Privacy Policy

Introduction

This Privacy Policy explains how personal and health information may be collected, used, and disclosed by SpicyRx and the affiliated medical groups that provide care through the SpicyRx telehealth platform. This policy applies to the SpicyRx website, mobile applications, and all related services (collectively, the "Services").

The Notice of Privacy Practices describes how protected health information may be used and disclosed and how you can access this information.

Who We Are

SpicyRx and its subsidiaries own and operate the Services. The platform connects patients with healthcare providers for telehealth consultations, prescription services, and related healthcare solutions.

HIPAA Compliance Statement

SpicyRx is committed to protecting the privacy and security of health information. While SpicyRx may not itself be a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the affiliated medical groups and healthcare providers that deliver care through the Services are "covered entities."

SpicyRx may function as a "business associate" to these covered entities in certain contexts. As such, SpicyRx adheres to applicable HIPAA regulations and state privacy laws to protect health information.

Information We Collect

Several types of information are collected from users of the Services:

1. Personal Information. Information that can identify you, such as name, email address, postal address, telephone number, date of birth, payment information, and government-issued identification.
2. Protected Health Information (PHI). Health information created or received by a healthcare provider, health plan, or healthcare clearinghouse that relates to past, present, or future physical or mental health or condition, healthcare provision, or payment for healthcare services.
3. Usage Information. Information about your interaction with the Services, including browser type, IP address, pages visited, time spent on pages, links clicked, and conversion information.

How We Use Your Information

For Treatment

Health information may be used and disclosed to provide, coordinate, or manage healthcare and related services. This includes sharing information with physicians, specialists, pharmacies, and other healthcare providers involved in your care.

For Payment

Information may be used and disclosed to bill and receive payment for services provided. This may include disclosures to health insurers or other entities responsible for billing and collection.

For Healthcare Operations

Information may be used and disclosed for operational activities such as quality assessment, performance evaluation, training, and business management.

Other Permitted Uses

• Appointment reminders and follow-up communications
• Health-related benefits and services
• Research (with proper authorization)
• Legal requirements and public health activities
• To prevent a serious threat to health or safety
• For specialized government functions
• Workers' compensation cases
• Business associates who perform functions on behalf of SpicyRx

Your Health Information Rights

Under HIPAA and applicable state laws, you have the following rights regarding protected health information:

• Right to access and receive a copy of your records. You have the right to inspect and obtain a copy of healthcare records maintained by SpicyRx, with limited exceptions. A written request must be submitted to the Privacy Officer. A reasonable, cost-based fee may be charged for copies.
• Right to request an amendment. If you believe information in your records is incorrect or incomplete, you have the right to request an amendment. Your request must be in writing and include a reason supporting the amendment.
• Right to an accounting of disclosures. You have the right to request a list of certain disclosures made of your health information during the six years prior to your request.
• Right to request restrictions. You have the right to request restrictions on certain uses and disclosures of your health information. SpicyRx is not required to agree to all restriction requests but must comply with requests to restrict disclosure to a health plan for payment or healthcare operations purposes when you have paid in full out-of-pocket for the item or service.
• Right to request confidential communications. You have the right to request that SpicyRx communicate with you about medical matters in a certain way or at a certain location (e.g., only by mail or at a specific address).
• Right to a paper copy of this notice. You have the right to receive a paper copy of this Notice of Privacy Practices upon request.
• Right to notification of a breach. You have the right to be notified if unsecured protected health information has been accessed, acquired, used, or disclosed in a manner not permitted under HIPAA that compromises the security or privacy of your PHI.
• Right to file a complaint. If you believe your privacy rights have been violated, you may file a complaint with the SpicyRx Privacy Officer or with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be penalized or retaliated against for filing a complaint.

Exercising Your Rights

To exercise any of the rights described above, submit your request through the contact form on the SpicyRx website. The Privacy Officer will review and respond to your request.

State-Specific Privacy Rights

In addition to HIPAA rights, certain state residents may have additional privacy rights under state law:

California Residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have additional rights, including:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information
• Right to opt-out of the sale of personal information
• Right to non-discrimination for exercising these rights
• Right to correct inaccurate personal information
• Right to limit use and disclosure of sensitive personal information

Other States

Residents of Virginia, Colorado, Connecticut, and Utah may have similar rights under their respective state privacy laws. Contact the Privacy Officer for specific details.

Information Security

SpicyRx maintains physical, technical, and administrative safeguards to protect your information, including:

• Encryption of electronic protected health information
• Secure user authentication protocols
• Access control measures
• Regular security assessments
• Staff training on privacy and security practices
• Business Associate Agreements with third parties who access PHI

Changes to This Privacy Policy

This Privacy Policy may be updated periodically to reflect changes in practices or legal requirements. The revised policy will be posted on the Services with the effective date, and significant changes will be communicated as required by law.

Complaints

If you believe your privacy rights have been violated, you may file a complaint by:

1. Submitting the contact form on the website and selecting "Privacy Complaint."
2. Filing a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at:
   • hhs.gov/ocr/privacy/hipaa/complaints
   • 1-877-696-6775

SpicyRx will not retaliate against you for filing a complaint.

Contact Information

If you have questions about this Privacy Policy or our privacy practices, contact the SpicyRx Privacy Officer by emailing support@spicyrx.com with the subject line "Privacy Policy Question."

Effective date: May 27, 2026