Privacy Policy

Last updated: March 15, 2026

Summary: PatientPulse Care collects only the information necessary to operate our platform. We do not sell your data. We treat patient information with the highest level of care required under HIPAA and applicable law.

1. Who We Are

PatientPulse Care ("we," "our," or "us") operates the PatientPulse Care mobile application and the PatientPulse portal at portal.patientpulse.care (collectively, the "Platform"). We provide patient communication tools to healthcare practices ("Practices"). If you are a patient whose information is processed through our Platform at the direction of a Practice, that Practice is the covered entity responsible for your protected health information (PHI). PatientPulse Care acts as a Business Associate under HIPAA.

2. Information We Collect

**Practice Users (staff, administrators):**

• Account information: name, email address, job role
• Authentication credentials (stored as cryptographic hashes — never plain text)
• Device information: device type, OS version, app version
• Usage data: screens visited, features used, session duration
• Log data: IP address, timestamps, error reports

**Patient Data:** We process patient contact information (name, phone number, email address) on behalf of Practices. This data is provided by the Practice and is used solely to deliver communications as directed by the Practice. We do not independently collect patient data.

**Automatically Collected:**

• Analytics events (anonymous aggregated usage metrics)
• Crash reports (no PHI included)

3. How We Use Information

We use collected information to:

• Operate, maintain, and improve the Platform
• Authenticate users and enforce access controls
• Send campaigns and messages as directed by Practice users
• Provide customer support
• Monitor for security threats and unauthorized access
• Fulfill legal and compliance obligations

We do **not** use patient data for advertising, profiling, or any purpose beyond what is directed by the Practice.

4. How We Share Information

We do not sell personal information. We may share information in the following limited circumstances:

• **Service Providers:** Third-party vendors who assist us in operating the Platform (e.g., cloud hosting, SMS delivery, email delivery) under strict data processing agreements.
• **Legal Requirements:** When required by law, court order, or governmental authority.
• **Business Transfers:** In connection with a merger, acquisition, or sale of assets, with appropriate notice.
• **With Your Consent:** For any other sharing with your explicit consent.

All third-party service providers are contractually prohibited from using your data for their own purposes.

5. Protected Health Information (PHI)

PatientPulse Care processes PHI as a Business Associate under HIPAA. We:

• Use PHI only as directed by covered entity Practices
• Maintain appropriate technical, physical, and administrative safeguards
• Report breaches to the applicable Practice as required by the HIPAA Breach Notification Rule
• Do not use or disclose PHI beyond what is permitted under our BAA and HIPAA

Practices are responsible for obtaining appropriate patient authorizations for communications sent through our Platform.

6. Data Retention

We retain Practice user account data for the duration of the active subscription and for up to 2 years after account termination to support compliance and legal obligations. Patient contact data processed for campaigns is retained as directed by the Practice. Practices may request deletion of specific data at any time. Analytics and log data is retained for up to 12 months.

7. Security

We employ industry-standard security measures including:

• TLS 1.2+ encryption for all data in transit
• Encryption at rest for stored data
• Role-based access controls
• Regular security assessments
• Incident response procedures

No method of transmission or storage is 100% secure. We are committed to promptly notifying affected parties of any security incident as required by applicable law.

8. Your Rights

**Practice Users** may:

• Access and update their account information at any time through the portal
• Request deletion of their account by contacting support@patientpulse.care

**Patients** whose data has been processed through our Platform should contact the Practice that sent them communications to exercise their rights under HIPAA or applicable state law (e.g., right to access, right to restrict). We will assist Practices in responding to such requests.

**California Residents:** You may have additional rights under the California Consumer Privacy Act (CCPA). Contact us to exercise those rights.

9. Children's Privacy

The Platform is not directed at children under 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe we have inadvertently collected such information, contact us immediately at privacy@patientpulse.care.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Practice administrators via email or in-app notice at least 30 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions, requests, or concerns:

**Email:** privacy@patientpulse.care
**Support:** support@patientpulse.care
**Address:** PatientPulse Care, 9730 Martin Luther King Jr. Highway, Suite E, Lanham, MD 20706

For HIPAA-related inquiries or to request a Business Associate Agreement, contact: baa@patientpulse.care