Privacy Policy
Last Updated: January 22, 2026
This Privacy Policy describes how Forma Health, Inc. ("Company," "Forma Health," "we," "us," or "our") collects, uses, and shares your personal information through our mobile application, physician portal, researcher portal, and website (collectively, the "Services"). This Privacy Policy does not apply to any third-party websites, services, or applications, even if they are accessible through our Services.
Table of Contents
- 1. Personal Information We Collect
- 2. How We Use Your Personal Information
- 3. How We Disclose Your Personal Information
- 4. Your Privacy Choices and Rights
- 5. How Long We Keep Your Personal Information
- 6. Data Security
- 7. Children's Privacy
- 8. State-Specific Privacy Rights
- 9. Cross-Border Data Transfers
- 10. Third-Party Websites or Applications
- 11. Changes to This Privacy Policy
- 12. Contact Us
1. Personal Information We Collect
The categories of personal information we collect depend on how you interact with Forma Health and the Services, as well as on the requirements of applicable law.
1.1 Personal Information You Provide to Us Directly
We collect personal information that you provide to us, including:
Account Information
When you create an account, we collect:
- Your name and email address (or email from Google/Apple if you sign in using Google or Apple login)
- A nickname or username of your choice
- If you are a medical professional: your title, place of business, and credentials
- If you are a researcher: information about your institution and clinical study details
Demographic Information
You may choose to provide:
- Date of birth
- Gender
- Address
- Other demographic information
Diagnosis and Health Information
When you use the Services, you may provide:
- Information about your diagnosis, including the date of diagnosis and the diagnosing physician's name
- Symptoms you experience (described in text, voice, or captured via photos/videos)
- Medications you take
- Doctor appointments and visit notes
- Laboratory results
- Allergies
- Medical procedures
- Treatment plans and outcomes
- Details about your medical history
- Patient-reported outcomes and health tracking data
Voice and Camera Data
When you grant us access to your device's camera and/or microphone:
- Photos and Videos: We store images and videos you capture to document symptoms, wounds, medication packaging, or other health-related information. These images are securely stored and associated with specific health events you are tracking.
- Voice Recordings and Transcriptions: You may record voice notes to describe symptoms or experiences. Currently, voice transcription occurs on your device using your phone's built-in speech-to-text capabilities. We receive and store only the text transcription, not the original audio recording. In the future, we may offer server-side voice processing, in which case we will update this policy and obtain your consent before implementing such features.
Communication Information
We collect personal information when you request information about Forma Health or the Services, request customer support, submit feature requests or bug reports, or otherwise communicate with us.
Interactive Features
You, your healthcare provider, or your caregiver may submit personal information through the interactive features of the Services, such as messaging or chat.
1.2 Personal Information Collected Automatically
We collect certain information automatically when you use the Services:
Usage Information
When you use the Services, we automatically collect:
- Internet Protocol (IP) address
- Device identifiers and user settings
- Browser type and version
- Operating system
- Device type (phone, tablet, etc.)
- Approximate location derived from IP address
- Pages or screens viewed within the Services
- Links clicked
- Types of content you interact with
- Frequency and duration of your activities
- Timestamps of your interactions
Canada-Specific Notice:
In Canada, an IP address may be considered personal information where it can reasonably be linked to an identifiable individual. Because our Services relate to health and wellness, we treat IP addresses and related technical data as personal information and apply appropriate administrative, technical, and physical safeguards consistent with applicable Canadian privacy laws, including PIPEDA and applicable provincial health privacy legislation.
Crash Reports
If you experience technical issues and provide crash reports, we collect detailed diagnostic information about your device and the activities that led to the crash to help us improve the Services.
Cookies and Similar Technologies
We and third parties that provide content or functionality on the Services use cookies, pixel tags, web beacons, and other similar technologies ("Technologies") to automatically collect information when you use the Services.
- Cookies: Small text files placed on your device that store preferences and enable and enhance your experience.
- Pixel Tags/Web Beacons: Code embedded in the Services or emails that collects information about engagement, such as whether you visited a web page or opened an email.
Our use of these Technologies falls into the following categories:
- Operationally Necessary: Technologies required for you to access the Services, prevent fraudulent activity, improve security, or use core functionality.
- Performance-Related: Technologies used to assess the performance of the Services and understand how individuals use them.
- Functionality-Related: Technologies that provide enhanced functionality, such as remembering your preferences or past items viewed.
Analytics
We use third-party analytics tools to process analytics information on the Services. These tools help us understand how the Services are used and allow us to improve and personalize them. Some analytics providers we may use include:
- Google Analytics: For more information, visit Google Analytics' Privacy Policy. To opt out, visit Google Analytics Opt-Out.
- Other analytics providers: We may use additional analytics tools from time to time. We configure these tools to minimize data collection and do not permit them to use your data for advertising, profiling, or any other purpose.
Canada-Specific Notice:
For users in Canada, analytics processing is conducted for legitimate business purposes such as service improvement, system reliability, and security. We do not use analytics tools to identify individual users or infer health conditions, and we apply data minimization practices consistent with Canadian privacy laws.
United States Notice:
For users in the United States, analytics data is processed in accordance with applicable federal and state privacy laws. We do not sell or use analytics data for targeted advertising based on health-related information.
1.3 Personal Information Collected from Other Sources
Third Parties
We may collect personal information from third parties, such as:
- Your healthcare provider or caregiver, who may provide information about your diagnosis, treatment, and health status
- Researchers administering studies in which you participate
Future Health Data Integrations
In the future, we may offer integrations with:
- Apple Health and Google Health Connect (to import health data from your device)
- Electronic health record systems and laboratories (to import medical records or lab results)
Before implementing any such integrations, we will update this Privacy Policy and obtain your explicit consent for these data imports.
2. How We Use Your Personal Information
We use your personal information for a variety of business purposes, as described below.
2.1 To Provide the Services
We use personal information to fulfill our contract with you and provide the Services, such as:
- Managing your information and accounts
- Providing access to certain areas, functionalities, and features of the Services
- Enabling you to track and manage your health information
- Facilitating communication between you and your healthcare providers through the Services
- Answering support requests
- Communicating with you about your account, activities on the Services, and policy changes
- Processing and storing photos, videos, and voice transcriptions you create
2.2 For Administrative and Business Purposes
We use personal information for various administrative purposes, such as:
- Pursuing our legitimate interests, including research and development, network and information security
- Detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity
- Measuring interest and engagement with the Services
- Creating de-identified and/or aggregated information (see Section 2.4 below)
- Processing specific text-based data using third-party artificial intelligence services (data is de-identified before being sent to these services, and we contractually prohibit these services from training on or retaining your data)
- Developing and improving our own AI/ML models for future use (such as models hosted on AWS Bedrock or equivalent secure platforms)
- Conducting analytics to improve, upgrade, or enhance the Services
- Developing new products and services
- Ensuring internal quality control and safety
- Debugging to identify and repair errors in the Services
- Auditing relating to interactions, transactions, and compliance activities
- Enforcing our agreements and policies
- Complying with our legal obligations
2.3 With Your Consent
We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your explicit consent.
2.4 Creating De-Identified and/or Aggregated Information
We may create de-identified and/or aggregated information from your personal information. De-identified information is information that cannot reasonably be used to identify you. We create de-identified information by removing identifiers such as your name, email address, date of birth, and other information that could be used to identify you.
We may use de-identified and/or aggregated information for research, analysis, analytics, and any other legally permissible purposes, including:
- Comparing patient data across cohorts to identify trends and insights
- Supporting medical research and public health initiatives
- Improving our Services and developing new features
Important: De-Identification Commitment
If we create de-identified information, we will not attempt to re-identify it unless required by law.
Your Control Over De-Identified Data Sharing:
Through the Services' settings, you can choose to include or exclude your de-identified data from being shared with:
- Specific organizations (e.g., pharmaceutical companies, research institutions)
- Specific studies (e.g., clinical trials or observational research studies)
- Broad categories of organizations (e.g., academic research centers, biotechnology companies)
Even if you opt out of sharing de-identified data externally, we may still use de-identified data internally to improve the Services.
3. How We Disclose Your Personal Information
We disclose your personal information to third parties for various business purposes, as described below.
3.1 Disclosures to Provide the Services
Your Healthcare Providers
If you use the Services as part of your care with a healthcare provider (such as a physician or care team), we share your personal information—including all health information, photos, videos, voice transcriptions, and patient-reported outcomes—with that provider. This sharing is part of your treatment relationship and enables your provider to monitor your condition, adjust your treatment plan, and provide you with care.
You can manage which healthcare providers have access to your data through the Services' settings. If you revoke a provider's access, they will no longer be able to view new information you add. Still, they may retain copies of information they previously accessed as part of your medical record, in accordance with their own legal and professional obligations.
Caregivers
If you grant access to a caregiver (such as a family member), we share your personal information with that caregiver as you direct through the Services.
Researchers and Clinical Trial Sites
We handle researcher access in two ways:
De-Identified Research Data:
Researchers using the researcher portal have access only to de-identified and aggregated data. This data does not include your name, email address, date of birth, or other information that could reasonably identify you. You can control whether your de-identified data is shared with specific researchers, studies, or categories of organizations through the Services' settings.
Specific Research Studies:
If you explicitly enroll in a clinical trial or research study through the Services, we may share your identifiable personal information with the researchers or clinical trial site administering that study, but only after you provide explicit consent for that specific study. This allows them to contact you, enroll you, and include your data in the study.
Service Providers
We share your personal information with third-party service providers that perform functions on our behalf, such as:
- Cloud hosting and data storage (Amazon Web Services)
- Artificial intelligence and machine learning services (third-party AI providers that process de-identified text data; we contractually prohibit these providers from training on or retaining your data)
- Customer support services (when implemented)
- Analytics providers (configured to minimize data collection and prohibited from using your data for advertising or profiling)
- Email and notification services (when implemented)
- SMS and push notification services (such as Amazon SNS, when implemented)
- Payment processors (for billing physicians and researchers at the aggregate level; we do not charge patients directly)
These service providers are authorized to process personal information only as necessary to provide services to us and are contractually required to protect your information.
3.2 Disclosures to Protect Us or Others
We may access, preserve, and disclose information we store if we, in good faith, believe doing so is required or appropriate to:
- Comply with law enforcement or national security requests and legal process, such as a court order or subpoena
- Protect your, our, or others' rights, property, or safety
- Enforce our policies or contracts
- Collect amounts owed to us
- Assist with an investigation or prosecution of suspected or actual illegal activity
3.3 Disclosures in the Event of Merger, Sale, or Other Asset Transfers
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your personal information may be disclosed or transferred as part of such a transaction. The acquiring entity will be required to honor the commitments made in this Privacy Policy.
3.4 What We Do Not Do With Your Information
- We do not sell your personal information to third parties.
- We do not share your personal information for cross-context behavioral advertising or targeted advertising.
- We do not use your health information for marketing purposes without your explicit consent.
- We do not display advertisements in the mobile application or portals.
4. Your Privacy Choices and Rights
4.1 Your Privacy Choices
Email Communications
If you receive marketing emails from us, you may opt out by using the unsubscribe link at the bottom of the email or by contacting us. You will continue to receive service-related and transactional emails (such as account notifications or security alerts).
Mobile Device Permissions
- Push Notifications: You may opt out of push notifications by changing the settings on your mobile device.
- Location Access: With your consent, we may collect precise location information via the Services. You may opt out by changing the settings on your mobile device.
- Camera and Microphone Access: You control whether the Services can access your camera and microphone through your device settings.
"Do Not Track"
We do not currently respond to "Do Not Track" signals or similar mechanisms transmitted by web browsers.
Cookies
You may manage cookies by adjusting your browser or device settings. However, if you disable cookies, some features of the Services may not work correctly. Note that cookie-based opt-outs are ineffective in mobile applications.
Managing Healthcare Provider and Caregiver Access
You can manage which healthcare providers and caregivers have access to your information through the Services' settings. Revoking access prevents them from viewing new information, but does not delete information they previously accessed.
De-Identified Data Sharing
You can control whether your de-identified data is shared with external researchers and organizations through the Services' settings.
4.2 Your Privacy Rights
Depending on applicable law, you may have the right to:
- Confirm Whether We Are Processing Your Personal Information (the right to know)
- Request Access to Your Personal Information, including obtaining a copy of the personal information we hold about you
- Request Portability of Your Personal Information, including receiving an electronic copy in a structured, commonly used, and machine-readable format, or asking us to send it to another company
- Request Correction of your personal information where it is inaccurate, incomplete, or outdated (you can also update much of your information directly through the Services)
- Request Deletion of your personal information, subject to certain exceptions (see Section 4.3 below)
- Request Restriction of or Object to our processing of your personal information
- Withdraw Your Consent to our processing of your personal information (note that withdrawal only affects future processing and does not affect the lawfulness of processing before withdrawal)
To exercise these rights, please contact us using the information in the "Contact Us" section below. You can also delete your account directly through the Services by going to Settings.
Verification:
We may need to verify your identity before we can respond to your request. We will not discriminate against you for exercising any of these rights.
Canada-Specific Notice:
Canadian users may make access or correction requests under PIPEDA or applicable provincial privacy legislation. We will respond to such requests in accordance with applicable law.
4.3 Important Information About Data Deletion
When you request deletion of your account or personal information, please note:
What Will Be Deleted:
- Your identifiable personal information will be deleted within 30 days of your request
- This includes your name, email address, contact information, and directly identifiable health information
What Cannot Be Deleted:
- Research Study Data: If you have enrolled in a research study, the data you contributed to that study cannot be deleted, as doing so would compromise the integrity of the research. You can withdraw from future participation in a study, but data already collected will be retained by the study sponsor in accordance with research protocols and applicable law.
- De-Identified Data: De-identified and aggregated data that can no longer reasonably identify you may be retained for research, analytics, and service improvement.
- Legal Obligations: We may retain certain information where required by law or to comply with legal obligations, resolve disputes, or enforce our agreements.
Healthcare Provider Records:
When you authorize a healthcare provider to access your data through the Services, they may retain copies of that information as part of your medical record in accordance with their own legal and professional obligations. Deleting your Forma Health account does not delete the records your healthcare provider has retained.
Backups:
Personal information may persist in backup systems for up to 90 days after deletion, after which backups containing your information will be deleted.
5. How Long We Keep Your Personal Information
We retain personal information for varying periods depending on the type of information and the purpose for which it was collected.
5.1 General Retention Principles
We keep personal information:
- For as long as you maintain an active account and use the Services
- As necessary to fulfill the purposes for which we collected it
- To comply with legal obligations, resolve disputes, and enforce our agreements
- As described in the specific retention periods below
5.2 Specific Retention Periods
Active Accounts:
All personal information is retained while your account is active and you continue to use the Services.
After Account Deletion:
- Identifiable Personal Information: Deleted within 30 days of your deletion request
- De-Identified/Aggregated Data: May be retained indefinitely for research, analytics, and service improvement
- Research Study Data: Data enrolled in active research studies is retained per study protocol and cannot be deleted (see Section 4.3)
- Backup Systems: Personal information in backups is deleted within 90 days of account deletion
Technical and Security Data:
- IP Addresses: Retained for 90 days for security monitoring, fraud prevention, and system integrity, then deleted or anonymized. (Canada-specific: IP addresses are treated as personal information and are subject to this 90-day retention limit.)
- Server Logs and Technical Logs: Retained for 12 months for security purposes, troubleshooting, and system monitoring, then deleted
- Crash Reports: Retained for 24 months to identify and fix bugs, then deleted
Communication Records:
Customer support communications and related records are retained for 3 years to maintain service quality and handle disputes.
Photos and Videos:
Photos and videos you upload are retained as long as your account is active. Upon account deletion, they are deleted within 30 days unless they are part of a research study you enrolled in, in which case they are retained per the study protocol.
Voice Transcriptions:
Text transcriptions of voice recordings are retained while your account is active and deleted within 30 days of account deletion (subject to research study exceptions).
5.3 Factors We Consider
When determining retention periods, we consider:
- Applicable legal requirements
- The amount, nature, and sensitivity of the personal information
- The purposes for which we process the information
- Whether we can achieve those purposes through other means
- Risk factors and potential harm from unauthorized use or disclosure
6. Data Security
We implement administrative, technical, and physical safeguards to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These safeguards include:
- Encryption of data in transit and at rest
- Secure cloud infrastructure (Amazon Web Services with data residency controls)
- Access controls and authentication mechanisms
- Regular security assessments and monitoring
- Employee training on data protection and privacy
- Contractual requirements for service providers to protect your information
However, no method of transmission over the Internet or method of electronic storage is entirely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
If you become aware of a security issue, please contact us immediately at security@formahealth.io.
7. Children's Privacy
7.1 Age Restrictions and Parental Controls
The Services are not directed to children under 13 years of age. However, we recognize that children with health conditions may benefit from tracking their health information.
For Children Under 13:
- We do not knowingly collect personal information directly from children under 13.
- Parents or legal guardians may create and manage accounts for their children under 13.
- Parents or guardians must enter all information into the Services on behalf of the child.
- We collect only the information that the parent or guardian provides.
When the Child Turns 13:
- The child may request to take over control of their account.
- The parent or guardian may transfer control of the account to the child through the Services' settings.
If We Learn of Unauthorized Collection:
If we learn that we have collected personal information directly from a child under 13 without appropriate parental consent, we will delete that information as required by applicable law.
7.2 Canada-Specific Notice
In Canada, children's personal information is afforded heightened protection. If we learn that we have collected personal information from a child under the age of 13 (or such other age of consent as may apply under provincial law) without appropriate consent, we will delete that information as required by applicable law.
7.3 United States Notice (COPPA)
In accordance with the Children's Online Privacy Protection Act (COPPA), we require verifiable parental consent before collecting, using, or disclosing personal information from children under 13. Parents have the right to review their child's personal information, request deletion, and refuse further collection or use of their child's information.
8. State-Specific Privacy Rights
8.1 California Privacy Rights
This section applies to residents of the State of California. It is provided to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and the California Confidentiality of Medical Information Act ("CMIA").
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information, as defined under California law:
- Identifiers (such as name, email address, IP address, device identifiers, and account credentials)
- Personal information under the California Customer Records law (such as contact information and demographic information)
- Protected classification characteristics (such as age and gender, if you choose to provide them)
- Internet or other electronic network activity information (such as browsing history, search history, and interaction with the Services)
- Geolocation data (approximate location derived from IP address)
- Audio, electronic, visual, or similar information (such as photos, videos, and voice transcriptions you provide)
- Health information and medical information (such as diagnosis, symptoms, medications, treatment information, and patient-reported outcomes)
- Inferences drawn from the above to create a profile about you (such as health trends or preferences)
Sensitive Personal Information:
We collect sensitive personal information as defined under California law, including:
- Precise geolocation (if you grant permission)
- Health information
- Contents of your communications with us
We use and disclose sensitive personal information only for purposes permitted under the CCPA/CPRA, including to provide the Services you requested, to prevent fraud and security incidents, and to comply with legal obligations.
Purposes for Collection and Use
We collect and use personal information for the purposes described in Section 2 of this Privacy Policy.
Disclosure of Personal Information
We disclose personal information to the categories of third parties described in Section 3 of this Privacy Policy for business purposes, including:
- Healthcare providers (your treating physicians)
- Service providers (such as cloud hosting, AI processing, analytics, and customer support)
- Researchers (only de-identified data, unless you explicitly enroll in a specific study)
Sale or Sharing of Personal Information
We do not sell or share personal information for cross-context behavioral advertising, as those terms are defined under California law.
Your California Privacy Rights
California residents have the right to:
- Know what personal information we collect, use, disclose, and share
- Access the specific pieces of personal information we have collected about you
- Request the deletion of your personal information, subject to certain exceptions
- Request the correction of inaccurate personal information
- Limit Use and Disclosure of sensitive personal information (we already limit use of sensitive personal information to permitted purposes)
- Opt Out of Sale or Sharing (not applicable, as we do not sell or share your information)
- Not Be Discriminated Against for exercising your privacy rights
Exercising Your Rights
To exercise your California privacy rights:
- Contact us at privacy@formahealth.io or through the contact information in Section 12
- Provide sufficient information to verify your identity
- Describe your request with sufficient detail
We will respond to verifiable requests within 45 days. You may designate an authorized agent to request on your behalf.
California Medical Information Notice (CMIA)
California law provides additional protections for medical information. We will not disclose your medical information to third parties without your authorization, except as permitted by California law (such as for treatment, payment, healthcare operations, or as required by law).
California Shine the Light Law
California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
8.2 Washington Privacy Rights (My Health My Data Act)
This section applies to residents of Washington State and is provided to comply with Washington's My Health My Data Act ("MHMDA").
The MHMDA provides specific protections for "consumer health data," which includes personal information that we can reasonably link to you and that identifies your past, present, or future physical or mental health status.
Consumer Health Data We Collect:
We collect consumer health data as described in Section 1 of this Privacy Policy, including diagnosis information, symptoms, medications, treatment information, photos and videos of health conditions, and patient-reported outcomes.
Your Washington Privacy Rights:
- Consent: We obtain your consent before collecting, sharing, or selling consumer health data (we do not sell consumer health data).
- Right to Withdraw Consent: You may withdraw consent at any time by contacting us or adjusting your settings.
- Right to Access: You have the right to confirm whether we are processing your consumer health data and to access such data.
- Right to Delete: You have the right to request deletion of your consumer health data, subject to certain exceptions.
- Right to Appeal: If we deny your request, you may appeal by contacting us.
Geofencing Restrictions:
We do not use geofencing to identify or track consumers for purposes of collecting, sharing, or selling consumer health data.
To Exercise Your Rights:
Contact us at privacy@formahealth.io or through the contact information in Section 12.
8.3 Other State Privacy Rights
Residents of the following states may have additional privacy rights under state law:
- Colorado (Colorado Privacy Act)
- Connecticut (Connecticut Data Privacy Act)
- Nevada (Nevada Privacy Law - see Section 8.4 below)
- Virginia (Virginia Consumer Data Protection Act)
- Utah (Utah Consumer Privacy Act)
If you are a resident of one of these states, you may have rights similar to those described above for California, including the right to access, correct, delete, and obtain a copy of your personal information. To exercise these rights, please contact us at privacy@formahealth.io.
8.4 Nevada Privacy Rights
If you are a Nevada resident, you have the right to opt out of the sale of certain personal information to third parties. You can exercise this right by contacting us at privacy@formahealth.io with the subject line "Nevada Do Not Sell Request" and providing your name and the email address associated with your account.
Note: We do not currently sell your personal information as "sales" are defined in Nevada Revised Statutes Chapter 603A.
9. Cross-Border Data Transfers
Forma Health is based in the United States. We may process and store personal information on servers located in the United States or other jurisdictions where our service providers operate.
9.1 For Canadian Users
When you use the Services from Canada:
Data Storage:
We store Canadian users' data on servers in the AWS Canada (Central) Region to comply with Canadian data residency requirements.
Transfers Outside Canada:
Some of our service providers (such as third-party AI processors and analytics providers) may be located in the United States or other countries. When personal information is transferred outside Canada, we ensure that:
- The receiving party is contractually obligated to provide a comparable level of protection
- Appropriate safeguards are in place, such as standard contractual clauses
- The transfer is necessary to provide the Services you requested
PIPEDA Compliance:
Our cross-border transfers comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. You may contact us to obtain information about our policies and practices regarding service providers outside Canada.
9.2 For Users in Other Jurisdictions
If you access the Services from outside the United States or Canada, please be aware that your information may be transferred to, stored, and processed in the United States or other countries where data protection laws may differ from those in your jurisdiction. By using the Services, you consent to such transfers.
10. Third-Party Websites or Applications
The Services may contain links to other websites or applications, and other websites or applications may reference or link to the Services. These third-party services are not under Forma Health's control.
We encourage you to read the privacy policies of each website and application you visit or use. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such third-party services.
Providing personal information to third-party websites or applications is at your own risk.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
When we make changes:
- We will update the "Last Updated" date at the top of this Privacy Policy
- If we make material changes, we will notify you by email (sent to the email address associated with your account) or by posting a notice in the Services
- Where required by law, we will obtain your consent to material changes
Your Continued Use:
If you continue to use the Services after we post or send a notice about changes to this Privacy Policy, you are deemed to have accepted the updated Privacy Policy.
12. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, or if you wish to exercise your privacy rights, please contact us:
Forma Health, Inc.
- Privacy: privacy@formahealth.io
- Support: support@formahealth.io
- Security Issues: security@formahealth.io
Response Time:
We will respond to your inquiry or request within a reasonable time frame, as required by applicable law (generally within 30-45 days, depending on the jurisdiction).
Additional Information for Healthcare Providers and Researchers:
If you are a healthcare provider or researcher using the Services, you may have additional contractual obligations regarding the personal information you access through the Services. Please refer to your agreement with Forma Health for more information.
Compliance with Healthcare Privacy Laws:
While Forma Health is not a HIPAA-covered entity, we have chosen to implement administrative, technical, and physical safeguards comparable to those required under the Health Insurance Portability and Accountability Act (HIPAA) to protect the health information we handle. Healthcare providers using our Services remain responsible for their own HIPAA compliance obligations.
This Privacy Policy is effective as of the date listed above and applies to all personal information collected on or after that date.