Your Privacy Matters

To Us

Health Stories Project Global Privacy Policy

Effective Date: September 23, 2025
Previous versions are available upon request.

AT A GLANCE – KEY POINTS

• What we collect: Health stories, demographics, health-related details, browsing activity, and any information you choose to share.
• Why we collect it: To connect people to clinical/research opportunities and opportunities to share their stories.
• Your choices: You can opt in or out marketing and cookies. You may also access, correct, or delete your data.
• Who we share with: Only with partners, sponsors, and vendors as needed—and only with your explicit consent. We never sell your personal information.
• Global coverage: This Policy applies globally. Special rights apply if you live in California, the EU, UK, Switzerland, or other regulated jurisdictions.

INTRODUCTION & SCOPE

This Privacy Policy (“Policy”) explains how Health Stories Project, LLC and Reverba Global™ (together, “Health Stories Project,” “Reverba Global,” “we,” “our,” or “us”) collect, use, disclose, and protect Personal Information when you interact with our:

• Websites, mobile applications, and online platforms
• Email, phone, or SMS communications
• Offline forms or programs operated under our control

This Policy applies only to information collected by us directly. If you provide information by telephone, email, or through third-party platforms outside our Sites, their policies may also apply. By using our Sites or providing information, you agree to this Policy and our Terms of Use located here.

The core activities supported by Health Stories Project is to enable people to learn more about:

• Opportunities to share their stories, and
• Clinical trial opportunities

We also conduct general website activities (forms, surveys inquiries, browsing)

We are committed to protecting privacy and applying appropriate safeguards to Personal Information.

Definitions. “Personal Information” means any information that identifies, relates to, or could reasonably be linked to an individual or household. Some categories (such as health, race/ethnicity, or precise geolocation) may be considered Sensitive Personal Information (SPI) or “special category data” under applicable laws.

Children’s Privacy. Our Sites are not directed to children under 13 (or 16 under EU/UK law). We do not knowingly collect Personal Information from children without verified parental/guardian consent. If discovered, we will delete it promptly.

COLLECTION OF INFORMATION

Information You Provide

We collect Personal Information when you voluntarily provide it, such as through:

• Surveys, questionnaires, or email communications
• Offline forms or signed agreements

Consent is always obtained via opt-in checkboxes, electronic signature, or written consent. You may withdraw consent at any time (see below).

Categories of Personal Information we may collect that is voluntarily provided:

1. Identifiers (e.g., name, contact details)
2. Dates (limited) (e.g., date of birth)
3. Health & Treatment Information (e.g., medical history, diagnosis, treatment)
4. Demographics (e.g., age, gender, race/ethnicity)
5.  Location of residence (location information smaller than state level, if consented)
6. Family/Household Data (information about spouse/partner or child)
7. Employment/Education (if voluntarily provided)

Automatically Collected Information

We also collect information automatically:

• Aggregated Data (overall usage trends, de-identified)
• Server Logs (IP, browser type, device, timestamps)
• Cookies & Similar Technologies (see Section 11)
• Link Tracking (click-through to external sites)

Third-Party Collection

Certain third-party providers may collect information via our Sites, including:

• Internet / Network Activity (e.g., logs, IP, browser, device type, Google tracking pixels)
• Hosting and IT service providers
• Analytics providers (e.g., Google Analytics)
• Cloud storage vendors
• Customer communication tools
• Security monitoring vendors
• (Where disclosed) advertising partners (e.g., Meta Pixel, LinkedIn)

Their use of Personal Information is governed by their own privacy policies.

HOW WE USE PERSONAL INFORMATION

We use Personal Information for:

• Story Sharing & Publication (with explicit consent)
• Clinical & Research Opportunities (screening for eligibility, connecting to sponsor companies)
• Website Purposes (responding to inquiries, administering forms)
• Communications (updates, notices, program details)
• Operations & Security (authentication, fraud prevention, incident response)
• Compliance & Legal Obligations (to meet regulatory requirements)
• Research & Analytics (de-identified insights, non-reidentifiable)
• Marketing (opt-in only) (newsletters, promotional opportunities—separate consent required)

We do not sell Personal Information.

LEGAL BASES FOR PROCESSING (EEA/UK/SWITZERLAND)

We rely on the following bases:

• Consent (e.g., publishing stories, processing health data, marketing)
• Contractual Necessity (to provide services you request)
• Legitimate Interests (improving services, ensuring security, analytics—balanced against your rights)
• Legal Obligation (to comply with applicable laws)
• Vital Interests (protecting life/safety in emergencies)

Right to Object: You may object to processing based on legitimate interests at any time.

REASONS WE SHARE PERSONAL INFORMATION

We may share Personal Information with:

• Sponsor Companies & Program Partners (with explicit consent for health/story data)
• Service Providers & Vendors (IT, analytics, consultants, hosting)
• Media/Campaign Partners (only with explicit consent for story publication)
• Corporate Transactions (e.g., merger, acquisition, sale)
• Legal/Regulatory Authorities (if required by law or subpoena)
• With Your Consent or Direction

We may also disclose aggregated or anonymized data that cannot reasonably identify individuals.

INTERNATIONAL TRANSFERS

Our Sites are hosted in the United States. If you are outside the U.S., your information will be transferred here. To safeguard this:

• For EEA/UK/Switzerland residents, we use Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or Addendum as applicable.
• Supplementary measures (encryption, access controls, audits) are applied.
• Some cloud vendors may process data in other regions; contractual safeguards apply.

RETENTION

We retain Personal Information only as long as needed for program or compliance purposes:

• Marketing/communications data: Until consent is withdrawn
• Cookies/analytics logs: As required for marketing purposes
• Legal/transactional data: As required by applicable law

De-identified or aggregated data may be kept indefinitely.

DATA SECURITY

We implementappropriate technical and organizational measures to protect Personal Information, including:

• Encryption of data in transit and at rest
• Role-based access controls
• Routine monitoring and penetration testing
• Incident response protocols

Breach Notification: If required by law, we will notify affected individuals and regulators without undue delay.

You should also protect your own data (e.g., by safeguarding passwords and avoiding shared/public devices for sensitive submissions).

YOUR RIGHTS

Depending on your location, you may have the right to:

• Access, correct, or delete your Personal Information
• Restrict or object to certain processing
• Withdraw consent at any time (does not affect prior lawful processing)
• Receive a copy of your Personal Information in portable format
• Object to profiling or automated decision-making
• File a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France)

Requests may be submitted via:

• Email: privacy@healthstoriesproject.com
• Phone: 1-800-481-8753
• Mail: Privacy Officer, Health Stories Project, 701 Pike Street, Suite 2000, Seattle, WA 98101

We will not retaliate against you for exercising your rights.

California Residents (CCPA/CPRA)

California residents may request:

• Categories/specific pieces of Personal Information collected
• Sources of collection
• Purposes for use
• Categories of third parties shared with
• Deletion or correction of data

You also have the right to:

• Limit use/disclosure of Sensitive Personal Information (SPI includes health, race/ethnicity, geolocation, etc.)
• Designate an authorized agent (with proof of authority)
• Be free from discrimination for exercising rights

Requests may be made via:

• Email: privacy@healthstoriesproject.com
• Phone: 1-800-481-8753
• Mail: Attn: Privacy Office, Reverba Global, 701 Pike Street, Suite 2000, Seattle, WA 98101

LINKS TO OTHER SITES

Our Sites may link to external websites we do not control. Their privacy practices are governed by their own policies.

COOKIES & SIMILAR TECHNOLOGIES

We use cookies and similar technologies to:

• Operate our Sites securely
• Remember preferences (e.g., language)
• Analyze usage (e.g., Google Analytics)
• Deliver advertising (only with consent where legally required)

Types of Cookies:

• Strictly Necessary (essential for operation)
• Performance/Analytics (usage measurement)
• Functionality (user preferences)
• Advertising/Targeting (consent-based ads)

Managing Cookies:

• You can disable cookies in your browser.
• In the EEA/UK, non-essential cookies are set only with your explicit consent.
• A cookie banner and preference center allow you to adjust settings at any time.

Do Not Track (DNT): Our Sites may not respond to DNT signals. Where required by law, we provide opt-out mechanisms.

QUESTIONS & CONTACT

If you have questions or concerns about our privacy practices, or wish to report an issue:

• Email: privacy@healthstoriesproject.com
• Phone: 1-800-481-8753
• Mail: Attn: Privacy Officer, Health Stories Project, 701 Pike Street, Suite 2000, Seattle, WA 98101

If you believe your rights have been violated, you may file a complaint with the relevant government authority. You will not be penalized for doing so.