Spruce Health, Inc. – Privacy Policy

Last Modified: 14 May 2026

IF YOU ARE (OR SOMEONE ELSE IS) EXPERIENCING A MEDICAL EMERGENCY, CALL 911 IMMEDIATELY.

PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE USING OUR SERVICES, OUR WEBSITE, OR OUR MOBILE APPLICATION.

I. Introduction

This privacy policy (the "Privacy Policy") describes the types of information Spruce Health, Inc. ("Spruce", "we", "our", or "us") may collect from you or that you may provide when you use the Spruce website or application (the "Platform"), whether accessed via mobile application or website. This Privacy Policy also describes our practices for collecting, using, maintaining, protecting, and disclosing that information.

This Privacy Policy applies to:

• Health care providers and their representatives, agents, and employees who use the Platform (collectively, "Providers");
• Patients and other individuals who communicate or otherwise interact with Providers via the Platform (collectively, "Patients"); and
• Individuals who visit our website, https://sprucehealth.com/, and otherwise interact with or communicate with us (collectively, "Business Contacts").

Use of the Platform is governed by this Privacy Policy and our Terms of Service (for users of the Spruce website: https://www.sprucehealth.com/terms-website, for organizations using the Spruce application: https://www.sprucehealth.com/terms-organizations, and for patients using the Spruce application: https://www.sprucehealth.com/terms-patients).

This Privacy Policy is incorporated into our Terms of Service. All capitalized terms used in this Privacy Policy but not defined herein have the meanings assigned to them in the Terms of Service. By accessing or using the Platform, you acknowledge that you have read, understood, and agreed to be legally bound by and comply with this Privacy Policy and our Terms of Service. If any term in this Privacy Policy is unacceptable to you, please do not use the Platform or provide any Personal Information (defined below). This Privacy Policy may change from time to time (see Revisions to Our Privacy Policy below) and your use of the Platform after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates.

This Privacy Policy does not apply to any website or application operated by a third party or to any application or content not operated by us that may link to or be accessible from or on the Platform. Also, you may be subject to different privacy policies or terms of service for other websites or applications.

Spruce is committed to protecting your privacy. We provide this Privacy Policy to explain the type of information we collect and to inform you of the specific practices and guidelines that protect the security and confidentiality of Personal Information, including protected health information ("PHI") that individually identifies you or others and that is subject to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA").

II. Information About Patients

Information About You and Your Health Care Treatment and Payment

We collect several types of information from and about Patients, such as:

• Information by which you may be personally identified, such as name, mailing address, email address, telephone number and account information, billing and collection information, information related to your insurance eligibility, or any other information collected on the Platform that is defined as personally identifiable information under applicable law ("Personal Information"). This is information that you provide directly to us or that is provided to us by a related third party, such as your Provider.
• Clinical or patient information or data, including PHI or other health-related information. This includes information collected in connection with your use of the Platform that may be necessary for you to receive health care services, including previous doctors, applicable clinical history and condition, vital sign measurements and other clinical and health information, and any other information exchanged in emails, texts, chats, calls, or other communications between you and Spruce or the medical providers and their professional entities. For the avoidance of doubt, all such health-related information collected on the Spruce application is subject to the safeguards and protections of our Terms of Service, including those for privacy and security.
• Information about your Internet connection, the equipment you use to access our Platform, and usage details.
• Information about you that does not identify you individually, such as whether you are a current user, location or demographics, or information related to your inquiry or request.
• Other information that you volunteer or that you provide in response to a specific request from us.

We collect this information:

• Directly from you when you provide it to us.
• From third-party intermediaries; for example, the physicians, medical professionals, and pharmacies with whom we partner to provide their patients with services.

How We Use Patient Information

We use Patient information to provide the Platform and other services on behalf of your Provider, including:

• To complete any registration or other transactions or actions you request online, such as payment processing, including determining eligibility, use, and other benefits.
• For treatment, payment, or health care operations purposes.
• To communicate with you, including communications about our services and products or other information, services, and products, where such communications may include communications and messages via telephone, voicemail, email, fax, SMS text message, or communications within the Platform; any related fees from your mobile carrier or other service providers may apply to such contact and will be your sole responsibility, and you may customize your contact preferences by notifying us as provided in the Terms of Service or as directed in communications that you receive from us, such as by replying "STOP" to an SMS text message that you receive from us or by following an "unsubscribe" link in an email that you receive from us.
• To contact you if you receive health care services resulting from your use of the Platform, such as to deliver communications from providers on the Platform from whom you receive health care services.
• To create de-identified information that cannot be used to personally identify you, such as aggregate statistics relating to the use of our service.
• To enhance the safety, security, and performance of our products and services. This includes verifying your identity, as well as preventing or detecting fraud or other unauthorized or illegal activities.
• To design, develop, and communicate with you about our new features, products, and services, or, subject to any consents or authorizations that are required by applicable law, those of our subsidiaries, affiliates, and parent companies and any of their related businesses and those of our third-party partners.
• To notify you about changes to our services or the Platform.
• To enforce this Privacy Policy and any other terms that you have agreed to, including to protect the rights, property, or safety of us or any other person, or the copyright-protected content of the Platform.
• For any purpose where you have given your consent (where legally required).
• To comply with applicable federal, state, and other laws and regulations.

How We Disclose Patient Information

We disclose Patient information to provide the Platform and other services on behalf of your Provider, including:

• For treatment, payment, or health care operations purposes.
• To anyone authorized under this Privacy Policy or pursuant to any other consent or authorization that you may provide.
• To service providers that assist us in the maintenance, improvement, and optimization of our Platform, such as service providers that help us run and maintain the technology and security infrastructure that support our Platform or that provide services such as email delivery, auditing, and similar services.
• To medical providers, including, without limitation, physicians, health care facilities, and organizations, pharmacies, and laboratories, that provide any services to you, including medical providers with whom you communicate and/or medical providers who review your information in providing health care services to you. If applicable to you, you acknowledge and agree that when medical providers provide services to you, the medical providers and all personnel of their professional entities may see any information you provide.
• If we are under a duty to disclose or share your Personal Information to comply with any legal obligation, or in order to enforce or apply our Terms of Service and other agreements; or to protect the rights, property, or safety of Spruce, our customers, or others. This may include exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
• With respect to de-identified information, for any purpose without restriction.
• In the event of a sale, merger, consolidation, change in control, transfer of substantial assets, reorganization, or liquidation, we may transfer, sell, or assign to third parties information concerning your relationship with us, including, without limitation, Personal Information that you provide and other information concerning your relationship with us.

Patient Rights and Choices

We collect, use and disclose Patient information only in accordance with our agreements with Providers as a service provider to such Providers. Where Patient information is PHI governed by HIPAA, we are a "business associate" to Providers and we process PHI in accordance with business associate agreements that we enter into with Providers. If you are a Patient and you have questions about how your Provider collects, uses, and shares your information, including in connection with the Platform, please contact your Provider directly for more information and to understand your privacy rights and choices.

III. Information About Providers and Business Contacts

Information You Give to Us

The information we collect on or through our Platform may include:

• Information that we collect when you use our website or download our mobile application.
• Information that you provide on our Platform, including information provided when you sign in or register for an account for the Platform or for services provided by one of our affiliates or through communications with us.
• Information to process or respond to your inquiries related to requests for treatment, payment, or customer service; and when you provide feedback on our Platform, including payment processing information that includes billing information, such as a name, address, email address, and payment card information. When you provide or update your payment processing information, we transmit the payment via an encrypted connection to a third-party credit card processor.
• Records and copies of your correspondence (including email addresses) if you contact us, such as when you report a problem with our Platform or other services.
• Your search queries on the Platform.

Information We Receive From Other Sources

This is information we receive about you if you use any of the other websites we operate or other services we provide, such as if you visit pages we maintain on social media services, including, without limitation, LinkedIn and Meta. We sometimes work with third parties, and they sometimes provide information about you. We obtain information from such third parties with whom we work to provide you with certain services (including, for example, sub-contractors, analytics providers, and search information providers).

In addition, we may use third-party providers to serve or track interactions on other websites. You may link to or access our Platform using other third-party websites. Use of such third-party websites is subject to the terms of service and privacy policies of those third parties. Spruce does not control the use of this technology or the resulting information and is not responsible for any actions or policies of such third parties. We may combine information we receive from other sources with information you give to us and information we collect about you.

How We Use Information About Providers and Business Contacts

We may use information collected about you in the following ways:

• To administer your account, including processing your payments and fulfilling your orders, as may arise from your use of the Platform.
• To operate the Platform and perform any services associated with the Platform, including providing you with technical support and to improve the Platform and our products and services.
• To provide you with information that you have requested or to respond to your inquiries.
• To create de-identified information that cannot be used to personally identify you, such as aggregate statistics relating to the use of our service.
• To measure or understand the effectiveness of communications (including advertising) that we send to you and others, and to deliver relevant communications to you and to provide you with communications from Spruce, surveys, newsletters, and other information.
• To better understand our audience.
• To enhance the safety, security, and performance of our products and services. This includes verifying your identity, as well as preventing or detecting fraud or other unauthorized or illegal activities.
• To design, develop, and communicate with you about our new features, products, and services, or, subject to any consents or authorizations that are required by applicable law, those of our subsidiaries, affiliates, and parent companies and any of their related businesses and those of our third-party partners.
• To notify you about changes to our services or the Platform.
• To enforce this Privacy Policy and any other terms that you have agreed to, including to protect the rights, property, or safety of us or any other person, or the copyright-protected content of the Platform.
• For any purpose where you have given your consent (where legally required).
• To comply with applicable federal, state, and other laws and regulations.

How We Disclose Information About Providers and Business Contacts

We may disclose information you provide as follows:

• To our affiliates and their employees, including for the purpose of posting information or notifications in your account.
• To fulfill the purpose for which you provide it. For example, if you sign up for certain services, we may share your information in order to provide those services.
• To third-party credit card processors via an encrypted connection so that they can process any payments by you.
• To any third parties we believe necessary or appropriate to comply with applicable laws and regulations.
• For any other purpose disclosed by us when you provide the information or with your consent.
• If we are under a duty to disclose or share your Personal Information in order to comply with applicable law.
• If we are under a duty to disclose or share your Personal Information to comply with any legal obligation, or in order to enforce or apply our Terms of Service and other agreements; or to protect the rights, property, or safety of Spruce, our customers, or others. This may include exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
• With respect to de-identified information, for any purpose without restriction.
• In the event of a sale, merger, consolidation, change in control, transfer of substantial assets, reorganization, or liquidation, we may transfer, sell, or assign to third parties information concerning your relationship with us, including, without limitation, Personal Information that you provide and other information concerning your relationship with us.

Rights and Choices for Providers and Business Contacts

If you do not wish to have your contact information used by Spruce to promote our own products or services, you can unsubscribe by following the instructions at the bottom of any email you have received from us. If you are not able to unsubscribe through this method, please contact us and we can handle your request. You can also always exercise your right to ask us not to process your Personal Information for marketing purposes by contacting us at the address below.

Depending on where you reside, you may also have the following rights:

• Information. You may have the right to obtain information about how we collect, use, and share your personal information. We provide this information within this Privacy Policy.
• Access, correction, and deletion. You may also have the right to request access to your personal information, to correct personal information that is out of date or inaccurate, or to delete personal information that is no longer needed for a permitted purpose. If you have questions about we handle your personal information or if you believe your information is inaccurate or has been collected in error, please contact us as provided in the "Contact Information" section below and we will endeavor to resolve your questions or concerns. We may ask for specific information from you to help us confirm your identity. Where these rights apply, you can empower an authorized agent to submit the request on your behalf in accordance with applicable law. You are entitled to exercise these rights free from discrimination.
• Sharing personal information and targeted advertising. We use cookies and similar technologies to help us advertise our Platform and services on other websites or services you might visit as described in the "Use of Cookies and Similar Technologies" section below. We share information with advertising networks and analytics partners to support our interest-based advertising, which may qualify as a sale or sharing of personal information, or targeted advertising, under applicable law. You can opt out of our use or sharing of personal information for these purposes by using our "Your Privacy Choices" tool, accessible via https://sprucehealth.com/, or by enabling the Global Privacy Control setting within the browser that you use to access our website or Platform. Please note that your opt-out will be specific to the device and browser you use when you opt out. We do not have actual knowledge that we have sold or shared the personal information of children under the age of 16.

IV. Use of Cookies and Similar Technologies

As with many other websites and applications, as you navigate through and interact with our Platform, we may use automatic data collection technologies, including cookies, pixels, clear gifs, website tags, and other similar technologies, to collect certain information about your equipment, browsing actions, and patterns, including:

• Details of your visits to our Platform, including traffic data, location data, logs, language, date and time of access, frequency, and other communication data and the resources that you access and use on the Platform.
• Information about your computer and Internet connection, including your IP address, operating system, host domain, and browser type.
• Details of referring websites (e.g., URLs) or other referring sources.

We use such technologies to:

• Estimate how individuals access and use our Platform.
• Store information about your preferences.
• Speed up your searches.
• Recognize you when you return to our Platform.
• Help us advertise our Platform on other websites or services.
• Measures the effectiveness of our advertising.

The information we collect via cookies and similar technologies includes: the domain from which you access the Internet; IP address; operating system and information about the device or browser used when visiting the Platform; date and time of your visit; content you visited; general location; and website (such as google.com or bing.com) and website referral source (email notice or social media site) that connected you to the Platform.

You can limit online tracking by opting out, as per Section III of this Privacy Policy, and/or by blocking cookies in your web browser and using privacy plugins.

Do Not Track. Some Internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. We currently do not respond to "Do Not Track" signals.

V. Data Security

We have implemented measures designed to reasonably secure your Personal Information from accidental loss and from unauthorized access, use, alteration, and disclosure.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Platform, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. The information you share in public areas may be viewed by any user of the Platform.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your Personal Information, we cannot guarantee the security of your data transmitted to or from our Platform; any transmission is at your own risk.

When you use our Platform, there is a risk that any PHI will be stored unencrypted on your mobile device. We have implemented a variety of technical safeguards to make sure that PHI does not leak onto your mobile device, but we cannot guarantee that these safeguards will work as intended.

VI. Data Retention and Deletion

We retain the data we collect for different periods of time depending on what it is, how we use it, and what your stated preferences are:

• Some data is deleted or anonymized automatically after a set period of time, such as connection data in server logs.
• Some data is kept indefinitely, such as account information. This retention may be necessary while you are using certain aspects of the Platform or other Spruce services. You may choose to have such data deleted by notifying us of this preference. Choosing to have certain data deleted may adversely affect your ability to use the Platform or other Spruce services.
• Some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as:
  • Security, fraud, and abuse prevention: We retain some data to protect you, other people, and Spruce from fraud, abuse, and unauthorized access.
  • Record-keeping: We retain some data for purposes such as accounting and dispute resolution.
  • Complying with legal or regulatory requirements: We retain some data to meet the requirements of any applicable law, regulation, legal process, or enforceable governmental request, or when needed to enforce applicable Terms of Service, including investigation of potential violations.
  • Ensuring the continuity of our services: We retain some data to ensure continuity of service for you and other users. This may occur, for instance, when you have shared data with other people, such as when you have sent a message to someone else. In such instances, a request by you to delete such data may not eliminate any copies that are maintained by or on behalf of other people.
  • Direct communications with Spruce: If you have directly communicated with us, such as through a customer-support channel, feedback form, or bug report, we may retain records of those communications.

When data is deleted, we follow a deletion process to make sure that your data is safely and completely removed from our servers, or retained only in anonymized form. We try to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be delays between when the deletion process is initiated and when copies are deleted from our active and backup systems.

VII. Third-Party Platforms

Our Platform may contain links or references to other websites outside of our control. Please be aware that this Privacy Policy does not apply to these websites. Spruce encourages you to read the privacy statements and terms and conditions of linked or referenced websites you enter. These third-party websites may send their own cookies and other tracking devices to you, log your IP address, and otherwise collect data or solicit Personal Information. SPRUCE DOES NOT CONTROL AND IS NOT RESPONSIBLE FOR WHAT THIRD PARTIES DO IN CONNECTION WITH THEIR WEBSITES, OR HOW THEY HANDLE YOUR PERSONAL INFORMATION. PLEASE EXERCISE CAUTION AND CONSULT THE PRIVACY POLICIES POSTED ON EACH THIRD-PARTY WEBSITE FOR FURTHER INFORMATION.

VIII. Children Under the Age of 13

We will not intentionally collect any Personal Information from children under the age of 13 through our Platform without receiving parental or other legal guardian consent. If you think that we have collected Personal Information from a child under the age of 13 through our Platform, please contact us.

IX. Revisions to Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. It is our policy to post any changes we make to our Privacy Policy on this page. The date this Privacy Policy was last modified is identified at the top of the page. We may, at times, provide an additional notice of changes to this Privacy Policy, such as via email. If you are using the Platform as part of or on behalf of an organization, we may, in our sole discretion, choose to provide any notice only to the administrator of your organization. You are responsible for periodically monitoring and reviewing any updates to the Privacy Policy. Your continued use of the Platform after any changes to this Privacy Policy will be deemed to be your acknowledgement of and agreement to the changes.

X. Contact Information

If you have any questions or comments about this Privacy Policy and our privacy practices, please contact us at support@sprucehealth.com.