Privacy Policy

Multi-state US Version 2

CardioMetaboliQ Labs LLC dba CMiQHealth

187 Calle Magdalena, Suite 210, Encinitas, CA 92024

support@cmiqhealth.com

Effective Date: May 6, 2026

How to read this policy: This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, how long we keep it, and the rights you have under U.S. state privacy laws. We are based in the United States and serve U.S. customers. If you are outside the U.S., do not submit personal information to CardioMetaboliQ Labs LLC dba CMiQHealth.

1. Who We Are

CardioMetaboliQ Labs LLC dba CMiQHealth ("we," "us," or "our") is the controller of personal information collected through the Site at https://cmiqhealth.com (the "Site") and the Services described in our Terms & Conditions. Contact us at support@cmiqhealth.com or 187 Calle Magdalena, Suite 210, Encinitas, CA 92024.

2. Scope and Special Cases

This Policy applies to personal information we collect from licensed healthcare practitioners and from visitors to the Site. It does not apply to:

Protected Health Information (PHI) we receive, create, maintain, or transmit on behalf of a practitioner customer. PHI is governed by the federal HIPAA Privacy and Security Rules and our Statement of HIPAA Practices, and is handled under a Business Associate Agreement (BAA) with the practitioner.
Information we process on behalf of a practitioner where the practitioner is the controller of that information.

3. Information We Collect

We collect the following categories of personal information, organized using the categories defined in California Civil Code § 1798.140:

3.1 Identifiers

Name, postal address, professional address, email address, telephone number, account username, IP address, device identifiers, and online identifiers.

3.2 Customer Records

Billing and shipping addresses, professional license number, National Provider Identifier (NPI), payment-card information (processed by our payment processor; we do not store full card numbers), and order history.

3.3 Commercial Information

Records of products and services purchased, considered, or returned; usage history within the Site.

3.4 Internet or Network Activity

Browsing history, interaction with the Site and emails, referrer URLs, and similar log data collected via cookies, pixels, server logs, and analytics tools.

3.5 Geolocation

Approximate location derived from IP address. We do not collect precise geolocation.

3.6 Professional or Employment-Related Information

Practice name, specialty, credentials, license issuing state, and verification metadata.

3.7 Inferences

Inferences derived from the categories above, used to personalize content and improve the Services.

3.8 Sensitive Personal Information (CPRA)

In limited circumstances, we may receive sensitive personal information as defined under the California Privacy Rights Act, including:

Government-issued identifiers, such as professional license numbers.
Account log-in credentials.
Information concerning health, where it is necessary to verify Practitioner-account-related communications.

We use sensitive personal information only as reasonably necessary to provide the Services and as otherwise permitted by California Civil Code § 1798.121. We do not use or disclose sensitive personal information for purposes that require an opt-out under that section. PHI is handled separately under HIPAA and the BAA, not under this Policy.

4. Sources of Information

We collect personal information from:

You directly, when you create an account, place an order, contact support, or interact with our communications.
Automatically, through cookies, pixels, server logs, and analytics tools, when you use the Site.
Service providers and partners, including payment processors, license-verification vendors, shipping carriers, and analytics providers.
Public records and publicly available sources, including state license registries and the NPPES NPI registry.

5. Why We Use Personal Information

We use personal information for the following business and commercial purposes:

To provide, maintain, and improve the Services, including verifying Practitioner credentials, processing orders, generating Reports, and providing customer support.
To process payments through our payment processor.
To communicate with you about your account, orders, security, and changes to our terms or policies.
With your consent, to send you marketing communications. You can unsubscribe at any time.
To analyze use of the Services, monitor performance, and develop new features.
To detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms.
To comply with legal, regulatory, accounting, audit, and reporting obligations, and to enforce our agreements.

6. How We Share Personal Information

We share personal information with the following categories of recipients, under written agreements that restrict their use of the data to the purposes for which it was provided:

Service providers, including hosting, IT, customer support, license-verification, analytics, email delivery, payment processing, and shipping carriers.
Professional advisors, including attorneys, accountants, auditors, and insurers.
Affiliates, in connection with corporate operations or any merger, acquisition, reorganization, financing, or sale of assets.
Government authorities, regulators, and other parties, where reasonably necessary to comply with applicable law, court order, or lawful process; to protect our rights or those of others; or to investigate fraud or wrongdoing.

We do not sell personal information for monetary consideration. Whether the use of certain analytics or advertising cookies constitutes "sharing" or "selling" under the broad definitions in CPRA and similar laws depends on configuration; see Section 8 (Cookies) and Section 11 (Your Rights) for the controls we provide.

7. Retention

We retain personal information for as long as needed for the purposes described, then delete or anonymize it. Specific retention periods include:

Practitioner account information: for the life of the account plus seven (7) years after closure, to support audit and tax obligations.
Order and transaction records: seven (7) years from the transaction date, to comply with tax and financial-recordkeeping requirements.
Marketing preference data: until you unsubscribe, plus one (1) year for suppression-list purposes.
Web analytics and server logs: up to twenty-six (26) months, then aggregated or deleted.
PHI: governed by HIPAA, the BAA with the practitioner, and applicable laboratory-recordkeeping rules under CLIA and state law.

8. Cookies, Analytics, and Online Tracking

We use cookies, pixels, and similar technologies to operate the Site, remember preferences, measure performance, and understand usage. Some cookies are essential. Others are optional and require consent where local law requires it. We honor browser-level "Do Not Track" signals where reasonably feasible, and we honor the Global Privacy Control (GPC) signal as a valid opt-out request from California, Colorado, and Connecticut residents.

You can manage cookie preferences through our cookie banner or the "Cookie Settings" link in the Site footer. You can also clear cookies through your browser settings. Disabling certain cookies may affect Site functionality.

We do not knowingly use cookies for cross-context behavioral advertising. If we begin doing so, we will provide a "Do Not Sell or Share My Personal Information" link and update this Policy.

9. Security

We use administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, alteration, disclosure, or destruction, including encryption in transit and at rest, access controls, logging, and vendor due diligence. No system is fully secure, and we cannot guarantee absolute security. PHI is protected under additional safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).

10. Children's Privacy

The Services are intended for licensed adult healthcare professionals. We do not knowingly collect personal information directly from children under sixteen (16). If you believe we have inadvertently collected personal information from a child, contact us at support@cmiqhealth.com and we will take steps to delete it.

11. Your Rights Under U.S. State Privacy Laws

Depending on the state in which you reside, you may have one or more of the following rights with respect to your personal information:

Right to know or access. Request a copy of the personal information we hold about you and information about our processing.
Right to correct. Request correction of inaccurate personal information.
Right to delete. Request deletion of personal information we hold about you, subject to legal exceptions.
Right to opt out of sale or sharing. Direct us not to sell or share your personal information for cross-context behavioral advertising.
Right to limit use of sensitive personal information.
Right to opt out of certain profiling and automated decision-making.
Right to data portability. Receive a copy of your personal information in a portable, structured format.
Right to non-discrimination. We will not discriminate against you for exercising your rights.
Right to appeal. Where state law provides, you may appeal our denial of a rights request.

These rights are recognized under, among others, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act (MCDPA), the Iowa Consumer Data Protection Act (ICDPA), the Delaware Personal Data Privacy Act (DPDPA), the New Hampshire Privacy Act (NHPA), the Nebraska Data Privacy Act (NDPA), the New Jersey Data Privacy Law (NJDPL), the Minnesota Consumer Data Privacy Act (MCDPA), the Maryland Online Data Privacy Act (MODPA), the Tennessee Information Protection Act (TIPA), and the Indiana Consumer Data Protection Act (ICDPA).

11.1 How to Submit a Request

Submit a rights request by emailing support@cmiqhealth.com with the subject line "Privacy Rights Request," or by mail to 187 Calle Magdalena, Suite 210, Encinitas, CA 92024. Authorized agents may submit requests on your behalf with verifiable written authorization.

11.2 Verification

To protect your information, we will verify your identity before fulfilling a rights request. We may ask you to confirm information we already hold about you (such as recent order details or your registered email address). For deletion requests or requests involving sensitive personal information, we may apply heightened verification.

11.3 Response Times

We will acknowledge your request within ten (10) business days and provide a substantive response within forty-five (45) days. We may extend the response period by an additional forty-five (45) days where reasonably necessary, in which case we will notify you of the extension and the reasons for it.

11.4 Appeal

If we deny your request and your state of residence provides an appeal right, you may appeal by replying to our denial or emailing support@cmiqhealth.com with the subject line "Privacy Rights Appeal."

12. California-Specific Disclosures

Notice at Collection. This Policy serves as our Notice at Collection under CCPA. The categories of personal information we collect, the purposes for collection, and the categories of recipients are described in Sections 3, 5, and 6.
Shine the Light. California Civil Code § 1798.83 permits California residents to request a list of personal information disclosed to third parties for direct-marketing purposes. We do not disclose personal information for third-party direct marketing.
Sensitive Personal Information. Our use of sensitive personal information is limited as described in Section 3.8.
Do Not Sell or Share. We do not sell or share personal information for cross-context behavioral advertising. If we begin doing so, we will add a "Do Not Sell or Share My Personal Information" link to our Site footer.

13. Nevada Residents

Nevada residents may submit a request not to sell their covered personal information to support@cmiqhealth.com.

14. HIPAA and Personal Information

This Policy does not govern PHI processed by us as a Business Associate of a practitioner. PHI is governed by HIPAA, by the BAA between us and the practitioner, and by our Statement of HIPAA Practices. If your communication with us about a rights request implicates PHI, we may direct you to the appropriate practitioner.

15. International Visitors

The Services are intended for U.S. customers. If you access the Site from outside the U.S., your information will be transferred to and processed in the U.S., where data protection laws may differ from those of your country. We do not market the Services to residents of the European Economic Area, the United Kingdom, or other regions outside the U.S.

16. Changes to this Policy

We may update this Policy from time to time. The "Effective Date" at the top of this Policy reflects the most recent version. Material changes will be highlighted on the Site, and active customers will receive notice by email at least thirty (30) days before the changes take effect. Prior versions are available on request.

17. Contact

Questions about this Policy or your information? Contact CardioMetaboliQ Labs LLC dba CMiQHealth at support@cmiqhealth.com or 187 Calle Magdalena, Suite 210, Encinitas, CA 92024.