1. Purpose and Scope
This Consumer Health Data Privacy Notice explains how Alpine Labs, Inc. (“Alpine Labs,” “we,” “us,” or “our”) collects, uses, discloses, shares, sells only where legally permitted and separately authorized, retains, and protects consumer health data through MedLocker. It supplements the MedLocker Privacy Policy, Terms of Service, Patient Directed Records Authorization, Platform Consent, Data Sharing and Monetization Consent, and Caregiver Access Authorization.
This Notice applies when MedLocker handles health related information in a consumer directed context, including information that may fall outside HIPAA but is protected by state consumer health data laws, comprehensive state privacy laws, consumer protection laws, breach notification laws, and similar requirements. This Notice does not limit rights or protections that may apply under other laws or under a separate agreement with you.
MedLocker is intended for adults and for parents, guardians, caregivers, or personal representatives who are legally authorized to manage records for another person. MedLocker is not intended for direct use by children without a parent or legal guardian.
2. HIPAA Boundary and Consumer Directed Data
When you direct a covered healthcare provider, health plan, laboratory, pharmacy, health information network, or other record holder to send information to MedLocker, the record holder may remain subject to HIPAA, state medical privacy law, or other source specific duties when making the disclosure. In the consumer directed MedLocker account context, Alpine Labs generally receives the information as your chosen personal health record service and not as the record holder’s HIPAA business associate.
Even when HIPAA does not govern Alpine Labs’ handling of your MedLocker account data, we treat the information as highly sensitive consumer health data. We protect it under this Notice, our Privacy Policy, your consent choices, applicable consumer health data laws, applicable consumer privacy laws, the FTC Health Breach Notification Rule where applicable, state breach notification laws, and our contracts with processors and service providers.
If Alpine Labs separately provides services to a healthcare provider, health plan, or other HIPAA regulated entity on that entity’s behalf, Alpine Labs may act as a HIPAA business associate for that specific data flow. That enterprise data flow is governed by the applicable business associate agreement and does not change the consumer directed posture of your MedLocker account unless expressly stated.
3. What “Consumer Health Data” Means Here
For purposes of this Notice, “consumer health data” means personal information that is linked or reasonably linkable to you, your household, your device, your MedLocker account, or another person whose account you are authorized to manage, and that identifies, relates to, is used to identify, or could reasonably reveal past, present, or future physical or mental health status, condition, diagnosis, care, treatment, payment, coverage, healthcare access, or health related choices.
Consumer health data may include, depending on your use of MedLocker:
medical, dental, behavioral health, pharmacy, laboratory, imaging, claims, insurance, cost, payment, and care management records;
health conditions, diagnoses, symptoms, vitals, medications, allergies, procedures, surgeries, immunizations, care plans, clinical notes, and health related communications;
reproductive health, sexual health, family planning, fertility, pregnancy, abortion, gender affirming care, sexually transmitted infection, HIV/AIDS, substance use disorder, mental health, genetic, and biometric information;
information from connected apps, devices, wearables, sensors, portals, APIs, or uploaded documents;
precise location, visit, appointment, or device information when it is used or reasonably capable of being used to infer an attempt to seek or receive healthcare services or products;
information that MedLocker derives, extracts, infers, predicts, normalizes, classifies, summarizes, or generates from other information, including proxy, derivative, emergent, algorithmic, or machine assisted health related data;
consent selections, research interests, survey responses, program eligibility signals, compensation records, recontact preferences, and records of disclosures or revocations.
Consumer health data does not include information that applicable law excludes from that definition, such as information that is deidentified under applicable law, publicly available information where legally excluded, or information governed by another exempt legal regime. When a law gives you broader rights than this Notice describes, we will honor the broader right where that law applies.
4. Categories of Consumer Health Data We Collect and Why
Category
Examples
Primary Purposes
Account and Identity
Name, email, phone, login information, identity verification information, authorized representative information, account settings, and consent selections.
Create and secure your account, authenticate requests, manage consents, support authorized representatives, and communicate with you.
Medical and Clinical Records
Diagnoses, conditions, medications, allergies, procedures, immunizations, notes, labs, imaging, vitals, care plans, discharge summaries, and continuity of care records.
Build and maintain your record vault, health timeline, search, summaries, record organization, and user controlled sharing.
Dental, Vision, Pharmacy, and Ancillary Records
Dental records, X rays, prescriptions, pharmacy history, optometry records, therapy records, laboratory records, imaging center records, and related clinical documentation.
Create a more complete longitudinal record and support your ability to retrieve, manage, understand, and share records.
Claims, Insurance, and Payment
Eligibility, benefits, claims, explanations of benefits, bills, allowed amounts, patient responsibility, health plan records, and payment history.
Help you understand coverage, costs, utilization, health history, and potential data quality gaps.
Uploaded and Extracted Data
PDFs, images, CCD/CDA files, FHIR resources, extracted text, structured fields, metadata, source tags, confidence scores, and quality review notes.
Convert files into usable MedLocker records, support search and display, maintain provenance, and enable quality review.
Health App, Device, and Wearable Data
Steps, sleep, heart rate, blood pressure, glucose, weight, symptoms, menstrual or fertility tracking data, device readings, and connected account metadata.
Display and contextualize health signals that you choose to provide or connect.
Sensitive Health Categories
Mental health, substance use disorder, HIV/AIDS, genetic, biometric, reproductive health, sexual health, family planning, abortion, fertility, pregnancy, gender affirming care, and STI related information.
Collected, used, or shared only where requested by you, necessary for the requested service, permitted by law, or authorized by specific affirmative consent where required.
Program Participation
Research interests, eligibility signals, survey responses, consent records, data licensing choices, recontact preferences, compensation records, and withdrawal history.
Operate optional research, life sciences, analytics, clinical trial matching, survey, data licensing, and compensation programs with required separate consent.
Technical, Security, and Usage Data
Device type, browser, operating system, IP address, approximate location, app events, audit logs, access logs, crash reports, support logs, and fraud or security signals.
Operate MedLocker, maintain security, detect fraud or abuse, troubleshoot, improve reliability, investigate incidents, and comply with legal obligations.
5. Sources of Consumer Health Data
We collect consumer health data from the following sources, depending on your choices and account configuration:
You and your account. Information you enter, upload, connect, correct, annotate, consent to, or submit through MedLocker, customer support, forms, surveys, or account settings.
Authorized record sources. Providers, hospitals, clinics, dentists, labs, pharmacies, imaging centers, health plans, payers, benefits administrators, patient portals, health information networks, QHINs where available, and other record holders that you authorize.
Connected apps and devices. Health apps, device platforms, wearables, APIs, and related services that you connect or authorize.
People you authorize. Caregivers, family members, legal guardians, personal representatives, providers, or other individuals you authorize to contribute or manage information.
Service providers and processors. Cloud, hosting, storage, authentication, communications, payment, security, support, analytics, and infrastructure vendors that help operate MedLocker under confidentiality and security obligations.
MedLocker generated information. Health timelines, indexes, normalizations, summaries, classifications, FHIR transformations, consent logs, audit logs, and other information generated from your use of MedLocker.
6. Purposes for Collection, Use, and Processing
We collect, use, and process consumer health data only for purposes disclosed in this Notice, the Privacy Policy, the applicable consent screen or agreement, or another notice provided at or before collection. Those purposes include:
providing the MedLocker record vault, longitudinal health timeline, record search, record summaries, document upload, connected record retrieval, consent controls, caregiver controls, and related features;
retrieving, receiving, storing, organizing, normalizing, indexing, converting, extracting, classifying, summarizing, and displaying records that you authorize us to collect or process;
supporting user directed sharing with caregivers, family members, personal representatives, providers, researchers, life sciences organizations, analytics partners, trial sponsors, or other recipients you choose or authorize;
operating optional research, life sciences, analytics, clinical trial matching, survey, data licensing, and compensation programs only under the required separate consent or authorization;
creating deidentified, aggregated, or statistical information where permitted by law and consistent with our public commitments and contracts;
providing support, quality review, product improvement, security, fraud prevention, troubleshooting, incident response, compliance, legal response, and enforcement of our agreements;
performing internal operations that are reasonably aligned with your expectations based on your relationship with MedLocker and that are adequate, relevant, necessary, and proportionate for the disclosed purpose.
Where applicable law requires a stricter standard, we limit collection, processing, or sharing of sensitive data to what is strictly necessary to provide or maintain the specific product or service you requested unless the law permits additional processing with specific consent. Where applicable law prohibits a use, sharing, or sale even with consent, we will not conduct that activity.
7. Consent Rules for Collection, Sharing, and Sale
MedLocker uses layered consent. We do not rely on a broad privacy policy or general terms alone when a law requires a clear affirmative act, specific consent, separate consent, or a written authorization.
Collection consent. We may collect consumer health data when you request MedLocker features, direct us to retrieve records, upload records, connect a source, or otherwise consent. Additional categories of consumer health data not disclosed in this Notice will not be collected until we disclose the additional category and obtain affirmative consent where required.
Purpose consent. We will not use consumer health data for a materially different or additional purpose not disclosed in this Notice, the Privacy Policy, or the applicable consent screen unless we first disclose the additional purpose and obtain affirmative consent where required.
Sharing consent. Where required, consent to share consumer health data is separate from consent to collect it. A sharing consent will describe the categories of data, purpose of sharing, categories of recipients, and how to withdraw consent.
Sale authorization. We do not sell consumer health data to advertisers or data brokers. If a proposed program is legally treated as a sale and is legally permitted, we will require a separate plain language written or electronic authorization before the sale. That authorization must identify the specific data, seller, purchaser, purchaser contact information, purpose, how the data will be gathered and used, your right to revoke, the redisclosure risk, and an expiration date no later than one year after signing where required. We will provide you a copy and retain required authorization records. Where law prohibits sale of sensitive data or consumer health data, we will not sell it.
No conditioning on sale. We will not condition MedLocker account access or ordinary MedLocker services on your signing an authorization to sell consumer health data unless a narrow legal exception applies and is disclosed.
No dark patterns. Consent must be freely given, specific, informed, and unambiguous. We will not treat silence, inactivity, hovering, closing a window, accepting broad terms, or agreement obtained through a dark pattern as consent where applicable law requires affirmative consent.
Withdrawal. You may withdraw consent for future collection, use, sharing, or sale through the MedLocker controls provided for the relevant program, by account settings where available, or by contacting privacy@alpinelabs.ai. Withdrawal does not undo actions already completed before withdrawal, but it will stop future processing to the extent required by law and technically feasible.
8. Categories of Consumer Health Data Shared and Recipients
We share consumer health data only as described below, as you direct, as necessary to provide a requested product or service, as permitted by law, or under separate consent or authorization where required.
Recipient Category
Data Shared
Purpose and Limits
People You Authorize
Records, summaries, data categories, or account access that you select.
Caregivers, family members, personal representatives, providers, or others you authorize. You may revoke future access where supported. Recipients may copy or disclose information outside MedLocker, so share only with people you trust.
Record Sources and Connected Services
Identity, authorization, request details, technical identifiers, and records needed to retrieve, verify, update, or manage your information.
Providers, payers, labs, pharmacies, portals, networks, APIs, apps, devices, and related services used to fulfill your request.
Processors and Service Providers
Consumer health data necessary for the contracted service, such as hosting, storage, security, authentication, support, communications, payments, analytics, or infrastructure support.
Bound by confidentiality, security, and processing instructions. They may use the information only to provide services to Alpine Labs or as otherwise permitted by law and contract.
Research, Life Sciences, Analytics, and Data Partners
Only the data authorized for the specific program, which may be deidentified, aggregated, limited, pseudonymized, or identifiable depending on the program and your consent.
Optional programs only. Participation is voluntary. We disclose recipient identity or category, purpose, data type, compensation terms, recontact permissions, revocation method, and whether redisclosure risk exists.
Professional, Legal, Safety, and Compliance Recipients
Information reasonably necessary for legal, security, audit, insurance, compliance, regulatory, dispute, or safety purposes.
Lawyers, auditors, insurers, courts, regulators, government entities, security investigators, or others when required by law or reasonably necessary to protect rights, safety, security, or compliance.
Business Transaction Recipients
Information reasonably necessary for diligence, financing, merger, acquisition, reorganization, bankruptcy, or asset transfer.
Subject to confidentiality, security, and legal restrictions. A buyer or successor must honor applicable privacy commitments and consumer health data obligations unless you are notified and consent is obtained where required.
9. Affiliates, Third Parties, and Contact Information
Specific affiliates: As of the Legal Coverage Date above, Alpine Labs does not share MedLocker consumer health data with a separate corporate affiliate. If Alpine Labs later shares consumer health data with a corporate affiliate, we will identify the affiliate in this Notice or another legally sufficient notice before the sharing occurs and obtain consent where required.
Third party list: Where applicable law gives you the right to know the third parties or affiliates with whom we shared or sold consumer health data, you may request a list of those recipients, including available contact information such as an active email address or other online mechanism where required. We may authenticate your request before providing recipient details.
Third party collection over time and across sites: As of this Notice, MedLocker does not allow third parties to collect consumer health data over time and across nonaffiliated internet websites or online services through MedLocker for behavioral advertising, cross context advertising, profiling, or data broker purposes. We do not place advertising pixels or tracking technologies on pages or screens where you enter, upload, view, or manage consumer health data unless the technology is configured as a service provider or processor tool and is not allowed to use the data for independent purposes. If this practice changes, we will update this Notice and obtain consent where required before the change applies.
10. Optional Research, Life Sciences, Analytics, Data Licensing, and Compensation Programs
MedLocker may offer optional programs involving research, life sciences, analytics, clinical trial matching, surveys, data licensing, cohort discovery, patient recontact, or compensation. These programs are not required to use ordinary MedLocker account features unless a specific feature is itself the requested program.
Before you participate in one of these programs, MedLocker will present a separate consent or authorization that explains, as applicable:
the program sponsor, purchaser, recipient, or category of recipient;
the specific consumer health data or categories of data involved;
whether the data is identifiable, pseudonymized, coded, limited, aggregated, or deidentified;
the purpose of the disclosure and the specific ways the data will be used;
whether the recipient may redisclose the data and what restrictions apply;
whether recontact is allowed and how recontact will occur;
whether compensation, revenue share, discount, or another financial incentive is involved;
whether the program is considered a sale, sharing, targeted advertising, profiling, research, or another regulated activity under applicable law;
how to withdraw consent or revoke authorization for future participation;
the expiration date or event, if required.
Where a financial incentive, discount, payment, or compensation program is offered in exchange for consumer health data or personal information, we will provide any required notice of financial incentive or program terms and obtain the required opt in consent. We will not use unjust, unreasonable, coercive, usurious, or discriminatory financial incentive practices.
11. Advertising, Targeting, Profiling, and Geofencing
MedLocker is not an advertising platform. We do not sell consumer health data to advertisers or data brokers. We do not use consumer health data for behavioral advertising, cross context behavioral advertising, targeted advertising, or profiling that produces legal or similarly significant effects unless we provide required notice and obtain any required consent or opt in authorization.
We do not use a geofence, or permit a vendor to use a geofence on our behalf, around a healthcare facility, mental health facility, reproductive or sexual health facility, pharmacy, laboratory, clinic, hospital, or similar location for the purpose of identifying or tracking people seeking healthcare, collecting consumer health data, building health profiles, inferring health status, or sending health related advertisements, notifications, or messages where prohibited by law.
We do not knowingly use precise location data to infer reproductive health, sexual health, gender affirming care, mental health, substance use, abortion, fertility, pregnancy, or other sensitive healthcare activity for advertising or data broker purposes. If a MedLocker feature needs location information for a user requested service, we will disclose that purpose and seek consent where required.
12. Deidentified, Aggregated, and Statistical Information
MedLocker may create or use deidentified, aggregated, or statistical information where permitted by law and consistent with our commitments. When we represent that information is deidentified, we will take reasonable measures designed to ensure it cannot reasonably be associated with you, publicly commit to maintain and use it only in deidentified form, not attempt to reidentify it except to test deidentification safeguards where allowed, and contractually require recipients to maintain the data in deidentified form and not attempt to reidentify it.
Deidentified or aggregated information may be used for product improvement, security, analytics, research, quality measurement, benchmarking, commercial insights, or other legally permitted purposes. If applicable law treats a dataset as consumer health data despite deidentification or aggregation, we will apply that law’s requirements.
13. Sensitive Data, Reproductive and Sexual Health, Gender Affirming Care, Genetic and Biometric Data, and Minors
Certain consumer health data requires heightened protection. This includes mental health, substance use disorder, HIV/AIDS, genetic, biometric, reproductive health, sexual health, family planning, abortion, fertility, pregnancy, gender affirming care, STI related information, precise location linked to healthcare, and data concerning known children or minors.
Sensitive data minimization. We limit collection, use, processing, retention, and access to sensitive data to what is reasonably necessary and proportionate for disclosed purposes, and where required, to what is strictly necessary to provide or maintain the specific product or service you requested.
Special consent. We obtain specific affirmative consent or written authorization where required before collecting, using, sharing, disclosing, selling where legally permitted, or otherwise processing sensitive categories for nonessential purposes.
Reproductive, sexual, and gender affirming health information. We do not obtain, disclose, sell, disseminate, geofence, target, or profile this information without required consent, and we apply heightened review before responding to legal demands seeking such information.
Genetic and biometric data. We do not use genetic or biometric data to identify you or disclose it to third parties for independent purposes without required express consent. We do not sell genetic or biometric data where prohibited.
Minor data. MedLocker is not directed to children. A parent, guardian, or authorized representative may manage a minor’s records where legally permitted. We do not knowingly process minor data for targeted advertising or sell minor data where prohibited. Where parental consent, minor consent, or additional protections are required, we will apply them.
14. Security, Access Controls, and Processor Requirements
We use administrative, technical, and physical safeguards appropriate to the volume and sensitivity of consumer health data we handle. These safeguards include encryption in transit and at rest, identity and access controls, role based access, least privilege access, access logging, audit logging, monitoring, secure deletion procedures, incident response procedures, vendor review, security review, and workforce privacy and security training.
We restrict access to consumer health data by employees, contractors, processors, and service providers to the people and systems for which access is necessary to provide MedLocker, perform the contracted service, honor consent choices, comply with law, maintain security, or support another disclosed purpose. Employees and contractors with access to consumer health data are subject to confidentiality obligations.
Processors and service providers that handle consumer health data for Alpine Labs must operate under contracts that set processing instructions, limit use of consumer health data, require confidentiality and reasonable security, require assistance with consumer rights and deletion where applicable, restrict subcontracting or require appropriate flow down terms, and prohibit processing outside our instructions unless permitted by law. If a processor processes consumer health data outside our instructions in a manner that makes it independently responsible under applicable law, that processor may be subject to direct legal obligations.
15. Retention, Deletion, and Backup Systems
We retain consumer health data for as long as reasonably necessary to provide MedLocker, maintain your account, support consented programs, comply with law, protect security, resolve disputes, enforce agreements, maintain audit logs, meet financial or tax obligations, or satisfy other legitimate and disclosed purposes. We apply retention periods based on the type of data, source, sensitivity, legal obligations, consent status, and account status.
You may request deletion of consumer health data. We will delete data from active systems where required, direct applicable processors, service providers, affiliates, and third parties to delete where required, and retain only the minimum information needed to remember and honor the deletion request where allowed. Deletion may be limited or delayed where retention is required or permitted for security, legal compliance, fraud prevention, dispute resolution, backup restoration, account integrity, or other legally recognized purposes.
For archived or backup systems, deletion may take additional time where applicable law permits delayed deletion to maintain system integrity and avoid restoring deleted information. Where a specific law imposes a maximum backup deletion period, we will honor that period.
16. Your Consumer Health Data Rights
Depending on where you live, how you interact with MedLocker, and which laws apply, you may have some or all of the following rights:
Right to know or confirm. Confirm whether we collect, use, share, disclose, sell, or otherwise process consumer health data about you.
Right to access. Access consumer health data we hold about you and receive a copy in a portable format where required.
Right to categories and purposes. Receive information about the categories collected, sources, purposes, categories shared, and categories of recipients.
Right to third party and affiliate list. Receive a list of third parties and affiliates with whom we have shared or sold consumer health data, including available contact information where required.
Right to correct, review, or amend. Correct inaccurate personal information or review and request amendment of consumer health data where required.
Right to delete. Request deletion of consumer health data, subject to legal, security, backup, fraud prevention, dispute resolution, and recordkeeping limits.
Right to withdraw consent. Withdraw consent for future collection, use, sharing, disclosure, sale where legally permitted, targeted advertising, profiling, or program participation where consent is required.
Right to stop collection, sharing, or sale. Ask us to stop collecting, sharing, or selling consumer health data where applicable law provides that right.
Right to opt out. Opt out of sale, sharing for cross context behavioral advertising, targeted advertising, profiling with legal or similarly significant effects, or other processing where applicable law provides that right.
Right to limit sensitive personal information. Limit the use and disclosure of sensitive personal information to legally permitted purposes where applicable law provides that right.
Right to non discrimination. Exercise privacy rights without unlawful discrimination, retaliation, denial of goods or services, or different pricing or quality because you exercised a legal right. Some features may not work if the information is necessary to provide the feature you requested.
Right to appeal. Appeal a refusal to act on a rights request where applicable law requires an appeal process.
17. How to Submit Requests, Authentication, Authorized Agents, and Appeals
You may submit privacy requests through any request mechanism MedLocker makes available, including account settings where available, in app privacy controls where available, email to privacy@alpinelabs.ai, or mail to Alpine Labs, Inc., Attn: Privacy and Compliance, 15 Highland Meadow Dr, Alexander, NC 28701. If applicable law requires additional request methods, such as a webform, toll free number, or opt out link, Alpine Labs will make those methods available before launch in the applicable jurisdiction.
We may authenticate your identity using commercially reasonable methods before acting on a request. We will not require you to create a new account solely to exercise a privacy right, although we may require you to use an existing MedLocker account where appropriate. If we cannot authenticate a request, we may ask for additional information reasonably necessary to authenticate you and your request.
You may use an authorized agent where applicable law permits. We may require evidence of the agent’s authority and may ask you to verify your identity directly unless the law prohibits that step.
We will respond without undue delay and within the time required by applicable law. In many cases, this means within 45 days after receiving the request, with one additional extension where reasonably necessary and legally permitted. We generally provide required responses free of charge up to the frequency required by law, but may charge a reasonable fee or decline to act where requests are manifestly unfounded, excessive, repetitive, technically infeasible, or abusive and applicable law permits that response.
If we deny your request in whole or in part, we will explain the reason where required and describe how to appeal. Appeals may be submitted by replying to our denial email with “Privacy Appeal” in the subject line or through any appeal mechanism provided in the denial. If we deny an appeal, we will provide any required mechanism for contacting the appropriate state regulator or attorney general.
18. California Notice at Collection, Sale or Sharing, Sensitive Information, and Financial Incentives
For California residents where California privacy laws apply, this section is intended to serve as a notice at collection and a consumer health related supplement. The categories of personal information, sensitive personal information, consumer health data, sources, purposes, and recipient categories are described in Sections 3 through 10 of this Notice.
Sale or sharing. We do not sell or share personal information or consumer health data for cross context behavioral advertising as those terms are used in California privacy law unless we first provide required notice and honor the right to opt out. If required, we will provide a “Do Not Sell or Share My Personal Information” link or equivalent mechanism.
Sensitive personal information. We use and disclose sensitive personal information only for purposes disclosed in this Notice, purposes you request, purposes allowed by law, or purposes for which we obtain consent. Where California law gives you a right to limit use or disclosure of sensitive personal information, we will honor that right.
Global privacy control. Where legally required, we honor valid browser based or device based opt out preference signals, including Global Privacy Control, for the browser, device, or account that sends the signal.
Medical information confidentiality. If California medical privacy law treats MedLocker or a MedLocker feature as a provider of healthcare for purposes of that law, we will maintain the confidentiality of medical information and will not disclose it without authorization except as permitted by law.
Financial incentive programs. If we offer compensation, payment, discount, or other benefit related to your personal information or consumer health data, we will provide required financial incentive terms, including material program terms and how to opt in or withdraw.
19. Legal Requests and Sensitive Health Data
Alpine Labs may disclose consumer health data when required by law, court order, subpoena, search warrant, regulator request, or other valid legal process, or when permitted to protect rights, safety, security, or legal interests. We review legal requests for validity, scope, jurisdiction, and sensitivity. Where legally permitted and appropriate, we may notify the affected user, seek narrowing, object, or require additional process before disclosing sensitive consumer health data.
We apply heightened review to requests involving reproductive health, sexual health, gender affirming care, mental health, substance use disorder, HIV/AIDS, genetic, biometric, minor, or precise healthcare location information. Nothing in this Notice is intended to waive any privilege, confidentiality protection, or legal objection available to Alpine Labs or to you.
20. Breach Notification and Incident Response
If we discover a breach, unauthorized acquisition, unauthorized disclosure, or security incident involving unsecured consumer health data or other personal information, we will investigate and provide notices required by applicable federal and state law. This may include notice to affected individuals, regulators, consumer reporting agencies, media outlets, or other parties where required. Service providers and processors must notify us of incidents involving MedLocker data as required by contract and applicable law.
21. Changes to This Notice
We may update this Notice to reflect changes in MedLocker, Alpine Labs, applicable law, security practices, data flows, processors, affiliate relationships, or consumer rights. The updated Notice will include an effective date. If a material change would allow collection, use, sharing, sale where legally permitted, or processing of consumer health data in a manner not previously disclosed, we will provide required advance notice and obtain affirmative consent or authorization where required before the change applies to your consumer health data.
A clear and conspicuous link to this Notice should be published on the MedLocker website homepage, in the MedLocker app, and at or before relevant points of collection where required.
22. Contact Us
Alpine Labs, Inc., Attn: Privacy and Compliance, 15 Highland Meadow Dr, Alexander, NC 28701. Email: privacy@alpinelabs.ai
Alpine Labs provides privacy rights request channels through its Privacy Request Form, the MedLocker app privacy settings, and privacy@alpinelabs.ai. Consumers may use these channels to request access, deletion, correction, portability, withdrawal of consent, opt out of applicable data sharing or sale, and appeal of a denied request. Where required by law, Alpine Labs will also provide a clear website or app based opt out link, honor applicable opt out preference signals, and include state regulator complaint information in appeal denial responses. Alpine Labs does not currently provide a toll free privacy request number unless and until it is required under the California Consumer Privacy Act or another applicable law.