Launching Q1 2026

BeneVibe Privacy Policy

Effective Date: April 9, 2026

Last Updated: April 9, 2026

This policy outlines how BeneVibe, its affiliates, and related entities (collectively, “BeneVibe,” “we,” “us,” or “our”) collect, use, and disclose your information when you use our services, products, and content (“Services”). We implement safeguards to protect your privacy and personal information.

This Notice is designed to align with applicable privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable data protection laws.

Contact Us

If you have questions or concerns about this privacy policy or our practices, please contact us at hello@BeneVibe.co. Privacy Officer: BeneVibe Privacy Office

Scope of This Privacy Policy

This Privacy Policy applies to personal information processed by BeneVibe in its role as a service provider or data processor.

Important Notice Regarding Protected Health Information (PHI):

When BeneVibe processes PHI on behalf of a health plan or other covered entity, BeneVibe acts as a Business Associate under HIPAA. In those cases, the applicable Covered Entity’s Notice of Privacy Practices governs how PHI is used and disclosed. BeneVibe’s obligations are defined by HIPAA and applicable Business Associate Agreements.

BeneVibe’s Role in Data Processing

BeneVibe processes personal information in different roles depending on the context, including as a service provider, processor, or contractor under applicable law. The specific role depends on the relationship with the organization providing the services and the applicable legal framework.

Changes to This Notice

We reserve the right to change the terms of this Notice and to implement new provisions regarding your protected health information as permitted or required by law. If a material change is made, we will provide you with a revised Notice of Privacy Practices. You can also obtain the latest revised Notice by contacting our Privacy Officer using the contact information above or via our intranet.

Authorization for Disclosure

Except as permitted or required by HIPAA or other applicable laws, BeneVibe will obtain your authorization before using or disclosing your Protected Health Information (PHI).

Permitted Uses and Disclosures Without Authorization

BeneVibe may use or disclose PHI as permitted under HIPAA, including for healthcare operations, benefits administration, legal compliance, and security purposes.

Collecting and Using Your Personal Data

At BeneVibe, we implement safeguards to protect the security, confidentiality, and integrity of your health information. Our tracking and data collection practices are strictly limited to product functionality and efficacy. BeneVibe does not sell personal data and does not share personal data for cross-context behavioral advertising. BeneVibe does not use Protected Health Information (PHI) for advertising or marketing purposes.

1. Information Collection & HIPAA Compliance

We distinguish between Standard Usage Data (technical metadata) and Protected Health Information (PHI).

Standard Usage Data: When you navigate our site, we automatically collect certain technical information (IP address, browser type, device characteristics, and operating system). This metadata is used solely for security monitoring, maintaining system uptime, and internal analytics. When you access the service via a mobile device, we automatically collect specific technical metadata—including device type, unique device identifiers, IP address, operating system, and browser specifications—to ensure secure authentication and maintain the technical integrity of our platform. In accordance with HIPAA technical safeguards, this diagnostic data is used exclusively for monitoring system performance, preventing unauthorized access, and ensuring the secure delivery of services; it is never aggregated with your Protected Health Information (PHI) for marketing or non-functional tracking purposes.

Protected Health Information (PHI): Any health-related data you input into BeneVibe is treated with the highest level of security. In accordance with HIPAA standards, this data is encrypted in accordance with industry-standard practices, including encryption in transit and at rest where applicable.

2. Safeguards and Data Security

To ensure the protection of your personal and health data, we employ a multi-layered security framework:

Technical Safeguards: We use encryption and secure “audit logs” to track who accesses data and when.

Administrative Safeguards: Access to sensitive data is restricted to authorized personnel only, governed by the principle of “least privilege.”

3. Cookies and Tracking

Like most secure platforms, we use cookies to maintain your session and remember your preferences. These cookies do not “phone home” with your health information; they are used exclusively to ensure your experience is seamless and secure.

SMS Communications & Mobile Data Privacy Policy

BeneVibe uses SMS messaging solely to provide transactional and service-related communications, including account security notifications, service updates, and customer support responses. BeneVibe does not use SMS for marketing or promotional purposes.

Opt-In Methods

By providing your mobile phone number and affirmatively opting in (for example, by checking a consent box or submitting a form), you expressly consent to receive SMS messages from BeneVibe related to your benefits, account notifications, and support services. Consent is not a condition of purchase or use of BeneVibe services. Users may opt in to the BeneVibe SMS program through any of the following approved channels:

Submitting a mobile phone number via the BeneVibe website or mobile application registration forms.

Checking a designated “Opt-In” checkbox during enrollment in services or support workflows.

All opt-in methods capture affirmative consent prior to the first message being sent.

Consent to receive SMS messages is not a condition of using the BeneVibe Services. By providing your mobile phone number and affirmatively opting in (e.g., checking a consent box, submitting a form, or similar action), you expressly consent to receive SMS messages from BeneVibe as described in this policy. Consent is not a condition of purchase or use of services.

Opt-In Confirmation Message (sent automatically upon first opt-in): “Welcome to BeneVibe alerts. Message frequency varies. Message & data rates may apply. Reply HELP for help (hello@BeneVibe.co). Reply STOP to opt out.”

Signup Form example: By checking this box, you agree to receive SMS messages from BeneVibe related to your benefits, account notifications, and support. Message frequency varies (typically 2–4 per month). Message & data rates may apply. Reply STOP to opt out or HELP for help. Consent is not a condition of use. View our SMS Terms and Privacy Policy.

Example message: “BeneVibe: You have a new benefits update available. Log in to your account to review your information.”

Additional example: “BeneVibe: Reminder — open enrollment ends soon. Log in to review your benefits. Reply STOP to opt out, HELP for help.”

Opt-Out, Re-Opt-In & Help Keywords

The following keywords are recognized and processed automatically by the BeneVibe messaging platform:

● STOP: Immediately unsubscribes the user from all BeneVibe SMS messages. Sent — confirms unsubscription. No further messages will follow.

● START / UNSTOP: Re-subscribes a previously opted-out user. Re-enrollment also available via the original opt-in methods. Sent — confirms re-subscription.

● HELP: Returns support contact information and instructions to the user. Sent — includes support email hello@BeneVibe.co and opt-out instructions.

Users may opt out at any time by replying STOP. Opt-out requests are processed promptly in accordance with applicable telecommunications regulations.

Mobile Messaging Privacy

BeneVibe respects your privacy when you opt in to receive SMS communications.

No mobile information sharing: Mobile phone numbers, SMS opt-in data, and consent records will not be shared, sold, rented, or disclosed to third parties or affiliates for marketing or promotional purposes.

Limited use: This information is used solely to deliver service-related messages, including account notifications, benefits updates, and support communications.

Third-party service providers: We may use trusted service providers (such as messaging platforms) strictly to deliver SMS communications on our behalf. These providers are contractually prohibited from using your information for any purpose other than providing services to BeneVibe.

No Sharing for Marketing Purposes

Mobile phone numbers and opt-in data will NOT be shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data and consent records are explicitly excluded from any third-party data sharing arrangements. This information will not be shared for marketing or promotional purposes and will only be disclosed as necessary to provide services or comply with legal obligations.

Message Rates & Frequency

Privacy & Data Protection

BeneVibe collects and uses mobile phone numbers exclusively to deliver the services, security notifications, and support described in this policy.

Message Frequency

Determined by your employer. Messages are primarily seasonal or event-driven — such as open enrollment periods, benefits updates, or annual plan changes. Message frequency varies per month, depending on employer activity and service updates or when significant updates occur.

Carrier Charges and Financial Responsibility

BeneVibe does not charge for SMS messages. Message and data rates may apply depending on your mobile carrier and plan. It is important for all users to understand that standard message and data rates, as determined by their wireless service provider, may apply to text messages. For complete details regarding potential charges related to text messages, data usage, and the specifics of their personal text and data plan, users are strongly advised to contact their wireless carrier directly.

Supported Mobile Carriers

BeneVibe supports messaging across major U.S. carriers; however, message delivery is subject to carrier network availability and is not guaranteed.

Geographic Scope of Service

The BeneVibe messaging service is primarily designed and deployed for use within the United States. Unless an explicit and specific provision is made within a user’s individual service agreement—or a separate, approved written communication specifies otherwise—the geographic scope of this service should be assumed to be limited to U.S. territory. Users accessing the service from outside the United States may experience delivery issues or incur international roaming charges, for which BeneVibe is not responsible.

Data Transfers, Legal Obligations, and Security

At BeneVibe, we apply safeguards designed to protect your data in accordance with applicable laws. The following principles govern our handling of your information:

1. Business Transitions & Affiliates

If BeneVibe is involved in a merger, acquisition, financing, or asset sale, your Personal Data and Protected Health Information (PHI) may be transferred. Where required by applicable law, we will provide notice if your information becomes subject to a different privacy policy. Any affiliates, including parent companies or subsidiaries, will be strictly required to honor the terms of this Privacy Policy.

2. Legal Disclosures & Government Requests

We may disclose your information when legally required to comply with applicable laws, judicial proceedings, or valid requests by public authorities (such as a subpoena or court order). We evaluate and respond to legal requests in accordance with applicable law.

3. Vital Interests and Safety

We reserve the right to process or share data when necessary to investigate potential policy violations, suspected fraud, or situations involving potential threats to the safety of any person. This includes protecting the rights and property of the company and defending against legal liability.

4. Our Security Commitment

We implement reasonable administrative, technical, and physical safeguards to protect your information. However, please be aware that no method of transmission over the internet or electronic storage is 100% secure. While we strive for maximum protection, we cannot guarantee absolute security.

5. Interaction Within Your Organization

If you use BeneVibe within a professional organization, certain information (such as your profile or activity descriptions) may be visible to other authorized users within your specific organization to facilitate collaborative care and communication.

Data Storage and Global Transmission

To deliver the BeneVibe Services effectively and securely, we may store, process, and transmit information in the United States and, where applicable, other jurisdictions where our service providers operate. Please be aware that:

● Cross-Border Protection: When data is processed outside your country of residence, we implement rigorous technical and administrative safeguards to ensure it receives a level of protection consistent with HIPAA standards and applicable international data privacy laws.

● Local Storage: For your convenience and platform performance, certain encrypted data may be stored locally on the devices you use to access our Services.

● Encrypted Transit: All data moving between your device and our global servers is protected using industry-standard encryption protocols (such as TLS/SSL) to prevent unauthorized interception.

● Data Residency: We host health-related data in environments that meet the strict physical and logical security requirements necessary for handling sensitive medical information.

Data Retention and Disposal

BeneVibe retains your personal information and Protected Health Information (PHI) only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or as required to meet our legal, regulatory, and contractual obligations.

1. Contractual Fulfillment

Information collected to perform a specific contract or agreement between you and BeneVibe will be retained until that agreement has been fully executed. Once the service period ends, data is handled according to our secure decommissioning protocols.

2. Legal and HIPAA Compliance

In accordance with HIPAA and applicable state laws, we may be required to retain certain records for a minimum period (as required by HIPAA and applicable law, which may range from six to ten years, depending on the type of data and legal obligations) from the date of creation or the date it was last in effect. We will also extend retention periods if required by a government order, ongoing litigation, or to prevent fraud and ensure system security.

3. Secure Disposal

When personal information is no longer required for the purposes mentioned above, we employ industry-standard Secure Disposal methods. This includes cryptographic erasure for digital data and physical destruction for any hard-copy records, ensuring that the information cannot be reconstructed or read, in full compliance with HIPAA’s Physical and Technical Safeguards.

Breach Notification Protocols

In the unlikely event of a security incident, BeneVibe maintains a rigorous response plan to protect your information. In accordance with the HIPAA Breach Notification Rule, we will take the following actions if we discover a breach of unsecured Protected Health Information (PHI):

1. Individual Notification

If your PHI is compromised, we will notify you via first-class mail (or email, if you have opted into electronic communications) without unreasonable delay, and in no case later than 60 days following the discovery of the breach. This notification will include:

● A brief description of what happened and the date of the breach.

● A description of the types of unsecured PHI that were involved.

● The steps you should take to protect yourself from potential harm.

● A brief description of what we are doing to investigate the breach, mitigate losses, and protect against future incidents.

2. Media and HHS Notification

Media Notice: For breaches affecting more than 500 residents of a state or jurisdiction, we will provide notice to prominent media outlets serving that area.

Secretary of HHS: We will notify the Secretary of the U.S. Department of Health and Human Services (HHS) of any breach. For breaches involving 500 or more individuals, we will notify the Secretary contemporaneously with the notice sent to you. For smaller breaches, we will maintain a log and notify the Secretary annually.

3. Business Associate Responsibility

If we are acting as a Business Associate for another covered entity (such as your healthcare provider), we will notify that entity immediately following the discovery of a breach so they may fulfill their own notification obligations.

Your Rights Regarding Protected Health Information

In many cases, these rights are fulfilled by the applicable health plan or covered entity. BeneVibe may direct requests to the appropriate entity where required. Under HIPAA, you have specific rights concerning your Protected Health Information (PHI). To exercise any of the rights listed below, please submit a written request to our Privacy Officer.

Right to Inspect and Copy: You may request to see or obtain electronic or paper copies of your health records and billing information. We will provide these within 30 days, though a reasonable, cost-based fee may apply.

Right to Amend: If you believe your health information is incorrect or incomplete, you may ask us to correct it. We may say “no” if the information is already accurate or wasn’t created by us, but we will provide a written explanation within 60 days.

Right to an Accounting of Disclosures: You can request a list of the times we’ve shared your health information (for up to six years before your request), who we shared it with, and why. This excludes disclosures made for treatment, payment, and healthcare operations.

Right to Request Restrictions: You may ask us not to use or share certain health information for treatment, payment, or our operations. While we are not always required to agree (especially if it affects your care), we will honor agreed-upon restrictions unless the information is needed for emergency treatment.

Right to Confidential Communications: You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. We will accommodate all reasonable requests.

Right to a Paper Copy: You are entitled to a paper copy of this notice at any time, even if you have agreed to receive it electronically.

Legal Notices:

HIPAA Compliance

As required by HIPAA, this Notice informs you of our duties concerning your Protected Health Information (PHI). BeneVibe does not provide healthcare services and is not a Covered Entity. Where applicable, your health plan or employer-sponsored plan is responsible for providing a Notice of Privacy Practices. The information system subject to this assessment is the All-in-One Employee Benefits Platform, a web-based benefits administration system that provides employees with health plan information. The system enables access to enrollment data, coverage summaries, claims documentation, enrollment guidance, and benefits-related support services. Because the system processes individually identifiable health information related to health plan enrollment and coverage, and because this information is stored and transmitted electronically, it qualifies as electronic Protected Health Information (e-PHI) under 45 CFR §164.302. All uses and disclosures are limited to the minimum necessary standard in accordance with 45 C.F.R. § 164.502(b).

What is Protected Health Information (PHI)?

PHI is individually identifiable health information, including demographic data, that is collected from you or created/received by a healthcare provider, clearinghouse, health plan, or your employer (on behalf of a group health plan). PHI relates to:

1. Your past, present, or future physical or mental health or condition;

2. The provision of healthcare to you, or

3. The past, present, or future payment for the provision of healthcare to you.

Our Legal Duties under HIPAA

When acting as a Business Associate, BeneVibe is required under HIPAA and applicable agreements to:

Maintain the privacy of your protected health information.

Support the provision of rights regarding protected health information as required under HIPAA.

Furnish you with a copy of this Notice outlining our legal duties and privacy practices concerning your protected health information.

Adhere to the terms of the Notice currently in effect.

Children’s Privacy & Parental Rights

BeneVibe is committed to protecting the privacy of the youngest members of our community. Our practices are designed to comply with the Children’s Online Privacy Protection Act (COPPA) and HIPAA regulations regarding minors.

1. Information from Children Under 13

Our Services are not intended for independent use by children under the age of 13. We do not knowingly collect personal information directly from children under 13. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately so we can delete the information.

2. Parental Control of Health Records

In cases where a parent or legal guardian provides health information regarding a minor (a “Dependent”):

Guardian Authority: Under HIPAA, the parent or guardian is generally considered the “personal representative” of the minor. You have the right to access and manage the PHI of your dependent as outlined in the “Your Rights” section of this policy.

Consent and Privacy: We only collect health data about minors when provided by a verified parent or legal guardian for health management. This data is afforded the same (or higher) encryption and security standards as adult PHI.

3. Adolescent Privacy

In certain jurisdictions and under specific clinical circumstances, minors may have the right to control certain aspects of their health information. We respect these local laws and will work with families to ensure that data access aligns with both legal requirements and the best interests of the patient.

State-Specific and International Privacy Rights

Depending on where you live, you may have additional rights regarding the Personal Information (PI) we collect that falls outside the scope of HIPAA (such as website analytics, marketing preferences, and account metadata).

The following rights apply only where required by applicable law based on your jurisdiction.

1. California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights regarding your non-health personal information:

Right to Deletion: You may request that we delete the personal information we have collected from you, subject to certain legal exceptions (e.g., if we are required to keep the data for HIPAA compliance or legal obligations).

Right to Opt-Out of Sale or Sharing: BeneVibe does not sell your personal information. However, you have the right to opt out of the “sharing” of your data for cross-context behavioral advertising.

Right to Correct: You have the right to request that we correct inaccurate personal information.

Right to Limit Use of Sensitive PI: You can direct us to limit the use of sensitive personal information (like precise geolocation) to only what is necessary to perform our services.

2. Washington Residents (My Health My Data Act)

For Washington residents, we afford heightened protections to “Consumer Health Data” not covered by HIPAA. This includes the Right to Withdraw Consent for data collection and the Right to have your health-related interactions deleted from our non-clinical systems.

3. European Union & UK Residents (GDPR)

If you are accessing our services from the EU or UK, you have specific rights under the General Data Protection Regulation:

Right to Erasure (“Right to be Forgotten”): You can request the deletion of your data when it is no longer necessary for the purposes it was collected.

Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format.

Right to Object: You can object to the processing of your data based on legitimate interests or for direct marketing.

These rights apply only to users located in the European Economic Area (EEA) or United Kingdom.

How to Exercise Your Rights

To submit a request regarding your personal information, please contact us at hello@BeneVibe.co. We may need to verify your identity before processing your request. We will respond to verified requests within the timeframes required by applicable law.

Complaints

To file a complaint with the Plan, telephone or write the Privacy Officer as provided above under Contact Information. You will not be penalized, or in any other way retaliated against, for filing a complaint with the Office of Civil Rights or with us. You should keep a copy of any notices you send to the Plan Administrator or the Privacy Officer for your records. If you believe that your privacy rights have been violated, you may file a complaint with the Plan or with the Office for Civil Rights of the United States Department of Health and Human Services. You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html
