Consumer Health Data Privacy Policy

This Policy is published in compliance with the Washington My Health My Data Act (RCW 19.373).

1. Introduction

This Consumer Health Data Privacy Policy ("CHD Policy") describes how Jaxson Software LLC, a Washington limited liability company ("Jaxson," "we," "us," or "our"), handles Consumer Health Data under the Washington My Health My Data Act ("MHMDA").

This CHD Policy supplements our general Privacy Policy. Where a conflict exists between the two policies with respect to Consumer Health Data of Washington residents, this CHD Policy controls.

Important note on scope. Most information Jaxson processes on behalf of dental practice customers is Protected Health Information ("PHI") governed by the Health Insurance Portability and Accountability Act ("HIPAA") and covered by a Business Associate Agreement. PHI processed under HIPAA is expressly excluded from the definition of Consumer Health Data under MHMDA (RCW 19.373.010(8)(b)). This CHD Policy therefore primarily addresses a narrow set of data flows that are not HIPAA-regulated — for example, information voluntarily disclosed by Washington consumers through our marketing website or during pre-contract discussions.

2. Who This Policy Applies To

This CHD Policy applies to Washington consumers whose Consumer Health Data Jaxson collects, processes, shares, or sells. A "Washington consumer" is a natural person who is a Washington resident, or a natural person whose Consumer Health Data is collected in Washington.

This CHD Policy does not apply to personal information that is PHI covered by HIPAA, to deidentified data, or to publicly available information — each as defined by MHMDA.

3. Categories of Consumer Health Data We Collect

Jaxson may collect the following categories of Consumer Health Data from or about Washington consumers:

• Health condition and treatment information voluntarily disclosed by a consumer (for example, if a prospective customer includes a health-related description in a marketing-site contact form submission or during a demo request).
• Consumer-provided information about use of health services voluntarily disclosed (for example, if a consumer describes seeking or using specific health-related services in a support or contact message).
• Information that we derive or extrapolate from non-health information to identify a consumer's health status — this is not a category we currently intend to process, and we do not use AI or analytic techniques to infer health status from non-health data.

Jaxson does not collect the following categories of Consumer Health Data from Washington consumers outside the HIPAA-covered context:

• biometric data,
• genetic data,
• precise geolocation data,
• reproductive or sexual health information (outside of PHI covered by HIPAA),
• gender-affirming care information (outside of PHI covered by HIPAA),
• prescription medication data (outside of PHI covered by HIPAA).

4. Sources of Consumer Health Data

We collect Consumer Health Data from the following sources:

• Directly from consumers who voluntarily provide information through our marketing website (https://jaxson.io), contact forms, demo request forms, email correspondence, or support interactions.
• From our practice customers who authorize Jaxson to process information on their behalf under a Business Associate Agreement — this information is generally PHI governed by HIPAA and therefore outside the scope of MHMDA.

We do not purchase Consumer Health Data from data brokers or third-party data suppliers.

5. Purposes for Collecting and Using Consumer Health Data

To the limited extent Jaxson collects Consumer Health Data subject to MHMDA, we use it solely for the following purposes:

• responding to the specific inquiry, request, or support need the consumer has initiated;
• providing the product or service the consumer has specifically requested;
• communicating with the consumer about the foregoing;
• detecting and preventing fraud, abuse, and security incidents;
• complying with legal obligations and enforcing our agreements.

We do not use Consumer Health Data to train artificial intelligence models. We do not use Consumer Health Data for targeted advertising. We do not use Consumer Health Data for any secondary purpose without the consumer's affirmative consent.

6. Categories of Consumer Health Data We Share

We do not sell Consumer Health Data. We do not share Consumer Health Data with third parties for targeted advertising, for any marketing purpose, or in exchange for any form of consideration.

To the limited extent we share Consumer Health Data, we share only with processors and service providers who perform functions on our behalf, strictly to provide the services Jaxson provides and bound by written contractual data-protection obligations.

7. Categories of Third Parties and Specific Affiliates

The categories of third parties (and specific affiliates) with whom we may share Consumer Health Data, in each case strictly as processors/service providers under contractual restrictions, are:

• Cloud infrastructure, AI inference, and transactional email — Amazon Web Services, Inc. (compute, storage, AI inference through Amazon Bedrock, identity, CDN, and transactional email delivery via Amazon Simple Email Service), under an executed HIPAA Business Associate Addendum covering the relevant services. Health content is not routinely included in transactional email but may appear if a consumer includes it in correspondence we then store or relay.
• Payment processor — Stripe, Inc. (processes billing information only; does not receive Consumer Health Data in the normal course).
• Connected-source integrations — when a customer activates a third-party content integration, file metadata and content the customer specifically authorizes is shared with the integration provider — currently Google LLC (Google Drive) or Microsoft Corporation (Microsoft 365 / SharePoint / OneDrive). Connected-source integrations are activated only at the customer's election; absent activation, no data flows to either provider.
• Marketing-site and account-creation analytics — PostHog, Inc., deployed on our marketing website at https://jaxson.io and on our pre-authentication account-creation page at https://app.jaxson.io/register. PostHog is not deployed inside the authenticated areas of the Jaxson application; form field contents (name, email, password, billing address) are excluded from collection by configuration, and PostHog does not, in the normal course, receive Consumer Health Data.

We may also disclose Consumer Health Data:

• where required by law, legal process, or a valid governmental request;
• to protect the rights, property, or safety of Jaxson, our customers, or others;
• in connection with a merger, acquisition, reorganization, or sale of assets, subject to this CHD Policy (or a successor policy with equivalent protections).

Jaxson has no affiliates at this time. If affiliates are added, they will be disclosed in an updated version of this Policy.

8. Your Rights Under MHMDA

As a Washington consumer, you have the following rights with respect to your Consumer Health Data:

8.1 Right to confirm and access. You have the right to confirm whether Jaxson is collecting, sharing, or selling your Consumer Health Data and to access such data, including a list of all third parties and affiliates with whom Jaxson has shared or sold your data and an active email address or other online mechanism to contact those third parties.

8.2 Right to withdraw consent. You have the right to withdraw consent from Jaxson's collection and sharing of your Consumer Health Data.

8.3 Right to deletion. You have the right to have your Consumer Health Data deleted. Upon receiving a verified deletion request, Jaxson will delete the consumer's Consumer Health Data from our records and notify all affiliates, processors, contractors, and other third parties with whom Jaxson has shared the Consumer Health Data of the deletion request.

8.4 Right to appeal. If Jaxson denies your rights request, you have the right to appeal our decision. See Section 9.3 for the appeal process.

9. How to Exercise Your Rights

9.1 Submitting a request. To exercise any of the rights described in Section 8, send a written request to:

Email: privacy@jaxson.io Mail: Jaxson Software LLC, Attn: Privacy Officer, c/o Northwest Registered Agent, 522 W Riverside Ave, Ste N, Spokane, WA 99201

Your request should include:

• your full name;
• a working email address or other reliable means to communicate with you;
• a clear description of the right you wish to exercise;
• sufficient information for Jaxson to verify that you are the consumer (or authorized agent of the consumer) whose data is at issue.

9.2 Response time. Jaxson will respond to your request within forty-five (45) days after receipt. This period may be extended once by an additional forty-five (45) days where reasonably necessary, taking into account the complexity and number of requests, provided that we notify you of the extension and the reason within the initial 45-day period.

9.3 Appeal process. If Jaxson denies your rights request in whole or in part, you may appeal by emailing privacy@jaxson.io with "MHMDA Appeal" in the subject line. Jaxson will respond to your appeal within forty-five (45) days of receipt, explaining in writing the reasons for any decision. If Jaxson denies the appeal, we will provide you a method to contact the Washington State Attorney General to file a complaint.

9.4 Authorized agents. You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authority and may require you to verify your own identity directly before we act on the request.

9.5 No discrimination. Jaxson will not discriminate against you for exercising your rights under MHMDA.

10. Sale of Consumer Health Data

Jaxson does not sell Consumer Health Data. If this ever changes in the future, Jaxson will first obtain the consumer's valid authorization as required by MHMDA (RCW 19.373.040) and update this Policy before any sale occurs.

11. Retention

Jaxson retains Consumer Health Data only as long as reasonably necessary to fulfill the purpose for which it was collected, to comply with legal obligations, or to resolve disputes and enforce our agreements. General retention practices are described in our Privacy Policy.

12. Data Security

Jaxson implements administrative, physical, and technical safeguards designed to protect Consumer Health Data. These safeguards are described in our Privacy Policy and are at least consistent with the requirements of MHMDA.

13. Geofencing

Jaxson does not use geofencing to identify or track a consumer seeking health care services, to collect Consumer Health Data from a consumer, or to send notifications to a consumer regarding health care services or products based on location.

14. Changes to This Policy

We may update this CHD Policy from time to time. Material changes will be communicated by posting the updated CHD Policy on our website with an updated "Last Updated" date. We will provide at least thirty (30) days' advance notice before material changes take effect, except where a shorter notice period is necessary to address a security, legal, or regulatory issue.

15. Contact

Jaxson Software LLC Attn: Privacy Officer c/o Northwest Registered Agent 522 W Riverside Ave, Ste N Spokane, WA 99201 Email: privacy@jaxson.io

Complaints regarding Jaxson's handling of Consumer Health Data may also be directed to the Washington State Attorney General:

Washington State Office of the Attorney General https://www.atg.wa.gov/file-complaint