Privacy Policy

Effective date: February 23, 2026

1. Information We Collect

We collect the following categories of information when you use HerbOS:

Account Information
• Email address, display name, and username provided during registration
• Professional credentials (if you apply for Professional tier verification)

Health-Related Data
• Herbs you track and follow
• Wellness logs and journal entries
• Medications you record for interaction checking
• For Professional tier: client records, protocols, and health data you enter on behalf of your clients

Usage Data
• Pages visited and features used
• Search queries within the Platform
• Device type, browser, and operating system
• Interaction with emails (open and click rates)

Payment Information
• Payment processing is handled entirely by our payment processor (Authorize.net)
• We do NOT store your full credit card number, CVV, or bank account details
• We receive only a partial card number (last 4 digits) and billing status from our payment processor

2. How We Use Your Information

We use your information for the following purposes:

Providing the Service
• Delivering personalized research feeds based on your tracked herbs
• Processing interaction checks with your recorded herbs and medications
• Generating wellness insights and tracking progress
• Managing your account and subscription

Communications
• Sending the weekly research digest to your email
• Delivering smart alerts for new studies and safety signals
• Sending account-related notifications (billing, security, feature updates)
• Responding to support requests

Platform Improvement
• Analyzing aggregate usage patterns to improve features
• Identifying and fixing bugs and performance issues
• Developing new features based on usage trends

Payment Processing
• Processing subscription payments and refunds through our payment processor
• Managing trial periods and billing cycles

3. Data Sharing

We do NOT sell your personal data. We never have and never will. We share data only with the following service providers, strictly for operating the Platform:
• Authorize.net — Payment processing. Authorize.net receives your payment information directly and is subject to PCI DSS compliance standards.
• Resend — Email delivery service for transactional emails, digests, and notifications.
• Supabase — Database hosting and authentication. All data is encrypted at rest using AES-256 encryption.

We do not share data with advertising partners, data brokers, or any other third parties. We do not use your health data for advertising purposes. We may disclose information if required by law, subpoena, or court order, or if necessary to protect the safety of our users or the public.

4. Client Data (Professional Tier)

If you are a Professional tier subscriber using practice management features:

Practitioner Responsibility
• You are the data controller for client data you enter into HerbOS
• You are responsible for obtaining appropriate consent from your clients
• You are responsible for your own compliance with applicable privacy laws and professional regulations in your jurisdiction

Data Isolation & Security
• Client data is strictly isolated per practitioner using Row Level Security (RLS) policies
• No practitioner can access another practitioner's client data
• Client portal access is controlled via time-limited tokens generated by the practitioner
• Client data is encrypted at rest and in transit

Data Portability
• Practitioners may export their client data at any time
• Upon account deletion, all associated client data is permanently removed on the timeline described in Section 5 (Data Retention)

5. Data Retention

• Account data is retained for as long as your account is active
• Upon account deletion request, we permanently delete your personal data within 30 days
• Anonymized, aggregate usage statistics may be retained indefinitely for Platform improvement
• Client portal tokens expire after 30 days and are automatically invalidated
• Payment records are retained as required by tax and accounting regulations
• Backup data is purged within 90 days of account deletion

6. Security

We take the security of your data seriously and implement the following measures:
• All data is encrypted in transit using HTTPS/TLS
• All data is encrypted at rest using AES-256 encryption
• Row Level Security (RLS) is enforced on all database tables, ensuring users can only access their own data
• Authentication tokens are securely managed with httpOnly cookies
• We conduct regular security reviews and dependency audits
• Access to production systems is restricted and logged
• We use Content Security Policy (CSP) headers to mitigate cross-site scripting (XSS) attacks

No system is 100% secure. If you discover a security vulnerability, please report it to security@herbos.app.
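Sections 4 and 6 both rest on Row Level Security for the "users can only access their own data" guarantee. The following is an added illustrative example, not HerbOS's actual schema or policies: it assumes a Supabase-hosted Postgres database, where auth.uid() returns the signed-in user's UUID from the request JWT and authenticated is the role assigned to signed-in users, and it uses a hypothetical public.clients table keyed by a practitioner_id column. It shows per-practitioner isolation policies for each operation and two checks that a reviewer would run against the claim that RLS is enforced on every table.

```sql
-- Added example (not HerbOS's schema). Assumes Supabase/Postgres: auth.uid() is the
-- caller's UUID from the JWT, and "authenticated" is the role for signed-in users.
-- Hypothetical table: one row per client record, owned by the practitioner who entered it.
create table if not exists public.clients (
  id              uuid primary key default gen_random_uuid(),
  practitioner_id uuid not null references auth.users (id),
  full_name       text not null,
  notes           text,
  created_at      timestamptz not null default now()
);

-- Step 1: enable RLS. Until this runs, no policy below is ever consulted.
alter table public.clients enable row level security;
-- Step 2: apply RLS to the table owner as well, so a migration or admin role that owns
-- the table cannot read across practitioners by accident.
alter table public.clients force row level security;

-- Step 3: one policy per operation. USING filters the rows a caller may see or act on;
-- WITH CHECK rejects inserts/updates that would assign a row to another practitioner.
create policy clients_select_own on public.clients
  for select to authenticated
  using (practitioner_id = auth.uid());

create policy clients_insert_own on public.clients
  for insert to authenticated
  with check (practitioner_id = auth.uid());

create policy clients_update_own on public.clients
  for update to authenticated
  using (practitioner_id = auth.uid())
  with check (practitioner_id = auth.uid());

create policy clients_delete_own on public.clients
  for delete to authenticated
  using (practitioner_id = auth.uid());

-- Check 1: any ordinary table in the exposed schema that still has RLS disabled.
-- "RLS is enforced on all tables" should make this return zero rows.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;

-- Check 2: tables with RLS enabled but no policy at all. Such a table denies every
-- row to non-bypass roles, so an empty result in the app can hide a missing policy.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and c.relrowsecurity
  and not exists (select 1 from pg_policy p where p.polrelid = c.oid);
```

Two caveats follow from how RLS works. First, the policies only bind roles that are subject to RLS; Supabase's service-role key connects with a role that bypasses RLS, so any server-side code using that key must enforce practitioner ownership in its own queries. Second, a policy with USING but no WITH CHECK on update still lets a caller reassign a row they can already see to another practitioner_id, which is why both clauses appear above.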

7. Your Rights

You have the following rights regarding your data:

Access Your Data
• You can view all personal data associated with your account from your settings page

Export Your Data
• You can export your herb tracking data, wellness logs, and account information

Delete Your Account
• You can request full account deletion from your settings page or by emailing privacy@herbos.app
• Account deletion is permanent and cannot be undone

Opt Out of Marketing
• You can unsubscribe from the weekly digest and promotional emails at any time via the unsubscribe link in any email or from your notification settings
• Account-related emails (billing, security alerts) cannot be opted out of while your account is active

If you are located in the European Economic Area (EEA), you may also have additional rights under the GDPR, including the right to rectification, restriction of processing, and data portability. Contact privacy@herbos.app to exercise these rights.

8. Cookies

HerbOS uses a minimal number of cookies:

Required Cookies
• Authentication session cookie — necessary to keep you signed in
• Maintenance bypass cookie — used during scheduled maintenance periods

Optional Cookies
• Theme preference — remembers your light/dark mode choice

We do NOT use third-party tracking cookies, advertising cookies, or analytics cookies from external providers. We do not use Google Analytics, Facebook Pixel, or any similar tracking tools.

9. Children’s Privacy

HerbOS is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@herbos.app and we will promptly delete the information. Users between 13 and 18 must have parental or guardian consent to use the Platform.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes via:
• Email notification to the address associated with your account
• A prominent notice on the Platform

The "Effective date" at the top of this page indicates when the policy was last revised. Your continued use of HerbOS after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or how we handle your data:
• General support: support@herbos.app
• Privacy-specific inquiries: privacy@herbos.app
• Website: herbos.app

12. California Consumer Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
• Right to Know — you may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete — you may request deletion of your personal information, subject to certain exceptions.
• Right to Correct — you may request correction of inaccurate personal information.
• Right to Opt-Out — you may opt out of the sale or sharing of your personal information. HerbOS does not sell your personal information.
• Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights.

To exercise your rights, contact us at privacy@herbos.app.

13. Washington My Health My Data Act (MHMDA)

If you are a Washington State resident, you have additional rights under the Washington My Health My Data Act (effective March 2024). HerbOS collects health-related data including herb protocol tracking data, wellness check-in data, and practitioner-client communications. You have the right to:
• Confirm whether we collect, share, or sell your consumer health data
• Access your consumer health data
• Withdraw consent for collection or sharing of your consumer health data
• Request deletion of your consumer health data
• Appeal our decisions regarding your rights requests

To exercise your rights under MHMDA, contact privacy@herbos.app.

14. Louisiana

Louisiana residents should be aware that Louisiana Revised Statutes 37:1360.21 et seq. regulate the practice of herbalism in Louisiana. HerbOS provides educational information only and does not constitute the practice of herbalism, naturopathic medicine, or any licensed healthcare profession. No practitioner-patient relationship is created by use of this platform.

15. State-Specific Disclaimers

Certain states have additional regulations governing the recommendation or sale of botanical and herbal products. If you are accessing HerbOS from Texas, New York, or any state with specific herbalism scope-of-practice laws, all content is provided for educational reference only. Consult a licensed healthcare provider in your state before beginning any herbal regimen.

16. International Users

HerbOS is operated from the United States. If you are accessing the platform from outside the United States, please be aware that your information may be transferred to and processed in the United States. For users in the European Union, HerbOS processes data in accordance with GDPR. For users in Canada, content is provided for educational purposes and does not constitute advice regulated under the Natural Health Products Regulations. Country-specific compliance sections will be expanded as HerbOS launches in additional markets.

17. Do Not Sell or Share My Personal Information

We do not sell, rent, or share your personal information with third parties for their direct marketing purposes. We do not sell personal information as defined under the California Consumer Privacy Act (CCPA/CPRA). We do not engage in "sharing" of personal information for cross-context behavioral advertising as defined by the CPRA. We do not use or disclose sensitive personal information for purposes other than providing the services you request. If you believe your data has been shared in error, contact privacy@herbos.app.

18. Limit Use of My Sensitive Personal Information

HerbOS collects certain categories of sensitive personal information, including health-related data (herbs tracked, wellness logs, medications recorded for interaction checking) and, for Professional tier users, client health records. We use sensitive personal information only to provide and improve the Platform services you have requested. We do not use sensitive personal information for advertising, profiling, or any purpose unrelated to the services. To request that we limit the use of your sensitive personal information, contact privacy@herbos.app.