Privacy Policy

Last Modified: March 27, 2026

Expion Health LP and its subsidiaries and affiliates (“Expion Health,” “Company,” “we,” “us,” or “our”) respect your privacy and are committed to protecting it through the practices described in this Website Privacy Notice.

This Website Privacy Notice describes how we collect, use, protect, and disclose personal data when you visit Expion Health’s public website or other Company-controlled digital properties that link to this notice (collectively, the “Website”).

By accessing or using this Website, you acknowledge the terms of this notice.

Scope (Website Only)

This Website Privacy Notice applies only to the collection and use of personal data through the Website (for example, through Website forms, cookies and similar technologies, and technical logs generated when you access the Website).

This notice does not apply to personal data processed in connection with Expion Health’s customer, client, vendor, or partner relationships, which are governed by separate written agreements (including confidentiality, data use, and data protection provisions in those contracts).

Third-Party Websites

The Website may contain links to third-party websites or services. We do not control those third parties and are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party websites you access through links on our Website.

Personal Data We Collect Through the Website

Expion Health collects limited categories of personal data through the Website, including:

  • Business Contact Information

Information that identifies you in a professional or business capacity, such as your name, email address, telephone number, job title, organization or company name, and the content of messages you submit through Website forms (including free-text fields).

  • Technical and Usage Information

Information automatically collected when you access or use the Website, such as internet protocol (IP) address; browser type and version; device type, operating system, and settings; time zone and approximate general location; pages visited, referring/exit pages, and general Website usage patterns; and date/time stamps and basic diagnostic logs.

  • Communications

Information you voluntarily provide when contacting us through Website inquiry forms, email links, or similar communications.

  • Aggregated or De-Identified Data

We may create aggregated or de-identified data derived from Website usage. Where we maintain data in de-identified or aggregated form, we will maintain and use it in that form and will not attempt to re-identify it, except as permitted by law (for example, to test whether de-identification processes are effective). We also require service providers who process such data on our behalf to follow contractual restrictions consistent with this commitment.

No PHI / Sensitive Data Through the Website

The Website is not designed to collect Protected Health Information (“PHI”), health plan member data, medical information, Social Security numbers or government IDs, payment card information, or other sensitive personal data.

Please do not submit PHI or sensitive personal data through Website forms or contact fields.

If You Submit PHI or Sensitive Personal Data

If you submit PHI or sensitive personal data through the Website (for example, in a free text field), Expion Health will treat it as not requested and will take reasonable steps, as appropriate and where feasible, to limit access to the information, remove or delete the information where feasible, and use it only to respond to your communication, address security concerns, comply with law, or otherwise handle it appropriately.

Collection, Use, and Sharing of Information

Expion Health collects limited data from you through the Website. Some information is provided directly by you when you use the Website or communicate with us, while other information may be collected automatically through your use of the Website and related technologies.

Information collected may be used for purposes such as operating and improving our Website, conducting Website analytics, protecting the security and integrity of the Website and our systems, responding to inquiries and communicating with you, complying with legal obligations, and other purposes consistent with this notice.

Expion Health does not sell personal data and does not use personal data collected through the Website for targeted advertising, cross-site behavioral tracking, or profiling.

Data Retention

We retain your personal data for as long as reasonably necessary for the purposes described in this notice, unless a longer retention period is required or permitted by applicable law.

Cookies, Pixels and Similar Technologies

We use cookies, pixels, web beacons, software development kits (SDKs), and similar tracking technologies (collectively, “Tracking Technologies”) to operate, maintain, and improve our Website.

What Are Cookies and Similar Technologies?

Cookies are small text files stored on your device when you visit a website. They help remember your preferences, enable core functionality, and support analytics.

Pixels / Web Beacons are small pieces of code embedded in webpages or emails that allow us to understand engagement, such as whether a page was viewed or an email was opened.

SDKs and Local Storage are technologies used within mobile or web applications to support functionality, performance monitoring, and analytics.

Third‑Party Technologies

Some Tracking Technologies may be provided by third‑party service providers that support analytics, security, or service delivery. These providers may collect information from your browser or device in connection with providing their services. We configure and use these tools for analytics and website performance purposes.

How We Use These Technologies

We use third-party Tracking Technologies such as Google Analytics and LinkedIn for the following purposes:

  • Strictly Necessary / Essential

To enable core functionality such as security, authentication, load balancing, and fraud prevention. These technologies are required for the Website to function properly.

  • Performance and Analytics

To understand how users interact with our Website, measure usage patterns, diagnose technical issues, and improve performance and user experience.

  • Functionality

To remember user preferences and settings (such as language or region) to provide a more personalized experience.

  • Communications and Engagement

To evaluate the effectiveness of our communications and content.

We do not use Tracking Technologies to collect sensitive personal data such as PHI, financial account numbers, or government identifiers. At this time, we do not use Tracking Technologies for targeted advertising or for sharing personal data for cross-context behavioral advertising.

Your Choices and Controls

You have several options to manage or limit cookies and similar technologies:

  • Browser Controls

Most browsers allow you to control cookies through their settings, including blocking or deleting cookies.

  • Consent Management

Where required by law, we provide mechanisms to accept or decline non-essential cookies.

  • Do Not Track / Global Privacy Control

Some browsers support signals that communicate your privacy preferences. While there is no universal standard, we honor such signals where legally required.

Please note that disabling certain cookies may impact the availability or functionality of the Website.

Your Rights and Choices (Website Data)

  • Unsubscribe From Non-Transactional Emails

If you receive non-transactional emails from us (for example, informational updates), you can opt out at any time by using the “unsubscribe” link in the email or by contacting us at [email protected] with “Unsubscribe” in the subject line.

  • Manage Cookies

You can manage cookies through your browser settings as described in this notice.

  • Submit a Privacy Request (Website Data Only)

Depending on applicable law and your circumstances, you may have the right to request access to personal data collected about you through the Website; correction of inaccurate Website-collected personal data; and deletion of Website-collected personal data, subject to legal exceptions and legitimate retention needs.

These rights apply only to personal data collected through the Website and do not apply to personal data processed under Expion Health’s contractual relationships, which are governed by separate agreements.

Submitting Privacy Requests (Website Data Only)

To submit a request regarding personal data collected through the Website, contact [email protected], with subject line “Website Privacy Request.”

Verification

To protect your information, we may need to verify your identity before responding. Verification steps may include confirming access to an email account, requesting additional information, or other reasonable measures depending on the nature of the request and the sensitivity of the data.

Response Timing

We will respond to applicable requests within the timeframes required by applicable law, and we may request additional time where permitted by law.

Authorized Agent

Where permitted or required by applicable law, you may designate an authorized agent to submit a request on your behalf. We may require proof of authorization and may still need to verify your identity directly.

Appeals (Where Required)

Where required by applicable law, you may have the right to appeal a decision we make regarding your request. If an appeal right applies, we will provide instructions in our response.

When We May Deny a Request

We may deny requests where permitted by law, including when we cannot verify your identity (or the agent’s authority), the request is outside the scope of Website-collected personal data, or an exemption applies (for example, maintaining data for security, fraud prevention, legal compliance, or to exercise or defend legal claims).

Data Security

Expion Health maintains reasonable administrative, technical, and physical safeguards designed to protect personal data collected through the Website against unauthorized access, disclosure, alteration, or destruction. These measures may include access controls, encryption in transit where appropriate, security monitoring, and vendor oversight.

However, no system can be guaranteed to be completely secure, and any transmission of information via the Website is at your own risk.

Children’s Privacy

The Website is not directed to children, and Expion Health does not knowingly collect personal data from individuals under 16 years of age.

Changes to This Notice

We may update this Website Privacy Notice from time to time. Updates will be posted on this page with a revised “Last Modified” date. Your continued use of the Website after changes become effective constitutes acceptance of the updated notice.

Privacy Questions or Comments

For questions, comments and requests regarding this Website Privacy Notice, please contact our Privacy Officer at Expion Health LP, 915 Meeting Street, Suite 1030, North Bethesda MD 20852 or email [email protected]. To help us respond, please include your name and contact information, a description of your request, and the webpage involved (if applicable). We will review and respond within a reasonable period, consistent with applicable law.

State Privacy Rights Addendum (Website Only)

This State Privacy Rights Addendum (“Addendum”) supplements the Expion Health Website Privacy Notice and applies only to personal data collected through Expion Health’s public Website. It does not apply to personal data processed under Expion Health’s customer, client, vendor, or partner agreements, which are governed by separate written contracts.

Applicability

Certain U.S. state privacy laws provide residents of those states with privacy rights. This Addendum describes rights that may be available to residents of such U.S. states, including (as applicable) California and other states with comprehensive privacy laws. This Addendum applies only to the extent such laws are applicable to Expion Health and to personal data collected through the Website.

Rights (Subject to Applicable Law)

Depending on your state of residence and applicable law, you may have the right to request access to personal data collected about you through the Website; request correction of inaccurate Website-collected personal data; request deletion of Website-collected personal data, subject to legal exceptions and retention needs; and opt out of certain processing where required by law. Depending on applicable law, you may also have the right to obtain a portable copy of certain personal data and to not be discriminated against for exercising your rights.

Expion Health does not sell personal data and does not use Website-collected personal data for targeted advertising as defined under applicable state privacy laws.

Submitting Requests; Verification; Appeals

Requests may be submitted to Expion Health LP, 915 Meeting Street, Suite 1030, North Bethesda MD 20852 or [email protected]. We may take steps to verify your identity before processing a request. We will respond within the timeframes required by applicable law. Where required by law, you may appeal a decision; instructions will be provided in our response if applicable.

Limitations

This Addendum does not create rights beyond those provided by applicable law. We may deny requests where permitted by law, including where we cannot verify identity, the request is outside Website-collected data, or an exemption applies.

information will be used, the choice affected individuals have regarding the use of that information, and the ability of affected individuals to correct that information. This Privacy Policy applies to all Personally Identifiable Information (PII) and Protected Health Information (PHI) received, whether in electronic, paper, or verbal format. All data handling activities conducted by Expion Health are intended to be consistent with all applicable legal requirements in the jurisdictions where Expion Health does business. This includes, but is not limited to, compliance with the federal Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws.

PURPOSE

The purpose of these standards is to protect the privacy of all personal and protected information owned, received, created, maintained, transmitted or used by Expion Health and its Business Associates.

POLICY

All Expion Health employees must complete training on Expion Health’s privacy and confidentiality policies, participate in other privacy education required by Expion Health, including security and awareness training, and demonstrate adherence to policy standards while completing business operations. The Privacy Policy includes the standards listed below and all documented procedures provided for existing and future business processes. All employees of Expion Health will be held to these standards. A paper copy of the Privacy Policy is available upon written request made to: Privacy Officer, Expion Health Holdings, Inc., 915 Meeting Place Suite 1030, North Bethesda, MD 20852.

Definitions

  1. “Personal Information” refers to all information owned, received, created, maintained, and transmitted by Expion Health that may be deemed by a regulatory organization to be Personally Identifiable Information (PII) or Protected Health Information (PHI), defined as follows:

    • Personally Identifiable Information (PII) refers to any information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. PII includes, but is not limited to, the following:
      • Name
      • Address
      • Phone/Fax Number
      • E-mail Address
      • Social Security Number
      • Employment Data
      • Credit Card Information
      • May include medical and health information, as defined by each state

    PII does not include information that is collected anonymously or demographic information not connected to an identified individual.

    • Protected Health Information (PHI) is information (1) that Expion Health creates, receives, maintains or transmits that relates to the past, present or future: (a) physical or mental condition of an individual; (b) provision of health care to an individual; or (c) payment for the provision of health care for the individual, including incentive qualification; and (2) that identifies or can be reasonably used to identify an individual. PHI includes, but is not limited to, the following:
      • Personally Identifiable Information
      • Biometric Data
      • Address (postal and e-mail)
      • Date of Service
      • Date of Birth
      • Diagnosis
      • Effective Date
      • Family History
      • Name
      • Privacy ID
      • Service Provider
      • Termination Date
      • Social Security Number
  2. A “Business Associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
  3. Staff includes Expion Health employees, whether office-based or home-based.

Standards

  1. Compliance with the Law. Expion Health complies with all laws regulating the use and disclosure of Personal Information in each of the jurisdictions where it does business.
  2. Confidentiality Acknowledgement. All employees must acknowledge their responsibilities for the safeguard and protection of Personal Information by signing a confidentiality acknowledgement at the time of employment.
  3. Use and Release of Information. Access to Personal Information is restricted to the minimum necessary information needed for employees to perform their job duties. The Privacy Officer conducts regular reviews of the Personal Information used to ensure only the minimum necessary information is disclosed.
  4. Protecting Personal Information. Expion Health is committed to protecting the Personal Information of all customers, employees, and employees’ dependents. Employees may not use or disclose Personal Information, except as permitted or required by applicable law and in accordance with the provisions of any applicable Business Associate Agreements.

    Employees in an Expion Health Office.

    Office-based staff must restrict inappropriate viewing of Personal Information stored and accessed at their workstations. Paper PHI should be locked up when leaving workstations and all systems should be locked up when employees are away. Employees in an open or public area will be provided a privacy screen by the Privacy Officer. If an employee has not been provided a privacy screen and believes it is needed, a request may be made to the Privacy Officer.

    Home-based Staff. Home-based staff must ensure that their workspace is private. This includes ensuring that phone conversations that include Personal Information are not overheard by friends and family, printing Personal Information only when necessary, and keeping Personal Information locked up when not in use. Employees may not download and/or store Personal Information on non-Expion Health devices.
  5. Breach of Information. Employees are required to promptly report any improper uses or disclosures of Personal Information to the Privacy Officer via e-mail at [email protected]. Expion Health follows all applicable laws related to breach notification and mitigation.
  6. Lost or Stolen Equipment. All occurrences of lost or stolen equipment must be immediately reported to Expion Health management. If Personal Information is stored on the lost equipment, the event must also be immediately reported to the Privacy Officer via e-mail at [email protected].
  7. Secured Physical and Electronic Personal Information. Personal information possessed by Expion Health is appropriately secured through restricted access to business areas and placement in locked storage when not in use.

    Electronic Personal information is encrypted while in transit through publicly-accessible networks. Information Security Officers review encryption processes of systems that move information. Standards for encryption are included in Expion Health’s Security Policy.

    Personal Information is encrypted when copied to a CD, jump drive, etc. and sent or carried outside the Company. Additionally, a security review is performed on data at rest and encryption is applied, as needed. This includes Personal Information stored on laptops and other mobile devices.

    Personal Information sent through the Postal Service should be scrubbed to remove any Personal Information other than the minimum required. First Class mail is not traceable and should only be used for mailings that include fewer than 50 individuals’ Personal Information. Certified mail should be used to send large volumes of Personal Information (over 50 individuals).

    To the extent possible, employees should not remove or transport Personal Information outside of their workspace or home office. If a business reason exists to transport Personal Information, employees must ensure all electronic Personal Information is encrypted and paper PHI is appropriately secured while in transit and locked up when not in use.
  8. Personal Information Received from Customers. Expion Health advises customers not to send Personal Information to Expion Health via e-mail unless encrypted. Expion Health encourages its customers to send any necessary Personal Information to Expion Health through the U.S. Postal Service, by secure fax, via telephone (speaking directly to Expion Health representatives), or by using a secure ftp connection.
  9. Use of Non-Expion Health Devices. Staff may use non-Expion Health equipment to access e-mail. All mobile devices accessing e-mail must be password protected. E-mail will be remotely wiped by Expion Health if a personal device is lost or stolen or if staff leave the organization. Web-based applications may be used from non-Expion Health devices only when an encrypted connection, such as TLS/SSL, is established. Personal Information accessed on non-Expion Health devices may not be downloaded or stored.
  10. Use of Social Security Numbers (SSN). Expion Health believes in the importance of appropriately safeguarding Social Security Numbers obtained during the normal course of conducting business. To the extent possible, an alternate ID, such as an employer identification number or an Expion Health-generated privacy identification number, will be used for individual identification. However, if business needs require the use of an SSN, it is Expion Health’s practice not to disclose SSNs (all or part) unless a compelling business need is identified or if legally required. Access to SSNs is limited to staff with a business need to know SSNs.
    a. Third Parties. In order to ensure the security of SSNs if a business need requires the disclosure of the full SSN to a third party, notification must be submitted in writing to the Privacy Officer [email protected]. The Privacy Officer approves all requests prior to sharing any SSNs with a third party.
    b. Printed Materials. Any information or documents which are mailed or faxed to clients, customers, or other individuals should not include SSNs. Exceptions are allowed only when a state or federal law requires SSNs to be in the document. If the law requires inclusion of a SSN, it must not be viewable through the window of an envelope.
    c. E-mail. Messages and any attachments sent via e-mail must not contain SSNs. A business exception may be made with Privacy Officer approval for internal e-mails if necessary to transact business.
  11. Digital Certificates. Digital certificates may only be obtained from certificate authorities licensed to meet international privacy and electronic commerce requirements. Online transactions must be reviewed and secured through certificate validation where appropriate. Examples of how digital certificates are used at the Company include ensuring web pages are not changed without correct authorization, as well as providing encryption capabilities.
  12. Data Retention. Records containing Personal Information are retained for 10 years from the termination of the client under which the information was gathered.
  13. Shredding and Disposal. Once retention requirements are met, all Personal Information (in paper form) is shredded. Personal Information on diskettes, tapes, CDs, etc. is erased per the NIST Guidelines for Media Sanitization if the device will be reused, or destroyed in accordance with Information Security policies.
  14. Recording of Telephone Conversations. Recording of telephone conversations may only be done with notice to or consent of all parties. Parties to non-business calls on recorded lines must also be notified of the recording. Recording features may only be added with Privacy Officer approval.
  15. Taking Photos and Use of Audio Recording Devices. Employees are prohibited from using audio recording devices, taking photos of, or video recording images that put privacy at risk.
  16. Leaving Information on Answering Machines. Messages left by employees should include the employee’s first name, company name, and phone number (including extension, if applicable). Personal Information should not be left on an answering machine.
  17. Texting. Personal Information should never be texted to a mobile device.
  18. User IDs and Passwords. Passwords for user IDs are encrypted in storage. No one may ask to obtain or change a user ID or password other than the person associated with the user ID and password. Users will be required to positively identify themselves prior to password changes.
  19. Faxing Information. Faxes require the party’s consent or an established business relationship. Any time documents are faxed, only the minimum amount of Personal Information should be included. Social Security Numbers may not be sent via fax.
  20. Marketing Restrictions. Sharing PHI with affiliated companies and non-affiliated third parties for marketing purposes requires the individual’s consent. Additionally, the use of Personal Information (other than PHI) by another affiliated company for marketing purposes is restricted by various laws and must meet certain guidelines. Contact Marketing or the Privacy Officer at [email protected] for additional information or usage review.
  21. Credit and Debit (Payment) Card Data. The acceptance of credit, debit, or purchasing card data for payment of services must be approved by the Controller and Privacy Officer. Usage must be in compliance with Payment Card Industry (PCI) Data Security Standards.
  22. Privacy Training. All employees are required to complete a privacy training course upon hire and at least annually thereafter and in accordance with changes in law.
  23. Privacy Officer Duties. Expion Health’s Privacy Officer is responsible for:
    a. Ensuring Expion Health compliance with federal and state privacy laws.
    b. Creating a risk assessment (reviewed as needed) of business processes, systems, and users to identify potential exposure or misuse of Personal Information.
    c. Identifying and documenting the minimum required Personal Information needed to complete business processes and provide customer service.
    d. Creating a written procedure for identifying and handling inappropriate uses and disclosure of Personal Information; reviewing all breaches of Personal Information; providing notice of breaches of unsecured PHI to the impacted individuals and the Department of Health and Human Services or state agencies, as required by law; and managing any efforts to mitigate breaches to the extent practicable.
    e. Participating in any federal or state audit conducted in relationship to personal information.
    f. Facilitating the creation and maintenance of policies and procedures required by federal and state law to protect Personal Information.

Enforcement

Expion Health uses a self-assessment approach to ensure compliance with this Privacy Policy and verifies periodically that the Policy is accurate and comprehensive for the information intended to be covered. The Policy shall be prominently displayed, completely implemented, and accessible to individuals required to comply with the policies and standards included.

Management is responsible for ensuring that their direct reports understand the scope and implications of the Policy. Human Resources must also ensure that all employees have acknowledged this policy and keep a copy of their acknowledgement in the employee’s file.

Failure to adhere to the requirements of the Privacy Policy is cause for disciplinary action up to and including termination, as determined by Expion Health Management, using guidelines defined by the Human Resources Department.