Speer Health, Inc. — Privacy Policy
1. Introduction
Speer Health, Inc. ("Speer," "we," "us," or "our") is committed to protecting the privacy of individuals who interact with us. This Privacy Policy describes how we collect, use, share, and safeguard personal information when you visit our website at speerhealth.ai (the "Site"), use our platform and applications (the "Services"), or otherwise engage with us.
This policy applies to:
- Visitors to our Site
- Prospective customers who request demos, download content, or contact us
- Authorized end users of our Services (such as Medical Affairs, Field Medical, and related personnel at our customer organizations)
- Healthcare professionals (HCPs) and other individuals whose information our customers process through the Services
If you are an HCP or other individual whose data has been entered into the Services by one of our customers, please note that our customer is the data controller of that information, and Speer acts as a data processor. Inquiries regarding such data should be directed to the relevant customer organization.
2. Information We Collect
2.1 Information you provide directly to us
When you interact with our Site or Services, we may collect:
- Contact information (name, email address, phone number, job title, employer)
- Account credentials and profile information for authorized users
- Communications you send to us (support requests, sales inquiries, feedback)
- Information submitted through forms, demo requests, and event registrations
2.2 Information collected automatically
When you visit our Site or use our Services, we may automatically collect:
- Device and browser information (IP address, browser type, operating system, device identifiers)
- Usage data (pages visited, features used, time spent, referral source)
- Cookies and similar tracking technologies (see Section 10)
2.3 Customer Data processed on behalf of our customers
When our customers use the Services, they may upload, input, or otherwise submit information including:
- HCP profile data (names, professional credentials, affiliations, contact details, NPI identifiers)
- Engagement records (interaction notes, meeting summaries, MSL observations, insights)
- Internal organizational content (medical strategy materials, scientific statements, taxonomies)
This data is collectively referred to as "Customer Data." Speer processes Customer Data solely on behalf of and in accordance with the instructions of the customer organization that provided it.
2.4 Information from third parties
We may receive information from publicly available sources (such as professional databases, NPPES, OpenPayments, PubMed) and from service providers who help us operate our business.
3. How We Use Information
We use personal information to:
- Provide, operate, maintain, and improve the Services
- Authenticate users and secure accounts
- Communicate with you about your account, the Services, support, and product updates
- Respond to inquiries and demo requests
- Send marketing communications (where permitted by law and subject to your preferences)
- Conduct analytics to understand how the Site and Services are used
- Comply with legal obligations and enforce our agreements
- Detect, prevent, and address fraud, security incidents, and abuse
We do not sell personal information.
4. Our Role: Controller and Processor
Speer's role with respect to personal information depends on the context:
Data Controller. Speer acts as a data controller for personal information we collect directly — for example, information about Site visitors, prospective customers, marketing contacts, and our own employees. We determine the purposes and means of processing this information.
Data Processor. Speer acts as a data processor for Customer Data uploaded to or generated within the Services by our customers. Our customers determine the purposes and means of processing this data, and we process it strictly on their documented instructions in accordance with our Data Processing Addendum and customer agreements. If you are an HCP or other individual whose data appears in the Services because a Speer customer entered it, please contact that customer to exercise your rights regarding that data.
5. How We Share Information
We share personal information only as described below:
5.1 Sub-processors and service providers
We engage trusted third-party service providers to help us deliver the Services. An up-to-date list of our sub-processors is maintained at our Trust Center: https://speer-health-343.trust.site/subprocessors. We require all sub-processors to provide an appropriate level of data protection through written agreements.
5.2 Within our organization
We share personal information among Speer personnel who need access to perform their duties, subject to confidentiality obligations.
5.3 Legal and protective disclosures
We may disclose personal information when required to comply with applicable law, lawful governmental requests, court orders, or legal process; to enforce our agreements; or to protect the rights, property, or safety of Speer, our customers, or others.
5.4 Business transfers
If Speer is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to appropriate confidentiality protections.
6. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.
For Customer Data, retention periods are determined by our customer agreements and the instructions of the customer. Upon termination of a customer agreement, Customer Data is deleted or returned in accordance with the agreement.
For information we collect as a controller (such as marketing contacts and Site analytics), we retain data for the period reasonably necessary for the purposes for which it was collected.
7. Security
Speer maintains administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit (TLS) and at rest
- Role-based access controls and multi-factor authentication for administrative access
- Network security controls including limited network connections and transmission confidentiality
- Endpoint encryption on devices used to access the Services
- Continuous monitoring and automated reporting
- Security and privacy awareness training for all personnel
- Vendor risk management for sub-processors
Speer is GDPR compliant and CPRA compliant, and is actively pursuing SOC 2 and HIPAA attestations. Current details of our security program and certifications are available at our Trust Center: https://speer-health-343.trust.site.
No method of transmission or storage is 100% secure. While we work to protect personal information, we cannot guarantee absolute security.
8. Your Rights and Choices
Depending on your jurisdiction, you may have rights regarding your personal information, including the right to:
- Access the personal information we hold about you
- Request correction of inaccurate or incomplete information
- Request deletion of your personal information
- Restrict or object to certain processing
- Receive a copy of your data in a portable format
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with a supervisory authority
To exercise these rights, contact us at mshibly@speerhealth.ai. We may need to verify your identity before fulfilling your request.
If your data appears in the Services because a Speer customer entered it, please direct your request to that customer, who is the controller of that data. Speer will reasonably assist our customers in responding to such requests.
EU/EEA, UK, and Swiss residents should also review our GDPR Policy for additional rights and information.
9. International Data Transfers
Speer is headquartered in the United States, and our infrastructure is operated in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States.
When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on appropriate transfer mechanisms, which may include the Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms. See our GDPR Policy for details.
10. Cookies and Tracking Technologies
We use cookies and similar technologies on our Site to enable core functionality, remember your preferences, and analyze how the Site is used.
Categories of cookies we use:
- Strictly necessary cookies — required for the Site and Services to function
- Analytics cookies — used by tools such as Google Analytics to help us understand how visitors interact with our Site
- Functional cookies — remember your preferences
Most browsers allow you to manage cookie preferences. You can also use the cookie banner on our Site to manage your choices where applicable.
11. Children's Privacy
The Services are intended for business use by professionals in the life sciences industry. They are not directed at children, and we do not knowingly collect personal information from individuals under the age of 18. If we learn that we have collected such information, we will delete it.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Effective Date" at the top of this policy and, where required by law, provide additional notice (such as by email or through the Services).
13. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Speer Health, Inc.
Email: mshibly@speerhealth.ai
For data subjects in the European Economic Area, the United Kingdom, or Switzerland, see our GDPR Policy for additional contact information.