Legal & Privacy Center

Last Updated: January 2026

Smirk Health partners with Chubb Group of Insurance Companies to administer certain insurance products. The following notices explain how Chubb protects your information and outline your rights under applicable federal and state laws, followed by Smirk Health’s own Privacy, Terms, and Refund policies.

Chubb DNC Policy

The term “Chubb” as used herein, means those insurers doing business in the United States that are directly or indirectly owned by Chubb Limited.

Chubb does not place marketing telephone calls (which for purposes of this Policy include text messages) to numbers appearing on a state or federal Do Not Call list (unless permitted by applicable law) or to the number of a person who has requested not to receive telemarketing calls made by or on behalf of Chubb.

If you ask not to receive telemarketing calls from us, you will be placed on our internally-maintained Do Not Call list and will not be called during any future telemarketing campaigns within the next five years (or any longer period required by applicable law). Any request to be placed on our internally-maintained Do Not Call list will be processed within a reasonable amount of time, not to exceed 30 days (or any shorter period required by applicable law).

Chubb employees receive training on how to use our internally-maintained Do Not Call list; how to document, process and honor requests to be placed on its internally-maintained Do Not Call list; and proper identification during telemarketing calls. Chubb requires any third party that initiates telemarketing calls on Chubb’s behalf to comply with this policy.

We reserve the right to revise this Do Not Call Policy.

Chubb Fraud Notice

Fraud Notice: “Any person who knowingly and with intent to defraud any insurance company or other person files an application for insurance or statement of claim containing any materially false information or conceals for the purpose of misleading, information concerning any fact material thereto, commits a fraudulent insurance act, which is a crime and shall also be subject to criminal and civil penalties.”

Notice of HIPAA Privacy Practices for Protected Health Information

Effective Date: December 16, 2025

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

I. Notice of PHI Uses and Disclosures

A. Required Uses and Disclosures

  • Upon your request, the Company is required to give you access to certain PHI in order to inspect and copy it.
  • Use and disclosure of your PHI may be required by the Secretary of Health and Human Services to investigate or determine the Company's compliance with the privacy regulations.

B. Uses and Disclosures to Carry Out Treatment, Payment, and Health Care Operations

The Company and its business associates will use PHI without your consent, authorization, or opportunity to agree or object to carry out the following:

  • Treatment: Provision, coordination, or management of health care and related services, including consultations and referrals.
  • Payment: Actions to make coverage determinations and payment, such as claims management and pre-authorizations.
  • Health Care Operations: Underwriting, premium rating, case management, legal services, and auditing functions.
  • Note: The Company will not use or disclose PHI that is genetic information for underwriting purposes.

C. Uses and Disclosures that Require Your Written Authorization

The Company will not use or disclose your PHI for the following purposes without your specific, written authorization:

  • Use and disclosure of psychotherapy notes, except for treatment, training, or legal defense.
  • Use and disclosure for marketing purposes, except for face-to-face communications.
  • Use and disclosure that constitute the sale of your PHI.

D. Uses and Disclosures for which Consent or Authorization is Not Required

The Company may disclose PHI without your authorization in circumstances including:

  • When required by law.
  • For public health activities, such as reporting product defects or communicable diseases.
  • To report information about abuse, neglect, or domestic violence.
  • For judicial or administrative proceedings, such as in response to a subpoena.
  • For law enforcement purposes, to coroners, or for organ procurement.
  • To prevent a serious and imminent threat to health or safety.
  • For workers' compensation or government functions like national security.

II. Rights of Individuals

  • Right to Request Restrictions: You may request restrictions on the use and disclosure of your PHI for treatment, payment, or health care operations. The Company is not required to agree unless you have paid out of pocket in full.
  • Right to Inspect and Copy PHI: You have a right to inspect and obtain a copy of your PHI contained in a "designated record set" for as long as the Company maintains it.
  • Right to Amend PHI: You have the right to request the Company amend your PHI in a designated record set.
  • Right to Receive an Accounting of PHI Uses and Disclosures: You may request an accounting of disclosures made during the six years prior to your request, excluding those for treatment, payment, or operations.
  • Right to Obtain a Paper Copy: You may obtain a paper copy of this notice upon request, even if you consented to receive it electronically.

III. The Company's Duties

The Company is required by law to maintain the privacy of PHI, provide notice of its legal duties, and notify affected individuals of a breach of unsecured PHI. When using or disclosing PHI, the Company will make reasonable efforts to use only the minimum amount of PHI necessary to accomplish the intended purpose.

IV. Contact Information and Complaints

If you believe your privacy rights have been violated, you may file a complaint with the Company or the U.S. Department of Health and Human Services (HHS).

Company Contact:
North America Chief Privacy Officer, Chubb Group
202 Hall's Mill Road, Whitehouse Station, NJ 08889
Phone: 1-833-324-9798
Email: naprivacyoffice@chubb.com

HHS Contact:
Centralized Case Management Operations, U.S. Department of Health and Human Services
200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201
Email: OCRComplaint@hhs.gov

The Chubb Group of Companies, as affiliated covered and hybrid entities, (the "Company") is required by law to take reasonable steps to ensure the privacy of your personally identifiable health information, and to inform you

▪ The Company's uses and disclosures of Protected Health Information ("PHI");
▪ Your privacy rights with respect to your PHI;
▪ The Company's duties with respect to your PHI;
▪ Your right to file a complaint with the Company and to the Secretary of the U.S. Department of Health and Human Services (“Secretary of Health and Human Services” or "HHS"); and
▪ The person or office to contact for further information regarding the Company's privacy practices.

PHI includes all individually identifiable health information transmitted or maintained by the Company, regardless of form (e.g., oral, written, electronic).

A federal law, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), regulates PHI use and disclosure by the Company. You may find these rules at

I. Notice of PHI Uses and Disclosures

This notice summarizes the regulations. The regulations will supersede any discrepancy between the information in this notice and the regulations.

A. Required Uses and Disclosures

Upon your request, the Company is required to give you access to certain PHI in order to inspect and copy it.

Use and disclosure of your PHI may be required by the Secretary of Health and Human Services to investigate or determine the Company’s compliance with the privacy regulations.

B. Uses and Disclosures to Carry Out Treatment, Payment, and Health Care Operations

The Company and its business associates will use PHI without your consent, authorization or opportunity to agree or object to carry out treatment, payment and health care operations. The Company may also disclose PHI to a plan sponsor for purposes related to treatment, payment and health care operations and as otherwise permitted under HIPAA to the extent the plan documents restrict the use and disclosure of PHI as required by HIPAA.

is not limited to, consultations and referrals between one or more of your providers. For example, the Company may disclose to a treating orthodontist the name of your treating dentist so that the orthodontist may ask for your dental X-rays from the treating dentist.

Payment includes, but is not limited to, actions to make coverage determinations and payment (including establishing employee contributions, claims management, obtaining payment under a contract of reinsurance, utilization review and pre-authorizations). For example, the Company may tell a doctor whether you are eligible for coverage or what percentage of the bill will be paid by the Company.

Health care operations include, but are not limited to, underwriting, premium rating and other insurance activities relating to creating or reviewing insurance contracts. It also includes disease management, case management, conducting or arranging for medical review, legal services and auditing functions including fraud and abuse compliance programs, business planning and development, business management and general administrative activities. For example, the Company may use information about your claims to refer you to a disease management program, project future benefit costs or audit the accuracy of its claims processing functions. The Company will not use or disclose PHI that is genetic information for underwriting purposes.

The Company also may contact you to provide appointment reminders or information about treatment alternatives or health-related benefits and services that may be of interest to you.

C. Uses and Disclosures that Require Your Written Authorization

The Company will not use or disclose your PHI for the following purposes without your specific, written authorization:

▪ Use and disclosure of psychotherapy notes, except for your treatment, Company training programs, or to defend the Company against litigation filed by you.
▪ Use and disclosure for marketing purposes, except for face to face communications with you or otherwise permitted by HIPAA.
▪ Use and disclosure that constitute the sale of your PHI. The Company does not sell the PHI of its customers.

D. Uses and Disclosures Requiring Authorizations or Opportunity to Agree or Disagree Prior to the Use or Release

Except as otherwise indicated in this notice, uses and disclosures of PHI will be made only with your written authorization subject to your right to revoke such authorization. You may revoke an authorization by submitting a written revocation to the Company at any time. If you revoke your authorization, the Company will no longer use or disclose your PHI under the authorization. However, any use or disclosure made in reliance of your authorization before its revocation will not be affected.

Chubb Electronic Transactions Terms & Conditions

Please carefully read the following terms and conditions applicable to this Voluntary Consent to Electronic Transactions, Signature and Payments. Your consent to electronic transactions, signature and payments is voluntary.

VOLUNTARY CONSENT TO ELECTRONIC TRANSACTIONS, SIGNATURE AND PAYMENTS

1. ELECTRONIC TRANSACTIONS

TYPE OF ELECTRONIC TRANSACTIONS SUBJECT TO THIS CONSENT

ACE Property and Casualty Insurance Company, a Chubb Company, and its affiliated insurers in the Chubb Group (collectively, “Chubb” or “us”) are required by law to provide its policyholders with certain documents, notices and payments related to any policy you may have with us. In an effort to streamline how you do business with us, we are providing you with the option of receiving these documents, notices and acknowledgements electronically. These documents may include, but are not limited to, the following:

✓ Policy(s) documents, forms, and endorsements
✓ Policyholder notices
✓ Selection/Rejection Forms
✓ Invoices
✓ Acknowledgements of claims
✓ Cancellation and Non-renewal Notices
✓ Premium Increase Notices or Conditional Renewal Notices
✓ State required notices, such as privacy notices and disclosures
✓ Claim notices, including explanation of benefits, proof of loss, claims documentation, releases, authorizations to obtain medical records, affidavits, and disclosures, to the extent permitted by law

The delivery of insurance and claims-related documents to you electronically, rather than sending paper copies, does not affect the validity, legal effect or enforceability of these insurance or claims-related documents. While we reserve the right to modify the terms of this Consent, we will not do so without first providing you with notice of any changes. The modified terms will apply to your insurance policy(s) and claims transactions, and will be binding on you unless you withdraw your agreement to this Voluntary Consent to Electronic Transactions, Signature and Payments.

METHOD OF DELIVERY

We may make electronic documents available to you by posting them to our secure Chubb portal: https://portal.ahenroll.chubb.com, or we may send them via e-mail whether as text in, attachments to, and/or hyperlinks from, such emails to the email address that you provide to us. If you cannot access an electronic document, please send an email to chubbservice@90degreebenefits.com. Please note that, in some states, we may be required under existing state law, to send paper notices to you (e.g. cancellation, non-renewal or premium increase notices), in addition to any electronic notices we may send you, in order for such notices to become effective. Otherwise, if you live in a state where paper notices are not required to be sent, we will only send notices to you electronically.

WITHDRAWAL OF CONSENT

You may withdraw your consent to electronic delivery by providing notice to us at any time. If you provide such notice of your intent to withdraw consent, withdrawal will not become effective until seven (7) days after our receipt of such notice.

Your withdrawal will not affect or change in any way the legal effectiveness, validity or enforceability of any documents that were delivered to you electronically before your withdrawal became effective.

To withdraw consent, please email chubbservice@90degreebenefits.com. In the subject header of the e-mail, please indicate “Withdrawal of Consent” and include your policy(s) number.

If you choose to receive certain insurance documents in paper format, it will reduce the speed at which we can complete certain transactions concerning your policy as we are then dependent on the U.S. Postal Service for delivery of your requests and our responses back to you. If you choose this option, we will be required to send your insurance related documents to the mailing address you provided.

REQUEST FOR ADDITIONAL COPIES

While you can choose to print and save any of your electronic insurance policy documents, we also want you to know that you may request a paper or electronic copy of any insurance policy documents or records from us at no additional charge, at any time. Please send an e-mail to chubbservice@90degreebenefits.com.

In the subject header of the e-mail, please indicate “Policy Reprint” and include your policy(s) number.

In the body of the e-mail please provide us with the particular notice or document you are requesting and the manner in which you’d like it sent.

UPDATING CONTACTS AND OTHER NOTICES, REQUESTS AND INQUIRIES

Please keep us up to date with how we may best contact you electronically. If you wish to correct or update your email address from what was previously provided you may do so at any time. To update your information, please email chubbservice@90degreebenefits.com with your details.

All requests, notices and other communications from you under this Consent must be made to us in writing (including via email) to chubbservice@90degreebenefits.com or you can make a request by phone by contacting us at 1-800-239-3503.

If you fail to log into your account during a 12-month period or if we have reason to believe your email address is no longer valid, we will contact you by US mail to ensure we have the correct information on file.

2. CONSENT TO ELECTRONIC PAYMENT

You have the option to receive all covered claim payments as an electronic payment via automated clearing house (direct) deposit into your checking account. Chubb will not impose any fees on you for choosing to accept your payments electronically, but your financial institution may impose a fee or charge. By checking the “I agree” box below, you are accepting this offer and consenting to accept your claim payments electronically. Agreeing to this method of receiving your claim payments is voluntary. Your payments received through electronic transfer may be subject to attachment or garnishment if your account is subject to the same. Once you submit a claim to us, and we accept it for payment, you will receive an email with a link to set up an account and provide the routing and account number for the bank or other account where you wish the funds be deposited. Except as noted below, if you do not set up an account and provide the account information within three (3) days, we will automatically issue the payment via check mailed to the address on file.

Some claims under certain portions of your policy, may be subject to automatic payment upon a loss. In this event, to the extent permitted by law, payment of your claim will be made automatically to the account or credit card you have provided us upon issuance of your policy (the “payment account”). You may change your payment account at any time by notifying us at chubbservice@90degreebenefits.com or logging into your account at https://portal.ahenroll.chubb.com.

Unclaimed funds are subject to the applicable laws concerning unclaimed property.

3. CONSENT TO ELECTRONIC SIGNATURE

You also agree that your electronic signature is the legal equivalent of your manual signature on this document and on the documents noted in this Consent. You further agree that your use of a key pad, mouse or other device to select an item, button, icon or similar act/action, or to otherwise agree, acknowledge, consent, opt-in, or certify to this consent and any of the above documents constitutes your signature, acceptance and agreement as if manually signed by you in writing. You agree that no certification authority or other third-party verification is necessary to validate such signature, and that the lack of such certification or third-party verification will not in any way affect the enforceability of such signature or any such document. You represent that you will be bound by the terms of this Consent. This Voluntary Consent to Electronic Transactions, Signature and Payment is effective until withdrawn by you. Doing business electronically will not affect the validity, legal effect or enforceability of any of your transactions with Chubb.

4. HARDWARE AND SYSTEM REQUIREMENTS

In order to receive, access, view, sign and retain electronic transmissions that we make available to you, you will need a personal computer or electronic device with internet connectivity and each of the following:

Browsers: The latest stable release (except where noted) of the following browsers: Chrome, Firefox, Safari (Mac OS X only), Internet Explorer 11+

PDF Reader: Acrobat Reader® or similar software may be required to view and print PDF files

Screen Resolution: 1024 x 768 minimum (for desktops and laptops)

Enabled Security Settings: Allow per session cookies

We will notify you if these requirements change.

5. CLICKING “I AGREE”

By agreeing to this Voluntary Consent to Electronic Transactions, Signature and Payments, including the terms and conditions set forth in this document, you are giving us your consent to allow Chubb to deliver all documents, notices and claim payments relating to your insurance policy(s) electronically rather than by any other method of delivery (such as paper). If you need any assistance following the transaction, please send an email to chubbservice@90degreebenefits.com. You specifically acknowledge, as part of your clicking “I agree” that certain documents to be delivered electronically will contain confidential information and information regarding your personal financial matters (“Personal Financial Information”) and other personally identifiable information, and consent to the delivery of such confidential information, Personal Financial Information and personally identifiable information by electronic means.

This Consent will remain in effect until you withdraw it.

ACKNOWLEDGEMENT TO RECEIVE NOTICES, DOCUMENTS AND PAYMENTS ELECTRONICALLY

By agreeing to the terms and conditions in this Consent, you are confirming that your computer or electronic device meets the system requirements necessary to print, store and receive documents electronically and that you may be able to access such documents for future reference. By checking the “I Agree” box I confirm that:

• I AGREE TO RECEIVE ALL MAILINGS, NOTICES, COMMUNICATIONS, DOCUMENTS AND CLAIM PAYMENTS ELECTRONICALLY;

• I can access and read this VOLUNTARY CONSENT TO ELECTRONIC TRANSACTIONS, SIGNATURE AND PAYMENTS document; and

• I can print on paper this document or save or send this document to a place where I can print it, for future reference and access.

Trade Sanction Disclosure

I understand that once I have completed the enrollment process, it will be subject to underwriting verification by the Insurance Company. This offer is not binding to the extent that the United States or economic sanctions or other laws or regulations prohibit (Federal Insurance Company, a Chubb Company)/(ACE American Insurance Company) from offering or providing insurance. To the extent any such prohibitions apply, this offer is void ab initio.

Smirk Privacy Policy

Effective Date: January 1, 2025
Updated Date: May 18, 2026

Smirk Health (“Smirk,” “we,” “us,” or “our”) is committed to protecting your privacy and handling your
information in a transparent and responsible manner. This Privacy Policy describes how we collect, use,
disclose, and safeguard your information when you access or use our website, applications, products,
and services (collectively, the “Services”).

Depending on how you interact with the Services, the information we collect may include both general
personal information and Protected Health Information (“PHI”) governed by the Health Insurance
Portability and Accountability Act of 1996 (“HIPAA”). When information constitutes PHI, we handle it in
accordance with HIPAA and other applicable laws.

We collect and use information only as necessary to operate the Services, administer your coverage,
facilitate payments, and provide a reliable and understandable experience. By accessing the Services or
enrolling in a plan, you acknowledge that you have read this Privacy Policy.

1. Scope and Applicability

This Privacy Policy applies to information collected through the Services and in connection with
enrollment, coverage, benefits administration, and related services. Depending on the context, Smirk
may act as a covered entity, a business associate, or a service provider handling general personal
information. Different legal requirements may apply based on the role we are performing and the
nature of the information at issue.

This Privacy Policy is intended to address applicable federal and state privacy requirements, including
HIPAA, the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), the
Washington My Health My Data Act, Texas medical privacy requirements including Texas HB 300, and
other applicable state consumer privacy laws.

2. Information We Collect

We collect information about you in several ways depending on how you interact with our Services.

Personal Information

When you register for an account, enroll in a plan, or interact with us, we may collect identifying
information such as your name, email address, phone number, mailing address, date of birth,
demographic information, and payment details. This information is necessary to create and manage
your account, process transactions, and communicate with you.

Dependent and Family Enrollment Information

When policyholders enroll dependents or family members for coverage, we collect information relating
to those individuals, which may include names, dates of birth, gender, relationship information, and
coverage-related information. This information is collected from the policyholder or authorized
representative solely for enrollment, eligibility verification, coverage administration, claims processing,
and related operational purposes.

Protected Health Information (PHI)

In connection with the Services, we may collect, create, receive, or maintain information that relates to
your physical or mental health, health care services, or payment for health care. This may include
benefit selections, claims information, payment activity, interactions with providers, pharmacy
information, telehealth interactions, and care-related inquiries. This information may constitute PHI
under HIPAA.

Automatically Collected Information

When you use the Services, we automatically collect certain technical and usage information, such as
your IP address, browser type, device identifiers, advertising identifiers, pages visited, session activity,
referral URLs, approximate geolocation information, and interaction data. We use cookies and similar
technologies to enhance functionality and analyze usage patterns. We do not deploy advertising or
marketing cookies, pixels, or similar tracking technologies on pages or sections of the Services where
users access PHI, view benefit information, or interact with care-related features. Where advertising or
analytics technologies are used on general informational portions of the Services, we configure those
technologies to prevent the transmission of PHI to third parties.

Information from Third Parties

We may receive information about you from third parties, including health care providers, pharmacies,
payment processors, financial institutions, advertising and analytics providers, and service partners. This
information helps us administer benefits, process payments, improve the Services, and provide a
seamless experience.

3. How We Use Your Information

We use your information for a variety of purposes necessary to operate our business and deliver the
Services.

We use personal information to create and manage your account, process enrollments, facilitate
transactions, provide customer support, communicate with you, deliver plan-related notices, send
marketing or promotional communications where permitted by law, improve the Services, personalize
user experiences, ensure security, prevent fraud, and comply with legal obligations.

Use of Communications for Quality Assurance and Service Improvement

We may use call recordings, transcripts, and chat interactions for internal quality assurance, customer
support training, and operational improvement. Where these communications contain PHI, such use
occurs under HIPAA as a health care operations activity.

Use of Communications for Artificial Intelligence and Model Training

Before using communications data to train or develop artificial intelligence systems, large language
models, or other machine learning technologies, we de-identify the data in accordance with the HIPAA
Safe Harbor method under 45 C.F.R. § 164.514(b)(2) or the Expert Determination method under 45
C.F.R. § 164.514(b)(1). We do not use identifiable PHI to train general-purpose or third-party AI or large
language model systems. We do not sell or license communications data, identifiable or de-identified, to
third parties for use in training their own AI or machine learning models.

When information qualifies as PHI, we use and disclose it in accordance with HIPAA as described below.

4. Permitted Uses and Disclosures of PHI (No Authorization Required)

Under HIPAA, we are permitted to use and disclose your PHI without your written authorization for
certain core purposes related to health care operations.

Treatment

We may use and disclose your PHI to provide, coordinate, or manage your health care and related
services. This includes sharing information with health care providers, pharmacies, telehealth providers,
and other entities involved in your care.

Payment

We may use and disclose your PHI to bill for and collect payment for the Services you receive. This
includes sharing information with providers, pharmacies, financial institutions, payment processors, and
other entities involved in payment processing or financing arrangements.

Health Care Operations

We may use and disclose your PHI for operational purposes necessary to run our business. These
activities include quality assessment and improvement, customer service, care coordination,
underwriting (where permitted), fraud detection, auditing, analytics, operational reporting, and general
administrative functions.

Uses and Disclosures Required or Permitted by Law

We may use or disclose your PHI without authorization in additional circumstances permitted or
required by law, including:

• To comply with federal, state, or local laws and regulations
• For public health activities, such as reporting disease, injury, or product issues
• To report abuse, neglect, or domestic violence, as authorized by law
• For health oversight activities, including audits, investigations, and inspections
• In connection with judicial or administrative proceedings, such as in response to subpoenas or
court orders
• For law enforcement purposes, including identifying or locating individuals
• To prevent or lessen a serious and imminent threat to health or safety

We may also disclose PHI to family members, close personal friends, or others involved in your care or
payment for care, when the information is directly relevant to their involvement and you have agreed or
have been given an opportunity to object and have not done so.

5. Uses and Disclosures Requiring Authorization

In situations not covered above, we will obtain your written authorization before using or disclosing your
PHI. Specifically, we will obtain your authorization for:

• Most uses and disclosures of psychotherapy notes
• Uses and disclosures of PHI for marketing purposes, as defined under HIPAA
• Any sale of PHI, as defined under HIPAA
• Other uses or disclosures not described in this Privacy Policy or otherwise permitted by HIPAA

If you provide authorization, you may revoke it at any time by submitting a written request, except to
the extent that we have already taken action in reliance on your authorization.

6. Communications, Recordings, and Platform Interactions

When you communicate with us, including through customer support, telephone calls, chat, SMS, email,
or other messaging features, we may collect and maintain records of those communications. This may
include call recordings, transcripts, chat messages, SMS communications, email communications, and
other interaction data.

We may use automated tools, including artificial intelligence and large language model technologies, to
process, transcribe, summarize, route, and respond to communications, support customer service, and
improve the operation of our Services. Use of these technologies in connection with PHI is conducted in
accordance with HIPAA, including through Business Associate Agreements with vendors that process PHI
on our behalf. Identifiable PHI is not used to train general-purpose or third-party AI models. Additional
information regarding AI model training is set forth in Section 3.

We may also collect information related to your engagement with our communications, including
whether emails, text messages, or other communications are opened, viewed, clicked, or otherwise
interacted with.

On general informational portions of the Services, we may use cookies and similar technologies,
including analytics tools provided by third-party vendors, to understand user behavior, measure
performance, and improve the Services. We do not use third-party advertising or marketing cookies,
pixels, tags, or SDKs on portions of the Services where users authenticate, access PHI, view benefit or
claims information, or interact with care-related features. Where third-party analytics are deployed on
general portions of the Services, we configure them to prevent the transmission of PHI.

7. How We Share Information

We share information only as necessary to operate the Services and comply with legal obligations.

We may share your information with service providers that perform functions on our behalf, such as
payment processing, hosting, analytics, communications, customer support, artificial intelligence
processing, transcription services, and operational support.

We may also share information with health care providers, pharmacies, telehealth providers, insurance
carriers, administrators, and care partners to facilitate treatment, payment, eligibility verification, and
benefit administration.

When we engage third parties to perform services involving PHI, we require them to agree to
appropriate safeguards and to comply with applicable privacy and security requirements, including
entering into Business Associate Agreements where required.

We may also disclose information in connection with a merger, acquisition, financing, reorganization, or
sale of assets, subject to appropriate confidentiality protections and applicable law.

We do not knowingly sell personal information. We do not use personal information obtained through
authenticated or care-related portions of the Services for cross-context behavioral advertising. We do
not sell or share consumer health data as defined under the Washington My Health My Data Act.

8. Data Security

We maintain administrative, technical, and physical safeguards designed to protect your information
from unauthorized access, use, or disclosure. These safeguards include, among other measures,
encryption of data in transit and at rest where appropriate, access controls, multi-factor authentication
where appropriate, system monitoring, logging, vendor oversight, employee training, and regular
security reviews.

Our security practices are designed to align with applicable legal and industry standards, including the
HIPAA Security Rule and other recognized security frameworks. We continuously evaluate and improve
our security controls and may pursue or maintain independent assessments or certifications relating to
our information security practices.

While we take reasonable steps to protect your information, no method of transmission over the
internet or electronic storage can be guaranteed to be completely secure.

Breach Notification

In the event of a security incident involving your information, we will investigate promptly and provide
notifications as required by applicable law. Where the incident involves unsecured PHI, we will provide
notification to affected individuals without unreasonable delay and in no event later than sixty (60) days
following discovery of the breach, consistent with the HIPAA Breach Notification Rule (45 C.F.R. Part
164, Subpart D). Where state law requires notification within a shorter period, we will comply with the
shorter period. Notifications will include, where required, a description of the incident, the categories of
information involved, steps we are taking to address the incident, recommended protective actions, and
information regarding how to contact us for additional support. We will also provide notifications to the
U.S. Department of Health and Human Services and, where applicable, to the media and state regulators
as required by law.

9. Data Retention

We retain information only for as long as reasonably necessary to provide the Services, comply with
legal obligations, resolve disputes, enforce agreements, and protect our legal rights. Retention periods
are determined based on the type of information, the purpose for which it was collected, and applicable
legal and regulatory requirements.

In general:

• Account registration and enrollment records: retained for up to seven (7) years following
account closure or the end of the customer relationship, consistent with applicable
record-keeping requirements.
• PHI, claims records, and coverage-related records: retained for the period required by applicable
law, which is generally a minimum of six (6) years under HIPAA and may extend to ten (10) years
or longer where required by state law, regulatory requirements, litigation holds, or contractual
obligations.
• Call recordings, transcripts, chat logs, and customer support communications: retained for up to
two (2) years for quality assurance and training purposes, except where a longer period is
required for legal compliance, dispute resolution, or fraud prevention.
• Marketing and analytics information: retained for up to two (2) years unless a longer retention
period is required for legal, operational, or fraud prevention purposes.
• Technical logs, security records, and backup archives: retained for periods consistent with
security, compliance, and operational continuity needs, generally not to exceed two (2) years for
routine logs.

We may retain de-identified or aggregated information for lawful business purposes without time
limitation where permitted by applicable law. De-identification is performed using the HIPAA Safe
Harbor method under 45 C.F.R. § 164.514(b)(2) or the Expert Determination method under 45 C.F.R. §
164.514(b)(1), and we maintain reasonable safeguards to prevent re-identification of de-identified data.

10. Your Rights Regarding PHI and Personal Information

Under HIPAA and certain state privacy laws, you may have rights with respect to your PHI and personal
information, subject to applicable limitations. These rights may include:

• The right to access and obtain a copy of your information
• The right to request corrections or amendments to your information
• The right to request deletion of certain information
• The right to request restrictions on certain uses or disclosures
• The right to request confidential communications through alternative means
• The right to receive an accounting of certain disclosures of PHI
• The right to opt out of certain targeted advertising or sharing activities
• The right to limit the use or disclosure of sensitive personal information where applicable under
state law
• The right to withdraw consent for the collection, use, or sharing of consumer health data where
applicable under state law

To exercise these rights, you may contact us using the information provided below.

Before processing requests, we may require you to verify your identity by providing information
sufficient to confirm your identity and authority to make the request. We will respond to verified
requests within the timeframes required by applicable law, including within forty-five (45) days where
required under California law, subject to any lawful extension rights.

If we deny your request in whole or in part, you may appeal our decision by contacting us using the
information below and including “Privacy Appeal” in your request. We will review and respond to
appeals in accordance with applicable law.

11. Cookies and Tracking Technologies

We use cookies, pixels, SDKs, and similar technologies to operate and secure the Services, understand
how users interact with the platform, improve functionality and performance, and support limited
analytics on general informational portions of the Services.

We do not use advertising or marketing cookies, pixels, tags, or SDKs (including those provided by
third-party advertising or social media platforms) on portions of the Services where users authenticate, access
PHI, view benefits, claims, or coverage information, or interact with care-related features. Where
third-party analytics are deployed on general portions of the Services, we configure them to prevent the
transmission of PHI, and we maintain Business Associate Agreements with vendors where required.

These technologies may collect device identifiers, browsing activity, IP addresses, and engagement data.
You may manage cookies and tracking technologies through your browser or device settings, the privacy
controls offered through the Services, or, where applicable, Global Privacy Control (GPC) signals, which
we honor as required by law. Disabling certain technologies may affect the availability or functionality of
the Services.

12. De-Identified and Aggregated Information

We may de-identify or aggregate information so that it does not reasonably identify any individual. We
use the HIPAA Safe Harbor method under 45 C.F.R. § 164.514(b)(2) or the Expert Determination method
under 45 C.F.R. § 164.514(b)(1) to de-identify PHI. Once information is de-identified in accordance with
these standards, it is no longer considered PHI under HIPAA.

We do not attempt to re-identify de-identified information, and we contractually require third parties
that receive de-identified data to refrain from re-identification. We may use de-identified or aggregated
information for research, analytics, product improvement, benchmarking, and other lawful purposes.

13. Additional Privacy Rights and State-Specific Disclosures

Depending on your state of residence, you may have additional rights regarding your personal
information.

California Privacy Rights

California residents may have rights under the CCPA and CPRA, including rights to know, access, correct,
delete, and limit the use of sensitive personal information, as well as rights relating to targeted
advertising, sharing, or sale of personal information.

In the preceding twelve (12) months, we may have collected the following categories of personal
information:

• Identifiers and contact information
• Demographic information
• Commercial and transaction information
• Financial and payment information
• Internet and electronic activity information
• Geolocation information
• Health and medical information
• Audio, electronic, visual, or similar information
• Professional or employment-related information where applicable
• Inferences derived from personal information

We may disclose these categories of information to service providers, contractors, analytics providers,
carriers, providers, pharmacies, administrators, and operational vendors for business and operational
purposes.

Certain categories of information, including health information, account credentials, payment
information, precise geolocation data, and government-issued identifiers where collected, may
constitute sensitive personal information under California law. California residents may request that we
limit the use and disclosure of sensitive personal information to uses authorized by applicable law.

We do not sell or share personal information for cross-context behavioral advertising as those terms are
defined under the CCPA and CPRA. We do not knowingly sell or share personal information of
individuals under 16 years of age. We honor Global Privacy Control (GPC) signals as opt-out preference
signals where required by law.

To exercise California privacy rights, users may contact us at support@smirkhealth.com with the subject
line “California Privacy Request” or utilize available privacy controls presented through our Services.

Washington My Health My Data Act

This subsection serves as the Consumer Health Data Privacy Policy required by the Washington My
Health My Data Act (“MHMDA”) for Washington residents and residents of any other state with a
substantially similar statute.

Categories of consumer health data collected: We may collect consumer health data including, but not
limited to, information that identifies a consumer’s past, present, or future physical or mental health
status; health-related conditions, treatments, diseases, or diagnoses; social, psychological, behavioral,
and medical interventions; health-related surgeries or procedures; use or purchase of prescribed
medications; bodily functions and vital signs; diagnoses or diagnostic testing; gender-affirming care
information; reproductive or sexual health information; biometric data; precise location information
that could reasonably indicate an attempt to receive health services; and data identifying a consumer as
seeking health care services.

Sources of consumer health data: We collect consumer health data directly from consumers, from
policyholders or authorized representatives, from health care providers, pharmacies, and care partners,
from payment processors and financial institutions, and from service providers acting on our behalf.

Categories of consumer health data shared: We share consumer health data only with providers,
pharmacies, carriers, administrators, care partners, payment processors, and service providers as
necessary for treatment, payment, eligibility verification, benefits administration, customer support, and
operational purposes. We do not sell consumer health data.

Categories of third parties and affiliates with whom consumer health data is shared: Health care
providers and provider networks; pharmacies and pharmacy benefit managers; telehealth providers;
insurance carriers, administrators, and reinsurers; payment processors and financial institutions;
technology and hosting service providers; customer support and communications vendors; AI and
transcription vendors operating under Business Associate Agreements; auditors and legal advisors; and
affiliated entities of Smirk Health.

Rights of Washington consumers: Washington residents have the right to confirm whether we are
collecting, sharing, or selling their consumer health data; the right to access their consumer health data;
the right to withdraw consent to our collection or sharing of consumer health data; the right to have
their consumer health data deleted; and the right to appeal a denial of any of these rights. To exercise
these rights, contact us at support@smirkhealth.com with the subject line “MHMDA Request.”

Texas Privacy Rights

Texas residents may have rights relating to medical information and personal information under
applicable Texas law, including Texas HB 300 and the Texas Data Privacy and Security Act.

Nevada, Connecticut, and Other State Rights

Residents of Nevada, Connecticut, Colorado, Virginia, Utah, Oregon, Montana, and other states with
applicable consumer privacy laws may have additional rights regarding certain data processing, targeted
advertising, and privacy practices as provided by applicable law. To exercise these rights, contact us
using the information in Section 18.

14. Children’s Privacy

The Services are intended for adult policyholders and account holders who are at least 18 years of age.
The Services are not directed to children under the age of 13, and we do not knowingly collect personal
information directly from children under 13 for our own commercial purposes in a manner that would
trigger the Children’s Online Privacy Protection Act (“COPPA”).

In connection with family or dependent coverage, we routinely collect personal information and PHI
relating to insured dependents, including minors. Such information is collected exclusively from a
parent, guardian, policyholder, or authorized representative, and solely for enrollment, eligibility
verification, coverage administration, claims processing, customer support, and related health care
operations. We do not use information about minor dependents for behavioral advertising, profiling, or
marketing purposes.

We do not knowingly allow minors to independently create accounts or directly use the Services without
authorization from a parent, guardian, or policyholder. If we become aware that we have collected
personal information from a child under 13 in a manner inconsistent with COPPA, we will delete such
information promptly. If you believe we have collected information from a child in error, please contact
us using the information in Section 18.

15. Third-Party Websites

The Services may contain links to third-party websites or services that are not operated by us. This
Privacy Policy does not apply to those third parties, and we are not responsible for their privacy
practices. We encourage you to review the privacy policies of any third-party websites or services you
visit.

16. International Users

The Services are intended for users located in the United States. If you access the Services from outside
the United States, your information may be transferred to, stored, and processed in the United States,
where privacy laws may differ from those in your jurisdiction. By using the Services from outside the
United States, you acknowledge this transfer.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal
requirements, technologies, or business operations. When we do, we will update the effective date and
post the revised policy on our website. Where required by law, we will provide additional notice of
material changes, such as by email or through a prominent notice on the Services. We encourage you to
review this Privacy Policy periodically.

18. Contact Information

If you have questions about this Privacy Policy, our privacy practices, or to exercise your rights, please
contact us at:

Smirk Health
Email: support@smirkhealth.com
Address: 166 Hargraves Drive, Ste C-400 PMB 131, Austin, TX 78737

19. Acknowledgment

By using the Services or completing enrollment, you acknowledge that you have read and understand
this Privacy Policy and agree to the collection, use, and disclosure of your information as described
herein.

Smirk Terms and Conditions

Effective Date: January 1, 2025

Welcome to Smirk Health ("Company," "we," "us," or "our"). These Terms and Conditions ("Terms") govern your access to and use of our website ("Site") located at www.smirkhealth.com and the services provided through the Site, including the purchase of dental insurance plans, dental discount products, provider searches, and informational content (collectively, "Services").

By accessing or using the Site, you agree to be bound by these Terms. If you do not agree to these Terms, you may not use our Site or Services.

1. General Terms

These Terms constitute a legally binding agreement between you and Smirk Health. By using the Site, you represent that you have read, understood, and agree to these Terms and our Privacy Policy. Supplemental terms or policies may apply to specific features of the Site and are incorporated herein by reference.

We reserve the right to update or modify these Terms at any time. Changes will be effective immediately upon posting on the Site, and your continued use of the Site constitutes acceptance of the updated Terms. The Site is not intended for distribution or use in any jurisdiction where such distribution or use would be contrary to law or regulation. By accessing the Site from outside the United States, you do so at your own risk and are responsible for compliance with local laws. The Site is intended for users who are at least 18 years old. Persons under 18 are prohibited from registering or using the Site.

2. Eligibility

You must be at least 18 years old to use this Site and purchase Services.
By using the Site, you represent and warrant that you meet this eligibility requirement.

3. Use of the Site

You agree to use the Site only for lawful purposes.

You are prohibited from:

- Interfering with or disrupting the operation of the Site.
- Attempting to gain unauthorized access to any part of the Site or its related systems.
- Using the Site to harass, harm, or defraud any person or entity.

4. Account Registration

Certain features of the Site may require you to create an account.

You agree to:

- Provide accurate and complete information during registration.
- Maintain the security of your account credentials.
- Notify us immediately of any unauthorized use of your account.

5. Purchases and Payments

All prices for dental insurance plans and dental discount products are listed in USD and are subject to change without notice. Payment must be made at the time of purchase through our secure payment gateway. By completing a purchase, you agree to the terms of the dental insurance plan or dental discount product as outlined in the policy documents. If your purchase is subject to recurring charges, you authorize us to charge your payment method on a recurring basis until cancellation. We reserve the right to correct pricing errors even after payment has been received.

6. Refund Policy

Refer to the refund policy provided earlier for Smirk Health.

7. Provider Network Information

While we strive to keep our provider network information accurate and up-to-date, we do not guarantee that the information is error-free.
Providers may change their participation status without notice.
Please verify network participation with your selected provider before scheduling an appointment.

8. Intellectual Property Rights

Unless otherwise indicated, the Site and its content, including text, graphics, software, and trademarks, are the proprietary property of Smirk Health or its licensors.

You are granted a limited license to use the Site and its content for personal, non-commercial purposes.

All rights not expressly granted are reserved by Smirk Health.

9. Prohibited Activities

You agree not to:

- Use the Site for any unauthorized or illegal purposes.
- Systematically retrieve data from the Site to create a database.
- Circumvent security features of the Site.
- Use automated tools like bots or scrapers to access the Site.
- Upload or transmit harmful content such as viruses.

10. Limitation of Liability

To the fullest extent permitted by law, Smirk Health shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of your use or inability to use the Site or Services.

Our total liability for any claims relating to the Services shall not exceed the amount you paid for the Services in the preceding 12 months.

11. Termination

We reserve the right to terminate or suspend your access to the Site and Services at our sole discretion, without notice, for any reason, including violation of these Terms.

12. Governing Law

These Terms shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of law principles.

13. Changes to These Terms

We may update these Terms from time to time. Changes will be effective immediately upon posting on the Site.

Your continued use of the Site constitutes acceptance of the updated Terms.

14. Contact Us

If you have any questions about these Terms, please contact us at:

Smirk Health
Email: support@smirkhealth.com
Address: 166 Hargraves Drive, Ste C-400 PMB 131, Austin, TX 78737

Smirk Refund Policy

Refunds Governed by Insurance Policy Terms

All refunds for insurance products offered through Smirk Health are issued solely in accordance with the terms and conditions of the applicable insurance policy.

Refund eligibility, amounts, timing, and any limitations are determined by the issuing insurance carrier and are subject to the specific policy provisions, including but not limited to coverage periods, cancellation rights, and claims activity.

Smirk Health does not modify, override, or expand refund rights beyond those expressly provided in the applicable insurance policy.

Customers are encouraged to review their insurance policy documents carefully for complete and authoritative information regarding refunds and cancellations.

Contact Us

If you have any questions regarding this refund policy or need further assistance, please contact our support team at support@smirkhealth.com.

We are here to help you.

Outline of Coverage

This information is provided to ensure you fully understand your benefits with no fine print or surprises.

