Privacy Policy
Last Updated: March 18, 2026
1. Overview and key principles
Sound City Ventures, LLC ("Sound City Ventures," "we," "our," or "us") operates the Veritell application (which may also be known as "Veritell Care") and related services (collectively, the "Service"). This Privacy Policy explains how we handle information about you and your health when you use the Service, whether as an individual patient or as a caregiver or patient advocate managing someone else's information. References to "Veritell" in this Privacy Policy include Veritell Care and any successor names under which the Service is offered.
2. What this policy covers
This Privacy Policy applies to information we handle in connection with the Veritell application and any associated services we provide directly. It does not apply to:
- Your healthcare providers (hospitals, clinics, doctors), the MyChart portal, or any other patient portals, which have their own privacy policies and legal obligations;
- Third-party services that you access through links or integrations from the Service.
You should review the privacy policies of your Providers and any portals you connect to Veritell to understand how they handle your information.
3. Types of information we handle
Because Veritell is designed as a patient-hosted application with local storage, it is helpful to distinguish between:
- "Personal Data" – information that identifies or can reasonably be linked to you as an individual (such as your name or email address); and
- "Health Data" – information about your physical or mental health, medical history, test results, diagnoses, or care, including data that may be considered Protected Health Information ("PHI") under U.S. law.
3.1 Account and contact information
- Name
- Email address
- Account identifiers or subscription status
- Basic settings and preferences
3.2 Billing and transaction information
If you purchase a subscription or other paid features, our payment processors (for example, Apple) may collect billing-related information such as:
- Billing name and contact details
- Payment method details (e.g., card type, last 4 digits)
- Transaction dates and amounts
Payment details are typically handled directly by our third-party payment providers; we do not store full payment card numbers on our own systems.
3.3 Device, diagnostics, and usage information
To keep the Service secure and reliable, we may collect limited technical information, such as:
- Device type, operating system, and app version
- Logs or error reports (for example, when a sync or summary fails)
- Basic usage metrics (such as feature usage, performance, or frequency of sync events)
Where practicable, we configure diagnostics so that they do not include raw Health Data or other unnecessary personal details.
3.4 Health Data stored on your device
When you connect Veritell to your MyChart or other patient portal, the application can store and process Health Data such as:
- Lab and test results and associated details
- Clinical notes and visit summaries
- Diagnostic codes, medications, and care plans
- AI-generated summaries, explanations, and "master overviews" derived from your records
Consistent with how we have designed the Service, this Health Data is intended to be stored in an encrypted data store on your device and accessed locally by the app.
By default and where technically feasible, we design the Service so that this Health Data remains on your device. Certain features of the Service, such as AI-generated summaries, require your Health Data to be transmitted to our servers and third-party AI providers for processing, as described in Section 5.
3.5 Cookies, analytics, and tracking technologies
Our website and Service may use cookies, local storage, and similar technologies for essential purposes such as authentication, session management, and security. We may also use privacy-respecting analytics tools to understand aggregate usage patterns (such as which features are used most frequently).
Within the Veritell application, we do not use third-party advertising cookies, cross-site tracking pixels, or behavioral advertising technologies. We do not permit third parties to collect your browsing or usage data through the application for advertising purposes. We do not use analytics tools that process Health Data. Our marketing website and other promotional channels may use standard advertising and analytics technologies, but these do not have access to your Health Data or application usage data.
4. How we use your information
We use the information described above for the following purposes:
- Providing and maintaining the Service – to run the application, facilitate sync with your portals, generate AI-based summaries, manage your subscription, and keep your local data usable.
- Communicating with you – to send service-related messages such as onboarding guidance, feature updates, or subscription notices.
- Security and reliability – to detect, investigate, and prevent fraudulent or malicious activity and to maintain the integrity of the Service.
- Improving the Service – to understand how features perform, troubleshoot issues, and inform product improvements, using aggregated, de-identified, or non-Health Data.
- Data minimization in AI processing – when Health Data is transmitted to a cloud-hosted AI model for processing, we apply data-minimization principles and transmit only the specific data elements reasonably necessary to generate the requested output. Where technically feasible, we strip or redact direct personal identifiers (such as your name) before transmitting Health Data to AI providers.
- Legal and compliance – to comply with applicable legal obligations, enforce our Terms of Use, and protect our rights and the safety of users.
5. Local-first design and when data may leave your device
5.1 Local storage by default
Veritell is designed so that your Health Data and associated AI summaries are stored in an encrypted data store on your device, with encryption keys managed via your operating system's keychain or similar secure mechanism where available. This local-first design is intended to minimize how often your sensitive Health Data needs to leave your device.
5.2 Cloud-based features
Certain features of the Service rely on secure cloud services, including:
- Cloud-hosted AI models that process Health Data to generate summaries;
- Telemetry or diagnostics that you choose to share with us for support.
Where such features involve Health Data or PHI, we apply safeguards appropriate to the sensitivity and legal status of the data involved. If we process PHI in a context where HIPAA requires Business Associate Agreements, we use HIPAA-eligible infrastructure and enter the required agreements with relevant service providers. In consumer-directed workflows that are not subject to HIPAA BAA requirements, we use contractual privacy and security controls appropriate to Health Data.
When you use a feature that requires secure cloud processing, you direct us to transmit the Health Data involved in that feature request to our cloud infrastructure and trusted service providers as described in Section 5.3.
5.3 AI processing of Health Data
When you use features that involve AI-generated summaries, explanations, or analysis of your health records, the following applies:
What data is sent for AI processing. When you request an AI-generated summary or explanation, Health Data included in that summary request is transmitted from your device to our cloud infrastructure for processing.
Trusted service providers and model provider relationship. Veritell Care currently uses Anthropic's Claude model through Amazon Bedrock. Your Health Data is not shared with Anthropic.
No use for model training. Your Health Data is not used to train, fine-tune, or improve any AI model — whether operated by us or by our third-party providers.
Logging and monitoring. We may log metadata about AI processing requests (such as request timestamps, feature used, and error codes) for service reliability and troubleshooting. These logs do not contain your Health Data.
5.4 Consent for AI processing of Health Data
AI processing of Health Data is a core part of the Service. By connecting your patient portal and using the Service, you direct us to transmit and process your Health Data using cloud-hosted AI models as described in this Privacy Policy. This Privacy Policy, together with any in-app disclosures presented during setup, constitutes our notice to you regarding: (a) what Health Data will be sent, (b) the purpose of the transmission (e.g., generating a plain-language summary), and (c) how the data will be handled during and after processing.
If you are a Washington consumer, or where otherwise required by applicable law, we will request any legally required consent for collection and sharing of consumer health data through clear in-app prompts. Where applicable law requires separate consent for sharing consumer health data, we will request that separate consent before sharing occurs.
If you do not wish to have your Health Data processed by AI models, you should not connect your patient portal to the Service. You may discontinue use of the Service at any time and disconnect your app from any given health system. Deleting the app will delete the local copy of your data.
6. How we share information
We do not sell your Personal Data, and we do not share Personal Data from the Veritell application with third parties for their own advertising or marketing purposes. Our website and promotional channels may use separate advertising and analytics technologies as described in Sections 3.5 and 9.1.
We may share information as described below, in each case limited to what is reasonably necessary:
- Service providers – with companies that help us operate the Service, such as payment processors (for example, Apple), cloud infrastructure providers, or analytics tools. These providers are required to use the information only to perform services for us and not for their own unrelated purposes.
- Providers that process Health Data – when we use cloud-based AI or backup services that process Health Data, we do so under contractual safeguards (such as Business Associate Agreements where required and data processing agreements with security obligations in other contexts) that restrict their use of that information. See Section 5.3 for details about AI processing.
- With your direction or consent – for example, when you choose to export summaries, share data with a caregiver, or send us logs for troubleshooting.
- Legal and safety – to comply with law, regulation, legal process, or governmental request; to protect our rights or the rights, property, or safety of our users or others; or to detect, prevent, or address fraud, security, or technical issues.
- Business transfers – in connection with a merger, acquisition, financing, reorganization, or sale of all or a portion of our business, subject to appropriate confidentiality and data protection commitments. Because Health Data is stored locally on your device and is not retained in our cloud systems, it would not be included in such a transfer. Only account and usage data held by us would be affected.
If we were ever involved in a transaction that materially changes how your information is handled, we will provide notice and any choices you may have using the contact information you have provided us, if any.
6.1 Sub-processors
We use the following categories of third-party service providers (sub-processors) that may process your personal information or Health Data on our behalf:
- Cloud infrastructure providers – for encrypted storage, compute services, and AI model hosting
- Payment processors – for subscription billing (these providers do not receive Health Data)
- Analytics providers – for aggregated, de-identified usage analytics
- Customer support tools – for responding to your inquiries
Any sub-processor that handles Health Data is subject to contractual protections requiring it to safeguard that data, use it only for permitted purposes, report relevant security incidents, and return or destroy data when the relationship ends. Where required by HIPAA and applicable contractual relationships, these protections include a Business Associate Agreement.
7. HIPAA and health privacy
Veritell is a consumer health technology application. Sound City Ventures, LLC is not a healthcare provider, health plan, or healthcare clearinghouse, and is generally not a "covered entity" under the Health Insurance Portability and Accountability Act ("HIPAA"). When you choose to import your health records into Veritell, you are directing us to process that information on your behalf as a consumer technology service.
However, we recognize that the information you entrust to us may include data that qualifies as Protected Health Information under HIPAA or sensitive health data under other applicable laws. We therefore apply the following safeguards regardless of our formal HIPAA classification:
- Where we act as a HIPAA business associate, we maintain Business Associate Agreements with required service providers that process, store, or transmit PHI on our behalf. In consumer-directed contexts where HIPAA BAAs are not required, we use contractual privacy and security protections appropriate for Health Data.
- We implement administrative, technical, and physical safeguards consistent with the HIPAA Security Rule standards, including encryption of Health Data in transit and at rest.
- We limit the use and disclosure of Health Data to the minimum necessary for the purposes described in this Privacy Policy.
- We do not use or disclose Health Data for marketing, advertising, or any purpose unrelated to providing and improving the Service without your explicit consent.
If you received access to Veritell through a healthcare provider or health plan, that entity may have a separate Business Associate Agreement with us governing the use and protection of your PHI under HIPAA.
8. Data retention
We retain different categories of information for different periods, depending on the purpose for which it was collected, legal requirements, and technical constraints:
In plain terms: account and billing records are kept while your account is active and for a reasonable period after; technical logs are kept for shorter troubleshooting and security periods; your Health Data generally remains on your device; and temporary server-side copies used for AI processing are deleted automatically as described below.
- Account and subscription records – kept while your account or subscription is active and for a reasonable period afterward (for example, to respond to questions, maintain records for financial or audit purposes, or comply with legal obligations).
- Logs and diagnostics – kept for shorter periods needed to troubleshoot and improve the Service, unless longer retention is required for security, legal, or audit reasons.
- Health Data on your device – stored locally as long as you keep it there. You can delete this data through the app, or by uninstalling the application from your device.
- Health Data temporarily stored on our servers – when you use cloud-based AI features, Health Data involved in that request may be temporarily stored on our servers during processing. All such data is encrypted at rest and is automatically deleted after processing completes. As a failsafe, any data that is not successfully deleted after processing is automatically purged within 24 hours.
9. Your rights and choices
Depending on where you live, you may have certain rights regarding your Personal Data. Regardless of location, we aim to offer clear choices where practicable.
- Access and update – you can review and update basic account information through the app or by contacting us.
- Local data control – you control the Health Data stored on your device. You can remove Health Data by clearing data within the app (where supported) or uninstalling the application.
- Deletion of server-side data – you may request deletion of certain Personal Data we hold on our servers, subject to legal or operational requirements (for example, we may retain non-medical records necessary for accounting or legal compliance).
- Marketing communications – if we send non-essential marketing emails, you can opt out using the unsubscribe link in those emails or by contacting us.
9.1 California privacy disclosures
If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (CCPA/CPRA) or similar state privacy laws, including:
- The right to request that we disclose what categories of Personal Data we collect, use, and disclose;
- The right to request deletion of certain Personal Data we hold about you, subject to exceptions;
- The right to correct inaccurate Personal Data we hold about you;
- The right not to be discriminated against for exercising these rights.
We do not sell your Personal Data, and we do not share Health Data for cross-context behavioral advertising. As noted in Section 3.5, our marketing website and promotional channels may use advertising and analytics technologies that are separate from the Veritell application and do not have access to Health Data. To the extent those technologies constitute "sharing" under the CCPA/CPRA, we will honor applicable opt-out rights.
To exercise California privacy rights, you may contact us using the contact details at the end of this Policy and indicate that you are a California resident making a privacy request. We may need to verify your identity before responding.
To help us process your request faster, please include: (1) the email address associated with your account, (2) your state of residence, and (3) the type of request (access, deletion, correction, or opt-out). We may ask for additional information to verify your identity before we complete the request.
9.2 Washington state – My Health My Data Act
Sound City Ventures is based in Washington state. If you are a Washington consumer, the Washington My Health My Data Act ("MHMDA") provides you with specific rights regarding your consumer health data, including Health Data processed by the Service.
- Consent. For collection and sharing activities that require consent under the MHMDA, we request consent through clear disclosures and in-app prompts that describe the categories of consumer health data involved, the purpose of the processing, and the categories of recipients. Where required, we request separate consent for sharing.
- Right to withdraw consent. You may withdraw your consent to the collection or sharing of your consumer health data at any time by discontinuing use of the Service, disconnecting portal integrations, deleting the app, or contacting us using the details below. Withdrawal of consent will not affect the lawfulness of processing performed before withdrawal where permitted by law.
- Right to know. You have the right to request confirmation of whether we are collecting, sharing, or selling your consumer health data, and to request a list of all third parties and affiliates with whom we have shared your consumer health data during the prior 12 months.
- Right to delete. Because your consumer health data is stored locally on your device, you can delete it by deleting data in-app (where available) or deleting the app. You may also request deletion of consumer health data we maintain on our systems. If we cannot delete certain data right away, we will tell you why. This can happen only in limited cases where the law requires temporary retention (for example, for security investigations, fraud prevention, or compliance with court/legal obligations), and we will delete it once that legal requirement ends.
- No sale of health data. We do not sell consumer health data as defined under the MHMDA.
- No geofencing. We do not use geofencing technology around healthcare facilities to collect, process, or share consumer health data.
To exercise your rights under the MHMDA, contact us at help@veritellcare.com.
9.3 Washington appeals process
If we decline to act on your request under the MHMDA, you may appeal our decision by replying to our response email or contacting us at help@veritellcare.com with the subject line "MHMDA Appeal" within thirty (30) days of our decision. We will review and respond to your appeal within forty-five (45) days, unless a lawful extension applies.
If your appeal is denied, or if you have concerns about the outcome, you may contact the Washington State Attorney General through its consumer complaint process.
9.4 Other state privacy laws
Residents of Connecticut, Colorado, Virginia, Oregon, Texas, Montana, and other states with comprehensive privacy laws may have additional rights regarding their personal data, including health data. These rights may include the right to access, correct, delete, and port your data, and the right to opt out of certain processing activities. To exercise any state-specific privacy rights, please contact us at help@veritellcare.com. We will respond to verified requests within the timeframes required by applicable law.
10. Children's privacy
The Service is intended for use by adults. We do not knowingly collect Personal Data directly from children under the age of 13. If you are a parent, guardian, or other legally authorized representative using Veritell to help manage a minor's health information, you are responsible for ensuring you have the legal authority to do so and for supervising the use of the Service.
If we learn that we have collected Personal Data directly from a child under 13 without appropriate consent, we will take reasonable steps to delete that information.
11. Data security
We take reasonable and appropriate measures to help protect your information, including using encryption for local Health Data storage and leveraging operating-system-level key management where available. However, no method of transmission or storage is completely secure.
You play an important role in keeping your data safe. This includes:
- Using strong device passwords or passcodes;
- Keeping your operating system and app up to date with security patches;
- Limiting who has physical or remote access to your devices;
- Being cautious before sharing screenshots, exports, or other outputs that may contain Health Data.
While we strive to protect your information, we expressly disclaim any representation or warranty, express or implied, that your data will be completely secure from unauthorized access, breach, or disclosure. You acknowledge that you provide your health information and other personal data at your own risk. Our general liability terms are set forth in our Terms of Use.
11.1 Breach notification
In the event of a security incident that results in unauthorized access to, or disclosure of, your personal data or Health Data, we will notify affected individuals and applicable regulatory authorities as required by law. Where legally required, we will provide notification without unreasonable delay and no later than the timeframes mandated by applicable federal and state laws.
Our breach notification will include, to the extent known at the time of notification: a description of the incident, the types of information involved, the steps we are taking in response, steps you can take to protect yourself, and contact information for further questions.
Where permitted by law, we generally provide breach notifications by email to the address on file and/or by in-app notice. Please keep your contact information current so we can reach you.
We will also notify applicable regulatory authorities, including the Federal Trade Commission, state attorneys general, and the U.S. Department of Health and Human Services, as required by applicable law. Where applicable, we will comply with the FTC Health Breach Notification Rule (16 CFR Part 318) and the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
12. Geographic scope
The Service is intended solely for use by individuals located in the United States. We do not offer, direct, or market the Service to users outside the United States. If you access the Service from outside the United States, you do so at your own risk and are solely responsible for compliance with any applicable local laws. We make no representation that the Service is appropriate, available, or compliant with laws in any jurisdiction other than the United States.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. For material changes, we will use reasonable efforts to notify you, such as by displaying a notice in the app or on our website.
Your continued use of the Service after any changes take effect means that you accept the updated Privacy Policy. If you do not agree, you should stop using the Service and may uninstall the application.
14. Contact us
If you have any questions about this Privacy Policy or our privacy practices, or if you wish to exercise your privacy rights, please contact Sound City Ventures, LLC at help@veritellcare.com.