Your Privacy Matters
This Privacy Policy explains how Epicare Insurance Corp ("Epicare," "we," "us," or "our") collects, uses, shares, and protects information about you when you use our digital platform Eppigo (the "Platform").
We are a licensed insurance agency (agency NPN 19985316). We operate the Platform as a digital channel to help consumers find, compare, buy, and manage insurance from multiple carriers. We are not an insurance carrier and do not underwrite policies.
This Privacy Policy applies to your use of the Platform in the United States and, where we make it available, additional jurisdictions including Puerto Rico. Availability of products and markets varies by jurisdiction and over time. By using the Platform, you agree to the practices described here.
Quick summary
Here is what you should know up front. This summary is for convenience only; the full Policy controls.
- We do not sell your personal information. We do not sell it, and we do not "share" it for cross-context behavioral advertising as those terms are defined under California law.
- We do not place third-party advertising or analytics trackers in your browser. We do not use third-party advertising pixels, third-party analytics, session-replay tools, or browser-fingerprinting technologies in our consumer experiences. For advertising measurement we use only server-side methods with hashed identifiers. See Section 6 and our Cookie Policy.
- Your health information is handled with care. When you provide health information for an application, your responses are encrypted and kept only briefly while we deliver your application to the carrier. After the carrier confirms receipt, we purge our copy. No Epicare personnel, including staff and agents, can view your specific health questionnaire responses.
- You have privacy rights. These include, depending on where you live, the right to access, correct, delete, obtain a copy of, and limit the use of your personal information.
- We are implementing HIPAA controls and preparing for a SOC 2 audit. We continuously monitor our security controls.
Information we collect
2.1 Information you provide
When you use the Platform, you may provide:
- Identity information: name, date of birth, address, and contact information.
- Demographic information: age, sex assigned at birth, marital status, and household composition.
- Geographic information: ZIP code, state, and market.
- Application information: information needed for insurance applications, which for certain products may include health-related questions.
- Identity verification information: documents and data you provide for identity verification.
- Beneficiary information: names and relationships for applicable policies.
- Payment instrument information: tokenized through a PCI-compliant tokenization vault. We do not store your full payment card data.
- Communication content: messages you send through our in-app support.
- Preferences: notification preferences, language, and marketing consents.
2.2 Information collected automatically
When you use the Platform, we automatically collect:
- Device information: device type, operating system, and browser version.
- Usage information: pages and features used and general activity on the Platform.
- Technical information: IP address, used for security and abuse prevention, not for advertising.
- Cookies and similar technologies: first-party only, for session management and operational features. See Section 6 and our Cookie Policy.
2.3 Information from third parties
In some cases, we receive information from:
- Insurance carriers: the status of your applications and policies.
- Identity verification providers: the results of identity verification checks.
- Consumer reporting agencies: where applicable under the Fair Credit Reporting Act (FCRA), in connection with identity verification or carrier underwriting.
2.4 Information about agent attribution
If you reached the Platform through an agent's referral link or were referred by an agent, we associate your account with that agent for service and attribution purposes.
How we use information
3.1 To provide the Platform
We use information to create and maintain your account, authenticate you, display relevant insurance options, process applications and submit them to carriers, manage your policies and Wallet, send transactional communications, provide support, and resolve disputes.
3.2 To improve the Platform
We use aggregated, de-identified information to understand how features are used, identify and fix issues, and develop new features.
3.3 To comply with legal obligations
We use information to comply with insurance and financial regulations, maintain required records, respond to regulatory inquiries, detect and prevent fraud, and meet tax and reporting requirements. Where we offer Medicare-related products, we follow applicable Centers for Medicare & Medicaid Services (CMS) marketing and privacy requirements.
3.4 For marketing, with your consent
If you opt in, we may use information to send you promotional communications about products and offers and to surface relevant content within the Platform. You can opt out at any time. Marketing text messages require separate, explicit, TCPA-compliant consent that is never a condition of purchase.
Protected health information
We follow strict practices for health information collected during insurance applications.
4.1 Temporary retention
Health information you provide during an insurance application is encrypted and retained only for the time necessary to deliver the application to the carrier, to retry a failed transmission, or to allow re-submission if the carrier requests a correction (which requires your re-input). After the carrier confirms receipt, we purge our copy. We also purge upon application rejection, cancellation, or expiry of the application.
4.2 Encryption
Health information is encrypted at rest using application-level encryption, with keys managed in our key management system, and is encrypted in transit.
4.3 Access restrictions
No Epicare personnel, including agents, staff, support, or management, can view your specific health questionnaire responses. This information flows from your input to the carrier and is not exposed to our people.
4.4 Recovery and re-input
If a carrier requests additional information after your initial submission, we will notify you. You must re-enter the requested information yourself; we cannot retrieve your original responses.
4.5 HIPAA framework
We operate under HIPAA Security Rule principles where they apply to health information we handle, and we enter into Business Associate Agreements with service providers that process health information on our behalf.
How we share information
5.1 With insurance carriers
When you apply for a policy, we share the information necessary to obtain that insurance with the relevant carrier. Carriers process your information under their own privacy practices.
5.2 With service providers
We use third-party service providers to operate the Platform. They are bound by contracts requiring confidentiality and security, and those that process health information sign Business Associate Agreements. Categories of service providers include:
- Cloud infrastructure and database hosting;
- Authentication and session management;
- Email, text message, and push notification delivery;
- PCI-compliant tokenization vault for payment instruments;
- Identity verification;
- Customer relationship and agency management;
- Continuous security and compliance monitoring;
- Mapping and address validation;
- Advertising measurement through server-side conversion methods, using hashed identifiers only;
- Artificial-intelligence assistance, where offered and subject to your consent.
The categories above describe the service providers we use. You may request additional information about our service providers through the privacy contact in Section 17.
5.3 With agents and Epicare personnel
Where applicable, your information is accessible to your agent of record (if your account is attributed to a specific agent), to our licensed personnel for service operations, and to our Member Support team for support requests. Access is governed by role-based permissions and is audited. As described in Section 4, agents and personnel cannot view the health questionnaire responses you submit during applications.
5.4 With government and regulators
We may share information when required by state or federal insurance regulators, law enforcement or court orders, tax authorities, or other government agencies with proper legal authority.
5.5 We do not sell or "share" for advertising
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as defined under California law. A "Do Not Sell or Share My Personal Information" link is available in our footer and described in Section 9.
5.6 Business transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice of any transfer that materially affects your privacy rights.
Cookies, tracking, and advertising measurement
We use cookies sparingly and only for operational purposes, such as session management, security, fraud prevention, and remembering your language and market preferences. We use first-party measurement only.
We do not use third-party advertising pixels, third-party analytics services, session-replay tools, or browser-fingerprinting technologies in our consumer experiences. For advertising measurement, we send aggregated conversion events to advertising platforms using their server-side methods with irreversibly hashed identifiers; this does not place tracking pixels in your browser and does not track your activity across other websites. You can opt out of marketing, and we will not send conversion events for users who have opted out.
Because we do not use third-party tracking or advertising cookies, we do not display a cookie banner. Full details are described in our Cookie Policy.
Mobile app permissions
Our mobile app requests permissions only when needed:
- Push notifications: to send you alerts about your applications, policies, and account.
- Camera and photo library: when you choose to upload a document.
- Device biometrics (Face ID, Touch ID, or fingerprint): for sign-in. Biometric data is handled by your device's operating system; we never receive or store your biometric template, and we use only native operating-system interfaces with no third-party biometric software.
We do not request access to your location, contacts, microphone, or calendar.
Your privacy rights
8.1 Rights for all users
Regardless of where you live, you can access and update your account information through your settings, request deletion of your account, opt out of marketing communications, and withdraw consents (note that withdrawing electronic-communications consent will deactivate your account).
8.2 Rights under California law (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the right to know what personal information we collect and how we use and disclose it; to access and obtain a copy of your personal information; to correct inaccurate personal information; to request deletion; to opt out of the sale or "sharing" of personal information (we do not sell or share, and the footer link makes this explicit); to limit the use of sensitive personal information; and to not be discriminated against for exercising your rights.
To exercise these rights, submit a request through your account settings or contact us using the details in Section 17. We will verify your identity before fulfilling the request and will respond within the timeframes required by applicable law (generally within 45 days, with an extension permitted for complex requests). You may use an authorized agent, subject to verification requirements.
8.3 Rights under other state laws
Several states have enacted comprehensive privacy laws. Where applicable, we honor the rights those laws provide, which generally include rights to access, correct, delete, obtain a copy of, and opt out of certain processing of your personal information. To exercise these rights, use the methods described in this Policy.
8.4 How we handle deletion and copies of your data
When you request deletion, we honor verified requests within the time required by applicable law, and we remove identifying information from our active systems, subject to information we are required or permitted to retain (such as insurance, financial, consent, and compliance records). Information may remain in secure backups for a limited period until those backups are automatically purged. When you request a copy of your personal information, we provide it, where required by law, in a portable format within the timeframe the law requires. Health questionnaire responses are not included, because we do not retain them after delivery to the carrier (see Section 4).
8.5 HIPAA
Where HIPAA applies, you have rights under the HIPAA Privacy Rule to access protected health information held by covered entities, which is typically the insurance carrier rather than Epicare. For health information held by a carrier, contact that carrier directly.
Do Not Sell or Share My Personal Information
We do not sell or "share" (for cross-context behavioral advertising) personal information. To make this preference explicit, a "Do Not Sell or Share My Personal Information" link is available in our website footer, and authenticated users can confirm their preference in their settings. This preference is honored across the Platform within the time required by applicable law.
Children's privacy
The Platform is not intended for individuals under 18, and we do not knowingly collect personal information from children under 18. Minors may be covered as dependents on a policy held by an adult, but they cannot create their own accounts. If we learn that we have inadvertently collected personal information from a child under 18, we will delete it promptly. When a dependent reaches adulthood, they may create their own account and request that their information be associated with it, subject to verification.
Retention
We keep personal information only as long as necessary for the purposes described in this Policy or as required by law. In general:
- Account and profile information is kept while your account is active and for a limited period afterward.
- Insurance and policy records, and the records we are required to keep as a licensed agency, are kept for the period required by applicable insurance and financial recordkeeping laws, commonly up to seven years.
- Health questionnaire responses are kept only temporarily and encrypted, and are purged after the carrier confirms receipt or the application ends (see Section 4).
- Consent and electronic-signature records are kept for as long as required to evidence them.
- Marketing data is kept until you opt out and for a short period afterward.
After you delete your account, we remove identifying information from our active systems following a short grace period; information may remain in secure backups for a limited time until those backups are automatically purged. Specific retention periods are maintained in our internal data retention policy and may change as our legal obligations change.
Security
We use administrative, technical, and physical safeguards to protect your information, including encryption in transit and at rest (with application-level encryption for sensitive fields), row-level access controls, least-privilege principles, audit logging of administrative access, vulnerability management, continuous security monitoring (we are preparing for a SOC 2 audit and implementing HIPAA controls), and mandatory multi-factor authentication for personnel accounts.
If you believe you have found a security vulnerability, please contact us at the address in Section 17. In the event of a security incident affecting your information, we will notify you and applicable regulators as required by law.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Communications privacy
Communications about your account, applications, and policies are operationally necessary and cannot be opted out of while you maintain an active account. Marketing communications require your opt-in, and marketing text messages require separate, explicit, TCPA-compliant consent. You may opt out of marketing at any time through the unsubscribe link in marketing emails, by replying STOP to marketing text messages, or in your settings.
Artificial-intelligence features
Where we offer an AI assistant within the Platform and you choose to use it, your messages and the assistant's responses are processed by an AI service provider under a Business Associate Agreement where health information may be involved. We retain conversation content for a limited period and retain conversation metadata for a longer period for analytics, after which identifiers are removed. We do not use your individual conversations to train third-party AI models, and you may delete a conversation at any time. AI features may not be available in all experiences or at all times.
International users
The Platform is intended for use in the United States and, where offered, additional jurisdictions including Puerto Rico. Information collected through the Platform is processed and stored in the United States. If you access the Platform from outside the United States, you understand that your information will be transferred to and processed in the United States and subject to United States law.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date, notify you through email, in-app notice, or both, and where the change materially affects your rights, request re-acceptance. Minor changes may be made without re-acceptance and will be reflected in our changelog.
Contact Us
For privacy questions, requests, or concerns:
Epicare Insurance Corp
Attn: Privacy Officer
6970 Bird Rd APT 308, Miami, FL 33155
Email: privacy@eppigo.com
Within the Platform: Member Support chat
For California residents exercising CCPA/CPRA rights, see Section 8.2 for specific procedures. We respond to privacy inquiries within the timeframes required by applicable law.
Service providers
The categories of service providers we use, and the categories of data they process, are described in Section 5.2. You may request additional information about our service providers through the privacy contact in Section 17. We provide notice of material changes as required by applicable law.
Changes to this document
| Version | Effective Date | Summary |
|---|---|---|
| 1.0 | June 2, 2026 | Initial Privacy Policy for the Eppigo platform. |
A complete change log is available on request.