Privacy Policy.

1. Acceptance and effective date

Effective May 26, 2026. Last reviewed May 26, 2026. This Privacy Policy describes the practices of Hydor Health, headquartered in Houston, Texas, U.S.A., with respect to information collected through hydorhealth.com (the "Site") and any document or form offered through it. Capitalized terms not defined here carry the meaning in the Hydor Health Terms of Service.

By accessing the Site or interacting with Hydor Health through the public surface, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not use the Site. Continued use after a posted change constitutes acceptance, subject to the notice provisions in Section 16.

This Privacy Policy does not govern protected health information processed on behalf of a covered entity. That work is governed by a separately signed Business Associate Agreement and the operative service contract.

2. Who we are and how to reach our Privacy Office

Hydor Health is the controller of personal information collected through the Site for inquiry routing, marketing communications, and the operation of public materials. The company maintains a Privacy Office in Houston, Texas, with a designated point of contact for privacy inquiries, data subject requests, and regulatory correspondence.

Contact the Privacy Office by email at privacy@hydorhealth.com or by mail at Hydor Health, Attention: Privacy Office, Houston, Texas, U.S.A. For inquiries involving personal information of residents of the European Economic Area or the United Kingdom, you may also request the contact information of our Data Protection Officer where one has been designated.

We treat the Privacy Office mailbox as a legal channel of record. Inquiries received through any other channel are routed to the Privacy Office.

3. What we collect from public website visitors

Most of the Site can be read without disclosing personal information. When you submit an inquiry, request a gated document, or subscribe to a newsletter, we collect what you provide, typically your name, professional email address, the organization you represent, your role, and a free-text description of your interest.

Our servers automatically receive certain technical information when your browser requests a page, including the originating IP address, user agent string, requested resource, referring URL, request time, and basic delivery telemetry used to detect and prevent abuse. This category is treated as access log data and retained for the periods in Section 11.

We use a limited set of first-party cookies and similar storage technologies described in our Cookie Policy. We do not load third-party advertising trackers, social pixels, or advertising tags for Google Ads, Meta, LinkedIn, or any equivalent platform.

Where the Site offers a download, we may record it against the inquiry record so the routing owner has context for follow-up. We do not associate downloads with persistent advertising identifiers and do not sell, rent, or transfer download data for marketing.

4. What we collect through clinical surfaces

The Site does not provide clinical services and does not request protected health information from a visitor. When Hydor Health processes protected health information on behalf of a covered entity (a health system, ministry of health, or federal counterpart), it does so as a business associate under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, and under the Texas Medical Records Privacy Act where applicable.

Each such engagement is governed by a separately signed Business Associate Agreement. That agreement, not this Privacy Policy, defines permitted uses and disclosures, security and breach notification obligations, audit rights, and termination provisions. Where any conflict exists, the Business Associate Agreement controls.

If you reached this Privacy Policy through a clinical surface operated by a covered-entity partner, the partner is the controller of your protected health information for purposes of your rights of access, correction, and accounting of disclosures. We will route any such request to the partner without unreasonable delay.

5. How we use the information we collect

We use information collected through the Site for a narrow set of operational purposes. Inquiry routing, so a sovereign briefing reaches the Office of the CEO, an investor inquiry reaches the CFO, a press inquiry reaches the communications lead, a federal request reaches the Office of the CIO, and a partnership request reaches the program lead. Marketing communications where you have asked to receive them. Security, fraud prevention, and abuse detection. Compliance with applicable law, including responses to subpoenas and court orders. Operation and improvement of the Site itself.

We do not engage in profiling that produces legal or similarly significant effects. We do not use the Site to make automated decisions about employment, credit, housing, insurance, or any matter that could meaningfully affect a person. We do not use information collected through the Site to train any AI model on a clinical surface.

Lawful bases vary by category: performance of pre-contractual steps for inquiry routing; your consent for marketing, which you may withdraw at any time; our legitimate interest in protecting the Site for security; and legal obligation for compliance.

6. What we do not do

Hydor Health does not sell or rent personal information. We do not share personal information with third parties for cross-context behavioral advertising. We do not maintain advertising profiles, do not auction inventory on a real-time bidding exchange, and do not embed third-party advertising pixels.

We do not use protected health information for marketing. We do not use it to train a public model. We do not transfer it across a border without a signed exchange receipt and the documented permission of the controller. We do not record protected health information on any public ledger or chain.

Where a statute defines "sale" or "sharing" in a way that would otherwise capture an operational activity (for example, routing an inquiry through a vetted email provider), we maintain a written contract that prohibits use for any purpose other than the service. The list of service providers is available on request.

7. Cookies and similar technologies

The Site uses a small number of first-party cookies for strictly necessary purposes, first-party analytics, and honoring your stated preferences. The detailed inventory is published in our Cookie Policy at /legal/cookies.

For visitors in the European Economic Area, the United Kingdom, or any jurisdiction that requires prior consent, non-essential cookies are off by default and will not load until you consent through the cookie banner. In opt-out jurisdictions, you may withdraw consent at any time through the banner or your browser settings. We honor the Global Privacy Control signal.

We do not load third-party advertising cookies or social media plug-ins that set cookies before you interact with them. Where the Site embeds a third-party resource, we use the privacy-enhanced mode where available.

8. Sharing with service providers

We share information with a limited set of service providers that support our operations: hosting and content delivery, edge security and bot management, transactional email delivery, customer relationship management, first-party analytics, and document storage. Each provider is engaged under a written contract that limits use to the agreed purposes and imposes confidentiality and security obligations consistent with this Privacy Policy.

Where a provider processes protected health information on our behalf, the engagement is governed by a Business Associate Agreement compliant with the Health Insurance Portability and Accountability Act of 1996. Where a provider processes personal information of residents of the European Economic Area or the United Kingdom, the engagement is governed by a data processing addendum compliant with Article 28 of the General Data Protection Regulation, including the subprocessor obligations in Article 28(2) and Article 28(4).

A current list of subprocessors is available on written request. We provide reasonable advance notice of material changes to controllers who have asked to be notified.

9. Mobile messaging and SMS data

When you give us a mobile number and ask us to text you, Hydor Health sends customer-care text messages tied to the inquiry you started. These are callback confirmations, scheduling notes, and replies to a question you raised. We do not run a promotional text program.

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

We capture consent in one of two ways. On the website, you check an unticked box next to the number you provide. On a phone call, our assistant asks for your permission and records your answer. Consent to texts is never a condition of contacting us or of any purchase.

You control the messages. Reply STOP to any text to opt out. Reply HELP for help, or reach us at hello@hydorhealth.com. Message frequency may vary. Message and data rates may apply.

Mobile opt-in data and consent records are stored separately from our general inquiry records. We do not use them to enrich, append to, or build third-party databases, and we do not sell or rent them. We retain the consent record for at least four years to meet our legal obligations under the Telephone Consumer Protection Act, then delete it. For questions about SMS data, contact hello@hydorhealth.com.

10. International transfers and data residency

Hydor Health operates a sovereign-first architecture for its clinical platform. Data residency is the contractual default for protected health information and for personal information processed inside a Sovereign Health Node. Cross-border exchange occurs only under signed, auditable receipts and on terms agreed by the controller.

For personal information collected through the Site, the primary processing location is the United States. Where we transfer personal information of residents of the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction without an adequacy determination, we rely on the European Commission Standard Contractual Clauses, supplemented by the United Kingdom International Data Transfer Addendum and the Swiss Federal Data Protection and Information Commissioner addendum where relevant.

A copy of the relevant clauses and any supplementary measures is available on written request. We conduct a transfer impact assessment for each onward transfer and update it when the legal landscape materially changes.

11. Retention

We retain personal information only as long as needed to fulfill the purpose for which it was collected, to comply with law, to resolve disputes, and to enforce our agreements. Defaults are listed below. Specific periods may be longer where required by law or signed contract.

• Inquiry dataTwenty-four months from the date of the most recent interaction, after which the record is anonymized or deleted.
• Accounting and tax recordsSeven years from the close of the relevant fiscal year, consistent with the records retention requirements of the Internal Revenue Service and the Texas Comptroller of Public Accounts.
• Protected health informationFor the period specified in the operative Business Associate Agreement, returned or destroyed at the direction of the covered entity on termination of the engagement.
• Access log dataNinety days for security and abuse detection, then truncated. Aggregated log data is retained indefinitely for capacity planning.
• Anonymized aggregatesIndefinitely. Once a dataset has been anonymized to a standard that cannot be reversed, it is no longer personal information and is retained for analytics, product, and research purposes.

12. Security posture

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. The Site is delivered over TLS 1.3 with HTTP Strict Transport Security preload enabled, behind a web application firewall with bot management and DDoS protection. Inquiry forms are protected by edge rate limits and anti-automation controls.

Our intake is friendly to Business Associate Agreements. Where information is subject to the Health Insurance Portability and Accountability Act of 1996, do not include protected health information in a free-text intake field. Reach out through Section 2 and we will move the conversation to a secured channel under a signed Business Associate Agreement.

Hydor Health conducts external penetration testing on a quarterly cadence for every public surface that carries an inquiry form. Findings are remediated against severity-based timelines and the remediation record is available to controllers under the operative audit provisions.

13. Your rights

You have rights with respect to personal information we hold about you. The specific rights depend on your jurisdiction, but Hydor Health honors the following for every visitor.

• Right to accessRequest confirmation of whether we process personal information about you and a copy of what we hold.
• Right to correctRequest that we correct inaccurate or incomplete personal information.
• Right to deleteRequest that we delete personal information, subject to exceptions recognized by applicable law.
• Right to data portabilityRequest a copy in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
• Right to opt outOpt out of marketing communications at any time, and out of analytics through the cookie banner. Exercise any other opt-out recognized in your jurisdiction, including any "sale" or "sharing" under the California Consumer Privacy Act as amended.
• Right to non-discriminationWe will not discriminate against you for exercising any right under this Privacy Policy or applicable law.
• Right to appealIf we deny a request, you may appeal in writing within sixty days. The appeal is reviewed by a person not involved in the original decision.

14. How to exercise your rights

To exercise any right in Section 13, submit a request to privacy@hydorhealth.com or to the postal address in Section 2. We respond within forty-five days. Where a request is complex, we may extend by an additional forty-five days with notice within the original window.

We take reasonable steps to verify identity before acting, proportionate to the sensitivity of the information. For most requests we rely on email verification against the address of record. For sensitive personal information we may require additional verification. You may designate an authorized agent with a signed authorization; we may still require direct verification before acting.

Texas residents may exercise rights under the Texas Data Privacy and Security Act and may report unresolved complaints to the Office of the Attorney General of Texas. Residents of the European Economic Area or the United Kingdom may lodge a complaint with their local supervisory authority. California residents may exercise rights under the California Consumer Privacy Act as amended. Residents of any U.S. state with a comprehensive privacy statute receive the rights granted by that statute.

15. Children's privacy

The Site is not directed to children under the age of thirteen and we do not knowingly collect personal information from a child under thirteen. If you believe a child under thirteen has provided personal information through the Site, contact the Privacy Office and we will promptly delete it.

Where a Hydor Health clinical surface intentionally serves a minor, the engagement is governed by a separate contractual arrangement and parental or guardian consent is required in compliance with the Children's Online Privacy Protection Act of 1998, the Family Educational Rights and Privacy Act where applicable, and any local minor-consent statute.

16. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, services, applicable law, or regulatory guidance. When we do, we will post the update here and refresh the "Last reviewed" date at the top of Section 1.

Where a change is material (for example, a change in the categories of personal information we collect or the categories of third parties with whom we share it), we will provide thirty days of advance notice on the Site and, where we have your email on file, by email. Continued use after the effective date constitutes acceptance.

17. Governing law, venue, and contact

This Privacy Policy is governed by the laws of the State of Texas without regard to its conflict-of-laws principles. The exclusive forum and venue for any dispute is the state or federal courts located in Harris County, Texas. You and Hydor Health each consent to the personal jurisdiction and venue of those courts. Nothing here prevents either party from seeking injunctive or equitable relief in any court of competent jurisdiction to protect intellectual property or confidential information.

For privacy inquiries, contact privacy@hydorhealth.com or by mail at Hydor Health, Attention: Privacy Office, Houston, Texas, U.S.A. Where required, we will identify the responsible Data Protection Officer on written request.

Nothing in this Privacy Policy waives any right you hold under applicable law, including the Texas Identity Theft Enforcement and Protection Act, the Texas Medical Records Privacy Act, the Health Insurance Portability and Accountability Act of 1996, the California Consumer Privacy Act as amended, and the General Data Protection Regulation.