Privacy Policy

Memr, Inc. ("Company" or "We") respect your privacy and are committed to protecting it through our compliance with this policy.

This policy describes the types of information, including Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA) of your participants, we may collect from you or that you may provide when you use our web-based medical record retrieval and analysis platform at www.memrhealth.com (our "Platform"). This policy explains our practices for collecting, using, maintaining, protecting, and disclosing that information in accordance with HIPAA and other applicable healthcare privacy laws, particularly as they relate to our automated medical record retrieval and analysis services.

This policy applies to information we collect:

• On this Website.
• In email, text, and other electronic messages between you and this Website.
• When you interact with our advertising and applications on third-party websites and services if those applications or advertising include links to this policy.

It does not apply to information collected by:

• Us offline or through any other means, including on any other website operated by Company or any third party (including our affiliates and subsidiaries); or
• Any third party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from or through the Website.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

Our Website is not intended for children under 16 years of age. No one under age 16 may provide any personal information to or on the Website. We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information on this Website or through any of its features, register on the Website, make any purchases through the Website, use any of the interactive or public comment features of this Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use.

If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at support@memrhealth.com.

California residents under 16 years of age may have additional rights regarding the collection and sale of their personal information. Please see Your State Privacy Rights for more information.

We collect several types of information from and about users and participants of our Website, including information:

• By which you may be personally identified, including name, email and/or phone number.
• Protected Health Information (PHI) of your participants, such as medical records, health history, treatment information, lab results, medications, diagnoses, and other health-related data, as well as personal identifiers including name, gender, address, phone number, email, date of birth, medical record numbers, and other information necessary to provide our automated medical record retrieval and analysis services ("personal information" and "PHI"). This includes information we process through our automated systems to analyze and extract relevant medical information.
• Records and financial information for the purpose of payment, such as bank account and routing numbers, credit and debit card information, amount you send or request, and other financial information.
• About your internet connection, the equipment you use to access our Website, and usage details.
• About user interactions and activity with first-party testing mechanisms provided by Company, e.g. email, text, etc.
• Collected via secure, HIPAA-compliant API integrations with healthcare providers, electronic health record systems, and other authorized medical information sources for the purpose of automated medical record retrieval and analysis.

We collect this information:

• Directly from you when you provide it to us.
• Automatically as you navigate through the site. Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons and other tracking technologies.
• From third parties, for example, our business partners.

The information we collect on or through our Website may include:

• Information that you provide by filling in forms on our Website. This includes information provided at the time of registering to use our Website, subscribing to our service, posting material, or requesting further services. We may also ask you for information when you report a problem with our Website.
• Records and copies of your correspondence (including email addresses), if you contact us.
• Your responses to surveys that we might ask you to complete for research purposes.
• Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.
• Your search queries on the Website.

You also may provide information to be published or displayed (hereinafter, "posted") on public areas of the Website, or transmitted to other users of the Website or third parties (collectively, "User Contributions"). Your User Contributions are posted on and transmitted to others at your own risk. Although you may set certain privacy settings for such information by logging into your account profile, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.

As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

• Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.
• Information about your computer and internet connection, including your IP address, operating system, and browser type.

The information we collect automatically is only statistical data and does not include personal information, but we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:

• Estimate our audience size and usage patterns.
• Store information about your preferences, allowing us to customize our Website according to your individual interests.
• Speed up your searches.
• Recognize you when you return to our Website.

The technologies we use for this automatic data collection may include:

• Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website.
• Web Beacons. Pages of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics.
• Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website.

Some content or applications, including advertisements, on the Website are served by third-parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.

We use information that we collect about you or that you provide to us, including any personal information and PHI:

• To present our Website and its contents to you.
• To provide you with information, products, or services that you request from us.
• To fulfill any other purpose for which you provide it.
• To provide you with notices about your account/subscription, including expiration and renewal notices.
• To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
• To notify you about changes to our Website or any products or services we offer or provide through it.
• To allow you to participate in interactive features on our Website.
• In any other way we may describe when you provide the information.
• For any other purpose with your consent.
• To develop, train, improve, and validate our artificial intelligence and machine learning models, algorithms, and systems, which may involve processing your personal information and participant PHI. Such processing will be conducted in accordance with applicable privacy laws and regulations, including HIPAA requirements where applicable, and with appropriate technical and organizational safeguards in place to protect your information.

We will retain your information (including your participant's PHI) only for as long as is necessary for the purposes set out in this Privacy Policy, and as required by law, including HIPAA. We will retain and use your information to the extent necessary to comply with our legal obligations, resolve disputes and enforce our legal agreements and policies.

We will also retain data collected automatically either generated by the use of our Website or from the Website infrastructure itself for internal analysis and artificial intelligence and machine learning model training purposes. This information is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer periods.

We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.

We may disclose personal information that we collect or you provide as described in this privacy policy:

• To our subsidiaries and affiliates.
• To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations (including, as applicable, BAAs) to keep personal information and PHI confidential and use it only for the purposes for which we disclose it to them.
• To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Company's assets, in which personal information and PHI held by Company about our Website users is among the assets transferred.
• To third parties to market their products or services to you if you have consented to or not opted out of these disclosures.
• To fulfill the purpose for which you provide it.
• For any other purpose disclosed by us when you provide the information.
• With your consent.

We may also disclose your personal information and participant's PHI:

• To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
• For personal information only (not PHI) to enforce or apply our terms of use or terms of service and other agreements, including for billing and collection purposes.
• If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Memr, Inc., our Users, or others, subject to HIPAA requirements and restrictions. Any disclosure of PHI or automated analysis will be made only as permitted or required by HIPAA and other applicable healthcare privacy laws.

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:

• Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
• Disclosure of Your Information for Third-Party Advertising. If you do not want us to share your personal information with unaffiliated or non-agent third parties for promotional purposes, you can opt-out by sending us an email at support@memrhealth.com.
• Promotional Offers from the Company. If you do not wish to have your email address/contact information used by the Company to promote our own or third parties' products or services, you can opt-out by sending us an email at support@memrhealth.com.

You can review and change your personal information by logging into the Website and visiting your account profile page.

You may request access to, obtain copies of, or request amendments to your PHI by contacting our Privacy Officer at support@memrhealth.com. All such requests will be handled in accordance with HIPAA requirements, including verification of identity and authority to access the requested information. You have the right to receive an accounting of disclosures of your PHI as provided by HIPAA.

Certain web browsers offer a "do not track" option that communicates to websites your preference not to have your online actions monitored. This is distinct from blocking or erasing cookies since even with the "do not track" function activated, browsers might still accept cookies. Presently, there's no universal guideline on how businesses should address these "do not track" requests, but one might emerge later on. Currently, we don't acknowledge "do not track" requests; if that changes, we'll update this Privacy Policy to explain our approach.

State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.

Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:

• Confirm whether we process their personal information.
• Access and delete certain personal information.
• Data portability.
• Opt-out of personal data processing for targeted advertising.

Colorado, Connecticut, and Virginia also provide their state residents with rights to:

• Correct inaccuracies in their personal information, taking into account the information's nature and processing purpose.
• Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise any of these rights or appeal a consumer rights request decision please email support@memrhealth.com.

Nevada provides its residents with a limited right to opt-out of certain personal information sales. However, we do not currently sell data triggering that statute's opt-out requirements.

We have implemented measures designed to secure your personal health information in accordance with HIPAA Security Rule requirements and industry best practices, which is particularly critical for our automated medical record retrieval and analysis services. All protected health information (PHI), including retrieved medical records and AI analysis results, is stored on HIPAA-compliant servers with enterprise-grade encryption at rest and in transit.

We maintain administrative, physical, and technical safeguards including access controls, audit logging, encryption (minimum AES-256), and secure backup systems. Our AI processing environments are isolated and secured, and all automated analysis is conducted within HIPAA-compliant environments. Any payment transactions and other sensitive information are protected using TLS 1.3 encryption technology and we maintain compliance with HITECH Act requirements.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential.

We maintain breach notification protocols as required by HIPAA and applicable state laws, and will notify affected individuals, the Secretary of HHS, and, in some cases, the media in the event of a breach of unsecured protected health information in accordance with federal and state requirements.

It is our policy to post any changes we make to our privacy policy on this page with a notice that the privacy policy has been updated on the Website home page. If we make material changes to how we treat protected health information (PHI) or other personal information, we will notify you by email to the primary email address specified in your account and/or through a notice on the Website home page. The date the privacy policy was last revised is identified at the top of the page.

To ask questions about this privacy policy and our privacy practices, register a complaint or concern, or to contact our HIPAA Privacy Officer, please reach out to us at: support@memrhealth.com