Privacy & Security Notice

Your privacy is important to Sandwych, Inc. (“Sandwych,” “we,” “our,” or “us”). This Notice describes how Sandwych collects, uses, stores, discloses, and processes your personal information when you access or use Sandwych products and services, including https://www.sandwych.com, related websites, mobile applications (“Sites”), and other offerings (collectively, the “Services”).

Sandwych also provides Individual Access Services (“IAS”) under the Trusted Exchange Framework and Common Agreement (“TEFCA”). When you request or receive your health information through TEFCA Exchange, this Notice explains how Sandwych protects, uses, and discloses Individually Identifiable Information specific to IAS.

By using our Sites, Services, or IAS features, you acknowledge and agree to this Privacy & Security Notice and provide your express documented consent as required under TEFCA. Sandwych provides this Notice before your first use of IAS and makes it publicly available on our website and within our user-facing applications where IAS features are offered.

Sandwych will proactively notify Individuals of any Material Change to this Notice, highlight the changes so they are easy to identify, and provide updated versions consistent with your communication preferences. Sandwych bears the burden of proving that a change was not material.

Information We Collect from You

Personal Information We Collect About You from Other Sources

We may periodically obtain personal information about you from affiliated entities, partners, and other third-party sources. For example, we may receive information about your interaction with advertisements on third-party websites, including updated postal addresses and demographic information. We may also authorize third-party vendors to collect information on our behalf as necessary to operate features of the Sites and Services, facilitate the delivery of orders, or provide online advertising tailored to your interests.

Personal Information as You Navigate Our Sites

We automatically collect certain personal information through your use of our Sites and our use of cookies and other tracking technologies. This may include:

• Usage Information: Pages accessed, frequency of access, and interactions.
• Device Information: Hardware model, operating system, browser, and application version.
• Mobile Device Information: Device type, carrier, and aggregated mobile usage data.
• Location Information: City/regional-level location signals.

Information Collected When You Use IAS

When you use Sandwych’s Individual Access Services (“IAS”), we collect and maintain Individually Identifiable Information necessary to verify your identity, retrieve your health information through TEFCA Exchange, and operate IAS. This may include:

• Identity proofing information, such as government-issued identification, liveness checks, or other verification data.
• Clinical information returned through TEFCA Exchange in response to your request.

IAS-specific information is not collected through cookies or tracking technologies and is handled in accordance with TEFCA requirements and this Privacy & Security Notice.

Cookies and Tracking Technologies

We use cookies and other tracking technologies (“Cookies”) to estimate audience size, understand preferences, track advertisements, analyze site interactions, and recognize returning visitors. Cookies may be set by us or by third-party providers such as Google, Hotjar, and FullStory.

You may block Cookies through your browser settings; however, blocking all Cookies may limit your ability to use certain features of the Sites. The Sites are not designed to recognize or respond to “do not track” signals.

Opt-Out Resources

• https://adssettings.google.com
• https://www.networkadvertising.org/choices
• https://optout.aboutads.info

Google Analytics

We use Google Analytics to analyze user interactions. Information collected may include IP address, time of visit, referring website, and whether you are a returning visitor. Learn more at https://policies.google.com/technologies/partner-sites.

Hotjar

Hotjar helps us understand user behavior. More information is available at https://www.hotjar.com/privacy.

FullStory

FullStory provides session analytics. See their privacy policy at https://www.fullstory.com/legal/privacy.

HIPAA Protected Health Information

Some personal information collected through the Sites and Services may be protected health information (“PHI”) under HIPAA. Where applicable, our handling of PHI will comply with your health plan’s or provider’s Notice of Privacy Practices.

How We Use Your Information

We process your personal information with your consent or as needed to provide you with our Sites and Services. We may also use your personal information to comply with legal obligations, operate our business, protect vital interests, or pursue other legitimate interests.

Use of Information for IAS

When providing IAS, Sandwych may access, use, exchange, or disclose your Individually Identifiable Information only for:

• Providing IAS and retrieving your health information
• Operating and improving IAS
• Complying with TEFCA permitted and required uses
• Complying with applicable law
• Collecting fees you owe (if applicable)

Sandwych will not use your Individually Identifiable Information to assert any claim against you, except for the collection of fees.

Use of Information for General Sites and Services

We may use your personal information (other than IAS-restricted Individually Identifiable Information) to optimize and improve the Sites and Services, personalize your experience, improve customer service, process transactions, send communications, protect security, investigate fraud, comply with legal obligations, and more.

TEFCA-Required Disclosures

Sandwych complies with all TEFCA disclosure obligations, including encryption, compulsory legal demand notifications, law enforcement notifications, and permitted/required uses.

Your Rights Under IAS

As an IAS user, you have the right to:

• Request deletion of all IAS-related Individually Identifiable Information
• Access all IAS-related information Sandwych maintains
• Receive an export of your information in a machine-readable format
• Be notified of IAS Incidents
• Control disclosures to TEFCA Participants

Bidirectional IAS Provider

Sandwych provides bidirectional IAS services, allowing you to request access to your health information and choose to share it with other TEFCA Participants.

Consent Requirements

Sandwych will obtain express, documented, and informed consent before providing IAS. Your consent authorizes identity verification, retrieval of your health information, disclosures you choose to authorize, and maintenance of IAS-related information.

No Sale of Individually Identifiable Information

Sandwych does not sell IAS-related Individually Identifiable Information or use it for targeted advertising.

Revoking Consent

You may revoke your consent at any time. Revocation ends your ability to use IAS but does not affect actions taken before revocation.

IAS Incident Notification

If your information is affected by an IAS Incident, Sandwych will notify you with details, steps to take, and mitigation actions.

Fees for IAS

Sandwych may charge fees for certain IAS features and will provide clear advance notice of any fees.

How We Share Your Information

We share your information with partners, service providers, contractors, agents, and third-party vendors as needed to provide the Sites and Services. We may also share information in response to legal process, to investigate illegal activities, to protect rights and safety, in corporate transactions, or with your consent.

Sharing Related to IAS

IAS-related sharing is strictly limited to TEFCA-permitted disclosures, including retrieving your health information, disclosures you authorize, required legal notifications, and operational needs.

Aggregated and De-Identified Information

Sandwych may de-identify IAS information and use or share aggregated data for analytics, research, or product improvement.

How We Store and Secure Your Information

We retain your information as long as necessary for the purposes outlined in this Notice and maintain commercially reasonable security measures. No method of transmission is 100% secure.

Retention of IAS Information

IAS-related information is retained only as long as necessary to provide IAS or as required by law.

Additional Privacy Information

Data Transfer

If you access the Sites from outside the United States, you consent to the transfer of your personal information to the United States. Our Services are not subject to GDPR or similar international privacy laws.

Collection of Data from Children

The Sites and Services are not directed to children under 18, and we do not knowingly collect personal information from children.

California Shine the Light

California residents may request information regarding our disclosure of personal information to third parties for direct marketing purposes.

Accessibility

If you need this Privacy & Security Notice in an alternative format, please contact us.

How to Contact Us

You can call us at (409) 207-0368 or email us at hello@sandwych.com.