Privacy Policy

Arboretum Privacy Policy

Last Updated: 05/04/2026

Arboretum LifeSciences, Inc. (“Arboretum,” “we,” “our,” and/or “us”) values the privacy of individuals who use our websites, research platforms and related services (collectively, our “Services”), including the Research Participant Platform and the Research Analysis Environment, each as further described in the Terms of Service. This Privacy Policy explains how we collect, use, and disclose information from users of our Services.

If you create an account with the Services, you are an “Individual User.” If you opt into one or more research studies (“Research Studies”), you are a “Research Participant.” Research study coordinators and healthcare providers who access the Services are “Research Affiliates.” By using our Services, you acknowledge the collection, use, disclosure, and procedures this Privacy Policy describes. Beyond the Privacy Policy, your use of our Services is also subject to our Terms of Service, and informed consents as applicable.

Research Participant data collected and processed through our Services is governed by research protocols approved by an Institutional Review Board (IRB) and conducted in accordance with the Federal Policy for the Protection of Human Subjects (the “Common Rule,” 45 C.F.R. Part 46). Research Participants provide informed consent prior to data collection. Nothing in this Privacy Policy limits the rights afforded to Research Participants under their informed consent.

Scope of Notice

Data protection laws sometimes differentiate between “controllers” and “processors” of personal data. A “controller” determines the purposes and means (the why and how) of processing personal data. A “processor,” which is sometimes referred to as a “service provider,” or, under the Health Insurance Portability and Accountability Act (“HIPAA”), a “business associate,” processes personal data on behalf of a controller subject to the controller’s instructions. This Privacy Policy does not cover or address how our customers may process personal data when they use our Services, or how we may process personal data on their behalf in accordance with their instructions where we are acting as their processor (or business associate under HIPAA). As a result, we recommend referring to the privacy notice (or HIPAA Notice of Privacy Practices) of our customer with whom you have a relationship for information on how they engage processors, like us, to process personal data on their behalf.

This Privacy Policy describes our privacy practices where we are acting as the controller of personal data.

Information We Collect

We may collect a variety of information from or about you or your devices from various sources, as described below.

A. Information You Provide to Us.

User Registration Data. When you sign up for an Individual User account, we collect your name, email address, and/or phone number. You may also provide additional information such as your date of birth, address, gender, demographic information, which may include health-related information collected for the purpose of determining your eligibility for a Research Study (collectively, “User Registration Data,” as defined in the Terms of Service). Your User Registration Data cannot be viewed by other Individual Users.

When you set up an Individual User account with Arboretum, you are creating a relationship with Arboretum that enables you to access and utilize the Services, regardless of whether you become a Research Participant. As an Individual User, we will send you information about research studies, clinical trials, and research opportunities as part of our Services.

Research Affiliate accounts will be provisioned by Arboretum. In order to provision those accounts we collect your name, email address, and/or phone number.

Your Research Data. If you enroll in a Research Study, we collect information as described in the applicable research consent (also referred to as informed consent) and HIPAA authorization, including survey responses, participant-reported outcomes, medical records shared pursuant to a HIPAA authorization, genetic information, and biospecimen-derived data (collectively, “Your Research Data,” as defined in the Terms of Service). Your Research Data may be shared with your healthcare providers or Research Affiliates in accordance with the study’s informed consent.

Biospecimen Information. As a Research Participant, you may be invited to provide a biospecimen for testing as described in the relevant consent documentation. We collect this information to facilitate research; we do not share it in response to general third-party inquiries (e.g., requests from your employer or insurance provider). Please see “How We Disclose the Information We Collect” for more information about our information disclosure practices.

Communications. If you contact us directly, we may receive additional information about you, such as your name, email address, phone number, the contents of messages or attachments that you may send to us, and other information you choose to provide. When you communicate with us online, third-party vendors may receive and store these communications on our behalf. When we send you emails, we may use embedded pixels or other technologies to track information about your receipt and interaction with our emails, such as whether and when you open them, whether you access any links included in our emails, how long you read our emails, whether you forward our emails and to whom, and your Device Information (described below), to learn how to deliver a better experience and improve our Services.

Event Information. If you register to attend one of our events such as a webinar or attend a conference where we are in attendance, we may collect contact information such as your name, position, organization name, email address, and other information that you choose to provide.

B. Information We Collect When You Use Our Services.

Consents. As a Research Participant, when you complete a consent form via our Services, we receive the information that you have included in the consent form.

Information from Third Parties. We, and our third-party partners, automatically collect information you provide to us and information about how you access and use our Services when you engage with us. We typically collect this information through the use of a variety of our own and our third-party partners’ automatic data collection technologies, including (i) cookies or small data files that are stored on an individual’s computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies and logging technologies. Information we collect automatically about you may be combined with other personal information we collect directly from you or receive from other sources.

We, and our third-party partners, use automatic data collection technologies to automatically collect the following data when you use our Services or otherwise engage with us:

• Information About Your Device and Network, including the device type, manufacturer, and model, operating system, IP address, browser type, Internet service provider, and unique identifiers associated with you, your device, or your network (including, for example, a persistent device identifier or advertising ID). We employ third- party technologies designed to allow us to recognize when two or more devices are likely being used by the same individual and may leverage these technologies (where permitted) to link information collected from different devices.

• Information About the Way Individuals Use Our Services and Interact With Us, including the site from which you came, the site to which you are going when you leave our Services, how frequently you access our Services, whether you open emails or click the links contained in emails, whether you access our Services from multiple devices, and other browsing behavior and actions you take on our Services (such as the pages you visit, the content you view, videos you watch, the communications you have through our Services, and the content, links and ads you interact with). We employ third-party technologies designed to allow us to collect detailed information about browsing behavior and actions that you take on our Services, which may record your mouse movements, scrolling, clicks, and keystroke activity on our Services and other browsing, search or purchasing behavior. These third-party technologies may also record information you enter when you interact with our Services, or engage in chat features or other communication platforms we provide.

‍ • Information About Your Location, including general geographic location that we or our third-party providers may derive from your IP address.

‍

All of the information collected automatically through these tools allows us to improve your customer experience. For example, we may use this information to enhance and personalize your user experience, to monitor and improve our Services, and to improve the effectiveness of our Services, offers, advertising, communications and customer service. We may also use this information to: (a) provide custom, personalized content and information, including targeted content and advertising; (b) identify you across multiple devices; (c) provide and monitor the effectiveness of our Services; (d) monitor aggregate metrics such as total number of visitors, traffic, usage, and demographic patterns on our website; (e) diagnose or fix technology problems; and (f) otherwise to plan for and enhance our products and services.

‍C. Information We Receive from Other Sources.

Affiliates. We may receive information from our current or future affiliates for any of the purposes described in this Privacy Policy.

Research Affiliates. We may receive information from our Research Affiliates who work with us when conducting research studies. The use and disclosure of Your Research Data received from Research Affiliates is governed by the applicable research consent and HIPAA authorization.

Information from Third-party Services. If you choose to link our Services to a third-party account (e.g., an account with your third-party healthcare provider), we may receive information about you, including your profile information, contact information, and health information.

Clinical Trial Participant Information. If we receive information about your participation in a clinical trial from a third party (e.g., the trial sponsor) in accordance with your informed consent, we may link that information to your account.

‍

How We Use the Information We Collect

A. How We Use Information Through the Services

We use User Registration Data and information collected through the Services to:

• Operate, maintain, improve, and enhance the Services;

• Personalize your experience, such as by providing tailored content and recommendations;

• Communicate with you, including operational messages about your use of the Services. Sending information about research studies, clinical trials, and research opportunities is core to our Services and, as such, are transactional or operational messages. We may also send, and subject to your consent if required, messages about products and services offered by Arboretum, its affiliates, or third-party partners that Arboretum believes may be relevant to you.

• Understand and analyze how you use the Service and develop new products, services, features, and functionality;

• For compliance purposes, including enforcing our Terms of Service or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.

B. How Arboretum Uses Your Research Data

Arboretum uses Your Research Data as described in the applicable research’s informed consent, including to:

• Return Research Results to Research Participants, including results such as genetic information and diagnostic information (where eligible);

• Identify ways in which genes and other health factors may affect disease risk or treatment response;

• Train, develop, and improve artificial intelligence, including generative artificial intelligence, machine learning, and other algorithmic or computational models that support our Services, including models used for variant interpretation, risk stratification, research analytics, and participant matching, subject to the following practices:

• Arboretum uses de-identified data for AI model training by default. Individual-level data may be used for model training where necessary to support research objectives, and only in accordance with the applicable informed consent.

• The Service uses artificial intelligence, including generative artificial intelligence, machine learning, and other algorithmic or computational models to support research analytics, participant matching, and communications about research opportunities and products and services. These uses are informational in nature and do not constitute decisions regarding your medical care or treatment. Artificial intelligence does not autonomously make decisions regarding your medical care or treatment or any other consequential or significant decisions.

• All AI-generated outputs related to Research Results are reviewed by qualified personnel before being communicated to you or your healthcare provider. Where generative artificial intelligence is used to draft communications containing your research information, such communications are reviewed prior to delivery.

• Assess your eligibility for and match you to Research Studies, research opportunities, and products or services offered by Arboretum, its affiliates, or third-party partners that may be relevant to you;

• Generate de-identified or aggregated data sets that cannot reasonably be used to identify individual Research Participants, which information we may use for purposes outside the scope of this Privacy Policy, including but not limited to, scientific research, data analysis, quality improvement, or other lawful business purposes including commercialization. If such data is shared with third parties, this will be subject to a data sharing agreement.

C. Other Purposes

For other purposes for which we provide specific notice at the time the information is collected.

How We Disclose the Information We Collect

Affiliates. We may disclose any information we receive to our current or future affiliates for any of the purposes described in this Privacy Policy.

Vendors and Service Providers. We may disclose any information we receive to vendors and service providers retained in connection with the provision of our Services.

Healthcare Providers. For Research Participants eligible to receive Research Results that include clinical information, those results may be reported to the healthcare provider(s) involved in your care.

Research Affiliates. We may disclose information about you, such as account registration information, to our Research Affiliates who work with us when conducting research studies.

Promotions. With your prior express consent, we may disclose your contact information to third parties so that they can contact you directly regarding their products and services. You may revoke this consent at any time within your Research Participant account settings or by emailing support@arboretum.bio.

Analytics Partners. We may use analytics services such as Google Analytics to collect and process certain analytics data.

Advertising Partners. We may work with third-party advertising partners to collect and process your information in order to show you ads that we think may interest you.

As Required By Law and Similar Disclosures. We may access, preserve, and disclose your information if we believe doing so is required or appropriate to: (a) comply with law enforcement requests and legal process, such as a court order or subpoena; (b) respond to your requests; or (c) protect your, our, or others’ rights, property, or safety. For the avoidance of doubt, the disclosure of your information may occur if you post any objectionable content on or through the Services.

Merger, Sale, or Other Asset Transfers. We may transfer your information to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets. Also, in the unlikely event of our bankruptcy, receivership, or insolvency, your personal information may be disclosed, transferred, or assigned to third parties in connection with the proceedings or disposition of our assets. The use of your information following any of these events will be governed by the provisions of this Privacy Policy in effect at the time the applicable information was collected.

Consent. We may also disclose your information with your permission.

Your Choices

The following privacy choices are made available to all individuals with whom we interact.

A. Communication Preferences

• Email Communication Preferences: You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in any of our email communications. Please note you cannot opt-out of service-related email communications (such as, account verification, transaction confirmation, or service update emails).

• Phone Communication Preferences: You can stop receiving promotional phone communications from us by informing the caller you no longer wish to receive promotional phone calls from us, following the instructions provided on the call for opting out of promotional phone calls (where available), or replying STOP to any one of our promotional text messages.

B. Automatic Data Collection Preferences

Certain of our Services may provide you with the ability to adjust your preferences regarding our use of automatic data collection technologies. For example, there is a “Cookie Preferences” manager linked in the footer of our websites that allows you to adjust your preferences regarding certain automatic data collection technologies on the specific website you are visiting for the specific device and browser you are using at that time (which means you will need to change your preferences on each device and browser you use to interact with the specific website you are visiting).

Where an Arboretum-specific preference manager or privacy setting is not available, you may be able to utilize third-party tools and features to further restrict our use of automatic data collection technologies. For example, (i) most browsers allow you to change browser settings to limit automatic data collection technologies on websites, (ii) most email providers allow you to prevent the automatic downloading of images in emails that may contain automatic data collection technologies, and (iii) many devices allow you to change your device settings to limit automatic data collection technologies for device applications. Please note that blocking automatic data collection technologies through third-party tools and features may negatively impact your experience using our services, as some features and offerings may not work properly or at all. Depending on the third-party tool or feature you use, you may not be able to block all automatic data collection technologies or you may need to update your preferences on multiple devices or browsers. We do not have any control over these third-party tools and features and are not responsible if they do not function as intended.

C. Targeted Advertising Preferences

We engage third parties to help us facilitate targeted advertising designed to show you personalized ads based on predictions of your preferences and interests developed using personal data we maintain and personal data our third-party partners obtain from your activity over time and across nonaffiliated websites and other services. The data we and our third-party partners use for purposes of facilitating targeted advertising, as well as to provide advertising-related services such as reporting, attribution, analytics, and market research, are primarily collected through the use of a variety of automatic data collection technologies, including cookies, web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies and logging technologies. We may share a common account identifier (such as a hashed email address or user ID) with our third-party advertising partners to help link the personal data we and our third-party partners collect to the same person, or otherwise target advertising to an individual on a third-party website or platform.

You may be able to exercise control over the advertisements that you see by leveraging one or more targeted advertising opt-out programs. For example:

• Device-Specific Opt-Out Programs: Certain devices provide individuals the option to turn off targeted advertising for the entire device (such as Apple devices through their App Tracking Transparency framework or Android devices through their opt out of ads personalization feature). Please refer to your device manufacturer’s user guides for additional information about implementing any available device-specific targeted advertising opt- outs.

• Digital Advertising Alliance: The Digital Advertising Alliance allows individuals to opt out of receiving online interest-based targeted advertisements from companies that participate in their program. Please follow the instructions at https://optout.aboutads.info/?c=2&lang=EN for browser-based advertising and https://www.youradchoices.com/appchoices for app-based advertising to opt out of targeted advertising carried out by our third-party partners and other third parties that participate in the Digital Advertising Alliance’s self- regulatory program.

• Network Advertising Initiative: The Network Advertising Initiative similarly allows individuals to opt out of receiving online interest-based targeted advertisements from companies that participate in their program. Please follow the instructions at https://optout.networkadvertising.org/?c=1 to opt out of browser-based targeted advertising carried out by our third-party partners and other third parties that participate in the Network Advertising Initiative’s self-regulatory program.

• Platform-Specific Opt-Out Programs: Certain third-party platforms provide individuals the option to turn off targeted advertising for the entire platform (such as certain social media platforms). Please refer to your platform provider’s user guides for additional information about implementing any available platform-specific targeted advertising opt-outs.

Please note that when you opt out of receiving interest-based advertisements through one of these programs, this does not mean you will no longer see advertisements from us or on our Services. Instead, it means that the online ads you do see from relevant program participants should not be based on your interests. We are not responsible for the effectiveness of, or compliance with, any third parties’ opt-out options or programs or the accuracy of their statements regarding their programs. In addition, program participants may still use automatic data collection technologies to collect information about your use of our Services, including for analytics and fraud prevention as well as any other purpose permitted under the applicable advertising industry program.

D. Partner-Specific Preferences

Certain of our third-party providers and partners offer additional ways that you may exercise control over your personal information, or automatically impose limitations on the way we can use your personal information in connection with the Services they provide:

• Device-Specific / Platform-Specific Preferences: The device and/or platform you use to interact with us (such as your mobile device), may provide you with additional choices with regard to the data you choose to share with us. For example, many mobile devices allow you to change your device permissions to prevent our Services from accessing certain types of information from your device (such as your contact lists or precise geolocation data). Please refer to your device or platform provider’s user guides for additional information about implementing any available platform-specific targeted advertising opt-outs.

• Google Analytics: Google Analytics allows us to better understand how our customers interact with our Services. For information on how Google Analytics collects and processes data, as well as how you can control information sent to Google, review Google's website here: www.google.com/policies/privacy/partners/. You can learn about Google Analytics’ currently available opt-outs, including the Google Analytics Browser Add-On here: https://tools.google.com/dlpage/gaoptout/. We may also utilize certain forms of display advertising and other advanced features through Google Analytics. These features enable us to use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick advertising cookie) or other third-party cookies together to inform, optimize, and display ads based on your past visits to our Services. You may control your advertising preferences or opt-out of certain Google advertising products by visiting the Google Ads Preferences Manager, currently available at https://myadcenter.google.com/?ref=help-center.

Third Parties

Our Services may contain links to other websites, products, or services that we do not own or operate. We are not responsible for the privacy practices of these third parties. Please be aware that this Privacy Policy does not apply to your activities on these third-party services or any information you disclose to these third parties. We encourage you to read their privacy policies before providing any information to them.

Security

We make reasonable efforts to protect your information by using physical and electronic safeguards designed to improve the security of the information we maintain. However, because no electronic transmission or storage of information can be entirely secure, we can make no guarantees as to the security or privacy of your information.

Retention of Personal Data

We will usually retain the personal data we collect about you for no longer than reasonably necessary to fulfil the purposes for which it was collected, and in accordance with our legitimate business interests and applicable law. If necessary, we may retain personal data for longer periods of time as required under applicable law or as needed to resolve disputes or protect our legal rights.

Children's Privacy

We do not knowingly collect or solicit personal information from children under 18, and no part of our Service is directed to children. If an individual is under the age of 18, they should not use our Service or otherwise provide us with any personal information. If a parent or guardian learns that a child has provided us with personal information in violation of this Privacy Notice, then they may alert us at privacy@arboretum.bio and request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 18, we will promptly delete the personal information.

International Visitors

Our Services are hosted in the United States and intended for visitors located within the United States. If you choose to use the Services from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your personal information outside of those regions to the U.S. for storage and processing. We may also transfer your data from the U.S. to other countries or regions in connection with storage and processing of data, fulfilling your requests, and operating the Services. By providing any information, including personal information, on or to the Services, you consent to such transfer, storage, and processing.

Update Your Information

You can update your account and profile information within your Arboretum account, using the Services we provide to you. To close your Research Participant account, you must first withdraw as a participant in the study by contacting the study team listed in your Research Participant account profile, then email support@arboretum.bio to request account closure. To close your Research Affiliate account, email support@arboretum.bio.

Access to Research Data

As a Research Participant, you may request your research data or test results in accordance with the terms of the study’s informed consent. Research data requests should be directed to the study team listed in your Research Participant’s account profile.

Changes to this Privacy Policy

This policy will be amended from time to time. We will post any adjustments to the Privacy Policy on this page, and the revised version will be effective when it is posted. If we materially change the ways in which we use or disclose personal information previously collected from you through the Services, we will notify you through the Services, by email, or other communication.

Contact Information

If you have any questions, comments, or concerns about our processing activities, please email us at privacy@arboretum.bio.

‍

Arboretum Clinical Privacy Policy

Last Updated: 05/04/2026

Arboretum Clinical (“Arboretum Clinical,” “we,” “our,” and/or “us”) values the privacy of individuals who use our website at arboretum.bio/clinical (the “Site”) and other websites we own and operate that link to this Privacy Policy, and the related content, platform, services, products, and other functionality offered on or through our services (collectively, our “Services”). This privacy policy (the “Privacy Policy”) explains how we collect, use, and disclose information from users of our Services (“Users”).

By using our Services, you acknowledge the collection, use, disclosure, and procedures this Privacy Policy describes. Beyond the Privacy Policy, your use of our Services is also subject to the Arboretum Clinical Terms of Service.

Scope of Notice

This Privacy Notice does not apply to our collection and processing of Protected Health Information as defined by the Health Insurance Portability and Accountability Act (“HIPAA”). Arboretum Clinical maintains a separate Notice of Privacy Practices, pursuant to HIPAA, that applies to Protected Health Information that we collect from individuals.

Additionally, data protection laws sometimes differentiate between “controllers” and “processors” of personal data. A “controller” determines the purposes and means (the why and how) of processing personal data. A “processor,” which is sometimes referred to as a “service provider,” or, under HIPAA, a “business associate,” processes personal data on behalf of a controller subject to the controller’s instructions. This Privacy Notice does not cover or address how our customers may process personal data when they use our services, or how we may process personal data on their behalf in accordance with their instructions where we are acting as their processor. As a result, we recommend referring to the privacy notice of the health care provider with whom you have a relationship for information on how they engage processors, like us, to process personal data on their behalf.

This Privacy Notice describes our privacy practices where we are acting as the controller of personal data.

Information We Collect

We may collect a variety of information from or about you or your devices from various sources, as described below.‍

A. Information You Provide to Us.

User Registration Data. When you create an Arboretum Clinical account, we collect your name, email address, phone number and/or other identifying information. You may also provide additional information such as your date of birth, address, gender, and demographic information.

Communications. If you contact us directly, we may receive information about you, such as your name, email address, phone number, the contents of messages or attachments that you may send to us, and other information you choose to provide. When you communicate with us online, third party vendors receive and store these communications on our behalf. When we send you emails, our email service providers may collect information about whether and when you open them and whether you access links included in our emails.

Event Information. If you register to attend one of our events such as a webinar or attend a conference where we are in attendance, we may collect contact information such as your name, position, organization name, email address, and other information that you choose to provide.

Payment Information. If you make a payment on our Services, your payment-related information, such as credit card or other financial information, is collected by our third-party payment processor, Square, on our behalf. To view Square’s privacy policy, please click here.‍

B. Information We Collect When You Use Our Services.

Information from Third Parties. We, and our third-party partners, automatically collect information you provide to us and information about how you access and use our Services when you engage with us. We typically collect this information through the use of a variety of our own and our third-party partners’ automatic data collection technologies, including (i) cookies or small data files that are stored on an individual’s computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies and logging technologies. Information we collect automatically about you may be combined with other personal information we collect directly from you or receive from other sources.

We, and our third-party partners, use automatic data collection technologies to automatically collect the following data when you use our Services or otherwise engage with us:

• Information About Your Device and Network, including the device type, manufacturer, and model, operating system, IP address, browser type, Internet service provider, and unique identifiers associated with you, your device, or your network (including, for example, a persistent device identifier or advertising ID). We employ third- party technologies designed to allow us to recognize when two or more devices are likely being used by the same individual and may leverage these technologies (where permitted) to link information collected from different devices.

• Information About the Way Individuals Use Our Services and Interact With Us, including the site from which you came, the site to which you are going when you leave our Services, how frequently you access our Services, whether you open emails or click the links contained in emails, whether you access our Services from multiple devices, and other browsing behavior and actions you take on our Services (such as the pages you visit, the content you view, videos you watch, the communications you have through our Services, and the content, links and ads you interact with). We employ third-party technologies designed to allow us to collect detailed information about browsing behavior and actions that you take on our Services, which may record your mouse movements, scrolling, clicks, and keystroke activity on our Services and other browsing, search or purchasing behavior. These third-party technologies may also record information you enter when you interact with our Services, or engage in chat features or other communication platforms we provide.

• Information About Your Location, including general geographic location that we or our third-party providers may derive from your IP address.

All of the information collected automatically through these tools allows us to improve your customer experience. For example, we may use this information to enhance and personalize your user experience, to monitor and improve our Services, and to improve the effectiveness of our Services, offers, advertising, communications and customer service. We may also use this information to: (a) provide custom, personalized content and information, including targeted content and advertising; (b) identify you across multiple devices; (c) provide and monitor the effectiveness of our Services; (d) monitor aggregate metrics such as total number of visitors, traffic, usage, and demographic patterns on our website; (e) diagnose or fix technology problems; and (f) otherwise to plan for and enhance our products and services.‍

C. Information We Receive from Other Sources.

Affiliates. We may receive information from our current or future affiliates for any of the purposes described in this Privacy Policy.

Information from Third-party Services. If you choose to link our Services to a third-party account, we may receive information about you from that account, including your profile information, contact information, and other information.

How We Use the Information We Collect

How We Use Information Through the Services

We use User Registration Data and information collected through the Services to:

• Operate, maintain, improve, and enhance the Services;

• Personalize your experience, such as by providing tailored content and recommendations;

• Communicate with you, including transactional or operational messages about your use of the Services. Sending information about research studies, clinical trials, and research opportunities is core to our Services and, as such, are transactional or operational messages. We may also send, subject to your consent if required, messages about products and services offered by Arboretum Clinical, its affiliates, or third-party partners that Arboretum Clinical believes may be relevant to you.

• Understand and analyze how you use the Service and develop new products, services, features, and functionality;

•To facilitate transactions and payments;

• Find and prevent fraud and abuse, and respond to trust and safety issues that may arise;

• For compliance purposes, including enforcing our Terms of Service or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.

• Create aggregated or de-identified information that cannot reasonably be used to identify you, which information we may use for purposes outside the scope of this Privacy Notice.

• To develop, operate, improve, maintain, protect, and provide the features and functionality of our Services, including by training or fine-tuning artificial intelligence and machine learning models.

• For other purposes for which we provide specific notice at the time the information is collected.

How We Disclose the Information We Collect

Affiliates. We may disclose any information we receive to our current or future affiliates for any of the purposes described in this Privacy Policy.

Vendors and Service Providers. We may disclose any information we receive to vendors and service providers retained in connection with the provision of our Services.

Analytics Partners. We may use analytics services such as Google Analytics to collect and process certain analytics data.

Advertising Partners. We may work with third-party advertising partners to collect and process your information in order to show you ads that we think may interest you.

As Required By Law and Similar Disclosures. We may access, preserve, and disclose your information if we believe doing so is required or appropriate to: (a) comply with law enforcement requests and legal process, such as a court order or subpoena; (b) respond to your requests; or (c) protect your, our, or others’ rights, property, or safety. For the avoidance of doubt, the disclosure of your information may occur if you post any objectionable content on or through the Services.

Merger, Sale, or Other Asset Transfers. We may transfer your information to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets. Also, in the unlikely event of our bankruptcy, receivership, or insolvency, your personal information may be disclosed, transferred, or assigned to third parties in connection with the proceedings or disposition of our assets. The use of your information following any of these events will be governed by the provisions of this Privacy Policy in effect at the time the applicable information was collected.

Consent. We may also disclose your information with your permission.

Your Choices

The following privacy choices are made available to all individuals with whom we interact.

• Communication Preferences

• Email Communication Preferences: You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in any of our email communications. Please note you cannot opt-out of service-related email communications (such as, account verification, transaction confirmation, or service update emails).

•Phone Communication Preferences: You can stop receiving promotional phone communications from us by informing the caller you no longer wish to receive promotional phone calls from us, following the instructions provided on the call for opting out of promotional phone calls (where available), or replying STOP to any one of our promotional text messages.

• Automatic Data Collection Preferences

Certain of our Services may provide you with the ability to adjust your preferences regarding our use of automatic data collection technologies. For example, there is a “Cookie Preferences” manager linked in the footer of our websites that allows you to adjust your preferences regarding certain automatic data collection technologies on the specific website you are visiting for the specific device and browser you are using at that time (which means you will need to change your preferences on each device and browser you use to interact with the specific website you are visiting).

Where an Arboretum Clinical-specific preference manager or privacy setting is not available, you may be able to utilize third-party tools and features to further restrict our use of automatic data collection technologies. For example, (i) most browsers allow you to change browser settings to limit automatic data collection technologies on websites, (ii) most email providers allow you to prevent the automatic downloading of images in emails that may contain automatic data collection technologies, and (iii) many devices allow you to change your device settings to limit automatic data collection technologies for device applications. Please note that blocking automatic data collection technologies through third-party tools and features may negatively impact your experience using our services, as some features and offerings may not work properly or at all. Depending on the third-party tool or feature you use, you may not be able to block all automatic data collection technologies or you may need to update your preferences on multiple devices or browsers. We do not have any control over these third-party tools and features and are not responsible if they do not function as intended.

• Targeted Advertising Preferences

We engage third parties to help us facilitate targeted advertising designed to show you personalized ads based on predictions of your preferences and interests developed using personal data we maintain and personal data our third-party partners obtain from your activity over time and across nonaffiliated websites and other services. The data we and our third-party partners use for purposes of facilitating targeted advertising, as well as to provide advertising-related services such as reporting, attribution, analytics, and market research, are primarily collected through the use of a variety of automatic data collection technologies, including cookies, web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies and logging technologies. We may share a common account identifier (such as a hashed email address or user ID) with our third-party advertising partners to help link the personal data we and our third-party partners collect to the same person, or otherwise target advertising to an individual on a third-party website or platform.

You may be able to exercise control over the advertisements that you see by leveraging one or more targeted advertising opt-out programs. For example:

• Device-Specific Opt-Out Programs: Certain devices provide individuals the option to turn off targeted advertising for the entire device (such as Apple devices through their App Tracking Transparency framework or Android devices through their opt out of ads personalization feature). Please refer to your device manufacturer’s user guides for additional information about implementing any available device-specific targeted advertising opt- outs.

• Digital Advertising Alliance: The Digital Advertising Alliance allows individuals to opt out of receiving online interest-based targeted advertisements from companies that participate in their program. Please follow the instructions at https://optout.aboutads.info/?c=2&lang=EN for browser-based advertising and https://www.youradchoices.com/appchoices for app-based advertising to opt out of targeted advertising carried out by our third-party partners and other third parties that participate in the Digital Advertising Alliance’s self- regulatory program.

• Network Advertising Initiative: The Network Advertising Initiative similarly allows individuals to opt out of receiving online interest-based targeted advertisements from companies that participate in their program. Please follow the instructions at https://optout.networkadvertising.org/?c=1 to opt out of browser-based targeted advertising carried out by our third-party partners and other third parties that participate in the Network Advertising Initiative’s self-regulatory program.

• Platform-Specific Opt-Out Programs: Certain third-party platforms provide individuals the option to turn off targeted advertising for the entire platform (such as certain social media platforms). Please refer to your platform provider’s user guides for additional information about implementing any available platform-specific targeted advertising opt-outs.

Please note that when you opt out of receiving interest-based advertisements through one of these programs, this does not mean you will no longer see advertisements from us or on our Services. Instead, it means that the online ads you do see from relevant program participants should not be based on your interests. We are not responsible for the effectiveness of, or compliance with, any third parties’ opt-out options or programs or the accuracy of their statements regarding their programs. In addition, program participants may still use automatic data collection technologies to collect information about your use of our Services, including for analytics and fraud prevention as well as any other purpose permitted under the applicable advertising industry program.

• Partner-Specific Preferences

‍Children’s Privacy

• Device-Specific / Platform-Specific Preferences: The device and/or platform you use to interact with us (such as your mobile device), may provide you with additional choices with regard to the data you choose to share with us. For example, many mobile devices allow you to change your device permissions to prevent our Services from accessing certain types of information from your device (such as your contact lists or precise geolocation data). Please refer to your device or platform provider’s user guides for additional information about implementing any available platform-specific targeted advertising opt-outs.

• Google Analytics: Google Analytics allows us to better understand how our customers interact with our Services. For information on how Google Analytics collects and processes data, as well as how you can control information sent to Google, review Google's website here: www.google.com/policies/privacy/partners/. You can learn about Google Analytics’ currently available opt-outs, including the Google Analytics Browser Add-On here: https://tools.google.com/dlpage/gaoptout/. We may also utilize certain forms of display advertising and other advanced features through Google Analytics. These features enable us to use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick advertising cookie) or other third-party cookies together to inform, optimize, and display ads based on your past visits to our Services. You may control your advertising preferences or opt-out of certain Google advertising products by visiting the Google Ads Preferences Manager, currently available at https://myadcenter.google.com/?ref=help-center.

Certain of our third-party providers and partners offer additional ways that you may exercise control over your personal information, or automatically impose limitations on the way we can use your personal information in connection with the Services they provide:

Third Parties

Our Services may contain links to other websites, products, or services that we do not own or operate. We are not responsible for the privacy practices of these third parties. Please be aware that this Privacy Policy does not apply to your activities on these third-party services or any information you disclose to these third parties. We encourage you to read their privacy policies before providing any information to them.

Security

We make reasonable efforts to protect your information by using physical and electronic safeguards designed to improve the security of the information we maintain. However, because no electronic transmission or storage of information can be entirely secure, we can make no guarantees as to the security or privacy of your information.

We will usually retain the personal data we collect about you for no longer than reasonably necessary to fulfil the purposes for which it was collected, and in accordance with our legitimate business interests and applicable law. If necessary, we may retain personal data for longer periods of time as required under applicable law or as needed to resolve disputes or protect our legal rights.

Retention of Personal Data

We do not knowingly collect or solicit personal information from children under 18, and no part of our Service is directed to children. If an individual is under the age of 18, they should not use our Service or otherwise provide us with any personal information. If a parent or guardian learns that a child has provided us with personal information in violation of this Privacy Notice, then they may alert us at privacy@arboretum.bio and request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 18, we will promptly delete the personal information.

International Visitors

Our Services are hosted in the United States and intended for visitors located within the United States. If you choose to use the Services from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your personal information outside of those regions to the U.S. for storage and processing. We may also transfer your data from the U.S. to other countries or regions in connection with storage and processing of data, fulfilling your requests, and operating the Services. By providing any information, including personal information, on or to the Services, you consent to such transfer, storage, and processing.

Changes to this Privacy Policy

We will post any adjustments to the Privacy Policy on this page, and the revised version will be effective when it is posted. If we materially change the ways in which we use or disclose personal information previously collected from you through the Services, we will notify you through the Services, by email, or other communication.

Contact Information

If you have any questions, comments, or concerns about our processing activities, please email us at privacy@arboretum.bio.

‍

Arboretum Clinical Privacy Notice

Last Updated: 05/01/2026

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (the “Notice”) is being provided by Arboretum Clinical, LLC (“Arboretum Clinical,” “we,” “our,” and/or “us”) under provisions of the federal law known as the Health Insurance Portability and Accountability Act of 1996, or HIPAA.

This Notice applies to protected health information (“PHI”) created, received, maintained, or transmitted by Arboretum Clinical in its capacity as a “covered entity” under HIPAA in connection with Arboretum Clinical’s software platform for genetic test ordering, results, and payment processing, software for family health history documentation and pedigree chart generation, genetic testing services, genetic counseling services, and related products and services (“Services”).

In accordance with HIPAA, a “business associate” is an entity that uses or discloses PHI on behalf of a covered entity. This Notice of Privacy Practices describes our practices where we are acting as a covered entity. However, this Notice of Privacy Practices does not cover or address how our healthcare provider customers may use or disclose medical information when they use our Services, or how we may use or disclose PHI on their behalf when we are acting as a service provider. As a result, we recommend referring to the Notice of Privacy Practices and/or Privacy Notices of the health care provider with which you have a relationship for information on how they engage service providers like us to use or disclose medical information on their behalf.

In this Notice of Privacy Practices, “Healthcare Affiliates” means healthcare providers and staff who access the Services, including those who order or coordinate Services on behalf of patients. “Genetic Testing” means the isolation of DNA from a biological sample provided by you to perform genetic sequencing. “Genetic Counseling” means the analysis and discussion of information about your genes and other health factors, including your biological samples, genetic information, and other health information. “Pedigree Software” means Arboretum Clinical’s software tools for documenting family health history and generating pedigree charts for use in genetic risk assessment. “Generated Data” means raw data, intermediate data, audio and video recordings of counseling or consultation sessions, and clinical results produced by Genetic Testing, the Pedigree Software, and Genetic Counseling, all of which are the sole and exclusive property of Arboretum Clinical.

YOUR HEALTH INFORMATION

We at Arboretum Clinical understand that your health information is personal. We are committed to protecting health information about you.

Moreover, HIPAA imposes numerous requirements on health care providers concerning the use and disclosure of protected health information (“PHI”). PHI is health information that can be clearly linked to a specific individual, including deceased individuals for fifty (50) years after death, as required by 45 CFR § 164.502(f). It includes, for example, information about the health care received by an individual and the amounts paid for such care. This Notice will tell you about the ways in which we may use and disclose your PHI. It also describes certain obligations we have regarding the use and disclosure of your PHI and your rights.

We are required by law to:

• Make sure that PHI is kept private;

• Give you this Notice of our legal duties and privacy practices with respect to your PHI;

• Follow the terms of this Notice as currently in effect;

• Follow any more stringent applicable federal or state privacy laws that relate to the use and disclosure of health information; and

• Notify affected individuals following a breach of unsecured PHI.

HOW WE MAY USE AND DISCLOSE YOUR PHI

The following categories describe different ways that we may use and disclose PHI. For each category of uses or disclosures this Notice will describe the category and try to give some examples. Not every use or disclosure in a category will be listed. However, each of the ways in which we are permitted to use and disclose PHI will fall within one of the categories.

For Treatment. We may use and disclose your PHI in order to provide health care services and treatment for you, including to assess your eligibility for, and match you to, research studies, clinical trials, and research opportunities. We may disclose your PHI to doctors, nurses, pharmacies, or other medical personnel who are involved in treating you. For example, if our hereditary cancer screening reveals that you carry a BRCA1 mutation associated with increased breast and ovarian cancer risk, we may share these results with your physician and genetic counselor to help them develop an appropriate surveillance and prevention plan, such as enhanced screening protocols or discussions about risk-reducing procedures.

Biological Samples. Genetic Testing requires the collection of a biological sample from you, such as a buccal (cheek) swab or saliva sample. By providing a biological sample to Arboretum Clinical, you transfer all right, title, and interest in the physical sample to Arboretum Clinical upon our receipt of the sample to the maximum extent permitted by applicable law. Biological samples will not be returned to you or your healthcare provider. Following completion of testing, Arboretum Clinical will destroy remaining biological samples in accordance with our specimen retention policy. Arboretum Clinical retains and uses Generated Data from biological samples, including in identified form, as reference, validation, or quality control materials for laboratory test development, validation, and ongoing quality assurance purposes.

For Payment. We may use and disclose your PHI for payment purposes, such as to bill you and receive payment from health plans or other entities. For example, we may give your health information, such as diagnosis or treatment, to your health insurance plan so that it will pay for services that you receive from us.

For Health Care Operations. We may use and disclose your PHI for our operations. These uses and disclosures are necessary to run our organization. For example, we may use your PHI for activities such as:

• To manage your clinical treatment.

• To improve the clinical services that we provide.

• For business management and general administration of the organization, including but not limited to legal services, audit services, fraud and abuse detection programs, and cost management.

• For customer service, internal grievance resolution, or certain transfers related to a merger or acquisition.

• For test development, validation, and ongoing quality assurance of our genetic testing methodologies, including the use of your PHI in identified form as reference or control materials, and for the training, development, testing, and improvement of artificial intelligence, machine learning, and other algorithmic or computational models used in healthcare operations.

To, From, and Between Business Associates. We may contract with business associates to provide certain services. We may disclose your PHI to our business associates, receive your PHI from our business associates, and our business associates may share PHI between themselves. For example, we may disclose your PHI to a data storage provider or other service providers. To protect your PHI, however, we require business associates to sign contracts agreeing to appropriately safeguard your PHI.

Affiliates. In accordance with HIPAA, we may disclose your PHI to our current or future affiliates for any of the purposes described in this Notice. Our affiliates include entities under common ownership or control with Arboretum Clinical.

For Health-Related Benefits and Services. Arboretum Clinical may use and disclose your PHI to tell you about other health-related benefits or services that we may offer from time to time, including information about research studies, clinical trials, research opportunities, new or existing products and services offered by Arboretum Clinical, healthcare services, treatment options, and other health, research, or wellness information that Arboretum Clinical reasonably believes may be of interest to you. Such communications are sent by Arboretum Clinical and, when required, only with your authorization. Arboretum Clinical may also use your PHI, including Generated Data, to assess your eligibility for and match you to research studies, clinical trials, or other opportunities that may be relevant to you.

As Required By Law. We will disclose your PHI when required to do so by federal, state, or local law.

By Written Authorization. Except as described herein or as permitted by law, we will disclose your PHI only with your prior written permission (called an “authorization” under HIPAA). Most uses of psychotherapy notes, certain uses and disclosures of your health information for marketing purposes, and any sale of your written medical information require your authorization. You may revoke an authorization, in writing, at any time, unless we have taken action relying on the authorization or if you signed the authorization as a condition of obtaining insurance coverage.

Deidentified Information. We may also de-identify your PHI in accordance with standards established by HIPAA. De-identified information is not considered PHI. De-identified information is not subject to this Notice, and we may use or disclose de-identified information for any lawful purpose.

Pedigree Software Data. If you or your Healthcare Affiliate provide family health history information through the Service, including through the Pedigree Software, the data entered into and outputs generated by the Pedigree Software constitute Generated Data owned by Arboretum Clinical to the maximum extent permitted by applicable law. Arboretum Clinical may use Pedigree Software data for treatment, healthcare operations, test development and validation, AI/ML model training, and the other purposes described in this Notice. If you receive Genetic Counseling through the Service, information generated during the session, including session notes, clinical interpretations, audio and video recordings of the session (if made with your consent), and any additional health information you provide, also constitutes Generated Data owned by Arboretum Clinical to the maximum extent permitted by applicable law.

Communications. Arboretum Clinical may contact you in connection with the Services. Such communications may consist of transactional or operational messages, or marketing messages. Where the communications are sent for marketing purposes, we will not send such communications without first obtaining your authorization in accordance with HIPAA.

Online Tracking Technologies. When you use the Service through a web browser or mobile device, we and our third-party partners may collect device information, usage data, and information through cookies, pixel tags, and similar tracking technologies. To the extent that such information is PHI, it is subject to this Notice. For information about our use of cookies and tracking technologies that do not involve PHI, including your choices regarding these technologies, please see the Arboretum Clinical Privacy Policy.

Health Information Exchanges. Arboretum Clinical may choose to participate in one or more health information exchanges (“HIE”). HIEs are designed to improve the quality of healthcare by facilitating the secure exchange of electronic health information between and among several healthcare providers or other healthcare entities. These HIEs contribute to improved and better-coordinated healthcare outcomes for patients, including in emergent care situations. This means we may share information we obtain or create about you with other healthcare providers or entities (such as hospitals, doctors’ offices, pharmacies, or insurance companies) or we may receive information they create or obtain about you (such as medication history, medical history, or insurance information). If you would like more information on your state health information exchange or any private HIE that we may participate in, or would like information on how to opt out of these HIEs, please contact us at privacy@arboretum.bio or 617-465-0969.

Artificial Intelligence. Arboretum Clinical uses artificial intelligence, including generative artificial intelligence, machine learning, and other algorithmic or computational models in connection with treatment, payment, and healthcare operations. These technologies may be used for variant interpretation, risk stratification, clinical decision support, participant matching, quality assurance and validation, generation of clinical reports, and other purposes described in this Notice.

We may use your PHI, including at the individual level, to train, develop, test, and improve artificial intelligence, including generative artificial intelligence, machine learning, and other algorithmic or computational models used in the delivery of our treatment, payment, and healthcare operations. These training uses are governed by the data use provisions described elsewhere in this Notice and in the Terms of Service.

SPECIAL SITUATIONS INVOLVING THE USE AND DISCLOSURE OF YOUR PHI

To Avert a Serious Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

Research. We may use and disclose your PHI for research purposes as permitted by HIPAA.

Military and Veterans. If you are a member of the armed forces, we may release your PHI as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.

Workers’ Compensation. We may release your PHI for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.

Public Health Risks. We may disclose your PHI for public health activities (e.g., to prevent or control disease, injury or disability).

Victim of Abuse. We may notify the appropriate government authority if we believe you have been the victim of abuse, neglect, or domestic violence.

Health Oversight Activities. We may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

Lawful Enforcement. We may disclose PHI in response to a lawful request to disclose by a law enforcement official, such as in response to a warrant, subpoena, court order, or other legitimate legal process.

Coroners, Medical Examiners and Funeral Directors. We may release PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release PHI about patients of the hospital to funeral directors as necessary to carry out their duties.

National Security and Intelligence Activities. We may release your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release your PHI to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

Organ and Tissue Donation. We may use and disclose your PHI to facilitate organ and tissue donation and transplant.

To DHHS. We may release your PHI in response to investigations by the Department of Health and Human Services.

Other Situations. We may use and disclose your PHI in the following ways after giving you the opportunity to object: to share information with your family, close friends, or others involved in your care; to share information in a disaster relief situation; and to include your information in a hospital directory. To the extent that you object to such use or disclosure, we will not use or disclose your PHI in that manner. If you are not able to tell us your preference (for example, if you are unconscious), we may use or share your PHI if we believe doing so is in your best interest.

ADDITIONAL PRIVACY FOR SUBSTANCE USE DISORDER TREATMENT

Although we are not a substance use disorder treatment program subject to 42 CFR part 2, we may receive substance use disorder treatment records from such programs. Such records, or testimony relaying the content of such records, will not be used or disclosed in civil, criminal, administrative, or legislative proceedings against you unless based on your written consent, or a court order after notice and an opportunity to be heard is provided to you and/or Arboretum Clinical, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.

When your PHI is disclosed, it may no longer be protected by HIPAA and may be subject to re-disclosure.

YOUR RIGHTS REGARDING YOUR PHI

You have the following rights regarding PHI we maintain about you. Except as otherwise provided below, to exercise these rights, you must submit your request in writing to our HIPAA Privacy Officer at the address below:

91 1st Street - 425024

Cambridge, MA 02141
Attention: HIPAA Privacy Officer – Arboretum Clinical

Right to Inspect and Copy. With certain exceptions, you have the right to inspect and copy your PHI maintained in our “designated record set.” Our designated record set consists of enrollment, payment, case management records and claims processing, as well as other records we use to make health care decisions about individuals. The designated record set does not include psychotherapy notes and information compiled in anticipation of a criminal, civil, or administrative action or proceeding.

We will generally act on your written request within 30 days of receipt. Where appropriate, we may provide you with a summary of your PHI rather than access to, and copies of, it. To the extent we use or maintain this information in an electronic health record, you may request that we provide you with a copy of such information in an electronic format. We will provide access in the electronic form and format requested if it is readily reproducible in the requested format.

If you request a copy of the information, we may charge a reasonable fee for the costs of copying and, in some circumstances, summarizing the information and mailing it to you. If we and our business associates do not maintain the PHI, but know where it is maintained, you will be informed where to direct your requests.

We may deny your request to inspect and copy your PHI. In certain very limited circumstances, our denial will be unreviewable. Ordinarily, however, you may request within a reasonable period of time that the denial be reviewed. Except for unusual circumstances, 90 days will be deemed a reasonable period of time in which to review a request.

Right to Amend. If you feel that the PHI we have about you is incorrect or incomplete, you may ask us to amend the information. You must provide a reason that supports your request. You have the right to request an amendment for as long as the information is kept by or for us.

We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that is:

• Not part of the PHI kept by or for us;

• Not information that was not created by us, unless the person or entity that created the information is no longer available to make the amendment;

• Not part of the information which you would be permitted to inspect and copy; or

• Accurate and complete.

We must act on your request for an amendment of your PHI no later than 60 days after receipt of your request. We may extend the time for making a decision for no more than 30 days, but we must provide you with a written explanation for the delay. If we deny your request, we will keep your request on file. We will distribute your request (or a summary) with all future disclosures of the information to which it relates, but only if you ask us to do so. Further, you may submit a written statement disagreeing with the denial and we will keep it on file and distribute it (or a summary) with all future disclosures of the information to which it relates.

Right to an Accounting of Disclosures. You have the right to request an “accounting of disclosures.” This is a list of our disclosures of your PHI, with certain exceptions. These exceptions include disclosures:

• To you or to persons involved in your health care or payment for that care.

• Pursuant to your written authorization.

• For the purpose of carrying out treatment, payment or health care operations.

• That is incidental to another permissible use or disclosure.

• For disaster relief, national security or intelligence purposes.

• To correctional institutions or law enforcement officers who have you in custody at the time of the disclosure.

• As part of a limited data set.

• To a health oversight agency or lawful requests from law enforcement officials.

Your request must state a time period that may not be longer than six years. The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved, and you may choose to withdraw or modify your request at that time before any costs are incurred.

We must act on your request for an accounting of the disclosures of your PHI no later than 60 days after receipt of the request. We may extend the time for providing you an accounting by no more than 30 days, but we must provide you with a written explanation for the delay.

Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI that we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a limit on the health information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend.

We are required to grant your request to restrict or limit the PHI we use or disclose about you to a health plan for payment and/or health care operations, if not otherwise required by law, if such PHI relates only to a health care item or service for which you paid the health care provider in full, out-of-pocket. In all other circumstances, we are not required to agree to your request.

If we are required to grant your request, or elect to do so, a restriction may later be terminated by your written request, by agreement between you and us (including an oral agreement), or unilaterally by us for PHI created or received after you are notified that the restriction has been removed. We may also disclose your PHI if you need emergency treatment, even if we have provided for a restriction.

Any request for a restriction must indicate what information you want to limit, whether you want to limit our use, disclosure, or both, and to whom you want the limits to apply.

Right to Confidential Communications. You have the right to file a request to receive communications from us on a confidential basis by using an alternative means for receipt of information or by receiving the information at an alternative location, but only if you believe and state that the disclosure of all or part of your information could endanger you. All reasonable requests will be granted.

Right to a Paper Copy of This Notice. You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this Notice.

CHANGES TO THIS NOTICE

We are required to, and will, abide by the provisions of this Notice as currently in effect, but we reserve the right to change this Notice effective for PHI we already have about you as well as any information we receive in the future. We will provide you with a revised Notice as soon as practicable following any material revisions to the Notice. We will also post a copy of the Notice on our website. The Notice contains its effective date on the first page, in the top right-hand corner.

COMPLAINTS

If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, contact the Privacy Officer. All complaints must be submitted in writing. You will not be retaliated against for exercising any right or process described in this Notice, including the filing of a complaint or testifying, assisting, or participating in an investigation, compliance review, or hearing.

QUESTIONS

If you have any questions regarding this Notice, please feel to contact our Privacy at 617-465-0969, or write to 91 1st Street – 425024, Cambridge, MA 02141 or at privacy@arboretum.bio.

‍