LAYRD HEALTH, INC.

PRIVACY POLICY

Effective Date: December 2, 2025

Last Updated: December 2, 2025

1. INTRODUCTION

Layrd Health, Inc. ("Layrd Health," "Company," "we," "us," or "our") is committed to protecting the privacy and security of the information we collect and process. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with our artificial intelligence-powered software platform designed to assist healthcare providers with chart preparation, clinical documentation, and related administrative tasks (the "Services").

This Privacy Policy applies to information collected through our website (thelayrd.com), our platform and applications, and any other interactions you may have with Layrd Health. By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

IMPORTANT NOTICE FOR HEALTHCARE PROVIDERS: Our Services are designed exclusively for use by licensed healthcare providers, medical practices, and healthcare organizations ("Healthcare Providers" or "Customers"). If you are a Healthcare Provider using our Services, you are responsible for ensuring that your use of our Services complies with all applicable privacy laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Our handling of Protected Health Information ("PHI") is governed by the Business Associate Agreement ("BAA") between Layrd Health and the applicable Healthcare Provider.

2. INFORMATION WE COLLECT

2.1 Information You Provide to Us. We collect information that you voluntarily provide to us when you register for an account, use our Services, communicate with us, or otherwise interact with us. This information may include:

  • (a) Account Information: Name, email address, phone number, job title, practice or organization name, and other contact information.
  • (b) Billing Information: Billing name, billing address, and payment method details. Note that payment processing is handled by third-party payment processors, and we do not store complete credit card numbers.
  • (c) Communications: Information contained in communications you send to us, including support requests, feedback, and other inquiries.
  • (d) Professional Information: Professional license numbers, NPI numbers, specialty, and other professional credentials.

2.2 Customer Data and Protected Health Information. When Healthcare Providers use our Services, they may submit, upload, or transmit patient information, clinical data, and other healthcare-related data ("Customer Data"). Customer Data may include Protected Health Information ("PHI") as defined under HIPAA. Our collection, use, and disclosure of PHI is governed by the Business Associate Agreement between Layrd Health and the applicable Healthcare Provider, and we process PHI only as permitted or required by the BAA and applicable law.

2.3 Information Collected Automatically. When you access or use our Services, we automatically collect certain information, including:

  • (a) Device Information: Device type, operating system, unique device identifiers, browser type, and browser language.
  • (b) Log Information: Access times, pages viewed, IP address, and the page visited before navigating to our Services.
  • (c) Usage Information: Information about how you use our Services, including features accessed, actions taken, and time spent on the Services.
  • (d) Location Information: General location information based on IP address.

2.4 Cookies and Similar Technologies. We use cookies, pixels, and similar technologies to collect information about your interactions with our Services. Cookies are small data files stored on your device that help us improve our Services and your experience. You can control cookies through your browser settings, but disabling cookies may limit your ability to use certain features of our Services.

3. HOW WE USE INFORMATION

We use the information we collect for the following purposes:

  • (a) To provide, maintain, and improve our Services, including to process transactions, authenticate users, and provide customer support.
  • (b) To communicate with you about your account, our Services, updates, and promotional offers (with your consent where required by law).
  • (c) To personalize and improve your experience with our Services.
  • (d) To analyze usage patterns and trends to improve the functionality and performance of our Services.
  • (e) To develop new products, services, features, and functionality.
  • (f) To detect, prevent, and address technical issues, security threats, fraud, and other harmful or illegal activities.
  • (g) To comply with legal obligations and enforce our terms and policies.
  • (h) For any other purpose with your consent.

3.1 Use of Protected Health Information. We use PHI only as permitted or required by the Business Associate Agreement and applicable law. Our use of PHI is limited to providing the Services to Healthcare Providers, including chart preparation, clinical documentation assistance, and related administrative functions. We do not use PHI for marketing purposes or sell PHI to third parties.

3.2 De-identified and Aggregated Data. We may create de-identified and/or aggregated data from information we collect, including from PHI, in accordance with applicable law. De-identified data does not identify any individual and is not subject to this Privacy Policy. We may use de-identified and aggregated data for any lawful purpose, including research, analytics, product development, and benchmarking.

4. HOW WE SHARE INFORMATION

We may share information in the following circumstances:

4.1 Service Providers. We share information with third-party service providers who perform services on our behalf, such as hosting, data analytics, payment processing, customer support, and marketing. These service providers are contractually obligated to use information only for the purposes of providing services to us and in accordance with this Privacy Policy.

4.2 Business Transfers. If Layrd Health is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your information.

4.3 Legal Compliance and Protection. We may disclose information if we believe disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our agreements, policies, and terms of service; (c) protect the security or integrity of our Services; (d) protect Layrd Health, our users, or the public from harm or illegal activities; or (e) respond to an emergency that we believe in good faith requires us to disclose information.

4.4 With Your Consent. We may share information with third parties when you have given us your consent to do so.

4.5 Protected Health Information. We share PHI only as permitted or required by the Business Associate Agreement and applicable law. We may disclose PHI to subcontractors who assist us in providing the Services, provided that such subcontractors agree to the same restrictions and conditions that apply to Layrd Health with respect to PHI. We do not sell PHI or use PHI for marketing purposes.

5. DATA RETENTION

5.1 General Retention. We retain information for as long as necessary to fulfill the purposes for which it was collected, including to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements. The retention period may vary depending on the context and our legal obligations.

5.2 Protected Health Information. We retain PHI only for as long as necessary to provide the Services and as required by the Business Associate Agreement and applicable law. Our Services are designed for real-time processing, and we do not retain PHI beyond what is necessary to provide the Services. Upon termination of the Business Associate Agreement, we will return or destroy PHI as required by the BAA.

5.3 Account Information. If you close your account, we will delete or anonymize your information within a reasonable period, except as required to comply with legal obligations, resolve disputes, or enforce our agreements.

6. DATA SECURITY

We implement and maintain reasonable administrative, technical, and physical safeguards designed to protect information from unauthorized access, use, disclosure, alteration, and destruction. Our security measures include:

  • (a) Encryption: All data is encrypted in transit using TLS 1.3 and at rest using 256-bit AES encryption.
  • (b) Access Controls: Role-based access controls limit access to information to authorized personnel on a need-to-know basis.
  • (c) Multi-Factor Authentication: We require multi-factor authentication for access to our systems.
  • (d) Security Monitoring: We continuously monitor our systems for security threats and vulnerabilities.
  • (e) Employee Training: Our employees receive regular training on data security and privacy.
  • (f) Incident Response: We maintain incident response procedures to address security incidents promptly.

For detailed information about our security controls and compliance certifications, please visit our Trust Center at: https://trust.delve.co/layrd.

While we take reasonable measures to protect information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information.

7. HIPAA COMPLIANCE

Layrd Health is committed to compliance with HIPAA and the HITECH Act. When we receive PHI from Healthcare Providers, we act as a "Business Associate" under HIPAA and are bound by the terms of our Business Associate Agreement with the Healthcare Provider.

Our HIPAA compliance measures include:

  • (a) Business Associate Agreements with all Healthcare Provider customers.
  • (b) Administrative, physical, and technical safeguards as required by the HIPAA Security Rule.
  • (c) Breach notification procedures in compliance with the HIPAA Breach Notification Rule.
  • (d) Workforce training on HIPAA requirements.
  • (e) Regular risk assessments and security audits.
  • (f) Policies and procedures to ensure minimum necessary use and disclosure of PHI.

Our Services are designed to assist Healthcare Providers with administrative and documentation tasks. Healthcare Providers remain responsible for their own HIPAA compliance, including obtaining any necessary patient authorizations and maintaining appropriate privacy practices.

8. YOUR RIGHTS AND CHOICES

8.1 Account Information. You may access, update, or delete your account information at any time by logging into your account or contacting us. Note that we may retain certain information as required by law or for legitimate business purposes.

8.2 Communications Preferences. You may opt out of receiving promotional communications from us by following the unsubscribe instructions in those communications or by contacting us. Even if you opt out of promotional communications, we may still send you non-promotional communications, such as those about your account or our ongoing business relations.

8.3 Cookies. Most web browsers are set to accept cookies by default. You can usually set your browser to remove or reject cookies, but this may affect your ability to use certain features of our Services.

8.4 Do Not Track. Some browsers include a "Do Not Track" feature that signals to websites that you do not want your online activity tracked. Our Services do not currently respond to "Do Not Track" signals.

8.5 Patient Rights. If you are a patient whose information has been processed through our Services, please contact your Healthcare Provider directly to exercise your rights under HIPAA, including your rights to access, amend, and receive an accounting of disclosures of your PHI. Healthcare Providers are responsible for responding to patient requests regarding PHI.

9. CALIFORNIA PRIVACY RIGHTS

If you are a California resident, you may have additional rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"). However, please note that PHI that is collected and used in compliance with HIPAA is exempt from the CCPA/CPRA.

For non-PHI personal information, California residents may have the right to:

  • (a) Know what personal information we collect, use, disclose, and sell.
  • (b) Request deletion of personal information.
  • (c) Opt out of the sale or sharing of personal information.
  • (d) Non-discrimination for exercising privacy rights.
  • (e) Correct inaccurate personal information.
  • (f) Limit the use of sensitive personal information.

We do not sell personal information or share personal information for cross-context behavioral advertising purposes.

To exercise your California privacy rights, please contact us using the information provided in Section 14 below.

10. OTHER STATE PRIVACY RIGHTS

Residents of certain other states, including Virginia, Colorado, Connecticut, and Utah, may have similar privacy rights under applicable state laws. If you are a resident of one of these states, you may have rights to access, correct, delete, and obtain a copy of your personal information, as well as the right to opt out of certain processing activities. To exercise your rights, please contact us using the information provided in Section 14 below.

11. CHILDREN'S PRIVACY

Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information. If you believe that we may have collected information from a child under 18, please contact us using the information provided in Section 14 below.

Note that Healthcare Providers may submit PHI relating to minor patients through our Services. Such PHI is processed in accordance with the Business Associate Agreement and HIPAA, and is not subject to the Children's Online Privacy Protection Act (COPPA) when processed for treatment, payment, or healthcare operations purposes.

12. INTERNATIONAL DATA TRANSFERS

Layrd Health is based in the United States, and information we collect is processed and stored in the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using our Services, you consent to the transfer of your information to the United States.

If we transfer PHI internationally, we will do so in compliance with HIPAA and any applicable data protection laws, including implementing appropriate safeguards such as standard contractual clauses.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Privacy Policy on our website, by email, or by other means reasonably calculated to provide notice. The updated Privacy Policy will be effective as of the date stated at the top of the Privacy Policy. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices.

14. CONTACT INFORMATION

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Layrd Health, Inc.

Attention: Privacy Officer

Email: privacy@thelayrd.com

Website: https://thelayrd.com

For questions specifically related to Protected Health Information, please contact your Healthcare Provider directly, as they are the Covered Entity responsible for your PHI under HIPAA.

15. ADDITIONAL INFORMATION FOR HEALTHCARE PROVIDERS

If you are a Healthcare Provider using our Services, please note the following:

  • (a) Business Associate Agreement: Your use of our Services involving PHI is governed by the Business Associate Agreement between you and Layrd Health. In the event of any conflict between this Privacy Policy and the BAA with respect to PHI, the BAA shall control.
  • (b) Your Responsibilities: You are responsible for ensuring that you have all necessary consents, authorizations, and legal bases to submit PHI to our Services. You are also responsible for your own compliance with HIPAA and other applicable privacy laws.
  • (c) Patient Requests: You are responsible for responding to patient requests to access, amend, or obtain an accounting of disclosures of their PHI. We will assist you in responding to such requests as required by the BAA.
  • (d) Breach Notification: In the event of a Breach of Unsecured PHI, we will notify you in accordance with the BAA and applicable law.
[END OF PRIVACY POLICY]
© 2025 Layrd Health, Inc. All rights reserved.