Remitz Privacy Policy

Last Updated: October 16, 2025

This Privacy Policy explains how Remitz, Inc. and its affiliates (“Remitz,” “we,” “us,” or “our”) collect, use, disclose, and protect information related to visitors to our public websites, marketing properties, and other general online services (the “Website & Services”). This Privacy Policy also explains how our practices differ when Remitz provides patient-facing applications and related services on behalf of healthcare providers that are HIPAA covered entities (the “Portal”).

Not a HIPAA Notice of Privacy Practices. When we handle Protected Health Information (PHI) as a Business Associate to a healthcare provider, our use and disclosure of PHI is governed by the Business Associate Agreement (BAA) with that provider and by applicable law. This Privacy Policy does not replace a provider’s Notice of Privacy Practices and does not govern PHI where the BAA applies.

Carequality interoperability framework. Remitz participates in the Carequality interoperability framework to support secure, standards-based health information exchange among participating networks and organizations. Exchanges occur under Carequality Framework policies, participation agreements, technical and security requirements, and applicable law. PHI flows through Carequality occur in our role as a Business Associate and are governed by HIPAA and the applicable BAA.

1. Scope and roles

  • Website & Services. This Privacy Policy covers Website & Services visitors, event and marketing contacts, and other non-PHI interactions with Remitz. We act as an independent business for these activities.

  • Portal and PHI. When you use Remitz’s Portal offered on behalf of your healthcare provider, HIPAA and the BAA govern Remitz’s handling of PHI. Portal use is also governed by our Terms of Use (see Annex A in the Terms for Portal-specific terms). For Portal activities, we act as a Business Associate to your provider under a BAA.

2. Information we collect

Depending on how you interact with us and the Website & Services, we may collect the following categories of information (examples are illustrative):

  • Identifiers. Name, email address, postal address, phone number, online identifiers, device identifiers, IP address.

  • Professional or employment information. Company, role, specialty, resume or application details if you apply for a job.

  • Commercial data. Records of products or services considered or obtained, support history, preferences.

  • Internet or network activity. Browsing history, pages viewed, referring/exit pages, timestamps, clickstream data, and interactions with our sites or emails.

  • Geolocation data. General location information derived from your IP address.

  • Sensitive information (non‑PHI). If you choose to provide information about health interests or similar data in non‑clinical contexts on the Website, we treat it as sensitive. PHI used in the Portal is governed by the BAA and HIPAA.

  • Inferences. Inferences drawn from the above to personalize or improve the Website & Services.

  • Other information you choose to provide. Content of communications, survey responses, event registrations, or newsletter sign‑ups.

3. Sources of information

We collect information from: you (e.g., forms, events, content downloads, interactions with our Website & Services); automatic collection via cookies, pixels, SDKs, and similar technologies; service providers and partners (analytics, hosting, marketing, events); affiliates and entities under common control; and public or third-party sources that provide business contact information or enrichments.

4. How we use information

We use information to operate and improve the Website & Services; communicate with you; personalize content and measure engagement (including analytics); plan and run events, demos, pilots, surveys, and programs you choose to join; detect, investigate, and help prevent security incidents, abuse, or fraudulent activity; enforce our Terms of Use and other agreements; comply with legal obligations and exercise or defend legal claims; and de-identify and aggregate information for research, reporting, and improvement. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects; if that changes, we will provide required notices and any applicable opt-outs.

Portal and interoperability uses. When acting as a Business Associate and where permitted by HIPAA and the BAA, Remitz may use and disclose PHI for treatment, payment, and healthcare operations (TPO), to support interoperability and data exchange through frameworks such as Carequality, and for other purposes permitted by law and the BAA.

De-identified and aggregated data. Where we create de-identified or aggregated data, we do not attempt to re-identify it and we maintain safeguards designed to prevent re-identification.

5. How we disclose information

We may disclose information as follows: service providers (e.g., hosting, analytics, communications, security, marketing) under appropriate contracts; affiliates for the purposes described in this Policy; Carequality and other interoperability participants (on behalf of a provider and as permitted by HIPAA, participation agreements, and the BAA); business transfers (e.g., merger, acquisition, financing, or sale of assets); legal, safety, and compliance (to comply with laws or requests and to protect rights, property, and safety); and with your direction or consent.

No selling of personal information. We do not sell personal information.

Cross-context behavioral advertising. We may disclose limited Website & Services data to advertising or analytics partners to provide interest-based ads or measure campaigns. Where this disclosure is considered “sharing,” “targeted advertising,” or similar under applicable state privacy laws, you may opt out as described in Sections 6 and 7. We recognize browser- or device-based universal opt-out signals where required by law (for example, Global Privacy Control in California and Colorado, and Texas beginning January 1, 2025 and thereafter), and we apply them to the browser or device where they are set.

Portal tracking technologies. The Portal does not use advertising pixels or cross-context ad technologies. Any analytics or other tools on the Portal are configured not to receive PHI, are covered by a BAA, or are not used.

6. Your privacy choices and rights (United States)

Depending on your state of residence and the context, you may have the following rights with respect to personal information we handle outside of HIPAA/BAA contexts: access and data portability; correction; deletion (subject to exemptions); opt out of “sale,” “sharing,” targeted advertising, and certain profiling; limit the use of sensitive personal information where applicable; and non-discrimination for exercising your rights. These rights may be available under laws in states including, as applicable, CA, CO, CT, VA, UT, TX, OR, MT, TN, IA, IN, FL, DE, and others, as updated from time to time.

Submitting a request or appeal. To exercise your rights or to appeal a decision, contact us at support@remitz.com or +1 (937) 209-2158. You may also write to Remitz, Inc., 53 Calle Las Palmeras, Suite 601, San Juan, PR 00901, USA. If you submit a request through an authorized agent, we may require proof of authorization and verify your identity. We will respond as required by applicable law. Requests related to PHI should be directed to your healthcare provider, who manages HIPAA rights.

Minors. We do not sell or share personal information of individuals we know are under 16 and, where required by law, we obtain opt-in consent for any targeted advertising involving teens.

Sensitive personal information (Website context). We treat certain categories as “sensitive” under state laws and either obtain consent or limit use as required. We do not use or disclose sensitive personal information for purposes that would require offering a “Limit the Use” opt-out under California law, except as permitted by law.

Universal opt-out signals. We honor recognized universal opt-out mechanisms (such as Global Privacy Control) where required by law. These signals apply to the specific browser or device where they are set and may not persist across contexts unless you also use site-level controls.

7. Cookies and similar technologies

We use cookies and similar technologies to operate the Website, remember preferences, understand usage, and, in some cases, provide interest-based advertising. Essential cookies enable core functionality. Analytics cookies help us understand how visitors use our Website. Advertising cookies may be used to deliver or measure ads; where required, we request your consent. You can manage preferences through your browser settings and via our Cookie Preferences or Your Privacy Choices link (if available). Some browsers support Global Privacy Control (GPC) to communicate privacy preferences; we treat GPC and other recognized universal signals as opt-out requests where required by law and apply them to the browser or device where they are set. If you block or disable cookies, some site features may not function.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect information, such as industry-standard encryption in transit and at rest, OAuth 2.0 for API authorization, role-based access controls, security monitoring, and audit logging. We align our practices with applicable participation requirements for frameworks such as Carequality. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Retention

We retain information only for as long as reasonably necessary for the purposes described in this Policy or as required by law, regulation, or contract, including to resolve disputes and enforce agreements. Retention periods may vary based on the nature of the information and our obligations. Where required, we disclose retention periods or the criteria used to determine them at or before the point of collection (see “Notice at Collection”). PHI retention is governed by the BAA and applicable law.

10. International visitors

The Website & Services are operated in the United States. If you access the Website from outside the United States, information may be processed in countries that may not provide the same level of data protection as your home jurisdiction. Where required, we implement appropriate transfer safeguards.

11. Children’s privacy

The Website & Services are not intended for children under 13 and we do not knowingly collect personal information from children under 13 through the Website. If you believe a child has provided information to us, contact us and we will take appropriate steps. The Portal may allow authorized proxy access in coordination with a provider, subject to provider policies and applicable law.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated Policy with a new Last Updated date. Your continued use of the Website & Services after an update means you accept the changes.

13. Contact us

  • Email: support@remitz.com

  • Phone: +1 (937) 209‑2158

  • Mailing Address: Remitz, Inc., 53 Calle Las Palmeras, Suite 601, San Juan, PR 00901, USA

Carequality and security event monitoring. For exchanges facilitated through Carequality or other trusted frameworks, Remitz may support automated security event monitoring and reporting to the appropriate party consistent with applicable participation rules and law. These activities occur primarily within our role as a Business Associate to healthcare providers and are governed by the BAA and HIPAA.