Privacy Statement

At KneeEd.com ("we," "us," or "our"), we are committed to protecting the privacy of our users. This Privacy Statement explains how we collect, use, disclose, and safeguard your personal information when you visit our website and use our services, including our orthopedic product recommendation tools and educational content.

Please read this Privacy Statement carefully. By using this website, you consent to the data practices described herein. If you do not agree, please do not use this website.

KneeEd.com is owned by KneeEd LLC, registered in the State of Texas with principal offices in Austin, Texas. The current live production site is available at https://kneed-app.vercel.app/.

KneeEd is not a HIPAA "covered entity" or "business associate" under federal law. However, certain state laws, including Washington's My Health My Data Act (MHMDA, in effect since June 2024), Connecticut's Senate Bill 3, and Nevada's Senate Bill 370, extend privacy protections to "consumer health data" outside the HIPAA umbrella. Where you reside in a state with such a law, those rights apply to you in addition to anything else described here. Where you reside in another U.S. state, we extend the same rights to you as a matter of policy.

Consumer health data, in this context, includes information about your physical or mental health, conditions you self-report (e.g., a torn ACL, low back pain), bodily functions and measurements, healthcare-related actions you take through KneeEd, and inferences we generate from any of the above.

• We collect consumer health data from you only with your opt-in consent. The first time you provide it, you will be asked affirmatively to agree.
• We do not share your consumer health data with third parties except as you separately consent to or as required by law. "Sharing" includes any disclosure to third-party processors beyond what is necessary to deliver KneeEd to you.
• We do not sell your consumer health data. If we ever contemplate doing so in the future, we will request a separate, standalone authorization from you, and you may always decline.
• You have the right to access, delete, withdraw consent for, and (where applicable) correct your consumer health data. We respond to requests within 45 days, in line with MHMDA, and most often immediately. Use the in-app Privacy controls or email legal@kneeed.com.
• Within 2,000 feet of any in-person healthcare facility, we do not engage in geofencing to identify, track, advertise to, or collect data from consumers. This is a flat prohibition under MHMDA and we apply it everywhere.

Because KneeEd offers a personal health record-style service to consumers and is not a HIPAA-covered entity, we are subject to the FTC's Health Breach Notification Rule (16 CFR Part 318). In the event of a breach involving unsecured health information, we will notify affected consumers without unreasonable delay (and in any event within 60 days), notify the FTC where required, and notify prominent media outlets where the breach affects 500 or more individuals in a state.

If you have reason to believe your KneeEd record may have been improperly accessed, please contact legal@kneeed.com.

Direct individual accounts on KneeEd require users to be 18 or older. We recognize that younger athletes (ages 13–17) can also benefit from movement plans and recovery support, particularly in school and club sports settings. For these users, KneeEd offers Family Accounts: a parent, legal guardian, athletic trainer, or coach signs up as the account holder and adds the minor as an athlete profile. The adult account holder is responsible for all consents, receives all data subject rights notices, and may delete the minor's record at any time.

KneeEd does not knowingly create accounts for children under 13. If we learn that a child under 13 has provided us with personal information without verifiable parental consent, we will delete the information promptly. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at legal@kneeed.com.

KneeEd uses automated systems, including large language models (LLMs), to generate movement plans and adjustments based on the information you provide. We send the minimum information necessary for the system to function, and we maintain audit logs of when AI processes your data and which fields are used.

We use established API offerings from Anthropic, OpenAI, and Google. Their standard API terms prohibit using customer inputs to train general-purpose models. We are actively pursuing formal Business Associate Agreements with these providers; until those are executed, we enforce minimum-necessary discipline through technical means: PHI redaction at the vendor boundary, per-call audit logging, and structured prompts that exclude direct identifiers like name, exact birthdate, or email.

You can review the structure of our automated systems, the safety stages they pass through, and material changes to their operation on our public methodology page (KneeEd.com/methodology).

1.1 Information You Provide Directly

When you use our website, you may voluntarily provide:

• Contact information (e.g., name, email address, phone number, mailing address).
• Physical and body measurements (e.g., height, weight, shoe size, limb circumference).
• Self-reported orthopedic health information (e.g., body part affected, type of injury, activity level, symptoms described in general terms).
• Self-reported general exercise level profile (e.g., frequency of physical activities, types of physical activity).
• Self-reported demographics (e.g., age range, sex/gender, education level, academic activities including sports and academics).
• Account credentials if you create a user profile.
• Communications you send to us directly.

IMPORTANT: We ask that you do not submit sensitive medical records, physician notes, diagnoses, prescription information, or other protected health information through this website. Our service is designed for general product guidance only.

We may automatically collect certain technical information when you visit our website, including:

• IP address and approximate geographic location.
• Browser type, version, and operating system.
• Pages visited, time spent on pages, and clickstream data.
• Referring URLs and search terms used to find our website.
• Device identifiers and information.

We collect this information through cookies, web beacons, pixels, and similar tracking technologies. See Section 6 for more information about cookies.

We may receive information about you from third-party sources, such as analytics providers, advertising networks, or social media platforms, consistent with their own privacy policies.

We use the personal information we collect for the following purposes:

• To provide personalized orthopedic product recommendations based on the information you submit.
• To deliver general educational content relevant to your stated interests.
• To create and manage your user account.
• To communicate with you, including responding to inquiries and sending service-related messages.
• To improve, optimize, and develop our website and services.
• To detect, prevent, and address fraud, abuse, or security incidents.
• To comply with legal obligations.
• To send marketing communications where you have opted in (see Section 9 for opt-out options).

We do not use your personal information to provide medical diagnoses, treatment recommendations, or any other form of medical advice.

If you are located in the European Economic Area or the United Kingdom, our legal basis for collecting and using your personal information depends on the information and context:

• Performance of a contract: to fulfill our service to you.
• Legitimate interests: to improve our services and prevent fraud.
• Consent: where you have given clear consent (e.g., for marketing).
• Legal obligation: to comply with applicable laws.

We do not sell your personal information. We may share your information in the following limited circumstances:

• Service Providers: We share information with third-party vendors who assist us in operating our website and delivering services (e.g., cloud hosting, email delivery, analytics). These providers are contractually obligated to protect your data.
• Business Transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
• Legal Requirements: We may disclose information if required by law, court order, or governmental authority.
• Protection of Rights: We may disclose information to protect the rights, property, or safety of our company, our users, or the public.
• Business Sponsors: We may disclose anonymized or pseudonymized personal data for the purpose of market research for the purpose of improving our products and services offered.
• Product Partners: We may disclose anonymized personal data to Product partners or marketing affiliates.

We retain your personal information only as long as necessary to fulfill the purposes described in this Privacy Statement, unless a longer retention period is required or permitted by law. When information is no longer needed, we will securely delete or anonymize it.

We use cookies and similar tracking technologies to enhance your experience. Types of cookies we use include:

• Essential Cookies: Necessary for the website to function properly.
• Analytics Cookies: Help us understand how visitors interact with our website (e.g., PostHog, Google Analytics).
• Preference Cookies: Remember your settings and preferences.
• Marketing Cookies: Used to deliver relevant advertisements (where applicable and where consent has been provided).

Users may manage certain cookie preferences through their browser settings and, where available, through KneeEd's cookie preference controls. Essential cookies are required for the website to function. Analytics and advertising cookies may be limited, disabled, or subject to consent depending on the user's location and applicable law. KneeEd may update this section when a third-party consent management platform is implemented.

KneeEd may work with third-party advertising networks, including Google advertising products, to serve, measure, and improve advertisements. These partners may use cookies, pixels, web beacons, IP addresses, device identifiers, browser information, and similar technologies to provide ad delivery, measurement, fraud prevention, frequency capping, reporting, and related services.

KneeEd does not use self-reported injury information, symptoms, orthopedic profile information, body measurements, or health-related information to create personalized advertising segments.

9.1 Marketing Communications

You may opt out of receiving marketing emails at any time by clicking the "unsubscribe" link in any marketing email or by contacting us directly. Opting out of marketing will not affect service-related communications.

Depending on your location, you may have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your personal information (subject to legal retention requirements).
• Object to or restrict certain processing of your data.
• Receive a portable copy of your data.

To exercise these rights, please contact us using the information in Section 13. We will respond within the timeframe required by applicable law.

If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know, the right to delete, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your rights.

To exercise California privacy rights, including any right to opt out of sale or sharing where applicable, contact us at legal@kneeed.com.

We implement reasonable administrative, technical, and physical safeguards to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

In the event of a data breach that affects your rights and freedoms, we will notify you and applicable authorities as required by law.

This website is not directed to children under the age of 13 (or 16 in some jurisdictions), and we do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us immediately.

We may update this Privacy Statement from time to time. Any changes will be posted on this page with a revised effective date. We encourage you to review this statement periodically. Your continued use of the website after the posting of changes constitutes your acceptance of the updated Privacy Statement.

If you have any questions, concerns, or requests regarding this Privacy Statement or our data practices, please contact us at:

• KneeEd LLC
• Austin, Texas
• Website: KneeEd.com
• Current live site: https://kneed-app.vercel.app/
• Email: legal@kneeed.com
• Chief Legal Officer: Julie Allen
• CLO Email: juliechenallen@gmail.com