Effective Date: April 27, 2026 | Last Updated: April 27, 2026
PREAMBLE AND DEFINED TERMS
This Privacy Policy ("Policy") describes how Fine Wines Health LLC ("Company," "we," "us," or "our") collects, uses, discloses, retains, and protects information obtained through www.finewineshealth.com and any related mobile applications or digital platforms (collectively, the "Platform"). This Policy applies to all users of the Platform ("you," "your," or "User").
All clinical services are provided exclusively by Online Medical Care, PC ("PC"), a licensed professional corporation. Throughout this Policy, "Company" and "PC" refer to the entities defined above. The PC's collection and use of protected health information in connection with clinical care is governed separately by the PC's Notice of Privacy Practices, which is available on the Platform.
By using the Platform, you acknowledge that you have read and understood this Policy and consent to the collection, use, and disclosure of your information as described herein. If you do not agree with this Policy, do not use the Platform.
1. ORGANIZATIONAL STRUCTURE AND ROLES UNDER APPLICABLE LAW
The Company is a management services organization ("MSO") that provides technology infrastructure, scheduling tools, payment processing, and administrative support services to the PC. The Company is not a licensed healthcare provider and does not provide clinical services.
The PC is a licensed professional corporation through which contracted licensed clinicians ("Providers") deliver clinical services to patients via telehealth. The PC is a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA") with respect to protected health information ("PHI") created or maintained in connection with clinical services. The Company may act as a Business Associate of the PC to the extent it handles PHI in the course of performing administrative services, pursuant to a Business Associate Agreement.
This Policy governs the Company's data practices with respect to the Platform and administrative operations. It does not govern the PC's clinical use and disclosure of PHI, which is addressed in the PC's Notice of Privacy Practices. The two documents should be read together.
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
We collect information you provide when you create an account, complete intake forms, schedule appointments, make payments, or communicate with us through the Platform. This may include:
- Identity information: full name, date of birth, gender, and government-issued identification information (where required for identity verification);
- Contact information: email address, mailing address, telephone number, and emergency contact details;
- Account credentials: username, password, and security questions;
- Intake and health information: health history, current symptoms, medications, allergies, prior diagnoses, and other clinical intake information submitted through intake forms, questionnaires, or onboarding tools ("Health Information");
- Payment information: credit card numbers, debit card numbers, HSA/FSA card numbers, billing address, and other financial information (processed and stored by our payment processors — the Company does not store full payment card numbers);
- Communications: messages, chat logs, feedback, support requests, and other content you submit through the Platform.
2.2 Information Collected Automatically
When you access or use the Platform, we and our service providers may automatically collect certain technical information, including:
- Device information: device type, operating system, browser type and version, unique device identifiers, and mobile network information;
- Usage data: pages visited, features used, time spent on pages, links clicked, and navigation paths;
- Log data: IP address, access times, referring and exit URLs, and error logs;
- Location data: general geographic location inferred from IP address (we do not collect precise GPS location without your express consent);
- Cookies and similar tracking technologies: as described in Section 8 of this Policy.
2.3 Health Information and Intake Data
When you submit Health Information through the Platform, the Company collects this information on behalf of the PC as part of its administrative intake services. Health Information submitted through intake forms and clinical onboarding tools is transmitted to the PC and its Providers for purposes of delivering clinical care. The Company processes intake information as an administrative service provider and may act as a Business Associate under HIPAA with respect to this information.
Health Information submitted to the Platform becomes part of the patient record maintained by the PC and is subject to the PC's Notice of Privacy Practices and applicable state and federal healthcare privacy laws. To the extent any Health Information constitutes PHI under HIPAA, it will be used and disclosed only as permitted by HIPAA and applicable state law.
2.4 Sensitive Health Information
The Company may collect certain categories of Sensitive Personal Information as defined under applicable privacy laws, including the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”). This may include Health Information, identification data, payment information, account credentials, and communications submitted through the Platform.
The Company uses Sensitive Personal Information only as necessary to provide and operate the Platform, support the PC’s administrative functions, comply with legal obligations, and ensure security and fraud prevention.
The Company does not use or disclose Sensitive Personal Information for cross-context behavioral advertising or other purposes that would require a right to limit such use under applicable law. Users may exercise applicable rights as described in Section 11.
2.5 Information from Third Parties
We may receive information about you from third parties, including identity verification services, payment processors, and analytics providers. We may also receive information when you connect third-party accounts (such as health apps or pharmacy records) to the Platform, to the extent you authorize such connections.
3. HOW WE USE YOUR INFORMATION
The Company uses information collected through the Platform for the following purposes:
- Platform operations: to operate, maintain, authenticate, and improve the Platform;
- Appointment and care coordination: to schedule, manage, and facilitate appointments and communicate administrative information to you and the PC;
- Payment processing: to process and collect fees for services rendered through the PC;
- Communications: to send appointment reminders, account notifications, service updates, and other administrative communications;
- Legal compliance: to comply with applicable laws, regulations, and professional obligations, including HIPAA, state privacy laws, and court orders;
- Safety and fraud prevention: to detect, investigate, and prevent fraudulent, unauthorized, or illegal activity;
- Research and analytics: to analyze Platform usage, improve service quality, and conduct de-identified or aggregated research and analytics;
- Marketing (with consent): to send promotional communications about our services, subject to your right to opt out as described in Section 10.
The Company does not use Health Information for advertising, marketing to third parties, or any purpose inconsistent with clinical care and administrative services without your express consent.
4. HOW INFORMATION FLOWS THROUGH THE PLATFORM
When you submit information through the Platform, including intake forms, health questionnaires, secure messages, and appointment details, that information may be transmitted to and accessed by the PC and its licensed Providers for purposes of delivering clinical care and coordinating treatment.
The Company uses HIPAA-compliant service providers and implements safeguards designed to support the secure transmission and storage of information, including Health Information. All service providers who handle PHI on behalf of the Company or the PC are required to enter into appropriate Business Associate Agreements or equivalent data protection agreements.
The Company does not access, review, or use the substance of clinical communications between you and your Provider except to the limited extent necessary for platform maintenance, security, technical support, legal compliance, or as otherwise required to provide administrative services to the PC. Access to such information, when necessary, is restricted to authorized personnel and subject to appropriate safeguards.
5. DISCLOSURE OF YOUR INFORMATION
5.1 Disclosure to the PC and Providers
The Company shares information you submit through the Platform with the PC and its contracted Providers as necessary to facilitate the scheduling, coordination, and delivery of clinical services. This sharing is a core administrative function of the Platform.
5.2 Service Providers and Business Associates
We may disclose your information to third-party vendors, contractors, and service providers ("Service Providers") who perform services on our behalf, including hosting and infrastructure providers, payment processors, identity verification services, scheduling tools, electronic health record systems, analytics providers, and telehealth technology vendors. Where required, we enter into written agreements with Service Providers that restrict their use and disclosure of your information and require them to implement appropriate safeguards. Service Providers who handle PHI are required to execute Business Associate Agreements.
5.3 Legal Requirements and Safety
We may disclose your information to the extent required or permitted by applicable law, including in response to a subpoena, court order, or other legal process; to comply with a legal obligation; to protect the rights, property, or safety of the Company, the PC, users, Providers, or the public; or to prevent or investigate suspected fraud, violations of our Terms and Conditions, or illegal activity.
5.4 Business Transfers
If the Company undergoes a merger, acquisition, bankruptcy, dissolution, reorganization, or sale of all or substantially all of its assets, your information may be transferred to a successor or acquiring entity as part of that transaction. We will provide notice of any such transfer and any material changes to this Policy in accordance with Section 14.
5.5 De-Identified and Aggregated Information
We may use and disclose de-identified or aggregated information that does not identify you individually for any lawful purpose, including research, analytics, product improvement, and business development. De-identified information is not subject to this Policy.
5.6 No Sale of Personal Information
The Company does not sell your personal information or Health Information to third parties for monetary consideration. The Company also does not share Health Information or Protected Health Information with third parties for cross-context behavioral advertising. However, the Company may use certain analytics and advertising technologies that could be considered a “sharing” of personal information under applicable state privacy laws, including the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), where such technologies involve the disclosure of identifiers or device information to third-party service providers for purposes such as analytics, performance measurement, or limited advertising on unauthenticated portions of the Platform.
Any such sharing:
- does not involve Health Information or Protected Health Information;
- is limited to non-sensitive technical and usage data;
- is subject to contractual restrictions with service providers; and
- may be controlled by you through available opt-out mechanisms, including Global Privacy Control signals and other tools described in Section 8 and Section 11.
Users have the right to opt out of such sharing as described in Section 11.
6. HIPAA, PROTECTED HEALTH INFORMATION, AND CLINICAL PRIVACY
6.1 HIPAA Roles
The PC is the HIPAA Covered Entity responsible for the privacy and security of PHI generated in connection with clinical services. The Company may function as a Business Associate of the PC with respect to PHI it handles in the course of providing administrative services, pursuant to a Business Associate Agreement between the Company and the PC.
It is important to understand that HIPAA does not apply to all health-related information simply because health information is involved. Information that you submit through the Platform that is not used solely for the provision of clinical services by the PC and its Providers may not constitute PHI subject to HIPAA. Such information may be subject to this Policy and other applicable state privacy laws.
6.2 Notice of Privacy Practices
The PC has adopted a Notice of Privacy Practices that describes in detail how the PC uses and discloses PHI, your rights with respect to your PHI, and how to exercise those rights. The Notice of Privacy Practices is available on the Platform and will be provided to you at the time of your first clinical encounter. For questions about the PC's clinical privacy practices, please refer to the Notice of Privacy Practices or contact the PC directly.
6.3 State Healthcare Privacy Laws
In addition to HIPAA, certain state laws provide additional protections for health information. The Company and the PC comply with applicable state healthcare privacy laws, including the California Confidentiality of Medical Information Act ("CMIA") and other state laws that may provide protections beyond those required by HIPAA. Where state law provides greater privacy protections than HIPAA, the Company and the PC will comply with the more protective standard.
7. CONSUMER HEALTH DATA AND EMERGING STATE PRIVACY LAWS
Several states have enacted consumer health data privacy laws that apply to health-related information held by entities that may not be subject to HIPAA, or that extend protections beyond HIPAA. These laws may apply to certain data practices of the Company with respect to non-PHI health information collected through the Platform.
Depending on your state of residence, you may have additional rights with respect to your consumer health data, including rights regarding collection, sharing, and use of health-related information. Key state laws that may apply include:
- Washington State: The My Health My Data Act (MHMDA) broadly regulates consumer health data, restricts geofencing near healthcare facilities, and provides a private right of action;
- Nevada: SB 370 imposes consent, notice, and security requirements for consumer health data and restricts geofencing;
- Connecticut: State law prohibits geofencing near healthcare facilities and restricts the collection and use of health data;
- California: AB 352 and related regulations impose segmentation and access controls for sensitive health services.
To the extent these laws apply to the Company's data practices, the Company will comply with the applicable requirements. If you have questions about your rights under state consumer health data laws, please contact us using the information in Section 15.
8. COOKIES, TRACKING TECHNOLOGIES, AND ONLINE ADVERTISING
8.1 Types of Tracking Technologies
The Platform uses cookies and similar technologies, which may include:
- Essential cookies: necessary for the Platform to function, including session management and authentication;
- Analytics cookies and technologies: used to understand how users interact with the Platform, identify errors, and improve performance (e.g., Google Analytics or similar tools);
- Advertising and targeting technologies: used to measure the effectiveness of our marketing and, in limited circumstances, to deliver relevant advertising (subject to your opt-out rights described below).
8.2 Third-Party Tracking and Advertising Pixels
The Platform may use third-party advertising and analytics technologies, including tracking pixels, conversion APIs, and similar tools ("Tracking Technologies") provided by third parties such as advertising networks and analytics companies. These Tracking Technologies may collect certain information about your interactions with the Platform — such as pages visited, actions taken, and device identifiers — and transmit that information to third parties for analytics and advertising purposes.
IMPORTANT: THE COMPANY DOES NOT USE TRACKING TECHNOLOGIES TO TRANSMIT YOUR PROTECTED HEALTH INFORMATION OR SENSITIVE HEALTH DATA TO THIRD-PARTY ADVERTISERS OR SOCIAL MEDIA PLATFORMS FOR ADVERTISING PURPOSES. WE DO NOT SHARE HEALTH INFORMATION WITH ANY ADVERTISING NETWORK, SOCIAL MEDIA COMPANY, OR MARKETING PLATFORM WITHOUT YOUR EXPRESS CONSENT. UNAUTHENTICATED PAGES OF THE PLATFORM (SUCH AS PUBLIC MARKETING PAGES) MAY USE STANDARD WEB ANALYTICS. AUTHENTICATED PAGES (SUCH AS YOUR PATIENT PORTAL) ARE NOT USED TO COLLECT INFORMATION FOR ADVERTISING PURPOSES.
This disclosure is provided in accordance with guidance from the Federal Trade Commission ("FTC") and the U.S. Department of Health and Human Services regarding the use of online tracking technologies by healthcare and telehealth companies, and in light of recent regulatory enforcement actions regarding unauthorized disclosure of health information to third-party advertising platforms.
8.3 Cookie Controls
You may manage cookies through your browser settings or by using a Global Privacy Control ("GPC") signal, which the Company honors for residents of states where such signals are legally required. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when cookies are set. Note that disabling certain cookies may affect the functionality of the Platform.
8.4 Do Not Track
Some browsers offer a "Do Not Track" setting. Because there is no uniform standard for how websites should respond to Do Not Track signals, the Platform does not currently respond to Do Not Track browser signals. However, the Company honors Global Privacy Control signals for applicable users as described above.
9. DATA RETENTION
The Company retains personal information only for as long as necessary to fulfill the purposes described in this Policy, including providing the Platform, supporting the PC’s administrative operations, complying with legal obligations, resolving disputes, and enforcing agreements. Retention periods are based on the type of information and applicable legal and regulatory requirements.
- Account information: retained for the duration of the account and a reasonable period thereafter for legal, compliance, and operational purposes;
- Health Information and PHI: retained in accordance with applicable federal and state healthcare records retention laws, including state medical records retention requirements (which in many states require retention for a minimum of 5 to 10 years);
- Payment information: retained as required by applicable tax and financial regulations, and as necessary to resolve billing disputes;
- Usage and technical data: retained for a period generally not to exceed 24 months, unless a longer period is required for legal or compliance purposes;
- Communications: retained for the period necessary to fulfill your requests, provide services, and comply with legal obligations.
When personal information is no longer needed for the purposes for which it was collected or as required by law, the Company uses commercially reasonable efforts to delete or de-identify such information in a secure manner.
10. DATA SECURITY
The Company implements reasonable and appropriate administrative, technical, and physical safeguards designed to protect personal information and Health Information against unauthorized access, use, disclosure, alteration, and destruction. These safeguards include, without limitation:
- Encryption of data in transit using industry-standard Transport Layer Security (TLS) protocols;
- Encryption of sensitive data at rest;
- Access controls limiting data access to authorized personnel on a need-to-know basis;
- Regular security assessments and vulnerability testing;
- Employee training on data privacy and security practices;
- Business Associate Agreements with service providers who handle PHI.
Despite these measures, no electronic data transmission or storage system can be guaranteed to be 100% secure. The Company cannot warrant or guarantee the absolute security of any information you transmit to or through the Platform. In the event of a security incident affecting your information, the Company and the PC will comply with applicable breach notification obligations under HIPAA, the FTC Health Breach Notification Rule, and applicable state breach notification laws.
11. YOUR PRIVACY RIGHTS
11.1 General Rights
Depending on your jurisdiction, you may have rights with respect to your personal information held by the Company. These rights may include:
- Right to access: the right to request information about the personal information the Company holds about you;
- Right to correction: the right to request that the Company correct inaccurate or incomplete personal information;
- Right to deletion: the right to request that the Company delete your personal information, subject to applicable legal exceptions;
- Right to data portability: the right to receive your personal information in a portable, machine-readable format;
- Right to restrict processing: the right to request that the Company restrict certain uses of your personal information;
- Right to opt out of advertising: the right to opt out of the sharing or sale of your personal information for advertising purposes.
To exercise any of these rights, please contact us using the information in Section 15. We will respond to verified requests within the timeframe required by applicable law. Please note that certain information may be exempt from these rights, including information subject to HIPAA (which is governed by the PC's Notice of Privacy Practices) and information we are required to retain by law.
11.2 HIPAA Patient Rights
With respect to PHI held by the PC, you have rights under HIPAA that are separate from and in addition to your rights under state privacy laws, including the right to access your medical records, request amendments, receive an accounting of disclosures, and restrict certain uses and disclosures. These rights are addressed in the PC's Notice of Privacy Practices and must be exercised directly with the PC.
11.3 California Residents — CCPA/CPRA Rights
If you are a California resident, you have the following additional rights under the CCPA/CPRA:
- Right to know: the right to request disclosure of the categories and specific pieces of personal information collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom the Company shares personal information;
- Right to delete: the right to request deletion of personal information, subject to certain exceptions;
- Right to correct: the right to request correction of inaccurate personal information;
- Right to opt out: the right to opt out of the sale or sharing of personal information, including for cross-context behavioral advertising;
- Right to limit sensitive personal information: the right to limit the use of sensitive personal information to purposes necessary for providing services;
- Right against discrimination: the right not to be discriminated against for exercising your CCPA/CPRA rights.
Note that certain health information subject to HIPAA or CMIA may be exempt from CCPA/CPRA rights. To submit a California privacy rights request, contact us at the information in Section 15 or visit our Privacy Center at https://finewineshealth.com/pages/your-privacy-choices. We will not discriminate against you for exercising your rights.
11.4 Other State Residents
Residents of Virginia, Colorado, Connecticut, Texas, Nevada, and other states with comprehensive consumer privacy laws may have rights similar to those described above. To the extent applicable state law grants you privacy rights with respect to personal information held by the Company, you may exercise those rights by contacting us using the information in Section 15.
11.5 Verification of Requests
To protect your privacy, we are required to verify your identity before responding to privacy rights requests. We may ask you to provide identifying information sufficient to confirm that you are the individual about whom the request is made, or to confirm authorization if you are submitting a request on behalf of another individual.
12. COMMUNICATIONS AND MARKETING OPT-OUT
You may opt out of marketing and promotional communications from the Company at any time by: (i) following the unsubscribe link in any marketing email; (ii) replying STOP to any marketing SMS; or (iii) contacting us at the information in Section 15. Even after opting out of marketing communications, you will continue to receive transactional, administrative, and legally required communications necessary to provide services and maintain your account.
13. THIRD-PARTY LINKS AND SERVICES
The Platform may contain links to third-party websites, services, or applications. This Policy does not apply to third-party websites or services, and the Company is not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services you access through the Platform.
14. CHILDREN'S PRIVACY
The Platform is not directed to children under the age of 13, and the Company does not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information. If you are a parent or guardian and believe your child under 13 has provided information to the Company, please contact us immediately using the information in Section 15. Clinical information regarding minors receiving care through the PC is handled in accordance with applicable state minor consent laws and the PC's Notice of Privacy Practices.
15. CHANGES TO THIS PRIVACY POLICY
The Company may update this Policy periodically to reflect changes in our data practices, applicable law, or business operations. When we make material changes to this Policy, we will notify you by posting the updated Policy on the Platform with a new effective date and, where appropriate, by providing additional notice by email or prominent notice on the Platform. Your continued use of the Platform after the effective date of any material change constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.
16. CONTACT INFORMATION AND PRIVACY REQUESTS
For questions about this Privacy Policy, to exercise your privacy rights, to submit a complaint, or to contact our privacy team, please reach out to:
FINE WINES HEALTH, LLC
Attn: Privacy / Legal Compliance
Address: 8900 Columbia 100 Pkwy, Ste. E
Columbia, MD 21045
Email: info@finewineshealth.com
We will respond to all privacy rights requests within the timeframe required by applicable law. For requests related to PHI maintained by the PC, please contact the PC directly as described in the PC's Notice of Privacy Practices.
© 2026 Fine Wines Health, LLC. All rights reserved.