Consumer Health Data Privacy Policy — Alpha v1.0

Effective date: May 13, 2026 Company: Care Core, Inc. (“CareCore,” “we,” “us,” or “our”) Contact: legal@carecore.io

This Consumer Health Data Privacy Policy describes how CareCore collects, uses, shares, and protects Consumer Health Data in connection with our websites, applications, creator storefronts, products, services, health-related intake flows, checkout flows, communications, and related online or offline services (collectively, the “Service”).

This Policy supplements our general Privacy Policy. If this Policy conflicts with our general Privacy Policy with respect to Consumer Health Data, this Policy controls to the extent required by applicable law.

For purposes of this Policy, “Consumer Health Data” means personal information that is linked or reasonably linkable to you and that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be used to infer your past, present, or future physical or mental health status, where applicable law treats that information as consumer health data or similar health-related information.

1. When this Policy applies

This Policy may apply when you:

  • Visit or interact with a CareCore website, app, landing page, checkout flow, creator storefront, condition-specific page, or health-related product page.
  • Create an account or complete a health-related profile, questionnaire, eligibility screen, or intake flow.
  • Purchase, request, or consider a health-related product or service, including products or services that may involve supplements, wellness protocols, prescription medications, laboratory or diagnostic testing, or clinical consultations.
  • Communicate with CareCore, a creator, a Clinical Partner, a pharmacy, a laboratory, or support personnel through the Service.
  • Use CareCore tools that generate health-related recommendations, content, personalization, routing, reminders, or other health-related outputs.

Certain medical, pharmacy, laboratory, or clinical services may be provided by independent licensed clinicians, professional medical corporations, pharmacies, laboratories, or other regulated entities (“Clinical Partners”), not by CareCore. Clinical Partners may provide their own notices and may be subject to HIPAA or other healthcare privacy laws. CareCore’s role and applicable privacy obligations may vary depending on the workflow and data relationship.

2. Categories of Consumer Health Data we may collect

Depending on your interaction with the Service, we may collect the following categories of Consumer Health Data:

  • Health goals, interests, preferences, and requested outcomes.
  • Health conditions, symptoms, diagnoses, medical history, family history, and risk factors that you choose to provide.
  • Prescription medication, supplement, treatment, protocol, allergy, contraindication, adverse-event, and medication-history information.
  • Laboratory, diagnostic, biomarker, genetic, biometric, wearable, physiologic, or test-result information that you provide or authorize us to receive.
  • Lifestyle and wellness information, such as nutrition, exercise, sleep, stress, recovery, reproductive health, sexual health, gender-affirming care, weight, body composition, or similar information, if collected through the Service.
  • Information about health-related purchases, subscriptions, reorder history, product interests, storefront interactions, or abandoned health-related checkout flows.
  • Communications with CareCore, creators, support teams, or Clinical Partners that reveal health status, health goals, symptoms, treatments, or care needs.
  • Technical, device, online-activity, interaction, location, or inference data when that information reveals or is used to infer health status, health interests, care-seeking behavior, or interaction with health-related pages or services.
  • Derived or inferred health data, such as inferred protocol interests, product categories, eligibility signals, personalization outputs, or health-related segmentation, where applicable law treats those inferences as Consumer Health Data.

We do not intend to collect more Consumer Health Data than is reasonably necessary for the Service you request or authorize.

3. Sources of Consumer Health Data

We may collect Consumer Health Data from:

  • You, including through accounts, forms, questionnaires, purchases, uploads, messages, support requests, and consent flows.
  • Creators, when they use CareCore to operate storefronts or provide content, only to the extent permitted by law, our contracts, and the applicable user-consent flow.
  • Clinical Partners, pharmacies, laboratories, fulfillment partners, or other healthcare-related vendors, where you have requested or authorized a workflow involving those parties and applicable law permits the exchange.
  • Service providers or processors that support hosting, security, customer support, analytics, payments, communications, identity verification, scheduling, fulfillment, or compliance.
  • Devices, browsers, cookies, pixels, SDKs, logs, and similar technologies, subject to the restrictions in this Policy and applicable consent choices.
  • Information we create, derive, infer, or generate from your use of the Service, such as personalization outputs or eligibility/routing information.

4. How we use Consumer Health Data

We may use Consumer Health Data for the following purposes:

  • To provide, operate, maintain, secure, and improve the Service.
  • To create and manage your account, profile, preferences, orders, subscriptions, communications, and support requests.
  • To process purchases, payments, refunds, chargebacks, shipping, fulfillment, tax, fraud-prevention, and dispute workflows.
  • To support health-related intake, routing, eligibility, scheduling, pharmacy, laboratory, diagnostic, or Clinical Partner workflows that you request or authorize.
  • To personalize your experience, recommend content or products, and display creator storefronts or health-related information, where permitted by law and consistent with your choices.
  • To communicate with you about your account, orders, Service updates, safety notices, product changes, policy changes, and support issues.
  • To conduct quality, safety, security, fraud-prevention, debugging, analytics, compliance, and audit activities.
  • To comply with legal, regulatory, tax, accounting, recordkeeping, safety, law-enforcement, professional, or dispute-resolution obligations.
  • To create aggregated, de-identified, or anonymized information that does not identify you and is not reasonably linkable to you, subject to applicable law.

5. Advertising, pixels, and health-event data

We do not share Consumer Health Data with third-party advertising platforms for interest-based advertising, retargeting, lookalike audiences, custom-audience matching, ad optimization, or cross-context behavioral advertising unless we have obtained consent or authorization required by applicable law and implemented appropriate restrictions.

Operationally, we do not send the following to Meta, TikTok, Google, or similar advertising platforms from health-related surfaces:

  • Health intake answers, symptoms, diagnoses, lab values, medication/Rx information, supplement history, condition interests, protocol eligibility, product/SKU health category, creator-store health category, order details, checkout events, user identifiers tied to health events, or clinical/Rx/lab workflow events.
  • URLs, page titles, event names, custom parameters, hashed identifiers, or audience lists that reveal or allow inference of health status, treatment interest, medication interest, lab testing, or condition-specific care-seeking.

Where we use analytics on health-related surfaces, we configure analytics to minimize collection, avoid health-event parameters, and operate under service-provider/processor restrictions where feasible.

6. When we may share Consumer Health Data

We may share Consumer Health Data only as described in this Policy, as directed or authorized by you, or as otherwise permitted by applicable law.

Recipient categories may include:

  • Clinical Partners, pharmacies, laboratories, and healthcare vendors: to support clinical, prescription, laboratory, diagnostic, eligibility, scheduling, fulfillment, safety, or related workflows that you request or authorize.
  • Service providers and processors: to host, secure, operate, support, analyze, communicate, process payments, prevent fraud, fulfill orders, and maintain the Service, subject to appropriate contractual restrictions.
  • Creators: only when the sharing is minimum necessary for the creator to provide a requested non-clinical Service function, when information is aggregated/de-identified, or when you have given explicit consent for identifiable Consumer Health Data sharing for a documented purpose. Creators should not receive clinical notes, prescription details, lab results, contraindications, medical history, or other clinical/Rx/lab details by default.
  • Professional advisors and legal/compliance recipients: such as lawyers, auditors, insurers, banks, tax advisors, and compliance consultants, where necessary for business, legal, accounting, insurance, or compliance purposes.
  • Business transaction recipients: in connection with an actual or prospective merger, financing, acquisition, reorganization, bankruptcy, or sale of assets, subject to applicable law and appropriate protections.
  • Authorities or required recipients: where we believe disclosure is necessary to comply with law, legal process, professional obligations, safety obligations, or to protect rights, safety, security, and integrity.

7. Creators and creator dashboards

Creators are not Clinical Partners merely because they operate storefronts or create content on CareCore. Creator access to information is limited by role, purpose, and need.

By default, creator dashboards show only minimum-necessary information, such as aggregate performance metrics, non-health order status, attribution, payout status, and support-safe contact or transaction information where needed.

Creator access to identifiable Consumer Health Data requires:

  • Explicit consumer consent or another legally appropriate basis.
  • A documented purpose tied to a requested Service function.
  • Role-based access controls.
  • Audit logging.
  • Contractual restrictions on reuse, export, targeting, downstream disclosure, sale, and independent health profiling.
  • Prohibitions on using Consumer Health Data for clinical referral fees, prescribing incentives, patient steering, or health-condition targeting outside the approved workflow.

8. Sale of Consumer Health Data

We do not sell Consumer Health Data unless CareCore first obtains a separate written authorization that satisfies applicable law. “Sale” may be defined broadly under some laws and may include exchanges of Consumer Health Data for monetary or other valuable consideration.

9. Your Consumer Health Data rights

Depending on where you live and how you interact with the Service, you may have the right to:

  • Confirm whether we collect, share, or sell your Consumer Health Data.
  • Access or receive a copy of your Consumer Health Data.
  • Receive a list of categories of third parties or specific third parties with whom Consumer Health Data has been shared or sold, where required by law.
  • Withdraw consent for certain collection, use, or sharing of Consumer Health Data.
  • Request deletion of Consumer Health Data, subject to legal, safety, transactional, clinical, tax, accounting, dispute, or compliance exceptions.
  • Appeal a denial of a rights request, where required by law.

To exercise rights, contact legal@carecore.io. We may need to verify your request before fulfilling it. We will respond within the time required by applicable law.

10. Deletion, withdrawal, and propagation

If you request deletion or withdraw consent, CareCore will evaluate the request and, where required, take reasonable steps to delete applicable Consumer Health Data from active systems and instruct relevant service providers/processors to delete or restrict the data, subject to legal exceptions.

Some data may be retained where necessary for:

  • Completing transactions you requested.
  • Clinical, pharmacy, laboratory, or professional obligations handled by Clinical Partners.
  • Legal, tax, accounting, fraud-prevention, security, safety, dispute, regulatory, or audit obligations.
  • Exercising or defending legal claims.
  • Maintaining de-identified, aggregated, or anonymized information.

11. Security

We use administrative, technical, and organizational measures designed to protect Consumer Health Data. No system is perfectly secure. Access to Consumer Health Data is limited to personnel, service providers, Clinical Partners, creators, or other recipients with a legitimate need and appropriate restrictions.

12. Children and minors

CareCore is not intended for children under 18 years old. CareCore does not knowingly collect Consumer Health Data from children without any consent required by law.

13. Changes to this Policy

We may update this Policy from time to time. The updated Policy will be posted with a new effective date. If required by law, we will provide additional notice or obtain additional consent.

14. Contact

Care Core, Inc. Email: legal@carecore.io Mail: 6704 Myrtle Ave, #1514, Glendale, NY 11385