AcceptCare Privacy Policy Last Updated: 9/27/2022 AcceptCare (“AcceptCare,” “we,” “us,” or “our”) values your privacy. In this Privacy Policy (“Policy”), we describe how we collect, use, and disclose information that we obtain about users of our web-based platform, AcceptCare (the “AcceptCare Platform”), and the services made available through AcceptCare (collectively, the “Services”). Our Services are made available to end users (together, “Users”) by our clients who have licensed our Services (our “Clients” or “Providers”); our Clients control how Users use and access the Services. Our Clients are healthcare providers, such as dental practices, that use our Services as part of their business administration and support services, and they own the information collected in connection with the Services. AcceptCare allows our Clients to offer their own in-house financing solution, as well as thirdparty financing, to Users. By using or accessing AcceptCare or using any of the Services, you consent to this Policy, including the provisions governing how your personal information will be handled. Your use of our Services, and any dispute over privacy, is subject to this Policy and our Terms of Service, including the applicable limitations on damages and the resolution of disputes. The AcceptCare Terms of Service are incorporated by reference into this Policy. Users are designated by Clients and include: (1) administrators of our Clients who have administrative control over treatment information such as the cost, date, and nature of your treatment (“Administrators”); and (2) end users who are patients of our Clients (“Patients”). Both types of Users are collectively referred to as “Users” or “you” unless necessary to distinguish between the types. Collection of Information Use of Your Information Sharing of Your Information Protected Health Information Use of Cookies and Other Tracking Mechanisms Third-Party Sites and Services Security Your Choices Children Under 13 Your California Privacy Rights Changes to this Policy Contact Information Collection of Information We may collect information directly from Users and third parties such as our Clients, as well as automatically through your use of the Services. The type of information that we collect from you depends on your particular interaction with our Services, but generally includes the below information. Information Collected. The information we collect about you depends on your use the Services. • Administrators/Providers. Our Clients may provide us with your information such as your name, telephone number, and email address so that we can send you a link to register with us or access the AcceptCare Platform, as well as certain information about the treatment you are looking to finance, including the type, cost, and date of treatment. To the extent the disclosure involves “Protected Health Information,” please see Protected Health Information below. Our Clients may also provide your patient identifier (i.e., chart, patient, or invoice number) and the portion of your treatment, if any, that is covered by insurance. If you access or use the AcceptCare Platform through a link provided by us (outside the presence of your Provider) at the direction of your Provider, you will be asked to verify your identity before proceeding. • Interact with AcceptCare or Services. When you email us, call us, or otherwise contact us, we maintain records about our interactions and communications with you, including the nature of the request, name, and contact information. If you provide feedback, comments, suggestions, or participate in a survey, you may provide us with your name, telephone number, and email address. • Information Provided by You. We collect personal information from you when you: o Access or Use the AcceptCare Platform to Explore Financing Offers. When you access or use the AcceptCare Platform to explore financing offers, the AcceptCare Platform will permit you to enter personal information about yourself and/or your treatment(s). We collect and store any information you enter on the AcceptCare Platform except as otherwise noted herein. In order to process your request for financing offers from your Provider and third parties, we will collect your name and contact information, including your phone number, address, and email address, in addition to your date of birth, social security number, gross monthly income, and monthly rent or mortgage payment amount. You may be asked to submit additional documentation via the AcceptCare Platform to receive financing offers from third party lenders or your Provider, including but not limited to a copy of your driver’s license or proof of residency. o Create an Account for In-House Financing Through Provider. If you elect to finance any portion of your treatment through the in-house financing offered by your Provider, you will be required to create an account with us. On behalf of your Provider, we will collect personal information from you, including your name, contact information, payment information, and bank account or other payment method information. If you choose inhouse financing through your Provider, we will store all information you provide via the AcceptCare Platform for and on behalf of your Provider except as otherwise noted herein. • External Parties. Some of the information you provide via the AcceptCare Platform may be collected by external parties on our behalf. For example, AcceptCare does not offer payment processing. When you engage in a transaction on the AcceptCare Platform, AcceptCare uses a payment processor to process that payment. While we will collect information from you directly in relation to the transaction, including personal information such as your payment information, we do not store your credit card or other payment information. AcceptCare also does not pull your credit report, make credit inquiries, or perform credit processing; rather, it discloses the information you provide in the Pre-Qualification Form (and subsequent requests for related information or documentation) to a service provider who performs those services, including performing a soft inquiry on your credit, sourcing lenders willing to make financing offers, and relaying the same to us. Again, while we may collect information and documentation from you directly in relation to your request to be considered for financing offers, we do not store your financial or credit information, except as noted herein in relation to in-house financing through your Provider. As a result, the personal information you provide may be subject to and governed by the policies and terms & conditions of third parties. • Information Received from Third Parties. AcceptCare is not a lender or a broker and does not communicate with third-party lenders directly. AcceptCare does not review the personal information you provide via the AcceptCare Platform to determine your eligibility for financing offers. However, we may obtain personal information about you from third parties, such as credit bureaus and lenders, when you use the Services. The financing offers you receive, which could reflect or have taken into account information obtained from third parties, will be and stored on and accessible through the AcceptCare Platform for thirty (30) days. Please note that we do not store this information after 30 days. Automatically Collected Information/Usage Data. We automatically collect information such as the following about your use of our Services through cookies, web beacons, log files, and other methods: log files, IP address, app identifier, device ID, location information, browser type, device type, the dates and times you access the AcceptCare Platform and perform certain activities; device name and model; operating system type, name, and version; the length of time that you are logged into or using the AcceptCare Platform, and the links you click and your other activities within the AcceptCare Platform (“Usage Data”). We may combine Usage Data with other information that we have collected about you. Please see the section “Use of Cookies and Other Tracking Mechanisms” below for more information. Use of Your Information Subject to the limitations in the section on “Protected Health Information” where we serve as a HIPAA business associate, we use your information, including your personal information, for the following purposes: Providing and Improving Our Services. To provide and maintain our Services; to improve our Services; to develop new features, products, or services; to authenticate Users; to perform technical operations, such as updating software; and for other Client or User service and support purposes. For Communication Purposes. To communicate with you about your use of the AcceptCare Platform, including to respond to your inquiries. AcceptCare may also contact you via surveys to conduct research about your opinion of the AcceptCare Platform. Please see the Your Choices section for more information about how to change your communications preferences. We may also send you notifications by text message if you have requested or opted in to receive them. Protecting Rights and Interests. To protect the safety, rights, property, or security of AcceptCare, Providers, the AcceptCare Platform, any third party, or the general public; to detect, prevent, or otherwise address fraud, security, or technical issues; to prevent or stop activity that we consider to be, or to pose a risk of being, an illegal, unethical, or legally actionable activity; to use as evidence in litigation; and to enforce this Policy or our Terms of Service. Legal Compliance. To comply with applicable legal or regulatory obligations, including as part of a judicial proceeding; to respond to a subpoena, warrant, court order, or other legal process; or as part of an investigation or request, whether formal or informal, from law enforcement or a governmental authority. General Business Operations. Where necessary for the administration of our general business, accounting, recordkeeping, and legal functions. As part of our routine business administration, such as employee training, compliance auditing, and similar internal activities. Research and Analytics. To better understand how Users access and use our Services, and for other research and analytical purposes, such as to evaluate and improve our Services and business operations and to develop additional products, services, and features. Sharing of Your Information Subject to the limitations in the section on “Protected Health Information” where we serve as a HIPAA business associate, our Services are provided to our Clients, who have engaged us to make the Services available to their Patients. As such, all User information may be shared with Clients or at the direction of Clients. In general, we may also disclose your information, including your personal information, as follows: • Affiliates. We may disclose the information we collect from you to our affiliates or subsidiaries. However, if we do so, their use and disclosure of your personal information will be subject to this Policy. • Service Providers. We may disclose the information we collect from you to third-party vendors, third-party service providers, contractors, subcontractors, licensors, or agents as necessary to operate the AcceptCare Platform. • Business Transfers. We may disclose your information to another entity in connection with an acquisition or merger, sale, or transfer of a business unit or assets, bankruptcy proceeding, or as part of any other similar business transfer, including during negotiations related to such transactions. • Protecting Rights and Interests. We may disclose your information to protect the safety, rights, property, or security of AcceptCare, the AcceptCare Platform, the Providers, any third party, or the general public; to detect, prevent, or otherwise address fraud, security, or technical issues; to prevent or stop activity which we, in our sole discretion, may consider to be, or to pose a risk of being, an illegal, unethical, or legally actionable activity, to use as evidence in litigation, and to enforce this Policy or our Terms of Service. • Legal Compliance. We may disclose your information to comply with applicable legal or regulatory obligations, including as part of a judicial proceeding such as in response to a subpoena, warrant, court order, or other legal process; or as part of an investigation or request, whether formal or informal, from law enforcement or a government official. • With Your Consent. We may disclose your information as permitted with your written consent. • Aggregate and De-Identified Information. We may disclose aggregate, anonymous, or deidentified information about Users for marketing, advertising, Client-reporting, research, compliance, or other purposes. Protected Health Information We may collect your health information while acting as a “business associate” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), some of which may constitute “Protected Health Information.” A “business associate” includes an entity that provides services to a HIPAA covered entity that involves the use or disclosure of Protected Health Information. If your healthcare provider, such as your dentist, qualifies as a HIPAA covered entity, we qualify as a business associate of the healthcare provider. “Protected Health Information” as defined under HIPAA, generally means information about you that identifies you and that relates to your physical or mental health or condition, the provision of healthcare to you, or payment for healthcare provided to you. To the extent we are acting as a business associate, we will only use and disclose your information as follows: • To fulfill our service obligations to covered entities. • For our proper management and administration. • To carry out our legal responsibilities. • To aggregate data for the operations of our covered entity Clients. • To de-identify data. • To seek authorization from you for additional uses and disclosures of Protected Health Information. • As required by law. Use of Cookies and Other Tracking Mechanisms AcceptCare and our third-party service providers use cookies, pixels, java script, and other tracking mechanisms to track information about your use of the Services. We or our third-party service providers may combine this information with other information, including personal information, we collect from you. Cookies. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you. One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the web server that you have returned to a specific page. For example, if you verify your identity on the AcceptCare Platform, a cookie helps AcceptCare to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses. When you return to the AcceptCare Platform, the information you previously provided can be retrieved, so you can easily use the AcceptCare Platform. Disabling Cookies. You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the AcceptCare Platform. Clear GIFs, pixel tags and other technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (also referred to as web beacons, web bugs or pixel tags), in connection with our Services to, among other things, track the activities of Users of the Services, help us manage content, and compile statistics about usage of our Services. We and our thirdparty service providers also may use clear GIFs in HTML emails to Users, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded. Do-Not-Track Signals. The AcceptCare Platform does not respond to do-not-track signals. For more information about do-not-track signals, please click here. You may, however, disable certain tracking as discussed in the Cookies and Other Tracking Mechanisms section above (e.g., by disabling cookies). Third Party Analytics. We may use third-party analytics companies, for example Google Analytics (see privacy policy and opt-out), to evaluate use of our Services. We may use these tools to help us understand use of, and to improve, our Services, performance, ad campaigns, and User experiences. These entities may use cookies and other tracking technologies, such as web beacons or local storage objects (LSOs), to perform their services. Third-Party Sites and Services The AcceptCare Platform may contain links to or embedded links from third-party websites. This Policy applies to the use and disclosure of personal information we collect from Users. If you exit the AcceptCare Platform by link or by entering a new web address in your internet browser’s address window or utilize an embedded link, we no longer have any control over the information collected from you or its security. We are not responsible for the privacy practices of third-parties or your use of any third-party website or web-based service. Security AcceptCare has implemented precautions to protect the information we collect from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Please be aware that no data security measures can guarantee 100% security. You should take steps to protect against unauthorized access to your password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and, if applicable, keeping your log-in and password private. If you access the AcceptCare Platform through a text or email link from us or your Provider, you are responsible for maintaining the confidentiality of that link. We encourage you to take steps to ensure that the link is not accessible to unauthorized third parties. We are not responsible for any lost, stolen, or compromised passwords, or for any activity on the AcceptCare Platform via unauthorized password activity. To the extent applicable, you agree to immediately notify AcceptCare of any unauthorized use of your password or account or any other breach of security related to the AcceptCare Platform or the Services. Your Choices We may send periodic emails to you. You may opt out of any promotional communications by following the opt-out instructions contained in the email. Please note that it may take up to 10 business days for us to process opt-out requests. If you opt out of receiving promotional emails, we may still send you emails about your account with your Provider, your account with us, or any Services you have requested or received from us or your Provider. We may retain certain information about you as required by law or as permitted by law for legitimate business purposes. For example, if you request that we delete your information, but we believe that you have violated our Terms of Service, we may retain information about you in order to attempt to resolve the issue before deleting it. Children Under 13 Our Services are provided to our Clients and are not designed for children under 13. We do not intentionally collect information from those we actually know to be under 13. If we discover that a child under 13 has provided us with personal information, we will delete such information from our systems. California Privacy Rights If you are a California user of our Services (“California Consumer”), you have certain rights with respect to the collection, use, transfer, and processing of your “personal information,” as defined by the California Consumer Privacy Act (CCPA). Our Consumer Notice at Collection and Privacy Policy for California Residents is incorporated herein by reference and can be found here. Changes to this Policy This Policy is current as of the Last Updated date set forth above. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on the AcceptCare Platform. If we make any changes to this Policy that materially affect our practices with regard to the personal information we have previously collected from you, we will endeavor to provide you with notice in advance of such change, such as via email or prominent notice on the AcceptCare Platform. Contact Information If you have questions about the privacy aspects of our Services or would like to make a complaint, please contact us at support@acceptcare.com. We will forward any requests from Users regarding their personal information collected on behalf of Clients to the respective Clients. If you need to access this Policy in an alternative format due to having a disability, please contact us at support@acceptcare.com or (866) 846-8266.