PRIVACY POLICY

Last Updated: April 5, 2026

This Privacy Policy describes how GetMedKits ("we," "us," or "our") collects, uses, discloses, retains, and protects personal information when you visit our website (getmedkits.us), use our services, or communicate with us by any means. This policy applies to all visitors, users, and patients regardless of geographic location within the United States, and is intended to comply with all applicable federal and state privacy laws including, without limitation, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Washington My Health My Data Act (MHMDA), the Texas Data Privacy and Security Act (TDPSA), and the comprehensive privacy laws of Colorado, Connecticut, Virginia, Oregon, Montana, Delaware, New Jersey, New Hampshire, Iowa, Indiana, Tennessee, Minnesota, Maryland, Nebraska, Kentucky, and Rhode Island.

We take the privacy and security of your personal and health information seriously. Please read this policy carefully. By using our website or services, you acknowledge that you have read and understood this policy. If you do not agree with our practices, do not use our website or services.

Our designated privacy contact is available at: [email protected]

- - - - - - - - - - - - - - - - - - - -

1. WHO THIS POLICY APPLIES TO

This policy applies to all individuals who visit getmedkits.us or any associated web pages, book or participate in consultations, submit intake forms or other health information, communicate with us by phone, text message, email, or online chat, receive prescriptions or medications through our service, or act as a caregiver or authorized representative on behalf of a patient.

- - - - - - - - - - - - - - - - - - - -

2. INFORMATION WE COLLECT

We collect the following categories of personal information. Where applicable, each category below corresponds to the categories enumerated in California Civil Code Section 1798.140(v).

A. Identifiers (CCPA Category A)

Full legal name, date of birth, age, gender, email address, phone number, mailing address, billing address, and shipping address.

B. California Customer Records (CCPA Category B)

Name, address, telephone number, and financial information (payment card data processed through secure third-party gateway).

C. Health and Medical Information (Sensitive Personal Information)

Health history, symptoms, medical diagnoses, current medications and supplements, current cancer treatments (chemotherapy, radiation, immunotherapy, hormonal therapy, targeted therapy), consultation notes, treatment plans, prescription records, and any health-related information you voluntarily provide in free-text form fields on our website (such as the "health goal" field on our booking page). Health information constitutes "sensitive personal information" under the CCPA/CPRA, "sensitive data" under the TDPSA, CPA, CTDPA, VCDPA, and other state laws, and "consumer health data" under Washington's MHMDA.

D. Financial and Transaction Data (CCPA Category D)

Payment card information (processed through our third-party payment processor; we do not store full card numbers on our servers), purchase and transaction history, refund and chargeback records, and billing records.

E. Internet or Network Activity (CCPA Category F)

IP address, browser type and version, operating system, device identifiers, pages visited on our website, time spent on pages, referring URLs, click behavior, cookie identifiers, pixel data, and advertising identifiers collected by analytics and advertising tools deployed on our website (see Section 7, "Tracking Technologies," below).

F. Geolocation Data (CCPA Category G)

Approximate geographic location inferred from your IP address. We do not collect precise GPS-based geolocation data.

G. Sensory Data (CCPA Category H)

Audio recordings of telephone calls placed to or received from our business phone number. Calls may be recorded for quality assurance, training, treatment documentation, and compliance purposes (see Section 9, "Call Recording," below).

H. Inferences (CCPA Category K)

Inferences drawn from any of the above categories to create a profile reflecting your preferences, health characteristics, or service needs.

I. Communication Data

Text messages (SMS/MMS) sent to or from our business number (346-220-0227), email correspondence, feedback, reviews, survey responses, and support communications.

- - - - - - - - - - - - - - - - - - - -

3. SOURCES OF PERSONAL INFORMATION

We collect personal information directly from you (when you submit forms, communicate with us, or use our website), from your authorized representatives or caregivers, from our technology platforms (CRM, payment processor, advertising and analytics tools), from our healthcare provider partners (independently licensed physicians and physician networks), and from our pharmacy partner (licensed U.S. compounding pharmacy).

- - - - - - - - - - - - - - - - - - - -

4. HOW WE USE YOUR INFORMATION

We use the information we collect for the following business and commercial purposes:

Providing and coordinating telehealth services, including connecting you with independently licensed healthcare providers.

Facilitating independent physician review of your intake and clinical information.

Processing and fulfilling prescriptions through licensed compounding pharmacies.

Processing payments, issuing refunds, and managing billing and accounting.

Communicating with you about appointments, prescriptions, shipping, and support inquiries.

Sending service-related notifications including appointment reminders, shipping updates, and prescription status.

Measuring advertising effectiveness and optimizing marketing campaigns through Meta Pixel and Google Analytics.

Improving our website, services, and user experience.

Detecting and preventing fraud, unauthorized access, and misuse of our services.

Complying with legal, regulatory, licensing, and tax obligations.

Responding to lawful requests from government authorities, law enforcement, and courts.

Enforcing our Terms of Service and protecting our legal rights.

- - - - - - - - - - - - - - - - - - - -

5. HOW WE SHARE YOUR INFORMATION

We disclose personal information to the following categories of third parties for the purposes described below. We do not sell your personal information for monetary consideration. See Section 12 ("State-Specific Privacy Rights") for how "sale" and "sharing" are defined under applicable state laws.

Licensed Healthcare Providers: We share your health and personal information with the independently licensed physicians and nurse practitioners who review your intake and make prescribing decisions. This sharing is necessary to provide the medical services you requested. These providers exercise independent clinical judgment and are not employees of GetMedKits.

Compounding Pharmacies: When a physician writes a prescription, your name, address, prescription details, and relevant health information are shared with the dispensing pharmacy to prepare and ship your medications. The pharmacy is a licensed U.S. compounding pharmacy that operates independently and is solely responsible for compounding quality and dispensing compliance.

Payment Processor: Payments are processed over the phone through our third-party payment processor's invoicing system. Your payment card information is transmitted directly to the payment processor during the call. We do not store full credit card numbers on our servers. The payment processor may collect transaction data and device information in connection with its fraud prevention services.

Customer Relationship Management Platform: We use a HIPAA-compliant CRM and communications platform to process your name, contact information, appointment data, form submissions, call recordings, text messages, and communication history. We have executed a Business Associate Agreement (BAA) with our CRM provider, and the HIPAA compliance features are active on our account.

Advertising and Analytics Platforms (Meta Platforms, Inc. and Google LLC): We use Meta Pixel and Google Analytics on certain pages of our website for measuring advertising performance and optimizing our marketing campaigns. See Section 7 ("Tracking Technologies") for complete details on what data these tools collect and how to opt out.

Shipping Carriers: Your name and shipping address are shared with our shipping carrier to deliver your medications. Carrier and shipping method may vary.

Legal Authorities: We may disclose your information when required by law, subpoena, court order, or government investigation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to prevent illegal activity.

Business Transfers: In the event of a merger, acquisition, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred as part of the transaction. We will notify you of any such change by updating this policy or by direct communication.

With Your Explicit Consent: We may share your information for any other purpose with your express, informed consent.

- - - - - - - - - - - - - - - - - - - -

6. CATEGORIES OF PERSONAL INFORMATION DISCLOSED IN THE PRECEDING TWELVE MONTHS

In the preceding twelve months, we have disclosed the following categories of personal information for business purposes:

Identifiers (name, email, phone, address) disclosed to: healthcare providers, pharmacy, payment processor, CRM platform, shipping carriers.

Health and medical information disclosed to: healthcare providers, pharmacy, CRM platform.

Financial and transaction data disclosed to: payment processor.

Internet or network activity (page views, clicks, IP address, cookies) disclosed to: Meta Platforms, Inc. (via Meta Pixel) and Google LLC (via Google Analytics).

Sensory data (call recordings) disclosed to: CRM platform.

We have not sold personal information for monetary consideration in the preceding twelve months. Our use of Meta Pixel may constitute "sharing" of personal information for cross-context behavioral advertising purposes as defined under the CCPA/CPRA (see Section 12).

- - - - - - - - - - - - - - - - - - - -

7. TRACKING TECHNOLOGIES

A. Cookies

We use cookies (small text files stored on your device) to maintain session state, remember preferences, and analyze website usage. You can control cookies through your browser settings. Disabling cookies may limit certain website functionality.

B. Meta Pixel (Facebook Pixel)

We use Meta Pixel (Pixel ID: 283112507743262) on our landing page (getmedkits.us/start), booking page (getmedkits.us/start-booking-page), and thank-you page. Meta Pixel is NOT installed on our patient intake form or any page where clinical health information (diagnoses, medications, health history) is submitted. Meta Pixel collects the following data on the pages where it is installed: pages visited, page view events, button clicks, IP address, browser type and version, operating system, device identifiers, referring URLs, and Facebook cookie identifiers (fbp, fbc). Meta Pixel does NOT collect the content of free-text form fields on our booking page through our implementation. We do NOT use Meta's Automatic Advanced Matching feature. All Advanced Matching parameters (email address, phone number, first name and surname, gender, location, country, date of birth, and external ID) are disabled. We do NOT use Meta's "Track events automatically without code" feature. We do NOT configure custom events with health-indicating names or descriptors. Meta uses the data it receives to measure ad performance, build advertising audiences, and optimize ad delivery in accordance with Meta's own data policies. Data transmitted to Meta may be used by Meta for its own purposes as described in Meta's Privacy Policy (facebook.com/privacy/policy). To opt out of Meta's advertising tracking, visit facebook.com/adpreferences.

C. Meta Conversions API (CAPI)

We use Meta's server-side Conversions API to send certain event data (such as scheduling confirmations and purchase confirmations) from our server to Meta for conversion tracking and ad optimization. CAPI data is sent server-side and is not blocked by browser-based ad blockers. CAPI events are deduplicated with browser pixel events to avoid double-counting. The data transmitted via CAPI includes event type, event time, and hashed or anonymized identifiers as configured in our server-side workflows.

D. Google Analytics

We use Google Analytics to understand how visitors interact with our website. Google Analytics collects pages visited, session duration, bounce rate, traffic source, browser and device information, and approximate geographic location based on IP address. Google may use this data in accordance with Google's Privacy Policy. We do not enable Google Analytics Advertising or Remarketing features in connection with health-related data. For information about how Google uses data, visit google.com/policies/privacy/partners. To opt out of Google Analytics, install the Google Analytics Opt-Out Browser Add-on at tools.google.com/dlpage/gaoptout.

E. Payment Processing

We use a third-party payment processor for payment processing. Payments are processed over the phone through our payment processor's invoicing system, not through our website. No payment processing tools are installed on or embedded in our website. Our payment processor may collect transaction data and device information in connection with its fraud prevention services.

F. How to Opt Out of Tracking

You can control cookies through your browser settings. You can opt out of Meta's advertising tracking at facebook.com/adpreferences. You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on at tools.google.com/dlpage/gaoptout. If your browser or device sends a Global Privacy Control (GPC) signal or similar universal opt-out preference signal, we will honor that signal as a valid opt-out request for the sale or sharing of your personal information and for targeted advertising, as required by applicable state law (see Section 11, "Global Privacy Control").

- - - - - - - - - - - - - - - - - - - -

8. DATA RETENTION

We retain personal information only as long as reasonably necessary for the purposes described in this policy, subject to the following minimum retention periods:

Active patient records (health history, prescriptions, intake forms): retained while your account is active and for a minimum of seven (7) years from the date of your last service, consistent with HIPAA requirements and applicable state medical records retention laws (whichever is longer).

Financial and transaction records: retained for a minimum of seven (7) years for tax, accounting, and regulatory compliance.

Marketing and analytics data (cookie data, pixel data, website usage logs): retained for up to twenty-four (24) months from the date of collection, unless you request earlier deletion. Meta Pixel data is retained by Meta for up to 180 days. Google Analytics data is retained for up to 26 months.

Communication records (call recordings, text messages, emails): retained for up to three (3) years from the date of the communication.

If longer retention is required by applicable law, regulation, legal hold, or active legal proceeding, we will retain the applicable data for the required period.

You may request deletion of your personal information subject to the exceptions described in Section 10. Certain data, including medical records, prescription records, and transaction records, cannot be deleted where retention is required by law.

- - - - - - - - - - - - - - - - - - - -

9. CALL RECORDING AND TELEPHONE COMMUNICATIONS

We record telephone calls placed to and received from our business phone number for quality assurance, staff training, treatment documentation, dispute resolution, and regulatory compliance purposes. Calls are recorded through our HIPAA-compliant CRM platform. Call recordings containing protected health information (PHI) are treated as electronic PHI (ePHI) under the HIPAA Security Rule and are subject to encryption, access controls, and audit trail requirements under our Business Associate Agreement with our CRM provider.

Twelve states require all-party consent before recording a telephone call: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. If you are located in any of these states, you will hear a verbal disclosure at the beginning of your call that the call may be recorded. By continuing the call after hearing this disclosure, you consent to the recording. If you do not consent to recording, you may request that the call not be recorded or you may end the call.

We retain call recordings for up to three (3) years. Access to call recordings is restricted to authorized personnel on a need-to-know basis.

- - - - - - - - - - - - - - - - - - - -

10. YOUR PRIVACY RIGHTS

Depending on your state of residence, you may have some or all of the following rights regarding your personal information:

Right to Know / Access: Request the specific pieces of personal information we have collected about you, the categories of information collected, the sources, the business purposes, and the categories of third parties with whom we have shared your information.

Right to Correction: Request that we correct inaccurate personal information we maintain about you.

Right to Deletion: Request that we delete personal information we have collected from you, subject to legal retention requirements and other exceptions permitted by law.

Right to Data Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format that can be transmitted to another entity.

Right to Opt Out of Sale/Sharing: Request that we stop selling or sharing your personal information for targeted advertising purposes. Our use of Meta Pixel may constitute "sharing" under the CCPA/CPRA. You may opt out by using Global Privacy Control (see Section 11), by contacting us, or by adjusting your browser and Meta advertising settings.

Right to Limit Use of Sensitive Personal Information: Request that we limit the use and disclosure of your sensitive personal information (including health information) to what is necessary to provide the services you requested.

Right to Opt Out of Targeted Advertising: Request that we stop processing your personal data for targeted advertising.

Right to Opt Out of Profiling: Request that we stop profiling you in furtherance of decisions that produce legal or similarly significant effects.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights, including by denying services, charging different prices, or providing a different quality of service.

Right to Appeal: If we deny your privacy request, you have the right to appeal our decision. To submit an appeal, email [email protected] with the subject line "Privacy Rights Appeal." We will respond to your appeal within the time required by applicable law (typically 45-60 days). If your appeal is denied, we will provide information about how to contact your state Attorney General to submit a complaint.

Authorized Agents: You may designate an authorized agent to submit privacy requests on your behalf. We may require the authorized agent to provide signed written permission from you, a valid power of attorney, or other documentation sufficient to verify the agent's authority. We may also contact you directly to verify the request.

When We May Deny or Limit a Privacy Request:

We may deny or limit a privacy request in whole or in part if: (a) we cannot verify the identity of the person making the request after reasonable efforts to do so; (b) the request is manifestly unfounded, excessive, or repetitive; (c) the information requested is not readily retrievable and the burden or cost of providing it would be disproportionate to the nature of the request; (d) fulfilling the request would compromise the privacy, confidentiality, or safety of another individual; (e) retention or non-disclosure of the information is required or permitted by applicable law, including but not limited to HIPAA medical records retention requirements, state medical records retention laws, tax and financial recordkeeping obligations, and active legal holds; (f) the information is needed to complete a transaction or provide a service you requested; (g) the information is needed to detect, investigate, or prevent fraud or illegal activity; or (h) an applicable legal exemption under federal or state law permits denial. Where a request is denied in whole or in part, we will provide the specific reason for the denial in writing and inform you of your right to appeal the decision. To protect vulnerable populations, we reserve the right to verify communications, including with your healthcare provider, before taking action on any request.

How to Submit a Request:

To exercise any privacy right, contact us using any of the following methods:

Email: [email protected]

Phone: +1 (346) 220-0227

Mail: GetMedKits, 4523 Marilee Chris Ct, Sugar Land, TX 77479

We will acknowledge your request within ten (10) business days and respond within forty-five (45) days. If we require additional time (up to 45 additional days), we will notify you of the extension and the reason. We may ask you to verify your identity before fulfilling your request.

- - - - - - - - - - - - - - - - - - - -

11. GLOBAL PRIVACY CONTROL (GPC) AND UNIVERSAL OPT-OUT

We recognize and honor the Global Privacy Control (GPC) signal as a valid universal opt-out preference signal. If your browser or device transmits a GPC signal when you visit our website, we will treat it as a request to opt out of the sale or sharing of your personal information for cross-context behavioral advertising and targeted advertising, as required by applicable law in California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, and any other state that mandates recognition of universal opt-out mechanisms.

For information about enabling GPC in your browser, visit globalprivacycontrol.org.

We do not currently respond to Do Not Track (DNT) browser signals, as there is no industry-standard protocol for DNT. However, we do honor GPC signals as described above.

- - - - - - - - - - - - - - - - - - - -

12. STATE-SPECIFIC PRIVACY RIGHTS

California (CCPA/CPRA)

If you are a California resident, you have the rights described in Section 10 above, plus the following additional rights and disclosures. Under the CPRA, "sharing" includes disclosing personal information to a third party for cross-context behavioral advertising, even without monetary exchange. Our deployment of Meta Pixel may constitute "sharing" under this definition. You may opt out by using GPC, contacting us, or clicking the "Do Not Sell or Share My Personal Information" link on our website. We do not sell personal information for monetary consideration. In the preceding twelve (12) months, we have collected, used, and disclosed the categories of personal information listed in Section 2 and Section 6 of this policy for the purposes described in Section 4. Health information is classified as "sensitive personal information" under Section 1798.140(ae). You have the right to limit our use of your sensitive personal information to what is necessary to provide the services you requested. We do not use or disclose sensitive personal information for purposes other than those permitted under Section 1798.121. We do not offer financial incentives or price differences related to the collection, retention, or sale of personal information. We do not knowingly sell or share the personal information of consumers under 16 years of age.

Washington (My Health My Data Act)

If you are a Washington resident, your consumer health data is subject to the Washington My Health My Data Act (RCW 19.373). We maintain a separate, standalone Consumer Health Data Privacy Policy as required by MHMDA. This document is linked in the footer of our website under "Consumer Health Data Privacy Policy." The Consumer Health Data Privacy Policy describes the specific categories of consumer health data we collect, the purposes of collection, the categories of third parties and specific affiliates with whom consumer health data is shared, and how you may exercise your rights, including the right to withdraw consent and request deletion. We collect consumer health data only with your affirmative consent and use it only for the purposes disclosed in the Consumer Health Data Privacy Policy. We do not sell consumer health data. We do not engage in geofencing within 1,750 feet of any health facility for the purpose of collecting consumer health data or targeting advertising.

Texas (TDPSA)

If you are a Texas resident, you have the right to know whether we process your personal data, to access your personal data, to correct inaccuracies, to delete your personal data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Health data is classified as sensitive data under the TDPSA. We process health data only after obtaining your consent. We honor Global Privacy Control (GPC) signals as valid opt-out requests effective January 1, 2025. We do not sell your sensitive personal data. To exercise your rights, contact us using the methods listed in Section 10. If we deny your request, you may appeal by emailing [email protected] with the subject line "Privacy Rights Appeal."

Colorado (CPA)

If you are a Colorado resident, you have the right to opt out of targeted advertising, the sale of personal data, and profiling. We recognize GPC as a universal opt-out mechanism as required by the Colorado Attorney General. We obtain opt-in consent before processing sensitive data, including health data. We conduct data protection assessments for processing activities that present a heightened risk of harm, including targeted advertising and processing sensitive data.

Virginia (VCDPA)

If you are a Virginia resident, you have the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and profiling. If we deny your request, you may appeal within 30 days. If the appeal is denied, you may contact the Virginia Attorney General at oag.state.va.us.

Connecticut (CTDPA)

If you are a Connecticut resident, you have the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and profiling. We obtain opt-in consent before processing sensitive data. We honor GPC signals. Consumer health data (as defined by Connecticut SB 3) is subject to additional protections including opt-in consent with no entity-size threshold. For privacy inquiries, you may contact us at [email protected] (active electronic mail address as required by Connecticut law). We do not engage in geofencing within 1,750 feet of any mental health or health care facility.

Oregon (OCPA) and Minnesota (MCDPA)

If you are a resident of Oregon or Minnesota, you have all of the rights described in Section 10 above. In addition, you have the right to obtain the specific identities (not merely categories) of all third parties to whom we have disclosed your personal data. Upon verified request, we will provide you with the complete list of specific third parties by name. Minnesota residents may also request the name and contact information of our designated privacy-responsible individual ([email protected]). We honor GPC signals in both states. Oregon's universal opt-out requirement took effect January 1, 2026.

Maryland (MODPA)

If you are a Maryland resident, Maryland law prohibits the sale of sensitive data, including health data, regardless of consent. We do not sell your health data. Any data transmitted to advertising and analytics platforms (Meta, Google) is limited to non-health technical data (page views, clicks, device information, cookie identifiers) and does not include your health information, diagnoses, medical history, or prescription records. We comply with Maryland's data minimization standard, collecting only data that is reasonably necessary and proportionate to provide the specific services you requested. Maryland's enforcement period begins April 1, 2026.

Delaware, New Jersey, New Hampshire, Iowa, Indiana, Tennessee, Nebraska, Kentucky, Rhode Island, Montana, Nevada

If you are a resident of any of these states, you have rights under your state's comprehensive privacy law, which may include the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising and the sale of personal data. Health data is classified as sensitive data requiring affirmative consent before processing in most of these states. We honor GPC signals where mandated by your state's law. Rhode Island residents have the right to know all third parties to whom we have sold or may sell personally identifiable information. Nevada residents may submit opt-out-of-sale requests to [email protected]. To exercise any right, contact us using the methods listed in Section 10.

- - - - - - - - - - - - - - - - - - - -

13. HIPAA AND PROTECTED HEALTH INFORMATION

Certain health information collected through our service may constitute protected health information (PHI) governed by the Health Insurance Portability and Accountability Act (HIPAA). Our separate HIPAA Notice of Privacy Practices, available on our website, describes in detail how PHI is used and disclosed, your rights under HIPAA (including the right to access, amend, and receive an accounting of disclosures of your PHI), our breach notification obligations, and how to file a complaint. Where any conflict exists between this Privacy Policy and our HIPAA Notice of Privacy Practices regarding PHI, the HIPAA Notice of Privacy Practices controls.

This Privacy Policy addresses the broader collection and use of personal information that may not constitute PHI under HIPAA, including website browsing data, analytics data, marketing data, cookie data, and information collected outside the clinical encounter. We maintain Business Associate Agreements with applicable vendors that handle PHI, including our CRM and communications platform, our healthcare provider network, and our compounding pharmacy.

- - - - - - - - - - - - - - - - - - - -

14. SMS AND TEXT MESSAGE COMMUNICATIONS

We use text messaging (SMS/MMS) to communicate with you about appointments, prescriptions, shipping updates, and support inquiries through our HIPAA-compliant CRM platform. By providing your phone number and booking a consultation, you consent to receive service-related text messages from GetMedKits at the number you provided. Standard text messaging is not encrypted and carries a risk of interception. We will not send protected health information (PHI) via unencrypted SMS without first informing you of the risks and receiving your acknowledgment that you prefer text communication. You may request alternative communication methods (phone call or email) at any time by contacting us. You may opt out of text messages at any time by replying STOP to any message. Reply HELP for assistance. Message frequency varies. Message and data rates may apply. Consent to receive text messages is not a condition of purchasing any service or product from GetMedKits.

- - - - - - - - - - - - - - - - - - - -

15. EMAIL COMMUNICATIONS

We send transactional emails related to appointments, prescriptions, intake forms, shipping notifications, and customer support. We may also send informational or marketing emails if you have opted in. You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email or by contacting us. Transactional emails related to active services cannot be opted out of while services are active.

- - - - - - - - - - - - - - - - - - - -

16. DATA BREACH NOTIFICATION

In the event of a data breach involving your personal or health information, we will notify affected individuals in accordance with all applicable federal and state laws, including the FTC Health Breach Notification Rule (16 CFR Part 318), HIPAA breach notification requirements (45 CFR 164.400-414), and applicable state data breach notification statutes. Notifications will be provided within the timeframes required by applicable law (generally 60 days for federal requirements; state timelines vary). Notifications will describe the nature of the breach, the types of information involved, the steps we are taking in response, and what you can do to protect yourself. For breaches affecting 500 or more individuals, we will also notify the FTC and/or HHS as required.

- - - - - - - - - - - - - - - - - - - -

17. CHILDREN AND MINORS

Our services are primarily intended for individuals 18 years of age and older. In limited circumstances, a licensed physician may determine that prescribing medications to a patient under 18 is medically appropriate. In such cases, the parent or legal guardian must provide consent on behalf of the minor patient, and we will collect and process the minor's personal and health information only with verified parental or guardian consent and physician authorization. We do not knowingly collect personal information from children under 13 without verified parental consent as required by the Children's Online Privacy Protection Act (COPPA). We do not market or advertise our services to minors. If you believe we have collected information from a minor without appropriate parental consent, please contact us immediately at [email protected] and we will take appropriate action.

- - - - - - - - - - - - - - - - - - - -

18. GEOGRAPHIC SCOPE AND INTERNATIONAL ACCESS

Our services are intended solely for residents of the United States. We do not target or direct our services to individuals located outside the United States, including residents of the European Union, European Economic Area, United Kingdom, Canada, or any other jurisdiction outside the United States. Our website is in English only, prices are in US dollars, and we ship exclusively to US addresses. If you access our website from outside the United States, you do so at your own risk and are responsible for compliance with your local laws.

- - - - - - - - - - - - - - - - - - - -

19. THIRD-PARTY LINKS AND CONTENT

Our website may contain links to third-party websites, including research publications (PubMed, medical journals), pharmacy websites, provider credential verification pages, and other external resources. We do not control the content, privacy practices, or security of any third-party website. Inclusion of any link does not imply endorsement, affiliation, or sponsorship. We encourage you to review the privacy policy of every third-party website you visit.

- - - - - - - - - - - - - - - - - - - -

20. DATA SECURITY

We implement reasonable administrative, technical, and physical safeguards to protect your personal information, including: SSL/TLS encryption for all data transmitted to and from our website, secure hosting infrastructure, firewalls and intrusion detection, role-based access controls limiting data access to authorized personnel, HIPAA-compliant data handling and storage for protected health information, Business Associate Agreements with all vendors that process PHI, encryption of electronic protected health information (ePHI) at rest and in transit, and regular review of security practices.

No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your information using commercially reasonable measures, we cannot guarantee absolute security. If you have reason to believe your interaction with us is no longer secure, contact us immediately.

- - - - - - - - - - - - - - - - - - - -

21. DATA MINIMIZATION

We collect only the personal information that is reasonably necessary and proportionate to provide the specific services you have requested, to comply with legal obligations, and to pursue the legitimate business purposes described in this policy. We do not collect personal information for purposes unrelated to our telehealth services without your consent.

- - - - - - - - - - - - - - - - - - - -

22. DE-IDENTIFICATION

When we de-identify personal information (removing identifiers so the data can no longer reasonably be linked to you), we commit to maintaining de-identified data in de-identified form and will not attempt to re-identify it, except as permitted by law for purposes of determining whether our de-identification processes are effective.

- - - - - - - - - - - - - - - - - - - -

23. DO NOT SELL OR SHARE MY PERSONAL INFORMATION

We do not sell your personal information for monetary consideration. Our use of Meta Pixel may constitute "sharing" of personal information for cross-context behavioral advertising purposes under the CCPA/CPRA. To opt out:

Use a browser with Global Privacy Control (GPC) enabled (see globalprivacycontrol.org).

Email [email protected] with the subject line "Do Not Sell or Share."

Adjust your Meta advertising preferences at facebook.com/adpreferences.

We will process opt-out requests within 15 business days.

- - - - - - - - - - - - - - - - - - - -

24. FINANCIAL INCENTIVES

We do not offer financial incentives, price differences, or service differences related to the collection, retention, sale, or sharing of personal information.

- - - - - - - - - - - - - - - - - - - -

25. DISPUTE RESOLUTION

Any disputes arising from or related to this Privacy Policy or our data practices are subject to the dispute resolution provisions set forth in our Terms of Service, including mandatory binding arbitration and class action waiver, to the extent permitted by applicable law. Note: Washington MHMDA private right of action claims cannot be waived by arbitration agreement.

- - - - - - - - - - - - - - - - - - - -

26. REGULATORY COMPLIANCE

GetMedKits operates in compliance with applicable federal and state telehealth laws and regulations. This service has been reviewed and certified by LegitScript, an independent third-party certification body for healthcare merchant legitimacy. LegitScript certification does not constitute government approval, endorsement, or guarantee of compliance with any specific federal or state law.

- - - - - - - - - - - - - - - - - - - -

27. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy at any time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where required by law, provide additional notice (such as a prominent website notice or direct communication). Your continued use of our website or services after any update constitutes acceptance of the revised policy. We encourage you to review this policy periodically. Prior versions of this policy are available upon request.

- - - - - - - - - - - - - - - - - - - -

28. CONTACT US

If you have questions about this Privacy Policy, wish to exercise any privacy right, or have concerns about how your information is handled, contact us:

Email: [email protected]

Phone: +1 (346) 220-0227

For HIPAA-specific inquiries, please refer to our HIPAA Notice of Privacy Practices.

For Washington consumer health data inquiries, please refer to our Consumer Health Data Privacy Policy.

For privacy rights appeals, email [email protected] with the subject line "Privacy Rights Appeal."