Privacy Policy

AskMD Privacy Policy

This Privacy Policy (or "Privacy Policy") explains the collection and use of personally identifiable information by Sharecare in connection with its AskMD® services (the "Services"). Sharecare is a U.S.-based corporation, organized under the laws of the State of Delaware, and is headquartered at 255 East Paces Ferry Road NE, Suite 700, Atlanta, Georgia, 30305. Our privacy department can be reached by emailing privacy@sharecare.com.

What Information We Collect

"Personal information" means information that identifies, relates to, or could reasonably be linked with a particular consumer or household. It does not include data where your identity has been removed and is incapable of reidentification (i.e. deidentified data). If applicable to your use of our services, we may collect, store, and use the following categories of personal information about you:

Protected Health Information ("PHI") is your Personal Information that is protected under the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Sharecare may offer certain Services to you based on your relationship with employer health plans, healthcare providers, governmental insurers, or other entities (each an "Enterprise Organization") with which Sharecare has a contract to provide services ("Enterprise Programs"). If such Enterprise Organizations are Covered Entities as defined by HIPAA, Sharecare must comply with HIPAA in connection with the corresponding Enterprise Program. PHI is considered a subset of Personal Information.

Health Information that is Not PHI. If you are engaging with AskMD as a consumer, i.e. not as a member or patient of a Covered Entity as defined by HIPAA, we may collect health-related information such as your health conditions, symptoms, measurements (e.g. height, weight), diagnoses, treatments, and other similar information as would be typical of one’s personal health history. We may also collect information related to health topics you are researching on our sites, which or may or may not be indicative of your own health-related information. We may also collect information identifying your attempts to seek healthcare services (including, in limited cases and only with your express consent via your device, specific location information) through your use of provider-search or similar tools. Identifiable health information is considered a subset of Personal Information.

How We Collect Information About You

We collect information in the following ways:

• Information You Give Us Upon Registration. Some of our Services require you to sign up for an account. When you do, we’ll ask for Personal Information like your name, date of birth, email address, telephone number, and/or member number.
• Information from Your Health Plan or Health Provider with which Sharecare has a Contract. When you are eligible to participate in an Enterprise Program, an Enterprise Organization may provide us with Personal Information (potentially including PHI) such as your name, date of birth, gender, mailing address, health coverage details, and member number, among other things. In connection with certain services, we may receive claims and other health-specific information from your health plan and/or its carriers. We use this information to provide services to you on behalf of the Enterprise Organization.
• Information You Authorize Us to Receive from Your Health Plan or Health Provider with which Sharecare Does Not Have a Contract. Depending on your use of our Services, you may choose to retrieve health information from other sources to improve your AskMD experience, using third-party tools which require your authentication (e.g. Flexpa). These services use patient access APIs to pull information from participating health plans and providers and will only provide us with data to the extent you authorize the data transfer within their portal. Please know that health information which may be PHI when held by the health plan or provider, may not remain PHI once you’ve authorized its release; while such information may no longer be governed by HIPAA, it may be governed by state privacy laws depending on your state of residence. In any event, it will be governed by this Privacy Policy.
• Information from Other Sources. We may obtain information about you from other third parties to improve the Services. We may combine the information we obtain from third parties with information that we have collected about you. Sharecare is not responsible for inaccurate or incomplete information received from third parties.
• Information We Get from Your Use of Services. We may collect information about the Services that you use and how you use them. This information includes:
  • Information You Provide. We may collect information provided by you while using our Services. For example, your engagement with the AskMD AI chatbot results in our collection of the information you provide in the chat.
  • Computer, Tablet, or Mobile Telephone information. We may collect device-specific information such as your hardware model, operating system version, unique device identifiers, device sensors and mobile network information including phone number. Sharecare may associate your device identifiers or phone number with your account. We will comply with the usage/license restrictions and requirements applicable to the device from which the information comes.
  • Log Information. When you use our Services or view content provided by Sharecare, we may automatically collect and store certain information in server logs. This may include:
    • details of how you used our service;
    • Internet protocol address;
    • device event information such as crashes, system activity, hardware settings; browser type, browser language, the date and time of your request and referral URL; and
    • cookies that may uniquely identify your browser or your account.
  • Location Information. The large majority of Services do not depend on your location; however, some Services are location-enabled. When you use a location-enabled Sharecare service, we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.
  • Unique Application Numbers. Certain Services include a unique application number. This number and information about your installation (for example, the operating system type and application version number) may be sent to Sharecare when you install or uninstall that service or when that service periodically contacts our servers, such as for automatic updates.
  • Local Storage. We may collect and store information (including Personal Information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.
  • Cookies and Anonymous Identifiers. We use various technologies to collect and store information when you visit a Sharecare service, and this may include sending one or more cookies, pixels, tags or other anonymous identifiers to your device, pursuant to our Cookie Policy. We also use cookies and anonymous identifiers when you interact with Services we offer to our partners, such as Sharecare features that may appear on other sites.

How We Use Your Information

We may use or disclose the personal information we collect for one or more of the following business and commercial purposes:

• To provide you with information, products or services that you request from us.
• To provide you with email alerts, event registrations and other notices concerning our products or services that may be of interest to you. You will have the option to unsubscribe.
• To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
• To improve our website and present its contents to you.
• For testing, research (e.g. population statistical analysis and well-being trend information), analytics and product development, including training our artificial intelligence models.
• As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
• To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations. We will always do what is in our power to respect your privacy with respect to government and court-related requests.
• To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
• In some circumstances, we may also personalize your experience on our sites and third-party sites by showing you advertisements from Sharecare or our advertising partners that are tailored to your interests. Use our privacy webform and our cookie consent tools to opt out of advertising to the extent it is applicable to you. Because the information provided by you in the course of using such products could be deemed sensitive health information, this use is a use you may specifically opt out of using the "Limit the Use of My Sensitive Information" button in the privacy webform.

How We Protect Your Information

We work hard to protect Sharecare and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. Sharecare is committed to using industry-leading security practices such as ISO27001 and HITRUST. In particular:

• We comply with HIPAA’s security rule, where applicable.
• Replication or export is technically restricted through network segmentation, IAM policies, and encryption controls.
• We review our information collection and storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
• We restrict access to Personal Information to Sharecare employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

We keep Personal Information housed on servers in the United States. If you are located outside of the United States, information we collect is processed and stored in the United States. By using the Services and providing information to us, you consent to the transfer to and processing of the information in the United States, which currently lacks an adequacy decision with the European Commission.

Disclosure of Personal Information

Sharecare may disclose your personal information in the following circumstances:

• We may, from time to time, outsource some or all of the operations of our business to third-party service providers. In such cases, it may be necessary for us to disclose your data to those service providers. In some cases, the service providers may collect data directly from you on our behalf. We restrict how such service providers may access, use and disclose your data. You may view our current list of service providers here.
• As we continue to develop our business, we might sell or buy companies, subsidiaries, or business units. In such transactions, data generally is one of the transferred business assets but remains subject to the promises made in any pre-existing privacy statement (unless, of course, the person consents otherwise).
• We release data when we believe release is appropriate to comply with the law or a court order; prevent fraud; enforce or apply our policies and other agreements; or protect the rights, property, or safety of Sharecare, our clients, or others.
• Please be advised that Sharecare does not sell, and has not sold personal information in the last twelve (12) months. For purposes of this policy, sold means the disclosure of Personal Information to a third-party for monetary or other valuable consideration. Likewise, Sharecare does not have any future plans to sell personal information. As discussed above, Sharecare has advertising arrangements with certain third-party advertisers, but these arrangements do not involve personal data being sold to or shared with advertisers. Under these arrangements, Sharecare administers the ad-targeting through our own service providers (including but not limited to LiveRamp) without selling or sharing personal information with our clients or other third parties. Nonetheless, we offer the ability to opt out of sharing or selling personal information (see “PRIVACY REQUESTS AND CHOICES” below) for users who want to opt out of these arrangements, to the extent they are applicable.
• To the extent third-party advertisers placing cookies, pixels, and similar technologies on Sharecare’s websites through a third-party ad network (sometimes known as a ‘supply-side platform’) is deemed “sharing” our visitors’ personal information with such third parties under applicable law, Sharecare has shared such information in the last twelve (12) months where visitors to our websites have affirmatively opted into targeting cookies. The only information available to such third parties is comprised of anonymized identifiers used by such third parties to track the visitor’s browsing activity. These downstream entities may resell or reshare such information for the purpose of delivering ads tailored to your interests. View the companies which have signed the IAB Multi-State Privacy Agreement here.
• We do not knowingly collect or solicit personal information from minors under the age of 16. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at privacy@sharecare.com.

Legal Grounds for Processing

We rely on the following legal grounds to process your Personal Information:

• Consent. We may use your Personal Information as described in this Privacy Policy based on your consent. To withdraw your consent for any uses of Personal Information described above, please review the section below titled “Privacy Requests and Choices” or contact us at privacy@sharecare.com.
• Performance of Services. We may need to collect and use your Personal Information to enter into and perform under an agreement with you or an organization of which you are a part.
• Legitimate Interests. We may use your Personal Information for our legitimate interests, including but not limited to provide our Services and to improve our Services and the content on our sites.

Access to Personal Information We Collect

You can ask to see the personal information that we hold about you. If you want to review, verify or correct your personal information, please go to our request form or submit a request via email to privacy@sharecare.com.

When requesting access to your personal information, please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal information that we hold about you. If you hold an account with us, you may be asked to reauthenticate to before receiving a copy of your personal information. If you do not hold an account with us, you may be asked to provide a driver’s license and/or a signed declaration before receiving a copy of your personal information. You may designate an authorized agent to request information on your behalf, provided that the authorized agent complies with our verification procedures to ensure your permission has been obtained.

Your right to access the personal information that we hold about you is not absolute. There are instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal information that we hold about you. In addition, the personal information may have been destroyed, erased or made anonymous. In the event that we cannot provide you with access to your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

Correction of Collected Personal Information

We endeavor to ensure that personal information in our possession is accurate, current and complete. If an individual believes that the personal information about him or her is incorrect, incomplete or outdated, he or she may request the revision or correction of that information. We reserve the right not to change any personal information we consider is accurate.

If it is determined that personal information is inaccurate, incomplete or outdated, we will use reasonable efforts to revise it and, if necessary, use reasonable efforts to inform agents, service providers or other third parties, which were provided with inaccurate information, so records in their possession may be corrected or updated.

Retention and Deletion of Collected Information

Except as otherwise permitted or required by applicable law or regulatory requirements, we will retain your personal information only for as long as we believe it is necessary to fulfill the purposes for which the personal information was collected (including, for the purpose of meeting any legal, accounting or other reporting requirements or obligations). Where there is no legal, fiscal, administrative, or contractual requirement to retain information for a longer or shorter period, information will be destroyed within five (5) years of its collection.

You may request that we delete the personal information about you that we hold. There are instances where applicable law or regulatory requirements allow or require us to refuse to delete this personal information. If we cannot delete your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions. We may require that you verify your identity, either through reentering your username and password (if applicable, for self-service features) or through email confirmation, before we delete your personal information.

Privacy Requests and Choices

Please submit requests to access, delete, or correct your personal information, to limit the use of your sensitive information, or to opt out of any potential sales or sharing of your personal information, using our privacy webform.

In certain circumstances you may have provided express consent in connection with your providing certain personal information to us of for a specific use of your personal information. Please submit requests to withdraw your consent to privacy@sharecare.com.

If you use the Global Privacy Control through your browser or operating system, and you are visiting our websites, we will receive that signal and treat it as a valid request to opt out of the sale or sharing of your personal information, to the extent the signal conveys sufficient information for us to treat it as such.

International Jurisdictions

You may choose to use our services if you reside outside of the U.S. We comply with any applicable laws and regulations based on the geographical location you select during your registration. Other jurisdictions, including but not limited to the European Economic Area (“EEA”), provide certain rights regarding Personal Information. Nothing in this Privacy Policy limits or attempts to limit your rights under applicable laws, including your ability, depending on your country of residence, to file a complaint with your local Data Protection Authority.

It is necessary for us to perform our obligations in accordance with any contract or engagement that we may have with you. It is in our legitimate interest or a third party’s legitimate interest to use Personal Information in such a way to ensure that we provide the Services in the best way that we can.

Sharecare is located in the United States. When you submit Personal Information to us, or when others provide Personal Information to us, we will receive it and process it in the United States.

As detailed above, we sometimes provide Personal Information to third parties to perform services. If we transfer Personal Information received from the EEA to a third party, the third party’s access, use, and disclosure of the Personal Information must also be in compliance with our Data Processing Addendum, including but not limited to the Standard Contractual Clauses contained therein.

Without limiting any other rights contained in this Privacy Policy, privacy rights under European Data Protection law, which may be exercised by all users, include:

• Transparency and the right to information. Through this policy we explain how we use and share your Personal Information. However, if you have questions or need additional information you can contact us any time.
• Right of access, restriction of processing, erasure. See the above sections of this Privacy Policy dealing with such rights.
• Right to withdraw your consent at any time. See the above section of this Privacy Policy dealing with such right.
• Right to object at any time. You have the right to object at any time to receiving marketing or promotional materials from us by either following the opt-out instructions in commercial e-mails or by contacting us, as well as the right to object to any processing of your Personal Information based on your specific situation.
• Right to data portability. You have the right to data portability of your own personal data by contacting us.
• Right not to be subject to an automated decision, including profiling. We do not make automated decisions using your personal data that may negatively impact you.
• Right to lodge a complaint with the competent Personal Data supervisory authority, if you believe that the processing of your Personal Information does not comply with legal requirements.

If you reside or otherwise find yourself outside of the U.S., we are committed to facilitating the exercise of your rights granted by the European Data Protection law and/or the laws of your country. If you have any inquiries or complaints about our handling of your Personal Information or about our privacy practices generally, please contact us (including our Data Protection Officer) at: privacy@sharecare.com. We will respond to your inquiry promptly.

Our EEA representative is Sharecare Digital Health International Limited, 88 Harcourt Street, Dublin 2 D02 DK18.

Resolving Concerns

If you have questions or concerns regarding the handling of your personal information, or want to report concerns or complaints, including information about potential data breaches involving personal information to the Legal Department, please contact privacy@sharecare.com. If you have questions or do not fully understand this notice, please contact Sharecare’s Privacy and Data Protection Officer by phone at 1-800-619-8949 or by email at privacy@sharecare.com.

When This Privacy Policy Applies

This Privacy Policy applies specifically to users of our AskMD® platform. For more general information on Sharecare’s privacy practices, including the Sharecare Digital Platform and other services, please see our general privacy policy.

Changes to This Privacy Policy

This Privacy Policy is reviewed periodically to ensure it accurately captures all types of data collected or any additional or different processing of such data. We may, therefore, change this Privacy Policy at any time. We will alert you to any change that materially impacts your privacy. The effective date of each version of this Privacy Policy is listed below.

Non-Discrimination

We will not discriminate against you for exercising any of your rights. Except as may be permitted by applicable law, we will not take any of the following actions in response to your exercising your privacy rights:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Effective Date: 04/28/2026