Privacy Policy

Ex 360 is operated by Existential Inc. (“Ex 360,” “we,” “us,” or “our”). We care deeply about your privacy and have designed this Privacy Policy to explain, in plain language, what information we collect about you, how we use it, who we share it with, and the rights and choices you have.

This policy applies to information we collect through our website at ex360.org, our forthcoming telehealth platform, mobile applications, and any related services that link to this policy (together, the “Services”).

1. About this policy and our pre-launch status

Ex 360 is currently in a pre-launch phase. The Services available today are limited to this website, an early-access waitlist, and direct communications with our team. We do not yet provide medical consultations, store patient health records, or process payments. This policy describes both what happens today and what will happen when the full telehealth Services become available.

When we begin providing healthcare services, additional notices — including our HIPAA Notice of Privacy Practices (summarized in Section 5 below) — will apply to your protected health information (“PHI”).

2. Information we collect

We collect information in three ways: information you give us directly, information we collect automatically when you interact with the Services, and information we receive from third parties acting on your behalf.

Information you give us directly

• Waitlist information. When you request early access, we collect your name, email address, the role you indicated (patient or medical professional), and — if you indicated you are a medical professional — your medical specialty.
• Contact information. When you contact us through our contact form or by email, we collect your name, email address, and the contents of your message.
• Account information (once Services launch). When you create an account, we will collect identifiers such as your full name, date of birth, mailing address, phone number, and password, along with any other information you choose to provide.
• Health and clinical information (once Services launch). To provide consultations and coordinate care, we will collect health-related information you share with us or your provider: symptoms, conditions, medications, allergies, vaccination history, family history, lifestyle factors, vital signs, lab results, and any other clinical information shared in the course of care. This information is PHI and is protected under HIPAA.
• Payment information (once Services launch). When you pay for a consultation or service, our payment processor will collect your card or bank details. We do not store full payment card numbers on our own systems.
• Communications. Records of messages, calls, and consultations conducted through the Services, including content, recordings (with notice and where clinically appropriate), and metadata.

Information we collect automatically

• Device and connection information. Your IP address, browser type and version, operating system, device identifiers, language settings, and the pages you view on the Services.
• Cookies and similar technologies. Small data files we (or our processors) store on your device to operate the Services, remember preferences, keep you signed in, and — once we add analytics — understand how the Services are used. You can control cookies through your browser settings. See Section 7 for more.

Information from third parties

With your consent, we may receive information about you from your existing healthcare providers, insurance plans, pharmacies, laboratories, or other parties to help your care team treat you. We may also receive limited information from authentication providers if you sign in using a third-party account.

3. How we use information

We use the information we collect to:

• Operate, maintain, and improve the Services;
• Manage the early-access waitlist and notify you when the Services become available;
• Respond to your inquiries, support requests, and feedback;
• Facilitate consultations, coordinate care, and communicate with you and your providers about your health (once Services launch);
• Process payments, handle billing, and prevent fraud (once Services launch);
• Send transactional messages (appointment reminders, account notifications, service updates) and, only where permitted, marketing communications you can opt out of at any time;
• Detect, investigate, and prevent abuse, security incidents, and violations of our terms;
• Comply with applicable laws, regulations, and legal process;
• Conduct internal research and analytics in a way that, where feasible, uses aggregated or de-identified information.

4. Legal bases for processing (EU / UK users)

If you are located in the European Union, European Economic Area, or United Kingdom, we process your personal data under one or more of the following legal bases under the GDPR or UK GDPR: your consent, the performance of a contract with you, our legitimate interests (in operating, securing, and improving the Services), and compliance with legal obligations. Where we process special-category data such as health information, we will rely on your explicit consent or another legally available ground, such as the provision of healthcare.

5. HIPAA and your protected health information

Once the Services launch, Ex 360 will function as a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) with respect to the PHI we collect, use, and disclose. The following summarizes the Notice of Privacy Practices that will govern that information; we will provide a full Notice at the time you create an account.

How we may use and disclose your PHI

We may use and disclose your PHI for treatment (to provide and coordinate your care, including sharing with your treating providers, pharmacies, and laboratories), payment (to obtain reimbursement and handle billing), and health care operations(such as quality assessment, credentialing, and care management). We may also use or disclose PHI when required by law, for public health activities, to avert a serious threat to health or safety, or in connection with certain workers' compensation or government health programs. Other uses and disclosures will require your written authorization, which you may revoke at any time.

Your rights with respect to PHI

• Inspect and obtain a copy of your PHI;
• Request that we amend information you believe is incorrect or incomplete;
• Request an accounting of certain disclosures we have made of your PHI;
• Request restrictions on certain uses and disclosures;
• Request that we communicate with you about your PHI by alternative means or at an alternative location;
• Receive a paper copy of our full Notice of Privacy Practices upon request, even if you have agreed to receive it electronically;
• Be notified following a breach of unsecured PHI, as required by law.

To exercise any of these rights, email privacy@ex360.org. If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.

We will never sell your health data.

6. How we share information

We share information only as described below. We do not sell personal information, and we do not sell or share health information for cross-context behavioral advertising.

• With your treating providers — including independently licensed healthcare professionals, pharmacies, laboratories, and other care partners who need the information to treat you.
• With service providers and processors — vendors who help us operate the Services, including hosting, infrastructure, payment processing, identity verification, communications, analytics, customer support, and (during pre-launch) waitlist management. These vendors are contractually required to handle your information only on our instructions and, where they handle PHI, to comply with HIPAA under a Business Associate Agreement.
• For legal, safety, and security reasons — when required by law, subpoena, or court order; to enforce our terms; to protect the rights, property, or safety of Ex 360, our users, or others; or in the event of a credible threat of harm.
• In connection with a business transaction — if Ex 360 (or substantially all of its assets) is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale, your information may be transferred to the successor entity, subject to the protections of this policy.
• With your consent — when you have asked us to or directed us to share your information.

7. Cookies and tracking

Today, the Services use a minimal set of cookies needed to operate the site and to provide bot-protection on our forms. We do not use advertising cookies, and we do not permit third-party advertising networks to track you across the Services.

When we add analytics in the future, we will choose providers configured for privacy (for example, IP-address anonymization and short retention periods), document them here, and, where required by law, ask for your consent before activating them.

8. Data retention and deletion

We retain personal information only as long as we need it for the purposes described in this policy, subject to legal, regulatory, accounting, and reporting obligations. Some specifics:

• Waitlist data is retained until we launch and have notified you, or for up to twenty-four months from the date of submission, whichever comes first, unless you ask us to delete it sooner.
• Contact-form messages are retained for as long as needed to respond to and follow up on your inquiry, and then for up to twenty-four months for our records.
• Medical records and PHI (once Services launch) are retained in accordance with applicable state-law minimum-retention requirements for medical records, and only for as long as needed thereafter for continued care, legal compliance, billing, and audit.

You may request deletion of your information at any time by emailing privacy@ex360.org. We will honor your request unless retention is required by law (for example, mandatory medical-record retention).

9. Your privacy rights and choices

Depending on where you live, you may have additional rights with respect to your personal information. We honor the rights of all our users to the fullest extent required by applicable law, including:

• The right to access the personal information we hold about you and receive a copy in a portable format;
• The right to correct inaccurate or incomplete information;
• The right to delete your personal information, subject to legal exceptions;
• The right to opt out of marketing communications at any time by following the unsubscribe instructions in any message or by emailing us;
• The right to opt out of “sale” or “sharing” of your personal information (California Consumer Privacy Act). We do not sell or share personal information as those terms are defined under the CCPA;
• The right to non-discrimination for exercising your privacy rights;
• The right to lodge a complaint with your local data-protection authority (for EU / UK / Swiss residents) or with the U.S. Department of Health and Human Services Office for Civil Rights (for HIPAA-related complaints).

To exercise any of these rights, email privacy@ex360.org. We will respond within the time periods required by applicable law. We may ask you to verify your identity before fulfilling certain requests.

10. How we protect your information

We use administrative, technical, and physical safeguards designed to protect your information, including encryption of data in transit using TLS, encryption of data at rest, role-based access controls, audit logging, regular security reviews of our code and infrastructure, and training of personnel who handle personal information.

No system can be guaranteed perfectly secure. If we ever learn of a security incident affecting your information, we will notify you and any relevant regulators as required by law, and we will work quickly to investigate, contain, and remediate the issue.

11. Children's privacy

The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from anyone under 13. If you are between 13 and 17 years old, you may only use the Services with the involvement and consent of a parent or guardian once the Services launch. If you believe we have collected information from a child under 13, please email us at privacy@ex360.org and we will delete it.

12. International users and data transfers

Ex 360 is operated from the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where we or our service providers operate. These countries may have data-protection laws different from those in your country.

Where required, we use appropriate safeguards for international transfers, including Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum.

13. Third-party links and services

The Services may contain links to websites or services we do not control. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to the Services, our practices, or applicable law. When we make material changes, we will post the updated policy on this page, revise the “Last updated” date at the top, and — where required — notify you by email or through the Services. Your continued use of the Services after the effective date of any updated policy means you accept the updated terms.

15. How to contact us

If you have any questions about this Privacy Policy or our privacy practices, please contact our privacy team:

Existential Inc.
Attn: Privacy Team
Email: privacy@ex360.org
Mailing address: pending

For HIPAA-related complaints, you may also contact the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr.