Privacy Policy Last updated: July 11, 2024 Elation Health, Inc. (“Elation Health”) is committed to maintaining the security and privacy of your personal information collected through this website, www.elationhealth.com (the “Website”), the Elation Health electronic health record (the “EHR”) and the Elation Health patient portal, Elation Passport (the “Patient Portal”). This Privacy Policy discloses Elation Health’s information collection and dissemination practices in connection with the Website, the Clinical EHR and the Patient Portal and applies solely to the information that we collect through those means. This Privacy Policy does not address personal information that you provide to us in other contexts (e.g., through a business or investment relationship not expressly described in this Privacy Policy). Contents 1. The Electronic Health Record 2. The Patient Portal 3. The Website 4. General Terms The Electronic Health Record Elation Health provides the web-based Clinical EHR to customers who enter into an Elation Service Agreement (“Customers”), who then authorize Clinical EHR users, including physicians, physician assistants, nurse practitioners and non-physician staff members (“Authorized Users”). Customers and Authorized Users are responsible for determining uses and disclosures of patient medical information maintained in the Clinical EHR, in accordance with their legal and professional responsibilities as health care professionals and state and federal medical privacy laws, including the federal Health Insurance Portability and Accountability Act (“HIPAA”). To the extent that Elation Health receives or maintains patient medical information in the course of providing the Clinical EHR, that information is secured, used and disclosed only in accordance with Elation Health’s legal obligations as a “business associate” under HIPAA. The Patient Portal Elation Health Customers may choose to make the Patient Portal available to patients to enable certain interactions between the Customer, Authorized Users and patients, including scheduling appointments, discussing medical treatment, sending medication prescription-related messages, and enabling patient viewing of a portion of the Clinical EHR. Customers are solely responsible for the content of the patient’s medical record maintained in the Clinical EHR and determining the portion of the Clinical EHR that may be viewed by the patient through the Patient Portal. Elation Health may utilize patient medical information on a limited basis as necessary to provide the Patient Portal services, including the following uses and disclosures: An email address and a cell phone number are required to be stored in the Clinical EHR before an invitation can be sent to the patient to open a Patient Portal account. When a letter or a response from a doctor is opened by the patient through the Patient Portal, the opened status will be communicated to the doctor inside the Clinical EHR. If instructed by the patient to fax a clinical profile derived from the patient’s medical record (a “Profile”) to a fax machine within the Portal, Elation Health will fax such documents on the patient’s behalf. Elation Health will maintain aggregate information regarding usage of the Patient Portal for product improvement purposes, but that data will not identify individual patients. Elation Health will not sell any personal information provided by a patient through the Patient Portal to a third party. The Website Acceptance of Privacy Policy By using the Website, you signify your acceptance of this Privacy Policy. If you do not agree to the terms of this Privacy Policy, please do not use this Website. Your continued use of the Website following the posting of changes to these terms will mean that you accept those changes. Information We Collect and How We Use It Personal Information Provided by You Except as described in this Privacy Policy, Elation Health only collects your personal information through this Website when you choose to provide such information, such as when you use the “Contact Us” feature. Personal Information can include your name, phone number, and email. Elation Health uses your Personal Information to address your requests for information, products or services. Elation Health will not share, sell, rent, license, or trade your Personal Information with third parties/affiliates or partners for their own direct marketing use unless we receive your express consent to do so. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. Unless you give us permission to do so, Elation Health will not disclose your Personal Information other than as specified in this Privacy Policy. Web Server Logs and IP Addresses An Internet Protocol (“IP”) address is a number that automatically identifies the computer/device you have used to access the Internet. The IP address enables our server to send you the web pages that you want to visit, and it may disclose the server owned by your Internet Service Provider. This information is collected automatically from your browser and device. Elation Health may use IP addresses to conduct website analyses and performance reviews and to administer the Website. Cookies and Web Beacons Cookies are pieces of information that a website transfers to a user’s computer for purposes of storing information about a user’s preferences. This information is collected automatically from your browser and device. Cookies in and of themselves do not personally identify users, although they do identify a user’s computer. Many websites use cookies as a standard practice to provide useful features when a user visits the website, and most web browsers are set up to accept cookies. Elation Health uses cookies to improve your online experience when visiting the Website. You can set your browser to refuse cookies, but some portions of the Website may not work properly if you refuse cookies. Some of the Website’s web pages may use web beacons in conjunction with cookies to compile aggregate statistics about website usage. A web beacon is an electronic image (also referred to as an “action tag,” “single-pixel,” or “clear GIF”) that is commonly used to track the traffic patterns of users from one web page to another in order to maximize web traffic flow and to otherwise analyze the effectiveness of websites. Some web beacons may be unusable if you elect to reject their associated cookies. Aggregated Data Elation Health collects aggregate queries for internal reporting and also counts, tracks, and aggregates the visitor’s activity into Elation Health’s analysis of general traffic-flow at the Website. To these ends, Elation Health may merge information about you into aggregated group data. In some cases, Elation Health may remove personal identifiers from the Personal Information and maintain it in aggregate form that may later be combined with other information to generate anonymous, aggregated statistical information. Such anonymous, group data may be shared on an aggregated basis with Elation Health’s affiliates, business partners, service providers and/or vendors; if it does so, this aggregated information would not be personal information, and would not disclose your individual identity. Recipients of Personal Information Disclosures to Service Providers, Third Parties Assisting In Our Operations Elation Health may disclose your Personal Information under contractual agreements with other companies that work with, or on behalf of, Elation Health to provide products and services and maintain confidentiality. These companies, which may include members of Elation Health’s corporate family, may use your Personal Information to assist Elation Health in its operations. However, these companies do not have any independent right to disclose this information. Disclosures Under Special Circumstances We may provide information about you to respond to subpoenas, court orders, legal process or governmental regulations, or to establish or exercise our legal rights or defend against legal claims. We believe it is necessary to disclose information in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law. Business Transfers We may disclose your Personal Information to other business entities, in connection with the sale, assignment, merger or other transfer of all or a portion of Elation Health’s business to such business entity. We will require any such successor business entity to honor the terms of this Privacy Policy. Referrals/Links The Website may contain links to third-party websites that may offer information of interest. This Privacy Policy does not apply to those websites, and Elation Health recommends reviewing those websites’ privacy policies individually. Elation Health assumes no responsibility for any material outside of the Website, including any website that may be accessed through a link from the Website. Security Elation Health understands that storing our data in a secure manner is essential. Elation Health stores Personal Information and other data using industry-standard physical, technical and administrative safeguards to secure data against foreseeable risks, such as unauthorized use, access, disclosure, destruction or modification. Please note, however, that while Elation Health has endeavored to create a secure and reliable website for users, the confidentiality of any communication or material transmitted to/from the Website or via e-mail cannot be guaranteed. Children’s Privacy Protection Elation Health understands the importance of protecting children’s privacy in the interactive online world. The Website is not designed for, or intentionally targeted at, children 18 years of age or younger. It is not our policy to intentionally collect or maintain information about anyone under the age of 18. No one under the age of 18 should submit any Personal Information to Elation Health and/or the Website. California Business Contact Information If you are a California resident and we receive your Personal Information in the form of contact details from business events, for example as part of a business appointment (e.g., by exchanging business cards) or as part of any other form of collaboration, we may use your contact and business details to maintain our business contacts. For this purpose, we may transfer your contact details to our internal database. Pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), you have privacy rights with respect to your business contact Personal Information. The processing activity may include the following categories of Personal Information: Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address); and Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, qualifications). This data processing is based on our legitimate business interests. We have a legitimate economic interest in maintaining contacts beyond the initial context and in using them to establish and develop a business relationship and to remain in contact with the parties concerned. Such business contacts could also be easily processed in our email communications with you and then kept in typical business software, either centrally or on the electronic devices of our employees. California law provides you with the following rights with respect to your Personal Information: The right to know what Personal Information we have collected, used, or disclosed about you. The right to request that we delete any Personal Information we have collected about you. The right to correct inaccurate Personal Information about you. The right to opt out of the sale or sharing of Personal Information about you. We do not sell or share our data subjects’/consumers’ Personal Information, as defined by the CCPA. California law requires us to identify, for the 12-month period prior to the date of this Privacy Policy, what information we may have “sold” or “shared” about you. Submitting Requests California residents have the right to limit the use of their Sensitive Personal Information. However, we do not use Sensitive Personal Information for any additional purposes that are incompatible with the purposes listed above, unless we provide you with notice of those additional purposes. You may submit requests to correct, delete, and know specific Personal Information and/or categories of Personal Information we have collected about you by accessing our California Consumer State Privacy Rights request portal at this link. California residents may opt out of the sale or sharing of Personal Information by broadcasting an Opt-Out Preference Signal, such as the Global Privacy Control (GPC) (on the browsers and/or browser extensions that support such a signal). To download and use a browser supporting the GPC browser signal, click here: https://globalprivacycontrol.org/orgs. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use. Verification of Your Identity When you exercise these rights and submit a request to us, we or our partners will verify your identity by asking you to authenticate your identity via standard authentication procedures. For example, we may ask for your email address, order numbers of previous orders of our products and services, full name, street address, or the date of your last purchase from us. We also may use a third-party verification provider to verify your identity Non-Discrimination If you make a request under the CCPA, we will not discriminate against you in any way. For example, we will not deny you goods or services, charge you different prices or rates for goods or services, deny you discounts or other benefits or impose penalties on you, or provide you with or suggest that you will receive a different level or quality of goods or services. Automated Decision-Making We generally do not use automated decision-making technology, as that term is defined by State Privacy Laws. If we make use of automated decision-making technology, you will be informed through a separate privacy notice. Record Retention We may retain your Personal Information for as long as necessary to fulfill the purpose for which it was collected or to comply with legal or regulatory requirements. We strive to retain your Personal Information no longer than is reasonably necessary to carry out the purposes listed in this Notice or as required by law. We retain your Personal Information following the end of your services or other business relationship in accordance with applicable law and our data retention and destruction policies. Changes Regarding Your Personal Information We will also process certain requests from individuals outside the state of California. If you are not a California resident, you may still review and request changes to your Personal Information that Elation Health has collected, including the removal of your Personal Information from Elation Health’s databases in order to prevent receipt of future communications or to halt receipt of our Website services, using any of the following options:You can send your request via e-mail to: privacy@elationhealth.com, or mail your request to the following postal address: Elation Health, Inc. 550 15th Street, Suite 21, San Francisco, CA 94103. General Terms Policy Updates This Privacy Policy may be revised from time to time as we add new features and services, as laws change, and as industry privacy and security best practices evolve. We display a version number and a date at the top of this Privacy Policy so that it will be easier for you to know when there has been a change. If we make any change to this Privacy Policy regarding use or disclosure of Personal Information, we will provide advance notice on this Website. Small changes or changes that do not significantly affect individual privacy interests may be made at any time and without prior notice. Questions If you have any questions about this Privacy Policy or about Elation Health’s handling of your information, please contact privacy@elationhealth.com.