California Personnel and Applicant Privacy Policy

Last Updated: June 17, 2025

Carlsmed, Inc. (“Carlsmed,” “we,” or “us”) endeavors to protect the privacy of personal information. The purpose of this California Personnel and Applicant Privacy Policy (the “Policy”) is to notify California residents (“you”) of the processing of information that can reasonably be linked with you and that we collect, use, and disclose in the context of your application process or working relationship with us (“Personal Information”).

This Policy pertains only to the Personal Information that we may have collected about a California resident in the course of such person acting as an employee, director, officer, or contractor of Carlsmed (our “personnel”) or as a Carlsmed job applicant.

If you are an employee, the Policy also applies to the beneficiaries of your employment benefits, such as the individuals who are on your health plan and the beneficiaries of your retirement accounts, as well as your emergency contacts. It is your responsibility to inform any such individuals about this Policy and ensure that you have the right to provide their Personal Information to us.

Collection and Disclosure of Personal Information

The following chart details which categories of Personal Information we collect and process, as well as which categories of Personal Information we disclose to third parties for our operational business, hiring, and personnel management purposes, including within the 12 months preceding the date this Policy was last updated.

| Categories of Personal Information | Disclosed to Which Categories of Third Parties for Operational Business Purposes |
| --- | --- |
| Identifiers, such as name, contact information, online identifiers, IP address, and Social Security numbers and other government-issued ID numbers | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement; business partners |
| Personal information as defined in the California customer records law, such as name, contact information, signature, Social Security number, driver’s license number, passport number, insurance policy number; medical, insurance, financial, education and employment information; bank account number, credit card number for company card, physical characteristics or description | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement; business partners |
| Protected Class Information, such as characteristics of protected classifications under California or federal law, such as sex, age, gender, race, disability, citizenship, military/veteran status, gender identity and expression, primary language, immigration status, marital status, and requests for leave | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement |
| Commercial Information, such as transaction information and purchase history, such as travel expenses, including information about corporate credit card purchases, frequent flyer rewards, and other travel-related programs and expenses | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement; business partners |
| Biometric Information, such as faceprints, fingerprints and/or iris or retina scans | Service providers that provide services such as payroll, benefits, training, consulting, expense management, medical/health, IT, and other services |
| Internet or network activity information, such as access and usage information regarding websites, applications and systems, information about online communications, including browsing and search history, timestamp information, and access and activity logs | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement |
| Geolocation Data, such as device location and approximate location derived from IP address | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement |
| Audio/Video Data. Audio, electronic, visual and similar information, such as images and audio, video or call recordings created in connection with our business activities | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement; business partners |
| Education Information subject to the federal Family Educational Rights and Privacy Act, such as student records | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement; business partners |
| Employment Information. Professional or employment-related information, such as work history and prior employer, information relating to references, CV, details of qualifications, skills and experience, membership in professional organizations, personnel files, personal qualifications and training, eligibility for promotions and other career-related information, work preferences, business expenses, wage and payroll information, benefit information, information on leaves of absence or PTO, performance reviews, information on internal investigations or disciplinary actions, and other human resources data and data necessary for benefits and related administration services | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement; business partners |
| Sensitive Personal Information. Personal Information that reveals an individual’s Social Security, driver’s license, state identification card, or passport number; account log-in, financial account, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, citizenship, immigration status, or union membership; the contents of mail, email, and text messages unless Carlsmed is the intended recipient of the communication; the processing of biometric information for the purpose of uniquely identifying an individual; and Personal Information collected and analyzed concerning an individual’s health | Service providers that provide services such as recruiting, talent acquisition, background checks, payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; public and governmental authorities, such as regulatory authorities and law enforcement |

We may also disclose the above categories of Personal Information to a third party in the context of any reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

We do not “sell” or “share” your Personal Information, including your Sensitive Personal Information, as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. We have not engaged in such activities in the 12 months preceding the date this Policy was last updated. Without limiting the foregoing, we do not “sell” or “share” the Personal Information, including the Sensitive Personal Information, of minors under 16 years of age.

Sources of Personal Information

We collect this Personal Information from you and from your colleagues and managers, references you provide, recruiting firms, prior employers or schools, clients, background check providers, providers of benefits, social media networks, publicly available databases, and cooperative databases.

Purposes for the Collection and Use of Personal Information

We may collect or use Personal Information for the purposes of operating, managing, and maintaining our business, managing our recruitment process, workforce management and other personnel-related purposes, and accomplishing our business purposes and objectives, including, for example, using Personal Information to:

  • Plan and manage workforce activities and personnel generally, including for recruitment, onboarding, appropriate staffing, performance management, training and career development, payments and benefit administration, training, leaves and promotions;
  • Receive and process job applications and manage the applicant selection process;
  • Conduct reference and background checks, consistent with applicable law;
  • Contact you about future work opportunities;
  • Conduct workforce assessments, including determining physical or mental fitness for work and evaluating work performance;
  • Process payroll, manage wages and other awards such as stock options, stock grants and bonuses, reimburse expenses and provide healthcare, pensions, savings plans and other benefits;
  • Operate, maintain, monitor and secure our facilities, equipment, systems, networks, applications and infrastructure;
  • Manage attendance, time keeping, leaves of absence and vacation;
  • Facilitate communication and workforce travel;
  • Undertake quality and safety assurance measures, protect the health and safety of our workforce and others, and conduct risk and security control and monitoring;
  • Conduct research, analytics, and data analysis, such as to assist in succession planning and to ensure business continuity, as well as to design retention programs and diversity initiatives;
  • Perform identity verification, accounting, budgeting, audit, and other internal functions, such as internal investigations, disciplinary matters and handling grievances and terminations;
  • Operate and manage IT and communications systems and facilities, allocate company assets and human resources, and undertake strategic planning and project management; and
  • Comply with law, legal process, requests from governmental or regulatory authorities, internal policies and other requirements such as income tax deductions, record-keeping, work permit and immigration regulations and reporting obligations, and the exercise or defense of legal claims.

Purposes for the Collection, Use, and Disclosure of Sensitive Personal Information

We may collect, use, and disclose Sensitive Personal Information for purposes of: performing services on behalf of our business; performing services and providing goods as requested by you; ensuring the quality or safety of services we control or improving those services; ensuring the security and integrity of our infrastructure and the individuals we interact with; establishing and maintaining your employment relationship with us; managing payroll and corporate credit card use; administering and providing benefits; short-term transient use; securing the access to, and use of, our facilities, equipment, systems, networks, applications, and infrastructure; preventing, detecting, and investigating security incidents; resisting and responding to fraud or illegal activities; and other collection and processing that is not for the purpose of inferring characteristics about an individual. We do not use or disclose Sensitive Personal Information for additional purposes.

Retention Period

We retain Personal Information including, without limitation, Sensitive Personal Information for as long as needed or permitted in light of the purpose(s) for which it was collected. The criteria used to determine our retention periods include:

  • The duration of your employment or your contract with us;
  • The duration of the job application process, whether your job application is approved, and whether you want to be notified of future job opportunities;
  • The length of time we have an ongoing relationship with you or your dependents/beneficiaries and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise;
  • Whether there is a legal obligation to which we are subject, for example, certain laws may require us to keep your records for a certain period of time; and
  • Whether retention is advisable in light of our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.

Individual Requests

You may, subject to applicable law, make the following requests:

  1. You may request that we disclose to you the following information:
    1. The categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information;
    2. The business or commercial purpose for collecting Personal Information about you; and
    3. The categories of Personal Information about you that we otherwise disclosed, and the categories of third parties to whom we disclosed such Personal Information (if applicable).
  2. You may request to correct inaccuracies in your Personal Information.
  3. You may request to have your Personal Information deleted.
  4. You may request to receive the specific pieces of your Personal Information, including a copy of your Personal Information in a portable format.

We will not unlawfully retaliate against you for making an individual request. To make a request, please contact us at info@carlsmed.com or (888)-289-0604. We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the Personal Information subject to the request. We may need to request additional Personal Information from you, such as your employee ID, in order to verify your identity and protect against fraudulent requests. If you make a request to delete, we may ask you to confirm your request before we delete your Personal Information.

Authorized Agents

If an agent would like to make a request on your behalf as permitted by applicable law, the agent may use the submission methods noted in the section entitled “Individual Requests.” As part of our verification process, we may request that the agent provide, as applicable, proof concerning their status as an authorized agent. In addition, we may require that you verify your identity as described in the section entitled “Individual Requests” or confirm that you provided the agent permission to submit the request.

Changes to this Policy

We may change or update this Policy from time to time. When we do, we will communicate changes and updates to this Policy by posting the updated Policy on this page with a new “Last Updated” date.

Contact Us

Please contact us at info@carlsmed.com if you have any questions regarding this Policy.

POL-015