Privacy Policy

Last updated: July 14, 2025

1. Introduction

Nimble Rx, Inc. (“NimbleRx,” “we,” “our,” or “us”) provides a digital platform that enables patients to pay for and arrange delivery or pickup of prescription medications from participating pharmacies. This Privacy Policy describes how we collect, use, disclose, and protect your personal information, including protected health information (“PHI”), when you interact with our website, mobile application, and related services (collectively, the “Services”).

NimbleRx is committed to maintaining your privacy and protecting your information in accordance with applicable federal and state laws, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the California Consumer Privacy Act (“CCPA”), and other state-specific health privacy laws where applicable.

By using our Services, you acknowledge that you have read this Privacy Policy and agree to the practices described herein. Depending on how you use our Services, additional terms may apply, including but not limited to HIPAA marketing authorizations or consents required under state privacy law.

From time to time, our Services may include links to third-party websites, applications, or content that are not controlled by NimbleRx. Please note that this Privacy Policy does not apply to those external websites or services, and we encourage you to review their privacy practices independently.

If you do not agree with our practices, please do not use the Services.

2. Scope of This Privacy Policy

This Privacy Policy applies to personal information processed by NimbleRx through our Services, including our websites, mobile applications, and other online or offline offerings.

Important Note – Is Your Data Covered by HIPAA?

Not necessarily. HIPAA only applies to certain types of data and data uses. NimbleRx complies with HIPAA when applicable, such as when we act as a business associate to a HIPAA-covered entity (e.g., a pharmacy). In other contexts, your data may be subject to state consumer privacy laws instead. See Section 10 – HIPAA and Other Health Privacy Laws.

3. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you as required by law—for example, by posting a notice on our website, through our Services, or by contacting you directly.

The revised Privacy Policy will apply to personal information we collect after the effective date and, where permitted by law, to existing personal information consistent with the updated terms. We will not use your personal information in a materially different manner than described at the time of collection without providing you notice and obtaining any required consent.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Services after the effective date of any changes will constitute your acceptance of those changes.

4. What Information We Collect

We collect various types of personal information to provide and improve our Services. The categories of information we collect depend on how you interact with NimbleRx and the features you use. Some of this information may be considered protected health information (“PHI”) under HIPAA when we act as a business associate to a pharmacy or other covered entity.

4.1 Information You Provide to Us

We collect the following categories of personal information that you choose to provide when using our Services:

  • Account and Contact Information: Name, date of birth, phone number, email address, delivery address, and any information you submit when registering or accessing your account or placing an order.
  • Prescription and Health Information: Information necessary to process and deliver your medications or over-the-counter purchases, including prescription details, prescribing physician, pharmacy selection, insurance information, and in some cases, medical history or clinical notes.
  • Payment Information: Credit or debit card details or other payment data, which is processed securely via third-party payment processors.
  • Communications and Support Requests: Information you provide when you contact our support team, respond to surveys, or communicate with us by email, text, or other channels.
  • Job Applications: If you apply for a role at NimbleRx, we may collect information such as your resume, cover letter, employment history, and qualifications. If you are hired, the information may become part of your employee file and be used in accordance with our internal HR policies.
  • Other Voluntary Submissions: You may also provide personal information through participation in promotional events, contests, surveys, feedback forms, or interactive tools (e.g., chat features or AI assistants).
  • Business Inquiries and Demo Requests: If you contact us through the website to learn more about our services (e.g., as a pharmacy or manufacturer), we may collect your name, business affiliation, contact information, and any message you submit. We use this information to respond to your request and manage our business relationships.

4.2 Information Collected Automatically

We and our service providers may collect certain types of information automatically when you interact with our Services, including:

  • Device and Usage Information: IP address, browser type, operating system, mobile carrier, device identifiers (e.g., cookies or SDKs), app version, crash logs, and system activity.
  • Activity Data: Pages you visit, searches you conduct, time spent using features, and interactions with in-app content, links, ads, or push notifications.
  • Location Information: We may infer or collect approximate location data (e.g., based on IP address) or collect precise geolocation (e.g., GPS-based) if you enable it through your mobile device.
  • Cookies and Tracking Technologies: We use cookies, pixel tags, and similar technologies to recognize your device, personalize content, analyze traffic, and deliver relevant advertisements. For more information, see the “Your Privacy Choices” section.

4.3 Information from Pharmacies and Other Third Parties

We may collect personal information about you from pharmacies and other third parties to support prescription fulfillment and services, including:

  • Prescription status updates and refill data
  • Insurance verification or benefit eligibility
  • Information about your interactions with the pharmacy
  • Any other information necessary to facilitate delivery or pickup

We may also collect personal information from third-party platforms if you interact with our Services through a pharmacy partner’s interface or access our Services via social login or app integrations.

4.4 Artificial Intelligence (AI) and Personalized Features

If you choose to use AI-powered tools within NimbleRx (such as Mira AI), we may use your personal information—potentially including prescription data or Nimble pharmacy purchase history—to tailor health-related content, reminders, or guidance. You will be provided with appropriate disclosures and controls before using these features.

 

5. Sources of Information

We collect personal information from the following categories of sources:

  • Directly from you – when you provide it through our Services, such as during account creation, placing a prescription or consumer product order, completing a payment, submitting a job application, contacting support, or requesting a product demo.
  • Automatically – when you use our Services. We use cookies, mobile SDKs, pixel tags, and other tracking technologies to collect information about your device, activity, and interaction with our Services. For more details, see Section 4.2 and the “Your Privacy Choices” section.
  • Pharmacies and other healthcare partners – including the pharmacy you select or interact with when using NimbleRx. These partners may provide information to us, such as prescription status updates, insurance details, or delivery confirmations, as needed to complete your order.
  • Third-party services and platforms – such as when you log in using a third-party service, interact with embedded content, or are referred to us through a partner integration. We may receive information based on your settings and permissions with those services.
  • Derived data – including information that we infer from your behavior on our platform, such as delivery preferences, engagement patterns, or health topics of interest.
  • Public sources and business records – in limited cases, we may supplement your information with data from publicly available databases or business partners, such as for fraud prevention, regulatory compliance, or business development purposes.

6. How We Use Information

We use the personal information we collect for the following purposes:

6.1 To Provide Our Services

  • Facilitate prescription or consumer product processing, fulfillment, and delivery or pickup;
  • Operate and manage user accounts, including authentication and order history;
  • Process transactions, including payments and insurance verification;
  • Provide customer service and technical support;
  • Communicate with you regarding order status, product updates, and account-related notifications.
  • Communicate with you regarding our

Additionally, if you provide personal or payment information through the Nimble platform, we retain that information to facilitate prescription processing and delivery across any participating pharmacy you may select or switch to in the future. You may modify or remove your payment methods or personal data at any time through your Nimble account.

6.2 For Administrative and Operational Purposes

  • Monitor usage patterns, diagnose issues, and maintain security;
  • Detect, investigate, and prevent fraud or other unlawful activity;
  • Perform audits, quality assurance, and internal recordkeeping;
  • Comply with legal and regulatory obligations, including HIPAA where applicable;
  • Enforce our terms and policies, and resolve disputes.

6.3 To Improve and Develop Services

  • Analyze user activity and feature adoption to enhance functionality;
  • Conduct research, surveys, or testing to improve user experience;
  • Train and refine models for AI-powered tools, such as Mira AI;
  • Develop new features, products, or partnerships.

6.4 For Employment and Recruiting

  • Review and process job applications submitted via our website;
  • Contact applicants regarding job openings or interview scheduling;
  • Retain candidate records in accordance with legal requirements.

6.5 For De-identified or Aggregated Data Uses

We may convert personal information into de-identified or aggregated data (e.g., to understand medication trends or delivery logistics). We will not re-identify such information except as permitted by applicable law.

6.6 With Your Consent

We may use personal information for additional purposes that are clearly disclosed to you at the time of collection or otherwise with your explicit consent. In these instances, we may ask you to confirm your consent—such as by checking a box or taking a similar action that reflects your approval of the applicable terms and practices.

You may withdraw your consent at any time through your account settings (where applicable) or by contacting us as described in the Contact Information section below. Withdrawal will not affect the lawfulness of any processing performed prior to withdrawal.

7. Marketing and Authorizations

We may use your information to provide marketing communications or display customized content about our Services. In some cases, we may use health-related information — including PHI — for marketing purposes, but only with your express, written authorization as required under HIPAA or state privacy laws.

7.1 Types of Marketing and Advertising We May Use

  • Email and Text Campaigns: Offers, reminders, product updates, or educational messages;
  • In-App or On-Site Messaging: Personalized banners, alerts, or promotional content;
  • Tailored Experiences: Suppressing irrelevant ads (e.g., hiding refill messages if recently filled) or customizing content based on medication type or usage patterns;
  • Third-Party Ads: Display of targeted ads through third-party platforms, where permitted by law and only using non-PHI unless properly authorized.

7.2 HIPAA Marketing Authorizations

If a use of your PHI for marketing requires a HIPAA marketing authorization, we will obtain it separately and clearly from you. We do not share PHI with third-party sponsors for their own marketing use unless authorized by you.

You may withdraw your authorization at any time, and we will honor your request in accordance with applicable laws.

7.3 Opting Out of Marketing Communications

You may opt out of receiving marketing communications through the following methods:

  • Email: Use the “unsubscribe” link found in our marketing emails;
  • Text Messages: Text STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT from the mobile device receiving messages. Please note: opting out of all texts may impact your ability to receive operational updates related to prescription orders;
  • In-App Preferences: Adjust your communication settings in your account profile (where available);
  • Contact Us: You may also email us at privacy@nimblerx.com to make a request.

8. Sharing of Information

We may disclose your personal information to third parties as necessary to provide our Services, fulfill legal obligations, or support legitimate business functions. When we do, we take reasonable steps to limit the sharing to what is necessary and to protect your information in accordance with this Privacy Policy.

8.1 Disclosures to Provide Our Services

We share your personal information with the following types of third parties:

  • Pharmacies: To fulfill and deliver your prescription, we share information such as your name, delivery address, prescribing physician, insurance details, and prescription data with the pharmacy of your choice. The pharmacy uses this information to fill your prescription and comply with applicable law.
  • Service Providers: We engage vendors to help us operate our Services, including payment processors (e.g., Stripe), customer service platforms (e.g., Gladly), delivery partners, hosting providers, analytics services, and IT support. These providers may access your personal information only as necessary to perform services on our behalf and are contractually obligated to protect it.
  • Corporate Affiliates: We may share your information with our affiliates or subsidiaries for purposes consistent with this Privacy Policy.
  • Advertising Partners: With appropriate consent or legal basis, we may share limited personal information (never PHI without authorization) with third-party advertising or analytics partners who help us personalize content or measure marketing performance.

8.2 Disclosures Required by Law or to Protect Rights

We may disclose your personal information if we believe it is necessary to:

  • Comply with a legal obligation, regulatory requirement, or valid legal process (e.g., subpoena, court order);
  • Enforce our Terms of Service or investigate potential violations;
  • Detect, prevent, or respond to fraud, abuse, security risks, or technical issues;
  • Protect the rights, safety, or property of NimbleRx, our users, or others.

8.3 Business Transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, sale of assets, or transition of service to another provider, your information may be disclosed or transferred as part of that transaction, consistent with legal requirements.

Note: We do not share SMS/text messaging originator opt-in data or consent with third parties for their own marketing purposes.

9. State Privacy Rights

Depending on where you live, you may have rights under applicable U.S. state privacy laws, including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and other similar laws. These rights may include:

  • Right to Know or Access: You may request information about the categories of personal information we collect, the sources of that information, the business purposes for which it is used, and the third parties with whom we share it. You may also request access to the specific pieces of personal information we hold about you.
  • Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
  • Right to Delete: You may request that we delete personal information we have collected about you, subject to certain legal exceptions.
  • Right to Data Portability: You may request that we provide a copy of your personal information in a portable and readily usable format.
  • Right to Opt-Out of Certain Processing: You may opt out of the sale or sharing of your personal information, or the use of your data for targeted advertising or profiling where applicable.
  • Right to Appeal: If we deny your request, you have the right to appeal our decision in accordance with applicable state law.

How to Exercise Your Rights

To submit a privacy request, you may contact us at:

Email: privacy@nimblerx.com

Mail: Nimble Rx, Inc., 2317 Broadway, Suite 1, Redwood City, CA 94063

We will verify your identity before fulfilling certain requests. You may designate an authorized agent to make a request on your behalf. We will not discriminate against you for exercising your privacy rights.

10. HIPAA and Other Health Privacy Laws

Some of the information we collect may be subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as similar state laws that govern the privacy and security of health information.

10.1 When HIPAA Applies

NimbleRx is not a healthcare provider or a health plan, but we may act as a “business associate” to a HIPAA-covered entity, such as a pharmacy, when we provide services involving protected health information (“PHI”). In these cases, we handle PHI in accordance with applicable Business Associate Agreements (BAAs) and are subject to HIPAA’s privacy and security rules.

Examples of PHI we may process as a business associate include:

  • Prescription fulfillment and delivery data
  • Insurance information
  • Prescription history shared by the pharmacy for operational purposes

10.2 When HIPAA Does Not Apply

Not all data processed through our Services is subject to HIPAA. For example:

  • When you use the NimbleRx platform directly as a consumer to browse services or contact support
  • When you provide information to us outside the context of a covered entity relationship (e.g., submitting a job application or requesting a product demo)
  • When you use non-clinical features (e.g., in-app reminders, survey tools, or browsing content)

In these situations, the information you provide may be governed by state consumer privacy laws instead of HIPAA.

Additionally, if you voluntarily provide NimbleRx with your own health information in a context where no covered entity is involved (e.g., describing symptoms to an AI assistant), that information may not be subject to HIPAA. We will not treat such submissions as creating a business associate relationship. However, we will still protect that data with the same care and security practices we apply to PHI.

10.3 De-Identified and Aggregated Data

We may create de-identified or aggregated information from health data for research, analytics, or business operations. We do not attempt to reidentify such data unless permitted by applicable law.

 

11. Children’s Privacy

NimbleRx does not knowingly collect personal information directly from children under the age of 13 without verified parental consent. Our Services are intended for use by adults, including parents and legal guardians who may manage prescriptions or care for dependents.

11.1 Parental Involvement

If a child under 13 interacts with our Services (e.g., through a parent’s account), any information provided must be submitted by or with the consent of a parent or legal guardian. If we learn that we have inadvertently collected personal information from a child without proper consent, we will take steps to delete it.

11.2 Minor Rights Under State Law

In some jurisdictions, including California, minors may have the legal right to access, control, or limit the disclosure of their own health information, even if they are under age 18. For example:

  • In California, minors age 12 or older may have rights to consent to and control certain health services (e.g., reproductive health, mental health, substance use treatment), and may request that their information not be shared with parents or guardians.
  • Other states may grant similar rights to minors for specific types of healthcare.

When required by law, we honor these rights and work with pharmacies and healthcare providers to implement privacy protections consistent with applicable regulations.

If you are a minor with privacy rights under your state’s laws—or if you are a parent or guardian with questions about such rights—you may contact us at privacy@nimblerx.com.

12. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

This means we may retain personal information:

  • For the duration of your relationship with NimbleRx
  • To comply with our legal, regulatory, or contractual obligations
  • To resolve disputes, enforce our agreements, or protect our rights
  • For internal business purposes such as auditing, analytics, fraud prevention, or security
  • In accordance with obligations under HIPAA or similar health privacy laws where applicable

We also consider factors such as:

  • The sensitivity and nature of the information
  • The potential risk of harm from unauthorized use or disclosure
  • Whether we can achieve the same purposes through other means

When we no longer need personal information, we securely delete, deidentify, or anonymize it in accordance with applicable law and our internal policies.

13. Safeguards and Security

We implement technical, administrative, and physical safeguards designed to protect the personal information we collect and process through our Services. These safeguards are intended to prevent unauthorized access, use, alteration, or disclosure of your data.

Key elements of our security program include:

  • Encryption: We use encryption protocols to protect data in transit and at rest, including secure HTTPS for web traffic and encryption of sensitive information such as PHI and payment details.
  • Access Controls: We maintain role-based access controls, enforce multi-factor authentication, and limit internal access to personal information based on job function and necessity.
  • Monitoring and Detection: Our systems are monitored for unauthorized access, vulnerabilities, and other security threats.
  • Security Policies and Training: We maintain comprehensive internal security policies and conduct regular employee training on data protection, including HIPAA and applicable privacy laws.
  • Vendor Oversight: We require our service providers to implement appropriate safeguards and to comply with applicable laws and contractual obligations regarding data security.
  • Incident Response: We maintain an incident response plan and are prepared to respond to security incidents in accordance with legal and regulatory requirements.

13.1 SOC 2 Type II Audit

NimbleRx undergoes an independent SOC 2 Type II audit on an annual basis. This audit evaluates the operational effectiveness of our internal controls related to security, availability, and confidentiality, providing third-party assurance of our data protection practices.

While we take reasonable and appropriate measures to safeguard personal information, no system can be guaranteed 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at privacy@nimblerx.com.

14. Your Privacy Choices and Rights

Depending on your location and the nature of your relationship with NimbleRx, you may have certain rights and choices regarding your personal information under federal and state privacy laws.

14.1 Your Privacy Rights

Subject to applicable law, you may have the following rights:

  • Right to Know and Access – You may request to know what personal information we collect, use, disclose, or retain about you, and receive a copy of that information.
  • Right to Correct – You may request that we correct inaccuracies in your personal information.
  • Right to Delete – You may request that we delete personal information we have collected from or about you, subject to applicable exceptions (e.g., to comply with legal obligations or complete a transaction).
  • Right to Data Portability – You may request a copy of your personal information in a structured, commonly used, and machine-readable format.
  • Right to Restrict or Object – In certain cases, you may request that we limit or stop specific uses of your personal information.
  • Right to Withdraw Consent – If we rely on your consent to process personal information, you may withdraw it at any time. Withdrawal will not affect the lawfulness of processing prior to withdrawal.
  • Right to Appeal – If we deny a rights request, you may appeal our decision by contacting us using the information below.
  • Right to File a Complaint – If you believe your rights under HIPAA or another privacy law have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by visiting www.hhs.gov/ocr/privacy/hipaa/complaints.

14.2 How to Exercise Your Rights

To exercise any of the rights listed above, please contact us by:

Email: privacy@nimblerx.com

Mail: Nimble Rx, Inc., 2317 Broadway, Suite 150, Redwood City, CA 94063

We may need to verify your identity before processing your request, and in some cases, we may request additional information to do so. You may also designate an authorized agent to submit a request on your behalf.

We will not discriminate against you for exercising your privacy rights.

14.3 Minor Rights

In some jurisdictions, minors may have independent rights to consent to health services and control the privacy of their health information. For example, California law grants certain privacy rights to minors age 12 and older for specific types of care. NimbleRx complies with these laws and, where required, will limit parental or guardian access to a minor’s health data.

15. Third-Party Sites and Services

Our Services may contain links to or integrations with third-party websites, mobile applications, content, or services that are not owned or operated by NimbleRx. These third parties may include pharmacies, healthcare platforms, payment processors, analytics providers, social media plugins, advertising partners, or other service providers.

15.1 No Control Over Third-Party Privacy Practices

We do not control and are not responsible for the privacy or security practices of third parties. This Privacy Policy does not apply to any information you provide directly to third parties or that is collected by them through their own sites or services.

We encourage you to review the privacy policies of any third-party service before interacting with them or sharing your information.

15.2 Navigation Away from NimbleRx

If you leave the NimbleRx environment—such as by clicking a link or embedded content that directs you to a pharmacy’s website, manufacturer page, or other third-party service—your use of that service is governed by the privacy policies and terms of the third party, not this Privacy Policy.

15.3 Embedded Tools and Content

We may integrate third-party features into our Services, such as payment gateways (e.g., Stripe), customer service widgets (e.g., Gladly), and analytics platforms (e.g., Google Analytics). These tools may use cookies, pixels, or similar technologies to collect information. For more details, see Section 4.2 (“Personal Information We Collect Automatically”).

16. International Visitors

NimbleRx is based in the United States, and our Services are primarily intended for use by individuals located in the U.S. If you access or use our Services from outside the United States, please be aware that your personal information may be transferred to, processed, and stored in the United States or other jurisdictions where our service providers operate.

These countries may not offer the same level of data protection as the laws of your home country. However, we take steps to ensure that your personal information is treated securely and in accordance with this Privacy Policy and applicable data protection laws.

If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom, and we transfer your personal information to a country that does not provide an adequate level of protection, we will rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or other lawful transfer mechanisms.

For more information about international data transfers or to request a copy of the relevant safeguards, please contact us at privacy@nimblerx.com.

17. Contact Information

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, you may contact us at:

Email: privacy@nimblerx.com

Mail: Nimble Rx, Inc., 2317 Broadway, Suite 1, Redwood City, CA 94063

We welcome your feedback and are committed to protecting your privacy.

© 2025 Nimble