
Privacy Policy
Effective Date: April 22, 2026
Last Updated: April 22, 2026
262, Inc., a Delaware corporation doing business as "Fidaris" ("Fidaris," "we," "us," or "our"), operates a fiduciary intelligence platform that helps employer plan sponsors, their advisors, and other authorized parties oversee and evaluate employer-sponsored health benefit plans. Our services include the fidaris.ai website (the "Website") and the Fidaris software platform made available under a customer agreement (the "Platform," and together with the Website, the "Services").
This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with the Services. Because Fidaris handles information that may include Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act and their implementing regulations (collectively, "HIPAA"), this Privacy Policy also explains how we operate as a Business Associate under HIPAA.
When Fidaris receives, creates, maintains, or transmits PHI on behalf of a Covered Entity customer (such as an employer group health plan or a third-party administrator), that PHI is governed primarily by the Business Associate Agreement ("BAA") between Fidaris and the Covered Entity, by HIPAA, and by the underlying Covered Entity's Notice of Privacy Practices. To the extent of any conflict between this Privacy Policy and the applicable BAA with respect to PHI, the BAA controls.
1. Scope of This Policy
This Privacy Policy applies to:
Visitors to the Website at fidaris.ai and any related marketing properties we operate;
Authorized users of the Platform, including employer administrators, benefits consultants, brokers, fiduciaries, and their designated representatives (each, a "Platform User");
Individuals who communicate with us by email, by web form, or at events; and
PHI that Fidaris receives, creates, maintains, or transmits as a Business Associate on behalf of a Covered Entity customer, subject to the limitations described in this Policy and in the applicable BAA.
This Privacy Policy does not apply to the practices of our customers or of any third party that we do not own or control, even if that third party is linked from the Services.
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you provide when you interact with the Services, including:
Account and contact information: name, business email, employer, job title, business phone number, and other information you provide when requesting a demo, creating an account, or communicating with us.
Authentication credentials: login identifiers, password hashes, and multi-factor authentication data.
Customer content: files, records, plan documents, and other content you or your organization upload to or generate within the Platform for the purpose of receiving the Services.
Correspondence: the content of your messages to us, including support tickets, feedback, and survey responses.
2.2 Information We Collect Automatically
When you use the Services, we and our service providers may automatically collect:
Device and log data: IP address, browser type and version, operating system, device identifiers, referring and exit pages, pages viewed, time spent, and timestamps.
Usage data: Platform features used, actions taken, and performance telemetry used to operate, troubleshoot, and secure the Services.
Cookies and similar technologies: as further described in Section 5 below.
2.3 Protected Health Information (PHI)
Fidaris does not solicit PHI from the public through the Website. PHI is received only through the Platform or other secure channels established with a Covered Entity customer, and only pursuant to a written BAA. Depending on the Covered Entity's instructions and the specific services engaged, PHI we receive may include:
Demographic identifiers (such as name, date of birth, address, and member or employee identifier);
Enrollment and eligibility information;
Claims data, procedure and diagnosis codes, and provider information;
Benefits design, utilization, and cost data tied to identifiable individuals; and
Other information designated as PHI under HIPAA that is provided to us by or on behalf of a Covered Entity.
Individuals whose PHI is processed by Fidaris should direct privacy questions or rights requests to the Covered Entity that collected the information (typically the individual's health plan or plan sponsor). See Section 7 for further detail on our Business Associate obligations.
2.4 Information From Third Parties
We may receive information about you from third parties, such as single sign-on providers you choose to use, business contact databases, event registration partners, and your organization's authorized representatives. We handle this information in accordance with this Privacy Policy.
3. How We Use Information
We use information (other than PHI, which is addressed separately below) for the following purposes:
To provide and operate the Services, including authenticating users, enabling Platform functionality, fulfilling requests, and processing customer agreements.
To improve and develop the Services, including debugging, analytics on de-identified or aggregated usage, product research, and training internal tools.
To communicate, including sending administrative messages, service announcements, customer support responses, and, where permitted by law, marketing communications you may opt out of at any time.
To secure the Services, including monitoring for, investigating, and responding to security events, fraud, and abuse.
To comply with legal obligations, including responding to lawful requests from government authorities and enforcing our agreements.
3.1 Uses of PHI
Our use of PHI is strictly limited to the uses and disclosures permitted or required by (a) the BAA between Fidaris and the Covered Entity, (b) HIPAA, and (c) any specific written instructions from the Covered Entity. In particular:
Minimum necessary. We access and use only the minimum PHI necessary to perform the contracted services.
No secondary commercial use. We do not sell PHI and do not use PHI for marketing, advertising, or any purpose unrelated to the services we provide to the Covered Entity, except as expressly permitted under the BAA and HIPAA.
De-identification. We may de-identify PHI in accordance with 45 C.F.R. § 164.514(b) (the Safe Harbor or Expert Determination method). De-identified data is no longer PHI and may be used to operate, secure, and improve the Services as described above.
AI and automated processing. Where PHI is processed by AI or machine-learning systems, such processing occurs within environments covered by our BAAs with the relevant infrastructure providers. PHI is not used to train general-purpose third-party foundation models.
4. How We Share Information
4.1 Service Providers and Subprocessors
We share information with vendors who perform services on our behalf and who are contractually bound to appropriate confidentiality, security, and (where applicable) HIPAA Business Associate obligations. These include cloud infrastructure, hosting, monitoring, analytics, customer support, and professional services providers. Where these vendors process PHI, we enter into a BAA with them.
Amazon Web Services, Inc. (AWS) provides our cloud infrastructure, storage, and AI model inference (including Amazon Bedrock). A BAA is in place with AWS covering HIPAA-eligible services used in the Fidaris environment. When AI inference occurs through Amazon Bedrock, third-party foundation models (including Anthropic models) are invoked within the AWS BAA-covered environment; Fidaris does not transmit PHI to model providers outside of this environment.
A current list of subprocessors is available on request. Covered Entity customers may request advance notice of material subprocessor changes in accordance with their BAA.
4.2 Legal and Compliance Disclosures
We may disclose information when we believe in good faith that disclosure is necessary to: (i) comply with applicable law or valid legal process; (ii) protect the rights, property, or safety of Fidaris, our customers, or the public; (iii) enforce our agreements; or (iv) respond to a lawful request from public authorities. Where we receive a legal request that would require disclosure of PHI, we will comply with HIPAA and the applicable BAA, including notifying the Covered Entity where required and permitted.
4.3 Business Transfers
If Fidaris is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, information may be transferred as part of that transaction. PHI will be transferred only in a manner consistent with HIPAA and the applicable BAAs.
4.4 At Your Direction
We may share information with third parties when you or your organization direct us to do so, for example through integrations or data export features you enable.
4.5 No Sale of Personal Information or PHI
We do not sell personal information or PHI, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").
5. Cookies and Similar Technologies
The Website uses cookies, pixels, local storage, and similar technologies (collectively, "cookies") to operate, secure, and measure the Website. We use the following categories:
Strictly necessary: required for core Website functionality, authentication, and security.
Analytics: help us understand how the Website is used so that we can improve it.
Preferences: remember your choices, such as language or display settings.
Where required by applicable law, we obtain your consent before placing non-essential cookies. You can manage cookie preferences through your browser settings and, where available, through our cookie preference tool. We honor applicable opt-out preference signals (such as the Global Privacy Control) for website visitors in jurisdictions where these are legally recognized.
The Platform itself does not rely on advertising cookies and is not used for cross-context behavioral advertising.
6. Data Security
Fidaris implements administrative, physical, and technical safeguards designed to protect information we process, consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) and industry standards. These safeguards include:
Encryption in transit and at rest using current industry standards (TLS 1.2 or higher in transit; AES-256 or equivalent at rest);
Access controls including role-based access, least-privilege provisioning, and multi-factor authentication for personnel access to production systems;
Audit logging of access to PHI and other sensitive systems, retained in accordance with HIPAA requirements;
Secure software development practices including code review, automated security testing, and dependency vulnerability management;
Vendor risk management, including security reviews and BAAs with subprocessors that handle PHI;
Workforce training on HIPAA, privacy, and security obligations, completed upon hire and annually thereafter;
Continuous compliance monitoring across infrastructure, identity, endpoints, and applications; and
Incident response procedures, including documented runbooks, tabletop exercises, and defined breach notification timelines.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of an actual or reasonably suspected breach affecting PHI, we will notify the affected Covered Entity in accordance with HIPAA and the applicable BAA (no later than 60 days after discovery, and typically sooner). Notification to individuals is made by the Covered Entity in accordance with 45 C.F.R. § 164.404 unless otherwise agreed.
7. HIPAA: Our Role as a Business Associate
Fidaris operates as a Business Associate, as that term is defined at 45 C.F.R. § 160.103, with respect to Covered Entity customers (typically employer-sponsored group health plans and their administrators). This Section 7 describes how we handle PHI in that capacity. The terms in this Section are intended to be consistent with, and supplemental to, the BAA executed with each Covered Entity; the BAA controls in the event of any conflict.
7.1 Permitted Uses and Disclosures of PHI
We use and disclose PHI only as permitted or required by the BAA or by law. Specifically, we may use or disclose PHI to:
Perform the services described in the underlying customer agreement with the Covered Entity;
Carry out our own proper management and administration and to fulfill our legal responsibilities, in accordance with 45 C.F.R. § 164.504(e)(4);
Provide data aggregation services relating to the health care operations of the Covered Entity, where permitted under 45 C.F.R. § 164.504(e)(2)(i)(B); and
De-identify PHI in accordance with 45 C.F.R. § 164.514(b).
We do not use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity itself, except as specifically permitted above.
7.2 Minimum Necessary Standard
We apply the Minimum Necessary Standard under 45 C.F.R. § 164.502(b) to our uses, disclosures, and requests for PHI. Our access controls, role design, and data pipelines are configured to limit exposure of PHI to the minimum required to perform the contracted services.
7.3 Subcontractors
We require that any subcontractor that creates, receives, maintains, or transmits PHI on our behalf agree in writing to the same restrictions and conditions that apply to us with respect to that PHI, as required by 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b).
7.4 Individual Rights
HIPAA provides individuals with certain rights regarding their PHI, including the right to access, amend, or receive an accounting of disclosures of their PHI. These rights are administered by the Covered Entity, not by Fidaris directly. If you are an individual whose PHI we process on behalf of a Covered Entity and you wish to exercise these rights, please contact the Covered Entity (typically your health plan or plan sponsor). We will support Covered Entities in responding to such requests as required under HIPAA and the applicable BAA.
7.5 Breach Notification
In the event of a Breach of Unsecured PHI, as those terms are defined under 45 C.F.R. § 164.402, we will notify the affected Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery, and will provide the information required under 45 C.F.R. § 164.410 to enable the Covered Entity to meet its notification obligations.
7.6 Return or Destruction of PHI
Upon termination of a BAA or the underlying customer agreement, we will return or destroy all PHI we maintain on behalf of the Covered Entity in the form and manner required by the BAA. Where return or destruction is not feasible, we will extend the protections of the BAA to the retained PHI and limit further use and disclosure to the purposes that make return or destruction infeasible.
8. Data Retention
We retain information for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements, unless a longer or shorter retention period is required by applicable law or a customer agreement.
Website and marketing data: typically retained for the duration of your interest in the Services and for a reasonable period thereafter.
Platform account data: retained for the duration of the customer agreement and for a reasonable period thereafter for legal, audit, and backup purposes.
PHI: retained in accordance with the applicable BAA and the Covered Entity's instructions, and returned or destroyed as described in Section 7.6.
Audit logs and security records: retained for the period required by applicable law or standards (generally at least six years for HIPAA-related records).
9. Your Privacy Rights
9.1 HIPAA Exemption
PHI is regulated by HIPAA and, where HIPAA applies, is generally exempt from state consumer privacy laws, including the CCPA/CPRA and similar laws in other states. Requests relating to PHI should be directed to the Covered Entity as described in Section 7.4.
9.2 U.S. State Privacy Rights (Non-California)
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and certain other U.S. states may have similar rights under their respective state privacy laws, including rights to access, correct, delete, obtain a portable copy of, and opt out of certain processing of their personal information. PHI regulated by HIPAA is generally exempt from these laws. To exercise applicable rights, contact us at the address in Section 13. Residents of states that provide an appeal right may appeal a denied request by replying to our response with a written request for appeal; we will respond to appeals within the period required by applicable law.
California residents should refer to the "California Residents: Your Privacy Rights" section at the end of this Policy.
9.3 Non-Discrimination
We will not deny goods or services, charge different prices, or provide a different level of service because you exercised your privacy rights, except as permitted by law.
10. Children's Privacy
The Services are intended for business use and are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected such information, we will delete it. To the extent PHI of minors is processed through the Platform on behalf of a Covered Entity, that processing is governed by HIPAA and the applicable BAA.
11. International Users
Fidaris is based in the United States and the Services are operated from the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States, where privacy laws may differ from those in your country of residence. We do not currently market the Services to individuals outside the United States.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Policy on the Website with a new "Last Updated" date and, where required by law or the applicable customer agreement, by additional means such as email. Your continued use of the Services after the updated Policy becomes effective constitutes your acceptance of the updated Policy, to the extent permitted by applicable law.
13. Contact Us
If you have questions about this Privacy Policy or our privacy practices, or if you wish to exercise a privacy right, please contact us:
262, Inc. (d/b/a Fidaris)
Attn: Privacy
Email: security@fidaris.ai
Mailing address: 1111B S Governors Ave STE 40927, Dover, DE 19904
California Residents: Your Privacy Rights
This section provides additional information for California residents as required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"). This section applies only to personal information that is not exempt under the CCPA/CPRA. Protected Health Information regulated by HIPAA is exempt from the CCPA/CPRA; rights with respect to PHI are addressed in Section 7 and through the applicable Covered Entity.
Categories of Personal Information Collected
In the preceding 12 months, Fidaris may have collected the following categories of personal information about California residents, as defined by Cal. Civ. Code § 1798.140:
Identifiers (e.g., name, business email, business phone, IP address, online identifiers);
Customer records information (e.g., account and contact details provided during account creation or business communications);
Commercial information (e.g., records of Services used, engagement history);
Internet or other electronic network activity information (e.g., browsing history on the Website, interactions with the Platform);
Geolocation data (approximate, derived from IP address);
Professional or employment-related information (e.g., employer, job title, role);
Inferences drawn from the above to support product operation and improvement; and
Sensitive personal information, only where specifically provided, such as account log-in credentials used for authentication.
We do not use sensitive personal information for any purpose other than those permitted without the right to limit under Cal. Civ. Code § 1798.121(d) and the related regulations (e.g., to perform the Services, ensure security and integrity, and comply with law).
Purposes of Collection and Use
We collect and use the categories of personal information above for the business and commercial purposes described in Section 3 of this Policy, including to provide and operate the Services, communicate with Platform Users and website visitors, secure the Services, and comply with legal obligations.
Sources of Personal Information
We collect personal information directly from you, automatically from your use of the Services, from your organization or its authorized representatives, and from third-party sources such as single sign-on providers and business contact databases.
Disclosure of Personal Information
We disclose personal information to the categories of recipients described in Section 4 of this Policy, including service providers and subprocessors (under written contracts meeting the CCPA/CPRA requirements for service providers), affiliates, legal and regulatory authorities, and parties to corporate transactions. We do not "sell" personal information and do not "share" personal information for cross-context behavioral advertising, as those terms are defined by the CCPA/CPRA.
Your Rights Under CCPA/CPRA
Subject to verification and the exceptions available under the CCPA/CPRA, California residents have the following rights:
Right to know what personal information we collect, use, disclose, and retain about you;
Right to access and receive a copy of your personal information in a portable format;
Right to correct inaccurate personal information;
Right to delete personal information, subject to certain exceptions;
Right to opt out of the sale or sharing of personal information (we do not sell or share);
Right to limit the use and disclosure of sensitive personal information; and
Right to non-discrimination for exercising any of the above rights.
How to Exercise Your Rights
To submit a request, email security@fidaris.ai with the subject line "California Privacy Request" and describe the right you wish to exercise. We will acknowledge receipt within 10 business days and respond within 45 calendar days (with one 45-day extension where reasonably necessary), as required by the CCPA/CPRA. Before we respond, we will verify your identity using reasonable methods. Authorized agents must submit written authorization and we may require the underlying individual to verify their identity directly with us.
If we deny your request in whole or in part, you may appeal by replying to our response with a written request for reconsideration. We will respond to appeals within the period required by applicable law.
Notice at Collection
At or before the point of collection, we provide this Policy as our notice at collection. The categories of personal information we collect, the purposes for which each category is used, and our retention practices are described in Sections 2, 3, and 8 of this Policy, respectively, and summarized above.
Shine the Light
California Civil Code § 1798.83 permits California residents to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.