PRIVACY POLICY

Last Updated: January 1, 2026

1. SCOPE OF POLICY

This Privacy Policy explains how Syntrillo, Inc (“Syntrillo”, “we”, “us”, or “our”) collects, uses, discloses, and protects information obtained through our website, patient portal, telehealth platform, scheduling tools, communications systems, mobile app, and related online services (collectively, the “Services”). Our HIPAA Notice of Privacy Practices governs the use and disclosure of protected health information (PHI) in connection with your care. If there is any conflict between this Privacy Policy and our HIPAA Notice of Privacy Practices with respect to protected health information, the HIPAA Notice controls.

Each User’s participation is also governed by the Terms and Conditions, which are entered into and agreed to by each User prior to using the Services. Unless we define a term in this Privacy Policy, all capitalized terms used in this Privacy Policy have the same meanings set forth in our Terms and Conditions. This Privacy Policy applies to Services based in the United States. Our Services are designed and intended solely for use by residents of the United States.

Our Services are intended exclusively for individuals aged 18 and older. We do not knowingly collect personal data from minors. If you suspect that a child has submitted information to us, please notify us without delay by contacting privacy@syntrillo.com.

2. INFORMATION WE COLLECT

We may collect information that you provide directly, such as your name, contact information, date of birth, insurance information, payment information, health-related information such as medical history and biometric data, and communications with our staff or clinicians. Routine collection of PHI is limited to the minimum necessary to deliver clinical care. We may also collect additional PHI for clinical trials and other research and development purposes only after consent has been obtained from you and, if applicable, from the appropriate research oversight bodies. You may withdraw this consent at any time.

Because we provide care virtually, we may also automatically and routinely collect information related to your telehealth visits, including your location at the time of the visit, device/browser data, connection quality, audio/video, chat, uploaded images, technical logs and other information necessary to deliver services and support the operation of our telehealth platform.

3. HOW WE USE INFORMATION

We use information to schedule and conduct visits, verify identity, determine eligibility for services, provide care, document encounters, process payments, communicate with you, maintain security, improve our services, and comply with legal and regulatory obligations. We may also use aggregated, de-identified health data (not considered PHI) for clinical trials, research and development, and quality improvement initiatives. You may request that your data not be used for clinical trials, research and development, or quality improvement initiatives; however, we may be unable to remove any data already de-identified and/or aggregated.

We may also use information for administrative, quality assurance, troubleshooting, and operational purposes consistent with applicable law.

4. SHARING OF INFORMATION

We may share information with third-party service providers that help us operate our telehealth practice, including hosting providers, scheduling systems, messaging platforms, billing vendors, analytics providers, and security vendors. These service providers are authorized to use information only as necessary to provide services on our behalf and are subject to appropriate confidentiality and security obligations. We may also disclose information as required or permitted by law, including to comply with legal process, prevent fraud or abuse, protect safety, or respond to lawful requests.

5. ACCESS AND CONTROL

Subject to applicable law, you may request access to, correction of, or limited deletion of personal information we maintain about you. If your request involves protected health information or records we are legally required to retain, we will review the request under HIPAA and other applicable law and may limit or deny the request to the extent required.

6. TELEHEALTH COMMUNICATIONS

By using our services, you understand that telehealth may involve electronic communications that can include email, text messaging, portal messaging, audio, video, or other electronic transmission methods. When communicating PHI to you, we will use appropriate administrative, technical, and physical safeguards, including HIPAA-compliant communication tools where appropriate. While we use reasonable safeguards to protect information, no system is completely secure, and you should use secure devices, networks, and communication channels when interacting with us.

7. AUTOMATED TOOLS

To support the operation of the Services and related business activities, we may use automated tools, including artificial intelligence (AI) technologies. These tools may assist with functions such as data organization, analytics, quality improvement, administrative activities, and system management, and are used in accordance with applicable law. Where AI tools are used in conjunction with PHI, we will have proper administrative, technical, and physical safeguards (including a signed Business Associate Agreement) and only use the minimum required PHI.

8. SECURITY

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, use, or disclosure. These safeguards may include access controls, encryption, audit logging, role-based permissions, and vendor oversight. You are responsible for maintaining the security of your own devices, accounts, passwords, and internet connections.

9. OTHER PLATFORMS

Our Services may contain links to third-party platforms and/or referrals to third-party services. We do not control these platforms and are not responsible for their content, privacy practices, or their use of your information. Any information you share directly with these third parties is governed by their privacy policies. We encourage you to review those policies before providing your information.

10. RETENTION

We retain information for as long as reasonably necessary to provide services, comply with legal and regulatory obligations, resolve disputes, maintain business records, and enforce agreements. Information subject to HIPAA, medical-record retention requirements, billing requirements, or other legal obligations may be retained even if you request deletion.

11. STATE-SPECIFIC NOTICES

Virginia Telehealth Privacy and Consent. If we provide telehealth services to you in Virginia, we may ask you to provide consent to receive care through telehealth before or during your first visit. Telehealth services are voluntary, and you may decline telehealth without losing the right to future care or treatment, subject to applicable law and clinical availability. Information collected, stored, transmitted, or retained through telehealth services, including communications, images, audio, video, and related records, will be handled in accordance with applicable federal and Virginia confidentiality requirements. We will identify the participants who may be present during a telehealth visit, and where required, we will not record telehealth consultations unless notice is provided and any necessary consent is obtained.

Utah Telehealth Notice. For patients in Utah, all telehealth encounters comply with HIPAA privacy and security measures, the HITECH Act, and industry standards to ensure your communications and records, including any recordings, remain secure and confidential. We use encryption, password protection, and authentication for transmissions. While we implement robust safeguards, no technology is risk-free; potential privacy risks may exist due to factors outside our control, such as your home or public environment (e.g., others overhearing or seeing your screen), third-party internet service interruptions, device security vulnerabilities on your end, or unauthorized access to your personal devices.

Privacy Notice for California Residents (and other states if applicable). If you are a California resident, certain personal information that we collect about you is subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Other states have similar laws that affect how we treat your personal information.

Please note that these laws may not apply to, among other things:

  • Information that is lawfully made available from federal, state, or local government records

  • Consumer information that is deidentified or aggregated

  • Protected health information that is collected by a covered entity or business associate governed by HIPAA

  • Medical information maintained by a provider of health care governed by California's Confidentiality of Medical Information Act (CMIA)

Collection of Personal Information

The Personal Information we collect, use, and share may fall into certain categories defined by CCPA and CPRA or other laws. Accordingly, we may collect:

  • Identifiers

  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))

  • Protected classification characteristics under California or federal law

  • Commercial information

  • Biometric information

  • Internet or other similar network activity

  • Geolocation data

  • Sensory data

  • Sensitive Personal Information

  • Professional or employment-related information

  • Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))

California laws define “sale” broadly to include the sharing of information in exchange for anything of value. If you opt in or consent to our use of advertising cookies and similar technologies, the use may be considered a “sale” of personal information under specific state consumer privacy laws (including in California).

We collect personal information from the following categories of sources:

  • Directly and indirectly from you, including through your interaction with the Websites

  • Social media platforms

  • Third party partners such as analytics or marketing providers

  • Automatically through tracking technologies. Please note, if you have enabled a Global Privacy Control on your browser, our Websites are configured to recognize and respect those preferences with respect to Personal Information that falls under the CCPA/CPRA.

Your California Rights (and elsewhere if applicable) Include:

  • Right to know what personal information we collect

  • Right to delete personal information

  • Right to opt out of sale or sharing

  • Right to correct inaccurate information

  • Right to limit use of sensitive personal information

  • Right to data portability

  • Non-discrimination for exercising rights

How can I exercise my privacy rights?

Depending on your state of residency, you may have some or all of the following rights:

  • Right to Know: The right to request details about the Personal Information we collect, use, or disclose, as well as information about our data practices. In some states, this may also include a list of third parties (as defined by applicable law) with whom we have shared your Personal Information

  • Right to Request Correction: The right to request correction of any inaccurate Personal Information we maintain about you

  • Right to Request Deletion: The right to request deletion of the personal information we have collected from or about you

  • Right to Opt Out of Targeted Advertising: The right to opt out of the use of your personal information for purposes considered “targeted advertising” under applicable U.S. privacy laws, including data collected from your activities on nonaffiliated websites or apps

  • Right to Non-Discrimination: The right not to be subject to discrimination for exercising your privacy rights

To exercise your rights and, as applicable, to appeal a consumer rights decision, please contact us at privacy@syntrillo.com.

Retention of Personal Information

We will retain your personal information for as long as necessary or permitted in light of the purposes described in this Policy. However, some personal information may be retained for longer periods as required by law or to fulfill contract or auditing requirements. We also retain personal information for as long as necessary to establish, exercise, or defend legal claims, or as otherwise permitted by applicable law.

12. CONTACT INFORMATION

If you have questions about this Privacy Policy or wish to submit a request regarding your personal information, please contact us using the contact form on our website or by sending an email to privacy@syntrillo.com.