MAIN LINE BENEFITS LLC
1. Scope and Applicability
This Privacy Notice applies to all visitors and users of our website and online platforms (‘Website’), as well as to individuals who request, obtain, or are enrolled in health insurance products or services through us. It covers personal information we collect in our capacity as a licensed health insurance broker.
This Notice does not apply to the privacy practices of the insurance carriers, providers, or third parties whose products we offer. Please review their separate privacy notices.
2. Categories of Personal Information We Collect
2.1 Information You Provide Directly
- Identifiers: Full name, date of birth, Social Security Number (SSN), government-issued ID number, address, email, and phone number.
- Health and Medical Information: Current health conditions, prescription medications, prior medical history, disability status, and information about household members seeking coverage.
- Financial Information: Income, tax filing status, household size (for subsidy determinations), payment information (credit/debit card, bank account details), and billing address.
- Insurance Application Data: Current and prior insurance coverage, policy numbers, claims history, and beneficiary designations.
- Communications: Records of calls, emails, chat logs, and correspondence with our brokers or staff.
2.2 Information Collected Automatically
- Device and Usage Data: IP address, browser type, operating system, pages visited, clickstream data, time stamps, and session duration.
- Cookies and Tracking Technologies: We use cookies, web beacons, and similar tools. See Section 7 for details and your opt-out options.
- Location Data: Approximate geolocation derived from your IP address or, with your consent, precise location.
2.3 Information from Third Parties
- Insurance Carriers: Enrollment confirmations, policy status, and claims information.
- Government Agencies: Marketplace eligibility data (e.g., Healthcare.gov / CMS) when applicable.
- Consumer Reporting Agencies: Credit-related data where permitted by law for premium or underwriting purposes.
- Data Brokers and Marketing Partners: Demographic and contact information to support outreach, with your prior consent where required.
3. How We Use Your Personal Information
3.1 Primary Business Purposes
- Brokerage Services: Quoting, enrolling, managing, and renewing health insurance policies on your behalf.
- Subsidy and Eligibility Verification: Determining eligibility for ACA premium tax credits, Medicaid, CHIP, or other assistance programs.
- Customer Service: Responding to inquiries, resolving complaints, and processing requests.
- Legal and Regulatory Compliance: Meeting obligations under HIPAA, ACA, state insurance regulations, and applicable consumer privacy laws.
- Fraud Prevention: Detecting and preventing fraudulent applications, identity theft, and unauthorized access.
3.2 Secondary and Ancillary Purposes
- Marketing and Communications: With your consent (where required), informing you of plan options, renewal reminders, and new products that may be of interest.
- Analytics and Improvement: Analyzing usage patterns to improve our Website, tools, and services (using aggregated or de-identified data where possible).
- Business Operations: Auditing, accounting, legal defense, and internal reporting.
4. Disclosure and Sharing of Personal Information
4.1 Permitted Disclosures
We disclose personal information only as described below:
- Insurance Carriers and Underwriters: To obtain quotes, process applications, confirm enrollment, and service policies.
- Government Agencies and Marketplaces: To verify eligibility, process subsidies, and comply with reporting mandates (e.g., CMS, state health exchanges).
- Service Providers (Processors): Third-party vendors who provide IT support, data hosting, payment processing, compliance services, or document management, under data protection agreements.
- Professional Advisors: Attorneys, auditors, and compliance consultants under appropriate confidentiality obligations.
- Legal Requirements: When required by law, regulation, court order, or to cooperate with government investigations.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, with appropriate notice to affected individuals.
4.2 What We Do Not Do
- We do not sell your personal information to data brokers, advertisers, or other third parties for independent commercial purposes, except as permitted with your consent.
- We do not share your health data for marketing by third parties without your explicit written authorization.
- We do not disclose personal information to employers without your consent, except as required by law.
5. HIPAA and Health Information Protections
To the extent we act as a Business Associate (as defined by HIPAA) to insurance carriers or other covered entities, we comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 164) and Security Rule.
Protected Health Information (PHI) that we receive in connection with insurance transactions will be used and disclosed only as permitted under HIPAA and applicable Business Associate Agreements. You have rights under HIPAA with respect to PHI held by covered entities; please contact the relevant carrier directly to exercise those rights.
Our Notice of Privacy Practices (NPP) for PHI is available separately upon request. In the event of any conflict between this Privacy Notice and our HIPAA obligations, our HIPAA obligations control.
6. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Notice, including:
- Active insurance policy records: Duration of the policy plus seven (7) years, or longer if required by state insurance regulations.
- Application data (declined or not enrolled): Three (3) years unless a longer period is required by applicable law.
- Financial and transaction records: Seven (7) years for tax and accounting purposes.
- Marketing communications preferences: Until you opt out or withdraw consent, plus a reasonable period to implement your request.
- Website usage logs: Twelve (12) months unless longer retention is required for security investigations.
We securely dispose of or de-identify personal information when it is no longer needed.
7. Cookies, Tracking Technologies, and Opt-Out
7.1 Types of Cookies We Use
- Strictly Necessary Cookies: Required for the Website to function (e.g., session management, security). Cannot be disabled.
- Functional Cookies: Remember your preferences to improve your experience.
- Analytics Cookies: Measure site traffic and usage patterns (e.g., Google Analytics). We use IP anonymization.
- Advertising / Targeting Cookies: May be used to serve relevant insurance advertisements. You may opt out as described below.
7.2 Managing Your Cookie Preferences
You can control cookies through your browser settings or by using our [Cookie Preference Center] available on our website footer. Note that disabling certain cookies may affect Website functionality.
8. Data Security
We implement administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, use, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit (TLS 1.2 or higher) and at rest for sensitive data fields.
- Role-based access controls limiting access to personal information to personnel with a business need.
- Multi-factor authentication for systems containing sensitive personal or health information.
- Regular security assessments, penetration testing, and vulnerability management.
- Employee training covering data privacy and security practices.
In the event of a security breach involving your personal information, we will notify you as required by applicable federal and state data breach notification laws, including state insurance department regulations.
9. State-Specific Privacy Rights
Residents of certain U.S. states have specific rights under their state privacy laws. The following table summarizes key state laws that may apply. Additional detailed disclosures follow for states with the most comprehensive requirements.
| State | Law / Regulation | Key Consumer Rights | Effective Date | Applies to Broker? |
|---|---|---|---|---|
| California | CCPA / CPRA | Know, delete, correct, opt-out of sale/sharing, limit sensitive data use | Jan 1, 2020 / Jan 1, 2023 | Yes |
| Virginia | VCDPA | Access, delete, correct, portability, opt-out of targeted advertising | Jan 1, 2023 | Yes |
| Colorado | CPA | Access, delete, correct, portability, opt-out of targeted advertising | Jul 1, 2023 | Yes |
| Connecticut | CTDPA | Access, delete, correct, portability, opt-out of profiling | Jul 1, 2023 | Yes |
| Utah | UCPA | Access, delete, portability, opt-out of sale / targeted advertising | Dec 31, 2023 | Yes |
| Montana | MCDPA | Access, delete, correct, portability, opt-out of targeted advertising | Oct 1, 2024 | Yes |
| Oregon | OCPA | Access, delete, correct, portability, opt-out of sale / profiling | Jul 1, 2024 | Yes |
| Texas | TDPSA | Access, delete, correct, portability, opt-out of sale / profiling | Jul 1, 2024 | Yes |
| Florida | FDBR | Access, delete, correct, portability (large platforms; threshold may apply) | Jul 1, 2024 | Conditional |
| New Hampshire | NHPA | Access, delete, correct, portability, opt-out of targeted advertising | Jan 1, 2025 | Yes |
| New Jersey | NJDPA | Access, delete, correct, portability, opt-out of targeted advertising | Jan 15, 2025 | Yes |
| Maryland | MODPA | Access, delete, correct, portability, opt-out of processing sensitive data | Oct 1, 2025 | Yes |
| Minnesota | MHIPA | Access, delete, correct, portability, opt-out of targeted advertising | Jul 31, 2025 | Yes |
| New York | NY SHIELD Act / Ins. Law § 2612 | Data security protections; domestic violence non-discrimination; DFS oversight | Mar 21, 2020 (SHIELD) | Yes |
9.1 California Residents — CCPA / CPRA
Under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, CCPA/CPRA), California residents have the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of that information, our business purposes for collecting or selling it, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected about you, subject to certain exceptions (e.g., HIPAA, legal obligations, fraud prevention).
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale/Sharing: Direct us not to sell or share your personal information with third parties for cross-context behavioral advertising. We do not sell personal information of California residents as of the Effective Date of this Notice. To opt-out of sharing for targeted advertising, click [“Do Not Share My Personal Information”] on our website footer.
- Right to Limit Use of Sensitive Personal Information: Direct us to limit the use of sensitive personal information (including health data, SSN, financial account numbers, and precise geolocation) to purposes reasonably necessary and proportionate to providing our services.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
- Right to Access by Authorized Agent: You may designate an authorized agent to submit requests on your behalf.
Sensitive Personal Information We Collect (California)
We collect the following categories of sensitive personal information: SSN / government ID numbers; health and medical information; financial account information; and precise geolocation (with consent). This information is used solely to provide our brokerage services and comply with legal obligations.
9.2 Virginia, Colorado, Connecticut, and Similar State Frameworks
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and states with substantially similar laws have the following rights:
- Right of Access: Confirm whether we process your personal data and obtain a copy.
- Right to Delete: Request deletion of personal data you have provided or that we have collected about you.
- Right to Correct: Request correction of inaccurate personal data.
- Right to Portability: Receive a portable copy of your personal data in a machine-readable format.
- Right to Opt-Out of Targeted Advertising: Direct us not to process your personal data for targeted advertising.
- Right to Opt-Out of Sale: Direct us not to sell your personal data to third parties.
- Right to Opt-Out of Profiling: Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.
- Right to Appeal: If we decline to act on your request, you have the right to appeal our decision within a reasonable time. If your appeal is denied, you may contact your state Attorney General.
9.3 Texas Residents — TDPSA
Texas residents have rights under the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, including rights to access, delete, correct, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. Texas residents may submit requests using the contact methods in Section 10.
9.4 New Jersey Residents — NJDPA
Residents of New Jersey have rights under the New Jersey Data Privacy Act, effective January 15, 2025, including rights to access, delete, correct, and obtain portability of personal data. New Jersey residents may opt out of the sale of personal data, targeted advertising, and certain automated profiling. Requests may be submitted as described in Section 10.
9.5 Nevada Residents
Nevada residents have the right to opt out of the sale of certain covered personal information under Nevada Revised Statutes Chapter 603A. If you are a Nevada resident, you may submit an opt-out request as described in Section 10.
9.6 New York Residents
Regulatory Oversight. Main Line Benefits LLC is licensed as an insurance broker in the State of New York. In New York, the New York State Department of Financial Services (DFS) is the state agency responsible for supervising and regulating insurance companies, health maintenance organizations, insurance brokers and agents, and other financial services entities operating in New York. New York residents who have questions or complaints regarding our insurance practices may contact the DFS at:
New York State Department of Financial Services | One Commerce Plaza, Albany, NY 12257 | (800) 342-3736 | www.dfs.ny.gov
New York SHIELD Act. We comply with the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which requires us to implement and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of private information belonging to New York residents. In the event of a data breach affecting New York residents, we will provide notice as required by New York General Business Law § 899-aa.
NOTICE TO NEW YORK RESIDENTS — DOMESTIC VIOLENCE PROTECTIONS (New York Insurance Law § 2612)
Pursuant to New York Insurance Law § 2612, no insurer, insurance broker, or insurance agent may, on the basis that an applicant or insured is or has been a victim of domestic violence:
- Deny, cancel, or refuse to renew an insurance policy or certificate;
- Restrict or exclude coverage under any insurance policy or certificate;
- Charge a higher rate or premium for any insurance policy or certificate; or
- Consider the status of being or having been a victim of domestic violence in any underwriting decision.
We are committed to complying with these protections. We do not use domestic violence victim status as a factor in any insurance recommendation, application, or placement decision. If you believe you have been discriminated against in connection with insurance coverage on the basis of your status as a victim of domestic violence, you may file a complaint with the New York State Department of Financial Services at (800) 342-3736 or at www.dfs.ny.gov.
9.7 Residents of Other States
Additional states continue to enact comprehensive privacy legislation. We are committed to honoring applicable rights as laws become effective. If you reside in a state not specifically listed above and believe you have rights under your state’s privacy law, please contact us through the communication options listed in Section 10. We will review and respond consistent with the applicable requirements.
10. How to Exercise Your Privacy Rights
10.1 Submission Methods
To submit a verifiable consumer request or exercise any right described in this Notice:
- Online Request: https://mlbenefitsco.com/contact/
- Email: compliance@mlbenefitsco.com
- Toll-Free Phone: 1-833-709-2591 (available Monday–Friday, 9:00 AM – 5:00 PM [Time Zone])
- Mail: Attn: Compliance, Main Line Benefits LLC, 462 E. King Rd., Malvern, PA 19355.
10.2 Verification Process
We are required to verify your identity before fulfilling access, deletion, correction, or portability requests. We will match information you provide against records we maintain. For sensitive requests, we may require additional verification steps. We will not require you to create an account solely to submit a privacy request.
10.3 Response Timelines
- Standard response: Within 45 days of receiving a verifiable request.
- Extended response (if necessary): Up to an additional 45 days (90 days total), with prior notice to you explaining the reason for the extension.
- Confirmation: We will confirm receipt of your request within ten (10) business days.
10.4 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We will require proof of the agent’s authorization (written permission or power of attorney) and may verify your identity directly. California and certain other states impose specific requirements for authorized agents.
11. Children’s Privacy
Our Website and services are not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent as required by the Children’s Online Privacy Protection Act (COPPA). If you believe we have inadvertently collected information from a child under 13, please contact us immediately at the address in Section 10 and we will promptly delete that information.
For family health insurance plans, we collect information about dependents, including minors, solely as necessary to process insurance applications. This information is handled with the same security and confidentiality as all other sensitive data.
12. Third-Party Websites and Links
Our Website may contain links to third-party websites, including insurance carrier portals, Healthcare.gov, state health exchanges, and social media sites. These third-party sites have their own privacy policies that govern their data practices. We are not responsible for the privacy practices or content of third-party sites. We encourage you to review the privacy notices of any third-party sites you visit.
13. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, applicable laws, or regulatory guidance. When we make material changes, we will:
- Post the updated Notice on our Website with a revised “Last Updated” date;
- Provide prominent notice on our homepage for at least 30 days following a material change; and
- For existing customers, send email notification to the address on file where we are required to do so by applicable law.
Your continued use of our Website or services after the effective date of changes constitutes your acknowledgment of the updated Notice.
14. Contact Information and Data Protection Officer
For questions, concerns, or requests related to this Privacy Notice, please contact our Privacy Officer:
Privacy Officer / Data Protection Contact
Main Line Benefits LLC
Attn: Privacy Officer
462 E. King Rd.
Malvern, PA 19355
Direct Contact Channels
- Email: compliance@mlbenefitsco.com
- Toll-Free: 1-833-709-2591
- Privacy Portal: https://mlbenefitsco.com/contact/
15. Regulatory Information and Complaints
We are licensed as an insurance broker in the states where we operate. Our insurance licensing information, including license numbers by state, is available upon request. If you believe we have violated your privacy rights, you may also file a complaint with:
- Your state Insurance Commissioner
- Your state Attorney General (for state consumer privacy law violations)
- The U.S. Department of Health and Human Services Office for Civil Rights (for HIPAA violations): www.hhs.gov/ocr/privacy
- The Federal Trade Commission (FTC): www.ftc.gov
We are committed to resolving complaints and will not retaliate against you for filing a complaint.
Appendix A: Glossary of Key Terms
The following definitions apply throughout this Privacy Notice:
“Personal Information” or “Personal Data”: Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular individual. This includes names, SSNs, financial data, health information, and digital identifiers.
“Sensitive Personal Information”: A subset of personal information accorded heightened protection, including health and medical data, SSN, financial account numbers, precise geolocation, racial or ethnic origin, and information about minors.
“Protected Health Information (PHI)”: Another subset of personal information that receives additional protection. It includes individually identifiable health information held or transmitted by a HIPAA-covered entity or business associate, as defined in 45 CFR § 160.103.
“Sale” of Personal Information: Disclosing personal information to a third party in exchange for monetary or other valuable consideration, as defined under applicable state law. Transfers to service providers acting on our behalf do not constitute a sale.
“Sharing” (California): Disclosure of personal information to a third party for cross-context behavioral advertising, whether or not for monetary consideration.
“Targeted Advertising”: Displaying advertisements to a consumer based on personal data obtained from the consumer’s activities across non-affiliated websites, applications, or online services.
“Business Associate”: An entity that creates, receives, maintains, or transmits PHI on behalf of a HIPAA covered entity, as defined under HIPAA.