Privacy Policy v2.0
Effective Date: March 19, 2026
Last Revised: March 2026
Entity: Hoot Health Inc. (Delaware)
Privacy Officer: privacy@gethoot.com
Hoot Health Inc. (“Hoot,” “we,” “us,” or “our”) operates a physician-led digital health education and patient engagement platform to assist health care providers in managing various health conditions, including myopia care (the “Services”). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information and your rights regarding that information.
This Privacy Policy applies to all users of our Services, including patients, parents and guardians of minor patients, and health care provider customers (“Providers”). It does not apply to the independent data practices of Providers or third parties.
Important — Please Read
This Privacy Policy contains important information about your rights, including state-specific rights for California, Illinois, New York, Texas, and New Jersey residents. Your use of the Services is subject to this Privacy Policy and our Terms of Use. Use of the Services does not, by itself, constitute consent to uses of your personal information that require your affirmative opt-in consent under applicable law.
1. Personal Information We Collect
1.1 What Is Personal Information
Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked — directly or indirectly — with a particular individual or household. Personal information does not include: publicly available information from government records; genuinely anonymous, de-identified, or aggregated data (even if derived from personal information); or information about businesses or their employees acting in a purely commercial capacity.
1.2 Categories of Personal Information We Collect
Sensitive Personal Information
We collect categories of personal information that are considered “sensitive” under California law (CCPA/CPRA) and analogous state laws, including health and medical information, government identifying numbers, financial information, and precise geolocation data. Your rights with respect to sensitive personal information are described in Sections 12 and 13.
We collect, process, and store the following categories of personal information in order to provide and improve our Services.
Category | Examples | Sensitive?
--- | --- | ---
Identifiers and Contact Information | Full name, postal address, email address, phone number, username, account credentials | No
Health and Medical Information | Medical conditions, medical history, family medical history, diagnoses, treatments, prescriptions, vision measurements, myopia care records, clinical assessments, and treatment plans | Yes — Sensitive
Protected Health Information (PHI) | Health information collected on behalf of Providers that is subject to HIPAA. See Section 5 for details. | Yes — Sensitive; HIPAA-Regulated
Communications Content | Mail, email, and text message contents exchanged through the Services between patients and Providers; customer service communications | No
Provider Professional Information | Information about a Provider’s practice, employees, contractors, prescribing history, and professional credentials | No
Government Identifying Numbers | National Provider Identifier (NPI) and similar professional licensing numbers | Yes — Sensitive
Financial and Payment Information | Credit card and payment information (processed by third-party payment processors Stripe or PayPal) | Yes — Sensitive
Internet and Device Information | Device type, browser and operating system, IP address, device identifiers, referring webpage, crash data, cookie data, and interaction statistics | No
Services Usage Data | Log-on activity, date and time of visits, search terms, content views, clicks, downloads, and feature interactions | No
Approximate Geolocation | City/region-level location derived from IP address when using the Services | No (approximate only)
Sensory Data | Voice recordings made in connection with the Services | No
Communication Preferences | Marketing, privacy, and communication preferences, including SMS/text consent records | No
Biometric Information (if applicable) | If your Provider’s use of the Services involves collection of biometric data (such as iris imaging for myopia assessment), we collect such data on behalf of your Provider. See Section 5 and 13.2 (Illinois BIPA). | Yes — Sensitive
AI-Derived Inferences | Profiles, preferences, and characteristics inferred from the above categories using automated processing or AI/machine learning systems | No
Other Voluntarily Provided Information | Information you provide when submitting support queries, providing feedback, or otherwise communicating with us | No
Text Messaging and SMS Consent Data
Notwithstanding anything else in this Privacy Policy, all of the above categories exclude text messaging originator opt-in data and consent. Text messaging originator opt-in data and consent will not be shared, sold, rented, disclosed, or otherwise provided to any third parties for their own marketing, advertising, promotional, analytics, or independent business purposes. Such information may only be shared with aggregators and providers of the text messaging services solely for the purpose of delivering and managing those messaging services.
1.3 Sources of Personal Information
- Directly from you: When you access or use the Services, create an account, or communicate with us by mail, email, phone, text, webchat, QR code, or social media.
- Indirectly from your device: Automatically through cookies, pixels, web beacons, and similar tracking technologies when you use the Services. See Section 7.
- From your Provider: Your Provider may share information about you in connection with providing the Services, including appointment scheduling, clinical records, and educational content requests.
- From third-party vendors: Analytics providers, data enrichment providers, and technology partners. See Section 3.
- From AI and automated systems: Inferences generated by Hoot’s AI/machine learning systems based on the above categories. See Section 2.5.
1.4 Text Message Opt-In Data
Text messaging originator opt-in data, consent records, and phone numbers provided for SMS messaging will not be sold, shared, rented, disclosed, or otherwise provided to any third parties for their own marketing, advertising, promotional, analytics, or independent business purposes. This information is used solely to deliver and manage the SMS messaging services you have requested. See Section 8 for full SMS privacy details.
2. How We Use Personal Information
We use personal information only for the purposes described below and only to the extent consistent with applicable law, including HIPAA (with respect to PHI). We do not use personal information for purposes incompatible with those stated here without first obtaining your consent or providing you with notice and the opportunity to object.
2.1 Providing and Improving the Services
To deliver, operate, maintain, and improve the Services; develop new services and products; prevent or address errors, security issues, and technical problems; analyze usage trends; and respond to requests and inquiries from Providers, patients, and third parties.
2.2 Personalization and User Experience
To personalize your experience, remember your preferences, and deliver content of interest to you. We use cookies and device information to improve navigation and reduce repetitive data entry. See Section 7.
2.3 Marketing and Communications
To market relevant health care products and services to you, subject to your consent and opt-out rights described in Sections 12 and 13. We distinguish between: (a) first-party marketing — communications about Hoot’s own services, for which you may opt out at any time; and (b) third-party paid marketing — communications for which we receive financial remuneration from third parties, which require your separate written authorization under HIPAA (45 C.F.R. § 164.508(a)(3)) if involving PHI, and your affirmative opt-in consent under applicable state law.
2.4 De-identification and Analytics
To de-identify PHI in accordance with 45 C.F.R. § 164.514 and to aggregate and anonymize personal information such that it no longer constitutes personal information or PHI. De-identified and anonymized data may be used for research, analytics, product improvement, and commercial purposes without restriction. See Section 5.3.
2.5 Artificial Intelligence and Machine Learning
We use automated processing, including artificial intelligence (AI) and machine learning (ML) systems, to: (a) generate or augment educational content and patient communications (“AI Content”); (b) create profiles of individual preferences and characteristics (“profiling”) for service personalization; and (c) train, validate, and improve Hoot’s AI models using de-identified or aggregated data. We do not use identifiable PHI to train AI models without a lawful basis under HIPAA. You have the right to object to automated profiling that produces legal or similarly significant effects by contacting privacy@gethoot.com. AI Content is for informational purposes only and does not constitute medical advice.
2.6 Business Operations
To operate our business, including engaging third-party vendors and service providers for hosting, technology, communications, analytics, and support; managing payments; and conducting audits.
2.7 Legal, Safety, and Compliance
To perform audits and monitoring; support security and anti-fraud operations; investigate and respond to disputes; exercise and defend legal claims; protect the rights, property, or safety of you, Hoot, or third parties; respond to legal process (including subpoenas); comply with and enforce applicable laws, regulations, and agreements; and respond to governmental, court, or law enforcement requests.
2.8 Business Transactions
In connection with a merger, acquisition, sale, financing, bankruptcy, or other business transaction in which a third party invests in or acquires control of Hoot’s business or assets (in whole or in part), your personal information may be disclosed or transferred as part of that transaction. We will provide notice of any such transaction that materially changes how your personal information is used.
3. How We Share Personal Information
3.1 Providers
We collect and process certain personal information on behalf of Providers as their service provider. With respect to information collected on behalf of a Provider, that Provider is considered the “controller” (or “covered entity” under HIPAA) of such personal information, and Hoot acts as a “processor” (or “business associate”). This Privacy Policy does not govern how Providers use your personal information independently of Hoot’s Services. Please consult your Provider’s privacy notice or Notice of Privacy Practices for information about their independent data practices.
3.2 Service Providers and Vendors
We share personal information with third-party service providers who assist us in providing the Services or performing business functions on our behalf, including:
- Hosting, cloud infrastructure, and technology providers;
- Analytics providers (including Google Analytics — see Section 7);
- Customer support and communications providers;
- Payment processors: Stripe, Inc. (stripe.com/privacy) and PayPal, Inc. (paypal.com privacy policy);
- SMS messaging aggregators and providers (solely for delivering messaging services);
- Legal, financial, and professional advisors (attorneys, auditors, accountants); and
- Pharmaceutical and health care industry partners who support delivery of physician-led patient education programs.
Service providers who process PHI on our behalf are required to execute HIPAA Business Associate Agreements and are contractually prohibited from using your PHI for their own purposes.
3.3 Third Parties You Authorize
We may share personal information with third parties you access, authorize, or authenticate through the Services. Information shared with such third parties is subject to their privacy policies. Please review applicable third-party privacy policies before authorizing access.
3.4 Legal and Regulatory Disclosures
We may disclose personal information to governmental authorities, law enforcement, courts, regulators, or other third parties when required by applicable law, court order, subpoena, legal process, or when we reasonably believe disclosure is necessary to: protect the rights, property, or safety of Hoot, you, or others; detect, prevent, or respond to fraud or security incidents; or enforce our Terms of Use or other agreements.
3.5 Business Transactions
Personal information may be disclosed or transferred in connection with a merger, acquisition, asset sale, financing, bankruptcy, or similar business transaction. We will notify you of any such transaction that materially affects your personal information rights.
3.6 Pharma and Health Industry Partners
Hoot partners with pharmaceutical and health care industry companies (including Johnson & Johnson Vision and similar partners) to deliver physician-led patient education programs. We may share de-identified or aggregated patient data with such partners in connection with program analytics and improvement. We do not share identifiable patient PHI with pharma or industry partners without a valid HIPAA authorization from the individual. We may share Provider professional information (such as prescribing data and NPI numbers) with industry partners, subject to Provider opt-out rights described in Section 4.2.
3.7 Text Messaging Data Restriction
Text messaging originator opt-in data, consent records, and mobile phone numbers provided for SMS communications will not be shared with any third party for their own marketing, advertising, or analytics purposes. Such information may only be shared with SMS aggregators and messaging providers for the sole purpose of delivering and managing the messaging services you have requested.
All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties for their own purposes. This information may only be shared with aggregators and providers of the text messaging services solely for the purpose of delivering and managing those messaging services.
4. Sale of Personal Information; Targeted Advertising
For purposes of this Privacy Policy, “sale” means the disclosure of personal information to a third party in exchange for money or other valuable consideration, as defined under the CCPA/CPRA and analogous state laws.
4.1 Patient Personal Information — No Sale Without Authorization
Patient Data Protection
Unless a patient (or the patient’s parent or guardian) has provided separate written consent that meets applicable legal requirements — including HIPAA authorization for PHI — Hoot does NOT sell, share for third-party direct marketing, or share for cross-contextual behavioral advertising or targeted advertising purposes the personal information of patients.
We may sell or otherwise use De-identified Data derived from patient health information, including for marketing and advertising purposes. De-identified Data is not PHI and is not personal information under applicable privacy law, provided it meets the applicable de-identification standard.
4.2 Provider Personal Information — Opt-Out Available
Unless a Provider opts out, Hoot:
- May sell the personal information of Providers (including professional information, prescribing data, and contact information) to third parties;
- May share Provider personal information with third parties for those third parties’ direct marketing purposes; and
- May share Provider personal information with third parties for cross-contextual behavioral advertising and targeted advertising purposes.
Providers may opt out of the above at any time by submitting a Valid Request as described in Section 12.2. Text messaging opt-in data and consent records are excluded from all of the above and will not be sold or shared for third parties’ own purposes.
4.3 Sensitive Personal Information — Limited Use
We do not use or disclose sensitive personal information (as defined under the CCPA/CPRA, including health information, government IDs, financial information, and biometric data) for purposes beyond those necessary to provide the Services, except as required by law or with your express consent. You have the right to limit our use of sensitive personal information as described in Section 13.1 (California Residents).
5. Protected Health Information (PHI) and HIPAA
5.1 Hoot’s Role as a Business Associate
When Hoot collects or processes Protected Health Information (PHI) in connection with services provided to your health care Provider, Hoot acts as a Business Associate of your Provider under HIPAA (45 C.F.R. § 160.103). Your Provider is the Covered Entity and controls how your PHI is used and disclosed. Hoot’s processing of your PHI is governed by: (a) a HIPAA Business Associate Agreement between Hoot and your Provider; (b) applicable HIPAA Privacy and Security Rules; and (c) any HIPAA authorization you have separately provided.
5.2 How We Use and Disclose PHI
Hoot may use and disclose PHI only as permitted by HIPAA and the applicable Business Associate Agreement, including:
- To provide the Services on behalf of your Provider;
- For Hoot’s proper management, administration, and legal responsibilities, as permitted under 45 C.F.R. § 164.504(e)(4);
- As required by law;
- As authorized in a valid HIPAA authorization you have signed; and
- To de-identify PHI in accordance with 45 C.F.R. § 164.514 (see Section 5.3).
Hoot will not sell or disclose identifiable PHI to third parties for financial remuneration without a valid, written HIPAA authorization as required by ARRA § 13405(d) and 45 C.F.R. § 164.508(a)(3).
5.3 De-identification of PHI
Hoot may de-identify PHI in accordance with the standards of the HIPAA Privacy Rule (45 C.F.R. § 164.514), using either the Expert Determination Method or the Safe Harbor Method. Once de-identified, data is no longer PHI and is not subject to HIPAA restrictions. Hoot owns all De-identified Data it creates and may use, license, sell, or otherwise commercialize such data, including for research, analytics, and commercial purposes.
5.4 AI/ML Use of PHI
Hoot may use de-identified data derived from PHI to train, validate, and improve AI and machine learning models used in the Services. Hoot does not use identifiable PHI to train AI models without a specific lawful basis under HIPAA and applicable law. Hoot retains sole and exclusive ownership of all AI models and derived insights developed using de-identified data.
5.5 Your HIPAA Rights
As a patient whose PHI is processed by Hoot, you have the following rights under HIPAA, exercisable primarily through your Provider:
- Right to Access: Request a copy of your PHI (45 C.F.R. § 164.524);
- Right to Amendment: Request correction of inaccurate PHI (45 C.F.R. § 164.526);
- Right to Accounting of Disclosures: Request a list of disclosures of your PHI (45 C.F.R. § 164.528);
- Right to Request Restrictions: Request restrictions on uses and disclosures of your PHI (45 C.F.R. § 164.522);
- Right to a Notice of Privacy Practices: Receive your Provider’s Notice of Privacy Practices;
- Right to Revoke Authorization: Revoke any authorization you have provided; and
- Right to File a Complaint: File a complaint with HHS Office for Civil Rights at hhs.gov/ocr/privacy/hipaa/complaints or by calling 1-800-368-1019. Hoot will not retaliate against you for filing a complaint.
To exercise HIPAA rights with respect to PHI held by Hoot, contact our Privacy Officer at privacy@gethoot.com. We will coordinate with your Provider as appropriate.
5.6 Security of PHI
Hoot maintains administrative, physical, and technical safeguards designed to protect PHI consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), including encryption of PHI at rest and in transit, role-based access controls, audit logging, and annual risk assessments. See Section 10.
6. Children’s Privacy
6.1 Account Age Requirement
You must be at least 18 years of age to create an account or independently access the Services. The Services are not directed to individuals under 18 who are acting independently.
6.2 COPPA — Children Under 13
Hoot does not knowingly collect personal information directly from children under 13 years of age, consistent with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq. If Hoot discovers that it has inadvertently collected personal information directly from a child under 13 without verifiable parental consent, Hoot will delete that information as promptly as possible.
If you believe a child under 13 may have provided personal information to Hoot without parental consent, please contact our Privacy Officer at privacy@gethoot.com.
6.3 Parental Collection of Children’s Health Data
Because Hoot provides myopia care services that frequently involve minor patients, parents and legal guardians may provide personal information — including health information — about their minor children through the Services. By providing such information, you represent that:
- You are the parent or legal guardian of the child;
- You have the legal authority to provide the child’s personal information and health data; and
- You consent to Hoot’s collection and use of your child’s personal information as described in this Privacy Policy and any applicable HIPAA authorization.
6.4 No Sale of Children’s Data Under 16
Hoot does not sell or share for cross-contextual behavioral advertising or targeted advertising purposes the personal information of individuals under 16 years of age, consistent with applicable state law (including California’s CCPA/CPRA and similar statutes).
6.5 Third Parties’ Personal Information
You may not disclose another individual’s personal information to Hoot, or make it available through the Services, unless: (a) you are a parent or guardian providing your own child’s information; or (b) you are providing the information of an individual 18 years of age or older who has given you prior written consent to do so. You are solely responsible for compliance with all applicable laws regarding personal information you provide about others.
7. Cookies and Tracking Technologies
7.1 What We Use
The Services use cookies and similar tracking technologies — including pixel tags, web beacons, clear GIFs, and JavaScript — to collect data about your use of the Services, analyze trends, and improve the Services. We categorize cookies as follows:
Category | Purpose | Required?
--- | --- | ---
Strictly Necessary | Essential for the Services to function (login sessions, security). Cannot be disabled without affecting Service availability. | Yes
Functional / Preference | Remember your preferences and settings (language, saved information). Improve user experience. | No
Analytics and Performance | Collect anonymous usage data to understand how users interact with the Services and improve performance. Includes Google Analytics. | No
Advertising and Targeting | Track browsing activity across websites to deliver targeted advertising and measure campaign effectiveness. | No
7.2 Third-Party Cookies: Google Analytics
We use Google Analytics to analyze usage of the Services. Google collects data as described at support.google.com/analytics/answer/11593727. To opt out of Google Analytics data collection, install the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout. You may also manage Google’s personalized ads at myadcenter.google.com.
7.3 Managing Cookies
You may control cookies through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, or receive alerts before a cookie is placed. Disabling non-essential cookies will not prevent you from using the Services, but may affect personalization and certain features. For information about managing cookies, visit allaboutcookies.org.
To opt out of targeted advertising from participating third parties, visit the Network Advertising Initiative or the Digital Advertising Alliance.
7.4 Do Not Track
Our Services do not currently respond to browser-level “Do Not Track” (DNT) signals because no industry-wide standard for DNT response has been established. However, you may exercise opt-out rights through your browser settings and the methods described in Section 12. We will update this disclosure if our practices change.
8. SMS / Text Message Communications
Hoot operates an SMS messaging program to deliver health care-related and educational communications to patients and Providers. Participation is voluntary and requires your affirmative opt-in.
8.1 What We Send
Educational health tips, appointment reminders, wellness updates, myopia care-related communications, and other health care-related messages.
8.2 Opt-In
You must actively opt in to receive SMS messages by providing your mobile phone number and express written consent, consistent with the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227. Your consent to receive marketing text messages is not a condition of purchasing any goods or services from Hoot. Message and data rates from your mobile carrier may apply.
8.3 Message Frequency
Patients who opt in may receive up to 3 messages per month. Frequency may vary based on your health care needs, treatment plan, and the programs you participate in.
8.4 Opt-Out
You may opt out of SMS messages at any time by replying STOP to any message. After opting out, you will receive a single confirmation message. For help, reply HELP or contact hello@gethoot.com.
8.5 Data Use and Sharing
We use your mobile phone number solely to send the messages you have requested. Text messaging originator opt-in data, consent records, and phone numbers will not be sold, shared, rented, disclosed, or otherwise provided to any third parties for their own marketing, advertising, promotional, analytics, or business purposes. This information may only be shared with SMS aggregators and messaging providers for the purpose of delivering and managing your messaging services.
8.6 Data Retention
We retain your phone number and SMS consent records for as long as you remain opted in to the program, and for a reasonable period thereafter as required by our legal obligations or as needed to document your consent.
9. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, to provide the Services, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Retention periods vary by category:
Category | Retention Period
--- | ---
PHI and HIPAA-regulated records | Minimum 6 years from date of creation or last effective date, as required by 45 C.F.R. § 164.530(j). Longer periods may apply under state law.
Patient account and health data | Duration of the patient’s active relationship with their Provider plus applicable legal retention periods. Hoot may retain de-identified versions indefinitely.
Provider account and professional data | Duration of the Provider’s active account plus reasonable post-termination period for legal, audit, and compliance purposes (generally up to 7 years).
SMS consent records | Duration of opt-in period plus a minimum of 4 years post-opt-out, consistent with TCPA statute of limitations.
HIPAA authorization records | Minimum 6 years from date of signature, as required by 45 C.F.R. § 164.530(j).
Website and device analytics data | As configured in applicable analytics tools (typically 26 months for Google Analytics data), subject to applicable law.
Legal and compliance records | As required by applicable law, typically 7 years for financial records and contract-related data.
You may request deletion of your personal information (where not required to be retained by law) by contacting privacy@gethoot.com. Hoot will respond within 30 days, subject to applicable legal exceptions including HIPAA retention requirements.
10. Data Security and Breach Notification
10.1 Security Safeguards
Hoot maintains administrative, physical, and technical safeguards designed to protect personal information and PHI from unauthorized access, use, disclosure, alteration, or destruction. These safeguards include, but are not limited to:
- Encryption of PHI and sensitive personal information at rest (AES-256 or equivalent) and in transit (TLS 1.2 or higher);
- Multi-factor authentication for access to systems processing PHI;
- Role-based access controls limiting access to personal information on a need-to-know basis;
- Comprehensive audit logging of access to and modifications of PHI;
- Annual third-party penetration testing and regular vulnerability scanning; and
- A documented incident response plan and workforce security training program.
10.2 Limitations
Despite our efforts, no method of electronic transmission or storage is 100% secure. Hoot cannot guarantee that personal information will never be accessed, acquired, disclosed, altered, or destroyed by an unauthorized party. You are encouraged to use strong passwords, not share account credentials, and log out of your account when using a shared or unsecured device.
10.3 Breach Notification
In the event of a data breach affecting your PHI, Hoot will notify affected individuals, your Provider, and the U.S. Department of Health and Human Services in accordance with HIPAA’s Breach Notification Rule (45 C.F.R. §§ 164.400–414) within the required timeframes (generally 60 days of discovery for individuals; promptly for HHS). In the event of a breach affecting non-PHI personal information, Hoot will provide notification in accordance with applicable state breach notification laws, including those of New Jersey (N.J.S.A. 56:8-161), California (Cal. Civ. Code § 1798.29), and other applicable jurisdictions.
11. International Data Transfers
Hoot operates from the United States and the personal information we collect is stored and processed primarily in the United States. If you access the Services from outside the United States, your personal information will be transferred to, stored, and processed in the United States, which may not have the same data protection laws as your country of residence.
By providing personal information to Hoot, you acknowledge that your information may be transferred to and processed in the United States and other jurisdictions. For PHI, international transfers are subject to applicable HIPAA requirements and our Business Associate Agreements with Providers. Hoot does not transfer PHI outside the United States without appropriate safeguards.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland and have questions about international data transfers, please contact our Privacy Officer at privacy@gethoot.com.
-
Your Privacy Rights and Choices
12.1 Your Rights Subject to applicable law and certain exceptions, you have the following rights with respect to your personal information:
- Right to Know / Access: Request information about the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we have shared it.
- Right to Delete: Request deletion of personal information we have collected about you, subject to legal exceptions (including HIPAA retention requirements).
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Opt Out of Sale: Direct us not to sell your personal information to third parties. This right applies to Provider personal information; patient PHI is not sold without a valid HIPAA authorization.
- Right to Opt Out of Targeted Advertising: Direct us not to share your personal information for cross-contextual behavioral advertising or targeted advertising purposes.
- Right to Opt Out of Third-Party Marketing: Request that we no longer share your personal information with third parties for their direct marketing purposes. You may also request disclosure of the types of personal information shared and the identities of such third parties (once per calendar year).
- Right to Revoke PHI Authorizations: If you have authorized Hoot to sell your PHI or use it for marketing, you may revoke that authorization at any time. Revocation does not apply to uses or disclosures already made.
- Right to Non-Discrimination: Hoot will not discriminate against you for exercising your privacy rights, including by denying services, charging different prices, or providing a different level of service, except as permitted by applicable law.
12.2 How to Submit a Request
To exercise the rights described above, you or your authorized agent must submit a Valid Request that: (1) provides sufficient information to verify your identity; and (2) describes your request in sufficient detail for Hoot to understand, evaluate, and respond to it.
Submit requests by:
- Email: privacy@gethoot.com (for HIPAA and privacy rights requests)
- Email: hello@gethoot.com (for general account and data requests)
- Account Portal: You may update or correct account information directly by logging into your account.
We may request identity verification information (name, email, account identifier) before processing your request. We will only use verification information to verify your identity and process your request.
12.3 Response Timeframes
Request Type | Initial Response | Maximum Extension
Access, deletion, correction | 45 days (CCPA); 30 days (TX, VA, CO) | 45 additional days with notice
Opt-out of sale / targeted advertising | 15 business days | None
HIPAA-related PHI requests | 30 days | 30 additional days with written notice
Hoot will not charge a fee for Valid Requests unless they are excessive, repetitive, or manifestly unfounded. If we cannot honor a request, we will explain why in our response. We will not honor requests where prohibited by applicable law (including HIPAA).
12.4 Authorized Agents
You may authorize an agent to exercise your privacy rights on your behalf. Your authorized agent must provide written authorization from you (or proof of power of attorney), and Hoot may verify your authorization directly with you before fulfilling the request.
12.5 Appeal Process
If Hoot declines to take action on a Valid Request, you may appeal that decision within 30 days by emailing privacy@gethoot.com with the subject line “Privacy Rights Appeal.” Hoot will respond to your appeal within 45 days (or as required by applicable state law) and will provide information about your right to contact the applicable state Attorney General or privacy regulator if your appeal is denied.
13. State-Specific Privacy Rights
13.1 California Residents — CCPA/CPRA and CMIA
If you are a California resident, the California Consumer Privacy Act of 2018 and the California Privacy Rights Act (collectively, “CCPA/CPRA”) provide you with the following rights in addition to those in Section 12:
- Right to Know (Categories and Specific Pieces): Request information about the categories of personal information collected, sources, business purposes, and third-party recipients, as well as specific pieces of personal information collected about you.
- Right to Limit Use of Sensitive Personal Information: Direct Hoot to limit use of sensitive personal information (including health data, government IDs, and financial information) to purposes necessary to provide the Services, rather than for additional commercial or inferential purposes. To exercise this right, contact privacy@gethoot.com.
- “Shine the Light” Request (Cal. Civ. Code § 1798.83): California residents may request information about third parties to whom Hoot has disclosed personal information for their direct marketing purposes in the immediately preceding calendar year. Submit requests to privacy@gethoot.com.
- California Confidentiality of Medical Information Act (CMIA): Your medical information is additionally protected under Cal. Civ. Code § 56 et seq. Hoot complies with CMIA requirements applicable to business associates of health care providers. Unauthorized disclosures of medical information may result in statutory penalties of $1,000 per negligent violation and $3,000 per intentional violation.
Hoot does not discriminate against California residents for exercising CCPA/CPRA rights. You will not receive inferior service, be charged higher prices, or receive different benefits for exercising your rights.
13.2 Illinois Residents — BIPA
If you are an Illinois resident and Hoot collects or processes your biometric data — such as iris scans, retinal images, or eye measurements used in myopia care — on behalf of your Provider, you have rights under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., including:
- The right to receive a written release form before biometric data is collected;
- The right to receive a written policy establishing a retention schedule and destruction guidelines for biometric data;
- The right to be informed of the specific purpose and duration for which biometric data is collected; and
- The right to prohibit sale of your biometric data — Hoot does not sell, lease, trade, or profit from biometric data.
Contact privacy@gethoot.com for information about Hoot’s biometric data practices and retention schedules applicable to Illinois residents.
13.3 New York Residents — SHIELD Act and NYHIPA
If you are a New York resident, you have rights under the New York SHIELD Act (N.Y. Gen. Bus. Law § 899-aa et seq.) and the New York Health Information Privacy Act (NYHIPA), including rights to be notified of data breaches affecting your private information and rights related to health data processed by covered businesses. Hoot maintains a data security program that complies with the SHIELD Act’s reasonable security requirements. Contact privacy@gethoot.com for more information.
13.4 Texas Residents
If you are a Texas resident, you have rights under the Texas Medical Records Privacy Act (Tex. Health & Safety Code § 181 et seq.) and the Texas Data Privacy and Security Act (TDPSA), including rights to access, correct, delete, and opt out of the sale or processing of your personal data, as well as the right to appeal a decision to deny your request. Violations of the Texas Medical Records Privacy Act can result in civil penalties of up to $5,000 per day. Contact privacy@gethoot.com to exercise your Texas rights.
13.5 New Jersey Residents
If you are a New Jersey resident, you have rights under the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) and related data protection statutes, including the right to be notified of security breaches affecting your personal information. Hoot maintains safeguards as required by New Jersey law. Contact privacy@gethoot.com for more information.
13.6 Other States
Residents of Colorado, Connecticut, Virginia, Utah, and other states with enacted comprehensive privacy laws may have additional rights, including rights to access, delete, correct, and opt out of the processing of their personal data. Hoot honors these rights on a state-by-state basis as applicable law requires. Contact privacy@gethoot.com to exercise state-specific rights.
14. Changes to This Privacy Policy
Hoot may update this Privacy Policy from time to time. When we make material changes, we will: (a) post the revised Privacy Policy on the Services with a new “Effective Date” and “Last Revised” date; and (b) notify you of material changes by email to your registered address or by conspicuous notice on the Platform at least 30 days before the changes take effect, where required by applicable law.
Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acknowledgment of the changes. We encourage you to review this Privacy Policy periodically. Non-material changes (typographical corrections, clarifications, reorganization) may be made without advance notice and take effect upon posting.
If we make changes that materially affect how we use your PHI, we will obtain a new HIPAA authorization from you if required by applicable law.
15. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or your personal information, please contact us using the appropriate channel below:
Purpose | Contact
HIPAA rights, PHI requests, data breaches, privacy rights appeals | HIPAA Privacy Officer privacy@hootmyopiacare.com
General privacy questions, account support, data requests | support@gethoot.com
Postal mail | Hoot Health Inc. 3495 US Highway 1, STE 34 #1126 Princeton, NJ 08540
Disability access to this Privacy Policy in alternative format | support@gethoot.com
File a HIPAA complaint with HHS OCR | hhs.gov/ocr/privacy/hipaa/complaints 1-800-368-1019 (toll-free)
NON-RETALIATION COMMITMENT
Hoot will not retaliate against you in any way for exercising your privacy rights, filing a complaint with a regulatory authority, or contacting Hoot’s Privacy Officer.
Hoot Health Inc. — Privacy Policy v2.0 — Effective March 2026