HARVEST BIO LLC, AND AFFILIATES
RESET PRIVACY POLICY AND NOTICE

This Privacy Policy was last modified on July 12th, 2024.

THIS PRIVACY POLICY AND NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Harvest Bio LLC and its affiliates (“PursueCare”, “we” or “us”) provide prescription
digital therapeutics (“PDTs”) authorized by U.S. Food & Drug Administration. We also operate a website for Health Care Providers and Clinical Partners at https://patient-dashboard.digitalcbt.pursuecare.com/ (the “Website” or “Site”) through which Health Care Providers and Clinical Partners view End User (“End User”, “you” or “user”) information and monitor End User use of the PDT and the Service. The Site and the PDTs (which together describe the digital prescription therapies designed to improve health outcomes), and the analytics collection, data collection, storage, analysis and reporting tools, functions and related services, are collectively referred to in this Privacy Policy as the Service.

This Privacy Policy covers how PursueCare collects, receives, uses, retains, and discloses Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) on its PDTs or the Site. PII includes information about you that is personally identifying such as your name, email address, and phone number and which is not otherwise publicly available. PHI includes information relating to your health, for example medical history, test and laboratory results, insurance information and other data that a health care professional collects to identify an individual and determine appropriate care. PII and PHI may include other types of information depending on the legal definition that applies in your physical location. Only the legal definitions of PII and PHI that apply in your location will apply to you under this Privacy Policy. PII and PHI are referred to collectively in this Privacy Policy as “Personal Data.”

Clinical Partners are hospitals, clinics, practices or other medical groups or health care systems that have contracted with PursueCare to permit use of the Service by their respective Health Care Providers and End Users; Health Care Providers are practitioners, patient advocates, coaches or other individuals who (as employees of or contractors to a Clinical Partner) provide health care or related services to Patients; Service Partners are service partners that have contracted with PursueCare to facilitate the use of the Service by their respective Health Care Providers and End Users; and End Users are individual patients of the Clinical Partner who receive medical treatments or other health care services from one or more Health Care Providers, or individuals who are properly authorized representatives of any such End User.

Health Care Providers, Clinical and Service Partners provide your Personal Data to PursueCare in order to register you as a user of the Service. As you use the PDT and the Service, the information you provide through the PDT and Service will be viewed by your Health Care Provider and Clinical Partner on the Site to enable your health care team to provide therapy and treatment.

The PDT is available only to End Users who have been given the necessary password or similar credential to access the Service. In order to receive access to and use the Service, End Users must have given their consent to a Clinical or Service Partner or Health Care Provider to the use and disclosure of their information as described in this Privacy Policy. Users must also provide their consent to PursueCare, as described below.

Agreement

By using the PDT or the Service, and/or by providing Personal Data to PursueCare, you accept and hereby expressly consent to our collection, use, retention, and disclosure of your Personal Data in accordance with the terms of this Privacy Policy. If you choose not to provide the requested information you will not be able to access the Service.

PursueCare’s Obligations

PursueCare is required to maintain the privacy of PHI, to provide End Users with notice of its legal duties and privacy practices with respect to PHI, and to notify affected individuals following a breach of unsecured PHI.

PursueCare is required to abide by the terms of this Privacy Policy currently in effect. However, this Privacy Policy may change from time to time, so please check back periodically to check the most recent modification date to ensure that you are aware of any changes in our processing of your Personal Data. Your continued use of the PDT or the Service after any changes signifies your express, explicit, voluntary and unambiguous consent to any such changes. If you do not agree to such changes, you must immediately stop using the PDT, the Service, and the Site.

Uses and Disclosures

End Users must be registered on the PDT and have an active account in order to use the Service. We receive Personal Data about End Users from a Health Care Provider, Clinical or Service Partner in order to establish an account and for you to be able to register for and use the Service and identify you as an authorized Patient. PursueCare may collect Personal Data when End Users are registered through the Site and confirmed within the PDT.

When registering on the PDT, we collect your email address and password which must be eight (8) characters in length and must include at least three (3) of the following categories of characters: numbers, uppercase letters, lowercase letters and special characters. We combine this information with the Personal Data about you that we receive from the applicable Health Care Provider, Clinical or Service Partner to create your user profileandprovideyouwiththeService.

When you use the PDT, we may also collect information from you relating to your treatment for and use of controlled substances. It is always your choice whether or not to provide us with such information, which we will share with the Health Care Provider, Clinical or Service Partner. In sum, PursueCare uses Personal Data and information you provide to us through the PDT and the Service to:

  1. Provide the Service and treatment, for example PursueCare may use or PHI for the purpose of allowing it, Health Care Provider, Clinical, and Service Partners to provide treatment, contact you about reminders and treatment effectiveness and alternatives;

  2. Communicate with you, for example to reset password or reminders;

  3. Communicate with your Health Care Providers, Service and Clinical Partners as applicable to review the functionality and effectiveness of treatment including this and other prescriptions provided by Health Care Provider;

  4. For payment – we may use/disclosure your information for the purpose of allowing us as well as our partners to secure payment for services provided to you;

  5. For health care operations – we may compile information and Analytics about you, your use of the PDT and other treatments and share those with our Partners;

  6. Create user profiles;

  7. Create de-identified analytical information about the effectiveness of the Services and overall improvement thereof; and

  8. Reply to your request for information or comments.

Analytics

When you use the PDT or the Service, we collect and de-identify information relating to your browser or device type, the time and date you use the Service, operating system, identification of Site or PDT page views, use of particular Service features, geographic location and other statistical information relating to your use of the PDT or the Service but which does not identify you. This information is referred to in this Privacy Policy as “Analytics.” We use Analytics to develop, improve, extend and test the Service (and underlying technology platforms); and we disclose, distribute and transmit Analytics to Clinical and Service Partners for their use.

Authorization for Disclosures to Third Parties

PursueCare obtains your authorization regarding gift rewards vendors. PursueCare or reSET does not disclose your information (name, PHI) to gift card vendors. However, by providing the End User with a gift card from a gift card vendor, the gift card vendor can potentially trace the End User to PursueCare or reSET. Additionally, the End User may be required to provide the gift card vendor with the End User’s name and contact information such as email. This will permit the gift card vendor to trace the End User to PursueCare or reSET and may identify End User as having applied to or receiving alcohol, drug abuse or mental health treatment.

A separate authorization would also be required for

Use and disclosure of PHI for marketing purposes
Use and disclosure of psychotherapy notes
Uses and disclosures not described in this Privacy Policy

Withdrawing Consent

You may withdraw your consent to further use of your Personal Data by discussing this request with your Health Care Provider or emailing a request to us at care@pursuecare.com We will respond to your request in accordance with the law that applies to you. Your Personal Data which we processed prior to your request may not be deleted from our Site or Service system records but will be blocked from further processing without your permission. A request to withdraw consent may not apply to information collected by tracking technologies or used internally to recognize you and/or facilitate your visits to the Site, or information we may keep to comply with legal requirements. Any such requests that relate to Personal Data or similarly PHI will be addressed consistent with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rules or other applicable laws.

A Health Care Provider may access, change, or modify your information, according to the privacy policy of that Clinical Partner. If you wish to access, amend, or modify your information in any way, please discuss this change with your Health Care Provider.

Protecting Your Information

Certain health and medical information about you is protected under HIPAA and applicable state law. This information may be provided by you online or offline, or may be collected by us from other methods such as through a health care provider. We protect covered health and medical information as required by HIPAA and applicable state law. Similarly, we may use covered health and medical information as permitted by HIPAA and applicable state law.

PursueCare uses secure server software (SSL), firewalls, and end-to-end encryption to protect your Personal Data from unauthorized access, disclosure, alteration, or destruction. All Personal Data is transmitted, stored, and processed in a secure environment in accordance with the Privacy and Security Rules under HIPAA and related guidance. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its security.

We will retain Personal Data for as long as necessary to provide our services, but in no case later than six (6) years following termination of Services or withdrawal of your consent, unless otherwise required by law. We will retain and use Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Information Sharing and Disclosure

Your Personal Data will be shared with your health care team, including Health Care Providers, Clinical and Service Partners, which they will access and view through the Site. We disclose your Personal Data and non- Personal data to third party vendors who help us operate the Site. These third parties are contractually obligated to maintain the confidentiality of your Personal Data consistent with the terms of this Privacy Policy and to comply with the applicable data protection laws.

We will disclose your information in response to valid legal process, for example, in response to a court order, a subpoena or other legal request for information, and/or to comply with applicable legal and regulatory reporting requirements. We also may disclose your information in response to a law enforcement agency’s request or other request for information from the U.S. or other government entities, or where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or to verify or enforce compliance with the policies governing our products and/or services and with applicable laws, or as otherwise required or permitted by law or consistent with legal requirements. In addition, we may, upon notice to you and/or your Clinical Partner, transfer your information to an entity or individual that acquires, buys, or merges with PursueCare, or our other business units.

We share Analytics with Health Care Providers, Clinical and Service Partners for their internal use.

Links to Other Sites; Third Party Apps; Transactions with Third Parties

The Site may contain links to other sites that are not owned or controlled by PursueCare. Please be aware that we are not responsible for the privacy practices of these other sites. We encourage you to review the privacy policies and statements of other sites to understand their information practices. Our Privacy Policy applies only to information collected by our Site and Services.

You may be able to obtain an PDT, access the Service and/or communicate with the Service from (and link or communicate from the Service to), applications, devices, distribution platforms and websites owned and operated by Clinical or Service Partners and/or by Apple, Google or other third-party distribution platform operators (“Channel Partners”). These other applications, devices, platforms and websites belong to third parties and are not operated or controlled by PursueCare. Our Privacy Policy does not apply to any information collected, received, used, processed, transferred or disclosed by such third parties. Additional or different terms and conditions (including without limitation, privacy and security practices) apply when you access and use third party applications, devices, platforms and websites, which are not the responsibility of PursueCare.

PursueCare is not responsible for and will not be a party to any transactions between you and a third- party provider of products, information or services. PursueCare does not monitor such transactions or ensure the confidentiality of your Personal Data, including credit card information, for any third-party transaction. Any separate charges or obligations you incur in your dealings with these third parties linked to PursueCare are solely your responsibility.

Children

Our Service is intended for individuals who are over the age of 18. If you believe a child who is under age 13 has used the Service and entered personal health information, please contact us using one of the options provided below.

End User Rights Regarding Protected Health Information

Under HIPAA, you have certain rights with respect to PHI, including:

  • request restrictions on certain uses and disclosures of PHI; however, PursueCare is not required to agree with the requested restriction and due to technical and administrative limitations, PursueCare reserves the right to terminate Services;
  • receive confidential communications of PHI; inspect and copy PHI;
  • amend PHI;
  • receive an accounting of disclosures of PHI;
  • and obtain a paper copy of the notice upon request.

Your California Privacy Rights; California Do Not Track Disclosures

If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information, as defined in California Civil Code Section 1798.83(e)(7), by PursueCare or its subsidiaries to a third party for the third party’s direct marketing purposes. Since we do not make such disclosures, we are exempt from these reporting requirements.

Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities, over time and across different websites. We do not honor “Do Not Track” signals.

Accessing Your Information

Your Health Care Provider may access, review, change, or update your Personal Data through the Site, and you should speak to your Health Care Provider to make changes on your behalf. You may reset your password through the PDT by following the password reset instructions.

Contact Us About this Privacy Policy

PursueCare commits to resolving complaints about your privacy and our collection or use of your Personal Data. If you believe your privacy rights have been violated or you disagree with any action PursueCare has taken with regard to your Personal Data, you may file a complaint with PursueCare by calling our compliance hotline at (866) 787-7887. If you feel PursueCare has violated your health

information privacy rights, you may also file a complaint under HIPAA with the U.S. Department of Health and Human Services, Office of Civil Rights (OCR). PursueCare will not take any action against you for making a complaint to OCR.

If you would like more information about your privacy rights, this Privacy Policy or if you have related questions or suggestions, please email us at legal@pursuecare.com. You may also contact us at:

Harvest Bio LLC
Attn: Legal
101 Centerpoint Drive, Suite 105 Middletown, CT 06457

Terms of Service

Please also visit the Terms of Service, accessible from the PDT menu, establishing, among other provisions, the use, disclaimers, and limitations of liability governing the use of our PDT and Website.