Privacy Policy

Prescience, Inc. ("Prescience," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website, use our platform, or otherwise interact with our services related to health benefits administration and related financial services.

This policy applies to employers, brokers, plan administrators, and individuals whose information we process in connection with our services. It does not apply to third-party websites or services that we do not control.

We may collect the following categories of information:

• Contact and account information — name, email address, phone number, company name, job title, and login credentials.
• Employer and benefits data — workforce information, plan enrollment details, claims summaries, and other data necessary to administer or support self-funded health benefit programs.
• Protected health information (PHI) — where we act as a business associate or service provider, health information subject to HIPAA and applicable state privacy laws.
• Financial and payment information — billing details and transaction records processed through our banking and payment partners.
• Technical and usage data — IP address, browser type, device identifiers, pages viewed, and similar analytics collected through cookies and similar technologies.

We use collected information to:

• Provide, operate, and improve our platform and services;
• Administer health benefit programs and process related transactions;
• Communicate with you about your account, support requests, and product updates;
• Comply with legal obligations and enforce our agreements;
• Detect, prevent, and address fraud, security incidents, and technical issues; and
• Analyze usage trends to improve user experience and product performance.

We do not sell your personal information. We may share information with:

• Service providers — vendors who assist with hosting, analytics, customer support, payment processing, and benefits administration, under contractual confidentiality and security obligations.
• Banking and financial partners — institutions that provide banking, payment, or card services on our behalf.
• Professional advisors — lawyers, auditors, and insurers as needed.
• Legal and safety — when required by law, regulation, legal process, or to protect rights, safety, and security.
• Business transfers — in connection with a merger, acquisition, or sale of assets, subject to appropriate safeguards.

We retain information for as long as necessary to provide services, meet legal and contractual obligations, and resolve disputes. We implement administrative, technical, and physical safeguards designed to protect information, including encryption in transit, access controls, and monitoring. No method of transmission or storage is completely secure.

Prescience operates a security and compliance program informed by the SOC 2 Trust Services Criteria. Our controls are designed to protect customer data through documented policies and procedures covering security, availability, confidentiality, vendor oversight, access management, change management, incident response, and ongoing monitoring. We assess and refine these practices through internal risk reviews, workforce training, and regular testing of our technical and administrative safeguards.

Alignment with the SOC 2 framework does not mean we have completed a SOC 2 Type I or Type II examination or received an independent attestation. We do not claim certification or audit status unless we expressly state otherwise in writing. Customers and prospective customers may request additional information about our security program under appropriate confidentiality terms.

Prescience is committed to protecting the privacy and security of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and applicable state laws.

When we create, receive, maintain, or transmit PHI on behalf of covered entities or other business associates, we do so subject to appropriate Business Associate Agreements (BAAs) and administrative, physical, and technical safeguards.

Depending on the services provided, Prescience may act as a business associate to a covered entity, such as an employer-sponsored health plan, or as a subcontractor to another business associate. Our specific obligations are defined in the applicable BAA with each customer.

• Covered entities — health plans, healthcare clearinghouses, and certain healthcare providers that transmit health information electronically.
• Business associates — persons or entities that perform functions or activities involving PHI on behalf of a covered entity.
• Subcontractors — entities to whom a business associate delegates functions involving PHI, who must agree to the same restrictions and safeguards.

We maintain a comprehensive security program designed to protect PHI, including:

• Administrative safeguards — security risk assessments, workforce training, access management policies, incident response procedures, and vendor management.
• Physical safeguards — facility access controls and secure disposal of media containing PHI.
• Technical safeguards — encryption in transit, access controls, authentication, audit logging, and regular security testing.

Our platform is designed to support HIPAA compliance in addition to the SOC 2-aligned security controls described above.

We use and disclose PHI only as permitted or required by our BAAs and applicable law, including:

• To perform services for our customers under a BAA;
• For our proper management and administration, subject to appropriate protections;
• To report violations of law to appropriate authorities as required; and
• As otherwise authorized in writing by the covered entity or individual.

We do not use PHI for marketing purposes or sell PHI without appropriate authorization.

In the event of a breach of unsecured PHI, we will notify affected customers without unreasonable delay and in accordance with the timing and content requirements of HIPAA and our BAAs. We will cooperate with customers in investigating and mitigating incidents.

Requests from individuals to access, amend, or receive an accounting of disclosures of their PHI should generally be directed to the covered entity, such as the employer or health plan. Prescience will assist our customers in fulfilling such requests as required by our BAAs.

We may engage subprocessors to support our services. Subprocessors that handle PHI are bound by agreements requiring HIPAA-compliant safeguards substantially similar to those in our BAAs.

Depending on your location and relationship with us, you may have rights to access, correct, delete, or restrict certain processing of your personal information. California residents may have additional rights under the CCPA/CPRA. To exercise rights, contact us at privacy@getprescience.com. We will respond in accordance with applicable law.

You may opt out of marketing emails by using the unsubscribe link in our messages. You may manage cookie preferences through your browser settings.

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children.

We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated "Last updated" date. Material changes may be communicated through email or a notice on our platform.

Questions about this Privacy Policy may be directed to Prescience, Inc. at privacy@getprescience.com or info@getprescience.com.