Effective as of January 30, 2026.

This notice supplements the Prolacta Privacy Notice and applies to personal data defined as “consumer health data” subject to the Washington State My Health My Data Act (MHMDA), the Nevada Health Data Privacy Act (NHDPA), or other applicable state consumer health privacy law.

The Categories of Consumer Health Data We Collect

We collect the following categories of consumer health data:

• Individual health conditions, treatment, diseases, or diagnosis;
• Social, psychological, behavioral, and medical interventions;
• Health-related surgeries or procedures;
• Use or purchase of prescribed medication;
• Bodily functions, vital signs, symptoms, or measurements of identifiable health status information;
• Diagnoses or diagnostic testing, treatment, or medication;
• Reproductive or sexual health information;
• Genetic data;
• Biometric data;
• Data that identifies a consumer seeking health care services; and
• Other information that may be processed to derive or infer data related to the above or other categories of consumer health data derived or extrapolated from non-health information.

We process any deidentified consumer health data only in a deidentified fashion and will not attempt to reidentify such data.

Why We Collect and How We Use Consumer Health Data

We collect and use consumer health data for the following purposes:

• Perform the services and provide the goods requested by consumers;
• Match donated milk to the qualified donor profile and ensure traceability and safety throughout the process;
• Communicate with consumers as necessary to provide the aforementioned goods or services;
• Ensure security and the protection of consumers' rights;
• Prevent, detect, and respond to security incidents;
• Perform auditing, reporting, and other similar internal operations;
• Comply with applicable legal and regulatory obligations;
• Assist with general business and operational support, including through service providers who perform services on our behalf; and
• Verify or maintain the quality or safety of our products and services, and to improve, upgrade, or enhance our products and services

Our Sharing of Consumer Health Data

We may share your consumer health data described above as reasonably necessary to provide our products and services requested by you, including with our:

• Business partners and affiliates, specifically:
  • Gulf Coast Blood: third-party blood testing
  • ExamOne, A Quest Diagnostics Company: phlebotomist who draws the blood and transfers the specimen to Gulf Coast Blood
  • DocuSign: for electronically executing documents
  • GoTo Technologies USA, LLC: virtually faxing documents to physicians and receiving correspondence
  • RapidFAX: virtually faxing documents to physicians and receiving correspondence
  • Salesforce: Cooler Requests, Communication
  • Microsoft Forms: Freezer temperature recording
  • FormAssembly: Medical Questionnaire for Donors
  • Formstack: Cooler & Milk Storage Bag Request
  • SendGrid: sending emails at scale
• Donor's physicians;
• Donor’s baby’s healthcare provider;
• Donor’s acupuncturists, if applicable;
• Donor’s surrogate agencies, if applicable;
• Donor’s adoption agency or attorney, if applicable;
• Donor’s baby’s intended parents, if applicable; and
• Advisors, auditors, consultants, and representatives.

How to Exercise Your Rights with Respect to Consumer Health Data

You may be entitled, in accordance with applicable law, to submit a request to know, access, or delete the consumer health data we have collected about you or withdraw your consent to our use of your consumer health data. Please visit our Online Web Form here to exercise these rights. You may appeal any decision we have made about your request by following the instructions provided in the correspondence we send to you communicating our decision.