Privacy Policy

Last updated: March 15, 2026 · Effective: March 15, 2026

DRAFT -- PENDING LEGAL REVIEW

This privacy policy is a draft and has not yet been reviewed or approved by legal counsel. It is provided for informational purposes only and may be subject to change. Do not rely on this document as a final, legally binding privacy policy.

1. Overview

Appa Health, Inc. ("Appa Health," "we," "us," or "our") operates a student mentorship platform that connects young people with trained mentors, clinical support, and wellness resources. This Privacy Policy describes how we collect, use, disclose, and otherwise process personal information in connection with the Appa Health platform (the "Service"), including our website, mobile applications, and related services.

This policy applies to all users of our Service, including students, caretakers (parents or guardians), mentors, clinical team members, school administrators, and other staff. We are committed to protecting the privacy and security of the personal information entrusted to us, particularly information relating to minors.

2. Information We Collect

We collect the following categories of personal information:

  • Contact and identity: Name, email, phone, date of birth, grade level, school, caretaker contact information, and optional profile photo.
  • Health and wellness: Well-being survey responses, clinical screening data, session notes, mentor observations, and safety-related disclosures.
  • Messages: In-app messages between students, mentors, and staff, as well as comments and feedback.
  • Usage data: Content interactions, session attendance, login timestamps, device information, browser type, IP address, and general location.
  • Identifiers: Unique user IDs, authentication tokens, and device identifiers.

3. Sources of Personal Information

We collect personal information from the following sources:

  • Directly from you: When you create an account, complete intake forms, send messages, submit surveys, or otherwise interact with the Service.
  • From caretakers: When a parent or guardian provides information during the enrollment or intake process on behalf of a minor.
  • From schools and referral partners: When a school administrator, counselor, or referral partner submits a referral or provides student information for eligibility screening.
  • Automatically collected: When you use the Service, we automatically collect usage data, device information, and interaction data through standard web and mobile technologies.
  • From mentors and staff: When mentors record session notes, observations, or escalate concerns through the platform.

4. Business Purposes for Collection

We use personal information for the following business purposes:

  • Program delivery: Matching students with mentors, scheduling sessions, delivering curriculum content, and tracking program progress.
  • Safety and clinical support: Monitoring for safety concerns, routing clinical escalations, and fulfilling mandatory reporting obligations.
  • Communication: Facilitating in-app messaging between students, mentors, caretakers, and staff.
  • Program improvement: Analyzing engagement data and survey responses to improve our mentorship programs and outcomes.
  • Administrative operations: Managing enrollments, timesheets, staff assignments, and organizational reporting.
  • Compliance: Meeting legal and regulatory obligations, including mandatory reporting, record retention, and audit requirements.
  • Security: Protecting the Service and its users from unauthorized access, fraud, and abuse.

5. Third Parties We Share Data With

We may share personal information with the following categories of service providers who assist us in operating the Service:

  • Cloud infrastructure, database hosting, and authentication providers
  • Customer relationship management platforms
  • Email delivery services (transactional emails and notifications)
  • Web application hosting providers
  • SMS and phone verification services

All service providers are contractually bound to use your information only for the purposes we specify and in accordance with this Privacy Policy. We maintain appropriate agreements with each provider to protect the security and confidentiality of your data.

We may also share information with law enforcement, child protective services, or other government agencies when required by law, including in connection with mandatory reporting obligations (see Section 8).

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

6. Sensitive Personal Information

Our Service may collect or process certain categories of information that are considered "sensitive personal information" under the California Consumer Privacy Act (CCPA), including:

  • Health-related information (wellness surveys, clinical screening data)
  • Information about minors under 16 years of age
  • Precise account credentials (authentication data)

We use sensitive personal information only for the purposes described in this policy and as permitted under CCPA, including providing the Service, ensuring safety, and complying with legal obligations. We do not use or disclose sensitive personal information for purposes other than those authorized under CCPA Section 1798.121.

7. Information About Minors

Appa Health's mentorship programs serve students who are minors (typically ages 13-18). We take the privacy of minors seriously and implement the following protections:

  • Students under 18 must have caretaker (parent or guardian) consent to use the Service.
  • Students must be at least 13 years of age to create an account.
  • We do not sell the personal information of consumers under 16 years of age.
  • We do not share minors' personal information for cross-context behavioral advertising.
  • Messages between students and mentors are visible to authorized staff for safety monitoring.
  • All mentors undergo background checks and training before being assigned to students.
  • Clinical escalation protocols are in place for safety concerns involving minors.

If you are a caretaker and believe your child's information has been collected without your consent, please contact us at privacy@appahealth.com.

8. Mandatory Reporter Disclosure

Appa Health mentors are mandated reporters under the California Child Abuse and Neglect Reporting Act (CANRA), California Penal Code Section 11165.7. This means:

  • Mentors are legally required to report known or suspected child abuse or neglect to the appropriate authorities (such as child protective services or law enforcement).
  • If a student discloses information that indicates abuse, neglect, or imminent danger, mentors must report this information regardless of any other privacy protections.
  • Reports may include personal information about the student, the reported circumstances, and any supporting information available to the mentor.
  • Mandatory reporting obligations override the confidentiality provisions of this privacy policy.

All users of the Service, including students and caretakers, should be aware that communications through the platform are not privileged and may be subject to mandatory reporting requirements.

9. Data Retention

We retain personal information for as long as necessary to provide the Service, subject to minimum retention periods required by law:

  • Clinical and safety records: 6 years (California Health & Safety Code)
  • Payroll and time records: 3 years (California Labor Code Section 1174)
  • Messages: 1 year after account closure
  • Account and profile data: Duration of account + 45 days after deletion request
  • Audit logs: 3 years

After the applicable retention period, we securely delete or anonymize the information unless a longer period is required by law or a pending legal matter.

10. Your Privacy Rights (CCPA)

California residents have the following rights under the CCPA:

  • Right to Know: Request the categories and specific pieces of personal information we have collected, along with the sources, the purposes, and the third parties with whom we share it.
  • Right to Delete: Request deletion of your personal information, subject to legal retention requirements.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out: Opt out of the sale or sharing of personal information. Appa Health does not sell personal information or share it for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not deny services or charge different prices for exercising your rights.

To exercise your rights, contact us at privacy@appahealth.com. We will verify your identity before processing requests. For minors, we verify the requesting parent or guardian. We respond within 45 days.

11. Contact Us

If you have any questions about this Privacy Policy, your personal information, or wish to exercise any of your privacy rights, please contact us:

Appa Health, Inc.

Email: privacy@appahealth.com

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you through the Service (such as an in-app notification) or by other means as required by law. We encourage you to review this policy periodically.

This Privacy Policy was last updated on March 15, 2026 and is effective as of March 15, 2026.