Terms of Service
Last updated: March 2026
These Terms govern healthcare providers and patients using Cord's platform. For detailed data processing terms, see our Privacy Policy and the Data Processing Agreement (DPA) incorporated herein.
1. Acceptance of Terms
By accessing or using Cord's services, you agree to be bound by these Terms of Service (“Terms”). If you do not agree to these Terms, do not use our services.
These Terms constitute a binding agreement between you and Cord Labs LLC (“Cord,” “we,” “us,” or “our”). Where these Terms refer to “Provider,” “you,” or “your,” they address the healthcare provider using Cord's platform. Where they refer to “Patient” or “patient user,” they address the individual accessing a provider-generated payment or documentation link.
Minors under 18 may not create Provider accounts. Patient users accessing checkout links do so under their provider's supervision.
2. Description of Services
Cord provides payment processing services that facilitate FSA/HSA and standard payments for healthcare practices (“Services”). We act as a technology platform connecting practices with payment processing infrastructure and providing practitioner documentation tools.
Cord does not provide healthcare services, medical advice, diagnosis, treatment, tax advice, or legal advice.
3. Health Information Disclaimer
Cord facilitates payment transactions between patients and their healthcare providers. Cord is not a healthcare provider and does not provide medical advice, diagnosis, or treatment. Nothing in Cord's platform, documentation tools, or communications constitutes medical advice or creates a provider-patient relationship between Cord and any patient.
The healthcare provider — not Cord — is solely responsible for all clinical decisions, including but not limited to: determining the appropriateness of any service for a patient, diagnosing conditions, issuing practitioner recommendations, and determining what health information to submit through the platform.
Patients should direct all clinical questions to their healthcare provider. Cord cannot advise on whether a particular condition, treatment, or product is appropriate for any individual.
4. HIPAA Acknowledgment — Healthcare Providers
This section applies to Provider users only.
By using Cord's platform to process payments or generate documentation involving patient health information, you acknowledge that:
- Cord acts as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) when it processes Protected Health Information (“PHI”) on your behalf.
- A separate Business Associate Agreement (“BAA”) governs the handling of PHI by Cord on your behalf. The BAA is incorporated into these Terms and controls in the event of any conflict between the BAA and these Terms with respect to PHI.
- You are the Covered Entity or Business Associate responsible for your patients' PHI. You are solely responsible for determining what information constitutes PHI in your use of the platform and for ensuring that your use of Cord complies with your own HIPAA obligations.
- You are responsible for obtaining any patient authorizations required under HIPAA or applicable state law before submitting patient information through Cord.
- You must notify Cord promptly — and in any event within 24 hours — upon discovering a potential security incident or unauthorized disclosure involving PHI processed through Cord's platform.
Cord's HIPAA safeguards are described in the BAA and in our Privacy Policy. If you have not executed a BAA with Cord and you intend to submit PHI through the platform, contact hello@cord.health before proceeding.
5. Patient Acknowledgment
This section applies to patient users accessing Cord-generated payment or documentation links.
When your healthcare provider uses Cord to process FSA/HSA-eligible payments or generate practitioner recommendation letters on your behalf, limited health information (such as your reason for visit or relevant condition information) may be submitted through the platform by your provider.
Cord's commitments to patient users:
- Your health information is encrypted in transit (TLS 1.3) and at rest (AES-256 via AWS server-side encryption). Cord's application accesses your health information in cleartext only when generating your receipt or practitioner recommendation letter.
- Your health information is used solely for: processing your payment, generating FSA/HSA documentation, and delivering your practitioner recommendation letter or receipt.
- Cord does not sell, rent, or share your health information with advertisers, data brokers, or any third party for commercial purposes unrelated to your transaction.
- Cord does not use your health information to build consumer profiles or for behavioral advertising.
Your primary rights regarding PHI collected in connection with your provider's practice — including rights of access, amendment, and accounting of disclosures — are exercised through your healthcare provider, who is the Covered Entity under HIPAA. See our Privacy Policy for the full description of your rights and Cord's data practices.
6. FSA/HSA Documentation
Cord provides FSA/HSA-grade receipts and practitioner recommendation letters as convenience tools to support reimbursement claims. You acknowledge and agree that:
- No guarantee of reimbursement. Cord does not guarantee that any transaction will be approved for FSA/HSA reimbursement. Eligibility determinations are made exclusively by your FSA/HSA plan administrator and, where applicable, by the IRS under Section 213(d). Cord has no control over these determinations.
- Clinical judgment governs eligibility. The prescribing or recommending healthcare provider — not Cord — determines whether a service or product is clinically appropriate and eligible under IRS Publication 502. Cord's documentation tools do not constitute a determination of medical necessity.
- Administrator policies vary. Individual FSA/HSA plan administrators may apply eligibility rules more restrictively than IRS guidance. Cord cannot represent the policies of any third-party plan administrator.
- Documentation is not legal or tax advice. Receipts and practitioner recommendation letters generated through Cord are intended to facilitate reimbursement claims. They do not constitute legal or tax advice. Consult a tax advisor for questions about your specific FSA/HSA plan.
- Provider responsibility. Providers are solely responsible for the accuracy of clinical information submitted through the platform and the appropriateness of any practitioner recommendation letter they issue.
7. Data Processing
Cord's collection, use, and protection of personal information — including health information — is governed by:
- Privacy Policy (available at cord.health/privacy): describes what information Cord collects, how it is used, how it is protected, and your rights.
- Data Processing Agreement (“DPA”) (incorporated into Provider agreements by reference): governs Cord's role as a data processor under applicable privacy laws including the California Consumer Privacy Act (“CCPA”). The DPA includes Cord's Service Provider certification under Cal. Civ. Code § 1798.140 and details sub-processor obligations.
- Business Associate Agreement (“BAA”) (executed separately with Provider accounts): governs PHI processing under HIPAA. The BAA controls in the event of any conflict with these Terms regarding PHI.
In the event of a conflict between these Terms and the DPA or BAA with respect to personal data or PHI processing, the DPA or BAA (as applicable) shall control.
8. Provider Responsibilities
As a Provider using Cord, you acknowledge and agree that:
Compliance Responsibilities:
- You are solely responsible for determining whether your services qualify as eligible medical expenses under IRS Section 213(d) and applicable FSA/HSA regulations.
- You are solely responsible for ensuring that your practice complies with all applicable federal, state, and local laws, regulations, and licensing requirements, including HIPAA and applicable state health privacy laws.
- You are solely responsible for maintaining appropriate documentation, including practitioner recommendation letters where applicable.
- You are solely responsible for the accuracy of information provided to patients regarding FSA/HSA eligibility of your services.
- You are solely responsible for verifying patient information and the appropriateness of any documentation you issue.
- You are solely responsible for obtaining any required patient consents or authorizations before submitting patient information through the platform.
Prohibited Activities:
- Misrepresenting the nature of services to obtain FSA/HSA approval
- Submitting false or misleading information through our platform
- Using our Services for any unlawful purpose
- Attempting to circumvent FSA/HSA eligibility requirements
- Submitting PHI to Cord without an executed BAA in place
- Using Cord's Services in a manner that violates HIPAA or any applicable privacy law
9. Practitioner Documentation and Tools
Cord may provide practitioner recommendation letter templates and documentation tools to assist Providers. You acknowledge and agree that:
- Templates and tools are provided as convenience tools only, not as medical or legal advice
- You are solely responsible for the content, accuracy, and appropriateness of any practitioner recommendation letter or documentation you issue
- Templates do not guarantee FSA/HSA approval
- You must customize templates to reflect accurate patient information and your independent clinical judgment
- Cord does not review, approve, or validate any practitioner recommendation letter or documentation you create or issue
- You bear sole responsibility for ensuring any documentation you issue is within your scope of practice and complies with applicable laws
10. Third-Party Referrals and Services
Cord may provide referral services to third-party providers and product companies (“Third-Party Partners”). You acknowledge and agree that:
- Cord does not endorse, guarantee, or warrant any Third-Party Partner or their products
- Your relationship with any Third-Party Partner is solely between you and that partner
- Third-Party Partner products and services are subject to their own terms and policies
- Cord is not responsible for the quality, safety, legality, or efficacy of any third-party products
- You are responsible for compliance with all applicable regulations regarding any products or services you offer or recommend
11. Fees and Payment
- Pricing: Service fees are determined by agreement between you and Cord. Contact us for current pricing.
- Payment: You authorize Cord to collect applicable fees from transactions processed through our Services.
- Payment Processing Fees: Standard payment processing fees from third-party providers are separate from Cord's fees and are your responsibility.
- No Refunds: Fees are non-refundable except as required by law.
12. Term and Cancellation
Term: These Terms are effective upon your acceptance and continue on a month-to-month basis until terminated.
Cancellation by You: You may cancel your account at any time by providing 30 days' written notice to hello@cord.health. Upon cancellation, access to Services will terminate at the end of the notice period, outstanding fees become immediately due, and we may retain transaction records as required by law.
Cancellation by Cord: We may suspend or terminate your account at any time, with or without cause, upon 30 days' notice (or immediately in cases of fraud, illegal activity, HIPAA violation, or violation of these Terms).
13. Disclaimer of Warranties
Cord provides its services “as is” and “as available” without warranties of any kind, express or implied.
We do not warrant that:
- FSA/HSA payments will be approved for any particular transaction
- Our Services will be uninterrupted, secure, or error-free
- Practitioner documentation tools or templates will result in claim approval
- Third-Party Partner products or services will meet your needs
- Documentation generated through the platform will satisfy any particular FSA/HSA plan administrator's requirements
Approval of FSA/HSA payments is subject to the policies of individual FSA/HSA administrators and card issuers, over which Cord has no control.
14. Limitation of Liability
To the maximum extent permitted by law, Cord shall not be liable for any indirect, incidental, special, consequential, or punitive damages.
Cord is not liable for any claims, damages, or losses arising from:
- Declined FSA/HSA transactions
- Determinations by FSA/HSA administrators regarding eligibility
- IRS audits or penalties related to FSA/HSA usage
- Your failure to comply with applicable laws or regulations, including HIPAA
- Inaccurate information provided by you or your patients
- Actions or omissions of Third-Party Partners
- Any practitioner recommendation letter or documentation you create, issue, or submit
- Unauthorized PHI disclosure resulting from your failure to use the platform as directed or your failure to execute required agreements
In no event shall Cord's total aggregate liability exceed the lesser of: (a) total fees paid by you to Cord in the six (6) months preceding the claim, or (b) one thousand dollars ($1,000). This limitation applies to all causes of action in the aggregate.
15. Indemnification
You agree to indemnify, defend, and hold harmless Cord and its officers, directors, employees, and agents from any claims, liabilities, damages, and expenses (including reasonable attorneys' fees) arising out of or related to:
- Your use of our Services
- Your violation of these Terms
- Your violation of any applicable laws or regulations, including HIPAA
- Any practitioner recommendation letter or documentation you create, issue, or submit
- Your relationship with patients or Third-Party Partners
- Any claim that your services do not qualify for FSA/HSA reimbursement
- Your submission of PHI through the platform without an executed BAA or without required patient authorization
- Any breach of your HIPAA obligations as a Covered Entity or Business Associate
16. Arbitration Agreement and Class Action Waiver
Please read this section carefully. It affects your legal rights.
Mandatory Arbitration: Any dispute, claim, or controversy arising out of or relating to these Terms or your use of Cord's Services shall be resolved by binding arbitration administered by JAMS under its Streamlined Arbitration Rules.
Waiver of Jury Trial: You and Cord each waive any constitutional and statutory rights to go to court and have a trial before a judge or jury.
Class Action Waiver: All claims and disputes must be arbitrated on an individual basis and not on a class basis.
Opt-Out: You may opt out of this arbitration agreement by sending written notice to hello@cord.health within thirty (30) days of first accepting these Terms.
17. Changes to Terms
We may modify these Terms at any time. Material changes will be communicated via email or through our Services with at least 30 days' notice. Continued use after changes constitutes acceptance of the modified Terms. Changes required by law or to address security vulnerabilities may take effect immediately.
18. Governing Law
These Terms shall be governed by the laws of the State of Delaware, without regard to conflict of law principles. Any arbitration shall be conducted in Delaware unless the parties agree otherwise.
19. Entire Agreement
These Terms, together with our Privacy Policy, the Data Processing Agreement (DPA), and — for Provider accounts — the Business Associate Agreement (BAA), constitute the entire agreement between you and Cord with respect to the Services. In the event of a conflict, the order of precedence is: BAA (for PHI matters) > DPA (for personal data matters) > these Terms.
20. Contact
Questions about these Terms should be directed to hello@cord.health.
Privacy and HIPAA inquiries: privacy@cord.health.