1. Health Privacy

Lyfe offers a web-based healthcare platform that integrates with multiple electronic medical record or electronic health record ("EMR") systems to provide a unified interface for accessing and managing health data. The Platform allows (a) licensed healthcare providers subject to our Terms of Service ("Providers") to access aggregated patient data from multiple EMR sources and AI-powered clinical decision support tools; (b) patients of Providers ("Patients") to view and manage their own health information and care preferences on the Platform; and (c) legally authorized caregivers of Patients who are granted delegated access to manage a Patient's account on the Platform ("Caregivers"). Patients grant their Caregiver(s) access to the Patient's information on the Platform and identify the Caregiver's permission, scope of access, and relationship to the Patient.

Lyfe collects and processes health data from the Patient's Provider. For purposes the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Lyfe is a business associate to the Provider subject to a Business Associate Agreement. A Patient may withdraw their consent to their Provider to process their health data on the Services at any time by contacting their Provider. If you are a Patient and you have questions about health privacy, please contact your Provider.

2. Minors

A parent or legal guardian may use the Services for a minor Patient who is their child as a Caregiver to that minor Patient. Caregivers of minor Patients establish access to the Platform on behalf of the minor Patient, subject to documentation and relationship verification. Caregivers of minor Patients are solely responsible for determining and providing authorization to other Users for Provider, Caregiver, or Patient access to data through the Platform. Lyfe will never knowingly collect Personal Data from a child online without prior express consent from the child's parent or legal guardian. If we learn we have collected or received Personal Data from a child without authorization, we will delete that information.

3. Personal Data

As used in this Privacy Policy, "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Data is typically described in categories, for example:

• Identifiers (e.g., name, email, telephone number, address)
• Sensitive information (e.g., health information; government ID; racial or ethnic origin; religious beliefs; contents of messages when we are not the recipient; in some cases, information about a known child)
• Legally protected information (e.g., race, citizenship, marital status, sex)
• Biometrics (e.g., DNA, face/voice prints, health data) and audio, electronic, visual, thermal, or olfactory information
• Employment-related information (e.g., current or past employment)
• Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99)
• Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
• Internet or other similar activity (e.g., browsing history; content interactions)
• Inferences drawn from Personal Data to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, intelligence, and aptitudes

Information that is sometimes not protected by law as Personal Data includes publicly available information; aggregated information (meaning data summaries or reports with Personal Data removed); or anonymized information that cannot be linked back to an individual.

4. Lyfe's Privacy Practices

Lyfe collects and uses Personal Data from Patients as described in this section. During the preceding 12 months, Lyfe has collected Patient identifiers, sensitive information (including health data), commercial information, and other categories of Personal Data that might be disclosed to us as a business associate to our Providers. We will not collect additional categories of Personal Data or use already collected Personal Data for purposes that are materially different, unrelated, or not reasonably necessary or compatible with the original purpose without notice and consent to you as required by law.

Lyfe collects your Personal Data (a) with your consent when you opt-in to use our Services; (b) if we have a legitimate interest in doing so, like providing the Services to our Providers; or (c) as authorized or required by law. We only collect, use, retain, and disclose Personal Data as is adequate and relevant to the specific, express purpose of providing the Services to our Providers or as reasonably necessary and proportionate to achieve our internal business or other purposes permitted by applicable law.

Providers. Providers and their Authorized Users register with Lyfe directly during the onboarding process. At registration, Lyfe collects the Authorized User's name, login credentials, professional credentials, license number, practice details, and contact information. Providers use the Services to manage their Patients' EMR. The Provider will disclose any health data or other Personal Data contained in their Patient's EMR to Lyfe through secure integrations between the Platform and health information exchanges or other technology platforms. Lyfe applies HIPAA standards and requirements to all protected health information ("PHI") on the Platform.

Patients. Patients register with Lyfe to create their account and use the Platform. At registration, Lyfe collects the Patient's full name, login credentials, date of birth, email address, phone number, and details necessary to verify the patient's identity. The Patient also has the option to include in their profile additional contact details, emergency contact information, and their communication preferences.

Caregivers. Patients may request access for a Caregiver to help manage the Patient's health data on the Platform. When the Caregiver accepts access, the Caregiver creates an account on the Platform. At registration, Lyfe collects the Caregiver's full name, login credentials, email address, phone number, and relationship to the Patient.

Communications with Lyfe. If you contact Lyfe for any reason, we will collect your full name, account ID or email address, and any other information you choose to include in your message to us. We use this information to provide customer support, technical assistance, account management, and to respond to privacy requests.

Automatically Collected Through the Services. Lyfe collects technical data to improve platform performance, user experience, and system reliability. The data collected for this purpose includes session information, page views, feature usage, system performance metrics, performance data, device information (type, operating system, browser), IP address, and generalized geographic location.

5. Cookie Notice

Cookies are small text files downloaded and stored on your computer or mobile device when you visit or use an online platform. Cookies help the platform recognize your device, store your preferences, or perform certain functions for the platform. Lyfe deploys the following cookies:

• Essential cookies such as session authentication tokens, User ID/account identifier, login state information, and security tokens for CSRF protection. Essential cookies cannot be disabled because they are necessary for platform security and basic functionality.
• Functional cookies to enhance user experience, including user interface preferences, language settings, display preferences, recently viewed items. Functional cookies are configurable by the user.
• Analytics cookies to improve performance, such as use patterns and navigation paths, feature interaction data, performance metrics, and error logging data. Analytics cookies are configurable by the user.

You can directly control how cookies interact with your device by changing your permissions and settings when presented with a cookie consent pop-up or by changing your device or browser settings.

6. Data Retention

Lyfe only retains Personal Data for the minimum period necessary to provide our Services or achieve our business goals. Our retention periods are governed by our contracts with Providers, HIPAA and other applicable laws, and Lyfe company policies. For example:

• Patient accounts are retained while the account remains active and the Patient is an active user of the Platform. Inactive Patient accounts are deleted after 3 years of inactivity.
• Caregiver account information is retained while the account is active. Personal Data is deleted 30 days after a Caregiver's account is closed.
• EMR data is retained for 6 years from the date of creation or last Patient encounter. If the Patient was a minor at the time of treatment, their EMR data is retained until they reach age 18 or 6 years from the date of creation or last Patient encounter, whichever is longer.
• HIPAA-required audit logs are retained for 6 years from the date of creation or last Patient encounter.
• Access logs, security event logs, and audit trails are retained for 7 years.

7. Disclosures of Personal Data

Lyfe will only disclose Personal Data to third parties as described in this section, with your permission, or as required by law. In the preceding 12 months, we have disclosed Personal Data for a business purpose to:

• Your Provider. Providers associated with a Patient will have access to the Patient's EMR data and other Personal Data on the Platform.
• Your Caregiver. If a Patient authorizes a Caregiver to use the Platform in connection with the Patient's account, the Caregiver will have access to the Personal Data within the scope of access and permissions selected by the Patient.
• Lyfe's service providers. Lyfe's service providers like cloud hosting, data security, analytics platforms, payment processing, and technical infrastructure may have access to Personal Data as needed to perform their contractual obligations to us.
• Law enforcement and other governmental agencies, as permitted or required by law.
• Other third parties, as permitted by applicable law, for example: if we go through a business transition; to comply with a legal requirement or a court order; when we believe it is appropriate to take action regarding illegal activities or prevent fraud or harm.

8. Controlling Your Personal Data

Lyfe provides you a variety of methods and options to directly control how we collect and use your Personal Data, including but not limited to:

• Your Provider. Patients can contact their Provider to access, correct, delete, or control their Personal Data associated with their EMR.
• Your Account. Patients and Providers can access, modify, and delete certain data through their Platform account.
• Privacy Requests. If you want to exercise your rights under HIPAA or related to your relationship with a Provider, please contact your Provider. For concerns about Lyfe, please contact hello@lyfeco.ai.
• Device Settings. You can control the data we collect through cookies by adjusting your device settings or your cookie preferences on our website.
• Emails. You can unsubscribe from promotional emails via the links provided or send a request to hello@lyfeco.ai.

9. Your Privacy Rights

In the United States, consumer privacy is governed by federal privacy laws covering specific industries or data uses (like HIPAA) and state privacy laws providing with general consumer privacy rights. This section provides informational notices for state consumer privacy laws that require companies to inform consumers about their privacy rights and provide a method to exercise those rights.

• Right to Correct. You have the right to request that we correct inaccurate Personal Data about you on our systems.
• Right to Deletion. You may have the right to request that we delete your Personal Data that we collected and retained, with certain exceptions.
• Right to Access. You may have the right to request confirmation that we have collected Personal Data about you and that we provide you with access to that Personal Data.
• Health Data Rights. Some state laws entitle consumers to certain details about health data collected about them.
• No Selling or Sharing Personal Data. Lyfe does not sell your Personal Data or share it to third parties for cross-contextual behavioral advertising purposes.
• Right to Opt-Out of Profiling. Lyfe does not process your Personal Data to evaluate, analyze, or predict your interests and preferences.
• Right to Nondiscrimination. We will not discriminate against you for exercising your privacy rights.

10. Services Offered in the United States Only

Lyfe is a United States company with technical infrastructure in the United States. We design and market the Services for use by Providers, Patients, and Caregivers in the United States. If you access the Services from outside the United States, please be aware that your Personal Data may be transferred to, processed, stored, and used in the United States or other jurisdictions.

11. Third-Party Services

This Privacy Policy only applies to Lyfe Services. It does not apply to any third-party platforms or services, or any third-party services linked or accessible from the Services. We have no control over third-party websites, apps, devices, or systems, and you should exercise caution when deciding to disclose your Personal Data to anyone.

12. Security

Lyfe has implemented and maintains reasonable security measures to safeguard your Personal Data from accidental loss and unauthorized access, use, alteration, and disclosure. We maintain security measures that are appropriate to the volume, scope, and nature of the personal data processed. This includes a reasonable standard of care to protect the confidentiality, integrity, and accessibility of the health data we collect. Lyfe maintains compliance with SOC2 standards, and we provide the Services to Providers that are covered entities as business associates in compliance with HIPAA.

Please remember that no submission of information over the Internet is entirely secure. You are responsible for keeping your device access and login information confidential.

13. Updates

Lyfe may update this Privacy Policy from time to time. You can see when this Privacy Policy was last updated by checking the "last updated" date displayed at the top of this page. We will notify you about material changes to this Privacy Policy within the Services or by other measures that are appropriate to provide you with notice.