Privacy Policy
This Privacy Policy describes how Arden Health, Inc., doing business as "Arden Bio" ("Arden," "we," "us," or "our"), collects, uses, and shares information through our web applications — including the Arden Bio Portal at portal.arden.bio — and other software ("Software"). If you have a Client Services Agreement ("CSA") with Arden, this Policy supplements, but does not replace, the privacy and confidentiality provisions in the CSA, and the CSA controls to the extent of any conflict. If you do not have a CSA, this Policy and the Terms of Service govern your use of the Software and our handling of your information. Portal Users accept this Privacy Policy by completing a submission through the Arden Bio Portal, as described in the Terms of Service.
1. Information We Collect
- Account Information. Name, email address, phone number, and other identifiers you provide when creating or managing your account.
- Health Data. Medical records and related health information obtained through patient access API connections, the Trusted Exchange Framework and Common Agreement ("TEFCA") Individual Access Services ("IAS"), uploads you submit through the Arden Bio Portal, and other authorized channels. This may include diagnoses, lab results, medications, treatment history, and similar clinical data.
- Resulting Data. Data, reports, analyses, and visualizations that Arden generates from your health information in the course of performing Services or processing information you submit through the Portal.
- Usage Data. Information about how you interact with the Software, such as pages viewed, features used, and actions taken.
- Device and Technical Information. IP address, browser type, operating system, and device identifiers collected automatically when you use the Software.
2. How We Collect Information
- Directly from you. When you create an account, submit information, upload records through the Arden Bio Portal, or communicate with us through the Software.
- From healthcare providers and data sources. Through authorized patient access API pulls and TEFCA IAS connections, based on authorizations you provide under the CSA (Section 5), through the Arden Bio Portal, or otherwise. When we retrieve health data through TEFCA or patient access APIs, we do so on your behalf under your individual right of access. We comply with applicable use restrictions that attach to data obtained through these channels.
- Automatically. Through server logs and similar technologies when you use the Software. We do not currently use third-party advertising or cross-site tracking cookies.
3. How We Use Information
We use the information we collect to:
- Perform Services. Gather, organize, and compile medical records; generate informational summaries and data presentations; facilitate communication; and otherwise fulfill our administrative and operational obligations under the CSA or in connection with information you submit through the Arden Bio Portal.
- Operate and improve the Software. Maintain functionality, fix issues, and enhance performance and user experience.
- Generate de-identified insights. Create de-identified data for scientific, educational, and commercial development purposes, including Secondary Uses as described in CSA Section 6 (or, for users without a CSA, as described in this Policy). We de-identify data in accordance with recognized standards (e.g., the HIPAA Safe Harbor or Expert Determination methods) so that the data cannot reasonably be used to identify you.
We do not use your confidential information for purposes beyond those described in the CSA (if applicable) and this Policy.
4. How We Share Information
- Arden personnel. With employees, contractors, and scientific advisors who need access to perform Services, subject to confidentiality obligations.
- Third-party service providers. With vendors engaged to support Services as described in the CSA or applicable Proposals (if any), and only to the extent necessary for them to assist us.
- De-identified data. De-identified data may be used and shared for Secondary Uses (scientific, educational, and commercial purposes) as permitted under CSA Section 6 or, for users without a CSA, as described in this Policy.
- Legal requirements. When required by law, regulation, or legal process, or to protect the rights, safety, or property of Arden or others.
We never sell your personal information or health data.
5. Data Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect your information. Data is encrypted in transit using industry-standard protocols. Arden is not a HIPAA covered entity; we receive your health information directly from you or on your behalf under your individual right of access, not from covered entities under a business associate agreement. Nonetheless, we handle your health information with care equivalent to HIPAA standards. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.
6. Data Retention
We retain your information for the duration of the CSA (or, for users without a CSA, for so long as your account remains active or as needed to provide the services you requested) and for such additional period as reasonably necessary to fulfill our obligations, resolve disputes, and comply with applicable law. Consistent with CSA Section 6 or this Policy (as applicable), de-identified data may be retained indefinitely for Secondary Uses.
7. Your Rights
Subject to applicable law and the terms of the CSA (if applicable), you may:
- Access your Resulting Data by written request as provided in CSA Section 9, or by contacting us at the address in Section 11 below.
- Request copies of the personal information we hold about you.
- Request corrections to inaccurate personal or health information.
- Withdraw authorization for future collection of health data, to the extent permitted by applicable law. Withdrawal does not affect data already collected or any de-identified data.
We will respond to verified requests within 30 days, or as otherwise required by applicable law. To exercise these rights, contact us using the information in Section 11 below.
California Residents
If you are a California resident, you may have additional rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), including:
- Right to know what personal information we have collected, used, and disclosed.
- Right to delete personal information we hold, subject to applicable exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell or share (as defined by CCPA/CPRA) your personal information.
- Right to non-discrimination for exercising your privacy rights.
To the extent any of your health information qualifies as "medical information" under the California Confidentiality of Medical Information Act ("CMIA"), the protections of the CMIA also apply.
8. Children's Privacy
The Software is not intended for use by individuals under the age of 13. Users between 13 and 18 may access the Software only through an authorized representative (consistent with CSA Section 2, where applicable) and must have an account created by that representative. We do not knowingly collect personal information from children under 13.
9. TEFCA and Health Data Access
When we connect to healthcare data sources on your behalf through TEFCA IAS or patient access APIs, we act as your authorized representative to retrieve your health records. We use this data solely for the purposes described in the CSA (if applicable) and this Policy. We comply with applicable provisions of the 21st Century Cures Act and ONC information blocking regulations as they pertain to individual access. Any re-disclosure limitations that attach to data obtained through these channels are honored.
10. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will notify you through the Software or by other reasonable means. Your continued use of the Software after such notice constitutes acceptance of the updated Policy. No change to this Policy will modify or override any provision of your CSA, if you have one.
11. Contact Information
If you have questions about this Privacy Policy or wish to exercise your rights, please contact:
Arden Health, Inc. (DBA "Arden Bio")
Email: privacy@ardenbio.com
Arden is not a medical provider. The Software and any information provided through it do not constitute medical advice, diagnosis, or treatment.