Essos Privacy Policy
Effective Date: June 12, 2025
Last Updated: June 12, 2025
1. Introduction and Scope
At Essos, we are committed to protecting your privacy and maintaining the security of your personal information. This Privacy Policy explains how we collect, use, share, and protect your information when you use our platform to access global healthcare services, including our marketplace and financing solutions (which may be provided directly by Essos or through trusted financial partners).
This policy applies to all users of our services, including patients, healthcare providers, and other stakeholders who interact with our platform across all jurisdictions where we operate.
Our Commitment: We believe healthcare decisions are deeply personal. We are committed to transparency about our data practices and giving you meaningful control over your information.
2. Key Definitions
Personal Information: Any information that identifies, relates to, or could reasonably be linked with you
Health Information: Information about your medical history, procedures, treatments, and health status
Processing: Any operation performed on personal information, including collection, storage, use, and sharing
Third Parties: Organizations other than Essos that may receive your information
Services: Our marketplace platform, financing solutions (provided by Essos or financing partners), and related services
3. Information We Collect
3.1 Information You Provide Directly
Account and Profile Information:
Name, email address, phone number, date of birth
Government-issued identification for verification
Profile photos and biographical information
Communication preferences and language settings
Health and Medical Information:
Medical history and current health conditions
Procedure interests and consultations
Before and after photos (when you choose to share)
Medical records and documentation
Financial Information:
Payment method details (credit cards, bank accounts)
Billing and shipping addresses
Financial qualification information for financing applications
Transaction history and payment records
Credit-related information (collected directly or through financing partners, depending on our financing model)
Travel and Procedure Information:
Travel preferences and documentation
Procedure scheduling and coordination details
Accommodation and transportation arrangements
Emergency contact information
3.2 Information Collected Automatically
Device and Usage Information:
IP address, device identifiers, and browser information
Operating system and device characteristics
Pages visited, features used, and time spent on our platform
Search queries and interaction patterns
Location Information:
General geographic location (country/region level)
Precise location (only when you grant permission)
Travel-related location data for procedure coordination
Cookies and Tracking Technologies:
Essential cookies for platform functionality
Analytics cookies to improve our services
Marketing cookies for relevant advertising (with your consent)
Third-party tracking pixels and similar technologies
3.3 Information from Third Parties
Healthcare Providers and Clinics:
Medical assessments and consultation notes
Procedure outcomes and follow-up information
Quality ratings and safety assessments
Financial Partners:
Credit scores and financial verification data (when using third-party financing)
Payment processing and fraud prevention data
Verification Services:
Identity verification and background check results
Professional licensing and certification data (for providers)
Marketing and Analytics Partners:
Ad interaction data from social media platforms, search engines, display networks, video platforms, and other digital advertising channels
Demographic information and interest profiles from data brokers and marketing platforms
Conversion tracking and performance data from advertising campaigns across multiple channels and emerging platforms
4. How We Use Your Information
4.1 Primary Business Purposes
Marketplace Services:
Matching you with appropriate healthcare providers
Facilitating consultations and procedure bookings
Providing customer support and care coordination
Ensuring safety and quality standards
Financing Services:
Evaluating creditworthiness and loan eligibility (whether provided by Essos or financing partners)
Processing payments and managing financing accounts
Preventing fraud and ensuring regulatory compliance
Facilitating financing applications and approvals
4.2 Platform Improvement and Safety
Analyzing usage patterns to improve our services
Developing new features and functionality
Ensuring platform security and preventing fraud
Conducting safety and quality assessments
Personalizing your experience and recommendations
4.3 Communication and Marketing
Sending transactional notifications about your bookings
Providing customer support and responding to inquiries
Sharing relevant health and procedure information
Delivering targeted advertising based on your interests and behavior across multiple digital platforms and channels
Determining the effectiveness of promotional campaigns and marketing initiatives across various advertising networks
Requesting feedback about your experience with our services and providers
Marketing communications and promotional offers (with your consent)
Educational content about procedures and safety
4.4 Platform Improvement and Safety
Identifying usage trends to better understand how our services are used
Protecting our Services through fraud monitoring and security measures
Analyzing user behavior to enhance platform functionality
Conducting safety and quality assessments
4.5 Automated Decision-Making and Profiling
Automated Decisions with Legal or Significant Effects:
Credit and financing decisions for loan approvals and terms (whether processed by Essos or financing partners)
Risk assessments for procedure suitability and safety screening
Clinic matching algorithms that determine provider recommendations
Fraud prevention systems that may block transactions or accounts
Profiling Activities:
Creating user profiles based on health interests, procedure preferences, and behavior
Targeted advertising profiles for personalized marketing and ad delivery across multiple platforms and channels
Credit risk profiles for financing purposes
Usage pattern analysis to personalize your platform experience
Your Rights Regarding Automated Decisions:
Right to request human review of automated decisions
Right to challenge decisions that significantly affect you
Right to receive meaningful information about the logic involved
Right to opt-out where legally permissible
How We Ensure Fairness:
Regular testing for bias and discrimination
Human oversight of high-impact automated decisions
Clear appeals processes for disputed decisions
Transparency about factors considered in automated decisions
4.6 Legal and Regulatory Compliance
Complying with applicable healthcare regulations
Responding to legal requests and court orders
Protecting our rights and those of our users
Ensuring compliance with international data transfer requirements
5. How We Share Your Information
5.1 Healthcare Providers and Clinics
We share relevant health and contact information with healthcare providers to:
Facilitate consultations and procedure planning
Ensure continuity of care and proper follow-up
Enable providers to assess your suitability for procedures
Coordinate travel and accommodation arrangements
5.2 Financial Partners and Financing Services
Financing Model: Essos may provide financing solutions either directly or through partnerships with third-party financial institutions. The data sharing practices depend on the financing model used:
When financing is provided by Essos directly:
Credit assessment and payment processing are handled internally
Your financial information remains within Essos systems
No sharing with external financing partners for these purposes
When financing is provided through third-party partners:
Credit assessment and loan processing information may be shared with financing partners
Payment processing and account management data shared as needed
Fraud prevention and regulatory compliance data shared with financial institutions
Financial qualification and underwriting information shared for loan decisions
In both scenarios:
We maintain the same security standards and privacy protections
You retain all privacy rights outlined in this policy
Data sharing is limited to what's necessary for financing services
5.3 Service Providers and Vendors
The categories of third parties we may share personal information with are as follows:
Ad Networks - For targeted advertising and marketing campaigns across social media platforms, search engines, display networks, video platforms, and other digital advertising channels
Affiliate Marketing Programs - For referral and partnership programs across various marketing networks
AI Platforms - For automated decision-making and personalization
Cloud Computing Services - For data storage and platform hosting
Communication & Collaboration Tools - For customer support and team coordination
Data Analytics Services - For usage analysis and platform improvement
Data Storage Service Providers - For secure information storage
Finance & Accounting Tools - For payment processing and financial management
Order Fulfillment Service Providers - For procedure booking and coordination
Payment Processors - For transaction processing and fraud prevention
Performance Monitoring Tools - For platform optimization and security
Product Engineering & Design Tools - For platform development and maintenance
Retargeting Platforms - For personalized advertising campaigns across multiple advertising networks and platforms
Sales & Marketing Tools - For customer relationship management and marketing automation
Social Networks - For marketing and customer engagement across various social media platforms
Testing Tools - For platform quality assurance and improvement
User Account Registration & Authentication Services - For secure account management
Website Hosting Service Providers - For platform infrastructure and performance
5.4 Legal and Regulatory Disclosures
We may disclose your information when required by law or to:
Respond to subpoenas, court orders, or legal processes
Protect our rights, property, or safety
Investigate fraud or other illegal activities
Comply with healthcare reporting requirements
5.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.
6. International Data Transfers
As a global platform, we transfer your information across international borders to:
Facilitate healthcare services in your chosen destination
Process payments and provide financing globally
Ensure platform functionality and security worldwide
Transfer Safeguards:
Standard Contractual Clauses (SCCs) for EU data transfers
Adequacy decisions where available
Additional security measures for sensitive health data
Compliance with local data localization requirements
Specific Regions:
EU/EEA: Transfers comply with GDPR requirements
Canada: Transfers meet PIPEDA standards
Other Jurisdictions: Local privacy law compliance as applicable
7. Data Security and Protection
7.1 Technical Safeguards
End-to-end encryption for sensitive health data
Secure Socket Layer (SSL) encryption for all transmissions
Multi-factor authentication for account access
Regular security assessments and penetration testing
Secure cloud infrastructure with industry-leading providers
7.2 Organizational Safeguards
Employee training on privacy and security practices
Role-based access controls and need-to-know principles
Regular audit and monitoring of data access
Incident response procedures for security breaches
Privacy by design principles in system development
7.3 Healthcare-Specific Protections
HIPAA-compliant handling of US health information
Segregated storage for different data categories
Audit trails for all health data access
Secure deletion procedures for sensitive information
8. Cookies and Other Tracking Technologies
We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.
We also permit third parties and service providers to use online tracking technologies on our Services for analytics and advertising, including to help manage and display advertisements, to tailor advertisements to your interests, or to send abandoned shopping cart reminders (depending on your communication preferences).
Third-Party Analytics and Advertising: We may share your information with various analytics and advertising platforms to track and analyze the use of the Services and deliver targeted advertising. These may include but are not limited to:
Search Engine Analytics (such as Google Analytics, Microsoft Clarity)
Social Media Advertising Platforms (such as Facebook, Instagram, TikTok, LinkedIn, Twitter, Snapchat, Pinterest)
Display and Video Advertising Networks (such as Google Ads, Amazon DSP, programmatic advertising platforms)
Mobile Advertising Platforms (such as Apple Search Ads, Google Ads for mobile apps)
Streaming and Audio Platforms (such as Spotify, YouTube, podcast advertising networks)
Emerging Advertising Technologies and new platforms as they become available
Other Digital Marketing Platforms and advertising networks
Advertising Features: The advertising features we may use include remarketing, lookalike audiences, custom audiences, conversion tracking, demographic targeting, and other advertising capabilities across these platforms.
Opt-Out Options: To opt out of tracking by specific platforms:
Google Analytics: Visit https://tools.google.com/dlpage/gaoptout
Google Ads: Use Ads Settings and Ad Settings for mobile apps
Facebook/Meta: Use Facebook Ad Preferences
Other platforms: Visit the respective platform's privacy or ad settings pages
General opt-out: Visit http://optout.networkadvertising.org/ and http://www.networkadvertising.org/mobile-choice
For more comprehensive opt-out options, please refer to your browser settings, device privacy controls, and the individual privacy policies of advertising platforms. As new advertising platforms and technologies emerge, we may integrate them into our marketing efforts, and we will update our opt-out guidance accordingly.
To the extent these online tracking technologies are deemed to be a "sale"/"sharing" under applicable US state laws, you can opt out of these online tracking technologies as described below under "DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?"
9. Data Retention and Deletion
9.1 Retention Periods
Account Information: Retained while your account is active plus 7 years after closure
Health Information: Retained for 10 years after last procedure or as required by medical regulations
Financial Information: Retained for 7 years after last transaction for regulatory compliance
Marketing Information: Retained until you opt out or 3 years of inactivity
9.2 Deletion Practices
Secure deletion using industry-standard methods
Removal from backup systems within 90 days
Anonymization of research and analytics data
Compliance with healthcare record retention requirements
10. Minors and Parental Consent
We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services.
If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at privacy@essos.com.
11. Your Privacy Rights and Choices
11.1 Access and Control Rights
Right to Access: Request copies of your personal information
Right to Rectification: Correct inaccurate or incomplete information
Right to Erasure: Request deletion of your information (subject to legal requirements)
Right to Portability: Receive your information in a machine-readable format
Right to Object: Object to certain processing activities
11.2 Communication Preferences
Marketing Communications:
Opt out of promotional emails and notifications
Control frequency and types of communications
Separate preferences for health education vs. marketing
Essential Communications:
Transaction confirmations and booking updates
Safety notifications and recall information
Account security and fraud alerts
11.3 Cookie and Tracking Controls
Browser settings to manage cookies across all platforms
Platform-specific opt-out tools for analytics and advertising (Google, Facebook, TikTok, etc.)
Mobile device settings for location and app permissions
Industry opt-out tools (NAI, DAA) for multiple advertising networks
Device-level advertising controls (iOS, Android)
Account Information Management: If you would like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.
12. Do United States Residents Have Specific Privacy Rights?
In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information.
12.1 Categories of Personal Information We Collect
Category | Examples | Collected
A. Identifiers | Contact details, real name, postal address, telephone number, unique personal identifier, online identifier, Internet Protocol address, email address, account name | YES
B. Personal information (California Customer Records statute) | Name, contact information, education, employment, employment history, financial information | YES
C. Protected classification characteristics | Gender, age, date of birth, race and ethnicity, national origin, marital status, demographic data | NO
D. Commercial information | Transaction information, purchase history, financial details, payment information | YES
E. Biometric information | Fingerprints and voiceprints | NO
F. Internet or network activity | Browsing history, search history, online behavior, interest data, interactions with websites and applications | YES
G. Geolocation data | Device location | YES
H. Audio, electronic, sensory information | Images and audio, video or call recordings created in connection with our business activities | YES
I. Professional or employment information | Business contact details, job title, work history, professional qualifications | NO
J. Education Information | Student records and directory information | NO
K. Inferences drawn from collected personal information | Inferences drawn from collected personal information to create profiles about preferences and characteristics | YES
L. Sensitive personal Information | Account login information, contents of email or text messages, debit or credit card numbers, drivers' licenses, and health data | YES
12.2 Your Rights
You have rights under certain US state data protection laws, including:
Right to know whether or not we are processing your personal data
Right to access your personal data
Right to correct inaccuracies in your personal data
Right to request the deletion of your personal data
Right to obtain a copy of the personal data you previously shared with us
Right to non-discrimination for exercising your rights
Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects
12.3 How to Exercise Your Rights
To exercise these rights, you can contact us by submitting a data subject access request, by emailing us at privacy@essos.com, or by referring to the contact details at the bottom of this document.
Request Verification: Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system.
Appeals: Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at privacy@essos.com.
13. International Privacy Rights
13.1 European Union (GDPR)
Legal basis for processing: Consent, contract performance, legitimate interests, legal obligations
Right to lodge complaints with supervisory authorities
Automated decision-making disclosures: Right not to be subject to purely automated decision-making with legal or significant effects
Right to explanation: Meaningful information about automated decision logic and consequences
13.2 Canada (PIPEDA)
Complaint procedures through Privacy Commissioner
Consent requirements for sensitive health information
Additional protections for cross-border transfers
14. Special Considerations
14.1 Minors and Parental Consent
Users must be 18 or older to create accounts
Parental consent required for users under 18 with legal guardian involvement
Enhanced protections for any minor-related information
14.2 Sensitive Health Conditions
Additional consent for mental health information
Special handling for reproductive health data
Enhanced security for addiction-related treatments
14.3 Emergency Situations
Limited disclosure for medical emergencies
Coordination with emergency contacts and healthcare providers
Compliance with emergency care regulations
15. Contact Information and Requests
15.1 Privacy Officer Contact
Email: privacy@essos.com
Phone: +1-516-754-1138
Mail: Essos Privacy Officer, 401 Broadway, Suite 1610, New York, New York 10013-3002
15.2 Request Procedures
Response Time: 30 days for most requests (45 days for complex requests)
Verification: Identity verification required for all requests
Appeals: Contact our Privacy Officer if unsatisfied with our response
15.3 Regulatory Contacts
EU Residents: Contact your local Data Protection Authority
California Residents: Contact the California Attorney General
Canadian Residents: Contact the Privacy Commissioner of Canada
16. Updates to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will:
Post the updated policy on our website
Notify you of material changes via email or platform notification
Provide 30 days' notice before material changes take effect
Obtain additional consent where required by law
Version History: Previous versions available upon request
17. Additional Resources
Health Information Security: Learn more about how we protect your health data
International Compliance: Information about our global privacy practices
Security Center: Current security measures and best practices
Transparency Reports: Regular reports on government requests and compliance
This Privacy Policy is designed to be comprehensive while remaining accessible. Our financing services may be provided directly by Essos or through trusted financial partners, and our data practices are designed to protect your privacy regardless of the financing model used. If you have questions about any section, please contact our Privacy Officer for clarification.