PRIVACY POLICY
Paloma Health (Butterfly Technologies, Inc.)
palomahealth.com | app.palomahealth.com
Last Updated: 03/26/2026
1. Introduction
Butterfly Health, Inc., doing business as Paloma Health ("Paloma Health," "we," "us," or "our"), respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect information when you visit or use our website at palomahealth.com, our patient portal at app.palomahealth.com, our mobile application, and any related services (collectively, the "Services").
This Privacy Policy also covers pages and features through which one or more affiliated medical practice entities (collectively, "The Medical Practice") offer health or healthcare-related products and services.
By using our Services, you acknowledge that you have read and understand this Privacy Policy. If you do not agree, please discontinue use of the Services.
2. Information We Collect
2.1 Information You Provide
We collect information you voluntarily provide, including:
- Account information: name, email address, phone number, date of birth, gender, username, and password
- Health information: medical history, questionnaire responses, lab results, prescription information, and other health data provided through The Medical Practice pages (subject to our HIPAA Notice of Privacy Practices)
- Payment information: billing address, credit card or debit card number, and related payment details processed through our third-party payment processor, Stripe
- Communications: messages, feedback, support requests, and any other content you send to us
- Referral information: names and contact information of individuals you refer to us
- Form submissions: information submitted through embedded forms powered by Typeform and Jotform (HIPAA-compliant), including intake questionnaires, scheduling requests, and feedback surveys
2.2 Information Collected Automatically
When you use our Services, we and our third-party partners automatically collect certain information, including:
- Device and browser information: IP address, device type, operating system, browser type, screen resolution, and unique device identifiers
- Usage data: pages visited, links clicked, time spent on pages, referring and exit URLs, and interaction patterns
- Location data: approximate location based on IP address; precise geolocation only with your express consent on mobile devices
- Cookie and tracking data: information collected through cookies, pixels, web beacons, scripts, and similar technologies (see Section 7 below)
2.3 Information from Third Parties
We may receive information about you from third-party sources, including social media platforms (when you interact with our content or log in via a social account), analytics providers, advertising partners, and healthcare partners.
3. Tracking Technologies We Use
We use the following specific tracking technologies on our Services. Each is subject to our cookie consent mechanism described in Section 7.
3.1 Analytics
- Google Analytics (via Google Tag Manager): We use Google Analytics (measurement ID: G-WX9WREPQNF) through Google Tag Manager (container: GTM-5BL27MV) to measure website traffic, user behavior, and conversion events. Google may collect your IP address, browser information, and interaction data. Google's privacy policy: policies.google.com/privacy
- Segment (by Twilio): We use Segment to collect and route analytics data across our platforms. Segment processes usage data, device information, and interaction events. Twilio's privacy policy: twilio.com/legal/privacy
- Amplitude: We use Amplitude on both palomahealth.com and app.palomahealth.com to analyze product usage, user behavior, and feature engagement. Amplitude may collect device information, usage patterns, and interaction data. Amplitude's privacy policy: amplitude.com/privacy
- Mixpanel: We use Mixpanel on both palomahealth.com and app.palomahealth.com for product analytics, event tracking, and user journey analysis. Mixpanel may collect device data, interaction events, and behavioral patterns. Mixpanel's privacy policy: mixpanel.com/legal/privacy-policy
3.2 Advertising and Remarketing
- Meta Pixel (Facebook Pixel): We use the Meta Pixel to measure the effectiveness of our advertising on Meta platforms (Facebook, Instagram), to create custom audiences for ad targeting, and to track conversion events. The Meta Pixel may collect your IP address, browser information, page URL, and actions you take on our site. This data is transmitted to Meta Platforms, Inc. and may be used by Meta to serve you targeted advertisements. Meta's privacy policy: facebook.com/privacy/policy
- Google Ads: We use Google Ads conversion tracking (account: AW-794281822) to measure the effectiveness of our advertising campaigns. Google may receive information about your interactions with our ads and website. Google's privacy policy: policies.google.com/privacy
- LinkedIn Insight Tag: We use the LinkedIn Insight Tag to measure campaign performance, retarget website visitors, and gain insights about our audience. LinkedIn may collect your IP address, device and browser information, and page interactions. LinkedIn's privacy policy: linkedin.com/legal/privacy-policy
- Bing Ads (Microsoft Advertising): We use Bing Ads conversion tracking (loaded through Segment) to measure the effectiveness of our advertising campaigns on Microsoft's advertising network. Microsoft may receive information about your interactions with our ads and website. Microsoft's privacy policy: privacy.microsoft.com
3.3 Communication and Engagement
- Klaviyo: We use Klaviyo for email marketing and customer communications. Klaviyo may collect your email address, interaction data, and browsing behavior on our site. Klaviyo's privacy policy: klaviyo.com/legal/privacy
- Chatbase: We use Chatbase to provide automated chat support on our website. Chatbase may collect your chat messages and interaction data.
3.4 Embedded Content and Forms
- Typeform: We use Typeform to power embedded forms, surveys, and intake questionnaires on our website. Typeform may collect your responses, IP address, and browser information. Typeform's privacy policy: typeform.com/privacy-policy
- Jotform (HIPAA-compliant): We use Jotform to collect information through embedded forms, including health-related data. Our Jotform account is configured for HIPAA compliance with a signed Business Associate Agreement. Jotform's privacy policy: jotform.com/privacy
- YouTube (privacy-enhanced mode): We embed YouTube videos using YouTube's privacy-enhanced mode (youtube-nocookie.com), which limits data collection until you interact with the video player. YouTube (Google) may collect your IP address and viewing data when you play a video. Google's privacy policy: policies.google.com/privacy
- Vimeo: We embed Vimeo videos for educational and informational content. Vimeo may collect your IP address and viewing data when you play a video. Vimeo's privacy policy: vimeo.com/privacy
- Self-hosted video content: Certain video content on our site is hosted on our own infrastructure and does not involve third-party tracking or data collection.
3.5 Community Platform
- Circle: We use Circle to operate our patient community at community.palomahealth.com. Circle operates as a CNAME subdomain and manages its own GDPR and CCPA compliance independently. Circle may collect account information, community interactions, and usage data. Circle's privacy policy: circle.so/privacy
3.6 How These Technologies Work
These tools operate by placing small pieces of code (pixels, scripts, or tags) on our website that collect and transmit data to the respective third-party platforms. This data may include your IP address, browser fingerprint, pages visited, actions taken (such as form submissions, button clicks, or purchases), and the content you view, including health-related page content.
For healthcare-related pages: We take additional steps to limit the data transmitted by tracking technologies on pages where users may be browsing sensitive health information. However, because tracking pixels can capture URL paths and page metadata, visiting health-condition-specific pages on our site may result in that browsing activity being associated with your device or profile by third-party advertising platforms.
4. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Services
- Process transactions and send related communications
- Facilitate telehealth consultations, lab test orders, prescription fulfillment, and other healthcare services
- Send you marketing communications (with your consent or as permitted by law)
- Personalize your experience and deliver relevant content and advertisements
- Measure advertising effectiveness and optimize campaigns
- Analyze usage patterns and improve our website and products
- Detect, prevent, and address fraud, security issues, and technical problems
- Comply with legal obligations, including healthcare regulations
- Enforce our Terms of Service and protect our rights
5. How We Share Your Information
We may share your information with the following categories of recipients:
- The Medical Practice and healthcare providers: Employed or contracted physicians, nurses, nutritionists, and other providers who deliver care through our platform, subject to our HIPAA Notice of Privacy Practices
- Service providers: Companies that help us operate our business, including web hosting, payment processing (Stripe), email delivery (Klaviyo), form processing (Typeform, Jotform), customer support, community management (Circle), and data analytics (Segment, Amplitude, Mixpanel)
- Advertising and analytics partners: Third-party platforms (Meta, Google, LinkedIn, Microsoft) that receive data through the tracking technologies described in Section 3, for purposes of ad targeting, measurement, and optimization
- Pharmacies and lab partners: To fulfill prescription orders and lab test requests
- Professional advisors: Attorneys, accountants, and other advisors as needed
- Legal and regulatory: When required by law, regulation, legal process, or governmental request
- Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets
- With your consent: When you direct us to share your information
We do not sell your personal information in exchange for monetary consideration. However, sharing data with advertising partners through tracking technologies may constitute a "sale" or "sharing" under certain state privacy laws (see Section 8).
6. Data Retention
We retain your personal information for as long as necessary to provide our Services, comply with legal obligations (including healthcare record retention requirements), resolve disputes, and enforce our agreements. When personal information is no longer needed for these purposes, we securely delete or de-identify it.
Healthcare records are retained in accordance with applicable federal and state medical record retention laws.
7. Cookie Consent and Your Choices
7.1 Our Consent Mechanism
We use a cookie consent banner powered by Finsweet Consent Pro to give you control over tracking technologies on our site. Our consent mechanism operates as follows:
- Essential cookies (such as those required for site functionality, embedded forms, and our chat support) load automatically and are necessary for the site to function.
- For visitors in California and the European Union: Marketing and analytics cookies are blocked by default. These cookies will only load after you affirmatively opt in through our cookie consent banner (opt-in model).
- For visitors in other U.S. states: Marketing and analytics cookies are active by default but you may opt out at any time using our cookie consent banner or by clicking "Cookie Settings" in the footer of any page (opt-out model).
- Marketing and analytics cookies subject to consent include: Meta Pixel, Google Ads, Google Analytics, Segment, Amplitude, Mixpanel, Bing Ads, LinkedIn Insight Tag, and Klaviyo tracking.
- When you decline or opt out, the associated tracking scripts are blocked from loading and no further data is transmitted to those third parties from your browser.
7.2 Cross-Subdomain Consent
Your consent preferences are shared between palomahealth.com and app.palomahealth.com, so you only need to set your preferences once.
7.3 Browser Controls
Most web browsers allow you to manage cookies through browser settings. You can typically set your browser to refuse cookies, delete cookies, or alert you when cookies are being sent. Note that disabling cookies may affect the functionality of our Services.
7.4 Do Not Track
Our Services do not currently respond to "Do Not Track" browser signals, as there is no industry-standard protocol for this. However, you can manage your tracking preferences through our cookie consent banner as described above.
8. Your Privacy Rights
8.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
- Right to Opt Out of Sale/Sharing: You may opt out of the "sale" or "sharing" of your personal information. Because our use of tracking technologies described in Section 3 may constitute "sharing" under the CPRA, you can exercise this right by opting out of marketing cookies via our cookie consent banner or by clicking "Cookie Settings" in our website footer.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to purposes necessary to provide the Services.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
To exercise these rights, contact us at privacy@palomahealth.com with the subject line "California Privacy Rights Request," or call us at 434-248-7508.
We will verify your identity before processing your request. We will respond within 45 days, with the possibility of a 45-day extension if necessary.
8.1.1 CCPA Disclosure Categories
A. Identifiers
- Examples: Name, email address, phone number, mailing address, date of birth, username, password, IP address, unique device identifiers
- Sources: Directly from you (account registration, forms); automatically (device/browser data); Typeform and Jotform submissions
- Business Purpose: Provide and maintain Services; account creation and authentication; communications and customer support; process transactions
- Third Parties Receiving: The Medical Practice (healthcare providers), Stripe (payment processing), Klaviyo (email marketing), Typeform, Jotform (form processing), Circle (community platform)
- Sold? No
- Shared? Yes — identifiers (e.g., IP address, device IDs) are transmitted to Meta, Google, LinkedIn, and Microsoft through tracking pixels for advertising purposes
B. Personal Records (Cal. Civ. Code § 1798.80(e))
- Examples: Name, address, telephone number, credit/debit card number, billing information, health insurance information
- Sources: Directly from you (account registration, payment, intake forms)
- Business Purpose: Process payments and transactions; facilitate healthcare services; insurance verification; billing and fulfillment
- Third Parties Receiving: Stripe (payment processing), The Medical Practice, Pharmacies and lab partners, Jotform (HIPAA-compliant forms)
- Sold? No
- Shared? No
C. Protected Classifications
- Examples: Gender, date of birth, medical conditions (thyroid-related health information)
- Sources: Directly from you (intake questionnaires, health forms)
- Business Purpose: Provide healthcare services; personalize treatment recommendations
- Third Parties Receiving: The Medical Practice (healthcare providers), Pharmacies and lab partners
- Sold? No
- Shared? No
D. Commercial Information
- Examples: Membership/subscription records, purchase history, lab test orders, prescription records
- Sources: Directly from you (transactions); generated through use of Services
- Business Purpose: Fulfill orders and subscriptions; process payments; improve Services
- Third Parties Receiving: Stripe (payment processing), Pharmacies and lab partners, The Medical Practice
- Sold? No
- Shared? No
F. Internet / Electronic Network Activity
- Examples: Browsing history, pages visited, links clicked, search terms, time on page, referring/exit URLs, interaction patterns, form submissions, button clicks
- Sources: Automatically via cookies, pixels, and tracking scripts
- Business Purpose: Analyze usage patterns and improve Services; measure advertising effectiveness; personalize content; detect fraud and security issues
- Third Parties Receiving: Google Analytics / GTM (analytics), Segment (analytics routing), Amplitude (product analytics), Mixpanel (product analytics), Meta Pixel (advertising), Google Ads (advertising), LinkedIn Insight Tag (advertising), Bing Ads via Segment (advertising), Klaviyo (email marketing), Chatbase (chat support)
- Sold? No
- Shared? Yes — browsing activity, interaction data, and page URLs are transmitted to Meta, Google, LinkedIn, and Microsoft through tracking technologies for targeted advertising and campaign measurement
G. Geolocation Data
- Examples: Approximate location from IP address; precise geolocation on mobile (with consent)
- Sources: Automatically (IP-based); with consent (mobile GPS)
- Business Purpose: Comply with geographic consent requirements (opt-in for CA/EU); deliver location-relevant content; analytics and fraud prevention
- Third Parties Receiving: Google Analytics (analytics), Meta Pixel (advertising), Google Ads (advertising)
- Sold? No
- Shared? Yes — approximate geolocation (from IP) may be transmitted through tracking pixels to advertising platforms
H. Sensory Data
- Examples: Chat messages and inputs to automated chatbot
- Sources: Directly from you (chat interactions)
- Business Purpose: Provide automated chat support; improve chat quality
- Third Parties Receiving: Chatbase (chat support provider)
- Sold? No
- Shared? No
I. Professional / Employment Information
- Examples: Not actively collected through our Services
- Sources: N/A
- Business Purpose: N/A
- Third Parties Receiving: N/A
- Sold? No
- Shared? No
K. Inferences
- Examples: Health interests inferred from pages viewed (e.g., hypothyroidism, thyroid testing), predicted user preferences, engagement scores, conversion likelihood
- Sources: Generated from browsing activity and interaction data
- Business Purpose: Personalize experience; optimize advertising campaigns; improve Services
- Third Parties Receiving: Meta (advertising lookalike/custom audiences), Google (advertising audiences), Amplitude, Mixpanel (product analytics)
- Sold? No
- Shared? Yes — inferences derived from browsing behavior may be created by Meta and Google based on tracking data transmitted through their pixels
L. Sensitive Personal Information
- Examples: Health information (medical history, lab results including thyroid panels/TSH/T3/T4/antibodies, prescriptions, diagnosis information, questionnaire responses), clinical vitals (height, weight, BMI, blood pressure, heart rate, temperature), reproductive and hormonal data (menstrual cycle, menopause status, fertility data, hormone levels), insurance and claims information, precise geolocation (mobile, with consent)
- Sources: Directly from you (health intake forms, consultations, questionnaires); The Medical Practice (treatment records, clinical encounters); Labs and pharmacies (lab results, prescription records); Jotform (HIPAA-compliant forms)
- Business Purpose: Provide telehealth and healthcare services; facilitate lab test orders and interpret results; fulfill prescriptions and coordinate care with pharmacies; process insurance claims and verify eligibility; subject to HIPAA Notice of Privacy Practices
- Third Parties Receiving: The Medical Practice (healthcare providers), Pharmacies and lab partners, Labs (lab test processing), Insurance companies (eligibility and claims), Jotform (HIPAA BAA in place)
- Sold? No
- Shared? No — sensitive health information is NOT transmitted through advertising pixels. However, browsing health-related page URLs may be captured by tracking technologies (see Section 3.6 of Privacy Policy)
Definitions and Notes
"Sold": Under the CPRA, "sale" means sharing personal information with a third party for monetary or other valuable consideration. Paloma Health does not sell personal information for monetary consideration.
"Shared": Under the CPRA, "sharing" means making personal information available to a third party for cross-context behavioral advertising, whether or not for monetary consideration. The use of advertising pixels (Meta Pixel, Google Ads, LinkedIn Insight Tag, Bing Ads) constitutes "sharing" under this definition.
Consent Mechanism
Paloma Health uses Finsweet Consent Pro to manage cookie consent:
California and EU visitors: Opt-in model. Marketing and analytics cookies are blocked by default until the visitor affirmatively consents.
Other U.S. visitors: Opt-out model. Marketing and analytics cookies are active by default; visitors may opt out at any time via the cookie banner or "Cookie Settings" footer link.
When a visitor opts out (or does not opt in), no data is transmitted to the advertising and analytics platforms listed in category F above.
8.2 Other State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain data processing. To exercise your rights, contact us at privacy@palomahealth.com.
8.3 California Invasion of Privacy Act (CIPA) Compliance
We are committed to complying with California's Invasion of Privacy Act. Our cookie consent mechanism provides California visitors with an opt-in model: no marketing or analytics tracking scripts load until the visitor affirmatively consents through our cookie banner. Visitors may withdraw consent at any time through the "Cookie Settings" link available in the footer of every page.
9. Health Information and HIPAA
Certain health information collected through our Services is protected under the Health Insurance Portability and Accountability Act (HIPAA) and applicable state health privacy laws. Our use and disclosure of protected health information (PHI) is governed by our separate HIPAA Notice of Privacy Practices, which is available at https://www.palomahealth.com/legal-doc/hipaa-privacy-policy.
Our cookie consent mechanism is configured so that advertising and analytics tracking technologies do not fire on our patient portal (app.palomahealth.com) without appropriate consent. Depending on the patient's state, we may use either an opt-in or opt-out approach to cookie consent, in accordance with applicable privacy laws. For example, in California and other states with stricter privacy requirements, visitors must affirmatively opt in before any marketing or analytics tracking scripts are activated. In other states, patients may be provided with an option to opt out of such technologies. This ensures compliance with state-specific privacy standards and protects patient preferences regarding data collection.
10. Consumer Health Data
Several U.S. states, including Washington (My Health My Data Act), Nevada, and Connecticut, have enacted laws that impose specific requirements on the collection, sharing, and deletion of "consumer health data." Consumer health data is broadly defined and may include information that identifies or is reasonably linkable to a consumer and relates to health conditions, treatments, or health-related browsing activity, even outside of HIPAA-covered interactions.
10.1 What Qualifies as Consumer Health Data on Our Services
Because Paloma Health provides thyroid-related healthcare services, certain information collected through our Services may constitute consumer health data under these laws. This includes:
- Browsing activity on health-related pages (e.g., pages about hypothyroidism, Hashimoto's, thyroid testing, or treatment options)
- Interactions with health-related content, even if you have not created an account or become a patient
- Lab results, diagnoses, medications, treatment history, and symptoms provided through our platform
- Biometric and reproductive data such as height, weight, BMI, menstrual cycle, menopause status, and hormonal data
- Inferred or derived data generated through analytics, such as engagement levels or patterns in lab results
10.2 How We Handle Consumer Health Data
We collect and use consumer health data for the purposes described in Section 4 of this Privacy Policy and in our Consumer Health Data Privacy Policy. We do not sell consumer health data without your consent.
We may share consumer health data with the categories of recipients described in Section 5, including healthcare providers, labs and pharmacies, insurance companies, and service providers operating under contracts with confidentiality obligations. We may also use or share de-identified or aggregated data (which cannot reasonably be linked back to you) for analytics, research, or service improvement.
10.3 Consent for Tracking Technologies
For visitors in California, Washington, and the European Union, our opt-in cookie consent mechanism (described in Section 7.1) requires affirmative consent before any marketing or analytics tracking scripts load. This means that health-related browsing activity on our site is not transmitted to third-party advertising platforms unless you have opted in.
For visitors in other U.S. states, marketing and analytics cookies are active by default under an opt-out model. You may opt out at any time using our cookie banner or the "Cookie Settings" link in the footer of any page.
10.4 Your Rights Regarding Consumer Health Data
Depending on your state of residence, you may have the right to:
- Access the consumer health data we hold about you
- Correct inaccuracies in your consumer health data
- Delete your consumer health data, subject to medical and legal recordkeeping obligations
- Withdraw consent for certain uses of your consumer health data
- Request a portable copy of your consumer health data in a usable format
- Appeal a denied rights request
To exercise these rights, contact us at privacy@palomahealth.com.
10.5 Consumer Health Data Privacy Policy
For a complete description of how we collect, use, share, and protect consumer health data, please see our standalone Consumer Health Data Privacy Policy. That policy supplements this Privacy Policy and our HIPAA Notice of Privacy Practices.
11. Children's Privacy
Our Services are intended for adults aged 18 and older. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@palomahealth.com.
12. Data Security
We implement administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, use, alteration, and disclosure. These measures include encryption of data in transit (SSL/TLS), access controls, and regular security assessments.
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
If you become aware of any unauthorized access to your account, please notify us immediately at privacy@palomahealth.com.
13. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services that are not operated by us, including our patient community hosted on Circle (community.palomahealth.com). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you interact with.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on our website with a new "Last Updated" date. For significant changes, we may also notify you by email or through a notice on our Services.
Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Paloma Health (Butterfly Health, Inc.)
386 Park Avenue South, 5th Floor
New York, NY 10016
Email: privacy@palomahealth.com
Phone: 434-248-7508
Fax: (213) 340-5870
For questions specifically about The Medical Practice or protected health information, please contact us at privacy@palomahealth.com with the subject line "Medical Practice --- Privacy Policy."