Privacy Policy
This Privacy Policy describes how NeuroTap Health, Inc. ("NeuroTap Health," "we," "us," or "our") collects, uses, discloses, and protects information about you when you use our website, mobile application, and digital therapeutic program (collectively, the "Services"). Please read this policy carefully. By using our Services, you acknowledge that you have read and understood this Privacy Policy.
This policy applies in addition to our HIPAA Notice of Privacy Practices, which governs our use and disclosure of your Protected Health Information as a HIPAA-covered entity. In the event of a conflict between this Privacy Policy and our HIPAA Notice, the HIPAA Notice governs with respect to Protected Health Information.
1. Information We Collect
1.1 Protected Health Information (PHI)
As a HIPAA-covered entity providing a digital therapeutic program, we collect and process Protected Health Information, which may include:
- Personal identifiers such as your name, date of birth, and contact information
- Health and medical history information you provide during enrollment and program participation
- Assessment responses, including validated clinical scales (e.g., GAD-7, PHQ-9, PROMIS) completed at baseline, quarterly, and program end
- Micro-assessment and in-session ratings collected during your program, including before-and-after symptom ratings and session quality data
- Communications with your care team through our platform
- Clinician-generated notes and care team observations
1.2 Account and Registration Information
When you create an account, we collect:
- Email address and password
- Mobile phone number, where you choose to enable SMS-based two-factor authentication
- Name, date of birth, and contact details
- Insurance or payment information where applicable
- Referring provider information
1.3 Automatically Collected Information
When you use our Services, we automatically collect certain technical information, including:
- Device identifiers and operating system information
- IP address and approximate location (city/region level)
- App usage data, session duration, and feature interactions
- Log data and error reports
This information is collected to operate, maintain, and improve our Services and is not used to identify you for marketing purposes.
1.4 Information You Provide Voluntarily
- Free-text responses in weekly check-in fields
- Communications you initiate with our support team
- Survey or feedback responses
2. How We Use Your Information
2.1 To Provide and Personalize the Program
- Delivering your assigned tapping exercise sessions and program track (MSK Pain or Behavioral Health)
- Tailoring session recommendations based on your assessment data and in-session ratings
- Calculating trend data and progress visualizations in your patient-facing dashboard
- Enabling your care team to monitor your progress and make protocol adjustments
2.2 Clinical Operations
- Coordinating care between your clinicians, program coordinators, and care team
- Sending you reminders, check-in prompts, and care team communications
- Escalating safety concerns to your care team when clinical thresholds are met
- Conducting quality assurance reviews of program delivery
2.3 Research and Outcomes Reporting
With appropriate authorization or as permitted by applicable law, we may use de-identified or limited data sets derived from your information to:
- Conduct outcomes research to evaluate and improve the effectiveness of tapping-based interventions
- Publish aggregate, de-identified program outcomes in academic or industry contexts
- Report de-identified population-level outcomes to payers, health systems, or research partners
We will not use individually identifiable health information for research without your separate written authorization, except as permitted under the HIPAA Privacy Rule (e.g., preparatory research activities, waiver approved by an IRB).
2.4 Legal and Compliance
- Complying with applicable federal and state laws, including HIPAA
- Responding to lawful requests from government authorities
- Protecting the rights, property, and safety of NeuroTap Health, our users, and the public
3. How We Share Your Information
We do not sell your personal information or Protected Health Information to third parties, and we do not permit advertisers to access your health data.
3.1 Your Care Team
Information you provide through the Services is shared with your treating clinicians and care team members as part of delivering your program. This includes your assessment results, session ratings, trend data, and any check-in responses you submit.
3.2 Third-Party Clinical Partners
We work with third-party clinical partners, including telehealth providers, supervising clinicians, and clinical operations vendors, who assist in delivering care. These partners are bound by Business Associate Agreements (BAAs) under HIPAA and may only use your PHI to perform services on our behalf.
3.3 Service Providers
We engage vendors and service providers who process data on our behalf, including cloud hosting, data analytics, customer support, and communications platforms. All such vendors who may access PHI are required to execute BAAs and maintain appropriate safeguards.
3.4 As Required by Law
We may disclose your information as required by law, including in response to subpoenas, court orders, or legal process; to report suspected child abuse or neglect; or to prevent a serious and imminent threat to health or safety, as permitted under the HIPAA Privacy Rule.
3.5 Business Transfers
If NeuroTap Health is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website prior to any such transfer, including any choices you may have regarding your information.
3.6 SMS / Text Messaging and Mobile Information
We use the mobile phone number you provide to send one-time verification codes for two-factor authentication, a security feature you may choose to enable for your NeuroTap Health account. Message frequency varies based on your login activity (typically one message per login attempt). Message and data rates may apply. Reply HELP for help, or reply STOP to opt out of SMS verification; if you opt out, you may use an alternative verification method.
No mobile information, including your phone number and your SMS opt-in and consent, will be shared with third parties or affiliates for marketing or promotional purposes. We may share mobile information only with the service providers that help us deliver these messages on our behalf, and only to the extent necessary to provide that service, under appropriate confidentiality obligations and Business Associate Agreements where applicable.
4. Data Retention
We retain your information for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Medical records and PHI are retained in accordance with applicable state law, which typically requires retention for a minimum of seven (7) years from the date of last service, or longer for minors.
5. Security
We implement administrative, physical, and technical safeguards designed to protect your information against unauthorized access, use, disclosure, alteration, or destruction, consistent with the HIPAA Security Rule. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls limiting PHI access to authorized personnel
- Regular risk assessments and vulnerability testing
- Employee HIPAA training and confidentiality agreements
- Incident response procedures for potential breaches
No method of electronic transmission or storage is 100% secure. We cannot guarantee the absolute security of your information. In the event of a breach affecting your unsecured PHI, we will notify you as required by the HIPAA Breach Notification Rule.
6. Your Rights
Depending on your jurisdiction and the nature of the information, you may have the following rights. Rights specific to your PHI are described in greater detail in our HIPAA Notice of Privacy Practices.
- Access: Request a copy of the personal information or PHI we hold about you
- Amendment: Request correction of inaccurate information
- Restriction: Request limits on how we use or disclose your PHI in certain circumstances
- Accounting: Request a list of certain disclosures of your PHI
- Confidential Communications: Request that we communicate with you in a particular way or at a particular location
- Deletion: Request deletion of non-PHI personal data where applicable law permits
To exercise your rights, please contact us using the information in Section 9 below. We will respond to all verified requests within the timeframes required by applicable law.
7. Children's Privacy
Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we become aware that we have collected personal information from a child under 13 without appropriate consent, we will take steps to delete that information. If you believe we have inadvertently collected information from a child, please contact us immediately.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email, through the app, or by posting a notice on our website at least 30 days before the changes take effect. Your continued use of our Services after any changes constitutes your acceptance of the revised policy. If we make changes to how we use your PHI, we will update our HIPAA Notice of Privacy Practices and provide you with a copy as required by law.
9. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy, please contact:
Privacy Officer — NeuroTap Health, Inc.
Email: privacy@neurotaphealth.com
For concerns specific to your rights under HIPAA, please also refer to our HIPAA Notice of Privacy Practices at www.neurotaphealth.com/hipaa or contact our HIPAA Privacy Officer at hipaa@neurotaphealth.com.