Privacy Policy

1. Overview and key principles

Sound City Ventures, LLC ("Sound City Ventures," "we," "our," or "us") operates the Veritell application and related services (collectively, the "Service"). This Privacy Policy explains how we handle information about you and your health when you use the Service, whether as an individual patient or as a caregiver or patient advocate managing someone else's information.

2. What this policy covers

This Privacy Policy applies to information we handle in connection with the Veritell application and any associated services we provide directly. It does not apply to:

• Your healthcare providers (hospitals, clinics, doctors), the MyChart portal, or any other patient portals, which have their own privacy policies and legal obligations;
• Third-party services that you access through links or integrations from the Service.

You should review the privacy policies of your Providers and any portals you connect to Veritell to understand how they handle your information.

3. Types of information we handle

Because Veritell is designed as a patient-hosted application with local storage, it is helpful to distinguish between:

• "Personal Data" – information that identifies or can reasonably be linked to you as an individual (such as your name or email address); and
• "Health Data" – information about your physical or mental health, medical history, test results, diagnoses, or care, including data that may be considered Protected Health Information ("PHI") under U.S. law.

3.1 Account and contact information

• Name
• Email address
• Account identifiers or subscription status
• Basic settings and preferences

3.2 Billing and transaction information

If you purchase a subscription or other paid features, our payment processors may collect billing-related information such as:

• Billing name and contact details
• Payment method details (e.g., card type, last 4 digits)
• Transaction dates and amounts

Payment details are typically handled directly by our third-party payment providers; we do not store full payment card numbers on our own systems.

3.3 Device, diagnostics, and usage information

To keep the Service secure and reliable, we may collect limited technical information, such as:

• Device type, operating system, and app version
• Logs or error reports (for example, when a sync or summary fails)
• Basic usage metrics (such as feature usage, performance, or frequency of sync events)

Where practicable, we aim to configure diagnostics so that they do not include raw Health Data or other unnecessary personal details.

3.4 Health Data stored on your device

When you connect Veritell to your MyChart or other patient portal, the application can store and process Health Data such as:

• Lab and test results and associated details
• Clinical notes and visit summaries
• Diagnostic codes, medications, and care plans
• AI-generated summaries, explanations, and "master overviews" derived from your records

Consistent with how we have designed the Service, this Health Data is intended to be stored in an encrypted data store on your device and accessed locally by the app.

By default and where technically feasible, we design the Service so that this Health Data remains on your device and is not transmitted to our servers without your explicit choice to use an online feature that requires it.

4. How we use your information

We use the information described above for the following purposes:

• Providing and maintaining the Service – to run the application, facilitate sync with your portals, generate AI-based summaries, manage your subscription, and keep your local data usable.
• Communicating with you – to send service-related messages such as onboarding guidance, feature updates, or subscription notices.
• Security and reliability – to detect, investigate, and prevent fraudulent or malicious activity and to maintain the integrity of the Service.
• Improving the Service – to understand how features perform, troubleshoot issues, and inform product improvements, generally using aggregated, de-identified, or non-Health Data where possible.
• Legal and compliance – to comply with applicable legal obligations, enforce our Terms of Use, and protect our rights and the safety of users.

For U.S. users, these purposes align with common concepts such as providing the service you request, ensuring security, and meeting legal obligations.

5. Local-first design and when data may leave your device

5.1 Local storage by default

Veritell is designed so that your Health Data and associated AI summaries are stored in an encrypted data store on your device, with encryption keys managed via your operating system's keychain or similar secure mechanism where available. This local-first design is intended to minimize how often your sensitive Health Data needs to leave your device.

5.2 Optional cloud-based features

Certain optional features may rely on secure cloud services, such as:

• Cloud-hosted AI models that process Health Data to generate summaries;
• Encrypted cloud backup or sync of your locally stored data;
• Optional telemetry or diagnostics that you choose to share with us for support.

Where such features involve Health Data or PHI, we intend to use appropriately scoped safeguards (such as using HIPAA-eligible infrastructure under Business Associate Agreements, where applicable) and to clearly explain, within the feature or settings, what data is involved and how it is protected.

You will have the choice whether to enable these cloud-related features, and you can generally continue using the core local functionality without them.

6. How we share information

We do not sell your Personal Data, and we do not share your Personal Data with third parties for their own advertising or marketing purposes.

We may share information as described below, in each case limited to what is reasonably necessary:

• Service providers – with companies that help us operate the Service, such as payment processors, cloud infrastructure providers, or analytics tools. These providers are required to use the information only to perform services for us and not for their own unrelated purposes.
• Providers that may process Health Data – if and when we use cloud-based AI or backup services that process Health Data, we aim to do so under contractual safeguards (such as HIPAA-aligned Business Associate Agreements where appropriate) that restrict their use of that information.
• With your direction or consent – for example, when you choose to export summaries, share data with a caregiver, or send us logs for troubleshooting.
• Legal and safety – to comply with law, regulation, legal process, or governmental request; to protect our rights or the rights, property, or safety of our users or others; or to detect, prevent, or address fraud, security, or technical issues.
• Business transfers – in connection with a merger, acquisition, financing, reorganization, or sale of all or a portion of our business, subject to appropriate confidentiality and data protection commitments.

If we are ever involved in a transaction that materially changes how your information is handled, we will provide notice and any choices you may have.

7. Data retention

We retain different categories of information for different periods, depending on the purpose for which it was collected, legal requirements, and technical constraints:

• Account and subscription records – kept while your account or subscription is active and for a reasonable period afterward (for example, to respond to questions, maintain records for financial or audit purposes, or comply with legal obligations).
• Logs and diagnostics – kept for shorter periods needed to troubleshoot and improve the Service, unless longer retention is required for security, legal, or audit reasons.
• Health Data on your device – stored locally as long as you keep it there. You can delete this data by using in-app options (where available), deleting the app's data directory, or uninstalling the application from your device.

Where feasible, we may also de-identify or aggregate data so that it is no longer reasonably linked to an individual and may retain it for longer periods for analytics or product improvement.

8. Your rights and choices

Depending on where you live, you may have certain rights regarding your Personal Data. Regardless of location, we aim to offer clear choices where practicable.

• Access and update – you can review and update basic account information (such as your email address) through the app or by contacting us.
• Local data control – you control the Health Data stored on your device. You can remove Health Data by clearing data within the app (where supported) or uninstalling the application.
• Deletion of server-side data – you may request deletion of certain Personal Data we hold on our servers, subject to legal or operational requirements (for example, we may retain records necessary for accounting or legal compliance).
• Marketing communications – if we send non-essential marketing emails, you can opt-out using the unsubscribe link in those emails or by contacting us.

8.1 California privacy disclosures

If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (CCPA/CPRA) or similar state privacy laws, including:

• The right to request that we disclose what categories of Personal Data we collect, use, and disclose;
• The right to request deletion of certain Personal Data we hold about you, subject to exceptions;
• The right to correct inaccurate Personal Data we hold about you;
• The right not to be discriminated against for exercising these rights.

We do not sell your Personal Data or share it for cross-context behavioral advertising as those terms are used in the CCPA/CPRA.

To exercise California privacy rights, you may contact us using the contact details at the end of this Policy and indicate that you are a California resident making a privacy request. We may need to verify your identity before responding.

9. Children's privacy

The Service is intended for use by adults. We do not knowingly collect Personal Data directly from children under the age of 13. If you are a parent, guardian, or other legally authorized representative using Veritell to help manage a minor's health information, you are responsible for ensuring you have the legal authority to do so and for supervising the use of the Service.

If we learn that we have collected Personal Data directly from a child under 13 without appropriate consent, we will take reasonable steps to delete that information.

10. Data security

We take reasonable and appropriate measures to help protect your information, including using encryption for local Health Data storage and leveraging operating-system-level key management where available. However, no method of transmission or storage is completely secure.

You play an important role in keeping your data safe. This includes:

• Using strong device passwords or passcodes;
• Keeping your operating system and app up to date with security patches;
• Limiting who has physical or remote access to your devices;
• Being cautious before sharing screenshots, exports, or other outputs that may contain Health Data.

While we strive to protect your information, we cannot guarantee absolute security.

11. International users

The Service is primarily designed for users in the United States. If you choose to use the Service from other jurisdictions, you understand that your information may be processed in the United States and other locations where we or our service providers operate, which may have different data protection laws than those in your home country.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. For material changes, we will use reasonable efforts to notify you, such as by displaying a notice in the app or on our website.

Your continued use of the Service after any changes take effect means that you accept the updated Privacy Policy. If you do not agree, you should stop using the Service and may uninstall the application.

13. Contact us

If you have any questions about this Privacy Policy or our privacy practices, or if you wish to exercise your privacy rights, please contact Sound City Ventures, LLC at veritell-help@soundcityventures.com .