React Health™ Mobile App Privacy Policy

React Health™ Mobile App Privacy Policy

Last revised: May 2026

Applies to: The React Health™ mobile application, including React Health Plus (the “App”).

Your Consent

By selecting “Accept & Continue” or otherwise using the App, you give React Health your explicit, freely given, and informed consent to collect, use, and store the following categories of sensitive data for the limited purposes described in this Policy: (i) health-related information generated by your device, including breathing indices, therapy minutes, and leak metrics; (ii) biometric or physiological measurements captured solely identity-verification features; and (iii) any other information that applicable law classifies as a “special category,” “sensitive personal information,” or “consumer health data.” If at any time you withdraw this consent through any applicable in-App settings or by contacting us, we will cease processing the affected data except to the extent retention is required by law or to protect patient safety.

Who We Are and How to Contact Us

“React Health,” “we,” “us,” and “our” refer to 3B Medical, Inc. d/b/a React Health. For privacy questions or to exercise privacy rights, contact info@reacthealth.com or use the contact options listed on our website’s Contact page. Please use the channels on our Contact page for the most up-to-date contact methods (phone and email).

Key Points (Quick Read)

The chart below summarizes the most important things you should know. It does not replace the full Privacy Policy, which controls if there is any conflict.

What We Collect	Why We Collect It	Your Main Choices
• Device usage data such as minutes used, pressure, and apnea-hypopnea index (AHI, a measure of how many breathing interruptions you have per hour). • Account details (name, email, birth date, device serial number). • Support communications and technical logs. • Camera data you choose to provide for QR scans.	• To show your therapy progress in the App. • To let your care team monitor and support your treatment. • To keep the App safe, reliable, and up to date. • To comply with law and improve our products.	• Use the App without registering (QR-code mode). • Turn push notifications on or off at any time. • Ask us to delete, correct, or access your data where the law allows. • Opt out of any practices your state law lets you opt out of.

Scope; Relationship to HIPAA and Other Privacy Laws

This Privacy Policy explains how the App collects, uses, discloses, and protects App Data (defined below) for patients and other end users. Some information in our systems may be Protected Health Information (PHI) when React Health receives and processes it on behalf of your healthcare provider or DME under HIPAA (e.g., via our cloud and Connect™ platform). When we act as a Business Associate, HIPAA and our Business Associate Agreements govern our handling of PHI; your provider’s HIPAA Notice of Privacy Practices explains those practices. For App interactions where React Health collects information directly from you (and not on behalf of a covered entity), HIPAA may not apply; in those cases, consumer privacy laws and this policy govern. See HHS guidance for how HIPAA applies to apps and data access requests; also note that additional federal and state privacy laws can apply to health apps and connected devices.

If a breach involves non-HIPAA health information maintained by a health app or connected device service, the FTC’s Health Breach Notification Rule (HBNR) may require consumer and regulator notifications (as updated in 2024 to expressly cover many health apps and connected devices). When HIPAA applies, HIPAA’s breach notification rules control.

The App and How It Works (Non-Registered vs. Registered Use)

The App helps patients view and manage therapy usage information from React Health CPAP/respiratory devices. You can use the App in two modes:

Non-registered (no account): You may scan Usage QR codes printed by compatible devices. These QR codes can contain up to 180 days of summary therapy data (e.g., minutes used, AHI, pressure, leak). The App parses that data, stores a copy locally on your phone, and securely transmits it to the React Health Cloud. In non-registered mode, the data upload is one-way (to the cloud), and no data is pulled down from the server to your device. You may still review local data and generate progress reports.
Registered (account): If you register an account (native username/password or Sign in with Apple or Google, with optional biometric device unlock), the App can sync usage data from the server to the App so you see the most complete picture of your therapy, including data that a device’s cellular modem may have sent to the server. Registered users may also receive device-specific content (product PDFs, help articles, videos) and in-App messages. Push notifications are optional and can be turned off in your device settings; in-App messages appear when you open the App and cannot be disabled.

We periodically prompt non-registered users to register (approximately every 30 days), but you may skip registration and continue using the QR features. Accepting the Privacy Policy and Terms of Use is required in both modes.

What We Collect

Category	Illustrative Elements	How Obtained	Primary Purposes
Device Usage Data	Time/duration of use; pressure; respiratory indices (AHI, AI, HI, CAI); leak metrics; device serial number	QR code scans; device modem; SD card upload by provider	Display data in App; transmit to designated medical professionals; support therapy monitoring, device performance, safety, and compliance
Account & Registration	Name; email; date of birth; device serial number; login credentials; optional: state, diagnosis method, AHI, insurance provider, time zone	Entered by you in App	Create/manage account; register device; synchronize data; respond to requests
Support Communications	Email address; device logs; screenshots; problem descriptions	Submitted by you through App or email	Provide support; resolve issues; maintain security and quality
Technical & Usage Info	Device identifiers; IP address; App version; OS version; crash/diagnostic logs	Automatically collected during App use	Operate core functionality; protect security; troubleshoot; improve reliability
Camera-Based Features	QR code scans;	Device camera with your permission	Upload therapy data

Notes: Examples are illustrative and may vary by device model and App version.

Purpose Limitation

We collect and use App Data only for the purposes described in this Privacy Policy or as otherwise permitted by law. We do not use App Data for unrelated advertising, profiling, or any other secondary purpose without your additional consent. Specifically, React Health processes App Data only for the following purposes:

to display your therapy progress in the App;
to transmit usage data to your designated healthcare provider or durable medical equipment supplier for clinical monitoring, troubleshooting, and insurance or regulatory compliance;
to maintain the safety, security, and reliable operation of the App and your device; and
to comply with legal obligations and improve our products in de-identified or aggregated form.

We will not use App Data for any secondary purpose without providing you notice and, where required by law, obtaining your prior consent.

Sensitive & Biometric Data

The App does not track your precise location or store biometric identifiers.

Third-Party Analytics Disclosure

To help us maintain and improve the App, we use industry-standard analytics and crash-reporting services. These providers act as our service providers and may receive limited technical information (such as device type and crash logs) solely to perform those services for us. They are contractually prohibited from using that data for their own purposes.

How We Use Data

Sharing with Medical Professionals. We transmit Usage Data and, if you register an account, certain account identifiers (name, birth date, device serial number, and last login time) directly to the cloud environment used by your prescribing clinician, DME, or other authorized medical professional. These professionals access your data under their own legal and ethical duties of confidentiality and use it solely to monitor your therapy, adjust device settings, or fulfil reimbursement and compliance requirements. We do not allow other third parties to access this clinical data unless required by law or expressly authorized by you.

We use data to: operate the App; display your therapy information; link your App account to existing DME/provider records when possible; deliver device-specific education; send in-App messages and (if enabled) push notifications; provide support; protect against fraud and misuse; comply with law; and improve safety, reliability, and performance. When the App is used in connection with your provider/DME, we may process Usage Data so that your provider and DME can review and manage your therapy.

We use information to support patient safety, device performance, quality, and reliability. This includes detecting and addressing malfunctions, performing maintenance and product support, improving device and App functionality, and conducting quality assurance and compliance checks. We use information for security, fraud prevention, and integrity monitoring so that we can help protect your data and our systems from unauthorized access and abuse.

We may use de-identified or aggregated information for analytics and to improve our products and services. When we de-identify information, we follow reasonable measures designed to remove or obscure identifiers and we commit not to re-identify the information unless permitted by law for security, safety, or other limited purposes.

React Health does not determine insurance coverage, compliance, or reimbursement decisions; those determinations are made by your insurer and/or provider.

How Data Flows To and From the App

In non-registered mode, QR scan data is stored locally and uploaded to the React Health Cloud over a secure connection; there is no download of server data to the device. In registered mode, the App syncs data to and from our servers so you have the most complete view (including cellularly uploaded data). These flows rely on your mobile data or WiFi connection.

When and With Whom We Disclose Information

We share data:

With your DME/provider when necessary to deliver therapy support and enable clinical workflows (e.g., patient record linkage, therapy start date, provider visibility of your last login, selected mask, and devices).
With service providers that host, process, or support the App (e.g., cloud hosting, maintenance, analytics, customer support), under contracts that restrict use to our instructions.
With affiliates in the React Health family, and in connection with a corporate transaction as permitted by law.
As required by law (e.g., court orders, regulatory requests) or to protect safety, rights, or integrity of systems.

We do not sell Personal Information. We may share de-identified or aggregated information that does not identify you for analytics and product improvement.

Security

React Health employs administrative, technical, and physical safeguards designed to protect App Data, including role-based access controls, industry-standard encryption in transit, secure development and testing practices, logging and monitoring, and vendor oversight. Access to information is restricted to personnel with a business need. No system can guarantee absolute security. If we confirm a breach, we will notify affected users as required by applicable law (HIPAA breach rules when PHI is involved; otherwise, the FTC’s HBNR and/or state law as applicable).

Notwithstanding the foregoing, In the unlikely event of a security incident that compromises personal information, we will investigate promptly, contain the incident, and notify affected users and regulators as required by applicable law. Notification will occur by email and/or prominent in-App notice and will describe (i) what happened, (ii) what information was involved, (iii) what we are doing to address the situation, and (iv) recommended steps you can take to protect yourself.

You can help protect your data by enabling your device’s PIN/biometric lock, keeping your OS up to date, and using the latest version of the App. If your device is lost or stolen, use the remote wipe function if available, and avoid public or unsecured networks where possible. In this regard, React Health strongly recommends that you:

• enable a strong device passcode, biometric unlock, or equivalent security feature;

• keep your operating system and the App updated with the latest security patches;

• activate the remote-wipe feature offered by your device manufacturer so you can erase local App Data if the device is lost or stolen;

• avoid using the App on public or unprotected Wi-Fi networks; and

• contact us immediately if you suspect unauthorized access to your account.

Failure to follow these practices may increase the risk of unauthorized disclosure of your information.

Camera, Facial Geometry, and Other Device Permissions

The App uses your device camera for one purpose, which requires your permission. The camera scans QR codes displayed on compatible devices to upload Device Usage Data quickly and accurately. You may disable camera access at any time in your device settings, though doing so will disable the scanning feature.

Data Retention

Unless a different retention period is required by law or by our HIPAA obligations as a Business Associate, we generally retain App Data for ten (10) years from receipt in our systems. We may retain certain records longer if required by law, to resolve disputes, or to maintain security.

We retain account information for as long as your account is active and as needed to provide the App, comply with legal obligations, resolve disputes, and enforce agreements. When retention is no longer required, we may delete or de-identify the information consistent with our policies and applicable law. Deleting the App from your mobile device removes local copies of data stored on that device, but it does not delete information stored on our servers or information previously shared with your designated medical professionals.

You may delete your registration data by using the ‘Delete Account’ option in the App settings. Device data already shared with your provider for clinical purposes will remain in your provider’s medical record, which we do not control.

Children’s Privacy

The App is not intended for or directed to children under the age of 13, and we do not knowingly collect Personal Information from children under 13. If we learn that we have collected Personal Information from a child under 13, we will take appropriate steps to delete that information as required by law. If you are between 13 and 17 years old, you should use the App only with the involvement of a parent or legal guardian. Pediatric use of React Health devices, if any, must be guided by the patient’s care team, and the App should not be used as a substitute for professional medical advice.

Your Privacy Choices and Rights

You may use the App in non-registered mode (QR scans only), decline push notifications, and limit optional fields. You can delete locally stored data by deleting the App; to delete app data stored on our servers, use the “Delete Account” option in the app. To exercise other rights, please contact us as described below.

HIPAA rights (when PHI is involved): When we process your data as a Business Associate on behalf of your provider/DME, your HIPAA rights (e.g., access, amendment) are exercised through your provider, as described in their Notice of Privacy Practices.

State Law Rights

State	Rights that may apply	Key notes
California (CCPA/CPRA)	Know/access; correct; delete; portability; limit use of sensitive personal information; opt out of sale/share; non-discrimination	HIPAA-regulated PHI is exempt. We do not sell Personal Information as defined by CPRA. We do not engage in targeted advertising.
Virginia, Colorado, Connecticut	Access; correct; delete; portability; we do not engage in targeted advertising, sale, or certain profiling; right to appeal	HIPAA-regulated PHI is exempt. We do not sell Personal Information.
Utah, Iowa, Indiana, Montana, Tennessee, Texas and similar	Access; delete; portability; we do not sell your info or engage in targeted advertising; other state-specific rights	Scope and definitions vary. HIPAA-regulated PHI is exempt. We do not sell Personal Information. We do not engage in targeted advertising.

We will honor those rights where applicable law requires and as our processing falls within each law’s scope. To exercise any privacy right (access, deletion, correction, appeal of a decision, or opt-outs where available), contact us at info@reacthealth.com or via our Contact page; we may need to verify your request. Authorized agents may act on your behalf where the law permits.

State-Specific Privacy Disclosures and Consumer Rights

The following disclosures are intended to satisfy the requirements of the California Consumer Privacy Act and California Privacy Rights Act (collectively, “CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Iowa Consumer Data Protection Act (“ICDPA”), the Indiana Consumer Data Protection Act (“INCDPA”), the Montana Consumer Data Privacy Act (“MCDPA”), the Tennessee Information Protection Act (“TIPA”), the Texas Data Privacy and Security Act (“TDPSA”), the Washington My Health My Data Act (“MHMDA”), and any similar or successor U.S. state privacy laws that may apply to our processing of Personal Information (collectively, the “State Privacy Laws”).

These State Privacy Laws grant eligible residents certain rights regarding their “personal information,” “personal data,” or “consumer health data” (as those or similar terms are defined by each statute). The paragraphs below explain (i) what those rights are, (ii) how you may exercise them, and (iii) the limits and exceptions—particularly the exclusion of Protected Health Information (“PHI”) governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations.

Scope and Relation to HIPAA

When we process data on behalf of your healthcare provider or durable medical-equipment supplier (“DME”) in our capacity as a HIPAA Business Associate, that data is PHI. PHI is exempt from the State Privacy Laws and is handled in accordance with HIPAA, applicable Business Associate Agreements, and your provider’s HIPAA Notice of Privacy Practices. For any data that falls outside HIPAA—such as information you provide directly to us when you use the App on your own behalf—this State Privacy Rights section applies.

Your State Privacy Rights

Subject to the scope, exclusions, and limitations of each State Privacy Law, eligible residents may have some or all of the following rights with respect to non-PHI personal information we maintain about them:

• The right to know/confirm whether we process their personal information and to access that information in a portable and readily usable format;

• The right to correct inaccuracies in their personal information;

• The right to delete personal information we collected from or about them;

• The right to obtain a copy of personal information that they previously provided to us (“data portability”);

• The right to opt out of (i) the sale of personal information, (ii) targeted advertising (also called cross-context behavioral advertising), and (iii) certain forms of automated decision-making or profiling that produce legal or similarly significant effects (note that we do not presently engage in these activities);

• The right, for Washington residents, to withdraw consent for the collection, sharing, or other processing of “consumer health data,” and to appeal a denial of a request; and

• The right to be free from discrimination or retaliation for exercising any privacy right.

We do not sell personal information as that term is defined under the State Privacy Laws. We do not engage in automated decision-making that produces legal or similarly significant effects on individuals.

How to Exercise Your Rights

You (or your authorized agent, where permitted) may submit a privacy rights request by emailing info@reacthealth.com or by using any other method identified on the Contact page of our website. Please clearly state the right you wish to exercise, the state in which you reside, and sufficient information for us to verify your identity (and, if applicable, the authority of your agent). We will acknowledge your request within the timeframe required by the applicable State Privacy Law and will respond substantively within forty-five (45) days unless the law allows an extension. If we need additional time, we will inform you of the reason and the length of the extension.

Verification, Denials, and Appeals

We will use commercially reasonable methods to verify that the person making a request is the resident to whom the information pertains (or that resident’s authorized agent). If we deny your request, we will explain the basis for the denial. Where state law provides a right to appeal (e.g., under the VCDPA, CPA, CTDPA, MHMDA, and similar statutes), you may appeal our decision by resubmitting your request with the subject line “Privacy Request Appeal” or by following any additional instructions we include in our denial. We will respond to your appeal within the period required by applicable law.

Limitations and Exceptions

The rights described above do not apply to:

• PHI processed under HIPAA;

• De-identified or aggregated data that cannot reasonably be linked to an individual;

• Data maintained and processed solely in the context of current or future employment with React Health; or

• Information otherwise exempted under the State Privacy Laws (for example, data collected under certain federal regulations, credit-reporting laws, or in connection with product recalls).

We reserve the right to refuse, in whole or in part, requests that are manifestly unfounded, excessive, technically infeasible, or otherwise not required by law. Where we refuse or partially comply, we will provide an explanation consistent with the applicable statute.

No Waiver of Federal or State Rights

Nothing in this section is intended to limit any rights you may have under HIPAA or other federal or state laws. Where multiple laws apply, we will comply with the law that affords you the greater protection, subject to the exclusions and carve-outs described above.

Washington Residents – My Health My Data Act (MHMDA) Rights

If you are a Washington resident, you have specific rights under the Washington My Health My Data Act (MHMDA) regarding your consumer health data. These include the right to:

Know what consumer health data we collect, use, and share.
Access and request deletion of your consumer health data.
Withdraw consent for the collection or sharing of your consumer health data at any time.
Appeal any denial of your rights request.

To exercise these rights, please contact us at info@reacthealth.com or via our Contact page or use the relevant features in the App. We will respond to your request as required by law. We do not sell consumer health data.

International Users; Data Location; Canadian Residents

The App and our primary cloud hosting are located in the United States, and your data will be processed in the U.S. If you use the App from outside the U.S., you consent to U.S. processing, which may be subject to different privacy standards than those in your home country. Where required, we rely on legally recognized safeguards, such as standard contractual clauses, to protect cross-border data transfers.

Additional Details Specific to React Health Plus

Prompts and acceptance flow. Both non-registered and registered users must accept this Privacy Policy and the Terms of Use within the App (the App presents Privacy first, then Terms, each with a separate “Accept”). Non-registered users are periodically prompted to register but may continue to skip.

Provider visibility for registered users. If the App matches your account to a DME/provider record, your registered user status and certain metadata (e.g., last login time, selected mask and device) can be visible to that DME/physician in the React Health platform to support therapy management.

Push and in-App messages. You can disable push notifications at any time in your device settings. In-App messages remain available whenever you are logged in and cannot be turned off (they sync only when you use the App).

Insurance compliance. Some insurers require minimum device usage for reimbursement; that requirement is between you and your insurer/provider. React Health does not control coverage or reimbursement decisions.

Jurisdiction, Governing Law, and Enforcement

This Privacy Policy and any disputes arising from it or your use of the App are governed by the laws of the State of Ohio, United States, without regard to conflicts-of-law principles. You agree that exclusive jurisdiction and venue for any disputes will be in the state or federal courts located in Franklin County, Ohio, and you consent to the personal jurisdiction of those courts. If any provision of this Privacy Policy is held invalid or unenforceable, the remaining provisions will remain in full force and effect.

Accessibility Statement

We are committed to ensuring that this Privacy Policy is accessible to individuals with disabilities. The App supports screen readers and dynamic text sizing. If you need the Policy in an alternative format, please contact us and we will provide it free of charge.

Changes to This Policy

We may update this policy from time to time. We will post updates in the App (e.g., under About > Privacy Policy) and, when legally required, will provide additional notice or seek consent. Your continued use of the App after an update signifies acceptance of the revised policy. For reference, React Health maintains separate privacy notices for its website and for the React Health Connect™ portal.

How to Contact Us

Email: info@reacthealth.com

Website Contact Page: see “Reach Out to React Health” for up-to-date phone and email points of contact.

Mail: React Health, 5475 Rings Road, Suite 550, Dublin, Ohio 43017, United States.

Phone: (863) 226-6285

Definitions

Apnea-Hypopnea Index (AHI) means the average number of breathing pauses (apneas) and shallow breaths (hypopneas) you experience per hour of sleep.

App Data means all data the App collects or processes, including Usage Data, Account and Registration Data, and technical telemetry.

Consumer Health Data means health-related data regulated by certain state laws (e.g., Washington MHMDA) when HIPAA does not apply.

Sell means disclosing or making available personal information to a third party for monetary or other valuable consideration.

Share means disclosing or making available personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

Targeted Advertising (also called "cross-context behavioral advertising" or "interest-based advertising") means displaying advertisements to you based on personal information obtained from your activities across different businesses, websites, applications, or services, other than the business, website, application, or service with which you intentionally interact.

Usage Data means therapy and device information like minutes used, AHI, leak and pressure details, and device serials.