Health Data Analytics Institute, LLC Privacy Policy for healthpicture.com

Last Updated on July 24, 2020

Overview

Your access to, and use of, the Health Data Analytics Institute, Inc. (the “Company”) website, healthpicture.com, and the information, community, products and services that we provide to you and other users through this website portal provided by us in connection with our products and services (collectively, the “Services”) is subject to the Terms of Service and this Privacy Policy.

When it comes to the release of your health information, you have certain rights. For medical treatments covered by Medicare, you may access and review your own health records at an online website portal called “Blue Button”. This portal is designed for patients to download their own health information in a variety of formats, such as text and PDF. You may also provide consent for other individuals or companies to access this information in electronic form using a Blue Button Access App. If you provide consent for us to access your information through Blue Button, this Privacy Policy describes how we will use, collect, and protect your private health and other information we collect, either for our own use or on behalf of third parties, and explains how you can access and request modification or deletion of certain information that we may store about you. This Privacy Policy is incorporated and made part of the Terms of Service.

_______________________________________________________________________

Medical Disclaimer: The information on our Services is not intended or implied to be a substitute for professional medical advice, diagnosis or treatment. All content, including text, graphics, images and information, contained on or available through the Services is for general information purposes only.
The Company makes no representation and assumes no responsibility for the accuracy of information contained on or available through the Services, and such information is subject to change without notice. You are encouraged to confirm any information obtained from or through the Services with other sources such as your physician, and review all information regarding any medical condition or treatment with your physician. NEVER DISREGARD PROFESSIONAL MEDICAL ADVICE OR DELAY SEEKING MEDICAL TREATMENT BECAUSE OF SOMETHING YOU HAVE READ ON OR ACCESSED THROUGH THIS WEBSITE. IF YOU ARE EXPERIENCING A MEDICAL EMERGENCY PLEASE CALL YOUR HEALTH CARE PROVIDER OR 911.

The Company does not recommend, endorse or make any representation about the efficacy, appropriateness or suitability of any specific products, procedures, treatments, services, opinions, health care providers, health insurers, plans or other information that may be contained on or available through or in connection with the Services. THE COMPANY IS NOT RESPONSIBLE NOR LIABLE FOR ANY ADVICE, COURSE OF TREATMENT, DIAGNOSIS OR ANY OTHER INFORMATION, SERVICES OR PRODUCTS THAT YOU OBTAIN THROUGH OR IN CONNECTION WITH THIS SERVICE.

Your Acceptance of This Privacy Policy and Changes to It

By accessing, viewing or otherwise using any Service, you consent to the collection and use of your information by the Company in accordance with this Privacy Policy. If you do not agree to this Privacy Policy, you may not use the Service. You represent and warrant that you have permission to share any information you elect to provide through the Services, and you consent to such information being shared as described in this Policy.

Company reserves the right to change, modify, add or remove portions of this Privacy Policy at any time, without prior notice. Changes take effect on the date that appears on the revised Privacy Policy.
Accordingly, if your account is active and you have subscribed to e-mail notifications, we will notify you of any material change to the Privacy Policy as determined by the Company’s Privacy officer. If you use the Services following a change in this Privacy Policy, we will ask you to accept the new Privacy Policy before allowing use of the Service. Your acceptance will indicate your agreement to be bound by the changes.

What information do we collect?

We collect personally identifiable information which may include your medical records (“Personal Information”) and other non-individually identifiable information from you when you create an account, respond to any communication such as e-mail, or otherwise use the Services in any manner. Such Personal Information may include certain of your protected health information (“PHI”) as that term is defined under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). We may also collect your Personal Information on behalf of third parties, such as your health care provider, persons or organizations that you authorize, as described below.

In order to use our Services, you will be required to provide Personal Information. For example, when registering as a user on the Service, we ask you for your name and e-mail address. We may also ask for additional personal information such as mailing address, phone number, your sex, and date of birth if not provided from Blue Button.

We collect and use mobile device identifiers, IP addresses and session identifiers to analyze trends, to administer the Company Services, to track user activities, to infer user interests, and to otherwise learn about individual users and market segments. We also collect and store certain other non-identifiable information, which is collected passively using various technologies, and cannot presently be used to specifically identify you.
Some of the Personal Information received by the Company in connection with providing the Services is subject to privacy and security laws and regulations including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that govern the use and disclosure of certain individually identifiable health-related Personal Information (“Protected Health Information”). For more information about our HIPAA-compliant activities, please contact [email protected].

We use “cookies” to enhance your experience and gather information about visitors and visits to the Services to help us understand your preferences based on previous or current activities. We also use cookies to help us compile aggregate data about Services traffic and Services interaction so that we can offer better experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our visitors and users. If you are using our platform on a computer, you can change your browser settings to set your cookie preferences. If you are accessing our platform from a mobile device, you can change your permissions and settings on your mobile device. Our Company Services currently do not respond to “Do Not Track” (DNT) signals.

Safeguarding Your Personal Information and Protected Health Information

We cannot guarantee the absolute security of any Personal Information submitted to or otherwise collected during your use of the Services, but the Company takes every reasonable effort to protect your Personal Information. The Company follows generally accepted industry security standards to safeguard and help prevent unauthorized access and maintain data security of Personal Information.

We are also subject to HIPAA because we act as a healthcare clearinghouse, which means we receive Protected Health Information from one source in one format and convert it into another format for use by a different source.
HIPAA requires us and healthcare providers who receive and use your Protected Health Information to implement certain measures to safeguard the confidentiality, integrity, and availability of your Protected Health Information. Healthcare providers who access your Personal Information through the Service agree to handle Protected Health Information in compliance with HIPAA.

Further, we encrypt your Protected Health Information when it is stored with our outside cloud computing services provider, who we require to comply with HIPAA to protect the security and privacy of your information. It will also be encrypted when transmitted electronically. However, no commercial method of information transfer over the Internet or electronic data storage is known to be 100% secure.

What Personal Information Do We Use?

We will only share elements of your individual Protected Health Information with entities that you have expressly authorized to acquire it as the primary service of the app (“Approved Third Parties”). These Approved Third Parties may include, without limitation, your healthcare providers or others who are involved in your care.

We may use the Personal Information and other data we collect from you when you register, access, view or use the Services, to communicate with you about access to your medical records. We may send you an email to verify your username and password when you create an account. We will communicate with you in response to your inquiries, to provide the services you request and to manage your account. We may send you requests on behalf of Approved Third Parties if they wish to access your Protected Health Information. We may send you notices when your records have been accessed, uploaded, or amended by Approved Third Parties. We will communicate with you by email or telephone, according to your account preferences.

We will also send you strictly service-related announcements on rare occasions when it is necessary to do so.
For instance, if our Services are temporarily suspended for maintenance, we might send you an email. Generally, you may not opt-out of these communications, which are not promotional in nature.

What Information do We Share, and with Whom do we Share it?

We will not rent or sell your Personal Information or Protected Health Information to other people or non-affiliated companies. We share your Personal Information, which might include your Protected Health Information, with the following people in the following ways:
  • With Your Consent: We will ask for your consent if we wish to share your information with anyone in a materially different way than discussed in this Privacy Policy.
  • With Approved Third Parties: With your consent, we may share, transfer or otherwise disclose certain of your Personal Information to your advocates/caregivers, your health care providers, in order to perform the Services, in connection with treatment, payment, or healthcare operations purposes, and for other purposes permitted or required by law.
  • Business Transfers: We may choose to sell our company or certain of our assets. In these types of transactions, customer information, including Personal Information about customers, is typically one of the business assets that are transferred but any data that is transferred will be subject to this Privacy Policy. If your personal information is part of such a transaction, you hereby consent to such transfer provided that the transferee agrees to abide by this Privacy Policy with respect to your Personal Information in our possession. We will notify you if such an event occurs.  You can always request that we remove your Personal Information as described below.
  • Protection of the Company and Other People: We may release Personal Information when we believe in good faith that release is necessary to comply with the law; enforce or apply our conditions of use and other agreements; or protect the rights, property, or safety of the Company, our employees, our users, or others. If necessary, we will make all legally required disclosures of any breach of the security, confidentiality, or integrity of your Personal Information (including your Protected Health Information). To the extent permitted by applicable laws, we will make such disclosures to you as quickly as we can but consistent with the legitimate needs of law enforcement or our need to conduct a thorough investigation.
  • Anonymized Information: We may create Anonymized Information from the information that you share with us, including any Personal Information, and use such Anonymized Information without restriction. We may, for example, use the De-identified Information ourselves for research and development purposes.

Retention of Your Personal Information

We will store your Personal Information for as long as we believe is necessary or appropriate (i) to carry out the purpose(s) for which we collected it, or (ii) to comply with applicable laws, contracts, or other rules or regulations, which may extend beyond the termination of our relationship with you. Unless otherwise set forth in the applicable Terms of Service or a separate agreement with you governing the applicable Services, if you cease using such Service, we may retain or destroy, at our discretion, all Personal Information and non-personally identifiable information we collect through your use of such Service. In addition to requesting us to delete your Personal Information in the application itself, you may also contact us at [email protected] to request that we delete your Personal Information. All retained Personal Information will remain subject to the terms of this Privacy Policy.

Use from Outside the United States

You understand and agree that if you are using the Services from a country outside the United States and provide Personal Information to the Company, you will be authorizing and consenting to the transfer of Personal Information about yourself to the United States. You understand that the privacy laws of the United States may be different from and not as comprehensive or protective as those in your country, and you agree that the transfer of your Personal Information to the United States occurs with your consent. Personal Information collected on the Company Service may be stored and processed in the United States or abroad.

Correcting and Updating Your Personal Information

You can request that we correct or update your Personal Information associated with your user account by contacting us by e-mail at [email protected] or you may access your user settings and update it yourself. You may also request an accounting of disclosures of your Protected Health Information.
It may take us up to 60 days to process your request. If we cannot respond to your request within that time, we will provide you with a reason why, and we may request another 30 days to respond. At this time, we cannot correct or update your Protected Health Information; please contact your health care provider or insurer.

Opt-Out Choices

To “opt-out” of (1) any consents previously given to us, (2) receiving communications from us, or (3) having Personal Information disclosed to third parties, send an e-mail to [email protected] or alternatively you may revoke access via your account on the healthpicture.com website.

Privacy and Third Party Links

This Privacy Policy applies solely to information collected by the Company through our website located at healthpicture.com and through the services we make available, and applies to information whether collected on our behalf or that of Approved Third Parties. This Privacy Policy does not apply to the third party sites and services, including Blue Button, that are accessible through these links and we suggest that you contact the operator of the third party service to obtain details about their privacy policies.

Exclusions

This Privacy Policy shall not apply to any unsolicited information you provide to us through the Services or through any other means. This includes, but is not limited to, any ideas for new products or modifications to existing products, and other unsolicited submissions (collectively, “Unsolicited Information”). All Unsolicited Information shall be deemed to be non-confidential and we shall be free to reproduce, use, disclose, and distribute such Unsolicited Information to others without limitation or attribution.

Your California Rights

The California Consumer Privacy Act (“CCPA”) provides California residents with specific rights regarding personal information.
The CCPA does not apply to certain information, such as information subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and certain other state or federal privacy laws. The CCPA also does not apply to businesses which do not have annual gross revenues in excess of twenty-five million dollars, collect personal information of 50,000 or more California consumers, households, or devices, or derive 50% or more of their annual revenue from selling consumers’ personal information. At this time, the Company is not subject to the CCPA. We will update this Privacy Policy in the future as needed to comply with applicable laws.

Children’s Privacy

The Company Service is intended only for use by adults, either for themselves or on behalf of their minor children. We do not knowingly collect information directly from children under the age of thirteen. If you have reason to believe that a child under the age of 13 has provided Personal Information to us through the Company Service, please contact us, and we will delete that information from our databases.

Contact Us

We welcome your questions, comments, and concerns about the Services. Please send us any and all feedback pertaining to the Services to [email protected]
