Subscribili: Privacy Policy (Global)
Effective Date: September 26, 2025
Subscribili, Inc. and its affiliates (“Subscribili,” “Subscribili UK Private Limited”, “we,” “us,” or “our”) respect your privacy. This Privacy Policy explains how our websites, mobile applications, and software tools (the “Services”) collect, use, disclose, and protect personal information.
By using the Services, you agree to this Privacy Policy. If you do not agree, please discontinue use. We may update this Policy from time to time and will post the latest version on our website; where required by law, we will provide notice of material changes. Subscribili is a service provider/processor/administrator for healthcare providers and excludes Patient Data from its privacy policy, directing patients to their healthcare provider for rights.
What This Privacy Policy Covers
This Privacy Policy explains how Subscribili collects, uses, discloses, and safeguards Personal Information when you access or use our websites, mobile applications, and software tools (the “Services”) or otherwise interact with us (for example, when you contact support). Personal Information (also called Personal Data) means information that identifies or relates to an identifiable individual and includes what may be called “personal information,” “personally identifiable information,” or similar terms under applicable laws, including the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018, as well as the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Montana Consumer Data Privacy Act (MCDPA), the Oregon Consumer Privacy Act (OCPA), the Texas Data Privacy and Security Act (TDPSA), the Utah Consumer Privacy Act (UCPA), and the Virginia Consumer Data Protection Act (VCDPA). For cookies and similar technologies, our practices also align with applicable EU/UK e-privacy rules (for example, UK PECR) regarding consent.
What is not covered
- This Privacy Policy does not apply to Patient Data that we process on behalf of healthcare providers or plan sponsors in our role as a processor/service provider. For rights or choices regarding Patient Data, please contact your provider. See Section 1 (Scope and Roles).
- This Privacy Policy does not cover the practices of companies we do not own or control or people we do not manage. Their handling of your information is governed by their own privacy policies.
- Where applicable, information about job applicants, employees, contractors, and other personnel may be covered by separate notices.
Capitalized terms used but not defined here have the meanings given elsewhere in this Privacy Policy.
1. Scope and Roles
Subscribili provides a platform that enables healthcare providers and plan sponsors to offer membership and subscription-based services.
- When we are a controller/business. For most personal information collected through our consumer-facing Services, Subscribili determines the purposes and means of processing and acts as a controller (EU/UK GDPR) / business (CCPA/CPRA).
- When we are a processor/service provider (Patient Data). For certain patient information we receive from providers to deliver our Services—such as information related to the provision of health care, health status, or payment for health care (“Patient Data”)—Subscribili acts as a processor (EU/UK GDPR) / service provider (U.S. state laws). This Privacy Policy does not apply to Patient Data processed on behalf of a provider. To exercise rights in Patient Data, please contact your provider directly. Where we act as a HIPAA business associate, we comply with HIPAA and applicable Business Associate Agreements.
2. What We Mean by “Personal Information”
“Personal Information” (or “Personal Data”) means information that identifies or relates to an identifiable individual and includes what may be called “personal information,” “personally identifiable information,” or similar terms under applicable laws (including CCPA/CPRA, CPA, CTDPA, MCDPA, OCPA, TDPSA, UCPA, and VCDPA).
3. Information We Collect
We collect information directly from you, from providers, and automatically through your use of the Services.
Category of Personal Information | Examples We Collect | Primary Sources | Why We Use It (Key Purposes) | Who We Share With | EU/UK Lawful Basis |
---|---|---|---|---|---|
Identifiers and Contact Data | Name, email, phone, mailing address, date of birth | You (forms, portals, support); Providers/plan sponsors | Account set-up, communications, service notices, plan administration | Service providers (hosting, comms, support); parties you authorize (providers, plan sponsors) | Contract (Art.6(1)(b)); Legitimate interests (f) for service ops; Legal obligation (c) as applicable |
Account and Subscription Data | Plan selected, dependents, activity, renewal/cancellation status, preferences | You; Providers/plan sponsors; automatically from the Services | Enroll and manage subscriptions, enable providers to administer plans, customer support | Service providers; parties you authorize | Contract (b); Legitimate interests (f) |
Payment and Transaction Data | Tokenized card data, last 4 digits, billing address, transaction IDs/timestamps, refunds (we do not store full card numbers) | You; payment processor | Take payments, billing, renewals/cancellations, fraud prevention, bookkeeping | Payment processors (e.g., Stripe); fraud/security vendors; service providers | Contract (b); Legal obligation (c) for tax/accounting; Legitimate interests (f) for fraud prevention |
Commercial Data | Purchase/subscription history, customer profile attributes related to your plan | You; Providers/plan sponsors; automatically from the Services | Reporting, analytics, improving Services, support, eligibility and benefits administration | Service providers; analytics partners; parties you authorize | Legitimate interests (f) |
Technical and Device Data | IP address, device ID, device type, OS and browser, app version, domain server, logs, error reports | Automatically via the Services and cookies/SDKs | Operate and secure the Services, debug, prevent abuse/fraud | Service providers; security/fraud vendors; analytics partners; advertising partners (if enabled) | Legitimate interests (f); Consent (a) where non-essential cookies/SDKs require it under PECR/e-privacy |
Usage and Interaction Data | Pages viewed, clicks, feature usage, session duration, referral URLs, timestamps | Automatically via the Services and cookies/SDKs | Analytics, R&D, improving and personalizing Services; measuring performance | Analytics partners; service providers; advertising partners (if enabled) | Legitimate interests (f) for first-party analytics; Consent (a) for analytics/marketing cookies where required |
Communication Data | Support tickets, emails, portal messages, call notes | You (email, forms, chat); automatically from support tools | Respond to requests, troubleshoot, quality assurance, train support models/tools | Service providers (support tools/CRM); parties you authorize | Contract (b); Legitimate interests (f) |
Provider and Staff Data | Provider/staff contact details, role and credentials, organization info | Providers/plan sponsors; you (if you are staff) | Authenticate and authorize access, account administration, security | Service providers; security/fraud vendors | Contract (b); Legitimate interests (f) |
Limited Health-related Administrative Data | Scheduling, eligibility status, non-clinical treatment codes (no clinical notes) for plan administration | Providers/plan sponsors; you | Administer memberships and benefits; verify eligibility; support operations | Providers/plan sponsors; service providers under appropriate agreements (e.g., BAA where applicable). Not shared with advertising partners. | Processor/service provider role for Patient Data (see Scope and Roles); when acting as controller for related account tasks: Contract (b); Legal obligation (c) |
Approximate Location Data | Country/region/city inferred from IP; precise location only if you enable it | Automatically (IP); your device/browser if you allow location | Content localization, fraud detection, compliance | Service providers; security/fraud vendors; analytics partners | Legitimate interests (f); Consent (a) for precise device location |
De-identified or Aggregated Data | Analytics that do not identify you | Derived from other data using de-identification | Analyze, improve, and promote the Services | Service providers and partners (analytics/improvement). We do not attempt to re-identify. | Not Personal Data under GDPR/CCPA once properly de-identified |
Categories of Sources of Personal Information
You
- When you provide information directly to us (for example, forms, sign-up flows, support requests).
- When you use our interactive tools and Services or enter free-form text.
- When you contact us by email or other channels.
Automatically through the Services
- Through cookies and similar technologies (see Cookies, Analytics, and Targeted Advertising).
- From your device or browser (for example, IP address, device type, operating system, and usage logs).
- From a location-enabled browser or device if you allow location access.
- From our mobile or desktop applications if installed, including technical events needed to provide the Services.
Providers and plan sponsors
- Information needed to enroll you, administer subscriptions, verify eligibility, and support plan operations you select.
Third parties and vendors
- Analytics providers that help us understand use of the Services.
- Support vendors that help us serve you.
- Payment processors that handle payments on our behalf.
- Where permitted by law, vendors that supply public or partner-provided data for security, anti-fraud, or sales operations.
Our Commercial or Business Purposes for Collecting Personal Information
Providing, customizing, and improving the Services
- Provide the products, services, or information you request and fulfill the reason you provided information.
- Provide support and assistance; test, research, conduct internal analytics, and develop new features.
- Personalize content and communications based on your preferences.
- Prevent, detect, and investigate fraud and security incidents; debug; ensure service reliability.
- Carry out other purposes described at the time of collection or as otherwise permitted by applicable law.
Marketing the Services
- Market and sell the Services and send information that may be of interest, with consent where required by law.
Corresponding with you
- Respond to your correspondence; contact you when needed or requested; send service notices and reminders in line with your preferences.
Meeting legal requirements and enforcing legal terms
- Comply with laws, regulations, court orders, or other legal processes.
- Protect the rights, property, or safety of you, Subscribili, or others; enforce agreements; respond to claims; and resolve disputes.
We will not collect additional categories of Personal Information or use the Personal Information we collect for materially different, unrelated, or incompatible purposes without providing notice and, where required, obtaining consent.
Right to object (EU/UK). Where we rely on legitimate interests, you may object at any time (see Your Rights and How to Exercise Your Rights). For direct marketing, you always have an absolute right to object or unsubscribe.
Special category data. As a controller, we do not intentionally process special category data (for example, health data) via the consumer-facing Services. Any such Patient Data is handled in our processor/service provider role for providers under appropriate agreements (see Scope and Roles).
Cookies and PECR (EEA/UK). We obtain prior consent before setting Statistics or Marketing cookies or SDKs and provide an easy way to withdraw consent at any time via Cookie Settings / Privacy Choices. Strictly necessary cookies do not require consent.
International transfers. See International Data Transfers for our safeguards (Standard Contractual Clauses with UK Addendum or UK International Data Transfer Agreement; EU-US Data Privacy Framework and UK Extension where applicable).
4. How We Use Personal Information
We process Personal Information for:
- Subscription and care management (enroll patients, manage subscriptions, enable providers to administer plans).
- Payments and billing (process payments via third-party processors; manage renewals and cancellations).
- Support and communications (respond to inquiries, send reminders, notify you of service changes).
- Analytics, research and development, and improvement (generate reports for providers, improve and develop features, maintain security).
- Personalization (tailor content and communications based on preferences).
- Fraud protection, security, and debugging.
- Compliance and legal obligations (including HIPAA where applicable).
- Marketing (with consent where required by law).
- Other purposes described at the time of collection or with your consent.
We will not use Personal Information for materially different, unrelated, or incompatible purposes without providing notice (and, where required, obtaining consent). We do not sell your Personal Information for money and do not share it with third parties for their own direct marketing.
5. How We Disclose Your Personal Information
We disclose Personal Information to:
- Service providers: hosting/cloud, payments, communications, customer support, analytics, security/fraud, and similar vendors (contractually required to use it only to provide services and to protect it).
- Analytics partners: to understand usage and improve the Services.
- Advertising/retargeting partners: only as described in Cookies, Analytics, and Targeted Advertising below.
- Parties you authorize: your provider and, where applicable, your employer/plan sponsor or other third parties you access via the Services.
- Legal/compliance: to comply with law, protect rights/safety, and respond to lawful requests.
- Business transfers: as part of mergers, acquisitions, financing, or similar transactions.
- Aggregated or de-identified data: see below.
Aggregated, de-identified, or anonymized data. We may create and use aggregated, de-identified, or anonymized data to analyze, improve, and promote the Services. We will not attempt to re-identify such data or share it in a way that could reasonably identify you.
Legal Obligations
We may disclose Personal Information to third parties as necessary to comply with laws, regulations, legal process, or enforceable governmental requests, and to protect the rights, property, or safety of you, Subscribili, our users, or others (see Meeting legal requirements and enforcing legal terms).
Business Transfers
We may transfer Personal Information in connection with a merger, acquisition, reorganization, sale of assets, financing, or bankruptcy. Where required by law, we will provide notice (for example, by posting on our website) before your information becomes subject to a different privacy policy. Any successor will be obligated to respect this Privacy Policy or a policy with materially similar protections.
Data that is Not Personal Information
We may create aggregated or de-identified data (and, where applicable, anonymized data under EU/UK standards) from Personal Information by removing information that reasonably identifies you. We use and share such data for lawful business purposes including analyzing, improving, and promoting the Services, and we will not attempt to reidentify it or permit recipients to do so.
6. Third Party Content, Analytics, and Social Features
Our Services may include content and applications provided by third parties—such as analytics providers, advertising partners, embedded videos, SDKs, and social features (for example, “Like” or “Share” buttons). These parties may set cookies, pixels, tags, or SDKs to collect information about your use of the Services and, in some cases, about your activity over time and across other websites and online services. Their use of tracking technologies is governed by their own privacy policies.
Analytics. We use Google Analytics (GA4) to help analyze usage and improve the Services. Learn more at https://www.google.com/policies/privacy/partners/ and opt out via the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout/.
Advertising/remarketing (if enabled). We may use Google Ads/Analytics Advertising Features. Google and other vendors may use first-party and third-party cookies together to serve ads based on past visits. Control this in Cookie Settings / Privacy Choices (Cookiebot) and/or Google Ads Settings at https://adssettings.google.com/.
Your choices. Manage non-necessary categories (for example, Statistics and Marketing) any time through Cookie Settings / Privacy Choices or the Do Not Sell or Share My Personal Information link in our footer. Where required, we honor Global Privacy Control (GPC) signals.
7. Cookies, Analytics, and Targeted Advertising (Cookiebot)
We use cookies and similar technologies (“Cookies”) to operate, secure, and improve the Services and—where enabled—to personalize content and measure or deliver advertising. Consent and preferences are managed by Cookiebot by Usercentrics.
Categories (Cookiebot)
- Necessary – core functionality (for example, authentication, security).
- Preferences – remember settings (for example, language or region).
- Statistics – analytics and performance to understand usage and improve features.
- Marketing – advertising and remarketing, including measurement across sites.
Regional controls
- EEA/UK: we do not set Statistics or Marketing Cookies (or comparable SDKs) until you give consent. You can withdraw consent any time via Cookie Settings / Privacy Choices in the footer.
- U.S. state laws (for example, CA/CO/CT/MT/OR/TX/UT/VA): disclosures via advertising or analytics Cookies may be treated as a sale, share, or targeted advertising. You can opt out at any time through Cookie Settings / Privacy Choices or the Do Not Sell or Share My Personal Information footer link. We honor GPC where required.
Manage or withdraw at any time: Open Cookie Settings in the footer to accept, reject, or change non-essential categories. Select “Show details” to view the current list of cookies, providers, purposes, and lifespans. You may also control cookies in your browser; some features require Necessary Cookies.
Analytics and ads: We may use Google Analytics 4 for Statistics. Learn more at https://www.google.com/policies/privacy/partners/ and opt out via the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout/. If Marketing Cookies are enabled, third parties may receive information about your activity on our Services associated with your browser or device to provide advertising or measurement across sites; control this in Cookie Settings (and, if you wish, via your Google Ads settings).
Signals: The Services are not currently configured to respond to Do Not Track (DNT) signals. We honor GPC where required.
8. Security
We use appropriate technical, administrative, organizational, and physical measures to protect Personal Information against unauthorized access, use, disclosure, alteration, or destruction, taking into account the nature of the data and the risks of processing. Measures include access controls and least privilege, encryption in transit and at rest where appropriate, network and application security, logging and monitoring, vulnerability management, employee training, and vendor due diligence with contractual protections.
No method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. Where required by law, we will notify the relevant supervisory authority and affected individuals of a personal data breach within applicable timeframes. For EU and UK residents, this includes notifying the supervisory authority without undue delay and, where required, within seventy-two hours under EU GDPR and UK GDPR.
When we engage service providers or subprocessors, we require them by contract to protect Personal Information and to process it only for the services requested and consistent with this Privacy Policy and applicable law.
9. Data Retention
We retain Personal Information only for as long as necessary to fulfill the purposes described in this Privacy Policy, including to provide the Services, comply with legal and regulatory obligations, resolve disputes, secure and maintain our systems, and enforce agreements. This reflects the storage limitation principle under EU GDPR and UK GDPR.
When determining retention periods we consider factors such as what information we collect, who provided it, the purpose of collection, the sensitivity of the information, our legal and contractual obligations (for example tax, accounting, or health privacy obligations where applicable), and operational needs including security and fraud prevention.
When Personal Information is no longer needed for the stated purposes, we will delete it or take steps to de-identify it in a manner that does not identify you. Aggregated or de-identified information may be retained and used for lawful purposes. Please note that copies in backups or archival systems may persist for a limited period and are deleted on a scheduled basis.
- Patient Data (processor role). Where we process Patient Data on behalf of a provider, we retain and delete such information according to our agreement with that provider and applicable law, including any Business Associate Agreement where HIPAA applies.
- Your rights. You may request deletion in accordance with the rights described in Section 10 (Your Rights) and submit requests using Section 11 (How to Exercise Your Rights). We may retain certain information where permitted or required by law, including to comply with legal obligations, resolve disputes, or enforce our agreements.
10. Your Rights
These rights apply to Personal Information we control. For Patient Data that we process on behalf of a provider, please contact your provider directly.
A. EU/UK (GDPR / UK GDPR)
Lawful bases. We process Personal Information on the bases of consent, performance of a contract, legal obligations, and legitimate interests. We do not use solely automated decision making (including profiling) that produces legal or similarly significant effects.
Your rights. You may: access your Personal Information; rectify inaccurate data; erase data (“right to be forgotten”); restrict processing in certain cases; port data in a structured, commonly used, machine-readable format; object to processing (including where based on legitimate interests); and withdraw consent where processing relies on consent.
To exercise GDPR/UK GDPR rights, contact our DPO at security@subscribili.co.uk. You may also complain to the UK ICO or your local EU data protection authority.
International transfers. For EU/UK residents, data may be processed in the EEA and/or transferred to the United States using Standard Contractual Clauses and other safeguards. Subscribili participates in the EU-US Data Privacy Framework and the UK Extension to the Data Privacy Framework.
B. U.S. State Privacy Rights
If you reside in one of the states below, you may have the rights described for that state. Please see Section 11 (How to Exercise Your Rights) for how to submit requests. We may process Personal Information as a service provider/processor on behalf of Providers; when we do, please direct requests to the entity that collected your information. These rights are subject to applicable conditions and exceptions under the law, which may allow or require us to deny a request in whole or in part.
If there is a conflict between this subsection and another part of this Privacy Policy and you are a resident of the state at issue, the portion that is more protective of Personal Information controls to the extent of the conflict.
California Resident Rights (CCPA/CPRA)
Access / Right to Know. You may request the following for the past 12 months: (a) the categories of Personal Information collected about you; (b) the categories of sources; (c) the business or commercial purposes; (d) the categories of third parties to whom we disclosed Personal Information; (e) the specific pieces of Personal Information we collected about you; and (f) for disclosures for a business purpose, the categories disclosed and the categories of recipients. Where applicable, we will also identify categories sold or shared and to whom.
Deletion. You may request deletion of Personal Information we collected from you, subject to statutory exceptions (for example, to provide requested services, detect security incidents, or comply with law).
Correction. You may request correction of inaccurate Personal Information, taking into account the nature of the information and our purposes.
Personal Information “Sales” and “Shares” Opt-Out. “Sell” and “share” have meanings under the CPRA that include certain cookie-based disclosures. We do not sell Personal Information for money. We may “sell” or “share” (as defined by CPRA) Technical/Device Data and Web Analytics to ad networks and marketing providers through advertising and analytics cookies. Opt out any time via Cookie Settings / Privacy Choices in our footer or the Do Not Sell or Share My Personal Information link. We will not ask you to reauthorize for at least 12 months after your opt-out. We honor Global Privacy Control (GPC) where required.
Sensitive Personal Information & Right to Limit. We do not intentionally collect Sensitive Personal Information via our consumer-facing Services. If any Sensitive Personal Information is processed, we limit its use to permitted purposes (for example, service provision or security) and do not use it to infer characteristics; therefore a separate Right to Limit mechanism is not offered.
Non-Discrimination. We will not discriminate against you for exercising CPRA rights.
Colorado Resident Rights (CPA)
You may request: access (confirmation and access), correction, deletion, and data portability (a copy in a portable format, to the extent technically feasible; up to twice per year).
Sales and Targeted Advertising Opt-Out. “Sale” under Colorado law can include certain cookie-based disclosures. We may disclose Technical/Device Data and Web Analytics to ad networks and marketing providers for targeted advertising. Opt out any time via Cookie Settings / Privacy Choices or the Do Not Sell or Share link; we honor GPC where required. We do not knowingly sell or process for targeted advertising the Personal Information of children under 13.
Appealing a Denial. If we decline to take action on your request, you may appeal by emailing privacy@subscribili.com with the subject “CPA Appeal.” We will respond within 45 days. If denied, you may contact the Colorado Attorney General.
Connecticut Resident Rights (CTDPA)
You may request: access (confirmation and access), correction, deletion, and data portability (for data processed by automated means, to the extent technically feasible).
Sales and Targeted Advertising Opt-Out. You may opt out of “sale” and targeted advertising (which can include cookie-based disclosures). Use Cookie Settings / Privacy Choices or the Do Not Sell or Share link; we honor GPC where required. We do not sell or process for targeted advertising the Personal Information of children under 13.
Profiling Opt-Out. You may opt out of profiling in furtherance of solely automated decisions producing legal or similarly significant effects. We do not engage in solely automated decision-making that produces such effects, but you may still submit an opt-out request.
Teen Consent (ages 13–15). Where required, we obtain opt-in consent from teens age 13 to 15 before “selling” Personal Information or processing it for targeted advertising. We do not currently engage in such processing for this age group.
Appeals. If we deny your request, you may appeal as described in Section 11; we will respond within 45 days.
Montana Resident Rights (MCDPA)
You may request: access, correction, deletion, and data portability (to the extent technically feasible).
Sales and Targeted Advertising Opt-Out. You may opt out of sale and targeted advertising (including certain cookie-based disclosures) via Cookie Settings / Privacy Choices or the Do Not Sell or Share link; we honor GPC where required. We do not sell or process for targeted advertising the Personal Information of children under 13.
Profiling. We do not engage in profiling to make decisions that produce legal or similarly significant effects about you.
Teen Consent (ages 13–15). Where required, we obtain opt-in consent before “selling” Personal Information or processing it for targeted advertising or profiling. We do not currently engage in such processing for this age group.
Appeals. If we deny your request, you may appeal as described in Section 11.
Oregon Resident Rights (OCPA)
You may request: access (confirmation and access) and a copy of Personal Information, including a list of specific third parties (other than natural persons) to whom we have disclosed your Personal Information; correction; deletion; and data portability (to the extent technically feasible; up to twice per year).
Sales and Targeted Advertising Opt-Out. You may opt out of sale and targeted advertising (including certain cookie-based disclosures) via Cookie Settings / Privacy Choices or the Do Not Sell or Share link; we honor GPC where required. We do not sell or process for targeted advertising the Personal Information of children under 13.
Profiling Opt-Out. You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such profiling.
Teen Consent (ages 13–15). Where required, we obtain opt-in consent before “selling” Personal Information or processing it for targeted advertising or profiling. We do not currently engage in such processing for this age group.
Appeals. If we deny your request, you may appeal as described in Section 11.
Texas Resident Rights (TDPSA)
You may request: access (confirmation and access), correction, deletion, and data portability (to the extent technically feasible).
Sales and Targeted Advertising Opt-Out. You may opt out of sale and targeted advertising (including certain cookie-based disclosures) via Cookie Settings / Privacy Choices or the Do Not Sell or Share link; we honor GPC where required. We do not sell or process for targeted advertising the Personal Information of children under 13.
Profiling. You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such profiling.
Sensitive Data. Where required, we obtain consent before processing sensitive data. We do not intentionally collect Sensitive Personal Information via our consumer-facing Services.
Appeals. If we deny your request, you may appeal as described in Section 11.
Utah Resident Rights (UCPA)
You may request: access (confirmation and access), data portability (to the extent technically feasible), and deletion of Personal Information you provided to us.
Targeted Advertising Opt-Out. You may opt out of processing Personal Information for targeted advertising via Cookie Settings / Privacy Choices. We do not sell Personal Information as defined by UCPA and do not process Sensitive Personal Information via our consumer-facing Services.
(Utah does not require a correction right or a profiling opt-out at this time.)
Virginia Resident Rights (VCDPA)
You may request: access (confirmation and access), correction, deletion, and data portability (to the extent technically feasible).
Opt-Outs. You may opt out of targeted advertising, sale of Personal Information, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell Personal Information as defined by VCDPA and do not engage in such profiling, but you may still submit an opt-out request. Control cookie-based targeted advertising via Cookie Settings / Privacy Choices; we honor GPC where required.
Appeals. If we deny your request, you may appeal as described in Section 11.
Nevada Resident Rights
Opt-Outs. If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at legal@subscribili.com with the subject line “Nevada Do Not Sell Request” and providing us with your name. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A.
Reminder on cookies and signals: Across all states above, disclosures made via advertising or analytics cookies may constitute a sale, share, or targeted advertising under certain laws. You can manage these settings any time via Cookie Settings / Privacy Choices in our footer or the Do Not Sell or Share My Personal Information link. Where required, we honor Global Privacy Control (GPC). We do not sell Personal Information for money.
11. How to Exercise Your Rights
These instructions apply to Personal Information we control (not Patient Data we process for a provider; for Patient Data requests, please contact your provider).
EU/UK (GDPR / UK GDPR)
How to submit. Email our DPO at security@subscribili.co.uk. You may also contact our EU/UK Representative at contact@gdprlocal.com.
What to include. Provide enough information to identify and verify you, and a clear description of your request (for example, access, rectification, erasure, restriction, portability, objection, or withdrawal of consent).
Verification and data minimization. We may request only the minimum additional information needed to verify your identity and will use it solely for that purpose.
Response time. We will respond without undue delay and in any event within one month of receipt. We may extend by up to two further months if the request is complex or numerous; if so, we will notify you within one month and explain why.
Fees. Requests are free of charge. We may charge a reasonable fee or refuse to act only where a request is manifestly unfounded or excessive, and we will explain why.
Format. For portability, we provide data in a structured, commonly used, machine-readable format.
Complaints. You may lodge a complaint with the UK ICO or your local EU supervisory authority.
United States (State Privacy Laws)
How to submit. Email privacy@subscribili.com. If your state allows, an authorized agent may submit on your behalf.
You do not need an account to submit a request.
What to include.
- Enough information for us to verify your identity (for example, the email you used with us). Please do not send sensitive documents unless we ask.
- A clear description of the right you wish to exercise (for example, access or deletion) and your state of residence.
Verification. We may request limited additional information to verify your identity. If we cannot verify your identity with a reasonable degree of certainty, we may be unable to fulfill the request and will explain why.
Authorized agents. Where permitted, we may require proof of authorization (for example, signed permission or a power of attorney) and may ask you to verify your identity directly with us.
Response time. We will respond within 45 days of receiving your request. Where permitted, we may extend by an additional 45 days; we will notify you and explain why.
Fees. We do not charge a fee unless a request is excessive, repetitive, or manifestly unfounded; if a fee applies, we will tell you before we complete the request.
Opting out of sale, share, and targeted advertising (cookies and identifiers).
- Use Cookie Settings / Privacy Choices in the site footer to opt out of Marketing cookies and adjust Statistics where applicable.
- Use the Do Not Sell or Share My Personal Information link (if shown) to reach the same controls.
- We recognize Global Privacy Control (GPC) signals where required as a request to opt out of sale or share and targeted advertising for that browser.
- Cookie choices are browser- and device-specific and may reset if you clear cookies.
- If you wish to opt out of marketing that uses non-cookie identifiers (for example, an email hash), email privacy@subscribili.com with subject Opt Out Request.
Appeals. If we decline your request, you may appeal by emailing privacy@subscribili.com with subject Appeal. We will respond within 45 days as required in states with an appeals process (including Colorado, Connecticut, Montana, Oregon, Texas, and Virginia). If we deny your appeal, we will provide information on how to contact your state regulator where applicable.
Other state notices.
- California Shine the Light. Request information about our disclosure of Personal Information to third parties for their direct marketing by emailing privacy@subscribili.com with subject Shine the Light.
- Nevada. Nevada residents may opt out of the sale of certain Personal Information by emailing privacy@subscribili.com with subject Nevada Do Not Sell Request. We do not currently sell Personal Information as defined under Nevada law.
12. International Data Transfers
Subscribili is headquartered in the United States. When we transfer personal data from the European Economic Area or the United Kingdom to a country that has not been found to provide an adequate level of protection, including the United States, we use appropriate safeguards. These include the European Union Standard Contractual Clauses together with the United Kingdom Addendum or the United Kingdom International Data Transfer Agreement, as applicable. Where the recipient is certified, we also rely on our participation in the EU-US Data Privacy Framework and the UK Extension to the Data Privacy Framework. We implement supplementary technical and organizational measures where necessary.
13. Children’s Privacy
The Services are not directed to children under 13 (United States) or under 16 (EU/UK). We do not knowingly collect Personal Information from children without appropriate consent. If you believe a child has provided Personal Information, please contact us and we will delete it as required by law.
14. Do Not Track
The Services are not currently configured to respond to browser Do Not Track (DNT) signals.
Where required by law, we recognize browser-based opt-out signals such as Global Privacy Control (GPC) as a request to opt out of sale/share of Personal Information and targeted advertising for that specific browser. To manage preferences across devices and for other cookie categories, use Cookie Settings / Privacy Choices in the site footer; you can change or withdraw consent at any time. If you clear cookies or use a different browser or device, you may need to reapply your choices.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our Services or legal, technical, or business developments. When we update it, we will post the revised Policy on the Services and update the Effective Date at the top.
If we make material changes that affect your rights or how we process Personal Information, we will provide additional notice as required by law (for example, by email to account holders, an in-product message, or a prominent notice on our website) and, where required, seek your consent (for example, for new non-essential cookies in the EEA/UK).
Your continued use of the Services after the revised Policy becomes effective means you acknowledge the updated terms, except where your consent is required. If you do not agree, you should discontinue use of the Services and adjust your preferences (for example, via Cookie Settings / Privacy Choices). Prior versions may be available upon request. Use of information we collect is subject to the Policy in effect at the time such information is collected, unless otherwise permitted by law.
16. Contact Information
If you have questions about this Privacy Policy, how we collect and use Personal Information, or your privacy choices and rights, please contact us:
Global and U.S. privacy inquiries
- Email: privacy@subscribili.com
Data Protection Officer (Global)
- Email: security@subscribili.co.uk
EU/UK Representative (Article 27 GDPR)
- Instant EU GDPR Representative Ltd, Office 2, 12A Lower Main Street, Lucan, Co. Dublin K78 X5P8, Ireland
- Email: contact@gdprlocal.com
Notes
- For Patient Data we process on behalf of a provider, please contact your provider directly.
- For state law opt outs of sale, share, or targeted advertising, use Cookie Settings / Privacy Choices in our footer or the Do Not Sell or Share My Personal Information link (where provided).
- To appeal a decision on a state privacy request, email privacy@subscribili.com with the subject “Appeal.”
- Please do not include sensitive documents unless we ask for them for verification.