Sarah Lynn Nutrition PLLC (“Practice”, “we”, “our”, or “us”) is committed to protecting your privacy and maintaining the confidentiality of your personal and health information. This privacy policy (“Privacy Policy” or “Policy”) describes how we collect, use, maintain, and disclose information about you in connection with our nutrition counseling, dietary consultation and related healthcare services, including telehealth services, and our website (“Services”).

This Policy works together with our HIPAA Notice of Privacy Practices (“Notice of Privacy Practices”), which specifically governs how we handle Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For information that constitutes PHI, we use and disclose it only as permitted under HIPAA and our Notice of Privacy Practices. This Policy addresses personal information that may not be covered by HIPAA, as well as your rights under New York State privacy laws. The Notice of Privacy Practices is available on our website www.sarahlynnnutrition.com (“Website”).

This Privacy Policy also supplements, but does not replace, our Website Terms of Use, which govern your access to and use of our website. By using our Website, you agree to comply with both this Privacy Policy and the Website Terms of Use. In the event of any conflict between this Privacy Policy and the Website Terms of Use with respect to the handling of personal and health information, the provisions of this Privacy Policy will govern.

By receiving Services or using our Website, you acknowledge that you have read and understand this Privacy Policy.

Scope of the Privacy Policy

This Privacy Policy applies to information we collect:

• During the provision of the Services;
• Through our Website and patient portal;
• In communications between you and our Practice, including email, text, phone calls, and secure messaging;
• During telehealth consultations and remote monitoring;
• Through intake forms, assessments, and other documentation related to your care; or
• When you interact with our advertising and applications (including mobile apps) on third-party websites and services, if those applications or advertising include links to this policy.

This Privacy Policy does not apply to:

• Information collected by third-party websites or services that may be linked from our website;
• Information collected by your insurance company or other healthcare providers; or
• Information you choose to share on public forums or social media platforms.

The Personal Data That We Collect or Process

The types and categories of personal data we collect or process include:

• Personal Identification Information: account and contact information, including name, address (such as home address, work address, or other address), email address, phone number, Social Security and driver’s license numbers, if you have consented to such information collection, and other contact information you provide us;
• Health Information: Medical history, dietary habits, nutritional assessments, treatment plans;
• Payment Information: credit card or debit card information and information about the payment methods and services (such as PayPal or Venmo) you use in connection with the Services;
• Insurance Information: insurance carrier, policy numbers, and coverage details;
• Account History: information about your subscription, account, transactions, services history, scheduling preferences, appointment history, and communication preferences;
• Demographic Information: age, gender, income level, education, or family or marital status, if you have consented to such information collection;
• Location information: general geographic location such as country, state or province, or city and precise geolocation, if you have enabled and consented to location information collection by providing us with such information;
• Website and Technical Information: information about your interactions with the Services, including IP address, browser type, pages visited, time spent on site, device information, operating system and version, preferred language, clickstream information, page response times, download errors, length of visits, page interaction details (such as scrolling, clicks, and mouse-overs), and browsing methods;
• Profile Content: content and information you elect to provide as part of your profile or in any reviews you make through the Services or emails, chats, or other communications sent to us.
• Images, Voice, and Video: Images, voice recordings, and videos collected or stored in connection with the Services, if you have consented to such information collection.
• Biometric Information: fingerprints, faceprints, voiceprints, iris or retina scans, keystroke patterns, gait, or other physical characteristics, as well as sleep, health, or exercise data, if you have consented to such information collection.
• Sensitive Information: Some data (identification documents, precise geolocation, biometric information) may be considered sensitive. PHI is also sensitive by default under HIPAA. Non-PHI sensitive information is handled in accordance with applicable laws. If you choose not to provide certain information or allow its collection, we may be unable to provide requested features, services, or information.

California Residents: To access our supplemental California privacy statement, please visit the dedicated section below: California Residents – Your Privacy Rights.

We also collect:

• Statistics or Aggregated Information: this non-identifying data is derived from personal information to evaluate features, usage patterns and improve the Services. If we combine non-personal statistical or technical data with personal data so that it identifies an individual, it is treated as personal information.

How We Collect Data

You Provide Information to Us

We collect information about you when you interact with our Services, such as when you create or update an account, place an order, subscribe, or make a purchase, reservation, request, participate in surveys, sweepstakes, contests, or promotions, or create, upload, or post content to the Services, including reviews, media such as photos, videos, or audio recordings.

Automatically Through Our Services

As you use our Services, we may automatically collect certain information through data collection technologies. This may include personal data and non-identifiable information such as: usage details, IP addresses, operating system, and browser type, and information collected through cookies, web beacons, and other tracking technologies including details of your interactions with our Services, such as traffic data, location data, logs, and other communication data, and which resources and Services features that you access and use.

These technologies may also track your activities across third-party sites or services to improve our Services and provide a more personalized experience.

The technologies we use for this automatic data collection may include:

• Cookies. Small files placed on your device when you interact with our Services. You can disable cookies through your browser or device settings, but some features of the Services may not function properly if cookies are disabled.
• Web Beacons. Small electronic files in our Website or emails (also called clear gifs, pixel tags, or single-pixel gifs) that help measure user engagement, verify system integrity, and track the popularity of content.

Where applicable under law, if any of these technologies are used for personal data sales, targeted advertising, or profiling, you may opt out by submitting a written request to our Privacy Officer using the contact information provided in the Contact Information section. Please note that some features of the Services may be unavailable if you opt out.

Collected through Third-Party Sources

When you interact with the Services, there are third parties that may use automatic collection technologies to collect information about your or your device. These third parties may include:

• Advertisers, ad networks, and ad servers.
• Analytics companies.
• Your device manufacturer.
• Your internet or mobile service provider.

These third parties may collect information about your online activities across our Services and other websites, apps, platforms, or online services. This information may be linked to your personal data or collected as non-identifiable data and may be used to provide interest-based (behavioral) advertising or other targeted content.

We do not control the tracking technologies used by these third parties or how they use the information they collect. For questions about their practices, please contact the third party directly.

We may receive personal data about you from other sources and combine that with information we collect directly from you. For example, we may obtain information about you from service providers that we engage to perform services on our behalf, such as email platform providers, content delivery services, payment processors, promotions services, gift card program providers, analytics, security and anti-fraud services, and data brokers. We also may receive personal data from business partners that we engage to share consumer information with us, including your personal preferences and demographic information such as age, gender, and income level, so that we can better provide you with personalized experience, including personalized content/offers and services.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal data, to:

• Provide Services, manage accounts, process payments, fulfill requests.
• Improve Services and personalize content.
• Promote our Services, business, and offerings by publishing advertising on our own Services and by placing ads on third parties’ services.
• Comply with legal obligations, enforcement of agreements, including billing and collection, and protection against fraud or harm.
• Notify you when Services updates are available and about changes to any products or services we offer or provide through them.
• In any other way we may describe when you provide the information.
• For any other purpose with your consent.

The usage information we collect, whether connected to your personal data or not, helps us improve our Services and deliver a better and more personalized experience by enabling us to:

• Estimate our audience sizes and usage patterns.
• Store information about your preferences, allowing us to customize the Services according to your individual needs and interests.
• Speed up your searches.
• Recognize you when you return to our Services.

We may use your information to contact you about goods or services that may be of interest to you, in compliance with the HIPAA and applicable New York State privacy laws. You may opt out of receiving these communications at any time by checking the relevant box on the form where you provide your information, adjusting your preferences in your account profile, or following the unsubscribe instructions in any communication you receive from us. For more information, please see Your Rights and Choices About Your Information section.

Who We Disclose Your Information To

We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.

We may disclose personal data to:

• Our subsidiaries and affiliates for purposes consistent with this Privacy Policy.
• Contractors, vendors, and other service providers who perform services on our behalf and are contractually obligated to maintain the confidentiality of your personal data and use it only for the purposes for which it is disclosed.
• Successors in the event of a merger, acquisition, divestiture, or sale of all or part of our assets, where personal data held by the Practice is among the transferred assets.
• Third parties for our own marketing purposes only with your express written consent. These third parties are contractually required to keep personal data confidential and use it solely for the purposes for which we disclose it.
• Fulfill the purpose for which you provide the information. For example, if you submit your email address to sign up for our newsletter through our Services, we may use that information to send you the requested communications.
• Health information exchanges (HIEs) or other authorized healthcare providers for treatment coordination or as otherwise required by law.
• Fulfill any other purpose disclosed to you at the time the information is collected, or with your consent.

We may also disclose your personal data:

• To comply with any applicable law, regulation, court order, or governmental or regulatory request.
• To enforce our terms of service, agreements, or policies, including for billing and collections, and to protect the rights, property, or safety of our organization, our clients, or others. This may include sharing information with other companies and organizations for fraud prevention or credit risk mitigation.

Categories of Personal Data We May Disclose

• Account and contact information.
• Payment information.
• Account history, including information about your subscription, account, transactions, purchases, order history, or discounts.
• Demographic information.
• Location information, including general geographic location and precise geolocation.
• Device information.
• Content and information you elect to provide to us.
• Images, voice recordings, and videos collected or stored in connection with the Services, if you have consented to such information collection.
• Identity document information.
• Biometric information.

Your Rights and Choices About Your Information

This section explains the choices you have to control how we use and disclose your personal information, and your rights under applicable state and federal laws.

Advertising, marketing, cookies, and other tracking technologies choices:

• Cookies and Other Tracking Technologies. You can configure your browser or device to refuse some or all cookies or other tracking technologies, or to alert you when these files are being sent. You may also submit a written request to our Privacy Officer to restrict the collection or use of your information through other tracking technologies. Please note that disabling certain technologies may limit your ability to use some features of our Services. Some browsers provide a “Do Not Track” (DNT) option, but because there is no universal standard for DNT signals, we may not respond to all such signals.
• Promotions by the Practice. If you prefer that we do not use your information to promote our products or services, or those of third parties, you may opt out by submitting a written request to our Privacy Officer.
• Targeted Advertising by the Practice. If you do not want us to use information that we collect or that you provide to us to deliver advertisements according to our advertisers’ target audience preferences, you can opt out by submitting a written request to our Privacy Officer using the contact details provided in the Contact Information section.
• Disclosure of Your Information for Third-Party Advertising. You may opt out of receiving targeted or interest-based advertisements delivered using your information by submitting a written request to our Privacy Officer. Please note that some third parties may provide their own opt-out options. For example, you can manage targeted ad preferences through the Network Advertising Initiative (“NAI”) at https://thenai.org/how-to-opt-out/.

Location Information

You can choose whether or not to allow the Services to collect and use real-time information about your device’s location through the device’s privacy settings. If you block the use of location information, some Services features may become inaccessible or not function properly.

PHI for Marketing

Under HIPAA, we will not use your PHI for marketing purposes without your express written consent. Any such requests must be submitted through the authorization form provided in our Notice of Privacy Practices.

How We Protect Your Personal Data

We use commercially reasonable administrative, physical, and technical measures to protect your personal data from accidental loss, destruction, and unauthorized access, use, alteration, or disclosure.

However, no website, mobile application, system, electronic storage, or online service is completely secure, and we cannot guarantee the security of personal data transmitted through or in connection with our Services. In particular, emails, text messages, and chats sent to or from the Services may not be secure, so you should carefully consider what information you share through these channels. Any transmission of personal data is at your own risk.

The safety and security of your information also depends on you. You are responsible for taking steps to protect your personal data against unauthorized use, disclosure, and access.

We safeguard medical information in accordance with federal and New York State requirements, maintaining administrative, technical, and physical safeguards to prevent unauthorized access, use, or disclosure. Access to medical records is restricted to authorized personnel.

Telehealth Privacy Considerations

We provide telehealth services using secure, HIPAA-compliant platforms that include:

• End-to-end encryption for all video consultations and communications
• Secure patient authentication and identity verification procedures
• Protected messaging systems for communication between appointments
• Secure storage of any electronic health information transmitted during telehealth sessions

To protect your privacy during telehealth appointments:

• Ensure you are in a private location where others cannot overhear your conversation
• Use a secure internet connection (avoid public Wi-Fi when possible)
• Verify that no unauthorized persons can see your screen
• Close other applications and browser windows that might compromise privacy

We do not record telehealth sessions unless specifically requested for treatment purposes and with your written authorization. Any recordings made with your consent will be stored securely and treated as part of your medical record.

Children’s and Minors’ Data

Our Services are not intended for, and we do not knowingly collect any personal data from, children under the age of 18, except as permitted by applicable law. For minor patients, we collect and use personal information only after obtaining the necessary consent from a parent or legal guardian, unless such consent is not required under applicable law. Notwithstanding the foregoing, in accordance with New York law, we recognize that minors may independently consent to certain healthcare services, including but not limited to:

• Reproductive healthcare services
• Specific mental health services
• Substance use treatment
• HIV testing and treatment
• Prenatal care
• Sexually transmitted infection testing and treatment
• Nutrition counseling related to eating disorders (in certain circumstances)

When a minor independently consents to Services, we will not disclose information about that care to parents or guardians without the minor’s written consent, except as required by law or when necessary to prevent serious harm. We will discuss confidentiality protections with minor patients and, when appropriate, encourage communication with parents or guardians while respecting the minor’s privacy rights.

For minors receiving Services with parental consent, parents or guardians generally have the right to access their child’s health information, subject to the exceptions noted above and the minor’s developing capacity to make healthcare decisions.

Special Protection for Certain Types of Health Information

Certain types of health information receive special protection under New York law. This includes information related to HIV, mental health, substance use disorders, and genetic information. If your care involves any of these types of information, we will provide you with additional details about your rights and obtain any necessary authorizations before sharing or disclosing it.

How We Retain Your Personal Data

We retain health information in accordance with New York State requirements and professional standards:

• Adult Patient Records: Maintained for at least six years from the date of last service
• Minor Patient Records: Maintained until the patient reaches age 21, or for six years from the date of last service, whichever is longer
• Electronic Communications: Retained according to the same schedule as other medical records
• Billing and Insurance Records: Retained as required by applicable law and regulations

We maintain administrative, physical, and technical safeguards to protect your information in compliance with applicable law, including:

• Secure, encrypted storage systems for electronic records
• Limited access controls ensuring only authorized personnel can access your information
• Regular security training for all staff members
• Secure disposal procedures for paper and electronic records
• Business associate agreements with all third-party service providers, as required by law

Your State Privacy Rights

Depending on your state of residency, you may have certain rights related to your personal data, including:

• Access and Data Portability. You may confirm whether we process your personal data and access a copy of the personal data we process. To the extent feasible and required by state law, depending on your state, data will be provided in a portable format. Depending on your state, you may have the right to receive additional information and it will be included in the response to your access request.
• Correction. You may request that we correct inaccuracies in your personal data that we maintain, taking into account the information’s nature and processing purpose.
• Deletion. You may request that we delete personal data about you that we maintain, subject to certain exceptions under applicable law.
• Opt Out of Using Personal Data for Targeted Advertising, Profiling, and Sales. You may request that we do not use your personal data for these purposes.

Important: The exact scope of these rights vary by state. There are also several exceptions where we may not have an obligation to fulfill your request.

To exercise any of these rights or appeal a decision regarding a consumer rights request, please send a written request to our Privacy Officer using the contact details provided in Contact Information section.

Nevada Residents: Nevada provides its residents with a limited right to opt out of certain personal data sales. Residents who wish to exercise their sale opt-out rights may submit a written request to our Privacy Officer using the contact details provided in Contact Information section.

California Residents: Additional information applies to California residents. To access our supplemental California privacy statement and learn more about California residents’ privacy rights, visit the dedicated section below: California Residents – Your Privacy Rights.

Notice Regarding Balance Billing Protections

New York law protects patients from “surprise bills” and “balance billing” for emergency services and certain non-emergency services provided by out-of-network providers. If you believe you have received a surprise bill, you may contact the New York State Department of Financial Services at 1-800-342-3736 or the federal No Surprises Help Desk at 1-800-985-3059.

California Residents – Your Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These include the right to know what personal information we collect, use, disclose, and share; the right to request deletion or correction of your personal information; and the right to opt out of the sale or sharing of your personal data. We will not discriminate against you for exercising these rights. To submit a request, please write to our Privacy Officer using the contact details provided in the Contact Information section. We will respond within the timeframes required by law.

Under the Confidentiality of Medical Information Act (CMIA), as amended by AB 1184, California residents have additional rights regarding their health data. You may request confidential communications, inspect and correct medical records, and control disclosures of sensitive health information, including mental health, reproductive health, substance use treatment, and gender-affirming care. For detailed guidance and instructions on exercising these rights—including how to request amendments or confidentiality preferences—please contact our Privacy Officer in writing using the contact information provided in Contact Information section. Please find additional resources at the California Attorney General’s “Your Patient Privacy Rights” page: https://oag.ca.gov/privacy/facts/medical-privacy/patient-rights.

Changes to Our Privacy Policy

We may update this Policy from time to time, and we will provide notice of any such changes as required by law. Your continued use of the Services after we make changes as described here is deemed acceptance of those changes. Please check the Policy periodically for updates.

Contact Information

To exercise your rights or ask questions or comment about this privacy policy or our privacy practices, contact our Privacy Officer at: sarah@sarahlynnnutrition.com