Privacy Statement

Introduction

Sword Health takes your privacy seriously. This Privacy Statement describes our practices for collecting, storing, and processing the personal information of users of our Services in the United States.

We offer wellness and physical therapy services by virtually connecting our users to doctors of physical therapy or other professionals. We do this through our websites, including, but not limited to, www.swordhealth.com, www.hibloom.com, and their related sites, (the “Sites”), the Sword or Bloom mobile applications, the Sword Health Digital TherapistⓇ, the Bloom Pod, SWORD or Bloom motion sensors, biofeedback technology and exercise monitoring equipment, and other electronic means such as video conferencing, chat, phone, and online events (together, the “Services”). The Services are owned by Sword Health, Inc. and its affiliates (“Sword”).

Sword provides the Services through which you can access telehealth, musculoskeletal care, pelvic health care, and other wellness services provided by a professional (“Clinical Services”). Sword Health, Inc. does not provide Clinical Services. SWORD Health, Inc.' contracts with separate entities, including but not limited to Sword Health Care Providers, P.A., Sword Health Care Providers of NJ, P.C., Sword Health Care Physical Therapy Providers of CA, P.C., other professional practices, companies and individuals (the “Sword Professionals”) to engage independent doctors of physical therapy and other professionals (each a “Professional” or together, the “Professionals”) to provide Clinical Services to you.

Some of the information we collect relating to the Clinical Services may be Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), such as your medical records that we receive from your healthcare provider, your lab results, your initial assessments, or device readings. PHI is covered by a separate policy called the HIPAA Notice of Privacy Practices. The HIPAA Notice of Privacy Practices describes how Sword uses and shares PHI and contains more information about your rights under HIPAA. This Privacy Statement may provide additional detail on how PHI is collected, processed, or stored, but if there is a conflict between this Privacy Statement and the HIPAA Notice of Privacy Practices with respect to PHI, the HIPAA Notice of Privacy Practices will solely apply.

We encourage you to read both the Privacy Statement and the HIPAA Notice of Privacy Practices carefully. If you have any questions about this policy or our practices, please send an email to [email protected]. Please note, capitalized terms used in this Privacy Statement but not defined here have the definition given to them in the Sword Terms and Conditions.

California Residents - See “Additional Information for California Residents” below for additional information about your rights.

International Users - If you are accessing the Services from the United Kingdom or European Union click here.

To help you read this Privacy Statement, we have organized it into the following sections:

Personal Information We Collect - Information You Provide to Us - Information Collected While Using Our Services - Information Collected from Other Sources

How We Use and Share Personal Information - Use of Personal Information - Sharing Personal Information - Retention of Personal Information

How To Review, Modify, and Delete Personal Information - Right to Know/Access - Right to Modify - Right to Request Deletion - How to Exercise Your Privacy Rights

Additional Information for California Residents

How We Protect Personal Information

Tracking Technologies - Cookies and Other Tracking Technologies - Managing Your Tracking Technology Preferences

Children’s Information External Websites Changes to This Privacy Statement Contact Us

Personal Information We Collect

We may collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular user or household (“Personal Information”) as further described in the following categories below. We collect Personal Information from you, from your use of the Services, when you visit the Sites, and from certain third-party sources. By using the Services, and visiting the Sites, you agree that we can collect and use your Personal Information as described in this Privacy Statement.

Information You Provide To Us

Sword collects information that you provide to us, including when you enroll, give updates about your condition, respond to a survey, or contact us. Some examples of this information include:

Contact or other Identifying Information, such as your name, address, email address, telephone number, username and password; Professional or employment-related information, such as the name of your employer, company, and other professional or employment information you provide to us; Mental and physical condition information, such as height, weight, general health, feelings of pain and fatigue, exercise patterns, personal motivations, information about pregnancies and childbirth, and feelings of anxiety or depression; Medical information such as current or former injuries, medical diagnoses, and whether you are cleared by a physician to exercise; and Communications with Sword, including with the Professionals.

Information Collected While Using Our Services

Sword may also collect certain information when you access, browse, and use our Services. This information is generated by the computer, tablet, mobile app, or electronic sensors used in the Services. Some examples include:

Internet and other electronic activity data, such as the name of the domain and host from which you access the internet; the browser software you use and your operating system; the date and time you access the service; how often you access the Services, and the internet address of the website from which you directly linked to Sword; Log and Troubleshooting Information: We collect information about how our Services are performing when you use them, like service related diagnostic and performance information. This information includes log files, timestamps, diagnostic or crash data, website/app performance logs and error messages or reports. Identifiers or Geolocation data, such as Internet Protocol (IP) address; Sensor data, the type and order of exercises, number of repetitions, duration, manner, and individual performance including range of motion, movement errors, and compliance with the assignment movement; and Data from Tracking Technologies, such as information from cookies, web beacons, tags or other tracking technologies, as further described below.

**Sword will not record video or audio of your sessions without explicit consent from you prior to each recording. Any recording will be handled in accordance with this Privacy Statement and Sword's HIPAA Notice of Privacy Practices.

Information Collected from Other Sources

In connection with your use of the Services, we may combine or compare data we have collected from you with information collected from a third party. Some examples of information we may receive from a third party include:

Eligibility Information: If you are participating in a program sponsored by your employer, insurance provider, or healthcare provider, information contained in an eligibility file such as whether you are enrolled in the plan, your name, email, and some related health information; Information We Obtain From Your Health Care Providers and Other Sources: In connection with your treatment, we may collect medical records from your past, current, and future health care providers. This may include past or present diagnoses, previous treatments, general health, test results and reports, any family history of illness, and records of communications related to your health; and Information Collected From Third Parties: We may collect information available about you from third party service providers to improve the Services, such as identifying health factors related to your treatment to better tailor the Services to you.

How We Use and Share Personal Information

Use of Personal Information

We may use the Personal Information we collect for one or more of the following business purposes:

  • To provide, personalize, improve, update, and expand our Services, including: - For product testing and development, data analysis, and survey purposes; and, - For scientific, statistical, and historical research;
  • To communicate with you about the Services, including: - To respond to your inquiries and concerns; - Provide you with information or request action in response to technical, security and other operational issues; or - To follow-up with you regarding your enrollment process. - To create de-identified information (for example, aggregated statistics) related to the use of the Services or for scientific research;
  • To comply with laws and regulations, including to respond to law enforcement or a government request(s) as required by applicable law, court order, or governmental regulations and to monitor our compliance with those obligations;
  • To protect the integrity and maintain the security of our Services;
  • To enforce our Terms and Conditions; and
  • For any other purpose for which you may provide consent or as disclosed to you when you provide information to us.

When we use the term “de-identified information,” we mean information that is neither used, nor intended to be used, to identify an individual. We may use de-identified information without restriction and may share it with unaffiliated third parties.

Sharing Personal Information

Sword does not share your Personal Information with third parties except as described in this Privacy Statement, the HIPAA Notice of Privacy Practices, or with your additional consent (if required).

Sword may share Personal Information with the following categories of third parties for the following purposes:

Service Providers: We may share your Personal Information with service providers, such as contractors and other third parties we use to support our organization and provide us with services. These companies are subject to contractual obligations governing privacy, data security, and confidentiality consistent with applicable laws. These companies include our cloud services infrastructure providers, vendors that assist us in marketing and consumer research analytics, fraud prevention, security, communications infrastructure providers, vendors that help us provide some support functions, like phone support or survey tools, and third party partners for analytics and advertising purposes; Corporate Affiliates: We may share your Personal Information with our subsidiaries, affiliates, and associated organizations; Research Partners: We may share your Personal Information with research partners if you provide us with your express consent or if otherwise permitted by law. Research partners include commercial or non-profit organizations that conduct or support scientific research, the development of therapeutics, medical devices or related material to treat, diagnose, or predict health conditions. In some circumstances, a research partner or SWORD may have a financial interest in the research arrangement. Health Care Providers, Health Plans, and Similar Organizations: Personal Information that we create or obtain about you may be shared with health care providers, health plans, or other similar health care organizations as permitted by law or pursuant to your consent. Law Enforcement, Government Agencies or Other Third Parties: From time to time, we may be required to provide Personal Information to a third party in order to comply with a subpoena, court order, government investigation, or other similar legal process. If we disclose your Personal Information in this way, we will reasonably attempt to provide you with advance notice, unless we are prohibited from doing so. We may share your Personal Information if we believe it is reasonably necessary to: - Comply with valid legal process (e.g., subpoenas, warrants); - Respond to a government request; - Enforce or apply the Sword Terms and Conditions; - Investigate fraud; - Protect the security or integrity of the Services; - Protect the rights, property, or safety of Sword, our employees, members, or users; or - At your direction or with your permission.

Corporate Transaction: If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of all or a portion of our assets, we may share or transfer your Personal Information as part of such corporate transaction.

Sword will not disclose/share any information obtained through the short code program to third parties for their own marketing purposes.

Retention of Personal Information

Sword will retain the Personal Information you provide while creating your account and your profile until such time as you delete your account or you request deletion provided you are entitled to request deletion under applicable law. Any clinical records created as a result of your use of the Services will be securely maintained by Sword for a period that is no less than the minimum number of years such records are required to be maintained under applicable law, which is typically at least six years. Sword may also retain certain information as reasonably necessary to comply with our legal obligations (including law enforcement requests), resolve disputes, maintain security, prevent fraud and abuse, as well as to comply with tax, securities, and regulatory compliance requirements.

How to Review, Modify, and Delete Personal Information

Some applicable laws provide individuals with specific privacy rights and you may have certain privacy rights with respect to the Personal Information we collect and maintain about you, such as the following:

Right to Know/Access

You may have a right to request access to your Personal Information and to be provided with a copy of certain information in a readily useable format, including:

  • The categories of Personal Information we collected about you;
  • The categories of sources from which we have collected your Personal Information;
  • Our business or commercial purpose for collecting or selling that Personal Information;
  • The categories of your Personal Information that we have shared with third parties;
  • The categories of third parties with whom we share your Personal Information; or,
  • The specific pieces of Personal Information we collected about you.

Right to Modify

You may have the right to request that we modify the Personal Information we have collected and maintain about you. To request to modify your Personal Information, email us at [email protected]. We may request additional information from you in order to verify your identity and update your Personal Information per your request.

Right to Request Deletion

You may have the right to request that we delete the Personal Information that we have collected and maintain about you subject to applicable law. We may deny your request under certain circumstances, such as if we need your Personal Information to respond to your inquiries. If we deny your request for deletion, we will let you know the reason why. There may be some latency in deleting your Personal Information from our backup systems after it has been deleted from our primary production and development systems.

How to Exercise Your Privacy Rights

If applicable, you may exercise your right to know/access and your right to request deletion twice a year free of charge. To exercise your rights to know/access and request deletion, please contact us at [email protected]. We will take steps to verify your identity before processing your request. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify that you are the individual about whom we collected Personal Information. When submitting your request, please provide us with your name and contact information for purposes of enabling us to begin verifying your identity. We may request additional information about you if needed to verify your identity. Unless you have previously provided us your Personal Information for another purpose, we will only use the Personal Information provided in the verification process to verify your identity or authority to make a request, and to track and document your request to meet our obligations. We do not discriminate against individuals for exercising any of the above privacy rights. These rights may not be available to you and certain exceptions and exemptions may apply that will limit your ability to exercise these rights.

Authorized Agents: If required under applicable law, you may use an authorized agent to submit a request to know/access or a request to delete on your behalf. Even if you use an authorized agent, you will still need to communicate directly with Sword to verify your identity and address. We require that your agent be registered to do business with the appropriate Secretary of State and/or that your agent provide us with a signed document from you that authorizes your agent to make the request on your behalf. To protect your Personal Information, we reserve the right to contact you directly if we have any questions or concerns about the request from your agent.

Additional Information for California Residents

If you are a California resident, California law provides you with additional rights regarding our collection, use and disclosure of your Personal Information under the California Consumer Privacy Act, as amended (“CCPA”), the Shine the Light law, and the Do Not Track law. The CCPA does not cover PHI collected by a covered entity or business associate that is governed by HIPAA. For information on how Sword uses and shares your PHI please refer to our HIPAA Notice of Privacy Practices. Additionally, under certain circumstances the CCPA will not apply to Sword.

Within the preceding 12 months:

  • We have collected the categories of Personal Information described above in “Personal Information We Collect” from the sources described therein for the purposes described in “How We Use and Share Your Personal Information.”
  • We have shared categories of Personal Information to Service Providers, Corporate Affiliates, and Other Third Parties (as described further in “How We Use and Share Your Personal Information”).
  • We have not sold your Personal Information.

How We Protect Personal Information

We take great care to protect the Personal Information we maintain about you. Sword has a broad information security program designed to protect your Personal Information using administrative, physical, and technical safeguards. We have measures in place to protect against inappropriate access, loss, misuse, or alteration of Personal Information under our control. For example, Personal Information is stored on encrypted servers. While we strive to protect your Personal Information, we cannot guarantee the security of information you provide to us. This is especially true for information you transmit to us via email because email may not have the security features that are commonly built into websites. To the fullest extent permitted by applicable law, we do not accept liability for unintentional disclosure of your Personal Information. Additionally, please be aware that we have no control over the information collected by your internet service provider or information that you disclose over a public network. We are not responsible for any information collected by third parties not within our control or how such information is used or maintained.

Tracking Technologies

We may use technologies such as cookies, web beacons or pixels, tags, scripts, and other storage technologies (collectively “Tracking Technologies”) to collect or receive information on the Sites. These Tracking Technologies may help us save your preferences, understand how you navigate through the Sites, and improve your experience.

Cookies and Other Tracking Technologies

Cookies are small data files that we transfer to your device to collect information about your use of the Sites. Cookies can be recognized by the website that downloaded them or other websites that use the same cookies. This helps websites know if your browsing device has visited them before. We may use both first-party and third-party cookies on the Sites for the following purposes: to make the Sites function properly, to improve the Sites, to track your interaction with the Sites, to enhance your experience with the Sites, to remember information you have already provided, to collect information about your activities over time and across third party websites or other online services in order to deliver content tailored to your interests; and to provide a secure browsing experience during your use of the Sites. The length of time a cookie will stay on your browsing device depends on whether the cookie is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay on your browsing device until they expire or are deleted. The following types of cookies may be used on the Sites:

  • Strictly Necessary Cookies. These cookies are essential because they enable you to use the Sites. For example, strictly necessary cookies allow you to access secure areas of the Sites and for us to provide the Sites. These cookies do not gather information about you for marketing purposes. This category of cookies would be essential for the Sites to work and they cannot be disabled.
  • Functional or Preference Cookies. We may use functional cookies to remember your choices so we can tailor the Sites to provide you with enhanced features and personalized content. For example, these cookies can be used to remember your name or preferences on the Sites. We would not use functional cookies to target you with online marketing. While these cookies can be disabled, this may result in less functionality during your use of the Sites.
  • Performance or Analytic Cookies. These cookies collect passive information about how you use the Sites, including webpages you visit and links you click. We would use the information collected by such cookies to improve and optimize the Sites. We would not use these cookies to target you with online marketing. You would be able to disable these cookies.
  • Targeting or Advertising Cookies. These cookies are used to drive online advertising that is relevant to you by building up a picture of what you are interested in from your use of the internet. The cookies can limit the number of times you see an advert and help to measure the effectiveness of any advertising. They remember that you have visited a website and this information may be shared with other organizations or advertisers. We may use these cookies in limited circumstances associated with our public-facing sites.

We may also use tracking technologies to collect “clickstream” data, such as the domain name of the service providing you with Internet access, your device type, IP address used to connect your computer to the Internet, your browser type and version, operating system and platform, the average time spent on the Sites, web pages viewed, content searched for, access times and other relevant statistics, and assign unique identifiers to the device or other credentials you use to access the Sites for the same purposes. Pages of the Sites and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

Managing Your Tracking Technology Preferences

When viewing the Sites, you can accept or reject the use of cookies. In addition, many browsers allow you to manage your cookie preferences at the individual browser level. You can set your browser to reject and/or delete some or all cookies. If you reject or delete cookies, please be aware that you may not be able to use some or all portions or functionalities of the Sites.

Do Not Track. Some Internet browsers (e.g. Internet Explorer, Mozilla Firefox, and Safari) include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, the Sites currently do not process or respond to “DNT” signals.

Location Information. You may be able to adjust the settings of your device so that information about your physical location is not sent to us or third parties by: (a) disabling location services within the device settings; or (b) denying certain websites or mobile applications permission to access location information by changing the relevant preferences and permissions in your mobile device or browser settings. Please note that your location may be derived from your WiFi, Bluetooth, and other device settings. Please see your device settings for more information.

Analytics Tools. We may use tools such as Google Analytics, Facebook, and LinkedIn to help analyze how individuals use the Sites. Such third parties may use cookies, APIs, and SDKs on our Sites to enable them to collect and analyze user and device related data and information on our behalf. These tools use cookies to collect information such as how often users visit the Sites, what pages they visit, and what other websites they used prior to coming to the Sites. We use the information we get to improve our Sites and to tailor the Sites to you.

  • We may use Google Analytics to obtain information about your visits to the Sites. Google’s ability to use and share information collected by Google Analytics about your visits to the Sites is restricted by Google Analytics Terms of Service and the Google Privacy Policy. You may prevent your data from being used by Google Analytics by downloading and installing the Google Analytics Opt-out Browser Add-on .
  • Our Sites may utilize the Conversion Tracking Pixel service of Meta Platforms. This tool allows us to follow the actions of users after they click on a Facebook advertisement and allows us to record the efficacy of Facebook advertisements for statistical and market research purposes. The collected data remains deidentified which means we cannot see the personal data of any individual user. However, the collected data is saved and processed by Facebook and Facebook may be able to connect the data with your Facebook account and use the data for their own advertising purposes in accordance with Facebook’s Data Use Policy. Facebook Conversion Tracking also allows Facebook, and its partners, to show you advertisements on and outside Facebook. You can manage your preferences regarding how Facebook uses your data through your Facebook account settings.

Regarding Targeted Advertising

For more information about the collection and use of your information for online behavioral advertising generally, and how you can opt-out of having your data used for certain online behavioral advertising, please visit the Digital Advertising Alliance’s opt-out tool available at https://youradchoices.com/ and the Network Advertising Initiative’s Opt-Out Tool available at: https://networkadvertising.org/choices/.

Children’s Information

As we are committed to protecting the privacy of children, we do not collect Personal Information directly from anyone who is, to our knowledge, under the age of 13. If you are under the age of 13, please do not provide any Personal Information to us through the Sites or Services. If you become aware that an individual under age 13 has provided Personal Information directly to us, please contact us as described in the “Contact Us” section, so that we can delete the information.

A parent or guardian of children aged 13 to 18 years may create an account on behalf of their child, provided that the parent assumes full responsibility for the account and for the interpretation and use of any information provided through the Services. Further, the parent or guardian agrees to supervise their child’s use of the Services. Once a child reaches the age of 18, their Personal Information becomes theirs to control and the parent or guardian no longer has the ability to control the account.

External Websites

The Sites may contain links to other websites, including, but not limited to, investor relations sites, job applicant information gathering, assessment, and testing sites. These third party sites have their own privacy practices and measures to secure and protect your information. This Privacy Statement does not apply to any third party sites. We encourage you to review the privacy statement of any other third party website you may visit.

Changes to This Privacy Statement

This Privacy Statement is effective as of the date stated at the bottom of this Privacy Statement. We may change this Privacy Statement from time to time. Please be aware that, to the extent permitted by applicable law, our use of your information is governed by the Privacy Statement in effect at the time we collect the information. If you visit the Sites or use the Services after a change to this Privacy Statement is posted on the Sites, you will be bound by such change.

Contact Us

If you have any questions or comments regarding this Privacy Statement, please contact us at:

Sword Health, Inc. ATTN: Privacy Office 13937 Sprague Lane, Suite 100 Draper, UT 84020 385-308-8034 [email protected]

Last Updated and Effective Date: July 1, 2022