Fasten Connect - Privacy and Security Policy

Effective as of March 20, 2026

This Privacy and Security Policy (this “Policy”) explains how Fasten Health, Inc. (“Fasten Health,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use Fasten Connect. This includes our website https://www.fastenhealth.com/connect, the Fasten Connect API https://api.connect.fastenhealth.com, the Fasten Connect Portal https://portal.connect.fastenhealth.com, and any related services (together, “Fasten Connect” or the “Services”).

Fasten Health respects your privacy and handles your personal information with care. This Policy applies only to Fasten Connect, not to other products or services we offer. This Policy will also apply to your information for as long as we hold it.

By visiting the Site or using the Services, you agree to the practices described in this Policy.


Before you connect your health records through Fasten Connect, you will see a brief, easy-to-understand summary of how your data will be used, stored, and shared. This summary includes:

  • What information is collected
  • Who it will be shared with (if anyone)
  • How long it will be stored
  • Your rights to revoke or delete data

You will be asked to consent to this information explicitly. You can view the full Policy at any time by following the provided link.


We Do Not Sell Your Personal Information

We don’t sell your personal information, ever. That includes your name, contact details, and any health-related data.

When you use Fasten Connect to link your health information with a third-party app, we only share the specific data you have agreed to share. This may include diagnostic, treatment, or billing information. That data is temporarily stored on secure Fasten Health servers to ensure reliable delivery of our services. This data is automatically deleted within 24 hours after successful transmission.

If we work with trusted third-party vendors, such as cloud storage or analytics services, it is solely to help deliver and improve Fasten Connect. These vendors are not allowed to use your data for their own marketing or advertising.


Definition of Personal Information

“Personal Information” means any information that can identify you. It includes:

  • Personally Identifiable Information (PII): This includes any information that can directly identify an individual or is capable of doing so when combined with other information. Examples include but are not limited to an individual’s name, address, email address, phone number, or social security number.
  • Protected Health Information (PHI): This includes any information in an individual’s medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. It includes, but is not limited to, details such as the individual’s physical or mental health or condition, health care services that the individual receives, or a health plan’s payment for these services, such as the individual’s name, address, telephone number, health insurance information, Medicare Beneficiary number, or financial information related to payment for healthcare services.

We do not currently anonymize or de-identify your Personal Information. If we want to anonymize or de-identify your Personal Information in the future, then we will update this Policy and explain how that will happen.


The Information We Collect About You

Through our Site, fastenhealth.com

We collect Personal Information when you:

  • submit information through the “Contact” page of our website
  • register on our website
  • respond to our communications (such as responding to an email from us)
  • utilize features of our Site

The Personal Information that we collect can include your:

  • name
  • email address
  • phone number

Through our Fasten Connect Services

To use Fasten Connect, we need some personal information to provide our services:

  • Account Information: When you create a Fasten Connect account, we require details such as your first name, last name, telephone number, and email address.
  • Personal Health Information: Fasten Connect enables the linking of your Personal Health Information with third-party applications. When you use this feature, you will be asked to consent to share specific health information, which may include diagnostic, treatment, and billing information. This information is temporarily stored on secure Fasten Health servers to enhance service reliability and operation.
  • User Content: Includes all data, documents, or other content that you upload, input, or otherwise transmit while using Fasten Connect.

Voluntary Information You Provide to Us

You may also choose to give us more information, like when you:

  • Fill out a form
  • Update your account
  • Answer surveys
  • Join forums or promotions
  • Contact support

Information Collected Automatically

We also collect some information automatically:

  • Aggregated Data: Includes details of your interactions with the service, such as which features you use and how you use them. We may share your Personal Information with third-party service providers to analyze how our Services and features are being used.
  • Log Data and Device Information: We collect data related to your device and your use of our services, including IP address, device type, operating system, unique device identifiers, browser information, crash data, and other request information.
  • Cookies: We use cookies and similar tracking technologies to collect information about your interaction with our website, which helps us improve your user experience and tailor our services to your preferences. You can change cookie settings in your browser. Turning off cookies may limit some features.

How We Use Your Information

We will not sell, rent, license, or trade your Personal Information with third parties for their own direct marketing use. Unless you give us your permission, we will not share your Personal Information other than as stated in this Policy.

We collect and use your information to improve your experience and make Fasten Connect work better for you.

  • Communication: To contact you via email, phone, or postal mail about updates, security alerts, and product offerings related to Fasten Connect.
  • Customization: To tailor the content and features you see, ensuring a personalized experience on our platform.
  • Legal Compliance and Protection: To comply with legal obligations, prevent fraud, protect our digital and physical assets, and defend our legal rights or manage disputes where necessary.
  • Operational Necessities: To manage our services, including data storage, information security, and authentication. These actions are crucial for maintaining the integrity and accessibility of Fasten Connect.
  • Research and Development: To better understand your needs and interests, leading to enhanced features and new product development. This includes analyzing usage patterns and aggregating information to improve how our services integrate and function.
  • Security and Technical Support: To secure our services, address and resolve technical issues, and ensure the smooth functioning of Fasten Connect.
  • Service Delivery: To respond promptly to your requests, provide efficient customer support, and deliver the services you have signed up for.
  • Third-Party Services: We enable integration with third-party services upon your direction and with your explicit consent.
  • Consent-Based Activities: For any other purposes for which we have explicitly obtained your consent.

How We Share Your Information

BIDIRECTIONAL IAS PROVIDER: FASTEN HEALTH PROVIDES BIDIRECTIONAL SERVICES. THIS GIVES YOU THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE AND TO HAVE THE OPTION TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.

We only share your information when it’s needed to run our services or meet legal requirements. Where applicable, all of our uses and disclosures that occur through the Trusted Exchange Framework and Common Agreement (“TEFCA”) will align with requirements stated in TEFCA and applicable guidance that may be issued by the federal Department of Health and Human Services.

Third-party service providers must safeguard the Personal Information we entrust to them and are permitted to use such information solely for fulfilling the services we have contracted them for. They are prohibited from using this personal information for their own direct marketing purposes.

The handling of shared information is subject to the privacy policies of these third-party providers, including any Personal Information accessed through them. These providers are also expected to guide you on how to adjust your privacy settings on their platforms.

Here are the ways we may share your information:

  • With affiliates that assist us in providing you with our Services, such as payment processors and cloud service providers, but we will require our affiliates to only use or disclose your information for the purposes of providing the services requested of them and in accordance with this Policy.
  • If we believe that the disclosure is reasonably necessary to (a) satisfy an applicable law, regulation, legal process, or enforceable governmental request; (b) detect, prevent, or otherwise address illegal or suspected illegal activities; or (c) protect the safety, rights, or property of Fasten Health, the public, or any person.
  • We may share your Personal Information with other businesses in connection with the sale, assignment, merger or other transfer of all or a portion of our business to those businesses. We will require those businesses to honor the rules of this Policy.
  • Via TEFCA Exchange, when you authorize that disclosure and where the workflow supports such disclosure.

It is important to note that our third-party service providers have their own privacy policies, which may differ from ours. We encourage you to read their privacy policies to understand how they handle your information.

By using Fasten Connect, you agree to the practices described in this section. If you want to opt out of sharing your Personal Information, then you can notify us and you should stop using our Services. If you have any concerns about how we share your information, please contact us at [email protected].

We will not use your Personal Information to assert any form of claim or demand against you, unless you owe us a fee and we need to use your Personal Information to collect amounts owed to us.

Use Limitations

Fasten Connect allows you to share your health information with third-party apps of your choice. To protect your rights, we follow and require all customers to follow strict data use standards.

As a member of the CARIN Alliance and a signatory of its Code of Conduct, Fasten Health adheres to and enforces the following requirements on all customers:

  • Consent-Only Use: Your data may only be used or shared based on clear, informed consent provided by you.
  • Opt Out: You have the right to opt out of having your Personal Information disclosed. If you opt out, neither we nor a customer will be able to disclose your Personal Information.
  • No Marketing Without Opt-In: Any marketing or advertising use requires separate, explicit opt-in consent.
  • Children’s Data: We and our customers must follow all applicable laws, including COPPA, when handling data about minors.
  • Policy Changes: If we or a customer changes how we or they use your data, we or they must notify you and allow you to withdraw consent.
  • Withdraw Anytime: You must be able to revoke consent easily and stop future use of your data.
  • Third-Party Sharing: We and our customers must disclose any third-party access to your data and let you control it.
  • AI/ML Use: Use of your data for AI or machine learning must be clearly disclosed.
  • Business Changes: We and our customers must explain what happens to your data in the event of a sale or shut down.

To report a potential violation, contact [email protected].


Your Individual Rights

As part of our compliance with TEFCA, we ensure that you have the following rights:

  • We will obtain your consent before we disclose your individually identifiable data through TEFCA, which will be consistent with the statements in the Policy concerning the consent process. You can choose to consent to disclose your identifiable data for treatment, payment, health care operations, public health, individual access services, government benefits determinations, and any other exchange purpose permitted or required by an applicable law or government agency.
  • You can access your individually identifiable information through our services by contacting us and following the instructions in the “How to Access, Update or Delete Your Information” section of this Policy.
  • Download your individually identifiable information in a machine-readable format. For example, we might send you an electronic copy of your personally identifiable information, such as in PDF format, when you use our services. That file can be downloaded by you.
  • Revoke your consent at any time by contacting us and following the instructions in the “How to Access, Update or Delete Your Information” section of this Policy. The process for revoking consent is designed to be simple, electronic, and as prompt as reasonably possible. If you revoke your consent, then we will stop all further requests or disclosures of your individually identifiable information through our TEFCA connection, but this does not undo any prior authorized requests or disclosures that were made in compliance with your consent. Revoking your consent also will not stop uses or disclosures by us that are either required by applicable law or permitted by applicable law.
  • If you find an error with your information, you should contact the organization where the information came from to make any necessary correction.

How We Secure Your Information

The security of your Personal Information is important to us, and we strive to implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information we store in order to protect it from unauthorized access, destruction, use, modification, or disclosure. One aspect of the security measures we take is to encrypt data both at rest and in transit.

However, please be aware that no method of transmission over the internet, or method of electronic storage, is 100% secure, and we are unable to guarantee the absolute security of the Personal Information we have collected from you.

In the unlikely event that our systems are breached, we will immediately fix any damage and add more protection to prevent it from happening again. If your Personal Information is compromised, we will notify you of what was compromised and any recommended actions you should take.


How to Access, Update or Delete Your Information

You may request access to, updates to, or deletion of your Personal Information by contacting us at [email protected].

To help us verify your identity and process your request, your email must include the following:

  • First Name
  • Last Name
  • Birthdate
  • Gender
  • Address
  • The type of request you are making

You may submit any of the following requests:

  • Access to a copy of your Personal Information or Protected Health Information stored on our systems
  • Deletion of your data from our systems
  • Information about how your data is being used
  • Revocation of your consent for Fasten Health to maintain, use, or disclose your data, to the extent applicable to your relationship with us

If you want to revoke your consent, please follow these steps:

  1. Send an email to [email protected]
  2. Use a subject line such as “Revoke Consent Request”
  3. In the body of your email, provide your First Name, Last Name, Birthdate, Gender, and Address.
  4. Clearly state that you are revoking your consent and describe the scope of your request, including whether you are also requesting deletion of your data or access to a copy of your information.
  5. If we need additional information to verify your identity or clarify your request, we will contact you using the email address from which the request was submitted.

Once we verify your identity and confirm your request, we will process it in accordance with applicable law and our data retention obligations.

We keep your information only as long as we need it for the reasons described in this Policy. If you ask for access to your Personal Information, we will provide you with an export of your Personal Information if it is still in our possession.

Upon your request, Fasten Health will permanently delete 100% of your personal information, including all associated data stored on our systems. This deletion is irreversible and applies to all identifiable data under your account, in accordance with applicable laws and data retention obligations.

Fasten Health will take action on an individual’s requests no later than 30 calendar days from the receipt of the request. In cases where, due to unforeseen circumstances, we are unable to meet this timeframe, Fasten Health will provide the individual, within the initial 30-day period, with a written statement explaining the reasons for the delay and the anticipated date by which we will complete the requested action.


Our Responsibilities and Obligations

As part of this Policy, we need to make you aware of certain responsibilities and obligations that we need to follow, including as an individual access service provider. Those obligations and responsibilities include:

  • We will tell you within three (3) business days if we receive a civil or criminal subpoena, court order, search warrant, or other demand or compulsory disclosure in accordance with applicable law for your Personal Information. Unless prevented by applicable law, we will give you the chance to object to any request for us to produce your Personal Information, which could be you seeking a protective order or other remedy available under applicable law.
  • We will notify you within three (3) business days of us making your Personal Information available to a law enforcement agency.
  • We will comply with the terms of this Policy and will protect the security of your Personal Information in accordance with the applicable Framework Agreement that applies to us.
  • We will not charge any fees to you if you seek to exercise any of your individual rights explained in this Policy.

Identity Verification

When submitting access, deletion, or consent revocation requests, we may verify your identity using contact details, device verification, or other appropriate means to protect your data.


Applicability of HIPAA

The Health Insurance Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”) are U.S. federal privacy laws that protect health information when held by certain HIPAA regulated entities. Fasten Health is an IAS Provider, and is not directly subject to HIPAA. However, we follow TEFCA’s strict privacy and security requirements, which closely align with HIPAA’s privacy and security protections.

While we are not a covered entity under HIPAA, we may qualify as a business associate when providing services to some of our clients. When we are a business associate, we comply with the parts of HIPAA that apply to business associates. Regardless of the circumstances, we always adhere to the privacy and security requirements contained in TEFCA, which are fairly close to what HIPAA requires.


California Residents

If you are a California resident, specific rights are afforded to you under the California Consumer Privacy Act (CCPA). Fasten Health, Inc. respects these rights and provides you with the means to exercise them.

As a California resident, you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you. You also have the right to ask us to delete any Personal Information we have about you, with certain exceptions as allowed by law.

Furthermore, you have the right to know about the Personal Information we collect, our purposes for processing that information, and if we share it with any third parties. Fasten Health does not sell Personal Information, and we will not discriminate against you for exercising any of your CCPA rights.

To make a request related to your rights under CCPA, or if you need further information regarding your rights, please contact us at [email protected]. We may require specific information from you to help verify your identity before processing your request.


Acknowledgments

It is important to acknowledge certain limitations around the scope of this Policy. The nature of our services does not subject us to compliance with the Health Insurance Portability and Accountability Act along with its implementing regulations.


Acceptance and Updates to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will revise the “Effective Date” at the top of the policy and, where appropriate, notify you via email, or by prominently posting a notice within the Fasten Connect Portal.

We encourage you to review this page regularly so you are aware of any changes. Continued use of the Services after the updated Policy becomes effective constitutes your agreement to the revised policy.


Contacting Us

If you have any questions or concerns about the Policy or Fasten Health, please email us at [email protected] or call us at 415.373.2815.


Revision History

Date and Description of Changes

2026-03-20

  • Added “Applicability of HIPAA” and “Your Individual Rights” sections, required for TEFCA.
  • Added Phone Number for contacting us.
  • Clarified that “Use Limitations” apply to both Fasten & our Customers.
  • Updated “How to Access, Update or Delete Your Information” with data required to complete a request.

2026-03-16

  • Added “BiDirectional Services” statement under how we share your information, required for TEFCA.