Squirrel Health, LLC

DopeLock APPLICATION

PRIVACY POLICY

Effective Date: April 12, 2026

1. Introduction

Squirrel Health, LLC, a Delaware limited liability company ("Company," "we," "us," or "our"), operates the DopeLock mobile application (the "App"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the App.

This Privacy Policy applies to all users of the App across all jurisdictions. Where specific laws grant additional rights to residents of certain jurisdictions (including, without limitation, the European Economic Area, the United Kingdom, and the State of California), those additional rights are described in Section 12 below.

PLEASE READ THIS PRIVACY POLICY CAREFULLY. By accessing or using the App, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the App.

2. Eligibility

The App is intended for use by individuals who are at least eighteen (18) years of age. We do not knowingly collect personal information from individuals under the age of eighteen (18). If we learn that we have collected personal information from a minor under 18, we will take steps to delete such information promptly. If you believe that we have inadvertently collected information from a minor, please contact us at legal@squirrelhealth.io.

3. Information We Collect

3.1 Information You Provide Directly

We collect information that you voluntarily provide when you register for the App, link financial accounts, or otherwise interact with the App, including:

  • Account registration information (name, email address, and authentication credentials)
  • Access tokens and account metadata returned by our third-party financial data aggregation service provider (Plaid, Inc.) when you link a financial account; we do not receive or store your bank login credentials (see Section 3.3)
  • Budget categories, spending limits, and app-locking preferences you configure within the App
  • Virtual card enrollment information provided in connection with Lithic card issuing services
  • Communications you send to us (support requests, feedback)

3.2 Information Collected Automatically

When you use the App, we automatically collect certain information, including:

  • Device information (device model, operating system version, unique device identifiers)
  • Usage data (App features accessed, interaction patterns, session duration)
  • Log data (IP address, access times, error logs)
  • Push notification tokens (for Firebase Cloud Messaging)

3.3 Financial Information Collected via Third-Party Services

Plaid, Inc.: When you connect a financial account through Plaid, we receive transaction data, account balances, and account metadata. We do not receive or store your bank login credentials. Plaid's use of your information is governed by Plaid's own privacy policy, available at https://plaid.com/legal.

Lithic, Inc.: When you use virtual card features powered by Lithic, Lithic processes card transaction data subject to Lithic's privacy policy. We receive transaction amounts, merchant information, and authorization status for the purpose of enforcing budget controls.

3.4 Screen Time and App Usage Data

The App utilizes Apple's Screen Time API (FamilyControls framework) to manage app restrictions on your device. This functionality operates locally on your device. The FamilyControls framework represents the apps and websites you choose to restrict as opaque tokens, so neither we nor Apple can identify the specific apps or websites you restrict or visit. We receive only the aggregate shield/lock status necessary to enforce your configured budget limits.

4. Use of Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the App and its core functionality (budget tracking, app locking, virtual card management)
  • To process and enforce budget-based app restrictions via the Screen Time API
  • To process virtual card transactions and enforce server-side budget controls
  • To synchronize financial transaction data from your linked bank accounts
  • To send push notifications related to budget alerts, transaction activity, and account security
  • To respond to your support requests and communications
  • To detect, prevent, and address fraud, unauthorized transactions, and security issues
  • To comply with applicable legal obligations, including financial regulatory requirements
  • To improve and optimize the App's functionality and user experience

5. Gramm-Leach-Bliley Act (GLBA) Notice

Pursuant to the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809) and Regulation P (12 CFR Part 1016), this section serves as your initial privacy notice.

5.1 Categories of Nonpublic Personal Information Collected

We collect the following categories of nonpublic personal information ("NPI"):

  • Information you provide on applications or forms (name, email, account preferences)
  • Information about your transactions with us or our affiliates (budget configurations, virtual card transactions, app-lock events)
  • Information about your transactions with nonaffiliated third parties (bank account transactions received via Plaid)

5.2 Categories of NPI Disclosed

We may disclose NPI to the following categories of nonaffiliated third parties, solely as necessary to provide the App's services:

  • Financial data aggregation providers (Plaid, Inc.) — to retrieve your bank transaction data
  • Payment processing providers (Lithic, Inc.) — to issue and manage virtual cards and process transactions
  • Cloud infrastructure providers (Google Cloud Platform) — to host and operate the App's backend services

5.3 Opt-Out Right

Under GLBA, you have the right to opt out of certain disclosures of your NPI to nonaffiliated third parties. However, because we share NPI only as necessary to process transactions and provide services you have requested (exceptions under 12 CFR §§ 1016.13–1016.15), the opt-out right does not currently apply. Should our practices change, we will provide you with an opt-out notice and a reasonable opportunity to opt out before sharing NPI for other purposes.

5.4 Safeguards

In accordance with the FTC Safeguards Rule (16 CFR Part 314), we maintain a comprehensive information security program that includes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of your NPI. These safeguards include encryption of data in transit and at rest, access controls, and regular security assessments.

6. Disclosure of Information

We may disclose your information in the following circumstances:

  • Service Providers: We share information with third-party service providers who perform services on our behalf, including Plaid (financial data aggregation), Lithic (payment processing and card issuance), Google Cloud Platform (cloud infrastructure, authentication, push notifications), and analytics providers. These service providers are contractually obligated to use your information solely for the purposes of providing services to us and are bound by confidentiality obligations.
  • Legal Requirements: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with applicable law, respond to a court order, judicial or other government subpoena, or warrant.
  • Protection of Rights: We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our Terms of Service, suspected fraud, situations involving potential threats to the safety of any person, or as evidence in litigation in which we are involved.
  • Business Transfers: If the Company is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the App's services. We may retain certain information after account closure for the following purposes:

  • To comply with legal and regulatory retention obligations (including financial record-keeping requirements under applicable law)
  • To resolve disputes and enforce our agreements
  • To maintain audit trails required for compliance with Lithic's card-issuing program
  • To detect and prevent fraud

Transaction records associated with virtual card activity are retained in accordance with applicable financial regulations and Lithic's data retention requirements. Upon account deletion, we will delete or anonymize your personal information within ninety (90) days, except where retention is required by law.

8. Data Security

We implement appropriate technical and organizational measures designed to protect the security of your personal information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Server-side enforcement of budget controls and card authorization logic on secured cloud infrastructure (Google Cloud Platform), so that limits cannot be bypassed by modifying the App on the device
  • Firebase Authentication for identity verification
  • Role-based access controls and principle of least privilege
  • Regular security assessments and monitoring
  • Secure key management via Google Cloud KMS

Notwithstanding the foregoing, no method of transmission over the Internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

9. Third-Party Services

The App integrates with the following third-party services, each of which is governed by its own privacy policy and terms of service:

  • Plaid, Inc. — Financial data aggregation (https://plaid.com/legal)
  • Lithic, Inc. — Virtual card issuance and payment processing (https://www.lithic.com/legal/privacy-policy)
  • Google Firebase — Authentication, cloud functions, push notifications, and database services (https://firebase.google.com/support/privacy)
  • Apple Screen Time / FamilyControls — Device-level app restriction enforcement (governed by Apple's privacy policy)

We encourage you to review the privacy policies of these third-party services. We are not responsible for the privacy practices of third-party services.

10. Push Notifications and Communications

We may send you push notifications related to budget alerts, transaction activity, virtual card status, and account security through Firebase Cloud Messaging (FCM). You may opt out of push notifications at any time through your device settings. Opting out of push notifications may affect the functionality of the App, including timely budget alerts.

11. Analytics and Tracking Technologies

The App may use analytics tools to collect information about usage patterns to improve the App's functionality. We do not use cookies in the mobile application. We do not engage in cross-app tracking or cross-context behavioral advertising.

12. Jurisdiction-Specific Rights

12.1 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100–1798.199.100):

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, our business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (including legal and regulatory retention requirements).
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising. As such, there is no need to exercise this right.
  • Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information (including financial account information), we use it solely to provide the services you have requested.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, please contact us at legal@squirrelhealth.io. We will verify your identity before processing your request. We will respond to verifiable consumer requests within forty-five (45) calendar days.

Financial Information Exemption: Certain financial information collected and processed by the App may be exempt from CCPA/CPRA pursuant to the Gramm-Leach-Bliley Act exemption (Cal. Civ. Code § 1798.145(e)). This exemption applies to NPI collected, processed, and disclosed in accordance with GLBA and its implementing regulations.

12.2 European Economic Area and United Kingdom Residents (GDPR / UK GDPR)

If you are located in the European Economic Area ("EEA") or the United Kingdom ("UK"), the following additional provisions apply:

Data Controller: Squirrel Health, LLC, a Delaware limited liability company, is the data controller for the purposes of the GDPR and UK GDPR.

Lawful Basis for Processing: We process your personal data on the following legal bases:

  • Performance of a contract (Article 6(1)(b) GDPR) — processing necessary to provide the App's services to you pursuant to our Terms of Service
  • Legitimate interests (Article 6(1)(f) GDPR) — fraud detection and prevention, security monitoring, and service improvement
  • Legal obligation (Article 6(1)(c) GDPR) — processing necessary to comply with financial regulatory requirements

Your Rights: Under the GDPR and UK GDPR, you have the right to:

  • Access your personal data and obtain a copy thereof
  • Rectify inaccurate personal data
  • Erase your personal data (subject to legal retention requirements)
  • Restrict processing of your personal data
  • Object to processing based on legitimate interests
  • Data portability (receive your data in a structured, machine-readable format)
  • Lodge a complaint with your local supervisory authority

International Data Transfers: Your personal data may be transferred to and processed in the United States and other countries outside the EEA/UK. Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (June 2021 version) or other valid transfer mechanisms to ensure adequate protection of your data.

12.3 Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws may have additional rights, including rights to access, correct, delete, and opt out of certain processing. To the extent financial data processed under GLBA is exempt under your state's privacy law, those exemptions apply. For all other data, please contact us to exercise your rights.

13. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected individuals and applicable regulatory authorities in accordance with applicable law, including the FTC Health Breach Notification Rule (if applicable), GDPR Article 33 (notification to supervisory authorities within 72 hours of becoming aware of the breach, where feasible) and Article 34 (notification to affected individuals where the breach is likely to result in a high risk to their rights), state breach notification laws, and the FTC Safeguards Rule (notification to the FTC no later than 30 days after discovery of a notification event affecting 500 or more consumers).

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy within the App and updating the "Effective Date" at the top of this document. For material changes that affect the processing of your financial information, we will provide at least thirty (30) days' prior notice. Your continued use of the App after the effective date of the revised Privacy Policy constitutes your acceptance of the revised Privacy Policy.

15. Contact Information

If you have any questions or concerns about this Privacy Policy, or wish to exercise any of your rights described herein, please contact us at:

Squirrel Health, LLC

Attn: Privacy Compliance

Email: legal@squirrelhealth.io

Web: https://squirrelhealth.io

For GDPR-related inquiries, you may also contact your local supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

16. Annual Privacy Notice (GLBA)

This Privacy Policy constitutes the annual privacy notice required under the Gramm-Leach-Bliley Act and Regulation P. If our information-sharing practices change materially, we will provide you with a revised privacy notice as required by law.

© 2026 Squirrel Health, LLC. All rights reserved.