Privacy Policy

We use the personal information we collect for the following purposes.

We do not sell your personal information. We share your information only as described below and only to the extent necessary to fulfill the purposes for which it was collected.

To the extent that information you submit through the Platform constitutes protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), we handle such information in accordance with applicable HIPAA requirements. We use and disclose PHI only as permitted or required by HIPAA and as necessary to provide the benefit administration services described in this Privacy Policy. We maintain the administrative, physical, and technical safeguards required by the HIPAA Security Rule for electronic PHI. To the extent uPPo acts as a Business Associate of a Covered Entity such as an insurance carrier or ERISA plan, we operate pursuant to a Business Associate Agreement governing our use and disclosure of PHI. We do not use PHI for marketing purposes without your specific, written authorization.

If you have questions about how your health information is handled, or if you believe your HIPAA rights have been violated, please contact us at the address provided in Section 10 of this Privacy Policy.

We retain your personal information for as long as necessary to provide the services described in this Privacy Policy; to comply with our legal obligations, including applicable federal and state recordkeeping requirements; to resolve disputes and enforce our agreements; and to fulfill the purposes for which the information was collected.

In general, we retain enrollment records and benefit administration data for a minimum of seven (7) years following the end of the applicable plan year, or such longer period as may be required by law — for example, ten (10) years for records subject to HIPAA or CMS requirements. Following the expiration of the applicable retention period, we will delete or securely anonymize your personal information.

We implement and maintain commercially reasonable administrative, technical, and physical security measures designed to protect your personal information against unauthorized access, disclosure, alteration, loss, or destruction. These measures include encryption of data in transit and at rest; role-based access controls limiting access to personal information to authorized personnel with a legitimate need to know; multi-factor authentication for platform administrative access; regular security assessments and vulnerability testing; employee training on data privacy and security practices; and incident response procedures for detecting and responding to security events.

No security system is impenetrable, and we cannot guarantee the absolute security of your information. In the event of a data breach that is likely to result in harm to you, we will notify you in accordance with applicable state breach notification laws and, where required, notify relevant regulatory authorities.

The Platform uses cookies and similar technologies — such as web beacons, pixel tags, and local storage — to operate and improve the Platform, maintain your session, and gather aggregate analytics. We use strictly necessary cookies that are required for the Platform to function, including session authentication and security tokens; functional cookies that enable personalization and remember your preferences such as language settings and saved plan selections; and analytics cookies that help us understand how users interact with the Platform in aggregate, generally without identifying individual users.

You may control non-essential cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform. We do not use cookies to track your activity across unrelated third-party websites or to serve you advertising.

Depending on your state of residence and the nature of your information, you may have certain rights with respect to your personal information. We honor these rights to the extent required by applicable law.

The Platform is not directed to children under the age of thirteen (13), and we do not knowingly collect personal information directly from children under thirteen. If we become aware that we have collected personal information from a child under thirteen without parental consent, we will take steps to delete that information promptly. If you believe a child under thirteen has provided us with personal information, please contact us immediately using the information in Section 10.

To the extent the Platform collects information regarding dependents who are minors, such information is submitted by the Employee — as parent or legal guardian — on behalf of the minor, and the Employee's consent and authorization under the Employee Enrollment Agreement covers such submission.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, or if you wish to exercise any of your rights described in Section 8, please contact us at:

We will respond to all privacy-related inquiries within thirty (30) calendar days of receipt.

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our data practices, applicable law, or the services we offer. When we make material changes, we will post the updated Privacy Policy on the Platform with a revised “Last Updated” date and notify registered users by email at the address on file where practicable. Where required by law, we will obtain renewed consent for any material changes to how we process sensitive personal information.

Your continued use of the Platform following notice of a material change constitutes your acceptance of the revised Privacy Policy. If you do not agree with a revised Privacy Policy, you must discontinue your use of the Platform and contact us to request deletion of your account.

This Privacy Policy is governed by the laws of the State of Florida, without regard to its conflict of law principles, and applicable federal privacy laws. To the extent any provision of this Privacy Policy conflicts with applicable state or federal law, such law shall control.

By using the uPPo Platform or executing the Employee Enrollment Agreement, you acknowledge that you have read, understood, and agree to this Privacy Policy. You further acknowledge that uPPo may update this Policy from time to time and that your continued use of the Platform following notice of any update constitutes your acceptance of the revised Policy.