Privacy Policy

Last Updated: 12/22/2025

1

Introduction

SOUND HSA, Inc. ("SOUND HSA", "we", "our", or "us") and its affiliates (collectively, SOUND) respect your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and protect the information you provide when you interact with any of our services, including:

  • the SOUND General Services (website, Move to Earn health data driven bitcoin rewards, mobile app, self-custodial lightning wallet, wait‑list sign‑up, support interactions).
  • the SOUND HSA Platform (website app, mobile app, and related services that enable the Health Savings Account ("HSA") product.

By accessing or using any of these services you acknowledge that you have read, understood, and agree to the practices described below. If you do not agree, you must not use the Services.

Note: Information that is subject to higher‑security handling (e.g., Social Security Numbers, bank‑account details, medical receipts, and other health‑sensitive data) is collected only from users who open an HSA account. All other users (e.g., those using only the public Nostr features or the website) provide a minimal set of data as described in Section 2.

This policy is written in English. In the event of a conflict between an English version and a translated version, the English version controls.

2

Information We Collect

We collect only the data necessary to provide, improve, and secure our Services, and to meet legal and regulatory obligations. The categories below are divided between (A) General‑User Data (collected from anyone who accesses the non‑HSA portions of our Services) and (B) HSA‑Customer Data (collected only from users who open an HSA).

Category (A) General‑User Data (B) HSA‑Customer Data
Nostr Account Creation (Public) Username (required); Optional display name or profile fields (publicly visible on the Nostr relays) Same
Wait‑list / Newsletter Email Email address (when you sign‑up for the HSA wait‑list and newsletter); Indicator of current HSA eligibility (used only to notify you) Same, along with email address associated with HSA account
Bitcoin Lightning Address Optional Lightning address (used only for optional step‑reward payouts) Not applicable
Support Communications Email address, chat logs, or social‑media messages you send to us Same, plus any HSA‑related identifiers needed to verify your request
Device & Technical Info IP address, device type, OS, browser, cookies, log files, usage analytics (pages viewed, timestamps, etc.) Same, plus any device identifiers needed for MFA or security monitoring. By providing your mobile phone number, you consent to receive authentication codes via SMS for account security.
Health‑Related Data (Optional) "SOUND Health Data" – step counts, wellness goals you elect to share; "Third‑Party Health Data" – data you voluntarily sync from Apple Health, Google Fit, or other fitness services (read‑only) Same, plus any medical receipts or health‑plan documentation you upload to substantiate HSA reimbursements
Identity & Financial Data Not collected Full legal name, date of birth, Social Security Number (SSN) or other government ID (KYC/AML); Email, mailing address, phone number; Bank account and routing numbers (for funding); Transaction history, contribution/distribution records; Health‑plan eligibility verification (per IRS Publication 969)
Custodian & Partner Data Not collected Account balances, transaction updates from Horizon Trust (cash custodian) and Digital Trust (Bitcoin custodian)
Other Voluntary Data Any additional information you choose to provide in communications or surveys Same, plus any additional documentation required for compliance (e.g., tax forms)

How we collect it:

  • Directly from you – via forms, app settings, or uploads.
  • Automatically – via cookies, device logs, and usage analytics.
  • From third parties – fitness‑app APIs (with your permission), custodians, identity‑verification providers (e.g., Plaid, Onfido).
3

How We Use Your Information

3.1 General‑User Purposes

  • Service operation – enable account creation on the public Nostr protocol, self-custodial bitcoin lightning wallet username, provide support, and send wait‑list and newsletter updates.
  • Rewards – calculate and deliver bitcoin "sats" rewards for step‑based challenges (only if you opt‑in).
  • Security & analytics – detect fraud, improve performance, and understand aggregate usage trends.
  • Communications – respond to support requests and send service‑related announcements.

3.2 HSA‑Customer Purposes (higher‑security data)

  • Account creation & management – open, fund, and maintain your Health Savings Account; process contributions, distributions, and Bitcoin trades.
  • Regulatory compliance – satisfy Know‑Your‑Customer (KYC), Anti‑Money‑Laundering (AML), IRS tax reporting, and Bank Secrecy Act retention requirements.
  • Health‑expense reimbursements – verify medical receipts and other health‑plan documentation (treated as protected health information).
  • Rewards for health activity – verify step counts and calculate "Move‑to‑Earn" rewards.
  • Communications – send account statements, security alerts, and required regulatory notices.
4

Sharing Your Information

Applicable For Recipient What is shared Reason
HSA‑Customers Only HSA Custodians (Horizon Trust & Digital Trust) Identity & Financial Data (full KYC details, bank & Bitcoin account info) To open, fund, and maintain your HSA and Bitcoin custodial accounts.
HSA‑Customers Only Identity‑verification & fraud‑prevention providers Name, DOB, SSN, government ID, device data To confirm your identity and satisfy AML/KYC obligations.
All users Cloud‑hosting & support vendors Technical logs, support tickets, limited user profile data To host the platform, provide customer support, and maintain service availability.
HSA‑Customers Only Legal & regulatory authorities Any data required by subpoena, court order, or regulatory request; suspicious‑activity reports To comply with law enforcement, FINCEN, IRS, etc.
All users Public Nostr relays Your SOUND Step Data Only shared when you explicitly grant permission for us to share your step data to Nostr
All users Public Nostr relays Username, optional display name, any public profile fields you publish. By design, this information is publicly visible on the Nostr network.
We do NOT sell your personal information to advertisers, data brokers, or other third parties.
5

Health‑Data & Sensitive Information (HIPAA & Related)

  • Medical receipts & reimbursement documentation: Used only to substantiate HSA distribution requests. Not used for marketing or shared outside the custodial/compliance workflow. While the content is encrypted, certain connection metadata (like IP addresses and timestamps), is collected for security monitoring (as mentioned in Section 2).
  • Fitness/step‑count data: Used only for the optional "Move‑to‑Earn" rewards program. We never sell or license this data to insurers, advertisers, or other entities.
  • Encryption of health data: All health‑related data (both "SOUND Health Data" and "Third‑Party Health Data") is encrypted end‑to‑end before it leaves your device and is stored on our Nostr Secure Web‑Socket Relay. Only you (via your private key) can decrypt it. Your private key (nsec) is never known to us.
6

Data Security

We use administrative, technical, and physical security measures to help protect your Personal Information.

  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access Control: Strict role-based access limits which employees can view sensitive user data.
  • Multi-Factor Authentication (MFA): We support and require MFA for account access. By providing your mobile phone number, you consent to receive authentication codes via SMS for account security.
7

Data Retention

  • General‑User Data: Retained for as long as your account remains active or as needed to provide the Services (typically 2 years after inactivity). SOUND can delete data from its own systems/relays, but has no control over data that persists on the decentralized Nostr network by third parties.
  • HSA‑Customer Data: Retained indefinitely for the life of the account plus minimum 7 years after account closure, as required by federal banking, tax, and anti‑money‑laundering statutes.
  • Technical logs: Kept for up to 90 days unless needed for security investigations, compliance, or legal holds.
8

Your Privacy Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate data.
  • Deletion: Request deletion of your data (subject to our legal retention obligations described in Section 7).

To exercise these rights, contact us at support@soundhsa.com.

We will respond to verifiable requests within 30 days.

9

Children's Privacy

  • The Services are not intended for individuals under 18.
  • We do not knowingly collect personal information from children.
  • If we become aware that we have inadvertently collected such data, we will delete it promptly.
10

International Data Transfer

All data is processed and stored on servers located in the United States. By using our Services you consent to the transfer of your information to the U.S., where privacy laws may differ from those in your home country. We rely on standard contractual clauses and our own privacy commitments to protect your data abroad.

11

California Residents (CCPA/CPRA)

  • Right to Know – request the categories of personal information we have collected, the sources, business purposes, and third parties with whom we share it.
  • Right to Delete – request deletion of your personal information, subject to statutory exemptions (e.g., financial record retention).
  • Right to Opt‑Out of Sale – we do not sell personal information; you will be notified if that changes.
  • Non‑Discrimination – we will not treat you differently for exercising any CCPA right.

Requests can be sent to support@soundhsa.com. We will verify your identity before fulfilling any request.

12

Do‑Not‑Track (DNT)

We do not track users across third‑party sites for advertising purposes and therefore do not respond to DNT signals. Third‑party services embedded in the Platform (e.g., analytics providers) may honor DNT at their discretion.

13

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes we will:

  1. Post the revised policy on our website and update the "Last Updated" date.
  2. Provide a notice within the App or via email (for HSA customers).

Your continued use of the Services after the changes become effective constitutes your acceptance of the revised terms.

14

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at:

Email: support@soundhsa.com

Mailing Address: 1110 Halcyon Ave, Nashville, TN 37204

Thank you for trusting SOUND HSA with your privacy.