Privacy Policy

Last Updated: September 25, 2025

This Privacy Policy describes how MITO HEALTH INC. and its affiliates (collectively, “Mito,” “we,” “us,” or “our”) collect, use, disclose, retain, and protect personal information through our websites, mobile applications, and online services that link to this Privacy Policy (collectively, the “Services”), as well as marketing activities, events, and other activities described here. In some cases, we may provide additional or “just-in-time” notices or supplemental policies for specific products or features. If you do not agree with this Privacy Policy, please do not use the Services.

1) Scope & Relationship to Other Notices

• Not a healthcare provider. Mito is a technology platform and not a medical group, health care provider, laboratory, pharmacy, or insurer. Medical, laboratory, and pharmacy services accessible via the Services are provided by independent third parties (collectively, “Providers”).
• HIPAA carve-out. HIPAA does not apply to all personal information we process. When we act as a business associate to a HIPAA-covered entity (e.g., to support Provider services), we handle protected health information under applicable agreements; otherwise, this Privacy Policy applies.
• Consumer Health Data (CHD). Where state consumer health data laws apply, see our Consumer Health Data Privacy Notice (“CHD Notice”), which supplements this Privacy Policy. If you operate only in states without CHD laws, delete references to the CHD Notice.
• Controller and processor roles. For most activities, Mito determines the purposes and means of processing (acting as a “controller”). For certain Provider support functions where we process personal information on behalf of a covered entity or enterprise customer, we act as a “processor” or business associate under applicable agreements.
• Consumer Health Data guardrails. We do not use geofencing to target health care facilities in violation of applicable consumer health data (CHD) laws.

2) Personal Information We Collect

Categories of personal information (as applicable):

• Identifiers & contact data: name, email, postal address, phone, unique IDs, account credentials.
• Demographics: age, date of birth, gender/gender identity, race/ethnicity, sexual orientation (collect only if lawful/necessary and with appropriate disclosures/consent).
• Account/profile data: preferences, photos/avatars, social profiles, participation in surveys/promotions.
• Health-related data: health history/conditions, vitals, medications, clinical notes, lab orders/results, medical images/scans, biomarker data, care plans, self-reported health information, and other physical/mental health information you provide or that Providers/labs share as permitted.
• Genetic data: data related to inherited characteristics where tests produce such outputs. We obtain affirmative, opt-in consent where required before collecting or processing genetic data, and you may withdraw that consent at any time (see Section 7).
• Transactional & payment data: order details, transaction history, last-4 of card (payment processors collect and process full payment instrument details).
• Device & network data: IP address, device identifiers, OS, browser, network and general location (city/state/country).
• Online activity data: usage logs, pages/screens viewed, referring/exit pages, session timestamps, and interactions with emails or in-app messages.
• Communications & support data: chats, emails, SMS, call recordings (where permitted), and feedback.
• User-generated content: posts, stories, images, comments, testimonials submitted to public or shared areas.
• Inferences/derived data: insights we infer about your preferences, features you might use, or general location inferred from IP.

Sources of personal information include: you; your devices; Providers/labs and other third parties you authorize; wearables or connected apps you link; our service providers and analytics/advertising partners; public sources; enterprise customers (if applicable); and our affiliates.

3) How We Use Personal Information

We use personal information to:

• provide, operate, maintain, secure, and improve the Services;
• personalize the Services and communications;
• create, manage, and support accounts; authenticate users; and provide customer support;
• process orders and payments; fulfill and track services; coordinate with Providers/labs;
• verify eligibility and geographic availability; prevent fraud, abuse, and security incidents;
• conduct research, testing, quality assurance, and product development;
• send service-related announcements, security alerts, and administrative messages;
• market our Services (you may opt out of marketing communications); and
• comply with laws, enforce terms and policies, and protect rights, safety, and property.

De-identified/aggregated data. We may de-identify and/or aggregate personal information and use or disclose it for any lawful purpose, and we will not attempt to re-identify de-identified data except as required by law.

Research. We may use de-identified or aggregated information for internal research, quality assurance, and product development. We disclose identifiable information to external research partners only with your consent or under appropriate legal/ethical safeguards.

De-identification pledge. For de-identified information, we maintain it in de-identified form, do not attempt to re-identify it, and require recipients to do the same.

4) AI-Assisted and Automated Features

We may offer AI-assisted tools (e.g., automated chat, summarization, or non-clinical guidance). Outputs may be inaccurate or incomplete and are for informational purposes only. We do not use automated decision-making that has legal or similarly significant effects on you without human review. We may use interactions with these tools to operate, secure, and improve the Services subject to your choices and applicable law. Do not input protected health information unless requested by the relevant feature and permitted by our Privacy Policy/CHD Notice.

5) How We Disclose Personal Information

We may disclose personal information to:

• Providers & labs: to facilitate services you request (e.g., test ordering, sample collection, results delivery). Providers/labs set their own policies and may have their own notices.
• Service providers & contractors: hosting, EHR integrations, analytics, customer support, communications, security, payment processing, fulfillment, and similar.
• Payment processors: (e.g., Stripe) process payments directly and use your data per their privacy policies.
• Affiliates & business partners: for operations, research, and co-marketing (with lawful bases and choices provided).
• Advertising/analytics partners: to enable measurement and interest-based advertising (exclude health/genetic data from ad targeting; honor applicable laws).
• Research partners: for approved research under appropriate legal/ethical safeguards.
• Parties to a corporate transaction: actual/prospective buyers, investors, and their advisors.
• Authorities & others: to comply with law; protect rights, privacy, safety, or property; detect/prevent fraud, security, or technical issues; or enforce terms.
• Parties you authorize: other third parties where you instruct us to disclose.
• Advertising and analytics boundaries. We do not use health or genetic data for targeted advertising. We contractually prohibit service providers and advertising/analytics partners from using any health or genetic data for their own independent purposes, and we limit what identifiers we share to what is necessary for measurement and brand-level reach, subject to your choices.

We may also share de-identified/aggregated data that cannot reasonably be used to identify you.

6) Cookies, Mobile IDs & Similar Technologies

We and our partners use cookies, SDKs, pixels, local storage, and similar technologies to operate the Services, remember preferences, analyze usage, and (if enabled) tailor communications/ads. You can control cookies through browser settings and device-level settings for mobile advertising IDs. If you disable cookies, some features may not function.

Do Not Track. Some browsers transmit “Do Not Track” signals. We currently do not respond to such signals. If we do in the future, we will explain how in this Privacy Policy.

7) Your Choices & Controls

• Account info: access and update certain account details by contacting us.
• Marketing emails: opt out using unsubscribe links or by contacting us.
• SMS: reply STOP to opt out; reply HELP for help. Standard message/data rates may apply.
• Interest-based advertising: manage through browser settings, ad-blocking tools, platform settings (e.g., Google/Facebook), and industry opt-outs such as NAI/DAA. We do not use health/genetic data for interest-based advertising.
• Cookies & web beacons: manage via browser/device settings. Blocking images can limit tracking by clear GIFs.
• Linked devices/services: revoke connections in your device/app or third-party account.
• Withdraw consent. Where we rely on your consent (e.g., certain health/genetic processing or marketing), you may withdraw it at any time by contacting us or via in-app controls where available. Withdrawal does not affect prior processing.
• Portability & deletion. To request an export of your data (in a machine-readable format) or deletion of your account, email help@mitohealth.com or use in-app tools where available. We may retain limited records as required by law, to prevent fraud, or to defend legal claims.

8) Consumer Health Data (CHD) (If Applicable)

Where state CHD laws apply (e.g., WA, CO, NV, CT), we process CHD as described in our separate CHD Notice, including: categories collected; purposes; sources; disclosures; individual rights; appeals; and data security. We do not “sell” or “share” CHD as defined by applicable law, and we do not use geofencing to target health care facilities in violation of CHD laws.

9) HIPAA; Provider Data; Business Associate Agreements (If Applicable)

When Providers/labs disclose your health information to us to support care (e.g., EHR hosting, coordination, messaging), we act under a business associate agreement and handle such information per HIPAA and that agreement. Otherwise, this Privacy Policy governs.

10) Retention

We retain personal information as long as necessary to fulfill the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and for security/fraud prevention. We may retain de-identified data without a time limit. Where feasible, we apply criteria such as data type/sensitivity, purpose, legal requirements, and operational needs to determine retention.

Illustrative retention periods:

• Account & profile data: life of account + up to 3 years.
• Health/biomarker data: life of account + up to 7 years (or longer if required by law).
• Transactions: 7 years (tax/audit).
• Support chats/calls: up to 3 years.

Actual periods may vary based on legal, security, and operational needs.

11) Security

We employ administrative, technical, and physical safeguards designed to protect personal information appropriate to the nature of the data. No method of transmission or storage is completely secure. If we become aware of a security incident affecting personal information, we will investigate and notify affected individuals and/or authorities as required by law. If a data breach occurs, we will notify affected individuals and/or regulators without undue delay and within required timelines under applicable law.

12) Children’s Privacy

The Services are not intended for individuals under 18, and we do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us and we will take appropriate steps to delete it.

Children under 13. We do not knowingly collect personal information from children under 13. If we learn that a child under 13 has provided personal information, we will delete it.

13) International Data Transfers (If Applicable)

We may process and store personal information in the United States and other countries with privacy laws that may differ from those where you live. Where required, we will implement appropriate transfer mechanisms.

14) State-Specific Privacy Rights (U.S.)

Opt-out of sale/share & targeted advertising. Where required, we provide a clear “Do Not Sell or Share My Personal Information” link and a universal opt-out mechanism for targeted advertising. We honor Global Privacy Control (GPC) and similar browser signals as opt-out requests.

Authorized agents & verification. You may designate an authorized agent to submit a request on your behalf. We may require proof of the agent’s authority and verification of your identity.

Appeals. If we deny your request, you may appeal by emailing help@mitohealth.com with “Appeal” in the subject line. We will respond within the timeframe required by applicable law.

Sensitive personal information. Where state law provides a “Limit the Use of My Sensitive Personal Information” right, we will provide a means to exercise it and will honor your request as required by law.

15) Third-Party Sites, Services & Social Features

The Services may link to or integrate with third-party websites, apps, devices (e.g., wearables), or services. Their practices are governed by their own policies, not this Privacy Policy. Provider/lab data practices are governed by their own notices.

16) Testimonials & User-Generated Content

If you submit content or testimonials, certain information may be public. Do not share information you prefer to keep private. We may use testimonials per the permissions you grant.

17) Changes to This Privacy Policy

We may modify this Privacy Policy from time to time. We will update the “Last Updated” date and, where required, provide additional notice. Your continued use of the Services after the effective date constitutes acceptance.

18) Contact Us

Questions or requests? Contact us at:

Email: help@mitohealth.com

19) Definitions

• “Personal information” means information that identifies, relates to, describes, or could reasonably be linked with a particular individual or household.
• “Sensitive personal information” includes data such as precise geolocation, health/genetic data, and similar categories defined by law.
• “Consumer health data (CHD)” is defined by applicable state law and may include personal information linked or reasonably linkable to an individual’s health.
• “Sell” and “Share” have the meanings given in applicable state privacy laws and generally refer to disclosing personal information to third parties for monetary or other valuable consideration (sell) or for cross-context behavioral advertising (share).
• “Consumer Health Data (CHD)” means personal information linked or reasonably linkable to an individual’s past, present, or future physical or mental health status as defined by applicable state law.

Consumer Health Data Privacy Notice

Last Updated: Sept 25, 2025

Applies to: Mito Health and its affiliated services

Mito Health (“Company,” “we,” “us,” or “our”) respects your privacy. This Consumer Health Data Notice (“Notice”) explains how we collect, use, share, and protect Consumer Health Data when you use our websites, mobile applications, and services (collectively, the “Services”).

This Notice supplements our Privacy Policy and applies specifically to Consumer Health Data as defined by applicable law.

1. What is Consumer Health Data?

Consumer Health Data includes personal information linked to you that identifies or is reasonably capable of being associated with your physical or mental health, medical treatments, wellness, biometric data, or health-related activities. Examples include:

• Information about your health conditions, diagnoses, or treatments
• Measurements or biometrics (e.g., heart rate, blood pressure, genetic data)
• Information about your use of medications, supplements, or healthcare services
• Information about reproductive, sexual, or mental health

2. Information We Collect

We may collect Consumer Health Data in the following ways:

• Directly from you when you provide information through our Services (e.g., account registration, self-reported health inputs, wearable integrations).
• Automatically through devices, cookies, or APIs that measure health-related activity.
• From third parties such as healthcare providers, labs, pharmacies, or other service partners (with your authorization where required).

3. How We Use Consumer Health Data

We use your Consumer Health Data only as permitted by law and for purposes including:

• Providing and improving our Services
• Personalizing your experience and health insights
• Research and analytics (in de-identified or aggregated form where possible)
• Communicating with you about your account or health goals
• Complying with legal obligations

We do not use Consumer Health Data for targeted advertising without your express consent.

4. How We Share Consumer Health Data

We may share your Consumer Health Data with:

• Service providers & vendors who support our operations (e.g., cloud hosting, analytics, customer support).
• Healthcare partners (if applicable) who provide services you request.
• Legal or regulatory authorities when required to comply with applicable law, regulation, or court order.
• Business transfers if we undergo a merger, acquisition, or sale of assets.

We do not sell your Consumer Health Data without your explicit authorization.

5. Your Privacy Rights

Depending on where you live, you may have rights such as:

• Access: Request a copy of your Consumer Health Data we hold.
• Correction: Request correction of inaccurate information.
• Deletion: Request deletion of your Consumer Health Data (subject to legal retention requirements).
• Consent withdrawal: Revoke your authorization for certain uses of your data.

To exercise your rights, contact us at:

Email: help@mitohealth.com

We will respond within the timelines required by law.

6. Data Security & Retention

We use technical, administrative, and organizational measures to protect Consumer Health Data from unauthorized access, disclosure, or misuse. We retain your data only as long as necessary to fulfill the purposes described in this Notice or as required by law.

7. International Users

Our Services are intended for use in the United States. If you use our Services from outside the U.S., you consent to the processing and storage of your information in the U.S. where privacy laws may differ.

8. Changes to This Notice

We may update this Notice from time to time. We will notify you of material changes by posting the updated Notice on our website and updating the “Last Updated” date above.

9. Contact Us

If you have questions about this Notice or our practices regarding Consumer Health Data, please contact us:

help@mitohealth.com