy Rights Request

You may submit a privacy rights request by:

• Using the Privacy Settings or Data Rights section within the App

• Emailing us at support@everahealth.app with the subject line "Privacy Rights Request"

Verification: To protect your privacy and the security of your health information, we will verify your identity before processing your request. Verification will typically require you to authenticate your account through the App or to respond to a verification email sent to the address associated with your account. For requests involving Sensitive Personal Information, we may require additional verification steps.

Response Time: We will respond to verified requests within 45 days of receipt. If we require additional time due to the complexity or volume of requests, we will notify you within the initial 45-day period and may extend our response time by an additional 45 days, for a maximum total response period of 90 days. Cal. Civ. Code § 1798.145(b).

Authorized Agents: California residents may designate an authorized agent to submit privacy rights requests on their behalf. We may require proof of authorization and may verify your identity directly before processing a request submitted by an agent.

SECTION 8: CHILDREN AND MINOR PROFILES

8.1 Age Requirement

The App is intended solely for use by adults who are 18 years of age or older. Users under the age of 18 are not permitted to create accounts or use the App independently. During account registration, all users are required to affirmatively confirm that they are 18 years of age or older. We do not knowingly collect personal information directly from individuals under the age of 18.

8.2 Minor Health Profiles

Adult account holders may create health profiles for their minor children or dependents within their account. These minor profiles are managed exclusively by the adult account holder. Minor children do not have independent login credentials, do not interact with the App directly, and are not users of the App for purposes of the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. §§ 6501–6506.

By creating a minor health profile, the adult account holder represents and warrants that they are the minor's parent or legal guardian and have the authority to manage the minor's health information through the App.

8.3 Discovery of Underage Users

If we discover or receive credible notice that a user under the age of 18 has independently created an account without parental authorization, we will promptly terminate the account and delete all associated personal information. If you believe a minor has independently registered for the App, please contact us immediately at support@everahealth.app.

8.4 COPPA

Because minors do not independently register for or use the App, and because minor health profiles are managed solely by adult account holders, the App is not directed to children under 13 within the meaning of COPPA, and we do not knowingly collect personal information directly from children under 13. If you believe we have inadvertently collected personal information from a child under 13, please contact us at support@everahealth.app and we will promptly delete such information.

SECTION 9: DOCUMENT EXPORT AND EMAIL SHARING

9.1 Export Features

The App allows you to export your health records as PDF files and to share them via email with yourself or a healthcare provider of your choosing. These features are provided for your personal convenience and are initiated solely at your direction.

9.2 Important Security Warning - Email Export

Before initiating an email export, the App will display a notice informing you that email transmission is generally not encrypted end-to-end and that the security of exported health information in transit and at the recipient's email account is outside Evera's control. By proceeding with an email export, you acknowledge and accept responsibility for the security risks associated with email transmission of sensitive health information.

We strongly recommend that you:

• Export health records only to email addresses you control or to verified healthcare provider addresses

• Use secure email services where possible

• Be aware that exported health records may be stored, forwarded, or accessed by email service providers

9.3 Evera's Responsibility

Once health information has been exported from the App and transmitted via email, Evera is not responsible for the security, confidentiality, or use of that information by the recipient or any intermediate email service provider.

SECTION 10: SECURITY INCIDENTS AND BREACH NOTIFICATION

10.1 Our Commitment

We implement technical, administrative, and organizational security measures designed to protect your health information from unauthorized access, disclosure, alteration, or destruction, as described in Section 5. However, no security system is impenetrable, and we cannot guarantee that your information will never be accessed by an unauthorized party.

10.2 Breach Notification

In the event of a security breach affecting your personal health information, Evera will notify you in accordance with its obligations under the FTC Health Breach Notification Rule, 16 C.F.R. Part 318, and applicable state breach notification laws. Specifically:

• Individual Notice: We will notify affected users without unreasonable delay and within 60 calendar days of discovering the breach, by email to the address associated with your account or by prominent in-App notice.

• FTC Notice: For breaches affecting 500 or more individuals, we will notify the Federal Trade Commission within 10 business days of discovery. For smaller breaches, we will submit annual reports to the FTC as required.

• Media Notice: For breaches affecting 500 or more residents of a particular state or jurisdiction, we will provide notice to prominent media outlets serving that state or jurisdiction as required by applicable law.

10.3 Scope of Breach Notification Obligation

Under the FTC Health Breach Notification Rule as amended in 2023, a "breach of security" includes not only unauthorized acquisition of your health information but also unauthorized access to it. This means we take seriously any incident in which your health information may have been viewed or accessed by an unauthorized party, even if we have no evidence that it was copied or exfiltrated.

SECTION 11: MEDICAL ADVICE DISCLAIMER

Evera is not a healthcare provider, medical practice, or clinical service. The App is a personal health record organization tool only.

Nothing in the App including AI-generated summaries, document organization, search results, Preventative Care Tracker reminders, or any other App feature or output constitutes medical advice, a clinical assessment, a diagnosis, a treatment recommendation, or a substitute for professional medical care.

The Preventative Care Tracker provides general reminders based on age-based public health guidelines. These reminders are generated by static guideline mappings and do not reflect your individual health status, medical history, risk factors, or clinical circumstances. They are not personalized medical recommendations.

AI-generated content may contain errors, omissions, or inaccuracies. Do not make medical decisions based on AI outputs from the App.

Always consult a qualified and licensed healthcare provider for advice regarding your health, medical conditions, diagnoses, and treatment options. In a medical emergency, call 911 or your local emergency services immediately.

SECTION 12: THIRD-PARTY LINKS AND SERVICES

The App may contain links to third-party websites, services, or resources. This Privacy Policy does not apply to third-party services, and we are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services you access through the App.

SECTION 13: INTERNATIONAL USERS

The App is intended for use by residents of the United States. If you access the App from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence. By using the App from outside the United States, you consent to the transfer and processing of your information in the United States.

SECTION 14: CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or App features. If we make material changes to this Policy, we will notify you by:

• Sending a notice to the email address associated with your account, and/or

• Displaying a prominent notice within the App prior to the change becoming effective

The updated Policy will be effective as of the date indicated at the top of the Policy. Your continued use of the App after the effective date of a material change constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must discontinue use of the App and delete your account.

We encourage you to review this Policy periodically to stay informed about our data practices.

SECTION 15: CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Evera Health Privacy and Compliance support@everahealth.app.

For security incidents or suspected unauthorized access to your account, please contact us immediately at support@everahealth.app.

For privacy rights requests, please use the Privacy Settings section of the App or email us at support@everahealth.app with the subject line "Privacy Rights Request."