Legal

Tether Health, Inc. ("Tether Health," "we," "us," or "our") provides a referral management and specialist discovery platform for healthcare providers through our website and software services (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Services, visit our website, or otherwise interact with us.

The Services are directed towards healthcare provider customers and their authorized staff. Before using the Services or submitting any personal information to us, please review this Privacy Policy carefully. By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

We collect personal information when you create an account, request a demo, contact us, or otherwise provide information to us. This may include your name, email address, phone number, job title, practice name, NPI number, professional credentials, mailing address, and billing information.

When you use the platform, we collect data necessary to operate the referral management and specialist discovery features:

• Referral data: Information entered by authorized practice users, which may include patient names, dates of birth, contact information, insurance details, diagnoses, and referral notes.
• Directory data: We compile our specialist directory using publicly available sources including the NPPES NPI Registry, state medical board databases, CMS provider data, and specialty society directories. Providers on the platform may also submit or update their own directory listings.
• Usage data: Features accessed, actions taken, referral volume, and interaction patterns.
• Device and log data: IP address, browser type and settings, operating system, device identifiers, access times, pages viewed, and referring URLs.
• Location data: We derive a rough estimate of your location from your IP address.

Health data: Our healthcare provider customers share patient information with us through referral forms, intake forms, insurance documentation, and other standard healthcare forms. We process this information on their behalf to automate referral routing, status tracking, and appointment scheduling. We apply HIPAA privacy and security standards to all health data we receive and process it pursuant to our Business Associate Agreements.

Patient communications: If you are a patient of one of our healthcare provider customers and receive text messages or emails regarding your referral status or appointment scheduling, we collect your responses and related scheduling information on behalf of that provider. These communications are sent only with appropriate consent and in compliance with the Telephone Consumer Protection Act (TCPA).

We may create de-identified or aggregated data that cannot reasonably be used to identify any individual. De-identification is performed using the Safe Harbor method defined under HIPAA (removal of the 18 specified identifiers). We may use de-identified data for research, product development, refining our algorithms and machine learning models, analytics and benchmarking reports, aggregate referral pattern analysis, and public reports on referral trends containing no individually identifiable information.

We may share de-identified and aggregated data with partners and third parties. This data is non-personal information and is not subject to the restrictions on PHI described in this policy.

We use cookies and similar technologies to operate our website, analyze usage, and improve your experience. For details, please see our Cookie Policy.

We use analytics services, including PostHog, to understand how visitors use our website. These services use cookies to collect information in aggregate form. No PHI is transmitted to analytics services. Our website currently does not respond to "Do Not Track" browser signals.

We use the information we collect for the following purposes:

• To provide and operate the Services: Processing referrals, maintaining the specialist directory, tracking referral status, enabling communication between practices, and facilitating patient appointment scheduling.
• To enable referral network features: Routing referral information between referring providers and receiving specialists through the platform.
• To send patient communications: When authorized by the applicable practice and with appropriate patient consent, sending referral status updates, appointment confirmations, or scheduling-related messages.
• To improve and develop the Services: Analyzing usage patterns, identifying issues, conducting research, and developing new features.
• To communicate with you: Responding to inquiries, providing customer support, and sending service-related administrative notices.
• To ensure security: Monitoring for unauthorized access, fraud detection, and maintaining system integrity.
• To comply with legal obligations: Responding to lawful requests, complying with applicable laws, and enforcing our agreements.
• Marketing: We may use your contact information to send you information about our products and services. You may opt out at any time by following the unsubscribe instructions in our emails or by contacting us.

We do not sell personal information. We share it only with consent, as necessary to provide the Services, or as required by law.

• Between practices on the platform: Referral information is shared between the referring practice and the receiving specialist practice as necessary to complete the referral.
• Service providers and vendors: We share information with third-party vendors who perform services on our behalf, including cloud hosting, database management, communications, analytics, and payment processing. These providers are contractually obligated to protect your information and, where applicable, are bound by Business Associate Agreements.
• Professional advisors: We may disclose information to lawyers, accountants, auditors, and insurers where necessary.
• Affiliates: We may share information with any future parent company, subsidiaries, or affiliates for purposes consistent with this Privacy Policy.
• Business transfers: In connection with a merger, acquisition, financing, or sale of assets, your information may be transferred. We will notify you of any such change.
• Compliance and safety: We may share information when we believe disclosure is necessary to comply with legal obligations, protect our rights, prevent fraud, or protect safety.

When Tether Health processes PHI on behalf of a healthcare provider, we do so as a Business Associate under HIPAA and HITECH. Our obligations regarding PHI are governed by the HIPAA Privacy and Security Rules, the HITECH Act, and our Business Associate Agreement with the applicable healthcare provider. We apply the minimum necessary standard to all PHI we access.

For patients: If you are a patient whose information has been processed through our platform as part of a referral, your rights regarding your health information (including the right to access, amend, and receive an accounting of disclosures) are exercised through your healthcare provider. Your provider's Notice of Privacy Practices describes your rights in detail.

We use a combination of technical, administrative, and physical safeguards to protect your information, including:

• Encryption of data at rest (AES-256) and in transit (TLS 1.2 or higher)
• Role-based access controls limiting access to authorized personnel
• Multi-factor authentication for administrative and production system access
• Comprehensive audit logging of all access to sensitive data
• Regular security assessments, vulnerability scanning, and penetration testing
• HIPAA workforce training and signed confidentiality agreements for all team members
• HIPAA-compliant infrastructure for all health data storage and processing

While we take reasonable measures to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

• Account and profile information: Retained for the duration of the account and a reasonable period thereafter
• Referral data containing PHI: Retained in accordance with HIPAA requirements (minimum 6 years) and our Business Associate Agreements
• Audit logs: Minimum 6 years
• Usage and analytics data: Retained in de-identified or aggregated form

Depending on your location and applicable law, you may have the right to know the categories of personal information we have collected, to access the specific pieces of personal information we hold, to request deletion (subject to legal retention obligations), to correct inaccurate information, and to opt out of the sale of personal information (we do not sell personal information).

Residents of certain states (including California, Virginia, Colorado, and Connecticut) may have additional rights under their state's privacy statute. To exercise any privacy right, please email support@tetherhealth.co.

The Services are directed to healthcare professionals and are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us immediately and we will promptly delete that information.

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last Updated" date. For material changes, we will provide additional notice. Your continued use of the Services after the effective date constitutes acceptance of the changes.

These Terms of Service ("Terms") are a legally binding agreement between you and Tether Health, Inc. ("Tether Health," "we," "us," or "our") governing your access to and use of the Tether Health platform, website, and related services (the "Services"). By accessing or using the Services, you agree to these Terms. "You" refers to the individual using the Services and, if applicable, the healthcare practice or entity on whose behalf you act.

The Services are intended for licensed healthcare providers, authorized practice staff, and healthcare organizations in the United States. By registering, you represent that you are at least 18 years old, have authority to bind the practice or organization you represent, and that the information you provide is accurate and complete. You are responsible for maintaining the confidentiality of your account credentials and for all activity under your account. Notify us immediately of any unauthorized use.

Tether Health provides a referral management and specialist discovery platform. The Services may include referral creation, submission, and tracking; specialist directory search; referral status updates and loop closure; patient communication tools; analytics and reporting; and EHR integrations.

You may use the Services solely for legitimate healthcare operations. You agree not to:

• Use the Services for any purpose other than legitimate healthcare operations
• Share account credentials with unauthorized individuals or access another user's account
• Transmit malicious code or harmful content through the Services
• Reverse engineer, decompile, or disassemble any part of the Services
• Use the Services to send unsolicited marketing communications to patients
• Scrape or collect data from the Services through automated means without prior written consent
• Use specialist directory data for purposes unrelated to patient referrals
• Violate any applicable law, regulation, or third-party rights in connection with your use

Use of the Services involving PHI requires a fully executed Business Associate Agreement (BAA) between your practice and Tether Health. The BAA is incorporated into these Terms by reference. As a Covered Entity, you are responsible for ensuring your use complies with HIPAA, including obtaining necessary patient authorizations. You agree to include only the minimum necessary PHI in referrals transmitted through the platform.

If you enable patient-facing communications through the Services (such as referral status text messages or appointment notifications), the following requirements apply:

• You must obtain prior express written consent from patients before automated messages are sent on your behalf
• Consent must be documented and stored with a record of who consented, when, and to what
• Patients must be able to opt out at any time, and opt-out requests must be honored immediately
• Consent may not be a condition of receiving treatment or services
• All messages will identify the sending practice, state the purpose, and include opt-out instructions

Tether Health provides the infrastructure for consent management, message delivery, and opt-out processing, but you are responsible for ensuring consent is properly obtained before enabling patient communications.

Certain features require payment as described in your subscription agreement or order form. Fees are billed monthly or annually as specified. All fees are non-refundable except as expressly stated or required by law. We may change fees upon 30 days' prior written notice. Failure to pay may result in suspension of access. You are responsible for applicable taxes.

Our intellectual property: The Services, including all software, technology, designs, and content (excluding your data), are owned by Tether Health and protected by intellectual property laws. We grant you a limited, non-exclusive, non-transferable, revocable license to use the Services in accordance with these Terms.

Your data: You retain all ownership rights in the data you input into the Services. You grant us a limited license to use, process, and store your data solely to provide the Services and as described in our Privacy Policy.

Aggregated and de-identified data: We may create aggregated or de-identified data derived from use of the Services. Such data does not identify any individual or practice. We may use it for product improvement, analytics, benchmarking, and other lawful purposes.

THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." TO THE FULLEST EXTENT PERMITTED BY LAW, TETHER HEALTH DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

Tether Health is not a healthcare provider and does not provide medical advice. We do not guarantee the accuracy or completeness of specialist directory listings. We are not responsible for clinical decisions, referral appropriateness, or patient outcomes associated with referrals made through the platform.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, TETHER HEALTH SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES. OUR TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE GREATER OF (A) AMOUNTS PAID BY YOU IN THE TWELVE MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED DOLLARS ($100).

You agree to indemnify and hold harmless Tether Health, its officers, directors, employees, and agents from claims arising out of your use of the Services in violation of these Terms, your violation of any law or regulation, the content or accuracy of data you submit, or your failure to obtain required patient consents.

These Terms remain in effect until terminated. Either party may terminate upon 30 days' written notice for any reason, or immediately upon material breach that is not cured within 30 days of notice. Upon termination, your access will be deactivated, PHI will be returned or destroyed per the BAA, surviving provisions remain in effect, and your data will be available for export for 30 days.

These Terms are governed by the laws of the State of Delaware, without regard to conflict of laws principles. Disputes shall be resolved in the state or federal courts located in Delaware.

Entire Agreement: These Terms, the Privacy Policy, the BAA, and any order form constitute the entire agreement between you and Tether Health. Amendments: We may modify these Terms by posting the revised version. Material changes will be communicated with at least 30 days' notice. Severability: If any provision is unenforceable, the remaining provisions remain in full force. Waiver: Failure to enforce any provision is not a waiver of that provision. Assignment: You may not assign these Terms without our consent. We may assign in connection with a merger, acquisition, or asset sale. Force Majeure: Neither party is liable for delays due to events beyond reasonable control.

This Cookie Policy explains how Tether Health, Inc. uses cookies and similar tracking technologies on our website and platform. It should be read alongside our Privacy Policy.

Cookies are small text files placed on your device when you visit a website. They help websites function efficiently, improve user experience, and provide usage information to site operators. Cookies may be session-based (deleted when you close your browser) or persistent (remaining until they expire or you delete them).

Essential for the Services to function. These enable authentication, session management, and security. You cannot opt out of these cookies.

Allow us to remember your preferences and settings, such as language and display options. These enhance your experience but are not strictly necessary.

Help us understand how visitors use our website by collecting aggregated information about page views, traffic sources, and user behavior. We use PostHog for this purpose. No PHI is transmitted to analytics services.

We do not currently use marketing or advertising cookies. If this changes, we will update this policy and obtain consent where required.

• Browser settings: Most browsers allow you to refuse cookies, delete existing cookies, or receive alerts when cookies are placed. Disabling certain cookies may affect functionality.
• Consent banner: Our website presents a cookie consent banner allowing you to accept or decline non-essential cookies.
• Analytics opt-out: Third-party analytics providers may offer their own opt-out mechanisms.

Our Services do not currently respond to "Do Not Track" browser signals. We will update this policy if that changes.

We may update this Cookie Policy from time to time. Changes will be posted on this page with an updated effective date.

Tether Health, Inc. operates as a Business Associate under HIPAA and the HITECH Act. We provide referral management services to healthcare providers ("Covered Entities") and process protected health information (PHI) on their behalf.

As a Business Associate, Tether Health:

• Enters into Business Associate Agreements with every provider that uses our platform to process PHI
• Implements administrative, technical, and physical safeguards to protect PHI
• Limits use and disclosure of PHI to what is necessary to perform our services or as required by law
• Reports breaches of unsecured PHI to affected providers in accordance with HIPAA
• Requires subcontractors who handle PHI to enter into BAAs and comply with HIPAA
• Trains all workforce members on HIPAA privacy and security requirements

If your information was transmitted through our platform as part of a referral:

• Your healthcare provider is the Covered Entity responsible for your health information
• Your rights (access, amendment, accounting of disclosures, restrictions) are exercised through your provider
• Your provider's Notice of Privacy Practices describes your rights in detail
• Questions about how your information was used should be directed to your provider

If you are interested in using Tether Health:

• A Business Associate Agreement must be executed before any PHI is processed
• Security posture documentation and compliance evidence are available upon request
• Contact support@tetherhealth.co to request a BAA or security documentation

• AES-256 encryption at rest; TLS 1.2+ in transit
• Role-based access controls and multi-factor authentication
• Comprehensive audit logging of all PHI access
• Regular risk assessments, vulnerability scanning, and penetration testing
• Documented incident response and breach notification procedures
• Workforce HIPAA training and signed confidentiality agreements

For a detailed overview of our security architecture, visit our Security page.

In the event of a breach of unsecured PHI, Tether Health will notify the affected healthcare provider(s) without unreasonable delay as required by HIPAA and the applicable BAA, so that the provider can fulfill its notification obligations to patients and regulators.