Notice of Privacy Practices
Effective date: March 2026
1. About Flore Inc. and HIPAA
Flore Inc. ("Flore," "we," "us," or "our") operates Good Guys Probiotics (goodguysprobiotics.com). We create personalized probiotic formulations based on your microbiome data and health information.
This Notice of Privacy Practices explains how we collect, use, and disclose your protected health information (PHI), your rights with respect to that information, and our legal obligations.
2. How We Receive Protected Health Information
We may receive your PHI through the following channels:
- Directly from you: When you complete our health and wellness questionnaire, upload lab reports, provide microbiome test results, or communicate health information through our Site or to our support team.
- From covered entity healthcare providers: When your physician, lab, or other healthcare provider transmits your health data, microbiome analysis, or lab results to us under a Business Associate Agreement (BAA) for the purpose of formulating your personalized probiotics.
- From testing laboratories: When we receive microbiome sequencing or analysis results from laboratories performing tests on samples you have submitted.
3. Permitted Uses and Disclosures of PHI
As a Business Associate, we may use and disclose your PHI only as permitted or required by HIPAA and our Business Associate Agreements. Specifically, we may use or disclose your PHI for the following purposes:
3.1 To Provide Services
We use your PHI to formulate your personalized probiotic blends, fulfill your orders, and provide related services. This includes analyzing your microbiome data, health symptoms, and lab results to develop a formulation tailored to your individual needs.
3.2 As Directed by the Covered Entity
When we receive PHI from a covered entity under a BAA, we use and disclose that information as permitted by the BAA and as directed by the covered entity, consistent with HIPAA requirements.
3.3 For Our Internal Management and Administration
We may use your PHI for our internal management, administration, and legal compliance purposes, including quality assurance, auditing, and regulatory compliance.
3.4 As Required by Law
We may disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, or administrative request.
3.5 For Public Health and Safety
We may disclose PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, or as required for public health activities.
3.6 De-Identified Data
We may use or disclose de-identified health information (information that does not identify you and cannot reasonably be used to identify you) for any purpose, including research and product improvement. De-identification is performed in accordance with HIPAA's standards.
3.7 With Your Authorization
For uses and disclosures not described in this Notice, we will obtain your written authorization before using or disclosing your PHI. You may revoke any authorization at any time in writing, except to the extent we have already acted in reliance on it.
4. Your Rights Regarding Your PHI
Under HIPAA, you have the following rights with respect to your PHI that we maintain:
4.1 Right to Access
You have the right to inspect and obtain a copy of your PHI that we maintain in a designated record set. To request access, submit a written request to support@goodguysprobiotics.com. We will respond within 30 days. We may charge a reasonable, cost-based fee for copies.
4.2 Right to Request Amendment
You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. Submit your request in writing with a reason for the amendment. We may deny your request in certain circumstances (e.g., if the information was not created by us, or if we believe the information is accurate). If we deny your request, we will provide a written explanation.
4.3 Right to an Accounting of Disclosures
You have the right to receive an accounting of certain disclosures of your PHI that we have made during the six years prior to your request (or a shorter period if you specify). This accounting does not include disclosures made for services, internal management, or pursuant to your authorization, among other exceptions. Submit your request in writing.
4.4 Right to Request Restrictions
You have the right to request that we restrict certain uses and disclosures of your PHI. We are not required to agree to your request, but if we do agree, we will comply with the restriction except in certain emergency situations.
4.5 Right to Request Confidential Communications
You have the right to request that we communicate with you about your PHI by alternative means or at alternative locations. For example, you may request that we contact you only at a specific email address or phone number. We will accommodate reasonable requests.
4.6 Right to a Copy of This Notice
You have the right to obtain a paper or electronic copy of this Notice at any time by contacting us or visiting this page.
5. Breach Notification
In the event of a breach of your unsecured PHI, we will comply with all applicable breach notification requirements under HIPAA:
- Notification to covered entities: If we discover a breach of PHI that we maintain on behalf of a covered entity, we will notify the covered entity without unreasonable delay and no later than 60 days after discovery of the breach.
- Notification to individuals: Where required, we will notify affected individuals without unreasonable delay and no later than 60 days after discovery. Notification will be made by first-class mail or email (if you have agreed to electronic notice) and will include a description of the breach, the types of information involved, steps you should take to protect yourself, what we are doing in response, and contact information for further questions.
- Notification to HHS: We will report breaches to the U.S. Department of Health and Human Services (HHS) as required by law.
- Notification to media: If a breach affects more than 500 residents of a state or jurisdiction, we will notify prominent media outlets in that area as required by HIPAA.
6. Security Safeguards
We implement administrative, technical, and physical safeguards to protect your PHI in accordance with the HIPAA Security Rule, including:
- Encryption: PHI is encrypted both in transit (TLS 1.2+) and at rest (AES-256).
- Access controls: Role-based access controls ensure that only authorized personnel with a legitimate business need can access your PHI. Unique user IDs, automatic session timeouts, and multi-factor authentication are enforced.
- Audit logs: We maintain detailed audit trails of all access to and modifications of PHI, including who accessed the data, when, and what actions were performed.
- Workforce training: All employees and contractors who handle PHI receive regular HIPAA privacy and security training.
- Physical safeguards: Physical access to systems containing PHI is restricted to authorized personnel, with appropriate controls at our manufacturing facility in Joliet, IL and at data center locations.
- Risk assessments: We conduct regular risk assessments to identify vulnerabilities and implement appropriate mitigations.
- Incident response: We maintain an incident response plan for timely detection, investigation, and remediation of security incidents.
7. Business Associate Agreements
Flore Inc. enters into Business Associate Agreements with all covered entities that share PHI with us. These agreements define our permitted uses and disclosures of PHI, require us to implement appropriate safeguards, and establish our obligations in the event of a breach. We also require our subcontractors who handle PHI to enter into BAAs with us.
8. How to File a Complaint
If you believe your privacy rights have been violated, you have the right to file a complaint:
8.1 Complaint to Flore Inc.
Contact our Privacy Officer:
Flore Inc. — Privacy Officer
Email: support@goodguysprobiotics.com
Subject line: "HIPAA Privacy Complaint"
We will acknowledge your complaint within 5 business days and investigate promptly. We will not retaliate against you for filing a complaint.
8.2 Complaint to the U.S. Department of Health and Human Services
You may also file a complaint with the HHS Office for Civil Rights (OCR):
U.S. Department of Health and Human Services
Office for Civil Rights
Website: www.hhs.gov/ocr/complaints
Phone: 1-800-368-1019
TDD: 1-800-537-7697
9. Changes to This Notice
We reserve the right to change this Notice and to make the revised Notice effective for PHI we already have as well as PHI we receive in the future. We will post any revised Notice on this page. Material changes will also be communicated via email to affected individuals.
10. Contact Us
For questions about this Notice or our privacy practices:
Flore Inc. (dba Good Guys Probiotics)
Email: support@goodguysprobiotics.com
Website: goodguysprobiotics.com
Parent company: Flore Inc. (flore.com)