SKYMD® PRIVACY POLICY

EFFECTIVE DATE: MAY 29, 2026
LAST UPDATED: MAY 29, 2026

This Privacy Policy applies to information collected through www.skymd.com, patient.skymd.com, and related SkyMD® online services and patient portals (collectively, the "Platform").

SkyMD® is a healthcare brand operated by Compass Dermatopathology PC ("Compass"), a healthcare provider and HIPAA-covered entity.

For information regarding how Compass uses and protects protected health information ("PHI"), please review our Notice of Privacy Practices.

SECTION 1
INTRODUCTION

This Privacy Policy describes how we collect, use, disclose, and protect information obtained through the SkyMD website, patient portal, mobile-enabled services, communications, and related online services (collectively, the "Platform").

This Privacy Policy applies to information collected through the Platform and other interactions with us that are not governed exclusively by our Notice of Privacy Practices.

Please read this Privacy Policy carefully to understand how information is collected and used. By accessing or using the Platform, you acknowledge that you have reviewed this Privacy Policy.

SECTION 2
SCOPE OF THIS PRIVACY POLICY

This Privacy Policy applies to information collected through the Platform, including information collected when you:

• Visit our websites;
• Create an account;
• Contact us through online forms or email;
• Use our patient portal;
• Request information regarding our services;
• Submit insurance information or identification documents;
• Communicate with our staff; or
• Otherwise interact with our online services.

This Privacy Policy does not replace or modify our Notice of Privacy Practices. Certain information collected through the Platform may constitute protected health information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA"). The collection, use, disclosure, and protection of PHI is governed by our Notice of Privacy Practices and applicable healthcare privacy laws.

If there is any conflict between this Privacy Policy and our Notice of Privacy Practices with respect to protected health information, the Notice of Privacy Practices will control.

SECTION 3
RELATIONSHIP TO OUR NOTICE OF PRIVACY PRACTICES

Certain information collected through the Platform may become part of your healthcare record or otherwise constitute protected health information ("PHI") under applicable healthcare privacy laws.

Examples may include:

• Information submitted as part of a medical visit or consultation;
• Medical history, symptoms, diagnoses, treatment information, prescriptions, and communications with healthcare providers;
• Photographs and other clinical information submitted for evaluation;
• Insurance information submitted for healthcare services;
• Identification and verification information submitted as part of the healthcare intake process; and
• Billing and payment information related to healthcare services.

The collection, use, disclosure, retention, and protection of PHI is governed by Compass's Notice of Privacy Practices and applicable healthcare privacy laws.

Information collected solely for website operation, account registration, website security, analytics, communications, and general use of the Platform may also be governed by this Privacy Policy.

If there is any conflict between this Privacy Policy and the Notice of Privacy Practices regarding protected health information, the Notice of Privacy Practices will control.

SECTION 4
INFORMATION WE COLLECT

We may collect information directly from you, automatically through your use of the Platform, and from third parties as described below.

4.1 Information You Provide Directly

We may collect information that you voluntarily provide, including:

• Name;
• Email address;
• Telephone number;
• Mailing address;
• Username and password credentials;
• Communications submitted through contact forms, email, chat, or customer support interactions;
• Insurance information;
• Identification and verification information;
• Payment information submitted through authorized payment processors; and
• Other information you choose to provide through the Platform.

4.2 Account Registration Information

When you create an account, we may collect information necessary to establish, maintain, secure, and administer your account, including your login credentials and account preferences.

4.3 Healthcare and Intake Information

When you request healthcare services through the Platform, we may collect healthcare-related information, including medical intake information, photographs, insurance information, identification information, and other information necessary to provide healthcare services.

Such information may constitute protected health information ("PHI") and is also governed by our Notice of Privacy Practices.

4.4 Information Collected Automatically

When you visit or use the Platform, certain information may be collected automatically, including:

• IP address;
• Browser type;
• Device type;
• Operating system;
• Date and time of access;
• Referring website information;
• Pages viewed and interactions with the Platform; and
• Technical information used to maintain security, performance, and functionality.

4.5 Cookies and Similar Technologies

We may use cookies, session identifiers, and similar technologies to operate, secure, and improve the Platform. Additional information regarding these technologies is provided below in Section 7.

SECTION 5
HOW WE USE INFORMATION

We may use information collected through the Platform for legitimate business, operational, healthcare, security, and legal purposes, including to:

5.1 Provide and Operate the Platform

• Create and manage user accounts;
• Authenticate users and maintain account security;
• Provide access to Platform features and services;
• Respond to inquiries and customer support requests; and
• Operate, maintain, and improve the Platform.

5.2 Facilitate Healthcare Services

• Process requests for healthcare services;
• Facilitate communications with healthcare providers and staff;
• Verify identity and eligibility for healthcare services;
• Verify geographic location and provider licensure requirements;
• Process insurance and billing information; and
• Support treatment, payment, and healthcare operations.

Healthcare information and protected health information may also be used and disclosed as described in our Notice of Privacy Practices.

5.3 Communicate with You

We may use information to communicate with you regarding:

• Account-related matters;
• Healthcare services and healthcare operations;
• Appointment, visit, billing, and support matters;
• Platform updates and administrative notices;
• Security alerts; and
• Other communications necessary to provide and support our services.

Subject to applicable law and your communication preferences, we may also provide information regarding healthcare services, programs, locations, providers, educational content, healthcare services, provider information, practice updates, and other offerings that may be of interest to you.

5.4 Marketing, Advertising, and Analytics

We may use information collected through the Platform to:

• Promote our healthcare services and operations;
• Evaluate the effectiveness of advertising and marketing campaigns;
• Analyze website and platform usage;
• Improve user experience and website performance;
• Measure engagement with content, communications, and services;
• Develop and improve services, programs, and offerings; and
• Conduct audience measurement, market analysis, and business planning activities.

We may use cookies, analytics tools, advertising technologies, and similar technologies for these purposes, subject to applicable law and user choices where required.

Any use or disclosure of protected health information for marketing purposes will be conducted in accordance with applicable healthcare privacy laws and our Notice of Privacy Practices.

5.5 Comply with Legal and Regulatory Obligations

• Comply with applicable laws, regulations, court orders, and legal processes;
• Respond to lawful governmental requests;
• Maintain required records and documentation;
• Support audits, investigations, and compliance activities; and
• Protect against legal liability.

5.6 Improve Platform Performance

We may use aggregated, de-identified, or non-personal information to evaluate Platform performance, improve functionality, analyze usage patterns, and enhance the user experience.

Such information will not be used to identify individual users.

SECTION 6
HOW WE SHARE INFORMATION

We do not sell your protected health information.

We may share information collected through the Platform as described below and as otherwise permitted or required by applicable law.

6.1 Healthcare Providers and Workforce Members

We may share information with physicians, therapists, healthcare professionals, employees, contractors, and authorized personnel involved in providing healthcare services, operating the Platform, supporting patient care, processing billing activities, or conducting healthcare operations.

Protected health information may be used and disclosed as described in our Notice of Privacy Practices.

6.2 Service Providers and Business Partners

We may share information with third-party service providers, vendors, consultants, contractors, and business partners who assist us with operating the Platform and our business, including:

• Website hosting and cloud infrastructure providers;
• Technology and software service providers;
• Payment processors;
• Customer support providers;
• Communications providers;
• Analytics and reporting providers;
• Security and fraud prevention providers;
• Professional advisors; and
• Other vendors supporting our operations.

Such parties are authorized to access information only as necessary to perform services on our behalf and are required to protect information in accordance with applicable obligations.

6.3 Insurance, Billing, and Payment Activities

We may share information with health plans, insurance companies, claims administrators, billing vendors, clearinghouses, payment processors, and other parties involved in payment, reimbursement, collections, eligibility verification, or healthcare operations.

6.4 Legal Compliance and Protection of Rights

We may disclose information when we believe such disclosure is necessary to:

• Comply with applicable laws, regulations, legal processes, court orders, subpoenas, or governmental requests;
• Protect the rights, property, safety, and security of Compass, our workforce members, providers, patients, or others;
• Investigate, prevent, or address suspected fraud, security incidents, misuse, or unlawful activity; or
• Enforce our Terms of Use and other agreements.

6.5 Business Transactions

In the event of a merger, acquisition, investment transaction, financing, restructuring, sale of assets, reorganization, or similar business transaction, information may be transferred, disclosed, or assigned as part of evaluating, negotiating, or completing such transaction, subject to applicable legal requirements.

6.6 De-Identified and Aggregated Information

We may use, disclose, share, publish, or analyze de-identified, anonymized, aggregated, or statistical information that does not reasonably identify an individual.

6.7 Marketing and Advertising Partners

We may work with advertising, marketing, analytics, and communications providers to promote our services, evaluate advertising effectiveness, improve our Platform, and better understand audience engagement.

Any use or disclosure of protected health information for marketing purposes will be conducted in accordance with applicable healthcare privacy laws, our Notice of Privacy Practices, and applicable authorization requirements where necessary.

6.8 No Sale of Protected Health Information

We do not sell protected health information. Any sharing of information is conducted for legitimate business, healthcare, operational, legal, security, or marketing purposes as described in this Privacy Policy and applicable law.

SECTION 7
COOKIES, ANALYTICS, AND SIMILAR TECHNOLOGIES
7.1 Cookies and Similar Technologies

The Platform may use cookies, session identifiers, pixels, tags, local storage objects, software development kits (SDKs), and similar technologies ("Cookies") to operate, secure, maintain, analyze, and improve the Platform.

Cookies may be used to:

• Remember user preferences and settings;
• Maintain account sessions and authentication status;
• Improve Platform functionality and performance;
• Support security and fraud prevention activities;
• Analyze usage patterns and visitor interactions;
• Measure the effectiveness of content, communications, and advertising; and
• Support marketing and promotional activities.

7.2 Analytics Technologies

We may use analytics tools and services to help us understand how visitors and users interact with the Platform.

Analytics technologies may collect information such as:

• Pages visited;
• Features used;
• Browser and device information;
• IP address;
• Referring websites;
• Session activity; and
• General usage patterns.

Analytics information may be used to improve Platform functionality, user experience, service offerings, and business operations.

7.3 Advertising and Marketing Technologies

We may use advertising, audience measurement, attribution, remarketing, conversion tracking, and similar technologies to evaluate and improve our advertising and marketing efforts.

These technologies may be provided by third-party advertising, analytics, social media, or marketing partners.

Such technologies may assist us in:

• Measuring advertising effectiveness;
• Understanding audience engagement;
• Delivering relevant content and advertising;
• Improving user experience; and
• Evaluating the performance of our services and marketing campaigns.

7.4 Browser Controls and User Choices

Most web browsers allow users to manage, limit, block, or delete cookies through browser settings.

Please note that disabling certain cookies or technologies may affect the availability, functionality, or performance of portions of the Platform.

Certain browsers may also offer "Do Not Track" or similar privacy preference signals. Because there is not currently a universally accepted industry standard governing such signals, the Platform may not respond to all browser-based privacy preference mechanisms.

7.5 Future Technologies

As technologies, services, and business practices evolve, we may implement additional analytics, advertising, security, performance, communications, or operational technologies consistent with this Privacy Policy and applicable law.

SECTION 8
THIRD-PARTY SERVICES
8.1 Third-Party Service Providers

The Platform may rely upon third-party service providers to support healthcare operations, technology infrastructure, communications, security, payment processing, hosting, analytics, and other business functions.

These service providers may process information on our behalf in accordance with contractual obligations, applicable law, and appropriate privacy and security requirements.

8.2 Payment Processing

Payments made through the Platform may be processed by third-party payment processors.

We do not generally store complete payment card information on our systems. Payment information submitted for processing may be collected, stored, and processed by authorized payment processors in accordance with their applicable terms, privacy policies, and security practices.

8.3 Communications Services

We may utilize third-party providers to support communications, including email, text messaging, telephone communications, appointment notifications, security notifications, and other operational communications.

Such providers may process information necessary to facilitate communications on our behalf.

8.3.1 Appointment, Account, Billing, and Healthcare Communications

We may communicate with users, patients, caregivers, and authorized representatives through email, text message (SMS), telephone, patient portal notifications, or similar communication methods regarding:

• Appointment scheduling and reminders;
• Follow-up and continuity-of-care reminders;
• Healthcare service updates;
• Account-related matters;
• Billing and payment matters;
• Security notifications;
• Notifications that information is available within a secure patient portal; and
• Other operational or healthcare-related communications.

To help protect privacy, certain healthcare, billing, and account information may be made available through secure patient portals or secure systems rather than through email or text messages.

8.4 Hosting and Technology Infrastructure

The Platform may utilize third-party hosting providers, cloud service providers, content delivery networks, software vendors, cybersecurity providers, and technology infrastructure providers to operate and secure the Platform.

These providers may have access to information as necessary to perform services on our behalf.

8.5 Third-Party Websites and Services

The Platform may contain links to third-party websites, applications, social media platforms, healthcare resources, pharmacies, insurance resources, or other external services that are not owned or controlled by Compass.

We are not responsible for the privacy practices, content, security, availability, or policies of third-party websites or services. Users should review the applicable privacy policies and terms of use of any third-party services they access.

8.6 Social Media Platforms

We may maintain profiles, pages, or accounts on social media platforms and other online services.

Interactions with such platforms are governed by the privacy policies, terms, and practices of the applicable platform provider.

8.7 No Endorsement

References to third-party services, vendors, products, platforms, or websites are provided for convenience and informational purposes only and do not constitute an endorsement, guarantee, or recommendation by Compass unless expressly stated otherwise.

SECTION 9
DATA RETENTION
9.1 Retention of Information

We retain information for as long as reasonably necessary to:

• Provide and support healthcare services;
• Operate and maintain the Platform;
• Comply with legal, regulatory, tax, accounting, contractual, and recordkeeping obligations;
• Resolve disputes and enforce agreements;
• Protect the security and integrity of our systems; and
• Conduct legitimate business and healthcare operations.

The length of time information is retained may vary depending upon the nature of the information, the services provided, applicable legal requirements, and operational needs.

9.2 Healthcare Records and Protected Health Information

Certain information submitted through the Platform may become part of a patient's healthcare record or otherwise constitute protected health information ("PHI").

Healthcare records and PHI may be retained in accordance with applicable healthcare laws, professional standards, accreditation requirements, payer requirements, regulatory obligations, litigation hold requirements, and our record retention policies.

The retention of healthcare records is governed by our Notice of Privacy Practices and applicable law.

9.3 Account Closure and Deletion Requests

Users may request closure of their Platform account by contacting us.

Upon account closure, we may deactivate account access and discontinue future use of the Platform by the user.

However, account closure does not necessarily require the deletion of information that we are legally permitted or required to retain, including healthcare records, billing records, compliance records, security records, audit logs, business records, and other information maintained pursuant to legal, regulatory, operational, or contractual obligations.

9.4 Backup and Archived Information

Information may remain in backup systems, disaster recovery systems, archives, logs, and similar storage systems for reasonable periods of time consistent with operational, security, legal, regulatory, and business requirements.

Such information will continue to be protected in accordance with applicable policies and legal obligations.

9.5 De-Identification and Aggregation

We may retain, use, disclose, and analyze de-identified, anonymized, aggregated, statistical, or non-identifiable information for lawful business, operational, research, quality improvement, analytical, and reporting purposes, provided that such information does not reasonably identify an individual.

SECTION 10
SECURITY
10.1 Our Security Measures

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, loss, misuse, or destruction.

Such safeguards may include:

• Access controls and authentication measures;
• User account security controls;
• Encryption and secure transmission technologies where appropriate;
• Network and system security controls;
• Monitoring and logging activities;
• Backup and disaster recovery procedures;
• Workforce training and confidentiality obligations; and
• Vendor management and security oversight processes.

We regularly evaluate and update our security practices in light of evolving technologies, operational needs, legal requirements, and cybersecurity risks.

10.2 User Responsibilities

Users are responsible for maintaining the confidentiality of their account credentials and for taking reasonable precautions to protect access to their accounts and devices.

Users should:

• Protect usernames and passwords;
• Use strong and unique passwords;
• Maintain appropriate security on personal devices;
• Promptly notify us of suspected unauthorized account activity; and
• Log out of accounts when appropriate, particularly on shared devices.

10.3 Electronic Communications

While we take reasonable measures to secure electronic communications and Platform activity, no method of electronic transmission, internet communication, storage system, or cybersecurity program can be guaranteed to be completely secure.

Users acknowledge that the transmission of information over the internet involves inherent risks.

10.4 Security Incidents

In the event of a security incident affecting information under our control, we will evaluate the incident and provide notifications as required by applicable law.

10.5 Third-Party Services

Certain services supporting the Platform may be provided by third-party vendors, service providers, business associates, payment processors, hosting providers, telecommunications providers, and technology partners.

While we seek to work with reputable providers and implement appropriate safeguards, we cannot guarantee the security practices or performance of third-party services that are outside of our direct control.

SECTION 11
YOUR PRIVACY CHOICES AND RIGHTS
11.1 Accessing and Updating Information

Users may have the ability to access, review, update, or correct certain account information through the Platform or by contacting us.

We may take reasonable steps to verify the identity of any individual requesting access to or modification of information.

11.2 Communication Preferences

Users may manage certain communication preferences, including marketing and promotional communications, through available account settings, unsubscribe mechanisms, or by contacting us.

Please note that even if you opt out of marketing communications, we may continue to send communications that are necessary to provide healthcare services, administer accounts, fulfill legal obligations, maintain security, or otherwise operate the Platform.

11.3 Account Closure Requests

Users may request closure of their Platform account by contacting us.

Account closure may result in the deactivation of account access and Platform functionality.

However, account closure does not require deletion of information that we are legally permitted or required to retain, including healthcare records, billing records, compliance records, security records, audit logs, and other information maintained pursuant to legal, regulatory, contractual, operational, or healthcare obligations.

11.4 Requests Regarding Protected Health Information

Requests regarding protected health information ("PHI"), including requests for access, amendment, restrictions, confidential communications, accounting of disclosures, or other rights available under applicable healthcare privacy laws, are governed by our Notice of Privacy Practices.

Users should refer to our Notice of Privacy Practices for additional information regarding rights associated with protected health information.

11.5 Verification of Requests

To protect privacy and security, we may require verification of identity before responding to requests regarding personal information, account information, protected health information, or other records.

11.6 Limitations

Certain rights and requests may be limited by applicable law, healthcare regulations, professional obligations, patient safety considerations, record retention requirements, security requirements, litigation hold obligations, fraud prevention requirements, or other legitimate operational needs.

We reserve the right to decline requests where permitted by applicable law.

11.7 Minors

The Platform is intended for use by adults and by parents, legal guardians, or authorized caregivers acting on behalf of minors or individuals for whom they are legally authorized to act.

We do not knowingly permit minors to independently establish healthcare relationships, create accounts, or submit healthcare requests except through a parent, legal guardian, or other legally authorized representative, as permitted by applicable law.

If we become aware that information has been submitted in a manner inconsistent with this policy, we may take appropriate steps to address the situation.

SECTION 12
CALIFORNIA PRIVACY RIGHTS
12.1 California Residents

California residents may have certain privacy rights under applicable California privacy laws, including the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), subject to applicable exemptions, limitations, and exceptions.

12.2 Healthcare Information Exemptions

Certain information collected, maintained, used, or disclosed by Compass may be exempt from the CCPA, CPRA, and similar consumer privacy laws because it is subject to federal and state healthcare privacy laws, including:

• The Health Insurance Portability and Accountability Act ("HIPAA");
• The Confidentiality of Medical Information Act ("CMIA"); and
• Other applicable healthcare privacy and medical record laws.

Protected health information and medical information are generally governed by our Notice of Privacy Practices and applicable healthcare privacy laws rather than this Privacy Policy.

12.3 California Privacy Requests

To the extent applicable under California law, California residents may have the right to request:

• Access to certain personal information;
• Correction of certain personal information;
• Information regarding categories of personal information collected, used, disclosed, or shared;
• Information regarding categories of third parties with whom information has been disclosed; and
• Other rights provided under applicable California law.

These rights are subject to applicable exemptions, exceptions, verification requirements, and legal limitations.

12.4 Verification of Requests

Before responding to privacy requests, we may take reasonable steps to verify the identity and authority of the requesting individual.

We may deny requests where permitted by applicable law, including where verification cannot reasonably be completed.

12.5 Non-Discrimination

We will not unlawfully discriminate against individuals for exercising privacy rights available under applicable law.

12.6 Sale or Sharing of Information

We do not sell protected health information.

Certain uses of cookies, analytics technologies, advertising technologies, or similar technologies may be considered "sharing" under applicable privacy laws.

Any such activities will be conducted in accordance with applicable law and this Privacy Policy.

12.7 Authorized Agents

Where permitted by applicable law, authorized agents may submit privacy requests on behalf of California residents. We may require verification of the agent's authority and the identity of the individual on whose behalf the request is made.

12.8 Additional Information

Because healthcare privacy laws, consumer privacy laws, and related regulations continue to evolve, the availability and scope of privacy rights may change over time.

Nothing in this Privacy Policy is intended to limit any rights provided under applicable law.

SECTION 13
CONTACT INFORMATION

If you have questions regarding this Privacy Policy, our privacy practices, our Notice of Privacy Practices, or information submitted through the Platform, please contact us:

Compass Dermatopathology PC
SkyMD® Privacy Office
Website: https://www.skymd.com
Email: support@skymd.com
Mailing Address:
6605 Nancy Ridge Drive
San Diego, CA 92121
Telephone: 858-750-2983

Privacy requests, account-related requests, and questions regarding protected health information may also be submitted through the contact methods identified above.

Please note that, for privacy and security purposes, we may require verification of identity before responding to certain requests.

SECTION 14
CHANGES TO THIS PRIVACY POLICY

We may update, revise, modify, or replace this Privacy Policy from time to time to reflect changes in our services, business operations, legal requirements, technology, privacy practices, security practices, or other operational needs.

When we make material changes to this Privacy Policy, we will update the "Last Updated" date appearing at the beginning of this Privacy Policy and may provide additional notice where required by applicable law.

The most current version of this Privacy Policy will be posted on the Platform and will supersede all prior versions.

Your continued access to or use of the Platform following the posting of an updated Privacy Policy constitutes acknowledgment of the revised Privacy Policy, to the extent permitted by applicable law.

We encourage users to periodically review this Privacy Policy to remain informed about our privacy practices.