Privacy Policy

Privacy Policy

Last Updated: January 1, 2026

Memoir, Inc. d/b/a Chapter and its affiliates, including Chapter Medicare, LLC d/b/a Chapter Advisory, LLC, Chapter Technologies, LLC, and Quentin Cares Insurance Services Inc. (collectively “Chapter,” “Company”, “we”, “us”), provide services to educate and advise individuals regarding certain healthcare, financial, and technology matters. We also, through Chapter Advisory, LLC (doing business in California as Chapter Insurance Services), provide licensed insurance agency services to help individuals choose a Medicare benefits plan and other types of health coverage for their needs. This privacy policy (“Privacy Policy”) is designed to help you understand how we collect, use, and share your Personal Data and to help you understand and exercise your privacy rights.

SCOPE

This Privacy Policy applies to personal data that individually identifies you (“Personal Data”) collected from and about you in connection with your use of our websites, mobile applications, and other online and telephonic offerings. To make this Privacy Policy easier to read, our websites, mobile applications, and other online and telephonic offerings are collectively called “Services”. This Privacy Policy, supplements and is incorporated into each of our Terms of Service (which governs your use of our Services, except for Services provided by Chapter Technologies, LLC) and the Chapter Technologies Terms of Service (which governs your use of the Services provided by Chapter Technologies, LLC). If you do not agree to the applicable Terms of Service ‎and the collection, use and ‎sharing of your information as detailed in this Privacy Policy, please ‎do not access or otherwise ‎use our Services or any information or content accessible on ‎our Services.‎

The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing Personal Data to third-party websites or applications is at your own risk.

We collect, use, share, and process Personal Data from users of our Services in several contexts as described below. This Privacy Policy does not apply to the following information:

Protected health information (“PHI”) subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) that we handle on behalf of our health insurance carrier partners, for which we are bound by separate legal and contractual obligations. If you have questions about how such information is used or disclosed, please contact your insurance provider.
Information we collect from individuals with whom we engage in solely business-to-business communications and transactions.

PERSONAL DATA WE COLLECT

The categories of Personal Data we collect depend on how you interact with us, our Services and the requirements of applicable laws, regulation, and official guidance. We collect information that you provide to us, information we obtain automatically when you use our Services, and information from other sources such as third-party services and organizations, as described below.

Information You Provide to Us Directly

We may collect the following Personal Data that you provide to us.

Health Coverage Questionnaires. We may collect Personal Data that you provide through a questionnaire on our website so that we can evaluate your health coverage preferences and identify the types of health plans that make sense for you. The Personal Data we collect may include name, zip code, telephone number, date of birth, current medical providers, prescriptions, current medical plan information, and information regarding your health history. While much of this information is optional, providing as much information as possible allows us to provide recommendations that are better tailored and more useful for you.
Account Creation. We may collect Personal Data if you choose to create an account, such as name, email address, and zip code.

Your Communications with Us. We may collect Personal Data when you request information about our Services, register for our newsletter or blog updates, request customer or technical support, interact with our online forms and tools, complete an application for insurance coverage, interact with one of our representatives over the phone, apply for a job or otherwise communicate with us.

Surveys. We may contact you to participate in surveys. If you decide to participate, you may be asked to provide certain information which may include Personal Data.
Interactive Features. We and others who use our Services may collect Personal Data that you submit or make available through our interactive features (e.g., messaging and chat features, commenting functionalities, forums, blogs, and social media pages). Any information you provide on the public sections of these features will be considered “public”, unless otherwise required by applicable law, and is not subject to the privacy protections referenced herein.
Sweepstakes or Contests. We may collect Personal Data you provide for any sweepstakes or contests that we offer, consistent with applicable laws and regulations. In some jurisdictions, we are required to publicly share information of sweepstakes and contest winners.

Conferences, Trade Shows, and Other Events.We may collect Personal Data from individuals when we attend conferences, trade shows, and other events.
Business Development and Strategic Partnerships.We may collect Personal Data from individuals and third parties to assess and pursue potential business opportunities.

Job Applications.We may post job openings and opportunities on our Services. If you reply to one of these postings by submitting your application, CV and/or cover letter to us, we will collect and use your information to assess your qualifications.
Information Collected Automatically

We may collect Personal Data automatically when you use our Services:

Automatic Data Collection. We may collect certain information automatically when you use our Services, such as your internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising and other unique identifiers, browser or device information, location information (including approximate location derived from IP address), and internet service provider. We may also automatically collect information regarding your use of our Services, such as pages that you visit before, during and after using our Services, information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our Services. In addition, we may collect information that other people provide about you when they use our Services, including information about you when they tag you.
Cookies, Pixel Tags/Web Beacons, and Other Technologies. We, as well as third parties that provide content, advertising, or other functionality on our Services, may use cookies, pixel tags, local storage, session replay and other technologies (“Technologies”) to automatically collect information through your use of our Services. Session replay tools may record your interactions with the Services, such as how you move across the Services or interact with our web forms.

Cookies. Cookies are small text files placed in device browsers that store preferences and facilitate and enhance your experience.

Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in our Services that collects information about engagement on our Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.
Our uses of these Technologies fall into the following general categories:
Operationally Necessary. This includes Technologies that allow you access to our Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity and improve security or that allow you to make use of our functionality;

Performance-Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services (see Analytics below);
Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests – e.g., as you indicate in our questionnaire –or past items viewed;

Advertising- or Targeting-Related. We may use first party or third-party Technologies to deliver content, including ads relevant to your interests, on our Services or on third-party websites.
Analytics. We may use Technologies and other third-party tools to process analytics information on our Services, such as Google Analytics. For more information, please review the Google Privacy Policy. To learn more about how to opt-out of Google Analytics’ use of your information, please click here.
Google Maps API. We use Google Maps APIs in some of our Services. For more information about the Google Maps APIs, please review the Google Privacy Policy.

Social Media Platforms. Our Services may containsocial media buttons such as LinkedIn, Twitter, Facebook, and Instagram. These features may collect your IP address, which page you are visiting on our Services, and may set a cookie to enable the feature to function properly. Your interactions with these platforms are governed by the privacy policy of the company providing it.
Marketing Communications. When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other Personal Data they or others have about you, including by association with your email or online profiles. We (or service providers on our behalf) may then send communications and marketing to these emails or profiles. You may opt out of receiving this advertising by visiting https://app.retention.com/optout

See Section 5 below to understand your choices regarding these Technologies.

Information Collected from Other Sources

We may obtain information about you from other sources, including healthcare providers and third-party organizations and partners who provide health-related services and who authorize such information sharing. For example, if you access our Services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect information about you from that third-party application that you have made available via your privacy settings.

HOW WE USE YOUR PERSONAL DATA

We use your Personal Data for a variety of business purposes, including to provide our Services, for administrative purposes, and to market our products and Services, as described below.

Provide Our Services

We use your information to fulfill our contract (the Terms of Service or the Chapter Technologies Terms of Service) with you and provide you with our Services, such as:

Providing you with recommendations regarding health plans;
Assisting you in preparing coverage applications for submission to insurance carriers;

Providing information to your designated healthcare provider or the healthcare provider who referred you, if authorized by you;

Helping you utilize insurance plan benefits, including the fulfillment of OTC orders through the Chapter OTC application;
Managing your information and accounts;
Providing access to certain areas, functionalities, and features of our Services;

Answering requests for customer or technical support;
Communicating with you about your account, activities on our Services, and policy changes;

Processing applications if you apply for a job, we post on our Services; and
Allowing you to register for events, including any virtual events.
Administrative Purposes

We use your information for various administrative purposes, such as:

Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;

Measuring interest and engagement in our Services;

Short-term, transient use, such as contextual customization of ads;
Improving, upgrading or enhancing our Services;
Developing new products and Services;

Ensuring internal quality control and safety;
Authenticating and verifying individual identities;

Debugging to identify and repair errors with our Services;
Auditing relating to interactions, transactions and other compliance activities;
Enforcing our agreements and policies; and

Complying with our legal obligations.

Marketing and Advertising our Products and Services

We may use Personal Data to tailor and provide you with content and advertisements. We may provide you with these materials as permitted by applicable laws, regulations, and official guidance.

Some of the ways we market to you include email campaigns, custom audiences advertising, and “interest-based” or “personalized advertising,” including through cross-device tracking, in compliance with applicable laws and regulations.

If you have any questions about our marketing practices or if you would like to opt out of the use of your Personal Data for marketing purposes, you may contact us at any time as set forth below.

Other Purposes

We also use your information for other purposes as requested by you or as permitted by applicable law.

Consent. We may use Personal Data for other purposes that are clearly disclosed to you at the time you provide Personal Data or with your consent.
De-identified and Aggregated Information. We may use Personal Data and other information about you to create de-identified and/or aggregated information that does not identify you individually, such as metrics regarding plan selection, de-identified demographic information, de-identified location information, information about the devices from which individuals access our Services, or other analyses we create. De-identified and/or aggregated information is not Personal Data, and we may use and disclose such information in several ways, including research, internal analysis, analytics, and any other legally permissible purposes.

Share Content with Friends or Colleagues. Our Services may offer various tools and functionalities. For example, we may allow you to provide information about your friends or colleagues through our referral services. Our referral services may allow you to forward or share certain content with a friend, colleague, or healthcare provider, such as an email inviting your friend to use our Services.

HOW WE DISCLOSE OR SHARE YOUR INFORMATION

We disclose your information to third parties for a variety of business purposes, including to provide our Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below.

Disclosures to Provide our Services

The categories of third parties with whom we may share your information are described below.

Service Providers. We may share your Personal Data with our third-party service providers who use that information to help us provide our Services. This includes service providers that provide us with IT support, hosting, payment processing, customer service, and related services.
Business Partners. We may share your Personal Data with business partners to provide you with a product or service that you have requested. With your consent, we may also share your Personal Data to business partners with whom we jointly offer products or services.

Affiliates. We may share your Personal Data with our company affiliates with your consent for our administrative purposes, including activities such as IT management, for them to provide services to you such as health brokerage services, or support and supplement the Services we provide.

Advertising Partners. We may share your Personal Data with third-party advertising partners where you have provided your consent for us to do so. These third-party advertising partners may set Technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising” or “personalized advertising.”
APIs/SDKs. We may use third-party Application Program Interfaces (“APIs”) and software development kits (“SDKs”) as part of the functionality of our Services, such as to obtain the latest information on Medicare plans, insurance carriers, healthcare providers, and prescription drugs to consider this information in our recommendations for you. For more information about our use of APIs and SDKs, please contact us as set forth below.
Disclosures to Protect Us or Others

We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.

YOUR PRIVACY CHOICES AND RIGHTS
Email and Telephone Communications. If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding our Services or updates to our Terms of Service or this Privacy Policy).
We process requests to be placed on do-not-mail, do-not-phone, and do-not-contact lists as required by applicable law.

Text Messages. You may opt out of receiving text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us at [email protected]. We will not share your opt-in to an SMS campaign with any third party for purposes unrelated to providing you with the services of that campaign. We may share your data, including your SMS opt-in or consent status, with third parties that help us provide our messaging services, including but not limited to platform providers, phone companies, and any other vendors who assist us in the delivery of text messages.

Mobile Devices. We may send you push notifications through our mobile application. You may opt out from receiving these push notifications by changing the settings on your mobile device. With your consent, we may also collect precise location-based information if you use our mobile application. You may opt out of this collection by changing the settings on your mobile device.
“Do Not Track.” Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
Cookies and Interest-Based Advertising. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, our Services may not work properly. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android, iOS and others.

The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy by visiting the Digital Advertising Alliance, the European Digital Advertising Alliance, and the Digital Advertising Alliance of Canada. Additionally, you can turn off certain third-party targeting/advertising cookies by visiting the ‎Network Advertising Initiative: https://optout.networkadvertising.org/ and by ‎visiting Google:‎ https://tools.google.com/dlpage/gaoptout‎.

Please note you must separately opt out in each browser and on each device. Your browser may provide you with some options regarding ‎cookies. For more detailed information about how to disable or administer your ‎cookie settings in your web browser, please refer to the applicable page for the ‎browser you are using:‎
‎•‎ Safari: http://help.apple.com/safari/mac/8.0/#/sfri11471   ‎
‎•‎ Google Chrome: https://support.google.com/chrome/answer/95647?hl=en  ‎
‎•‎ Microsoft Edge / Internet Explorer: http://windows.microsoft.com/en-GB/windows-vista/Block-or-allow-cookies ‎
‎•‎ Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences     ‎

You can withdraw your consent to allow for cookies, change your browser settings, ‎and delete the cookies already stored on your computer at any time. Please note ‎that if you delete, or choose not to accept, cookies, you may not be able to utilize ‎the features of the services on our website to their fullest potential. ‎‍

SECURITY OF YOUR INFORMATION

We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us.

By using our Services or providing Personal Data to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you.

‍7. USERS OUTSIDE OF THE UNITED STATES

The Services are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States. Any information you provide to us through use of the Services may be stored and processed, transferred between and accessed from the United States and other countries that may not guarantee the same level of protection of personal data as the one in which you reside. However, we will handle your Personal Data in accordance with this Privacy Policy regardless of where your Personal Data is stored/accessed.

‍8. SOCIAL SECURITY PROTECTION POLICY STATEMENT

It is our policy to protect the confidentiality of Social Security numbers (“SSNs”) ‎from ‎misuse ‎and ‎improper disclosure by maintaining and enforcing physical, ‎‎‎electronic, and procedural ‎‎safeguards. ‎We prohibit unlawful disclosure of ‎SSNs, and limit access to SSNs to our ‎personnel ‎who need ‎access to SSNs in ‎order to perform their job functions. We do not ‎disclose SSNs to ‎third parties ‎‎except where required or ‎‎permitted by law.‎

‍9. SUPPLEMENTAL NOTICE FOR CALIFORNIA RESIDENTS

Residents of California may have certain rights under §1798.83, known as the “Shine The Light” law, to request ‎‎‎‎and obtain from us, once a year and free of charge, information about categories of personal ‎‎‎‎‎information (if any) we disclosed to third parties for direct marketing purposes and the names ‎‎‎‎and ‎addresses of all third parties with which we shared Personal Data in the immediately ‎‎‎‎preceding ‎calendar year. If you are a California resident and would like to make such a request, ‎‎‎‎please submit your ‎request clearly in writing to us using the contact information provided below.‎

In our capacity as an insurance agency, we rarely handle Personal Data that is subject to the California Consumer Privacy Act of 2018 (“CCPA”). For services provided as part of the Chapter OTC application under Chapter Technologies, LLC and in the other limited cases where we may collect Personal Data about certain California residents subject to the CCPA, our CCPA policy, incorporated herein, applies to that Personal Data. 

‍10. SUPPLEMENTAL NOTICE FOR WASHINGTON AND NEVADA RESIDENTS

For individuals in Washington and Nevada, please refer to our Consumer Health Data Privacy Policy, which is incorporated herein, for additional information about the processing of your Personal Data that is considered “consumer health data” as defined under those states’ laws.

INDIVIDUALS IN OTHER STATES

You may have rights under other state consumer privacy laws, including, without limitation, Colorado, Connecticut, Oregon, Texas, Utah, and Virginia. Please contact us at [email protected] if you have questions or would like to exercise a right under these laws.

CHILDREN’S INFORMATION

The Services are not directed to children or individuals under the age of 18. Children under the age of 18 are strictly prohibited from using the Services. We do not knowingly collect Personal Data from children.

Protecting children’s privacy online is very important to us. If you access or use the Services, you represent and warrant that you are either at least 18 years old or otherwise have adequate authority and capacity to consent to use the Services under applicable state and federal laws.

If you are a parent or guardian and wish to review information that you believe we may have unintentionally collected from your child, or have that information modified or deleted, you may contact us as described below. If we become aware that a child has provided us with Personal Data in violation of applicable law, we will delete any Personal Data we have collected, unless we have a legal obligation to keep it, and terminate the child’s account.

‍13. CHANGES TO OUR PRIVACY POLICY

We may revise this Privacy Policy from time to time in our sole discretion. If there are any material changes to this Privacy Policy, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use our Services after the new Privacy Policy takes effect.

‍14. CONTACT US

If you have any questions about our privacy practices or this Privacy Policy, or to exercise your rights as detailed in this Privacy Policy, please contact us at:

Memoir, Inc. d/b/a Chapter

19 Union Square West, 12th Floor

New York, NY 10003

[email protected]

Supplemental Notice for California Residents - CCPA Policy

Last Updated: January 1, 2026

As discussed in our Privacy Policy, Memoir, Inc. d/b/a Chapter and its affiliates (collectively, as defined in the Privacy Policy, "Chapter," "Company," "we," and "us") rarely handle Personal Data that is considered “personal information” as defined by and subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”) in our capacity as an insurance agency. For services provided as part of the Chapter OTC application offered by Chapter Technologies, LLC and in the other limited cases where we may collect Personal Data about certain California residents subject to the CCPA, this CCPA Policy ("Policy") explains the rights of California residents regarding the collection, use, sale, and sharing of their Personal Data. This Policy is in addition to our Terms of Service and Privacy Policy. All references to "Chapter," "Company," "we," and "us" in this Policy have the meanings ascribed to them in the Privacy Policy.

This Policy does not apply to the following types of information:

Information provided when you apply for financial products or services (including information covered by the Gramm-Leach-Bliley Act, California Financial Information Privacy Act, or Fair Credit Reporting Act).
Health information protected by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) that we handle for our health insurance partners. We have legal and contractual obligations to these partners regarding this information. If you have questions about how this information is used or shared, contact your insurance provider. We do not control their privacy practices.
Information about people who are not California consumers as such term is defined by the CCPA.
Information about our employees, contractors, agents, and job applicants. This information is covered by a separate privacy notice that we provide to these individuals.
Information we collect from business-to-business communications and transactions, including due diligence activities and information about employees of our business clients.

Personal Data We Collect About You.

In the preceding 12 months, we have collected the following categories and specific types of Personal Data:

Categories of Personal Data We Collect	Categories of Third Parties with Whom We Disclose Personal Data for a Business Purpose
Identifiers (e.g., your real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers)	· Affiliates and subsidiaries · Third party service providers · For legal, security, and safety purposes · In connection with a corporate transaction · Entities to which you have consented to the disclosure
Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information (“Sensitive Information”)	· Affiliates and subsidiaries · Third party service providers · For legal, security, and safety purposes · In connection with a corporate transaction · Entities to which you have consented to the disclosure
Characteristics of protected classifications under California or federal law	· Affiliates and subsidiaries · Third party service providers · For legal, security, and safety purposes · In connection with a corporate transaction · Entities to which you have consented to the disclosure
Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)	· Affiliates and subsidiaries · Third party service providers · For legal, security, and safety purposes · In connection with a corporate transaction · Entities to which you have consented to the disclosure
Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement)	· Affiliates and subsidiaries · Third party service providers · For legal, security, and safety purposes · In connection with a corporate transaction · Entities to which you have consented to the disclosure
Geolocation data	· Affiliates and subsidiaries · Third party service providers · For legal, security, and safety purposes · In connection with a corporate transaction · Entities to which you have consented to the disclosure
Professional or employment-related information	· Affiliates and subsidiaries · Third party service providers · For legal, security, and safety purposes · In connection with a corporate transaction · Entities to which you have consented to the disclosure
Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes	· Affiliates and subsidiaries · Third party service providers · For legal, security, and safety purposes · In connection with a corporate transaction · Entities to which you have consented to the disclosure

How Your Personal Data is Collected.

We collect most of this Personal Data directly from interactions with you through our Services. However, we may also collect information from the following categories of sources:

Publicly accessible sources;
Third parties (e.g., healthcare providers and third-party organizations and partners who provide health-related services, app stores, third-party login services, social networking sites, advertising networks, data analytics providers);
Third parties with your consent (e.g., your bank);
Technologies on our Services (including cookies, pixel tags, local storage, and session replay tools);
Automated information collection;
Our IT systems, including:
Door entry systems and reception logs;
Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems; and

Why We Use Your Personal Data.

We collect consumer Personal Data for the following business purposes:

Helping to ensure security and integrity to the extent the use of the consumer's Personal Data is reasonably necessary and proportionate for these purposes;
Debugging to identify and repair errors that impair existing intended functionality;

Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer's current interaction with the business, provided the consumer's Personal Data is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;

Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business or service provider;
Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer;
Undertaking internal research for technological development and demonstration;

Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business;
To comply with our legal and regulatory obligations;

For the performance of our contract with you or to take steps at your request before entering into a contract;
For our legitimate interests or those of a third party; or
Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use (process) your Personal Data for and our reasons for doing so:

What we use your Personal Data for	Our reasons
To provide services to you	For the performance of services to you or to take steps at your request before providing services
To prevent and detect fraud against you or Chapter	For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you
Conducting checks to identify our customers and verify their identity Screening for financial and other sanctions or embargoes Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator	To comply with our legal and regulatory obligations
Gathering and providing information required by or relating to audits, inquiries, or investigations by regulatory bodies	To comply with our legal and regulatory obligations
Ensuring business policies are adhered to, e.g., policies covering security and internet use	For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you
Operational reasons, such as improving efficiency, training, and quality control	For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price
Ensuring the confidentiality of commercially sensitive information	For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information To comply with our legal and regulatory obligations
Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures	For our legitimate interests or those of a third party
Preventing unauthorized access and modifications to systems	For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you To comply with our legal and regulatory obligations
Updating and enhancing customer records	For the performance of services to you or to take steps at your request before providing services To comply with our legal and regulatory obligations For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our customers about existing orders and new products
Statutory returns	To comply with our legal and regulatory obligations
Ensuring safe working practices, staff administration and assessments	To comply with our legal and regulatory obligations For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you
Marketing our services and those of selected third parties to: —existing and former customers; —third parties who have previously expressed an interest in our services; —third parties with whom we have had no previous dealings.	For our legitimate interests or those of a third party, i.e., to promote our business to existing and former customers
External audits and quality checks, e.g., for accreditations and the audit of our accounts	For our legitimate interests or those of a third party, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards To comply with our legal and regulatory obligations

Who We Share Your Personal Data With.

In the preceding 12 months, we have disclosed consumers’ Personal Data with:

Our affiliates, including Chapter Medicare, LLC d/b/a Chapter Advisory, LLC, Chapter Technologies, LLC, and Quentin Cares Insurance Services Inc.;
Service providers that provide us with IT support, hosting, payment processing, customer service, and related services;
Business partners and advertising partners (with your consent);
Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers;
Our insurers and brokers;
Our banks;
External accountants.

We only allow our service providers to handle your Personal Data if we are satisfied that they take appropriate measures to protect your Personal Data. We also impose contractual obligations on service providers, contractors, and third parties to ensure they can only use your Personal Data to provide services to us and to you.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some Personal Data with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

Categories of Personal Data We Sold or Shared.

In the preceding 12 months, we have sold or shared the following categories of Personal Data:

Browser and Device Information (g. IP address, browser type and version, operating system, device type (mobile, desktop, tablet), screen resolution, language settings, time zone);
Behavioral Data (g., pages visited on the website, time spent on each page, referring URL (where the user came from), click behavior and navigation patterns, date and time of visit);
Cookie and Identifier Data (g., unique identifiers assigned to the user's browser, existing cookies from the advertising platform, cross-site tracking identifiers, and session IDs);
User Interaction Data (g., specific actions taken on the page (button clicks, video views), search queries entered on the site).

Categories of Personal Data We Disclosed for a Business Purpose.

In the preceding 12 months, we have disclosed the following categories of Personal Data for a business purpose:

Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers);
Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
Characteristics of protected classifications under California or federal law;
Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement);
Geolocation data;
Audio, electronic, visual, or similar information;
Professional or employment-related information;
Sensitive Information.

How Long Your Personal Data Will Be Kept.

We will keep your Personal Data while you have an account with us or while we are providing services to you. Thereafter, we will keep your Personal Data for as long as is necessary:

To respond to any questions, complaints or claims made by you or on your behalf;
To show that we treated you fairly; or
To keep records required by law.

We will not retain your Personal Data for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of Personal Data.

Your Rights Under the CCPA/CPRA.

You have the right under the CCPA and CPRA, and certain other privacy and data protection laws, as applicable, to exercise free of charge:

Disclosure of Personal Data We Collect About You	You have the right to know, and request disclosure of: • The categories of Personal Data we have collected about you, including sensitive Personal Data; • The categories of sources from which the Personal Data is collected; • Our business or commercial purpose for collecting, selling, or sharing Personal Data; • The categories of third parties to whom we disclose Personal Data, if any; and • The specific pieces of Personal Data we have collected about you. Please note that we are not required to: • Retain any Personal Data about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained; • Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Data; or • Provide the Personal Data to you more than twice in a 12-month period.
Disclosure of Personal Data Sold, Shared, or Disclosed for a Business Purpose	In connection with any Personal Data we may sell, share, or disclose to a third party for a business purpose, you have the right to know: • The categories of Personal Data about you that we sold or shared and the categories of third parties to whom the Personal Data was sold or shared; and • The categories of Personal Data that we disclosed about you for a business purpose and the categories of persons to whom the Personal Data was disclosed for a business purpose. You have the right to opt-out of the sale of your Personal Data or sharing of your Personal Data for targeted behavioral advertising. If you exercise your right to opt-out of the sale or sharing of your Personal Data, we will refrain from selling or sharing your Personal Data, unless you subsequently provide express authorization for the sale or sharing of your Personal Data. To opt-out of the sale or sharing of your Personal Data, send an email to: [email protected]. You can also scroll to the bottom of this page and click the link to manage your cookies preferences.
Right to Limit Use of Sensitive Personal Data	You have the right to limit the use and disclosure of your sensitive Personal Data to the use which is necessary to: · Perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; · To perform the following services: o (1) Helping to ensure security and integrity to the extent the use of the consumer’s Personal Data is reasonably necessary and proportionate for these purposes; o (2) Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, if the consumer’s Personal Data is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business; o (3) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business; and o (4) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business; and As authorized by further regulations. You have a right to know if your sensitive Personal Data may be used, or disclosed to a service provider or contractor, for additional, specified purposes. To opt-out of the sale or sharing of your Personal Data, send an email to: [email protected]. You can also scroll to the bottom of this page and click the link to manage your cookies preferences.
Right to Deletion	Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will: • Delete your Personal Data from our records; and • Direct any service providers or contractors to delete your Personal Data from their records. • Direct third parties to whom the business has sold or shared your Personal Data to delete your Personal Data unless this proves impossible or involves disproportionate effort. Please note that we may not delete your Personal Data if it is reasonably necessary to: • Complete the transaction for which the Personal Data was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us; • Help to ensure security and integrity to the extent the use of the consumer’s Personal Data is reasonably necessary and proportionate for those purposes; • Debug to identify and repair errors that impair existing intended functionality; • Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law; • Comply with the CCPA; • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent; • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us; • Comply with an existing legal obligation; or • Otherwise use your Personal Data, internally, in a lawful manner that is compatible with the context in which you provided the information.
Right of Correction	If we maintain inaccurate Personal Data about you, you have the right to request us to correct that inaccurate Personal Data. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate Personal Data.
Protection Against Retaliation	You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things: • Deny goods or services to you; • Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; • Provide a different level or quality of goods or services to you; or • Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

How to Exercise Your Rights.

If you would like to exercise any of your rights as described in this Policy, you may email us at: [email protected].

Please note that you may only make a CCPA/CPRA-related data access or data portability disclosure request twice within a 12-month period.

If you choose to contact us directly by email, you will need to provide us with:

Enough information to identify you (e.g., your full name, address and customer or matter reference number);
Proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill); and
A description of what right you want to exercise and the information to which your request relates.

We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf.

Any Personal Data we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification.

Consumer Health Data Privacy Policy

Last updated: January 1, 2026

This notice supplements our Privacy Policy and applies to personal data defined as “consumer health data” subject to the Washington State My Health My Data Act (MHMDA) and Nevada’s Consumer Health Data Privacy Law.

Please note that data practices concerning PHI we collect are described in the terms and privacy disclosures specific to those services.

Consumer Health Data We Collect

As described in the Privacy Policy, the data we collect depends on the context of your interactions with us and the choices you make (including your privacy settings), the Services and features you use, your location, and applicable law.

Examples of consumer health data may include:

Information about your health-related conditions, symptoms, status, diagnoses, testing, or treatments (including surgeries, procedures, medications, or other interventions).
Information that could identify your attempt to seek health care services or information, including services that allow you to purchase certain over-the-counter medications.
Other information that may be used to infer or derive data related to the above or other health information.

Sources of Consumer Health Data

As described further in our Privacy Policy, we collect personal data (which may include consumer health data) directly from you, from your interactions with our Services, from third parties, and from publicly available sources.

Why We Collect and Use Consumer Health Data

We collect and use consumer health data for the purposes described in our Privacy Policy. Primarily, we collect and use consumer health data as reasonably necessary to provide you with the Services you have requested or authorized. This may include delivering and operating the Services and their features, personalization of certain Service features, ensuring the secure and reliable operation of the Services and the systems that support them, troubleshooting and improving the Services, and other essential business operations that support the provision of the Services (such as analyzing our performance, meeting our legal obligations, developing our workforce, and conducting research and development).

We may use consumer health data for other purposes for which we give you choices and/or obtain your consent as required by law – for example, for advertising or marketing purposes. See our Privacy Policy and the How to Exercise Your Rights section below for more details on the controls and choices you may have.

As described in our Privacy Policy, we may create aggregate/de-identified data from the information we collect through the Services and our disclosure of such aggregate/de-identified data is at our discretion.

Our Sharing of Consumer Health Data

We may share your consumer health data for the purposes described in our Privacy Policy. In particular, we may share personal data, including consumer health data, with your consent or as reasonably necessary to complete any transaction or provide any Service you have requested or authorized, as described above.

We share your Personal Data with third parties when you tell us to do so. If you make a purchase through the Chapter OTC application, we will share Personal Data about the transaction as necessary to process the payment, including protection against fraud. We may disclose Personal Data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process.

Third Parties with which We Share Consumer Health Data

As necessary for the purposes described above, we share consumer health data with the following categories of third parties:

Service providers. Vendors or agents (“processors”) working on our behalf may access consumer health data for the purposes described above. For example, companies we’ve hired to provide customer service support or assist in protecting and securing our systems and services may need access to data to provide those functions. We may also share consumer health data with third-party service providers that assist with the Services, including for generating documentation and supporting certain workflows.
Business partners. We may share consumer health data with other companies, for example, where you use a Service that is cobranded and jointly operated with another company, or where you use our services to interact with another company.
Financial institutions & payment processors. When you make a purchase or enter into a financial transaction, we will disclose payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, analytics, or other related financial services.
Parties to a corporate transaction. We may disclose consumer health data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
Affiliates. We enable access to data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access helps us to provide our Services and operate our business.
Government agencies. We may disclose data to law enforcement or other government agencies when we believe doing so is necessary to comply with applicable law or respond to valid legal process.
Other third parties. In certain circumstances, it may be necessary to provide data to other third parties, for example, to comply with the law or to protect our rights or those of our customers.
Other users and individuals. If you use our Services to interact with other users of the Service or other recipients of communications, we will share data, including consumer health data, as directed by you and your interactions.‍

How to Exercise Your Rights

The MHMDA and Nevada Consumer Health Data Privacy Law provide certain rights with respect to consumer health data, for example rights to access, delete, or withdraw consent relating to such data, subject to certain exceptions. Please refer to our Privacy Policy for more details on ways to request to exercise such rights. If you want to access or control consumer health data processed by us that is not available via those tools or directly through the Services you use, you can always contact us at [email protected].

If your request to exercise a right under the MHMDA or Nevada Consumer Health Data Privacy Law is denied, you may appeal that decision by contacting our Privacy Officer at [email protected]. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Nevada State Attorney at https://ag.nv.gov/Complaints/File_Complaint/ or Washington State Attorney General at https://www.atg.wa.gov/file-complaint, as applicable.