Privacy Policy

Last Updated: June 17, 2025

Carlsmed, Inc. (“Carlsmed,” “we,” or “us”) wants you to be familiar with how we collect, use and disclose information. This Privacy Policy describes our practices in connection with information that we collect through our websites, including at https://carlsmed.com/ and https://personalizedspine.com (the “Websites”). This Privacy Policy does not apply to patient information that we collect in connection with providing medical devices services to medical providers.

Personal Information

“Personal Information” is information that identifies you as an individual or relates to an identifiable individual. The Websites collect Personal Information, including:

  • Name
  • Telephone number
  • Zip code
  • Email address

Use of Personal Information

We and our service providers may use Personal Information for the following purposes:

  • Providing the functionality of the Websites
    • To respond to your inquiries and fulfill your requests, such as when you contact us via one of our online contact forms or otherwise, or request information about our products and services.
    • To send administrative information to you, such as changes to our terms, conditions, and policies.
  • Providing you with our newsletter and/or other marketing materials
    • To send you marketing related emails, with information about our services, new products and other news about our company.
    • To facilitate social sharing functionality that you choose to use.
  • Analyzing Personal Information for business reporting and providing personalized services
    • To analyze or predict our users’ preferences in order to prepare aggregated trend reports on how our digital content is used, so we can improve our Websites.
    • To better understand your interests and preferences, so that we can personalize our interactions with you and provide you with information and/or offers tailored to your interests.
  • Aggregating and/or anonymizing Personal Information
    • We may aggregate and/or anonymize Personal Information so that it will no longer be considered Personal Information. We do so to generate other data for our use, which we may use and disclose for any purpose, as it no longer identifies you or any other individual.
  • Accomplishing our business purposes
    • For our business purposes, such as data analysis, security, identity verification, audits, fraud monitoring and prevention, developing new products, improving or modifying our Websites and other services, identifying usage trends, determining the effectiveness of promotional campaigns, and operating and expanding business activities.

If you disclose any Personal Information relating to other people to us or to our service providers in connection with the Websites, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

Disclosure of Personal Information

  • To our third-party service providers for services such as website hosting, data analysis, IT infrastructure, customer service, email delivery, auditing, and other functions.
  • With your consent, with other parties you choose, such as your caregivers.

Other Uses and Disclosures

We may also use and disclose Personal Information as we believe to be necessary or appropriate: (a) to comply with applicable law, to respond to requests from public and government authorities, to cooperate with law enforcement, or for other legal reasons; (b) to enforce our terms and conditions; and (c) to protect our rights, privacy, safety or property, and/or that of you, or others. We may use, disclose or transfer your Personal Information to a third party in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our assets or stock (including in connection with any bankruptcy or similar proceedings).

Other Information

    • Your browser or device
      • Certain information is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, and Internet browser type and version. We use this information to ensure that the Websites function properly.
    • Cookies
      • Cookies are pieces of information stored directly on the computer that you are using. Cookies allow us to collect information such as browser type, time spent on the Websites, pages visited, language preferences, and other traffic data. We and our service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize your experience. We also gather statistical information about use of the Websites in order to continually improve their design and functionality, understand how they are used, and assist us with resolving questions regarding the Websites. We do not currently respond to browser do-not-track signals. If you do not want information collected through the use of cookies, most browsers allow you to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. You may also wish to refer to http://www.allaboutcookies.org/manage-cookies/index.html. If, however, you do not accept cookies, you may experience some inconvenience in your use of the Websites.
    • IP Address
      • Your IP Address is a number that is automatically assigned to your computer by your Internet Service Provider. An IP Address may be identified and logged automatically in our server log files whenever a user accesses the Websites, along with the time of the visit and the pages visited. We use IP Addresses for purposes such as calculating usage levels, diagnosing server problems, and administering the Websites. We may also derive your approximate location from your IP Address.

Uses and Disclosures of Other Information

We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. If we are required to treat Other Information as Personal Information under applicable law, we may use and disclose it for the purposes for which we use and disclose Personal Information as detailed in this Privacy Policy. In some instances, we may combine Other Information with Personal Information. If we do, we will treat the combined information as Personal Information as long as it is combined.

Security

We seek to use reasonable organizational, technical and administrative measures designed to protect Personal Information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contact Us” section below.

Choices and Access

If you no longer want to receive marketing-related emails from us on a going-forward basis, you may opt-out by using the “unsubscribe” mechanism contained in each such email. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages, from which you cannot opt out.

Third-Party Services

This Privacy Policy does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any website or service to which the Websites link. The inclusion of a link on the Websites does not imply endorsement of the linked site or service by us or by our affiliates.

Use of Websites by Minors

The Websites are not directed to individuals under the age of eighteen (18), and we do not knowingly collect Personal Information from individuals under 18.

Jurisdictional Issues

The Websites are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States.

Updates to This Privacy Policy

The “Last Updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes will become effective when we post the revised Privacy Policy on the Websites.

Contact Us

If you have any questions about this Privacy Policy, please contact us at patientprivacy@carlsmed.com.

California Supplement (CCPA)

This section supplements the information provided above in this Privacy Policy and is applicable to California residents as described in the California Consumer Privacy Act (CCPA). This California supplement covers all Personal Information we process about California residents (apart from employees, job applicants, and contractors), whether collected offline or online.

The following chart details which categories of Personal Information we collect and process, as well as which categories of Personal Information we disclose to third parties for our operational business purposes, including within the 12 months preceding the date this Privacy Policy was last updated.

Categories of Personal Information Disclosed to Which Categories of Third Parties for Operational Business Purposes
Identifiers, such as such as name, postal address, online/device identifier, IP address, email address and social media account handle.
  • Our third-party service providers, to facilitate services they provide to us, such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.
  • With your consent, we may disclose your Personal Information with other parties you choose, such as your caregivers.
Personal information as defined in the California customer records law, such as name, signature, contact information, and social media account handle.
  • Our third-party service providers, to facilitate services they provide to us, such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.
  • With your consent, we may disclose your Personal Information with other parties you choose, such as your caregivers.
Protected Class Information, such as characteristics of protected classifications under California or federal law, which we may collect to provide you with our client services, such as age.
  • Our third-party service providers, to facilitate services they provide to us, such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.
  • With your consent, we may disclose your Personal Information with other parties you choose, such as your caregivers.
Commercial Information, such as client services transaction history, financial details, and payment information.
  • Our third-party service providers, to facilitate services they provide to us, such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.
  • With your consent, we may disclose your Personal Information with other parties you choose, such as your caregivers.
Internet or network activity information, such as interactions with our Websites, systems, and emails.
  • Our third-party service providers, to facilitate services they provide to us, such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.
  • With your consent, we may disclose your Personal Information with other parties you choose, such as your caregivers.
Geolocation Data, such as country or city location.
  • Our third-party service providers, to facilitate services they provide to us, such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.
Audio/Video Data. Audio, electronic, visual and similar information, such as call recordings and audio and video recordings of events, conferences, and meetings.
  • Our third-party service providers, to facilitate services they provide to us, such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.
Employment Information. Professional or employment-related information, such as employer name and role/title.
  • Our third-party service providers, to facilitate services they provide to us, such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.
    With your consent, we may disclose your Personal Information with other parties you choose, such as your caregivers.

We do not “sell” Personal Information, including Sensitive Personal Information, and we do not “share” Personal Information, including Sensitive Personal Information, for purposes of cross-context behavioral advertising, as defined under the CCPA. We have not engaged in such activities in the 12 months preceding the date this Privacy Policy was last updated. Without limiting the foregoing, we do not “sell” or “share” Personal Information, including Sensitive Personal Information, of minors under 16 years of age.

Retention Periods

We retain each category of Personal Information, including Sensitive Personal Information, for as long as needed or permitted in light of the purpose(s) for which it was collected. The criteria used to determine our retention periods include:

  • The length of time we have an ongoing relationship with you and provide services to you, for example, for as long as you use our services, and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise;
  • Whether there is a legal obligation to which we are subject, for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them; and
  • Whether retention is advisable in light of our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.

Sources of Personal Information

We collect Personal Information from you and from our corporate affiliates, trusted third-party service providers, public social networks, and publicly available databases.

Collection, Use, and Disclosure of Sensitive Personal Information

We may collect, use or disclose Sensitive Personal Information for purposes of performing services for our business, providing goods or performing services as requested or reasonably expected by you, ensuring safety, security and integrity, countering wrong or unlawful actions, short term transient use, servicing accounts, providing customer service, verifying customer information, processing payments, activities relating to quality and safety control or product improvement, and other collection and processing that is not for the purpose of inferring characteristics about an individual. We do not use Sensitive Personal Information for additional purposes.

Individual Rights and Requests

You may request that we:

  1. Disclose to you the following information:
    1. The categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information;
    2. The business or commercial purpose for collecting Personal Information about you; and
    3. The categories of Personal Information about you that we disclosed, and the categories of third parties to whom we disclosed such Personal Information (if applicable).
  2. Correct inaccuracies in your Personal Information.
  3. Delete Personal Information we collected from you.
  4. Provide the specific pieces of your Personal Information, including a copy in a portable format.

To make a request, email patientprivacy@carlsmed.com or call (888) 289 0604.

Process. We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the Personal Information subject to the request. We may need to ask you for additional information that will help us do so, including government-issued IDs containing your name and address, utility bills containing that same information, and/or unique identifiers like usernames. We will only use that additional information in the verification process, and not for any other purpose. If you make a request to delete, we may ask you to confirm your request before we delete your Personal Information.

You have the right to be free from unlawful discrimination for exercising your rights under the CCPA.

If an agent would like to make a request on your behalf as permitted by applicable law, the agent may use the submission methods noted above. As part of our verification process, we may request that the agent provide, as applicable, proof concerning their status as an authorized agent. In addition, we may require that you verify your identity as described above or confirm that you provided the agent permission to submit the request.

De-Identified Information

Where we maintain or use de-identified information, we will continue to maintain and use that information only in a de-identified form and will not attempt to re-identify the information.

POL-014