PRIVACY POLICY
(Aviary and Aviary Health)

Last Updated: March 18, 2026

This Privacy Policy explains how Recora, Inc. (“Recora,” “Company,” “we,” “our,” or “us”) collects, uses, discloses, and protects information in connection with your access to and use of our Services. In this Privacy Policy, “Aviary Health” refers to our care-related services, program operations, and related communications, and “Aviary” refers to our technology platform, software, workflows, and related digital tools. The “Services” include our websites, apps (including the Aviary Health App and other Aviary-branded applications where applicable), and related services, content, tools, features, device integrations, and communications, as described in our Terms of Service (“ToS”).

By accessing or using the Services, you acknowledge that you have reviewed this Privacy Policy. If you do not agree with the Terms of Service or applicable policies, do not use the Services.

1.Relationship to HIPAA and Partner Programs

Depending on your Partner Program (as defined in the ToS) and how you use the Services, information processed through the Services may include health information, including information that may be protected under the Health Insurance Portability and Accountability Act (“HIPAA”).

  • Partner Programs’ clinical role. Partner Programs (and/or their licensed professionals) provide clinical services and remain responsible for their clinical services and their own notices, consents, and privacy practices.
  • Recora, Inc., acting through Aviary Health and/or Aviary, as a Business Associate (for certain Partner Programs). For certain Partner Programs, Recora, Inc. may act as a business associate and may receive, create, maintain, or transmit Protected Health Information (“PHI”) on behalf of those Partner Programs in accordance with applicable law and applicable business associate agreement(s).
  • HIPAA Notice controls for PHI. Where applicable, PHI handled by Recora, Inc. acting through Aviary Health and/or Aviary in connection with the Services is described in Aviary Health’s HIPAA Notice of Privacy Practices (the “HIPAA Notice”), as posted through the Services or on our website. If there is a conflict between this Privacy Policy and the HIPAA Notice regarding PHI, the HIPAA Notice will control for PHI.

This Privacy Policy primarily addresses information that is not PHI or is processed outside HIPAA contexts (for example, general website/app usage data, account administration, support interactions, and marketing preferences), unless stated otherwise. Where the same digital experience includes both Aviary Health care-related services and Aviary platform functionality, this Privacy Policy applies to both, subject to the HIPAA-related carve-outs described in this Privacy Policy and the HIPAA Notice.

2. Information We Collect

A. Information you provide

We may collect information you provide through the Services, such as:

  • Contact and account information (e.g., name, email, phone number, login credentials, preferences
  • Enrollment and program administration information
  • Communications (e.g., messages to care team/support, survey responses, feedback)
  • User Content (as described in the ToS), such as questionnaire responses, photos/files, or other information you submit

B. Health-related information

When you use the Services in connection with a Partner Program, information may include health-related information. To the extent that information is PHI, it is handled under the HIPAA Notice and applicable agreements.

C. Information collected automatically

We and our service providers may automatically collect:

  • Device and browser information
  • Identifiers and logs (e.g., IP address, timestamps, diagnostic data)
  • Usage and interaction data (e.g., pages/screens viewed, features used, session duration)
  • Approximate location (e.g., inferred from IP address)

D. Information from third parties

We may receive information from:

  • Partner Programs (for program enablement/operations; may include PHI, as applicable)
  • Service providers (e.g., hosting, security, analytics, customer support tools)
  • Device/integration partners (if you connect them)
  • Advertising/measurement partners (subject to your choices and applicable law)

3. How We Use Information

We may use information to:

  • Provide, operate, maintain, secure, and improve the Services, including Aviary Healthcare-related services and Aviary platform functionality
  • Create and manage accounts; administer enrollment and participation
  • Provide support and respond to inquiries
  • Communicate with you about authentication, service updates, program reminders, and administrative/security matters
  • Detect, prevent, and address fraud/misuse/security incidents; enforce the ToS
  • Comply with legal obligations
  • Create and use de-identified or aggregated information where permitted by law for analytics, research, and service improvement.

4. How We Disclose Information

We may disclose information:

  • To Partner Programs to support enrollment, operations, and participation (PHI disclosures governed by the HIPAA Notice and applicable agreements)
  • To service providers that perform services for us (hosting, support, analytics, communications, security), subject to contractual and legal protections
  • For legal and safety reasons (lawful requests, protecting rights/safety/security, investigating fraud or violations)
  • In connection with a business transfer (merger, acquisition, financing,reorganization, bankruptcy, or sale of assets), subject to applicable law
  • With your direction or consent, where required

5. Cookies,Pixels, and Similar Technologies

We and our service providers may use cookies, pixels, SDKs, and similar technologies to:

  • authenticate and maintain sessions(where applicable)
  • remember preferences
  • conduct analytics and performance measurement
  • enhance security and prevent fraud
  • support marketing/measurement (see Section 6)

Cookie banner /preference center

We may provide a cookie banner and/or cookie preference center that allows you to accept, reject, or manage certain categories of cookies and similar technologies (except those that are strictly necessary for the Services to function).

You can also control cookies through your browser settings. Disabling certain cookies may affect Services functionality.

Global PrivacyControl / universal opt-out signals

Some browsers or extensions allow you to send an opt-out preference signal (such as Global Privacy Control). Where required by law, we will treat such signals as valid requests to opt out of certain processing, such as “sale” or “sharing” of personal information for targeted advertising.

6. Advertising and Marketing (Targeted Advertising)

We may use certain information (often via cookies, pixels, SDKs, and similar technologies) to:

  • Measure and improve the performance of our advertising and outreach, and
  • Provide information about Aviary,Aviary Health, and the Services.

We do not use or disclose HIPAA-regulated PHI for targeted advertising or cross-context behavioral advertising except as expressly permitted by applicable law and, where required, with a valid authorization.

Do Not Sell or Share / opt-out link.

Where required by applicable law(including for cross-context behavioral advertising), we provide a “Do Not Sell or Share My Personal Information” link (or similarly titled link) that you can use to opt out of certain disclosures of personal information for targeted advertising purposes.

7. AI and Automated Processing

Some features may use automated processing, including AI, to support functionality (for example, summarizinginformation you provide or improving user experience). AI outputs may be inaccurate and are not medical advice. Where required by law, you may request a human review of certain decisions.

8. Security

We take reasonable measures intended to protect the Services and information processed through them. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for protecting your devices, credentials, and account access.

If you believe your interaction with us is no longer secure, contact us at hello@aviaryhealth.com.

9. DataRetention

We retain information for as long as reasonably necessary to:

  • provide and maintain the Services,
  • comply with legal obligations,
  • resolve disputes,
  • enforce agreements, and
  • protect safety and security.

Where applicable, retention of PHI is governed by HIPAA, the HIPAA Notice, and applicable Partner Program requirements.

10. State Privacy Rights and Choices

Depending on where you live, you may have rights regarding your personal information, which may include:

  • access, correction,deletion, and portability (subject to legal exceptions)
  • opting out of targeted advertising
  • opting out of certain profiling/automated decision-making (where applicable)
  • appealing certain decisions regarding a request (where required by law)

These rights generally do not apply to PHI, medical information, or other data that is exempt from certain state privacy laws, including information subject to HIPAA or other applicable health-privacy laws.

How to exercise your rights

You may submit requests by:

  1. using the “Do Not Sell or Share My Personal Information” link (or similarly titled link)where available; and/or
  2. emailing privacy@aviaryhealth.comwith the subject line “Privacy Request.”

We may need to verify your identity before processing certain requests. Where permitted, you may use an authorized agent.

California

California residents may have additional rights under the CCPA/CPRA, including the right to opt out of “sale” or “sharing” of personal information (including for cross-context behavioral advertising), and we will process such requests through the opt-out mechanisms described above,including recognition of valid opt-out preference signals where required.

11. Children’s Privacy

The Services are intended for adults and are not directed to children under 13. We do not knowingly collect personal information from children under 13 without appropriate permission/consent. If you believe a child has provided information to us, contact privacy@aviaryhealth.com.

12.International Use; U.S. Processing

The Services are operated from the United States and may not be available or appropriate outside the U.S. If you use the Services from outside the U.S., you understand that information may be processed and stored in the U.S., where laws may differ.

13. Electronic Notices and Consent

You agree that we may provide notices and disclosures (including privacy-related notices) electronically through the Services or via email. Your affirmative act of clicking “I agree,” “Accept,” “Continue,”“Submit,” or similar buttons or checkboxes (including during enrollment/onboarding) constitutes your electronic signature/acceptance of this Privacy Policy and related terms, where applicable.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The “Last Updated” date above indicates when it was most recently revised. If we make material changes, we will provide notice consistent with the ToS and applicable law. Continued use of the Services after changes constitutes acceptance to the extent permitted by law.

15. Contact Us

  • Privacy requests/questions: privacy@aviaryhealth.com
  • General support and security concerns: hello@aviaryhealth.com
  • Care team /accessibility accommodations: careteam@aviaryhealth.com
  • HIPAA/privacy compliance questions: compliance@aviaryhealth.com
Contact:
1-844-Aviary-1
hello@aviaryhealth.com
Contact us
AICPA SOC badge indicating SOC for Service Organizations with URL aicpa.org/soc4so.
© ---- Recora, Inc. (Aviary Health). All rights reserved
HIPAA CompliancePrivacy PolicyTerms of Service