Privacy Policy

Last updated: December 3, 2025

At Thatch Health, Inc. ("Thatch"), your privacy is important to us. Our Privacy Policy describes the information we collect, how we collect the information, the reasons we collect information, and how we share or use the information we collect. This Privacy Policy also describes the choices you have with the information we collect, including how you can manage, update, or request to delete information. 

Please take a moment to review this Privacy Policy. You may scroll through this Privacy Policy or use the headings below. It is important that you understand this Privacy Policy. By using our Platform, you are agreeing to the terms of this Privacy Policy. If you have any questions or concerns about this Privacy Policy, you may contact us at any time using the contact information provided in Section XVI of this Privacy Policy.

Table of Contents

I. Who is Thatch?

II. Key Terms & Definitions and Our Privacy Policy

III. When does our Privacy Policy apply?

IV. Personal Information

V. How do we collect your Personal Information?

VI. How do we use your Personal Information?

VII. How do we share your Personal Information?

VIII. AI Features

IX. Your choices about how we share your Personal Information.

X. California Privacy Rights and Disclosures

XI. Who may use the Services?

XII. Children’s Privacy

XIII. Does Thatch respond to Do Not Track signals?

XIV. Data Security

XV. Changes to our Privacy Policy

XVI. Contact Us

I. Who is Thatch? 

Thatch is an all-in-one platform that makes it easy for employers to offer the most personalized healthcare experience to their employees using an Individual Coverage Health Reimbursement Arrangement ("ICHRA") to obtain the health coverage and qualified medical products or services that best meet their needs. We do this by administering ICHRAs on behalf of employers, helping their employees shop for and enroll in individual coverage, and operating the Thatch Marketplace where Members can spend any remaining ICHRA allowance on Qualified Medical Expenses.

Thatch is not a medical group, healthcare provider, or telemedicine service. We do not deliver medical diagnosis or treatment. Instead, we work with health plans, insurance carriers, brokers, employers, and other HIPAA‑regulated entities to facilitate coverage enrollment and enable the purchase of eligible health‑related goods and services. When you interact with these third parties, they are responsible for providing you with a HIPAA Notice of Privacy Practices describing their collection and use of your protected health information. Thatch receives and processes certain protected health‑related information only as necessary to provide our Services and in accordance with our agreements with those other HIPAA‑regulated entities, as described in this Privacy Policy.

II. Key Terms & Definitions and Our Privacy Policy

The following terms used in this Privacy Policy have the definitions set forth below. 

| Key Term | Definition |
| --- | --- |
| "Personal Information" | Any information relating to an identified or identifiable individual and any information listed in Section IV. |
| "Platform" | Our Website(s). |
| "Privacy Policy" | This privacy policy. |
| "Products" | Any products available for purchase on our Platform. |
| "Services" | Any services provided through our Platform. |
| "Terms of Use" | Our Platform Terms, located here. |
| "Website(s)" | Our websites and subdomains, including: www.thatch.com, app.thatch.com |
| "Thatch," "we," "us," or "our" | Thatch Health, Inc. |

Any capitalized terms used but not defined in this Privacy Policy will have the definitions provided in the Platform Terms or the User Agreements.

III. When does our Privacy Policy apply? 

This Privacy Policy describes the types of information we may collect, including from:

  • Your visits to or use of our Platform, including our Website;

  • Your employer or your employer’s authorized representative when they engage Thatch to administer an ICHRA or related services for employees;

  • Communications with you electronically (e.g., via email, live chat or text message); and 

  • Communications with you in person or on the telephone. 

When does our Privacy Policy not apply?

This Privacy Policy does not apply to information collected by any other website operated either by us or by a third party, unless the website is listed above or links to this Privacy Policy. It also does not apply to any website that we may provide a link to or that is accessible from our Platform. 

Our Privacy Policy and Terms of Use

This Privacy Policy is incorporated into our Terms of Use, which also apply when you use our Platform. 

IV. Personal Information

What is Personal Information?

Personal information is information from and about you that may be able to personally identify you. We treat any information that may identify you as personal information. For example, your name and email address are personal information. 

What types of Personal Information do we collect? 

We may collect and use the types of personal information (hereinafter, collectively referred to as "Personal Information") listed below. 

Categories of Personal Information | Specific Types of Personal Information Collected

Personal Identifiers or Information that identifies, relates to, describes, or is capable of being associated with a particular individual

A real name, postal address, email address, Social Security number, account name, IP address, unique personal identifier, telephone number, employment information, bank account number, insurance policy number, and health insurance information.

Characteristics of protected classifications under federal law

Age, national origin, citizenship, place of birth, marital status, medical condition, veteran or military status, or any similar information you choose to provide when using our Platform.

Professional or Employment-Related Information

Job title, salary, other compensation details, licenses or certification, and dependents or beneficiaries.

Commercial Information

Products or services purchased, obtained, or considered (e.g., marketplace purchases and plan selections).

Geolocation Data

We collect IP-based information about your physical location or movements. This IP-based information can only identify your physical location or movements to a geographic region, such as town, city, state, and country, but cannot be used to identify your precise physical location or movements.

Inferences Drawn From Other Personal Information

Profile reflecting a person’s preferences.

Internet or other electronic network activity information

IP address, device model, device ID, operating system version, device language, operating system, browser type, mobile network information, and advertising ID.

HIPAA Protected Health Information

In providing our Services we may receive or process certain Protected Health Information ("PHI") about you that is protected by federal law (HIPAA). Examples of PHI we may encounter include information about your health plan coverage, data used to determine your eligibility for benefits, and records of health-related goods or services purchased using your ICHRA allowance.

We receive such PHI in our capacity as a HIPAA Business Associate to health plans, brokers, carriers, and/or other HIPAA Covered Entities or Business Associates. The applicable Covered Entity (such as your health plan) is responsible for providing you with a HIPAA Notice of Privacy Practices describing its collection, use, and disclosure of your PHI.

We will only use and disclose PHI as permitted by HIPAA, other applicable law, and the applicable HIPAA Notice of Privacy Practices. We may combine PHI we receive with other Personal Information that we have obtained from you or received from third parties such as your employer, health insurer, employee benefits program administrator, broker, or other healthcare-related entities where permitted by law. 

V. How do we collect your Personal Information?

We collect most of this Personal Information directly from you, including when you visit our Platform and fill out forms or use our Services. We may also collect Personal Information in the following ways:

  • From employers. If your employer or the employer’s authorized representative engages Thatch to administer an ICHRA or related services, they may provide Personal Information about you and your dependents so we can determine eligibility, administer allowances, and facilitate plan enrollment. This may include: names, dates of birth, postal addresses, email addresses, telephone numbers, dependent counts and relationship to employee, employment information such as job title, salary, and other compensation details, health insurance policy numbers, plan selection details, and premium amounts, and Social Security numbers, where required for eligibility or enrollment. Any PHI received from these parties is handled in accordance with our Business Associate Agreements with Covered Entities or Business Associates.

  • When you make payments through the Platform. When you make a purchase or payment through the Platform, or connect a bank account, our authorized third‑party payment and financial services partners collect and process relevant information. We do not retain any payment card details or full account numbers, but may receive transaction identifiers and confirmation details. Rather, all such information is provided directly by you to our third-party providers, which include: 

  • When You Contact Us. When you contact Thatch directly, such as when you contact our Customer Support team or use our Chat widget, we will receive the contents of your message or any attachments you may send to us, as well as any additional information you choose to provide. Such information may include details relevant to your inquiry or service request and, depending on the context, could incorporate Personal Information. 

We will also collect information automatically as you navigate through our Platform. We use the following technologies to automatically collect data:

  • Cookies. We and our service providers may use cookies, web beacons, and other technologies to receive and store certain types of information whenever you interact with our Platform or Services through your computer or mobile device. A "cookie" is a small file or piece of data sent from a website and stored on the hard drive of your computer or mobile device. Some of the cookies we use are "session" cookies, meaning that they are automatically deleted from your hard drive after you close your browser at the end of your session. Session cookies are used to optimize performance of the Website and to limit the amount of redundant data that is downloaded during a single session. We also may use "persistent" cookies, which remain on your computer or device unless deleted by you (or by your browser settings). We may use persistent cookies for various purposes, such as statistical analysis of performance to ensure the ongoing quality of our Platform and/or the Services. We and third parties may use session and persistent cookies for analytics and advertising purposes, as described herein. On your computer, you may refuse to accept browser cookies by activating the appropriate setting on your browser, and you may have similar capabilities on your mobile device in the preferences for your operating system or browser. However, if you select this setting you may be unable to access or use certain parts of our Platform or the Services. Unless you have adjusted your browser or operating system setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Platform.

  • Facebook Pixel and Instagram. We use Facebook Pixel and Instagram, a web analytics and advertising service provided by Facebook Inc. ("Facebook") on our Platform. With its help, we and our customers can keep track of what users do after they see or click on a Facebook or Instagram advertisement, keep track of users who access our Platform or advertisements from different devices, and better provide advertisements to our target audiences. The data from Facebook Pixel and Instagram is also saved and processed by Facebook. Facebook can connect this data with your Facebook or Instagram account and use it for its own and others' advertising purposes, in accordance with Facebook’s Data Policy which can be found at https://www.facebook.com/about/privacy/. Please click here if you would like to withdraw your consent for use of your data with Facebook Pixel https://www.facebook.com/settings/?tab=ads#_=_.

  • Google Analytics. We use Google Analytics, a web analytics service provided by Google, Inc. ("Google") to collect certain information relating to your use of our Platform. Google Analytics uses cookies to help our Platform analyze how users use our Website. You can find out more about how Google uses data when you visit our Platform by visiting "How Google uses data when you use our partners' sites or apps" (located at www.google.com/policies/privacy/partners/). For more information, please visit Google and pages that describe Google Analytics, such as www.google.com/analytics/learn/privacy.html.

  • LinkedIn. We use LinkedIn cookies to, among other activities, store and track visits across websites. You can find more information on the data collected by LinkedIn by visiting their Privacy Policy: https://www.linkedin.com/legal/privacy-policy.

  • Microsoft Bing Ads. Our Website uses Bing Ads technology to collect and store data that is used to track user activity on our Website. On our website a Bing UET tag is integrated. This service enables us to track user activity on our Website when it has reached our Website via advertisements from Bing Ads. If the page visitor reaches our website via such an ad, a cookie is set on their computer. This enables us to track, among other things, the length of time spent on our Website, which areas of the Website were accessed, and which advertisements have reached our Website. The collection of the data generated by the cookie and related to the use of our Website as well as the processing of this data can be prevented by deactivating the setting of cookies by visiting your browser setting. In addition, based on the user’s preferences Microsoft may be able to track usage behavior across multiple electronic devices through cross-device tracking, enabling it to display personalized advertising on or in Microsoft websites and apps. This behavior can be disabled by the site visitor at https://choice.microsoft.com/en-us/opt-out. For more information on Bing analytics services, visit the Bing Ads Web site. For more information about privacy at Microsoft and Bing, see the Microsoft Privacy Policy. 

  • PostHog. We use PostHog to better understand how users interact with our Platform and to improve the user experience. We have a Business Associate Agreement with PostHog. The information PostHog processes may include information such as IP address, pages visited, features used, device type, and other usage data. For more information on the information that PostHog collects and how it uses information, please visit https://posthog.com/privacy.

  • Stripe. We use Stripe as our payment processor. In order to allow Stripe to function properly, a cookie is stored on your browser, which assists Stripe in detecting and preventing fraud. These are considered session cookies and typically only remain on your browser for 24 hours. For more information on Stripe, please visit the Stripe Privacy Policy.

  • Other third party tools. We use other third party tools which allow us to track the performance of our Platform. These tools provide us with information about errors, Platform performance, and other technical details we may use to improve our Platform and/or the Services.     

VI. How do we use your Personal Information? 

We may use your Personal Information for the following purposes: 

  • Provide, support, personalize, and develop our Services, including monitoring and analyzing the effectiveness of content and features, and assisting you in completing the registration, enrollment, or claim submission process.

  • Process your requests, purchases, transactions, and payments, including facilitating premium payments, marketplace purchases, and qualified medical expense claims, and detecting, preventing, and mitigating transactional fraud.

  • Operate, maintain, supervise, administer, and enhance our Services, including monitoring and analyzing the effectiveness of content, aggregating site usage data, and improving overall performance, and related purposes which may include the use of artificial intelligence or machine learning.

  • Promote and market our Platform and/or Services, the products and services of our affiliates, and the products and services of third-party partners. For example, we may use your Personal Information, such as your email address, to send you news and newsletters, special offers, and promotions, or to otherwise contact you about products or information we think may interest you. 

  • Communicate with you, including responding to requests and sending newsletters or other similar communications not specifically advertising our own goods and services, as permitted by law.

  • Notify you about changes to our Platform and/or Services or any products we offer or provide through them.

  • Help maintain the safety, security, and integrity of our business, Platform, products, Services, databases, and other technology assets.

  • Conduct internal testing, research, analysis, and product development, including to improve, upgrade, or enhance our Platform and Services.

  • Carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.

  • Anonymize and aggregate information for analytics, reporting, and other purposes permitted by law.

  • Respond to law enforcement requests, court orders, and subpoenas, and carry out our legal and contractual obligations.

  • Authenticate use, detect fraudulent use, and otherwise maintain the security of our Platform and the safety of others.

  • Fulfill any other purpose for which you provide Personal Information, or any other purpose with your consent. 

VII. How do we share your Personal Information? 

We may share Personal Information with third parties in certain circumstances or for certain purposes, including:

  • Our business purposes. We may share your Personal Information with our affiliates, vendors, service providers, and business partners, including our data hosting and data storage partners, analytics and advertising providers, technology services and support, data security advisors, and payment processing services. We may also share your Personal Information with professional advisors, such as auditors, law firms, and accounting firms. 

  • Marketplace merchants. We may share limited Personal Information with merchants in the Thatch Marketplace solely to facilitate onboarding to their products or services and to confirm your eligibility to receive offers or discounted rates as a Thatch member. This information is restricted to what is necessary for that purpose, for example, confirmation of membership status or relevant ICHRA eligibility.

  • Compliance with law. We may share your Personal Information to comply with applicable law or any obligations thereunder, including cooperation with law enforcement, judicial orders, and regulatory inquiries. 

  • Business transfer. We may share your Personal Information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our users are among the assets transferred. 

  • To enforce our rights. We may share your Personal Information to enforce any applicable terms and conditions and Terms of Use, and to ensure the safety and security of our Services and our users. 

  • De-identified information. We may also disclose de-identified information, so that it cannot be reasonably used to identify any individual, with third parties for marketing, advertising, research, or any other purpose permitted by law. 

  • To market our Products and Services. We may share your Personal Information with affiliates and third parties to market our Products and Services to the extent permitted by law. 

  • Third party analytics. We use third party analytics to understand and evaluate how visitors interact with our Platform and/or the Services. These tools help us improve our Platform and/or the Services, performance, and your experience. See Section V, "How do we collect your Personal Information?", above.

  • With your consent. We may share your Personal Information if you request or direct us to do so. 

VIII. AI Features

Certain artificial intelligence ("AI") features may be used to improve your experience or the overall experience of the Platform and Services. When we collect Personal Information from an individual who uses the Platform, we may use the Personal Information in conjunction with our AI features to provide the Products and Services, and other internal purposes permitted by applicable laws. AI-generated insights assist but do not replace human decision making; in particular, any decision that influences health coverage or access to qualified medical products or services will be reviewed by a human.  

We may use information we collect to internally refine, improve, and train the models and algorithms that support our AI features, in accordance with applicable law. This helps us enhance AI-driven insights, improve recommendations, and contribute to better outcomes.

IX. Your choices about how we share your Personal Information

This section of our Privacy Policy provides details and explains how to exercise your choices. We offer you choices on how you can opt out of our use of tracking technology, disclosure of your Personal Information for our advertising to you, and other targeted advertising. We do not control the collection and use of your information collected by third parties. These third parties may aggregate the information they collect with information from their other customers for their own purposes. You can opt out of third parties collecting your Personal Information for targeted advertising purposes in the United States by visiting the National Advertising Initiative's (NAI) opt-out page and the Digital Advertising Alliance's (DAA) opt-out page.

Each type of web browser provides ways to restrict and delete cookies. Browser manufacturers provide resources to help you with managing cookies. Please see below for more information. 

For other browsers, please consult the documentation that your browser manufacturer provides.

If you do not wish to have your email address used by Thatch to promote our own Products and Services, you can opt-out at any time by clicking the unsubscribe link at the bottom of any email or other marketing communications you receive from us or logging onto your Account Preferences page. This opt out does not apply to information provided to Thatch as a result of a product purchase, or your use of our Platform and/or the Services. You may have other options with respect to marketing and communication preferences through our Platform.

You may also see certain ads on other websites because we participate in advertising networks. Ad networks allow us to target our messaging to users through demographic, interest-based, and contextual means. These networks track your online activities over time by collecting information through automated means, including through the use of cookies, web server logs, and web beacons. The networks use this information to show you advertisements that may be tailored to your individual interests. 

How do I access and correct my Personal Information?

You may request to review or change your Personal Information in your Thatch Account dashboard. You may also contact us at any time using the contact information provided in Section XVI of this Policy to inform us of any changes or errors in any Personal Information we have about you to ensure that it is complete, accurate, and as current as possible or to delete your account. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.

X. California Privacy Rights and Disclosures

California Civil Code Section 1798.83 (California’s "Shine the Light" law) permits users of our Platform and/or the Services that are California residents and who provide Personal Information in obtaining products and services for personal, family, or household use to request certain information regarding our disclosure of Personal Information to third parties for their own direct marketing purposes. If applicable, this information would include the categories of Personal Information and the names and addresses of those businesses with which we shared your Personal Information for the immediately prior calendar year (e.g., requests made in 2025 will receive information regarding such activities in 2024). You may request this information once per calendar year. To make such a request, please contact us using the contact information provided in Section XVI of this Policy.

XI. Who may use the Services?

Thatch operates subject to state and federal regulations, and the Platform and/or the Services may not be available in your state. You represent that you are not a person barred from enrolling for or receiving the Services under the laws of the United States or other applicable jurisdictions in which you may be located. Access to and use of the Platform and/or the Services is limited exclusively to users located in states within the United States where the Platform and/or the Services is available. The Platform and/or the Services are not available to users located outside the United States. Accessing the Platform and/or obtaining the Services from jurisdictions where content is illegal, or where we do not offer the Platform and/or the Services, is prohibited.

XII. Children’s Privacy

We do not knowingly collect or sell Personal Information from children under the age of 18. If you are under the age of 18, do not use our Platform or Services or provide any information on or to the Platform or through any of its features. If we learn we have collected or received Personal Information from a child under the age of 18, we will delete it. If you are the parent or guardian of a child under 18 years of age whom you believe might have provided us with their Personal Information, you may contact us using the contact information provided in Section XVI of this Policy to request the Personal Information be deleted. 

XIII. Does Thatch respond to Do Not Track signals?

Some web browsers permit you to broadcast a signal to Platforms and online services indicating a preference that they "do not track" your online activities. However, there is no accepted standard for how a website or online service should respond to this signal, and at this time, we do not take any action in response to such a signal.

XIV. Data Security

We have taken steps and implemented administrative, technical, and physical safeguards designed to protect against the risk of accidental, intentional, unlawful, or unauthorized access, alteration, destruction, disclosure, or use. The Internet is not 100% secure and we cannot guarantee the security of information transmitted through the Internet. Where you have been given or you have chosen a password, it is your responsibility to keep this password confidential. 

The sharing and disclosing of information via the internet is not completely secure. We strive to use best practices and industry standard security measures and tools to protect your data. However, we cannot guarantee the security of Personal Information transmitted to, on, or through our Services. Any transmission of Personal Information is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures contained on our Platform, in your operating system, or mobile device. 

We retain your Personal Information for as long as we continue to provide the Services to you, or for a period in which we reasonably foresee continuing to provide the Services. Even after we stop providing the Services directly to you, we may continue to retain your Personal Information to comply with our legal and regulatory obligations, as well as with tax, accounting, and financial reporting obligations, including when such retention is required by our contractual agreements.

XV. Changes to our Privacy Policy

We may update our Privacy Policy periodically to reflect changes in our privacy practices, laws, and best practices. If we make material changes to our practices with regards to the Personal Information we collect from you, we will notify you by email to the email address specified in your account and/or through a notice on the Platform. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically accessing the Platform and reviewing this Privacy Policy to check for any changes. 

XVI. Contact Us

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, you may contact us at the contact information below. 

Thatch Health, Inc.
353 Kearny Street, 
San Francisco, CA
E-mail: support@thatch.com
