Privacy & Security Notice

Applies to: Sandwych, Inc. (Sandwych, “we”, “our” or “us”) 
Last Updated: APRIL 16, 2026 


Your privacy is important to Sandwych, Inc. (“Sandwych,” “we,” “our,” or “us”). This Notice describes how Sandwych collects, uses, stores, discloses, and processes your personal information when you access or use Sandwych products and services, including https://www.sandwych.com, related websites, mobile applications (“Sites”), and other offerings (collectively, the “Services”). 

Sandwych also provides Individual Access Services (“IAS”) under the Trusted Exchange Framework and Common Agreement (“TEFCA”). When you request or receive your health information through TEFCA Exchange, this Notice explains how Sandwych protects, uses, and discloses Individually Identifiable Information specific to IAS. 

By using our Sites, Services, or IAS features, you acknowledge and agree to this Privacy & Security Notice and provide your express documented consent as required under TEFCA. Sandwych provides this Notice before your first use of IAS and is publicly available on our website and within our user‑facing applications where IAS features are offered. 

Sandwych will proactively notify Individuals of any Material Change to this Notice, highlight the changes so they are easy to identify, and provide updated versions consistent with your communication preferences. Sandwych bears the burden of proving that a change was not material. 

Information We Collect from You 

Personal Information We Collect About You from Other Sources

We also may periodically obtain personal information about you from affiliated entities, partners and other third-party sources. For example, we may receive information about your interaction with advertisements on third party websites, including updated postal addresses and demographic information. We may also authorize third-party vendors to collect information on our behalf, including, as necessary, to operate features of the Sites and Services, facilitate the delivery of orders, or provide online advertising tailored to your interests. 

Personal Information as You Navigate Our Sites

We automatically collect certain personal information through your use of our Sites and our use of cookies and other tracking technologies. This information helps us operate, secure, and improve the Sites and Services. This may include: 

  • Usage Information: For example, the pages on the Sites you access, the frequency of access, and what you click on while on the Sites. 

  • Device Information: For example, hardware model, operating system, application version number, and browser. 

  • Mobile Device Information: Aggregated information about whether the Sites are accessed via a mobile device or tablet, the device type, and mobile carrier.

  • Location Information: Location information from visitors to the Sites on a city-regional basis. 

These categories relate only to your general use of the Sites and are collected through standard web technologies. 

Information Collected When You Use IAS 

When you use Sandwych’s Individual Access Services (“IAS”), we collect and maintain Individually Identifiable Information necessary to verify your identity, retrieve your health information through TEFCA Exchange, and operate IAS. This may include: 

  • Identity proofing information, such as government‑issued identification, liveness checks, or other verification data. 

  • Clinical information returned through TEFCA Exchange in response to your request. 

IAS‑specific information is not collected through cookies or tracking technologies and is handled in accordance with TEFCA requirements and this Privacy & Security Notice. 

Cookies and Tracking Technologies 

Like many other companies, we use cookies and other tracking technologies (collectively, “Cookies”). Cookies are small files of information that are stored by your web browser software on your computer hard drive, mobile or other devices (e.g., smartphones or tablets). 

We use Cookies to: 

  • Estimate audience size and usage patterns; 

  • Understand and save your preferences for future visits, allowing us to customize the Sites and Services to your individual needs; 

  • Keep track of advertisements and search engine results; 

  • Compile aggregate data about site traffic and site interactions to resolve issues and offer better site experiences and tools in the future; and 

  • Recognize when you return to the Sites. 

We set some Cookies ourselves, while separate entities set other Cookies. We use Cookies other entities set to provide us with useful information, to help us improve our Sites and Services, to conduct advertising, and to analyze the effectiveness of advertising. For example, we use Cookies from Google and other similar companies. 

Browser Settings

You can block Cookies by changing your Internet browser settings to refuse all or some Cookies. If you choose to block all Cookies (including essential Cookies), you may not be able to access all or parts of the Sites. The Sites are not designed to recognize or respond to “do not track” signals received from browsers.

You can find out more about Cookies and how to manage them by visiting www.AboutCookies.org or www.allaboutcookies.org

Platform Controls. You can opt-out of Cookies set by specific entities by following the instructions found at these links: 

Google: https://adssettings.google.com

Advertising Industry Resources

You can understand which entities have currently enabled Cookies for your browser or mobile device and how to opt-out of some of those Cookies by accessing the Network Advertising Initiative’s website or the Digital Advertising Alliance’s website. For more information on mobile specific opt-out choices, visit the Network Advertising Initiative’s Mobile Choices website. 

Please note these opt-out mechanisms are specific to the device or browser on which they are exercised. Therefore, you will need to opt-out on every browser and device that you use. 

Google Analytics

We use Google Analytics, a web analytics service provided by Google, Inc. Google Analytics uses Cookies to help us analyze how users interact with the Sites, compile reports on their activity, and provide other services related to their activity and usage. The technologies used by Google may collect information such as your IP address, time of visit, whether you are a returning visitor, and any referring website. The information generated by Google Analytics will be transmitted to and stored by Google and will be subject to Google’s privacy policies. To learn more about Google’s partner services and to learn how to opt-out of tracking of analytics by Google, click here. 

Hotjar

Some of our Sites use Hotjar to better understand our users’ needs and to optimize the service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g., how much time they spend on which pages, which links they choose to click, what users do and do not like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses Cookies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our Sites. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. For more information, please view Hotjar’s privacy page by clicking here. 

FullStory

Some of our Sites use a third-party analytics provider, FullStory, to enable us to monitor and improve the user experience. FullStory uses Cookies to collect information, such as IP address, referring URL, device information (e.g., operating system), and information on user behavior (e.g., pages visited, links clicked, information entered, and mouse movements). For further details, please see FullStory’s privacy policy available here. To opt-out, FullStory provides this link. 

HIPAA Protected Health Information 

The personal information we receive or obtain through your use of the Sites and Services may be protected health information (“PHI”) subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). Where we collect, create, maintain, use or disclose PHI, we may be subject to HIPAA and certain agreements, including with health plans (“plan”) or health care providers (“provider”). In those cases, our collection, creation, maintenance, use and disclosure of PHI will be done in accordance with your health plan’s or health care provider’s Notice of Privacy Practices, where applicable. For official notices concerning or for more information or questions about the use and disclosure of your PHI, please refer to your plan or provider’s Notice of Privacy Practices, as applicable. 

How We Use Your Information 

We process your personal information with your consent or as needed to provide you with our Sites and Services. We may also use your personal information to comply with legal obligations, operate our business, protect the vital interests of you, our customers, or the public, or for other legitimate interests of Sandwych as described in this Privacy & Security Notice. 

Use of Information for IAS 

Sandwych is required to act in conformance with this Privacy & Security Notice and must protect the security of all Individually Identifiable Information it maintains in accordance with the applicable TEFCA Framework Agreements. When providing IAS, Sandwych may access, use, exchange, or disclose your Individually Identifiable Information only for: 

  • Providing IAS and retrieving your health information 

  • Operating and improving IAS 

  • Complying with TEFCA permitted and required uses 

  • Complying with applicable law 

  • Collecting fees you owe (if applicable) 

Sandwych will not use your Individually Identifiable Information to assert any claim against you, except for the collection of fees. 

Use of Information for General Sites and Services 

We may use your personal information (other than IAS‑restricted Individually Identifiable Information) to: 

  • Optimize and improve the Sites and Services – We continually try to improve the Sites and Services based on the information and feedback we receive from you, including by optimizing the content on the Services. 

  • Personalize the user experience – We may use your information to measure engagement with the Sites and Services, and to understand how you and our other users interact with and use the Sites and Services and other resources we provide. 

  • Improve customer service – Your information helps us to more effectively develop the Sites and Services and respond to your support needs. 

  • Process transactions – We may use the information you provide about yourself to fulfill your requests and product orders. We do not share this information with outside parties except to the extent necessary to provide the Sites and Services, fulfill orders, and related activities. 

  • To send periodic communications – The information you provide through our contact forms will be used to send information and updates pertaining to the Sites and Services. It may also be used to respond to your inquiries or other requests. If you opt in to our mailing list, you may receive emails that include Sandwych news, updates, related product offerings and service information, and marketing material. If at any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email or you may contact us via the contact information below. 

  • Protect the security and integrity of our Sites and Services. 

  • Investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or violations of our Terms of Use, and to otherwise fulfill our legal obligations. 

  • Monitor compliance with and enforce this Privacy & Security Notice 

  • Defend our legal rights and the rights of others. 

  • Fulfill any other purposes for which you provide it. 

  • Carry out any purpose that is reasonably necessary to or compatible with the original purpose for which we collected the personal information as disclosed to you. 

  • Comply with applicable law. 

TEFCA- Required Disclosures 

Sandwych complies with all disclosure obligations under the Trusted Exchange Framework and Common Agreement (“TEFCA”). These include: 

  • Encryption: All Individually Identifiable Information is encrypted in transit and at rest. 

  • Compulsory Legal Demands: Sandwych will notify you within 3 business days of receiving a subpoena, court order, search warrant, or other compulsory legal demand for your information, unless prohibited by law. 

  • Law Enforcement Disclosures: Sandwych will notify you within 3 business days if we disclose your information to law enforcement, unless prohibited by law. 

  • Permitted and Required Uses: All disclosures through TEFCA Exchange are made only in accordance with the permitted and required uses in the Common Agreement and applicable HHS guidance. 

Your Rights Under IAS 

As an IAS user, you have the right to: 

  • Request deletion of all Individually Identifiable Information maintained by Sandwych in connection with IAS (except audit logs or where prohibited by law). 

  • Access all Individually Identifiable Information Sandwych maintains in connection with IAS. 

  • Receive an export of your information in a machine‑readable format, including instructions for interpreting the format. 

  • Be notified if your information is reasonably believed to have been affected by an IAS Incident. 

  • Control disclosures: Choose whether Sandwych may disclose your information in response to TEFCA Exchange requests. 

Sandwych will honor your choices within a reasonable time.

Bidirectional IAS Provider 

Sandwych provides bidirectional IAS services, allowing you to: 

  • Request access to your health information via TEFCA Exchange; and 

  • Choose to share your health information with other TEFCA Participants. 

Consent Requirements 

Sandwych will obtain express, documented, and informed consent before providing Individual Access Services (“IAS”). Your consent authorizes Sandwych to: 

  • Verify your Identity 

  • Retrieve your health information through TEFCA Exchange at your direction 

  • Disclose your information to TEFCA Participants only when you choose to do so 

  • Maintain the information necessary to operate IAS 

Before you provide consent, Sandwych will clearly explain: 

  • What information will be accessed or exchanged 

  • The purpose of the access or exchange 

  • Any optional disclosures you may choose to authorize 

  • Your right to revoke consent at any time 

  • Any Material Changes that require new consent 

Sandwych will obtain your consent: 

  • Before your first use of IAS 

  • Before using your information in any materially different manner 

  • Before any Material Change to this Notice 

  • Before any sale or targeted advertising use (“Consent to Sale”), if ever applicable 

No Sale of Individually Identifiable Information 

Sandwych does not sell Individually Identifiable Information collected through IAS and does not use IAS information for targeted advertising. If Sandwych ever seeks to use your information in a way that constitutes a “sale” under applicable law, Sandwych will first obtain your separate, express, documented Consent to Sale. No IAS features require or depend on such consent. 

Sandwych maintains all consents in a secure, auditable log, including the date, time, method, and content of the consent provided. 

Revoking Consent 

You may revoke your consent at any time. 

Revocation: 

  • Must be easy and electronic 

  • Must include step‑by‑step instructions 

  • Will be available on our website and app (link to create an account) 

  • Ends your ability to use IAS 

  • Does not affect actions taken before revocation 

After revocation, Sandwych will retain only the information required by law or necessary for audit, security, or compliance purposes.

IAS Incident Notification 

If your information is affected by an IAS Incident, Sandwych will notify you with: 

  • What happened 

  • What information was involved 

  • Steps you should take 

  • What Sandwych is doing to mitigate harm 

  • How to contact us 

Fees for IAS 

Sandwych may charge fees for certain IAS features. If fees apply, Sandwych will provide clear and advance notice of: 

  • What services incur fees 

  • When fees are charged 

  • How fees must be paid 

  • Any applicable grace periods 

  • The amount of current fees 

Any introduction or update of fees will be communicated in accordance with TEFCA requirements and this Privacy & Security Notice. 

How We Share Your Information 

Sharing Related to the Sites and Services 

Sandwych requires all third‑party service providers who receive Individually Identifiable Information to use commercially reasonable safeguards, protect confidentiality, limit use to services performed on our behalf, and comply with applicable law. 

We share your information with our partners, service providers, contractors, agents and third-party vendors as needed to provide the Sites and Services. Please note that our partners may contact you as necessary to obtain additional information about you, facilitate any use of the Services, fulfill orders, or respond to a request you submit. 

Third-party vendors who provide products, services, or functions on our behalf may include business analytics companies, customer service vendors, communications service vendors, marketing vendors, delivery, parcel, and transportation vendors, and security vendors. 

We also may share your information: 

  • In response to subpoenas, court orders, or other legal process; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases we reserve the right to raise or waive any legal objection or right available to us. 

  • When we believe it is appropriate to investigate, prevent, or take action regarding illegal or suspected illegal activities; 

  • To protect and defend the rights, interests, or safety of our company or the Sites and Services, our customers, or others; or in connection with our Terms of Use and other agreements. 

  • With any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information. 

  • In connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy. 

  • With any other person or entity where you consent to the disclosure. 

  • For any other purpose disclosed by us when you provide the personal information or for any other purpose we deem necessary, including to protect the health or safety of others. 

Sharing Related to IAS 

When you use Individual Access Services (“IAS”), Sandwych shares Individually Identifiable Information only as permitted under TEFCA and applicable law. IAS disclosures are strictly limited to: 

  • Retrieving your health information through TEFCA Exchange at your direction 

  • Disclosing your information to TEFCA Participants only when you choose to do so 

  • Complying with TEFCA‑required disclosures, including notifications related to compulsory legal demands or law enforcement requests, unless prohibited by law 

  • Operating IAS, including identity verification, audit logging, security, and compliance 

Sandwych does not use IAS‑related Individually Identifiable Information for: 

  • Marketing 

  • Advertising 

  • Analytics unrelated to IAS 

  • Sale of information 

  • Any purpose not permitted under TEFCA 

Any IAS disclosure is logged in accordance with TEFCA requirements. 

Aggregated and De- Identified Information 

Sandwych may de‑identify Individually Identifiable Information collected through IAS. De‑identified information: 

  • Will be created and maintained using methods that prevent re-identification 

  • May be used for analytics, research or product improvement consistent with applicable law 

  • May be aggregated with information from other users in a manner that does not allow the data to be linked back to you. 

Sandwych may publish, share, or distribute aggregated or de‑identified information with third parties, including partners, sponsors, or advertisers. This information does not identify you and may be used to understand usage trends, improve the Sites and Services, or support research and analytics. Aggregated or de‑identified information may also be used to report how many users viewed or interacted with certain content, features, or materials on the Sites and Services. 

How We Store and Secure Your Information 

Sandwych will retain your information as long as necessary for the purposes outlined in this Privacy and Security Notice and for the purposes for which we collected it, such as providing you with the services you have requested, and for the purposes of satisfying any legal, accounting, contractual, or reporting requirements that apply to us, as well as for backup, archival, fraud prevention or detection or audit purposes. 

We maintain commercially reasonable security measures to protect the personal information we collect and store from loss, misuse, destruction, or unauthorized access. However, no security measure or modality of data transmission over the Internet is 100% secure. Although we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. 

Retention of IAS Information 

Sandwych retains Individually Identifiable Information collected through IAS only for as long as necessary to provide IAS or as required by applicable law. IAS-related Individually Identifiable Information is not retained for analytics, marketing, product development, or any purpose unrelated to the operations of IAS. Retention and deletion of IAS information follow TEFCA requirements, including audit logging and security obligations. 

Additional Privacy Information 

Data Transfer. For individuals located outside the United States (US), in particular in Switzerland, the United Kingdom (UK) and the European Economic Area (EEA), please note that we are based in the US and transfer information to the US for the purposes described in this Privacy Policy. If you use the Sites and Services, all information, including personal information, will be transferred to us in the US. The US may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. Your personal information can be subject to access requests from governments, courts, or law enforcement in the US according to the laws of the US. 

We do not market to or solicit customers from outside the US via the Sites and Services, therefore, users of the Sites and Services should not expect to avail themselves of the rights provided under the European Union’s General Data Protection Regulation (“GDPR”). 

If you access the Sites and Services from outside the United States, you are consenting to the transfer of your personal information from your location to the United States. Further, you acknowledge that our US-based Services are not subject to the GDPR or similar international privacy laws, and, therefore, you will be unable to claim the privacy rights provided in those laws. You are solely responsible for complying with all local laws, rules and regulations regarding online conduct and access to the Sites and Services. 

Collection of Data from Children. The Sites and Services are not directed to or intended for use by children under the age of 18. We do not knowingly collect, use, or disclose personal information from children under 18. 

California Shine the Light. California Civil Code Section 1798.83 permits our customers who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please email us or write to us at the addresses below. 

Accessibility. We are committed to ensuring this Privacy and Security Notice is accessible to individuals with disabilities. If you wish to access this Privacy and Security Notice in an alternative format, please contact us as described below. 

How to Contact Us. Sandwych maintains a process for documenting privacy‑related complaints, including our responses and final disposition, in accordance with IAS requirements. You can call us at (409) 207-0368 or email us at hello@sandwych.com