HELLO PEDIATRICS MEDICAL GROUP, PLLC
WEBSITE PRIVACY POLICY
Including AI-Augmented Services Notice
| Effective Date | June 1, 2025 |
|---|---|
| Last Revised | May 28, 2026 |
| Version | 3.0 |
| Governing Entity | Hello Pediatrics Medical Group, PLLC ("HP," "we," "our," or "us") |
| Service URL | https://hellopediatrics.com |
| Compliance Contact | compliance@hellopediatrics.com |
| Mailing Address | 13135 Route 50, Suite 300, Fairfax, Virginia 22033 |

⚠ PLEASE READ THIS POLICY CAREFULLY: This Privacy Policy governs your use of hellopediatrics.com and all related digital services. BY ACCESSING OR USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS POLICY. IF YOU DO NOT AGREE, DO NOT USE OUR SERVICES.
HIPAA NOTICE: Health information you provide through Patient Services (telehealth visits, appointment booking, patient portal, billing) constitutes Protected Health Information ("PHI") governed separately by our HIPAA Notice of Privacy Practices, available at hellopediatrics.com/hipaa-notice. This Policy governs non-PHI website and digital interactions.
1. Introduction and Scope
Hello Pediatrics Medical Group, PLLC ("HP," "we," "our," or "us") is a pediatric telehealth and triage company dedicated to providing accessible, high-quality healthcare to children and their families. We are committed to protecting the privacy and security of your personal information. This Website Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard personal information obtained through our website at https://hellopediatrics.com and related digital services (collectively, the "Online Service Platform" or "Service").
This Policy is designed to comply with applicable federal and state privacy laws in the United States, the European Union General Data Protection Regulation ("GDPR") (EU 2016/679), the UK General Data Protection Regulation ("UK GDPR"), and other applicable international privacy frameworks.
1.1 Laws Governing This Policy
This Policy addresses requirements under, among others:
- Federal: Health Insurance Portability and Accountability Act ("HIPAA") / HITECH Act; Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. § 6501 et seq.; Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 45; Americans with Disabilities Act ("ADA")
- State: California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"); Virginia Consumer Data Protection Act ("CDPA"); Colorado Privacy Act ("CPA"); Connecticut Data Privacy Act ("CTDPA"); Utah Consumer Privacy Act ("UCPA"); Texas Data Privacy and Security Act ("TDPSA"); Florida Digital Bill of Rights ("FDBR"); Oregon Consumer Privacy Act ("OCPA"); Montana Consumer Data Privacy Act ("MCDPA"); Delaware Personal Data Privacy Act ("DPDPA"); Indiana Consumer Data Protection Act ("INCDPA"); Iowa Consumer Data Protection Act ("ICDPA"); Tennessee Information Protection Act ("TIPA"); New Hampshire Privacy Act ("NHPA"); Nevada SB 220; and all other enacted or effective state consumer privacy laws
- International: EU GDPR (Regulation 2016/679); UK GDPR; EU AI Act (Regulation 2024/1689) as applicable to AI-augmented services; ePrivacy Directive 2002/58/EC
1.2 Applicability
This Policy applies to information collected through:
- Our website at https://hellopediatrics.com and any subdomain thereof
- Email, text, chat, and other electronic communications with us
- Mobile and desktop applications provided by HP
- AI-augmented features and tools embedded in our Service (see Section 10)
- Third-party integrations where this Policy is referenced
This Policy does NOT apply to:
- Protected Health Information ("PHI") collected through Patient Services, which is governed by our HIPAA Notice of Privacy Practices
- Offline data collection or other HP websites not referencing this Policy
- Third-party websites linked from our Service
2. Children's Privacy — Special Protections
IMPORTANT: PEDIATRIC SERVICES — SPECIAL PARENTAL NOTICE. We provide medical services to minors. All personal information about patients under 18 must be submitted by or with the verifiable consent of a parent, legal guardian, or authorized representative. We do not knowingly collect personal information directly from children under 13 without verifiable parental consent as required by COPPA.
2.1 COPPA Compliance — Children Under 13
Our Service is not directed to children under the age of 13 for independent use. Consistent with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. § 6501, et seq., and the FTC's COPPA Rule, 16 C.F.R. Part 312:
- We do not knowingly collect personal information directly from children under 13 without verifiable parental consent.
- All registration, appointment booking, and clinical communications for patients under 13 must be completed by a parent or legal guardian.
- We obtain verifiable parental consent before collecting, using, or disclosing personal information of children under 13 in contexts not covered by HIPAA.
- Parents and legal guardians may review, request deletion of, and refuse further collection of their child's personal information by contacting compliance@hellopediatrics.com.
- If we discover we have collected personal information from a child under 13 without appropriate consent, we will promptly delete it.
- We do not condition a child's participation in our services on providing more personal information than is reasonably necessary.
2.2 Minors Ages 13–17
For patients ages 13 through 17:
- Personal information must be submitted by or with the consent of the minor's parent, guardian, or legal representative.
- We comply with applicable state minor privacy laws, including California's Privacy Rights for California Minors in the Digital World (Cal. Bus. & Prof. Code § 22580 et seq.).
- We do not engage in targeted advertising based on the personal information of known minors.
- We do not sell, share, or disclose the personal information of minors under 18 to third parties for commercial purposes without express parental/guardian consent.
2.3 State-Specific Protections for Minors
Several states impose heightened protections for minor consumers. We comply with all applicable requirements, including:
- California: We do not sell or share the personal information of consumers we know to be under 16 years of age without opt-in consent (under 13: parental consent required). (CCPA/CPRA, Cal. Civ. Code § 1798.120(c))
- Texas, Florida, Oregon, Montana, and other states: We comply with each state's requirements regarding sensitive data processing for minors.
3. Information We Collect
We collect personal information to operate, improve, and protect our Service. We collect only the minimum information necessary ("data minimization") for identified lawful purposes.
3.1 Information You Provide Directly
When you interact with our Service, you may provide:
- Contact and identity information: name, postal address, email address, telephone number, date of birth, and government identification numbers (e.g., SSN when required for insurance)
- Account credentials: username, password, and security questions
- Health information submitted outside of covered Patient Services (e.g., symptom checker, AI triage questionnaire)
- Insurance and financial information: insurance ID, group number, credit/debit card, and billing information
- Communications: records of emails, chat messages, forms, and feedback you send us
- Survey responses and research participation data
- User Contributions: information you post to public areas or transmit to other users (posted at your own risk)
3.2 Information Collected Automatically
When you visit our Service, we and our third-party partners automatically collect:
- Device and connection information: IP address, device identifiers, operating system, browser type and version, screen resolution
- Usage data: pages visited, features used, links clicked, search queries, session duration, referring/exit pages
- Location data: approximate geographic location derived from IP address; precise geolocation only with your express consent
- Audio and visual data: camera and microphone data during telehealth sessions with your prior consent; this data is processed as PHI under HIPAA
- Diagnostic data: crash reports, performance metrics
3.3 Information from Third Parties
We may receive information about you from:
- Healthcare partners and referral sources (subject to applicable HIPAA Business Associate Agreements)
- Insurance companies and payers (subject to applicable data sharing agreements)
- Identity verification and fraud prevention services
- Analytics providers (in aggregated or pseudonymized form)
- Social media platforms if you connect such accounts to our Service
3.4 Sensitive Personal Information
To the extent we process "sensitive personal information" as defined under applicable law (including CCPA/CPRA, GDPR, and similar statutes), this includes:
- Health and medical information (processed as PHI under HIPAA where applicable, and as sensitive data under state privacy laws)
- Race, ethnicity, and national origin (collected when required by law for equitable healthcare delivery)
- Government-issued identification numbers
- Precise geolocation data (with consent)
- Children's personal information
We use sensitive personal information only as necessary to deliver the Service, comply with legal obligations, or as otherwise permitted by applicable law. We do not use sensitive personal information to infer characteristics unrelated to the purpose for collection. California residents have the right to limit our use and disclosure of sensitive personal information (see Section 13).
3.5 Automatic Data Collection Technologies
We use the following technologies to collect information automatically:
- Cookies: Small files stored on your device. You may refuse browser cookies by adjusting your browser settings, though some Service features may be unavailable. We use session cookies (deleted when you close your browser) and persistent cookies (retained for specified periods).
- Web Beacons / Pixel Tags: Electronic files embedded in web pages or emails that allow us to count visitors, measure engagement, and assess service performance.
- Local Storage and Session Storage: Browser-based storage for preferences and session state.
- Software Development Kits (SDKs): In our mobile applications.
- Server Logs: Our servers automatically record request and response data.
We honor Global Privacy Control ("GPC") signals and similar browser-based opt-out mechanisms where required by applicable law (including California, Colorado, Connecticut, and Oregon).
4. How We Use Your Information
We process personal information only for the lawful purposes described below. For each purpose, we identify the applicable legal basis under the GDPR where relevant.
| Purpose | Legal Basis (GDPR) | US Lawful Basis |
|---|---|---|
| Provide, operate, and maintain the Service and Patient Services | Performance of contract; Vital interests (health) | Provision of healthcare services; Contract performance |
| Process appointments, telehealth visits, billing, and communications | Performance of contract; Legal obligation | HIPAA; State healthcare regulations |
| AI-augmented triage and clinical decision support (see Section 10) | Legitimate interests; Consent for high-risk processing | Consent; Healthcare operations |
| Detect and prevent fraud, security threats, and illegal activity | Legitimate interests; Legal obligation | FTC Act; State security laws |
| Comply with legal obligations and respond to legal process | Legal obligation | Federal/state law compliance |
| Improve and develop our Service through analytics and research | Legitimate interests | Consent where required; Legitimate interests |
| Send service communications, notices, and policy updates | Performance of contract; Legal obligation | Service relationship |
| Marketing and promotional communications (with consent) | Consent | CAN-SPAM Act; TCPA; State laws |
| Comply with HIPAA and respond to requests for PHI | Legal obligation; Vital interests | HIPAA |
| Create anonymized or de-identified data for research and analytics | Legitimate interests | Not personal information once de-identified |

We do not use your personal information to make fully automated decisions that have legal or similarly significant effects without human review, except as described in Section 10 (AI-Augmented Services). We will never use your information to discriminate against you in violation of applicable law.
5. Disclosure of Your Information
We do not sell your personal information. We disclose personal information only as described below or with your consent.
5.1 Service Providers and Business Associates
We share personal information with vendors, contractors, and service providers who perform services on our behalf under written agreements that require them to protect your information and use it only for specified purposes. Categories of service providers include:
- Healthcare IT and electronic health record ("EHR") vendors (as HIPAA Business Associates)
- Telehealth platform providers (as HIPAA Business Associates)
- AI and clinical decision support technology providers (subject to strict data processing agreements)
- Payment processors and billing companies
- Customer support software providers
- Cloud infrastructure, hosting, and security providers
- Analytics and performance measurement providers
- Email, SMS, and communication service providers
- Identity verification and fraud prevention services
5.2 Healthcare-Related Disclosures
Consistent with HIPAA and state healthcare laws, we may disclose health-related information to:
- Your treating healthcare providers and care team
- Consulting specialists with your authorization or as permitted by HIPAA
- Insurance companies and payers for billing and claims adjudication
- Public health authorities as required by law
- Health oversight agencies
5.3 Legal and Regulatory Disclosures
We may disclose your information:
- To comply with applicable law, regulation, or court order
- To respond to lawful requests from government authorities
- To enforce our Terms of Use or other agreements
- To protect the rights, property, or safety of HP, our users, or the public
- To prevent or investigate suspected fraud, security incidents, or illegal activity
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of HP's assets, personal information may be transferred to the successor entity. We will notify you via email or prominent notice on our Service at least 30 days prior to any such transfer resulting in a material change to this Policy. The successor entity must agree to protect your personal information in a manner consistent with this Policy.
5.5 Affiliates and Subsidiaries
We may share personal information with HP's corporate affiliates and subsidiaries under common ownership or control, subject to this Policy and applicable data sharing agreements.
5.6 Third-Party Advertising — Limited
We do not sell personal information to advertisers. We may use aggregate, de-identified, or pseudonymized data to measure advertising effectiveness. We do not permit third-party advertisers to collect personal information directly through our Service without your consent. We do not engage in cross-context behavioral advertising using the sensitive personal information or personal information of minors.
5.7 What We Do NOT Do
- We do NOT sell personal information as defined under applicable state privacy laws.
- We do NOT share personal information for cross-context behavioral advertising without providing an opt-out mechanism.
- We do NOT disclose the personal information of minors under 18 for commercial purposes without parental/guardian consent.
- We do NOT use personal information in ways inconsistent with the purposes for which it was collected.
6. Cookies, Tracking Technologies, and Your Choices
6.1 Cookie Categories
We use the following categories of cookies and similar technologies:
- Strictly Necessary Cookies: Required for the Service to function (e.g., authentication, security). Cannot be disabled without breaking the Service.
- Functional Cookies: Enable enhanced features such as remembering preferences and personalization. May be disabled with limited Service impact.
- Analytics Cookies: Help us understand how users interact with our Service through aggregate statistics. May be disabled without affecting core functionality.
- Marketing/Advertising Cookies: Used only with your consent; allow measurement of advertising campaigns. Disabled by default for users in opt-in consent jurisdictions (EU, UK, California where required).
6.2 Cookie Consent and Management
When you first visit our Service, we present a cookie consent banner that allows you to:
- Accept all cookies
- Reject non-essential cookies
- Customize your preferences by category
You may update your cookie preferences at any time via the "Cookie Settings" link in the footer of our website. You may also manage cookies through your browser settings. Note that disabling certain cookies may limit Service functionality.
We honor Global Privacy Control ("GPC") signals as an opt-out of sale/sharing of personal information where required by California, Colorado, Connecticut, Oregon, and other applicable state laws.
6.3 Third-Party Analytics and Advertising
We use analytics services such as Google Analytics to understand Service usage. These services may collect data using their own cookies and tracking technologies, subject to their own privacy policies. You may opt out of Google Analytics at https://tools.google.com/dlpage/gaoptout. You may opt out of interest-based advertising through:
- Digital Advertising Alliance (DAA): https://optout.aboutads.info
- Network Advertising Initiative (NAI): https://optout.networkadvertising.org
- Google Ad Settings: https://adssettings.google.com
- Microsoft Privacy Settings: https://account.microsoft.com/privacy/ad-settings
We are not responsible for third-party data practices once your data leaves our Service through third-party links.
7. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Retention periods vary based on the type of information and applicable law:
| Data Category | Retention Period |
|---|---|
| Account and registration data | Duration of account plus 7 years after account closure, or as required by state healthcare records laws |
| Patient-related information | As required by HIPAA and applicable state medical records laws (minimum 6 years from creation or last effective date; some states require longer periods for pediatric records) |
| Telehealth session records | As required by HIPAA; minimum 6 years; some states up to age of majority plus additional years for pediatric patients |
| Financial/billing records | 7 years per IRS requirements and applicable state law |
| Marketing and analytics data | Up to 2 years, or as limited by cookie expiration settings |
| Legal hold data | Duration of applicable proceeding plus applicable statute of limitations |
| AI interaction logs (non-PHI) | Up to 2 years for safety monitoring; anonymized thereafter |
| De-identified/aggregated data | May be retained indefinitely as it no longer constitutes personal information |

When personal information is no longer needed, we securely delete or anonymize it consistent with NIST SP 800-88 and applicable standards. Backup copies may be retained for a reasonable transition period.
8. Data Security
We implement and maintain a comprehensive information security program designed to protect your personal information from unauthorized access, use, alteration, disclosure, and destruction, consistent with applicable law including HIPAA Security Rule requirements, NIST Cybersecurity Framework, and applicable state security laws.
8.1 Technical Safeguards
- Transport Layer Security (TLS) 1.2 or higher for all data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication ("MFA") for administrative access
- Role-based access controls ("RBAC") limiting data access to authorized personnel
- Intrusion detection and prevention systems
- Vulnerability scanning and penetration testing
- Secure Software Development Lifecycle ("SSDLC") practices
- Web Application Firewall ("WAF")
8.2 Administrative and Organizational Safeguards
- Written information security policies and procedures
- Regular security training for all workforce members
- Background checks for employees with access to personal information
- Business Associate Agreements ("BAAs") with all vendors accessing PHI
- Data Processing Agreements ("DPAs") with all processors handling personal information
- Annual risk assessments and security audits
8.3 Incident Response
In the event of a data security incident involving personal information, we will:
- Investigate promptly and take appropriate containment measures
- Notify affected individuals as required under applicable law, including the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400-414), applicable state breach notification laws, and GDPR Articles 33-34
- Notify applicable regulatory authorities within required timeframes (GDPR: 72 hours to supervisory authority; state law: varies, typically 30-90 days)
- Provide affected individuals with information about the incident, types of information affected, steps they may take to protect themselves, and our remediation measures
You are responsible for maintaining the confidentiality of your account credentials. Please notify us immediately at compliance@hellopediatrics.com if you suspect unauthorized access to your account.
No security system is impenetrable. We cannot guarantee absolute security. By using the Service, you acknowledge this inherent risk.
9. International Data Transfers
HP is based in the United States. If you access our Service from the European Union, United Kingdom, or other jurisdictions outside the United States, your information will be transferred to, processed, and stored in the United States, which may not provide the same level of data protection as your home jurisdiction.
9.1 Transfers from the EU/EEA and UK
For transfers of personal data from the EU/EEA and UK to the United States, we rely on the following transfer mechanisms:
- EU-U.S. Data Privacy Framework ("DPF"): Where HP has certified or will certify to the DPF, transfers will be made pursuant to such certification.
- Standard Contractual Clauses ("SCCs"): We use the European Commission-approved SCCs (2021/914/EU) in our Data Processing Agreements with EU/EEA-based processors and controllers. For UK transfers, we use the International Data Transfer Agreement ("IDTA") or UK SCCs as applicable.
- Supplementary Measures: We implement supplementary technical and organizational measures (as required by the Schrems II decision, C-311/18) including encryption and pseudonymization where appropriate.
To obtain a copy of our transfer mechanisms or further information about international transfers, contact compliance@hellopediatrics.com.
9.2 Retention of EU/UK Personal Data
We retain personal data originating from EU/EEA/UK jurisdictions only for as long as necessary for the purposes described in this Policy and in compliance with GDPR Article 5(1)(e) and applicable UK data protection law.
10. Artificial Intelligence (AI) Augmented Services
AI SERVICES NOTICE: We may use artificial intelligence and machine learning technologies to support pediatric triage, symptom assessment, and clinical decision support. This section explains how we use AI, the limitations of AI tools, and your rights regarding AI-assisted decisions. AI tools do not replace the professional medical judgment of licensed healthcare providers.
10.1 How We Use AI
HP may deploy AI-augmented tools for the following purposes:
- Symptom triage and acuity assessment: AI tools may assist in prioritizing patient consultations based on reported symptoms. All AI triage recommendations are reviewed and confirmed by licensed clinicians before any clinical action is taken.
- Clinical decision support: AI may suggest differential diagnoses or evidence-based treatment guidelines to our clinicians as informational tools. Final clinical decisions are always made by licensed professionals.
- Documentation and coding assistance: AI may assist clinicians with medical documentation and billing code suggestions.
- Patient communication and scheduling: AI-powered chatbots may assist with appointment scheduling, FAQ responses, and routine administrative tasks.
- Quality improvement and safety monitoring: AI may analyze de-identified or aggregated data to identify care quality trends.
10.2 Data Used by AI Systems
AI tools may process:
- Information you voluntarily submit through symptom questionnaires, chat interfaces, and similar tools (non-PHI context)
- PHI in clinical contexts, processed under HIPAA and our Notice of Privacy Practices
- De-identified or aggregated Service usage data for model improvement
We do not use AI to make legally or clinically significant decisions based solely on automated processing without human review. All clinical AI outputs are subject to clinician oversight.
10.3 AI Vendor Oversight
Where we engage third-party AI providers:
- All AI vendors processing PHI execute HIPAA Business Associate Agreements ("BAAs")
- All AI vendors processing personal information execute Data Processing Agreements ("DPAs") meeting applicable legal requirements
- We conduct due diligence on AI vendor security, data governance, and model training practices
- We do not permit AI vendors to use your personal information or PHI to train general-purpose AI models without your explicit consent
- For EU/UK services, we perform Data Protection Impact Assessments ("DPIAs") for high-risk AI processing as required by GDPR Article 35 and the EU AI Act
10.4 EU AI Act Compliance
To the extent any AI system deployed by HP falls within the scope of the EU AI Act (Regulation (EU) 2024/1689) as a "high-risk" AI system (including AI systems used for healthcare), we commit to:
- Deploying only AI systems that meet EU AI Act conformity requirements when providing services to EU residents
- Maintaining appropriate human oversight of AI-assisted clinical decisions
- Providing meaningful information about AI systems to patients upon request
- Logging and auditing AI system outputs for accuracy and safety
- Implementing bias monitoring and fairness assessments for clinical AI tools
10.5 Your Rights Regarding AI
You have the right to:
- Be informed when an AI tool has been used in a process that affects you
- Request human review of any automated decision that has a significant effect on you
- Opt out of non-essential AI processing to the extent technically feasible by contacting compliance@hellopediatrics.com
- Receive an explanation of the logic involved in any AI-assisted decision that significantly affects you (GDPR Article 22; applicable state law)
11. Your Privacy Rights — General
Regardless of your location, you have the following rights with respect to your non-PHI personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction/Rectification: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to our legal obligations to retain certain information.
- Objection: Object to certain processing of your personal information.
- Portability: Request a machine-readable copy of personal information you provided to us.
- Withdrawal of Consent: Where processing is based on your consent, withdraw consent at any time (without affecting prior lawful processing).
- Lodge a Complaint: File a complaint with your applicable supervisory authority or state attorney general.
To exercise these rights, please contact us at compliance@hellopediatrics.com or by mail at 13135 Route 50, Suite 300, Fairfax, Virginia 22033. We will respond within the timeframe required by applicable law (generally 45 days, extendable by an additional 45 days with notice). We do not charge a fee for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive.
We will verify your identity before processing requests. We may ask for information sufficient to confirm your identity. We will not discriminate against you for exercising your privacy rights.
12. Rights Under the GDPR (EU and UK Residents)
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following additional rights under the GDPR and UK GDPR:
12.1 Your Rights
- Right to be Informed (Articles 13-14): You have the right to receive clear, transparent information about how your personal data is processed. This Policy serves as our primary transparency notice.
- Right of Access (Article 15): You may request access to your personal data and information about how it is processed.
- Right to Rectification (Article 16): You may request correction of inaccurate personal data.
- Right to Erasure — “Right to be Forgotten” (Article 17): You may request deletion of your personal data where there is no overriding legitimate reason for its continued processing.
- Right to Restriction of Processing (Article 18): You may request restriction of processing in certain circumstances.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects, and to request human review.
12.2 Data Controller and Representative
HP acts as a data controller with respect to personal data of EU/UK residents processed through our Service. Our lawful bases for processing are set forth in Section 4 (Purpose Table). Our Data Protection contact is compliance@hellopediatrics.com.
For EU residents who do not reside in the United States, HP will designate an EU-based representative pursuant to GDPR Article 27 upon request. Please contact compliance@hellopediatrics.com for current representative contact information.
12.3 Supervisory Authority Complaints
EU residents have the right to lodge a complaint with their national data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.
12.4 Retention (GDPR)
We retain EU/UK personal data consistent with the storage limitation principle (GDPR Article 5(1)(e)), retaining data no longer than necessary for its specified purposes. Retention schedules are set forth in Section 7.
13. Your State Privacy Rights (United States Residents)
Various U.S. states have enacted comprehensive consumer privacy laws providing residents with specific rights. We honor these rights regardless of whether a state’s law technically applies to our operations, as part of our commitment to privacy as a fundamental value.
13.1 California Residents
California residents have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA") (Cal. Civ. Code §§ 1798.100-1798.199.100):
- Right to Know: Right to know what personal information we collect, use, disclose, and sell/share, including specific pieces and categories.
- Right to Delete: Right to request deletion of your personal information, subject to exceptions.
- Right to Correct: Right to request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. HP does not sell personal information. To opt out of sharing, submit a request to compliance@hellopediatrics.com or use the "Do Not Sell or Share My Personal Information" link on our website.
- Right to Limit Sensitive Personal Information: Right to limit use of sensitive personal information to permitted purposes. To exercise this right, submit a request to compliance@hellopediatrics.com.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
- Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We will verify the agent’s authority.
California’s “Shine the Light” law (Cal. Civ. Code § 1798.83): California residents may request information about disclosures of personal information to third parties for direct marketing by contacting compliance@hellopediatrics.com.
California Minor Eraser Rights (Cal. Bus. & Prof. Code § 22581): Minor users who registered with our Service may request removal of content or information they posted.
13.2 Virginia Residents (CDPA)
Virginia residents have rights under the Virginia Consumer Data Protection Act ("CDPA") (Va. Code § 59.1-575 et seq.) effective January 1, 2023:
- Access, correction, deletion, and portability rights
- Right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions with legal or significant effects
- Right to appeal a refusal of a rights request
To exercise Virginia rights, email compliance@hellopediatrics.com. Appeals: if we deny a request, you may appeal by emailing the same address with "CDPA APPEAL" in the subject line. If your appeal is denied, you may contact the Virginia Attorney General at https://www.oag.state.va.us.
13.3 Colorado Residents (CPA)
Colorado residents have rights under the Colorado Privacy Act ("CPA") (C.R.S. § 6-1-1301 et seq.) effective July 1, 2023:
- Access, correction, deletion, and portability rights
- Right to opt out of targeted advertising, sale of personal data, and profiling
- Right to appeal
We honor GPC signals as opt-out of sale/targeted advertising for Colorado residents. To exercise rights, email compliance@hellopediatrics.com. For appeals, contact the Colorado Attorney General at https://coag.gov.
13.4 Connecticut Residents (CTDPA)
Connecticut residents have rights under the Connecticut Data Privacy Act ("CTDPA") (Conn. Gen. Stat. § 42-515 et seq.) effective July 1, 2023, including access, correction, deletion, portability, and opt-out rights. We honor GPC signals for Connecticut residents. Contact compliance@hellopediatrics.com to exercise rights.
13.5 Utah Residents (UCPA)
Utah residents have rights under the Utah Consumer Privacy Act ("UCPA") (Utah Code § 13-61-101 et seq.) effective December 31, 2023, including access, deletion, portability, and opt-out of sale and targeted advertising rights. Contact compliance@hellopediatrics.com to exercise rights.
13.6 Texas Residents (TDPSA)
Texas residents have rights under the Texas Data Privacy and Security Act ("TDPSA") effective July 1, 2024, including access, correction, deletion, portability, and opt-out rights for targeted advertising and sale of personal data. We honor universal opt-out mechanisms recognized by Texas. Contact compliance@hellopediatrics.com.
13.7 Florida Residents (FDBR)
Florida residents have rights under the Florida Digital Bill of Rights ("FDBR") effective July 1, 2024, for consumers whose personal data is processed by controllers exceeding applicable thresholds. Contact compliance@hellopediatrics.com for information about your rights.
13.8 Oregon Residents (OCPA)
Oregon residents have rights under the Oregon Consumer Privacy Act ("OCPA") effective July 1, 2024, including access, correction, deletion, portability, and opt-out rights. We honor GPC signals for Oregon residents. Contact compliance@hellopediatrics.com.
13.9 Montana Residents (MCDPA)
Montana residents have rights under the Montana Consumer Data Privacy Act ("MCDPA") effective October 1, 2024, including access, correction, deletion, portability, and opt-out rights. Contact compliance@hellopediatrics.com.
13.10 Additional States
Residents of Delaware, Indiana, Iowa, New Hampshire, New Jersey, Tennessee, and other states with enacted consumer privacy laws also have rights consistent with applicable law. Contact compliance@hellopediatrics.com for state-specific information, or refer to your state attorney general’s website:
- Delaware (DPDPA): https://doj.delaware.gov
- Indiana (INCDPA): https://www.in.gov/attorneygeneral
- Iowa (ICDPA): https://www.iowaattorneygeneral.gov
- New Hampshire (NHPA): https://www.doj.nh.gov
- Tennessee (TIPA): https://www.tn.gov/attorneygeneral
13.11 Nevada Residents
Nevada residents may submit opt-out requests from the sale of covered personal information pursuant to Nevada SB 220 (NRS § 603A) by emailing compliance@hellopediatrics.com. Note: HP does not currently sell data as defined under the Nevada statute.
13.12 How to Submit a Request
To exercise any state privacy rights:
- Email: compliance@hellopediatrics.com (include "PRIVACY REQUEST" and your state in the subject line)
- Mail: Hello Pediatrics Medical Group, PLLC, 13135 Route 50, Suite 300, Fairfax, Virginia 22033, Attn: Privacy Officer
We will respond within the timeframe specified by applicable law (generally 45 days, with one possible 45-day extension). We will verify your identity before processing requests. We will not charge a fee unless requests are repetitive or manifestly unfounded.
14. Telehealth-Specific Privacy Provisions
As a pediatric telehealth provider, we are subject to additional privacy requirements specific to telemedicine services.
14.1 State Telehealth Privacy Laws
In addition to HIPAA, many states have enacted telehealth-specific privacy protections. We comply with the telehealth laws and regulations of each state in which we operate, including requirements regarding:
- Informed consent for telehealth services
- Security requirements for telehealth platforms
- Cross-state telehealth licensing and privacy requirements
- Documentation and retention requirements for telehealth encounters
- Restrictions on recording telehealth sessions
14.2 Telehealth Session Data
Audio, video, and associated data from telehealth consultations constitute PHI and are governed by our HIPAA Notice of Privacy Practices. We use HIPAA-compliant, end-to-end encrypted telehealth platforms. We do not record telehealth sessions without your prior written consent, except where required by law.
14.3 California Confidentiality of Medical Information Act (CMIA)
For California patients, medical information collected through telehealth services is subject to the California Confidentiality of Medical Information Act ("CMIA"), Cal. Civ. Code §§ 56-56.37, which provides protections beyond HIPAA. We obtain required CMIA authorizations for disclosure of medical information.
15. Accessing, Correcting, and Deleting Your Information
You may access and update your personal information by:
- Logging into your account and visiting your profile page on our Service
- Emailing compliance@hellopediatrics.com
- Writing to us at 13135 Route 50, Suite 300, Fairfax, Virginia 22033
Deletion Limitations: We may be unable to delete information required by law (including HIPAA retention requirements), necessary to complete a transaction, needed to detect fraud or illegal activity, needed to exercise our legal rights, or that is part of a legal hold. If we cannot fully honor a deletion request, we will explain the applicable limitation.
User Contributions: Copies of information you post publicly may persist in caches or have been copied by other users. We are not responsible for third-party copies of User Contributions.
16. Third-Party Links and Services
Our Service may contain links to third-party websites, applications, and services. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party sites you visit. Our Policy applies only to our Service, not to any third-party sites or services.
17. Do Not Track
Some browsers offer a "Do Not Track" ("DNT") feature. We currently honor DNT signals by not engaging in cross-site behavioral tracking for users who have enabled DNT. We also honor Global Privacy Control ("GPC") signals as described in Section 6. We will update this Policy if our practices change.
18. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to you by:
- Posting the revised Policy on our website with an updated "Last Revised" date at the top
- Sending an email notification to the email address associated with your account
- Displaying a prominent notice on our Service home page
Material changes requiring your consent (e.g., new uses of sensitive personal information) will be communicated at least 30 days before they take effect, and we will seek your renewed consent where required by law.
Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy, to the extent permitted by applicable law. If you do not agree to the changes, you should discontinue use of the Service.
Prior versions of this Policy are available upon request at compliance@hellopediatrics.com.
19. Contact Us — Privacy Inquiries and Complaints
For questions, concerns, or requests regarding this Privacy Policy, please contact our Privacy Officer:
| Organization | Hello Pediatrics Medical Group, PLLC |
|---|---|
| Attn | Privacy Officer / Compliance Department |
| Mailing Address | 13135 Route 50, Suite 300, Fairfax, Virginia 22033 |
| Email | compliance@hellopediatrics.com |
| Response Time | Within 10 business days for general inquiries; within applicable statutory timeframe for rights requests |
To register a formal complaint about our privacy practices, please email compliance@hellopediatrics.com with the subject line "FORMAL PRIVACY COMPLAINT" and include a detailed description of your concern.
You also have the right to lodge a complaint with your applicable data protection authority or state attorney general. See Section 12.3 (EU/UK) and Section 13 (U.S. states) for relevant authority information.
20. Glossary of Key Terms
| Term | Definition |
|---|---|
| CCPA/CPRA | California Consumer Privacy Act, as amended by the California Privacy Rights Act |
| COPPA | Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) |
| De-identified data | Information that cannot reasonably identify a natural person per applicable law |
| GDPR | General Data Protection Regulation (EU) 2016/679 |
| GPC | Global Privacy Control — browser signal for opt-out of sale/sharing |
| HIPAA | Health Insurance Portability and Accountability Act of 1996 and HITECH Act |
| Personal Information | Information that identifies, relates to, or is reasonably linkable to an individual |
| PHI | Protected Health Information as defined by HIPAA (45 C.F.R. § 160.103) |
| Processing | Any operation performed on personal information, including collection, use, storage, disclosure, and deletion |
| Sale | Disclosure of personal information for monetary or other valuable consideration (definition varies by state law) |
| Sensitive Personal Information | Categories of personal information requiring heightened protection (health data, government IDs, biometrics, children's data, etc.) |
| Service Provider / Processor | Third party that processes personal information on HP's behalf under contract |
| SCC | Standard Contractual Clauses — EU-approved mechanism for international data transfers |
| UK GDPR | United Kingdom General Data Protection Regulation (retained EU law) |
© 2025 Hello Pediatrics Medical Group, PLLC. All rights reserved.
