Opus Health Privacy Policy
Effective date: November 11th, 2025
Last updated: November 11th, 2025
This privacy notice for Opus Health Solutions, Inc. ("Opus Health," "we," "us," or "our") describes how and why we collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:
- Visit our website at https://www.opushealth.io, or any website of ours that links to this privacy notice
- Use our web or mobile applications (the "App") that link to this privacy notice
- Connect eligible health accounts (e.g., HSA/FSA) and submit reimbursement claims through our platform
- Engage with us in other related ways, including any customer support, sales, or events
Questions or concerns? Reading this privacy notice will help you understand your rights and choices. If you do not agree with our policies and practices, please do not use our Services. You can contact us at support@opushealth.io.
Summary of Key Points
- What personal information do we process? Depending on how you interact with Opus Health and the Services, we may process personal information and, in certain contexts, Protected Health Information (PHI) and financial information. See Section 1.
- Sensitive information? With your consent or as permitted by law, we may process health data and financial data (e.g., HSA/FSA eligibility, plan details, receipts) where necessary to provide the Services.
- Third parties? We receive and share information with selected service providers (e.g., payments, data connectivity, hosting) and, as directed by you, with employers, benefit administrators/TPAs, banks/custodians, and healthcare providers to facilitate reimbursements.
- How do we process information? We process data to operate, improve, and secure our Services; to support reimbursements and payments; to comply with law; and with your consent for additional purposes.
- How do we keep it safe? We employ organizational and technical safeguards, including encryption and access controls, and align with HIPAA (where applicable) and PCI DSS for payment-related data.
- Your rights. Depending on your location, you may have rights over your information (e.g., access, correction, deletion, portability, opt-out of certain processing).
- How to exercise your rights. Contact support@opushealth.io or use the in-product controls where available.
Table of Contents
- What Information Do We Collect?
- How Do We Process Your Information?
- When and With Whom Do We Share Your Personal Information?
- Do We Use Cookies and Other Tracking Technologies?
- How Do We Handle Social Logins?
- How Long Do We Keep Your Information?
- How Do We Keep Your Information Safe?
- Do We Collect Information from Minors?
- What Are Your Privacy Rights?
- Controls for Do-Not-Track Features
- California Privacy Notice
- Virginia Privacy Notice
- Do We Make Updates to This Notice?
- How Can You Contact Us About This Notice?
- How Can You Review, Update, or Delete the Data We Collect from You?
1. What Information Do We Collect?
Personal information you disclose to us
In short: We collect personal information that you provide to us.
We collect personal information you voluntarily provide when you register, link accounts, file claims, upload receipts or documentation, communicate with support, or otherwise use the Services. This may include:
- Identifiers & contact info: name, email, phone, mailing/billing address, employer, job title
- Account credentials: usernames, passwords, multi-factor data (hashes/tokens)
- Preferences: communication and notification preferences
- Claims & documentation: uploaded receipts/invoices/EOBs, merchant names, dates, amounts, categories, and notes
- Payment & reimbursement details: payout method, bank account tokens/identifiers, last four of card/account where applicable
- Government identifiers (where necessary): SSN or similar identifiers required for identity verification or tax reporting (e.g., 1099/1095 support), subject to applicable law
Sensitive Information
With your consent or as permitted by law, we process:
- Health-related data/PHI: plan type and eligibility (HSA/FSA/limited-purpose/LPFSA), claim eligibility determinations, documentation contents that may include diagnostic or treatment references present on receipts/EOBs
- Financial data: account/balance information for HSA/FSA, reimbursement routing details, and transactions related to claims
- Government identifiers: where required for KYC/identity verification or compliance
Payment Data
If you make payments or receive reimbursements, we may collect information necessary to process them. We use third-party processors (e.g., Stripe for card rails). Payment data is stored by those processors; please refer to their privacy notices (e.g., Stripe: https://stripe.com/privacy).
Note: We may use account connectivity providers (e.g., Plaid) to securely connect financial accounts. Their use is governed by their own privacy notices.
Information automatically collected
In short: Some information is collected automatically when you use the Services.
We automatically collect device and usage information (e.g., IP address, device and browser type, operating system, referring URLs, pages viewed, links clicked, error logs, performance data, and time/date stamps). We use cookies and similar technologies; see Section 4.
Application Data (if you use our App)
- Mobile device access (optional): camera (for receipt capture), photo library (to attach receipts)
- Mobile telemetry: device model, OS version, App version, crash logs
- Push notifications: account, claims, and security alerts (you can manage these in your device settings)
All personal information you provide must be true, complete, and accurate, and you should notify us of any changes.
2. How Do We Process Your Information?
In short: To provide and improve the Services, communicate with you, secure our platform, and comply with laws.
We process information to:
- Create and manage accounts; authenticate users; prevent fraud and abuse
- Determine HSA/FSA eligibility and facilitate reimbursement workflows
- Connect to custodians, TPAs, employers, and providers you authorize
- Process and fulfill payments, reimbursements, and refunds
- Provide support; respond to requests and feedback
- Analyze usage; improve features, performance, and user experience
- Send transactional messages (e.g., claim status, security alerts) and, where permitted, marketing communications (you can opt out)
- Protect our Services and users; enforce terms; comply with legal obligations
- Perform aggregate analytics and de-identified reporting
We process information only where we have a legal basis (e.g., your consent, performance of a contract, legitimate interests, compliance with legal obligations).
3. When and With Whom Do We Share Your Personal Information?
In short: We share with service providers, partners you authorize, and as required by law.
Categories of recipients
- Service providers/contractors: hosting, security, analytics, product tools, payments/ACH, data connectivity, customer support, and communications
- Payments & banking partners: card processors, ACH providers, banks/custodians
- Benefits ecosystem: employers, TPAs/administrators, and healthcare providers as you direct or as needed to provide the Services
- Professional advisors: auditors, legal counsel, and insurers
- Corporate transactions: in connection with mergers, financing, or acquisitions, subject to safeguards
These parties may access data only to perform services for us under contract and must protect it.
We may also disclose information:
- To comply with law, regulation, legal process, or government request
- To enforce our terms and protect rights, safety, and security
- With your consent or at your direction
4. Do We Use Cookies and Other Tracking Technologies?
Yes. We use cookies, SDKs, and similar technologies to operate the site, keep you logged in, remember preferences, measure performance, and improve the Services. You can manage cookies in your browser and (where offered) within our Cookie Preferences tool. Blocking some cookies may impact functionality.
5. How Do We Handle Your Social Logins?
If we offer social or single sign-on (SSO) and you choose to use it, we will receive certain profile information from the identity provider (e.g., name, email). We use this data only as described in this notice or as otherwise disclosed during login flows. Please review your identity provider's privacy notice for more information.
6. How Long Do We Keep Your Information?
We retain information only as long as necessary to fulfill the purposes described here, including providing the Services, complying with legal, accounting, and audit obligations, enforcing agreements, and resolving disputes. When no longer needed, we will delete or de-identify information, or securely store it until deletion is feasible (e.g., due to backups).
7. How Do We Keep Your Information Safe?
We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and at rest where appropriate, least-privilege access, logging and monitoring, and secure development practices. For card data, our processors align with PCI DSS. Where we act as a HIPAA Business Associate, we implement required controls and will enter into BAAs with Covered Entities as applicable. However, no Internet or storage system is 100% secure.
8. Do We Collect Information from Minors?
We do not knowingly collect or market to children under 18. By using the Services, you represent you are at least 18, or a parent/guardian has consented to the minor's use. If we learn that we collected data from a child under 18, we will delete it. Contact support@opushealth.io if you believe a child has provided personal data to us.
9. What Are Your Privacy Rights?
Depending on your location, you may have rights such as access, correction, deletion, portability, and to object or restrict certain processing. Where we rely on consent, you can withdraw it at any time (this won't affect prior processing). You may also opt out of marketing communications using the unsubscribe link or by contacting us.
To exercise rights, contact support@opushealth.io. We will respond in accordance with applicable laws.
Account information. To review, change, or delete your account data, contact us or use in-product settings (where available). We may retain limited information as needed for legal, security, or operational purposes.
Cookies. You can manage cookies in your browser and our Cookie Preferences (where offered).
10. Controls for Do-Not-Track Features
Most browsers and mobile OSs include a Do-Not-Track (DNT) setting. No uniform standard for recognizing DNT signals has been finalized; accordingly, we do not currently respond to DNT. If a standard is adopted, we will update this notice.
11. California Privacy Notice
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides additional rights.
Notice at Collection & Categories
In the past 12 months, we may have collected:
Identifiers (e.g., name, email, IP), customer records data (e.g., contact, billing), protected classifications where necessary (e.g., date of birth), commercial information (e.g., transactions/claims), Internet activity (limited telemetry), geolocation (approximate via IP), audio/visual (support recordings if you consent), professional information (employer), inferences (limited product analytics), and sensitive personal information (health/financial data and limited government identifiers for KYC/compliance).
We collect and use this information for the purposes described in Sections 1–3 and 6–7.
Sharing/Selling
We do not sell personal information. We may "share" (as defined by CPRA for cross-context behavioral advertising) limited online identifiers with analytics/ads partners where applicable; you can opt out via "Do Not Sell or Share My Personal Information" (where available) and by adjusting cookie preferences.
Right to Know, Correct, Delete, and Limit
You may request: (i) access to categories/specific pieces of personal information; (ii) correction of inaccuracies; (iii) deletion; and (iv) to limit use/disclosure of sensitive personal information to what is necessary to provide the Services. We will verify your request and respond within required timelines. You may use an authorized agent; we may require proof of authorization and identity.
Contact: support@opushealth.io
12. Virginia Privacy Notice
If you are a Virginia resident, you may have rights under the VCDPA, including access, correction, deletion, portability, and to opt out of targeted advertising and certain profiling. Submit requests to support@opushealth.io. If we decline a request, you may appeal by emailing the same address; we will respond within 60 days with our decision and how to contact the Attorney General if you remain unsatisfied.
13. Do We Make Updates to This Notice?
Yes. We may update this notice from time to time. The updated version will be indicated by a new "Last updated" date and is effective when posted. If we make material changes, we may notify you via the Services or email.
14. How Can You Contact Us About This Notice?
If you have questions or comments, you may contact our Data Protection Officer (DPO) at support@opushealth.io or reach us by mail at:
Opus Health, Inc.
Attn: Privacy / DPO
2000 Club Lake Circle
Rockwall, TX 75087
United States
15. How Can You Review, Update, or Delete the Data We Collect from You?
Based on your location, you may have a right to request access to, or the update or deletion of, your personal information. To submit a request, contact support@opushealth.io or use in-product mechanisms (where available).