
Consumer Health Data Privacy Policy

Effective Date: January 14, 2026

Spotbrands Group, Inc. d/b/a Cottonball (“Cottonball,” “we,” “us,” or “our”) respects your privacy. This Consumer Health Data Privacy Policy (“CHD Privacy Policy”) explains how we collect, use, disclose, and protect “consumer health data” as defined under applicable state laws, including the Washington My Health My Data Act and the Nevada Consumer Health Data Privacy Law.

This CHD Privacy Policy supplements Cottonball’s general Privacy Policy. If there is any conflict between this CHD Privacy Policy and our general Privacy Policy with respect to consumer health data, this CHD Privacy Policy controls.

1. What Is Consumer Health Data?

For purposes of this CHD Privacy Policy, “consumer health data” means personal information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with an individual and that relates to the individual’s past, present, or future physical or mental health status. This includes, but is not limited to:

  • Information identifying physical health conditions (such as acne or other dermatological concerns).

  • Information relating to skincare assessments, treatment goals, skincare routines, or ingredient sensitivities.

  • Images of your skin or face submitted for evaluation.

  • Information that a consumer seeks to receive healthcare services.

  • Information derived or inferred from the above (e.g., potential treatment needs).

  • Browsing activity on pages that relate to skincare treatments or health conditions.

Cottonball collects only the consumer health data necessary to provide you with personalized skincare assessments, treatment recommendations, and related services.

2. Categories of Consumer Health Data We Collect

Cottonball may collect the following categories of consumer health data from or about you:

  • A. Information You Provide Directly

    • Photos of your face (front and side) submitted for clinical evaluation.

    • Intake questionnaire responses describing your skin concerns, skincare history, treatment goals, and allergies or sensitivities.

    • Gender assigned at birth, as required for clinical formulation accuracy.

    • Information indicating that you are seeking assessment or treatment for a skin condition.

  • B. Information We Collect Automatically

    • Device and browsing information related to visits to health-related pages on our Website.

    • Information showing that you visited or interacted with content related to skincare treatments, conditions, or health-related educational materials.

  • C. Information We Receive From Our Medical Group Partners

    • Clinical notes, assessments, and related information created or used by the Medical Group or its Providers for diagnosis, treatment, or prescription purposes. (This information may be classified as Protected Health Information (“PHI”) under HIPAA and is governed by the Medical Group’s Notice of Privacy Practices.)

  • D. Inferences

    • Derived or inferred information used to tailor product recommendations or determine potential eligibility for treatment.

Cottonball does not collect biometric identifiers (such as face geometry or faceprints), nor do we use facial recognition technologies on your photos.

3. How We Use Consumer Health Data

Cottonball uses consumer health data only as permitted by applicable law and only for:

  • Providing the skincare intake assessment you request.

  • Facilitating evaluation and treatment by the Medical Group and Providers.

  • Determining eligibility for customized skincare formulations.

  • Customer support and communications related to your care.

  • Fulfilling your orders and managing your subscription.

  • Improving our products, services, and user experience.

  • Ensuring the security and integrity of our systems.

Cottonball does not use consumer health data for advertising or marketing unless you have separately provided affirmative express consent to such use.

Cottonball does not use consumer health data for profiling in furtherance of decisions that produce legal or similarly significant effects.

4. How We Disclose Consumer Health Data

Cottonball discloses consumer health data only to the following categories of third parties and only for the purposes described:

A. Medical Group and Providers

We disclose consumer health data to the Medical Group and its Providers when necessary for clinical evaluation, diagnosis, treatment, or prescription fulfillment.

B. Service Providers / Processors

We disclose consumer health data to service providers who assist with:

  • Hosting, storage, and secure data processing

  • Customer support

  • Shipping and fulfillment

  • Payment processing

  • Technical maintenance

  • Identity verification

  • Security and fraud prevention

We contractually require these entities to use consumer health data only to provide services to us, and to prohibit them from using or disclosing such data for their own purposes.

C. Third Parties With Your Consent

We disclose consumer health data to third parties only where you have provided affirmative express consent, such as when you opt in to receiving personalized marketing communications based on your health information.

D. Legal & Compliance Purposes

We may disclose consumer health data where required by law, regulation, subpoena, or other legal process, or where we believe in good faith such disclosure is necessary to:

  • Protect the security of the Service

  • Prevent harm or fraud

  • Comply with applicable legal obligations

  • Enforce our rights

E. Corporate Transactions

Consumer health data may be disclosed as part of a merger, acquisition, financing, bankruptcy, or sale of all or part of our business. Any successor entity will be subject to the restrictions described in this Policy.

Cottonball does not disclose consumer health data to third parties for their own independent marketing purposes.

5. Sale of Consumer Health Data

Cottonball does not sell consumer health data as defined under the Washington My Health My Data Act or Nevada’s Consumer Health Data Privacy Law.

If Cottonball ever sought to sell consumer health data in the future, we would first obtain a separate, signed, written “valid authorization” from you that meets all statutory requirements.

6. Your Privacy Rights Under State Consumer Health Data Laws

Depending on your state of residence, you may have the following rights regarding your consumer health data:

A. Right to Access

You may request confirmation of whether we collect consumer health data about you and request access to that data.

B. Right to Deletion

You may request that we delete consumer health data about you, subject to exceptions (e.g., data required for legal compliance or treatment).

C. Right to Withdraw Consent

Where we rely on your consent to process consumer health data, you may withdraw that consent at any time. Withdrawal does not affect prior lawful processing.

D. Right to Opt Out of Sharing or Certain Uses

You may opt out of:

  • Sharing of consumer health data

  • Use of consumer health data for marketing or advertising

(Note: We only engage in such uses with your explicit consent.)

E. Right to Appeal

If your request is denied, you may appeal that decision.

How to Exercise These Rights

Submit a request to: privacy@cottonball.com

We will verify your identity consistent with applicable law before fulfilling your request.

7. Data Security

Cottonball uses administrative, technical, and physical safeguards designed to protect consumer health data from unauthorized access, disclosure, alteration, or destruction. No security method is infallible, but we strive to implement industry-standard protections.

8. Data Retention

We retain consumer health data only as long as reasonably necessary to provide the services you request, operate our business, comply with legal obligations, enforce our rights, and maintain appropriate internal records. Where consumer health data is governed by HIPAA through our role as a business associate, we follow applicable federal and state medical-record retention laws.

9. International Use

The Service is intended for use only within the United States. We do not process consumer health data outside the United States.

10. Changes to This CHD Privacy Policy

We may update this CHD Privacy Policy from time to time. If we make material changes, we will provide notice as required by law. The “Effective Date” above indicates when this Policy was last updated.

11. Contact Us

If you have questions about this CHD Privacy Policy or our treatment of consumer health data, contact us at:

Spotbrands Group, Inc. d/b/a Cottonball
1266 E Main St, Suite 700R
Stamford, CT 06902

Email: privacy@cottonball.com

Phone: 888.706.5650
