California Privacy Disclosures

Kora Health, LLC
Effective Date: March 30, 2026
Last Updated: March 30, 2026

I. INTRODUCTION AND SCOPE

These California Privacy Disclosures are provided pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA,” codified at Cal. Civ. Code Section 1798.100 through Section 1798.199.100). These disclosures are published by Kora Health, LLC (“Kora MD,” “we,” “us,” or “our”) in its capacity as the operator of the consumer-facing website at koramd.com (the “Platform”).

These disclosures supplement the Kora MD Privacy Policy and apply solely to residents of the State of California (“consumers” or “you”) as defined under Cal. Civ. Code Section 1798.140(i). These disclosures describe how we collect, use, disclose, and otherwise process personal information as defined under Cal. Civ. Code Section 1798.140(v) in connection with your interaction with the Platform, including browsing the website, completing the health screening questionnaire, purchasing a bundled membership, and engaging with our marketing communications.

The Platform operates as a technology platform and administrative services provider. Medical services, clinical evaluations, prescribing decisions, and treatment are provided exclusively by OpenLoop Healthcare Partners, PC and its affiliated professional corporations (collectively, the “Practice”). Pharmacy dispensing services are provided by RedRock Pharmacy, Health Warehouse, Precision Compounding Pharmacy, and Triad Rx (collectively, the “Pharmacy Partners”). Protected health information collected, maintained, and used in the course of treatment, payment, and healthcare operations by the Practice and Pharmacy Partners is governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA,” 45 C.F.R. Parts 160 and 164) and is excluded from CCPA coverage to the extent set forth in Cal. Civ. Code Section 1798.145(c)(1)(A). These disclosures address personal information collected by the Platform in its capacity as the consumer-facing technology platform and marketing entity, including information collected prior to the consumer’s engagement with the Practice for clinical services.

II. CATEGORIES OF PERSONAL INFORMATION COLLECTED

Pursuant to Cal. Civ. Code Section 1798.100(a), we are required to disclose the categories of personal information we have collected from consumers within the preceding twelve (12) months. The following describes each category of personal information as enumerated in Cal. Civ. Code Section 1798.140(v), the specific data elements we collect within each category, whether we have collected that category, the sources from which we collect it, our business or commercial purpose for collection, and the categories of third parties to whom we disclose it.

A. Identifiers (Category A)

Collected: Yes

Specific Data Elements: Full legal name, email address, telephone number, date of birth, mailing address (including zip code and state of residence), IP address, unique account identifiers, and device identifiers.

Sources of Collection: Directly from consumers when they create an account, complete the health screening questionnaire, or purchase a bundled membership; automatically through cookies, pixels, and similar technologies when consumers browse the Platform; and from advertising networks and affiliate partners who direct consumers to the Platform.

Business and Commercial Purposes: To create and manage consumer accounts; to process bundled membership purchases; to verify identity and age eligibility; to facilitate the redirect to the Practice for clinical evaluation; to communicate with consumers regarding their accounts, orders, and services; to detect and prevent fraud; and to comply with legal obligations, including state age verification requirements.

Categories of Third Parties to Whom Disclosed: The Practice (for clinical evaluation intake); Pharmacy Partners (for order fulfillment coordination); payment processors (for transaction processing); email and SMS communication service providers; cloud hosting and data storage providers; analytics providers (in aggregated or de-identified form only); and advertising networks (subject to the disclosures in Section V below).

B. Personal Information Described in Cal. Civ. Code Section 1798.80(e) (Category B)

Collected: Yes

Specific Data Elements: Name, address, telephone number, and payment card information (card number, expiration date, and billing address, processed and stored by our PCI-compliant third-party payment processor and not stored on our servers in unencrypted form).

Sources of Collection: Directly from consumers at the time of membership purchase.

Business and Commercial Purposes: To process and complete bundled membership transactions; to issue refunds and manage billing disputes; and to maintain transaction records for accounting, tax, and legal compliance purposes.

Categories of Third Parties to Whom Disclosed: PCI-compliant payment processor; financial institutions for transaction settlement; and as required by law for tax reporting purposes.

C. Protected Classification Characteristics Under California or Federal Law (Category C)

Collected: Yes (Limited)

Specific Data Elements: Date of birth (to verify minimum age eligibility for services) and biological sex (as voluntarily provided during the health screening questionnaire to support clinical intake by the Practice).

Sources of Collection: Directly from consumers when completing the health screening questionnaire.

Business and Commercial Purposes: To verify age eligibility (services are restricted to adults age 18 and older); and to support the health screening questionnaire responses transmitted to the Practice for clinical evaluation. We do not use protected classification characteristics for marketing segmentation or discriminatory purposes.

Categories of Third Parties to Whom Disclosed: The Practice (as part of the health screening questionnaire responses transmitted for clinical evaluation).

D. Commercial Information (Category D)

Collected: Yes

Specific Data Elements: Records of membership plans purchased, membership tier selected, transaction dates and amounts, membership renewal history, and cancellation records.

Sources of Collection: Generated through consumer transactions on the Platform.

Business and Commercial Purposes: To fulfill and manage bundled memberships; to process recurring subscription billing and cancellations; to maintain business records; to analyze aggregate purchasing trends to improve service offerings; and to comply with Good Faith Estimate requirements under 45 C.F.R. Section 149.610.

Categories of Third Parties to Whom Disclosed: Payment processor; the Practice (to confirm membership status for clinical intake); cloud hosting and data storage providers; and accounting and tax service providers.

E. Biometric Information (Category E)

Collected: No

We do not collect biometric information as defined under Cal. Civ. Code Section 1798.140(c), including fingerprints, faceprints, voiceprints, iris or retina scans, or keystroke patterns.

F. Internet or Other Similar Network Activity Information (Category F)

Collected: Yes

Specific Data Elements: Browsing history on the Platform (pages visited, time spent on pages, click patterns); search terms entered on the Platform; information regarding consumer interactions with the Platform, including interactions with the health screening questionnaire (completion rate, drop-off points); referring URLs (the website or advertisement that directed the consumer to the Platform); browser type and version; operating system; and device type.

Sources of Collection: Automatically collected through cookies, web beacons, and similar tracking technologies when consumers interact with the Platform; and from advertising networks and affiliate partners through tracking parameters appended to inbound URLs.

Business and Commercial Purposes: To operate and improve the Platform; to analyze website performance and user experience; to measure the effectiveness of advertising campaigns; to personalize content displayed to consumers; and to detect and prevent technical errors, fraud, and security threats.

Categories of Third Parties to Whom Disclosed: Analytics service providers; cloud hosting providers; and advertising networks (see Section V regarding sale and sharing disclosures).

G. Geolocation Data (Category G)

Collected: Yes (Approximate Only)

Specific Data Elements: Approximate geolocation derived from IP address (city and state level); and state of residence as self-reported by the consumer during registration and the health screening questionnaire. We do not collect precise geolocation data (GPS coordinates).

Sources of Collection: Automatically from IP address; and directly from consumers during registration and the health screening questionnaire.

Business and Commercial Purposes: To verify that the consumer resides in a state where services are available; to comply with state-specific regulatory requirements, including state telehealth licensing laws; and to deliver location-relevant content.

Categories of Third Parties to Whom Disclosed: The Practice (state of residence for licensure verification); and analytics providers (in aggregated form).

H. Sensory Data (Category H)

Collected: No

We do not collect audio, electronic, visual, thermal, olfactory, or similar sensory information through the Platform.

I. Professional or Employment-Related Information (Category I)

Collected: No

We do not collect professional or employment-related information from consumers through the Platform.

J. Non-Public Education Information (Category J)

Collected: No

We do not collect education records, transcripts, or student directory information from consumers through the Platform.

K. Inferences Drawn from Other Personal Information (Category K)

Collected: Yes (Limited)

Specific Data Elements: Inferences about consumer preferences regarding membership tier selection; and inferences about consumer interest in specific service categories based on health screening questionnaire responses and browsing behavior. We do not create profiles reflecting consumers’ health status, medical conditions, or treatment outcomes.

Sources of Collection: Generated internally from analysis of the personal information described in Categories A, D, and F above.

Business and Commercial Purposes: To improve service offerings and Platform content; and to personalize marketing communications (with consumer consent where required).

Categories of Third Parties to Whom Disclosed: Analytics providers (in aggregated or de-identified form); and advertising networks (subject to Section V disclosures).

III. SENSITIVE PERSONAL INFORMATION

Pursuant to Cal. Civ. Code Section 1798.140(ae), “sensitive personal information” includes specific categories of information warranting heightened protection. The Platform collects the following categories of sensitive personal information:

Health-Related Information. Responses to the health screening questionnaire may include information about height, weight, body mass index, existing medical conditions, current medications, and weight management goals. This information is collected solely for the purpose of facilitating the consumer’s intake with the Practice for clinical evaluation. To the extent this information is transmitted to the Practice and becomes part of the clinical record, it is thereafter governed by HIPAA and is excluded from CCPA coverage under Cal. Civ. Code Section 1798.145(c)(1)(A).

We use sensitive personal information only for the purposes expressly authorized under Cal. Civ. Code Section 1798.121(a), specifically to perform services reasonably expected by the consumer (facilitating clinical intake with the Practice) and to verify and maintain the quality of our services. We do not use sensitive personal information for profiling consumers in furtherance of decisions that produce legal or similarly significant effects, nor do we use it for advertising or marketing purposes.

You have the right to limit our use and disclosure of your sensitive personal information to uses that are necessary to perform the services you request. To exercise this right, see Section VII below.

IV. RETENTION OF PERSONAL INFORMATION

Pursuant to Cal. Civ. Code Section 1798.100(a)(3), we retain each category of personal information only for as long as reasonably necessary to fulfill the purpose for which it was collected. Our specific retention periods are as follows:

Account identifiers, contact information, and commercial information are retained for the duration of the consumer’s active membership and for a period of seven (7) years following the termination or cancellation of the membership to comply with tax, accounting, and legal hold obligations.

Payment card information is retained by our PCI-compliant payment processor in accordance with its own retention policies and is not stored on our servers in unencrypted form.

Health screening questionnaire responses are retained for the period necessary to complete the redirect to the Practice (typically no more than thirty (30) days) and are thereafter deleted from Platform systems, except to the extent the Practice independently maintains such information as part of the clinical record under HIPAA.

Internet and network activity information is retained for a period of twenty-four (24) months from the date of collection.

Geolocation data derived from IP addresses is retained for twelve (12) months.

V. SALE AND SHARING OF PERSONAL INFORMATION

We Do Not Sell Personal Information. Kora MD does not sell personal information as defined under Cal. Civ. Code Section 1798.140(ad). We do not exchange personal information for monetary consideration.

Cross-Context Behavioral Advertising. We may share certain personal information, specifically identifiers (Category A) and internet or network activity information (Category F), with advertising networks for the purpose of cross-context behavioral advertising as defined under Cal. Civ. Code Section 1798.140(ah). Under the CCPA as amended by the CPRA, such sharing constitutes “sharing” of personal information for purposes of Cal. Civ. Code Section 1798.140(ah) regardless of whether monetary consideration is exchanged.

You have the right to opt out of this sharing. To exercise your right, you may click the “Do Not Sell or Share My Personal Information” link in the footer of our website, submit a request through the methods described in Section VII below, or enable a browser-based opt-out preference signal such as Global Privacy Control (“GPC”) as described in Section VIII below.

We do not have actual knowledge that we sell or share the personal information of consumers under the age of 16.

VI. THIRD-PARTY DISCLOSURE SUMMARY

The following summarizes the categories of personal information disclosed to third parties for business purposes within the preceding twelve (12) months, the categories of third-party recipients, and the purpose of disclosure, as required by Cal. Civ. Code Section 1798.115(c).

The Practice (OpenLoop Healthcare Partners, PC and affiliated entities): Categories A, C, G (state of residence), D (membership status), and sensitive personal information (health screening questionnaire responses). Purpose: To facilitate clinical intake, verify membership status, and support the delivery of medical services by the Practice.

Pharmacy Partners (RedRock Pharmacy, Health Warehouse, Precision Compounding Pharmacy, Triad Rx): Categories A and D. Purpose: To coordinate prescription fulfillment for consumers who are prescribed medication by the Practice.

Payment Processor: Categories A and B. Purpose: To process bundled membership transactions, recurring subscription billing, and refunds.

Cloud Hosting and Data Storage Providers: All categories collected. Purpose: To host and maintain the Platform, process data, and provide infrastructure services pursuant to written service provider agreements.

Email and SMS Communication Providers (Customer.io): Category A (name, email, phone number, membership status). Purpose: To send transactional communications (account creation, order confirmation, membership renewal notices, shipping notifications) and, with consent, marketing communications. Customer.io does not receive health assessment data, clinical information, or sensitive personal information.

Analytics Providers: Categories F, G (approximate), and K (in aggregated or de-identified form). Purpose: To analyze Platform performance and improve user experience.

Advertising Networks (Google Ads, Meta Business Manager including Facebook and Instagram): Categories A (limited to hashed identifiers or device identifiers) and F. Purpose: To measure advertising campaign performance and, subject to consumer opt-out rights, for cross-context behavioral advertising as described in Section V. Advertising technologies are not deployed on pages where health information or sensitive personal information is collected.

VII. YOUR RIGHTS UNDER THE CCPA

If you are a California resident, you have the following rights under Cal. Civ. Code Section 1798.100 et seq.

A. Right to Know (Cal. Civ. Code Section 1798.110)

You have the right to request that we disclose the specific pieces of personal information we have collected about you, the categories of personal information collected, the sources from which we collected it, the business or commercial purposes for collection, and the categories of third parties to whom we disclosed it. You may submit a verifiable consumer request up to two (2) times within any twelve (12) month period.

B. Right to Delete (Cal. Civ. Code Section 1798.105)

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions specified in Cal. Civ. Code Section 1798.105(d), including where retention is necessary to complete a transaction, comply with a legal obligation, detect security incidents, or exercise legal claims.

C. Right to Correct (Cal. Civ. Code Section 1798.106)

You have the right to request that we correct inaccurate personal information that we maintain about you, taking into account the nature of the personal information and the purposes of processing.

D. Right to Opt Out of Sale or Sharing (Cal. Civ. Code Section 1798.120)

You have the right to direct us not to sell or share your personal information to third parties for cross-context behavioral advertising. You may exercise this right by clicking the “Do Not Sell or Share My Personal Information” link in the footer of our website or by submitting a request through the methods described below.

E. Right to Limit Use and Disclosure of Sensitive Personal Information (Cal. Civ. Code Section 1798.121)

You have the right to limit our use and disclosure of your sensitive personal information to uses that are necessary to perform the services you request, as permitted under Cal. Civ. Code Section 1798.121(a).

F. Right to Non-Discrimination (Cal. Civ. Code Section 1798.125)

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, provide a different level of quality, or suggest that you will receive a different level of service for exercising your privacy rights.

VIII. HOW TO EXERCISE YOUR RIGHTS

A. Submitting a Request

You may submit a request to exercise any of the rights described above by contacting us through any of the following methods:

Email: privacy@koramd.com (include “Privacy Rights Request” in the subject line)
Toll-Free Telephone: (855) 597-1248
Online: koramd.com/pages/data-sharing-opt-out

When submitting a request, please provide your full name, email address associated with your account, and a description of the right you wish to exercise. We will use this information solely for the purpose of verifying and fulfilling your request.

B. Verification Process

Upon receiving a request, we will verify your identity to a reasonable degree of certainty before responding, in accordance with Cal. Civ. Code Section 1798.185 and the implementing regulations at 11 Cal. Code Regs. Section 7060 et seq. For requests to know categories of personal information, we will verify your identity to a reasonable degree of certainty by matching at least two (2) data points you provide against information we maintain. For requests to know specific pieces of personal information or requests to delete, we will verify your identity to a reasonably high degree of certainty by matching at least three (3) data points and requiring a signed declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.

If we cannot verify your identity, we will inform you and explain what additional information, if any, is needed. We will not fulfill a request if we cannot verify the requestor’s identity.

C. Authorized Agents

You may designate an authorized agent to submit a request on your behalf in accordance with Cal. Civ. Code Section 1798.140(e). If you use an authorized agent, we may require the agent to provide proof of written authorization signed by you, and we may require you to verify your own identity directly with us and confirm that you authorized the agent to act on your behalf. Authorized agent requests may be submitted through the same methods listed above.

D. Response Timeline

We will acknowledge receipt of your request within ten (10) business days. We will respond to verifiable consumer requests within forty-five (45) calendar days of receipt, as required by Cal. Civ. Code Section 1798.145. If we require additional time, we will inform you of the reason and the extension period, which shall not exceed an additional forty-five (45) calendar days (ninety (90) calendar days total from the date of your request).

E. Global Privacy Control

We recognize and honor the Global Privacy Control (“GPC”) browser signal as a valid opt-out of sale and sharing preference signal in accordance with Cal. Civ. Code Section 1798.135(e). When we detect a GPC signal from your browser, we will treat it as a request to opt out of the sale and sharing of personal information associated with that browser. If you are logged in to your account when we receive a GPC signal, we will apply the opt-out to your account. For information about GPC, please visit globalprivacycontrol.org.

IX. APPEAL PROCESS

If we decline to take action on your request in whole or in part, we will inform you of the reason for our decision and provide instructions for how to appeal. You may appeal our decision by contacting us at privacy@koramd.com with the subject line “CCPA Appeal” within fifteen (15) calendar days of receiving our decision. We will respond to your appeal within sixty (60) calendar days. If your appeal is denied, we will provide you with an explanation of the reason and information about how to contact the California Attorney General to submit a complaint.

X. INFORMATION REGARDING MINORS

The Platform is not directed to consumers under the age of 18. We do not knowingly collect personal information from minors under the age of 16. We do not sell or share the personal information of consumers we know to be under the age of 16. If we become aware that we have collected personal information from a minor under the age of 16 without appropriate consent, we will take steps to delete such information in accordance with Cal. Civ. Code Section 1798.120(c).

XI. CHANGES TO THESE DISCLOSURES

We may update these California Privacy Disclosures periodically to reflect changes in our personal information practices, changes in applicable law, or other operational requirements. When we make material changes, we will post the updated disclosures on this page with a revised “Last Updated” date. If we make material changes that expand our use or disclosure of personal information beyond what was described in the version in effect at the time of collection, we will provide notice in accordance with applicable law.

XII. CONTACT INFORMATION

If you have questions or concerns about these California Privacy Disclosures or our personal information practices, you may contact us at:

Kora Health, LLC Attn: Privacy Inquiries 10503 Foundation Road, Austin, TX 78726 Email: privacy@koramd.com Telephone: (855) 597-1248

For general customer service inquiries (non-privacy), please contact: care@koramd.com.