Privacy Policy for CA Residents

Privacy Policy for California Residents

Last updated: December 29, 2025

This Privacy Policy for California Residents supplements the information contained in SiteRx’s Privacy Policy and applies solely to all visitors, users, job applicants, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, including the updates effective January 1, 2026, and their implementing regulations (collectively referred to as “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Policy. For purposes of this Privacy Policy for California Residents, the term “personal information” does not include: (a) information subject to HIPAA or the California Confidentiality of Medical Information Act; (b) deidentified or aggregated consumer information; or (c) publicly available information that (i) has been lawfully made available from government records; (ii) we have a reasonable basis to believe has lawfully been made available to the general public by you or from widely distributed media; or (iii) has been made available by a person to whom you disclosed the information unless you restricted such information to a specific audience. In the event of any conflict between this Policy and any SiteRx privacy policies, this Policy shall govern for California residents.

I. Notice at Collection

This Notice at Collection (“Notice”) is to inform you that SiteRx is collecting information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”).

Information about the categories of personal information from consumers we have collected within the last twelve (12) months, including the business purposes for which we collect the information, is set forth in the tables below. Of note, SiteRx does not share or sell personal information or sensitive personal information.

Category	Business Purpose
Identifiers, such as name and contact information	Performing services, certain short-term uses, security, marketing or advertising Any marketing or advertising activities are limited to SiteRx’s own services and do not constitute cross-contextual behavioral advertising as defined under the CCPA.
California Customer Records personal information, such as name and contact information	Performing services, certain short-term uses, security
Protected classification characteristics under California or federal law, such as age, medical condition, and race	Performing services, certain short-term uses, security
Professional or employment-related information, if you apply for a job at SiteRx.	Performing services, certain short-term uses, security, to administer the employment relationship
Non-public education information, if you apply for a job at SiteRx.	Performing services, certain short-term uses, security, to administer the employment relationship
Internet or other similar network activity, such as your browsing history and interactions with our website.	Performing services, certain short-term uses, security, auditing interactions with our website, debugging, quality and safety maintenance and verification
Inferences drawn from other personal information.	Performing services, certain short-term uses
Sensitive Personal Information Category	Business Purpose
Government identifiers (social security, driver's license, state identification card, or passport number)	Performing services, certain short term uses
Complete account access credentials (user names, account numbers, or card numbers combined with required access/security code or password)	Performing services, certain short-term uses, security, auditing interactions with our website, debugging, quality and safety maintenance and verification
Racial or ethnic origin	Performing services, certain short term uses
Genetic data	Performing services, certain short term uses
Health, sex life, or sexual orientation information	Performing services, certain short term uses

Our Retention of your Personal Information and Sensitive Personal Information.

SiteRx retains personal information and sensitive personal information for as long as necessary to provide the services and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. We determine retention periods using factors such as statutory limitation periods, contractual obligations, and operational needs. Because these needs can vary for different data types, the context of our interactions with you or your use of services, actual retention periods can vary significantly.

We retain each category of personal information for no longer than reasonably necessary for the purposes disclosed. The table below lists our retention periods (or criteria) by category. Where retention is expressed as a range, the applicable period is determined based on the sensitivity of the data, regulatory obligations, and documented business need.

Category	Retention Period
Identifiers, such as name and contact information	3 years after last interaction or while providing services, plus time to comply with legal obligations.
California Customer Records personal information, such as name and contact information	3 years or per legal/contract requirements.
Protected classification characteristics under California or federal law, such as age, medical condition, and race	Until purpose fulfilled, then securely deleted or de-identified.
Professional or employment-related information, if you apply for a job at SiteRx.	Until purpose fulfilled, then securely deleted or de-identified.
Non-public education information, if you apply for a job at SiteRx.	Until purpose fulfilled, then securely deleted or de-identified.
Protected classification characteristics (where provided)
Internet or other similar network activity, such as your browsing history and interactions with our website.	12–24 months for security, fraud prevention, and audit.
Inferences drawn from other personal information.	12–24 months or until profiling purpose is complete.
Sensitive Personal Information Categories (listed above)	Retained only for statutorily permitted purposes and for the shortest time needed to achieve those purposes (see Section VI.F).

Where a fixed time is not appropriate, we apply objective criteria (e.g., legal holds, limitation periods, regulatory requirements, and business need).

If you have any questions about this Notice or need to access it in an alternative format due to having a disability, please contact privacy@siterx.com.

II. Sources of Personal Information

We obtain the categories of personal information listed above from the following categories of sources:

Directly from you. For example, from forms you complete or information and records you provide to us.
Indirectly from you. For example, from forms you complete or information you provide to other parties who share them with us.
From a third party at your direction and/or on your behalf. For example, from medical records and related information you authorize us to obtain from your health care provider.
Internet cookies.
Data analytics providers.

III. Use of Personal Information

We may use the personal information we collect for one or more of the following purposes:

To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to obtain a service, we will use that information to facilitate the performance of that service. We may also save your information to facilitate new product orders or process returns.
To provide, support, personalize, and develop our products and services.
To create, maintain, customize, and secure your account with us.
To process your requests, purchases, transactions, and payments and prevent transactional fraud.
To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
To personalize your experience and to deliver content and service offerings relevant to your interests, including via website, email or text message (with your consent, where required by law).
To help maintain the safety, security, and integrity of our services, databases and other technology assets, and business.
For testing, research, analysis, and product development, including to develop and improve our services.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
As described to you when collecting your personal information or as otherwise set forth in the CCPA.
In connection with purposes specified in the SiteRx Privacy Policy for Middleware Services such as conducting review and analysis to help determine your potential eligibility to participate in current and/or prospective studies (“Studies”) by clinical research sponsors (“Sponsors”), and facilitating your study recruitment, including contacting and communicating with you via land line phone, cell phone, email, and text message (with your consent where required by law; cell and data charges may apply).
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our users and/or consumers is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

IV. Disclosure of Personal Information

We do not sell personal information or sensitive personal information.

We may disclose your personal information to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, we have disclosed personal information for a business purpose to the categories of third parties indicated in the chart below.

Personal Information Category	Business Purpose Disclosures	Categories of Third-Party Recipients
Identifiers.	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development. Representatives of California residents Government agencies
California Customer Records personal information categories.	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development. Representatives of California residents Government agencies
Protected classification characteristics under California or federal law.	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development. Representatives of California residents Government agencies
Internet or other similar network activity.	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development. Representatives of California residents Government agencies
Professional or employment-related information.	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with administering employment benefits. Government agencies
Non-public education information.	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with administering employment benefits. Government agencies
Inferences drawn from other personal information.	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development.
Sensitive Personal Information Category	Business Purpose Disclosures	Categories of Third-Party Recipients
Government identifiers (social security, driver's license, state identification card, or passport number)	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	None
Complete account access credentials (user names, account numbers, or card numbers combined with required access/security code or password)	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development. Representatives of California residents Government agencies
Racial or ethnic origin	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development. Representatives of California residents Government agencies
Genetic data	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development. Representatives of California residents Government agencies
Mail, email, or text messages contents not directed to us	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	None
Health, sex life, or sexual orientation information	To provide the requested services To improve our services To troubleshoot our website To comply with legal requests	Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development. Representatives of California residents Government agencies

All third parties receiving personal information for business purposes act as ‘service providers’ or ‘contractors’ as defined under the CCPA and are contractually restricted from retaining, using, or disclosing personal information outside the scope of the services.

V. Automated Decision-making Technology (ADMT)

“ADMT” means technology that processes personal information and uses computation to replace or substantially replace human decision-making—for example, where a decision is made without human involvement using the technology’s output.

Our practices. SiteRx does not use ADMT to make decisions that produce legal or similarly significant effects about consumers. We therefore do not offer consumers the ability to opt out of the use of ADMT in the processing of consumer personal information.

VI. Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

A. Right to Know and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the “right to know”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know, Delete, or Correct), we will disclose to you:

The categories of personal information we collected about you.
The categories of sources for the personal information we collected about you.
Our business or commercial purpose for collecting that personal information.
If we disclosed your personal information for a business purpose, a list of all disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
The specific pieces of personal information we collected about you (also called a data portability request).

B. Right to Delete

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the “right to delete”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know, Delete, or Correct), we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

C. Right to Correct

You have the right to correct inaccurate personal information we maintain about you. We will use commercially reasonable efforts to correct such inaccurate personal information. Once we receive a correction request and confirm your identity (see Exercising Your Rights to Know, Delete, or Correct), we will review the contested information’s accuracy, considering the totality of the circumstances, and determine if it is more likely than not that the personal information we maintain is inaccurate. We will review and consider any documentation you provide to support your correction request and encourage you to make a good faith effort to provide us with all necessary information during the request submission process. If we determine it is more likely than not that the personal information is inaccurate, we will correct such information on our systems and instruct all service providers and contractors to whom such personal information was disclosed to make the necessary corrections in their respective systems.

Alternatively, we may delete the contested personal information instead of correcting it when either:

Deleting it does not negatively impact you, for example, by making it harder for you to obtain a job or any other type of opportunity; or
You consent to deletion.

We may deny your correction request if:

The request conflicts with federal or state law or qualifies for an exception;
Based on the circumstances, the request makes compliance impossible or involves disproportionate effort;
We have a good faith, reasonable, and documented belief that the request is fraudulent or abusive;
The request was previously made and denied within the past six months, unless you provide new or additional documentation to prove the contested information is inaccurate; or
We cannot verify your identity to the requisite level.

D. Exercising Your Rights to Know, Delete, or Correct

How to submit requests (Know/Delete/Correct):

You may use any of the following methods to submit requests to know, delete, and correct:

Web portal: Use our Privacy Center to submit and track requests.
Email: privacy@siterx.com
Mail: SiteRx, Inc., Attn: Privacy Office, 101 Sixth Avenue, Floor 10, New York, NY 10013
Toll-Free Number: (888) 703-3262

Only you, or someone legally authorized to act on your behalf, may make a request to know, delete, or correct related to your personal information.

You may only submit a request to know twice within a 12-month period. Your request to know, delete, or correct must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include:
- Confirmation of your name, address, date of birth, or other similar information about you in our possession.
- Confirmation by your legally authorized representative of your name, address, date of birth or other similar information about you in our possession, as well as delivery of a valid power of attorney or other documentation verifying their status as your legally authorized representative.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

You do not need to create an account with us to submit a request to know, delete, or correct.

We will only use personal information provided in the request to verify the requestor’s identity or authority to make it.

E. Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact privacy@siterx.com.

We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

F. Right to Limit Our Use and Disclosure of Your Sensitive Personal Information

We use and disclose sensitive personal information only for CCPA-permitted purposes (e.g., to provide requested services, ensure security and integrity, and perform short-term transient uses). Because we do not use sensitive personal information for additional purposes, the CCPA’s “right to limit” does not apply to our current practices. If our practices change, we will offer the right to limit.

G. Personal Information Sales and Sharing Opt-Out Rights

As aforementioned, SiteRx does not sell personal information or “share” such information as “sharing” is defined under the CCPA. We also do not engage in cross-context behavioral advertising. Therefore, we do not offer a process for opting out of such selling/sharing.

VII. Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you with a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

VIII. Other California Privacy Rights

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@siterx.com or write us at: siterx.com/contact.

IX. Changes to Our Privacy Policy

We reserve the right to amend this notice at our discretion and at any time. When we make changes to this notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our services following the posting of changes constitutes your acceptance of such changes.

X. Contact Information

If you have any questions or comments about this notice, the ways in which SiteRx collects and uses your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Website: siterx.com
Email: privacy@siterx.com
Postal Address: SiteRx, Inc.
Attn: Privacy Office
101 Sixth Avenue, Floor 10, New York, NY 10013

If you need to access this Policy in an alternative format due to having a disability, please contact us via any of the methods provided.