Privacy Policy

Last Updated Feb 20, 2026

1. Introduction

This Privacy Policy (“Privacy Policy”) describes how float app, Inc., a Delaware corporation doing business as Burst (“Burst,” “Company,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes Personal Information in connection with:

(a) the website located at getburst.com (the “Site”);

(b) any related web applications, integrations with merchant partners, or digital tools; and

This Privacy Policy applies to individual end users of the Services. Separate agreements govern our relationships with merchant partners, healthcare providers, and other business customers.

By accessing or using the Services, you acknowledge that you have read and understand this Privacy Policy.

2. Scope and Role of Burst

2.1 Consumer-Facing Services

Burst provides technology designed to facilitate access to tax-advantaged healthcare benefits, including Health Savings Accounts (“HSAs”), Flexible Spending Accounts (“FSAs”), and similar benefit arrangements.

2.2 Telehealth-Facilitated LMN Services

In connection with Letter of Medical Necessity (“LMN”) facilitation, independent licensed healthcare providers or medical groups (“Providers”) use Burst’s platform and electronic medical record (“EMR”) systems to review information you submit and determine whether to issue an LMN.

Providers are responsible for clinical decision-making and for compliance with applicable healthcare privacy laws, including HIPAA, where applicable.

2.3 HIPAA Status

In certain circumstances, Burst acts as a “Business Associate” (as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)) to Provider groups. In those cases, we handle Protected Health Information (“PHI”) in accordance with applicable Business Associate Agreements and HIPAA requirements.

Where Burst collects information directly from you outside of a HIPAA-covered context, that information is governed by this Privacy Policy.

3. Information We Collect

We collect information directly from you, automatically through your use of the Services, and from third parties.

3.1 Information You Provide Directly

(a) Account Information. When you create an account, we may collect your name, email address, mailing address, phone number, and login credentials.

(b) Health Information. In connection with LMN Services, you may provide symptoms, diagnoses, treatment history, medications, and other health-related information.

(c) Documentation and Receipts. You may upload purchase receipts, invoices, or supporting documents in connection with reimbursement claim submission.

(d) Financial and Benefits Information. If you use claim submission or account connectivity features, we may collect information relating to your HSA/FSA plan administrator, account balances, or related identifiers.

(e) Communications. We collect information you provide when you contact us for support or communicate with us.

3.2 Information Collected Automatically

(a) Device and Usage Information. We may collect IP address, browser type, device identifiers, operating system, pages visited, session duration, and interactions with the Services.

(b) Cookies and Similar Technologies. We use cookies, pixels, and similar technologies to operate the Services, analyze usage, and improve functionality.

You may adjust your browser settings to refuse certain cookies; however, some features may not function properly without them.

3.3 Information from Third Parties

We may receive information from:

(a) Merchant partners who refer you to our Services;

(b) Payment processors;

(d) Analytics providers; and

(e) Identity verification or fraud prevention providers.

4. How We Use Information

We use Personal Information for the following purposes:

4.1 To Provide the Services

(a) To create and manage accounts;

(b) To facilitate LMN intake and enable Providers to review submitted information;

(d) To enable account connectivity and related features.

4.2 To Operate and Improve the Services

(a) To maintain, troubleshoot, and enhance functionality;

(b) To conduct analytics and measure engagement;

4.3 Communications

(a) To send service-related communications, including LMN status and claim updates;

(b) To provide customer support;

4.4 Legal and Compliance

(a) To comply with applicable laws and regulations;

(b) To enforce our Terms of Service;

(d) To protect the rights, safety, or property of Burst, users, or others.

5. How We Disclose Information

We do not sell Personal Information.

We may disclose Personal Information as follows:

5.1 Healthcare Providers

Health Information you submit in connection with LMN Services is made available to independent Providers for evaluation.

5.2 Service Providers

We disclose information to vendors that provide services on our behalf, including hosting providers, cloud infrastructure providers, analytics providers, customer support platforms, and payment processors. These vendors are contractually obligated to safeguard information.

5.3 Merchant Partners

If you access our Services through a merchant partner, we may share limited information necessary to confirm LMN status or facilitate integration workflows, consistent with our agreements and applicable law.

5.4 Plan Administrators

If you authorize claim submission services, we may transmit documentation and information to your HSA/FSA plan administrator.

5.5 Business Transfers

In the event of a merger, acquisition, reorganization, financing, or sale of assets, Personal Information may be transferred as part of that transaction.

5.6 Legal Requirements

We may disclose information if required to do so by law, regulation, subpoena, court order, or governmental request.

6. Data Retention

We retain Personal Information for as long as reasonably necessary to:

(a) provide the Services;

(b) comply with legal and regulatory obligations;

(d) enforce agreements; and

(e) satisfy applicable healthcare record retention requirements.

Retention periods may vary depending on the type of information and applicable legal obligations.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect Personal Information. These measures may include encryption in transit, access controls, logging, and vendor risk management.

However, no system can guarantee absolute security.

8. Your Rights and Choices

Depending on your state of residence, you may have certain rights regarding your Personal Information. These may include the right to:

(a) access Personal Information we maintain about you;

(b) request correction of inaccurate information;

(d) opt out of certain types of processing, where applicable.

To exercise applicable rights, contact us at legal@getburst.com. We will respond in accordance with applicable law.

If we process PHI as a Business Associate, requests relating to medical records may need to be directed to the applicable Provider or medical group.

9. Children’s Privacy

The Services are not directed to individuals under 18 years of age. We do not knowingly collect Personal Information from children under 18. If we learn that we have collected such information, we will take appropriate steps to delete it.

10. Third-Party Websites and Services

The Services may contain links to third-party websites. This Privacy Policy does not apply to those third-party services. We encourage you to review their privacy policies.

11. U.S. Processing and Data Transfers

Burst operates in the United States. Personal Information may be processed and stored in the United States or other jurisdictions where our service providers operate.

By using the Services, you acknowledge that your information may be transferred to and processed in the United States.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services or by other appropriate means.

Your continued use of the Services after the effective date of an updated Privacy Policy constitutes acknowledgment of the revised policy.