PRIVACY POLICY

Last Updated: April 5, 2026

We at MDOPTIMUS LLC ("MDOPTIMUS LLC," "we," "us," or "our") have created this privacy policy (this "Privacy Policy") because we know that you care about how information you provide to us is used and shared. This Privacy Policy relates to the information collection and use practices of MDOPTIMUS LLC in connection with our website located at https://www.aclsassist.com/ (the "Website"), our proprietary Advanced Cardiovascular Life Support (ACLS) training and documentation software as a service (SaaS) platform (the "Platform") which is made available as a web application via our Website, as a mobile application via the Apple App Store (and any future mobile application stores for other platforms) (the "Mobile App"), and when you otherwise interact with us in any way. References to the "Platform" in this Privacy Policy include both the web application and the Mobile App, unless otherwise specified.

--------------------------------------------------------------------------------

1. DESCRIPTION OF USERS AND ACCEPTANCE OF TERMS

This Privacy Policy applies to visitors to the Website, who view only publicly-available content ("Visitors"), customers who have signed up to access and use the Platform (the "Customers"), and Customer's employees and contractors authorized by Customer to access and use the Platform ("Authorized Users").

By visiting our Website, Visitors are agreeing to the terms of this Privacy Policy and the accompanying Website Terms of Use.

By accessing and/or using the Platform, each Customer and Authorized User is agreeing to the terms of this Privacy Policy and the accompanying Platform Terms of Use.

Capitalized terms not defined in this Privacy Policy shall have the meaning set forth in our Website Terms of Use or the Platform Terms of Use, as the context requires.

--------------------------------------------------------------------------------

2. THE INFORMATION WE COLLECT AND/OR RECEIVE

In the course of operating the Website and the Platform, and/or interacting with you, we will collect (and/or receive) the following types of information. You authorize us to collect and/or receive such information.

2.1 Contact Information

When you contact us through the Website, by email or by mail, when you call us, or when you subscribe to receive more information about our products and services, you will be asked to provide certain information, including but not limited to, your name, email address, phone number, organization name, professional role, and any other information you are contacting us about (collectively, the "Contact Information"). The Contact Information is used to provide the requested service or information and to contact you for purposes of direct marketing of our current and future services.

2.2 Account Information

In order to access and use our Platform, you will have to create an account on our Platform. In connection with creating an account on our Platform, you will be asked to provide your email address, create a password, and may optionally provide your name, professional credentials, organization affiliation, and other profile information (collectively, "Account Information"). We use the Account Information to process the creation of your account, including to verify your identity, and to manage your account.

2.3 Billing Information

If you choose to pay the applicable fees by credit card, you will be required to provide certain additional information which may include a credit card number, expiration date, billing zip code, activation code, bank information, and similar information ("Billing Information"). Such Billing Information will be collected and processed by our third-party payment processor (Stripe) pursuant to the terms and conditions of their privacy policies and terms of use. MDOPTIMUS LLC does not directly obtain, store or process any Billing Information.

2.4 Your Data

In using the Platform, you will provide us Your Data. We will use Your Data (other than any personal information contained therein) in accordance with our Platform Terms of Use. Any personal information contained in Your Data will be used in accordance with this Privacy Policy.

For clarity, Your Data includes:
- ACLS session records and event documentation
- Medication administration records
- Procedure logs and respiratory intervention data
- Session notes and custom patient identifiers
- Uploaded images and documents for AI analysis (Pro Plus)
- Session timing and performance metrics
- QR code sharing activity (Pro tier)
- Session Reports and generated documentation

2.5 AI-Processed Data

Data Sanitization and PHI Removal. When you use AI-powered features of the Platform (including the AI-Powered Assistant, image analysis for ECGs, X-rays, and lab results, and evidence-based recommendations), Your Data is processed through an automated sanitization pipeline before being transmitted to any third-party AI service provider. This sanitization process removes all Protected Health Information ("PHI") as defined under HIPAA, including but not limited to patient names, dates of birth, medical record numbers, Social Security numbers, and any other individually identifiable health information, prior to transmission. The data transmitted to third-party AI service providers contains only de-identified clinical parameters, anonymized metrics, and non-identifiable medical data necessary to generate the requested AI output. No PHI is transmitted to, processed by, stored by, or accessible to any third-party AI service provider at any time. The sanitization and de-identification process occurs within MDOPTIMUS LLC's secure infrastructure before any data leaves our systems for AI processing.

AI Input Data Storage. MDOPTIMUS LLC stores all data submitted to AI-powered features ("AI Input Data"), including all prompts, queries, images, documents, and other content submitted by you or your Authorized Users to AI Features, within its secure infrastructure for the mandatory seven (7) year retention period described in Section 8 of this Privacy Policy. This storage supports Platform functionality, quality assurance, audit trail maintenance, and regulatory compliance.

AI Output Data Storage. MDOPTIMUS LLC stores all data generated by AI-powered features ("AI Output Data"), including all responses, recommendations, analyses, and other content generated by AI Features, within its secure infrastructure for the mandatory seven (7) year retention period described in Section 8 of this Privacy Policy.

Third-Party AI Service Provider. The Platform utilizes Anthropic's Claude API as its third-party AI service provider. Data transmitted to Anthropic for AI processing has been sanitized and de-identified as described above and does not contain PHI. Anthropic processes this de-identified data pursuant to Anthropic's API terms of service and privacy policy. Specifically: (a) Anthropic does not use API inputs or outputs to train its models unless a customer explicitly opts in; (b) Anthropic retains API inputs and outputs for a limited period (typically 30 days) for safety and abuse monitoring purposes, after which they are deleted; and (c) Anthropic maintains SOC 2 Type II certification and implements industry-standard security measures. We encourage you to review Anthropic's privacy policy at https://www.anthropic.com/privacy for the most current information regarding their data handling practices. MDOPTIMUS LLC is not responsible for changes to Anthropic's data handling policies; however, we will use commercially reasonable efforts to monitor material changes and update this Privacy Policy accordingly.

If you believe that PHI has been inadvertently transmitted to an AI service provider, please contact us immediately at privacy@aclsassist.com, and we will investigate and take appropriate remedial action.

2.6 Information Collected and/or Received Through the Contact Feature

When you utilize the "Contact" feature on the Website to reach out to us with questions about our business, Website, Platform, pricing, products, services or anything else, please only provide necessary information. All information you provide through the "Contact" feature will be used to assist you and answer your questions; provided, however, for recordkeeping, training and quality assurance purposes, we may record and maintain a transcript of any communication.

2.7 Information Obtained Automatically from Your Online Activity

When you access or use the Website and the Platform, we use browser cookies, pixels, web beacons, and similar technologies (collectively, "Tracking Technologies") to automatically collect or receive certain standard technical information and other data. This other data may include: traffic data; usage data (including but not limited to, sessions created, features used, frequency and duration of the Website and the Platform usage, and interactions with content on the Website and the Platform); location data; device information (including but not limited to, type of device, mobile device platform, operating system, browser type, screen resolution, IP address and other technical information); logs and other communications data sent to us by your computer, mobile device, tablet, or any other device over time on our Website and Platform; and your online activity across third party websites, apps, and devices. We may also evaluate your computer, mobile phone, or other access device to identify any malicious software or activity that may affect the availability of our Website and Platform.

When you access or use the Website and the Platform, advertising companies, analytics networks and providers, and other third parties may use Tracking Technologies to collect information about your online activities over time and across different websites, apps, online services, digital properties and devices.

The data we or third parties collect automatically may include personal information and/or statistical data that may not identify you personally; however, we or third parties may maintain, combine, or associate it with personal information collected in other ways or received from third parties. We and/or third parties use this information to (i) enhance the performance and functionality of the Website and Platform; (ii) personalize your experience with the Website and Platform, understand how you use the Website and Platform, maintain a persistent session, and improve and further develop the Website and Platform; and (iii) serve targeted and other advertising, and provide custom experiences, across other sites, apps, online services, digital properties and devices, measure how the ads perform, and for analytics purposes.

The Tracking Technologies used on the Website and the Platform include the following, among others:

Cookies: Cookies are small packets of data that a website stores on your computer's hard drive so that your computer will "remember" information about your visit. In addition to collecting information, we use cookies to help us authenticate users, provide content of interest to you, analyze which features you use most frequently, and measure and optimize advertising and promotional effectiveness. To do this, we may use both session cookies, which expire once you close your web browser, and persistent cookies, which stay on your computer until you delete them. For information regarding your choices regarding Cookies, please see Section 5 of this Privacy Policy.

Local Storage Technologies: We may use local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications.

Web Beacons: We use Web beacons, also known as pixel tags or clear GIFs, to demonstrate that a webpage or email address was accessed or opened, or that certain content was viewed or clicked.

Third Party Sites: When access to the Website and/or the Platform is made available to you through third-party sites, please be aware that these other sites maintain their own policies regarding Tracking Technologies and the collection and use of information. You are responsible for reviewing those policies.

Session-Replay Technologies: We may use session-replay technologies provided by third parties to record your interactions with our Website and Platform. This information helps us to diagnose problems, fix any technical or performance issues you may be having with our Website and/or Platform and improve our Website and Platform. These technologies allow us to watch a video-like reproduction of user interactions on our Website and Platform and capture your activities such as your page visits, mouse movements, clicks, and scrolls.

PHI Safeguards for Session Replay: We implement technical measures to mask, redact, or exclude PHI and other sensitive health information from session-replay recordings. These measures include field-level masking of patient identifiers, medication records, and clinical data displayed within the Platform. Any third-party session-replay provider that may have access to Platform interaction data is required to enter into a Business Associate Agreement (BAA) with MDOPTIMUS LLC to the extent required by HIPAA. Notwithstanding these safeguards, we cannot guarantee that all PHI will be excluded from every session-replay recording. If you have concerns about session-replay data capture, you may contact us at privacy@aclsassist.com to request that session-replay be disabled for your account.

2.8 Information Obtained from Third-Party Analytics Services

We may use one or more third-party analytics services (such as Google Analytics, Vercel Analytics) to evaluate your use of the Website and the Platform, compile reports on activity (based on their collection of IP addresses, Internet service provider, browser type, operating system and language, referring and exit pages and URLs, date and time, amount of time spent on particular pages, what sections of the Website and the Platform you visit, number of links clicked while on the Website and the Platform, search terms and other similar usage data), and analyze performance metrics. These third parties use cookies and other technologies to help analyze and provide us the data. By accessing the Website and/or the Platform, you consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Privacy Policy. For more information on these third parties, including how to opt out from certain data collection, please visit the sites below. Please be advised that if you opt out of any service, you may not be able to use the full functionality of the Website and the Platform.

For Google Analytics, please visit: https://www.google.com/analytics
For Google Maps (used in admin analytics), please visit: https://policies.google.com/privacy

2.9 Information Collected Through Mobile Applications

When you access the Platform through the Mobile App, we may collect additional information specific to your mobile device, including:

(a) Device Information: Device model, operating system version, unique device identifiers (such as IDFV — Identifier for Vendor), device language and locale settings, available storage, and screen resolution.

(b) Camera and Photo Library Access: If you grant permission, the Mobile App may access your device's camera and/or photo library to capture or upload images for AI analysis (such as ECGs, X-rays, and lab results). Images are processed in accordance with the AI data sanitization procedures described in Section 2.5. We do not access your camera or photo library without your explicit permission, and you may revoke this permission at any time through your device settings.

(c) On-Device Data Storage: The Mobile App may store certain data locally on your device to enable offline functionality, including ACLS session records, event documentation, medication records, procedure logs, and other session-related data ("On-Device Data"). On-Device Data is stored in encrypted form using industry-standard encryption and is automatically synchronized with our servers when an internet connection is available. On-Device Data is subject to all data protection and retention provisions of this Privacy Policy, the Platform Terms of Use, and the BAA. You are responsible for maintaining the physical security of your device and enabling device-level protections (such as passcode, biometric authentication, and device encryption). In the event of device loss or theft, notify us immediately at support@aclsassist.com.

(d) Network Connectivity Status: The Mobile App monitors your device's network connectivity status (e.g., online or offline) to manage data synchronization. We do not collect or store network identifiers such as Wi-Fi SSIDs or cellular network information.

(e) Push Notifications: If you opt in, we may send push notifications to your device regarding session reminders, medication timing alerts, and other Platform-related notifications. You may disable push notifications at any time through your device settings.

(f) App Analytics: We may collect anonymized usage data within the Mobile App (such as feature usage, session duration, and app performance metrics) to improve the Mobile App experience. This data does not include PHI or Your Data.

We do not collect precise geolocation data, contacts, call logs, SMS messages, or any data from other applications on your device.

2.10 Information Collected by or Through Third-Party Advertising Companies

We may share information about you with third parties that we have selected and approved for ad distribution and ad optimization (defined as the tailoring, targeting (i.e., behavioral, contextual, and retargeting), analyzing, managing, reporting, and optimizing of ads). These third parties may use cookies, pixel tags (also called web beacons or clear gifs), and/or other technologies to collect Other Information for such purposes. Pixel tags enable us and these third-party advertising companies to recognize a browser's cookie when a browser visits the site on which the pixel tag is located in order to learn which advertisement brings a user to a given site. In addition, we may receive information from advertisers and/or their service providers such as advertising identifiers, IP addresses, and post-conversion data.

Healthcare Data Advertising Restrictions. Notwithstanding the foregoing, MDOPTIMUS LLC does not share, sell, disclose, or otherwise make available to third-party advertising companies any of the following categories of data: (a) Protected Health Information (PHI); (b) Your Data, including ACLS session data, medication records, procedure logs, patient identifiers, uploaded images, Session Reports, AI Input Data, or AI Output Data; (c) any data that could reasonably be used to infer an individual's health status, medical condition, treatment history, or healthcare provider relationship; or (d) any information collected through authenticated (logged-in) sessions on the Platform. Data shared with advertising companies is limited to general website browsing activity on unauthenticated (public) pages of the Website, such as page views, referral sources, and general device information. This restriction is consistent with guidance issued by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) regarding the use of online tracking technologies by HIPAA-covered entities and business associates.

You may choose to opt out of this type of tracking and sharing of information at any time by selecting the specific partners you wish to exclude at this website: http://www.aboutads.info/choices. You can also limit this type of tracking through the Do Not Track functionality in your web browser and a "Limit Ad Tracking" setting on iOS devices or a setting to "Opt out of Interest-Based Ads" on Android.

--------------------------------------------------------------------------------

3. HOW WE USE AND SHARE THE INFORMATION

We may use and share your personal information as set forth below:

- To provide the Website and the Platform;
- To solicit your feedback, inform you about our products and services and those of our third-party marketing partners;
- To monitor, support, analyze, and improve the Website and the Platform;
- To communicate with you regarding the Website and the Platform;
- To fulfill your requests for information regarding new or improved products and services;
- To engage in marketing, advertising, and tracking activities, and evaluate the efficacy of our efforts, provided that, where required under applicable law, we will obtain your prior opt-in consent to send electronic marketing communications and/or our newsletter;
- To engage in research, project planning, troubleshooting problems, and detecting and protecting against error, fraud, or other criminal activity;
- To protect the safety and security of our Website and Platform, businesses and customers;
- To third-party contractors and service providers that provide services to us in the operation of our business and assistance with the Website and the Platform, such as technical support for the Website and the Platform and providing services such as IT and cloud hosting (Supabase, Vercel), payment processing (Stripe), AI services (Anthropic Claude — receiving only sanitized, de-identified data as described in Section 2.5), email delivery (Microsoft Graph), customer relationship management, email marketing, advertising services, analytics services, name and address verification, marketing and order fulfillment, email distribution, market research, fraud detection and prevention, promotions management, and administrative services, among others;
- To create and disclose aggregated, anonymous, user statistics and other information to (i) affiliates, agents, business partners, and other third parties; (ii) describe the Website and the Platform to current and prospective business partners; and (iii) other third parties for lawful purposes;
- To share some or all of your information with our parent company, subsidiaries, affiliates or other companies under common control with us;
- To fulfill our legal and regulatory requirements;
- To comply with applicable law, such as to comply with a subpoena, or similar legal process, and when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
- To assess or complete a corporate sale, merger, reorganization, sale of assets, dissolution, investment, or similar corporate event where we expect that your personal information will be part of the transferred assets;
- To audit our internal processes for compliance with legal and contractual requirements or our internal policies;
- To prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cyberattacks and identity theft;
- To improve or train our AI models, including MDOPTIMUS LLC's own proprietary or custom large language models (with your explicit opt-in consent via Platform settings, and using only de-identified, anonymized data as described in Section 2.5 and Section 4) to better serve your needs and improve the accuracy and quality of ACLS documentation, medical reasoning, and image analysis capabilities; and
- Otherwise, with your consent.

We will take reasonable measures (e.g., by contract) to require that any party receiving any of your personal information from us, including for purposes of providing the Website and the Platform, undertakes to: (i) retain and use such information only for the purposes set out in this Privacy Policy; (ii) not disclose your personal information except with your consent, as permitted by applicable law, or as permitted by this Privacy Policy; and (iii) generally protect the privacy of your personal information.

--------------------------------------------------------------------------------

4. AI/ML MODEL TRAINING CONSENT AND CONTROLS

Opt-In Consent Required. MDOPTIMUS LLC will not use Your Data for AI or machine learning model training (including training of MDOPTIMUS LLC's own proprietary or custom large language models) unless you provide explicit opt-in consent through the Platform settings. AI/ML model training consent is disabled by default for all accounts. You must affirmatively enable this setting if you wish to allow your de-identified, anonymized data to be used for model improvement purposes.

Scope of Data Used. If you opt in to AI/ML model training, only de-identified and anonymized data (from which all PHI has been removed in accordance with 45 C.F.R. 164.514(a)-(c)) will be used. No PHI, patient identifiers, or individually identifiable health information will be used for model training under any circumstances, whether for third-party models or MDOPTIMUS LLC's own proprietary or custom models.

Future Custom Models. MDOPTIMUS LLC may develop its own proprietary or custom large language models in the future to enhance the Platform. If and when such development occurs: (a) only de-identified, anonymized data will be used for training; (b) no PHI will be used under any circumstances; (c) updated notice will be provided to users through the Platform and/or this Privacy Policy prior to commencing such training; and (d) your opt-in consent will be required before your de-identified data is used for such training purposes.

Withdrawal of Consent. You may withdraw your consent for AI/ML model training at any time by disabling the relevant setting in your Platform account settings. Upon withdrawal of consent: (a) MDOPTIMUS LLC will cease using Your Data for new AI/ML model training within thirty (30) days of such withdrawal; (b) AI/ML models that were trained prior to the withdrawal of consent are not required to be retrained, modified, or deleted, as the de-identified training data has been incorporated into the model in a manner that cannot be practically extracted or reversed; and (c) withdrawal of consent will not affect the functionality of the Platform or your access to AI Features.

Transparency. We will maintain clear and accessible disclosures within the Platform settings regarding: (a) the current status of your AI/ML training consent (enabled or disabled); (b) a plain-language description of what data is used and how; and (c) instructions for enabling or disabling consent.

--------------------------------------------------------------------------------

5. ACCESSING AND MODIFYING INFORMATION AND COMMUNICATION PREFERENCES

Update Information: If the personal information we have for you changes, you may correct, update, or amend it by contacting us as set forth in Section 16 of this Privacy Policy. You may correct, update, or amend some of your personal information directly in your account on the Platform. We will use commercially reasonable efforts to process all such requests in a timely manner. You should be aware, however, that it is not always possible to completely remove or modify information in our databases. Additionally, we will retain and use your information (or copies thereof) as necessary to comply with our legal and/or regulatory obligations, resolve disputes, and enforce our agreements.

Important Note Regarding Deletion Requests: Due to the mandatory seven (7) year data retention period described in Section 8, and the no-deletion policy for Session Reports and Your Data described in the Platform Terms of Use, we are unable to delete Your Data, Session Reports, AI Input Data, or AI Output Data from the Platform prior to the expiration of the applicable retention period. Session Reports may only be marked as "In Error" or flagged for cancellation with a stated reason; the original record is preserved in all cases. This policy exists to maintain the integrity of the medical record and to comply with applicable legal, regulatory, and professional recordkeeping requirements. Personal information that is not part of Your Data (such as marketing preferences and certain Account Information) may be subject to deletion upon request, subject to our legal obligations.

Marketing Communications: You may manage your receipt of marketing and non-transactional communications by clicking on the "unsubscribe" link located on the bottom of any of our marketing emails. Please note that you cannot opt out of receiving transactional e-mails.

Cookie Management: Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies or other Tracking Technologies, the Website and the Platform may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit www.allaboutcookies.org.

You will need to apply these opt-out settings on each device from which you wish to opt out. We cannot offer any assurances as to whether the companies we work with participate in the opt-out programs described above.

--------------------------------------------------------------------------------

6. HOW WE PROTECT THE INFORMATION

We take commercially reasonable security measures to ensure that your information is treated securely and is protected from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in processing and the nature of such data, and in compliance with applicable laws and regulations. Unfortunately, the Internet cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information you provide to us. In particular, e-mail sent to or from the Website and/or the Platform may not be secure, and you should therefore take special care in deciding what information you send to us via e-mail or other electronic means. We do not accept liability for unintentional disclosure of your information.

We are compliant with HIPAA, and we have policies in place to ensure compliance with various state and federal laws governing the use of medical and consumer information. Our platform infrastructure utilizes:
- Encrypted data transmission (HTTPS/TLS)
- Secure cloud hosting (Supabase with Row Level Security)
- Regular security audits and monitoring
- Access controls and authentication systems
- Automatic session timeout mechanisms
- Encrypted database storage
- Automated PHI sanitization pipeline for AI data processing
- Field-level data masking for session-replay technologies
- Secure storage of all AI Input Data and AI Output Data
- On-device encryption for locally stored data in mobile applications
- Secure token-based authentication for mobile API communications
- Encrypted data synchronization between mobile devices and cloud servers

6.1 Incident Response and Breach Notification

MDOPTIMUS LLC maintains a written incident response plan for responding to security incidents involving personal information and PHI. In the event of a security breach involving your personal information or PHI:

HIPAA Breach Notification: We will notify affected Covered Entities within ten (10) days of Discovery of any Breach of Unsecured PHI, as required by our Business Associate Agreement and HIPAA Breach Notification Rule (45 C.F.R. sections 164.400-414).

Individual Notification: Where we are required to notify individuals directly (or where we assist Covered Entities in doing so), we will provide notification without unreasonable delay and in no event later than sixty (60) days following Discovery of the Breach, in accordance with applicable federal and state law.

State Breach Notification Laws: We will comply with all applicable state breach notification statutes, which may require notification to state attorneys general, affected individuals, and/or consumer reporting agencies within state-specified timeframes.

Content of Notification: Breach notifications will include, to the extent known: a description of the incident, the types of information involved, the steps individuals can take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further inquiries.

--------------------------------------------------------------------------------

7. EXTERNAL SITES

The Website and Platform may contain links to external third-party websites ("External Sites"). MDOPTIMUS LLC has no control over the privacy practices or the content of these External Sites. As such, we are not responsible for the content or the privacy policies of those External Sites. You should check the applicable third-party privacy policy and terms of use when visiting any External Sites.

--------------------------------------------------------------------------------

8. DATA RETENTION

General Retention Period. MDOPTIMUS LLC retains all of Your Data, including ACLS session records, Session Reports, medication administration records, procedure logs, uploaded images and documents, AI Input Data, AI Output Data, and all associated records, for a mandatory minimum period of seven (7) years from the date of creation or last modification, whichever is later. This retention period is mandated by MDOPTIMUS LLC to comply with applicable federal and state recordkeeping requirements, including but not limited to HIPAA record retention requirements, state medical records retention laws, professional licensing and accreditation standards, and applicable statutes of limitation. Users do not have the ability to select, modify, or shorten this retention period.

Retention by Data Category. The following retention periods apply to each category of data:

- Your Data (including Session Reports, ACLS session records, medication records, procedure logs, uploaded images, AI Input Data, and AI Output Data): Minimum seven (7) years from the date of creation or last modification.
- Account Information: Retained for the duration of your account plus seven (7) years following account termination or deletion.
- Contact Information: Retained for the duration of our business relationship plus seven (7) years, or as required for legal compliance.
- Usage Data: Retained for a minimum of three (3) years for analytics, security, and compliance purposes.
- Billing records: Retained for seven (7) years in accordance with tax and financial recordkeeping requirements.
- AI/ML Training Data: De-identified, anonymized data incorporated into trained AI/ML models is retained indefinitely as part of the model. Source de-identified data used for training is retained for a minimum of seven (7) years.
- Backup Data: Backup copies of Your Data are retained for an additional seven (7) days beyond the primary retention period and are deleted in accordance with our backup rotation schedule.

On-Device Data Retention. Data stored locally on your mobile device ("On-Device Data") is retained on the device until it is successfully synchronized with our servers, at which point the server-side retention policies described above apply. On-Device Data may also be removed from your device upon uninstallation of the Mobile App or manual clearing of app data; however, any data that has been synchronized with our servers remains subject to the mandatory seven (7) year retention period. MDOPTIMUS LLC is not responsible for any loss of On-Device Data that has not been synchronized with our servers due to lack of internet connectivity, device failure, device loss, or uninstallation of the Mobile App.

No Deletion; Session Report Corrections. Your Data, including Session Reports, cannot be deleted from the Platform. Session Reports may only be marked as "In Error" or flagged for cancellation with a stated reason. In all cases, the original Session Report and all associated data are preserved in their original form as part of the permanent record. This policy exists to maintain the integrity of the medical record and to comply with applicable legal, regulatory, and professional recordkeeping requirements.

Platform Settings Data Access. Basic Free tier users have access to session history for the last 30 days within the Platform interface; however, all underlying data is retained for the full seven (7) year retention period. Pro and Pro Plus tier users have unlimited access to session history within the Platform interface for the duration of their subscription. Irrespective of your subscription tier, MDOPTIMUS LLC retains all underlying data for the mandatory retention period.

Post-Termination Retention. Following termination of your account or this Agreement, MDOPTIMUS LLC will retain Your Data for the remainder of the applicable minimum retention period. Within thirty (30) days of termination, upon your written request, we will provide you with an export of Your Data in our possession in a mutually agreeable format. After the applicable retention period has expired, Your Data will be securely deleted or de-identified in accordance with our data destruction policies.

Legal Holds. Notwithstanding the foregoing retention schedules, MDOPTIMUS LLC may retain Your Data beyond the stated retention periods if required by law, regulation, legal proceeding, government investigation, or if the data is subject to a litigation hold.

--------------------------------------------------------------------------------

9. CHILDREN

We do not knowingly collect personal information from children under the age of 18 through the Website or Platform. If you are under 18, please do not give us any personal information. We encourage parents and legal guardians to monitor their children's Internet usage and to help enforce our Privacy Policy by instructing their children never to provide personal information through the Website and the Platform without their permission. If you have reason to believe that a child under the age of 18 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

The Platform is designed for use by healthcare professionals, medical trainees, emergency medical services personnel, and individuals with appropriate medical training or credentials, all of whom must be 18 years of age or older.

--------------------------------------------------------------------------------

10. IMPORTANT NOTICE TO NON-U.S. RESIDENTS

The Website, the Platform and their servers are operated in the United States. If you are located outside of the United States, please be aware that any information you provide to us may be transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to use any of our Website and/or Platform, you consent to any transfer and processing of your personal information in accordance with this Privacy Policy and you do so at your own risk.

--------------------------------------------------------------------------------

11. DO NOT TRACK AND GLOBAL PRIVACY CONTROL

Do Not Track (DNT): As discussed above, third parties such as advertising networks and analytics providers may collect information about your online activities over time and across different websites when you access or use the Website and the Platform. Currently, various browsers offer a "Do Not Track" option, but there is no uniform standard for commercial websites. At this time, we do not monitor, recognize, or honor general web browser "Do Not Track" settings and/or signals.

Global Privacy Control (GPC): MDOPTIMUS LLC recognizes and honors the Global Privacy Control (GPC) signal as a valid opt-out mechanism for the sale or sharing of personal information, as required by applicable state privacy laws including the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA). When we detect a GPC signal from your browser, we will treat it as a valid request to opt out of the sale or sharing of your personal information with third parties for targeted advertising purposes. The GPC signal applies on a per-browser and per-device basis. For more information about GPC, visit https://globalprivacycontrol.org/.

--------------------------------------------------------------------------------

12. NOTICE TO U.S. STATE RESIDENTS

12.1 California Residents

Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to obtain certain information about the types of personal information that companies with whom they have an established business relationship have shared with third parties for direct marketing purposes during the preceding calendar year, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. If you wish to submit a request pursuant to Section 1798.83, please contact us via email at privacy@aclsassist.com.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) Rights: California residents have the following rights under the CCPA and CPRA:
- The right to know what personal information we collect, use, disclose, and sell;
- The right to request deletion of personal information (subject to the mandatory retention period and no-deletion policy described in Section 8 for medical records and Session Reports);
- The right to correct inaccurate personal information;
- The right to opt out of the sale or sharing of personal information;
- The right to limit the use and disclosure of sensitive personal information;
- The right to non-discrimination for exercising CCPA/CPRA rights.

To exercise these rights, please contact us at privacy@aclsassist.com. We will respond to verifiable consumer requests within forty-five (45) days, or notify you if an extension of up to an additional forty-five (45) days is needed. Please note that deletion requests for Your Data and Session Reports are subject to the limitations described in Sections 5 and 8.

12.2 Virginia Residents

Residents of Virginia have rights under the Virginia Consumer Data Protection Act (VCDPA), including the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of automated decisions that produce legal or similarly significant effects. To exercise these rights, contact us at privacy@aclsassist.com. We will respond within forty-five (45) days. If your request is denied, you may appeal by contacting us at the same email address, and we will respond to your appeal within sixty (60) days. Deletion requests are subject to the limitations described in Sections 5 and 8.

12.3 Colorado Residents

Residents of Colorado have rights under the Colorado Privacy Act (CPA), including the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of targeted advertising, the sale of personal data, and certain profiling. We honor the Global Privacy Control (GPC) signal as described in Section 11. To exercise your rights, contact us at privacy@aclsassist.com. If your request is denied, you may appeal within the timeframe specified by the CPA. Deletion requests are subject to the limitations described in Sections 5 and 8.

12.4 Connecticut Residents

Residents of Connecticut have rights under the Connecticut Data Privacy Act (CTDPA), including the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of targeted advertising, the sale of personal data, and profiling. We honor the Global Privacy Control (GPC) signal as described in Section 11. To exercise your rights, contact us at privacy@aclsassist.com. Deletion requests are subject to the limitations described in Sections 5 and 8.

12.5 Texas Residents

Residents of Texas have rights under the Texas Data Privacy and Security Act (TDPSA), including the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of targeted advertising, the sale of personal data, and profiling. Additionally, the Texas Medical Records Privacy Act imposes specific requirements on the handling of medical records. To exercise your rights, contact us at privacy@aclsassist.com. Deletion requests are subject to the limitations described in Sections 5 and 8.

12.6 Washington Residents

Residents of Washington have rights under the Washington My Health My Data Act, which provides specific protections for consumer health data, including the right to access, delete, and withdraw consent for the collection, sharing, and sale of health data. The Washington My Health My Data Act applies broadly to "consumer health data," which may include data collected or processed through the Platform. To exercise your rights, contact us at privacy@aclsassist.com. Deletion requests are subject to the limitations described in Sections 5 and 8.

12.7 Other State Privacy Laws

Residents of other states with comprehensive privacy laws (including but not limited to Oregon, Montana, New Hampshire, New Jersey, Delaware, Iowa, Nebraska, Maryland, Minnesota, and other states that may enact privacy legislation) may have similar rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising and the sale of personal data. We are committed to honoring the privacy rights of all our users in accordance with applicable law. If you reside in a state with a comprehensive privacy law and wish to exercise your rights, please contact us at privacy@aclsassist.com, and we will process your request in accordance with the applicable state law. Deletion requests are subject to the limitations described in Sections 5 and 8.

Universal Request Process: Regardless of your state of residence, all privacy rights requests may be submitted by emailing privacy@aclsassist.com. We will verify your identity before processing any request. You may also designate an authorized agent to make a request on your behalf, subject to verification. We do not discriminate against any user for exercising their privacy rights.

12.8 Nevada Residents

If you are a resident of Nevada, you have the right to opt out of the sale of certain personal information to third parties. You can exercise this right by contacting us at privacy@aclsassist.com with the subject line "Nevada Do Not Sell Request" and providing us with your name and the email address associated with your account. Please note that we do not currently sell your personal information as sales are defined in Nevada Revised Statutes Chapter 603A.

--------------------------------------------------------------------------------

13. DATA SUBJECT ACCESS REQUESTS (DSARs)

Regardless of your state of residence, MDOPTIMUS LLC provides all users with the ability to submit data subject access requests. You may request:

- Access: A copy of the personal information and Your Data that we hold about you.
- Correction: Correction of inaccurate or incomplete personal information.
- Deletion: Deletion of your personal information, subject to the mandatory seven (7) year retention period and no-deletion policy described in Section 8 for Your Data and Session Reports. Personal information that is not part of Your Data (such as marketing preferences and certain Account Information) may be subject to deletion upon request, subject to our legal obligations.
- Portability: A copy of your personal information in a structured, commonly used, and machine-readable format.
- Restriction: Restriction of certain processing activities, where applicable.
- Opt-Out: Opt-out of the sale or sharing of personal information, targeted advertising, and/or AI/ML model training.

How to Submit a Request: Submit all requests to privacy@aclsassist.com. Include your full name, account email address, and a description of your request. We will verify your identity before processing any request. We will respond to all requests within forty-five (45) days of receipt, or notify you if additional time is required (not to exceed an additional forty-five (45) days). You will not be charged a fee for making a request unless the request is manifestly unfounded or excessive.

--------------------------------------------------------------------------------

14. CHANGES TO THIS PRIVACY POLICY

This Privacy Policy is effective as of the date stated at the top of this Privacy Policy. We may change this Privacy Policy from time to time with or without notice to you. Any such changes will be posted on the Website, the Platform, and the Mobile App. By visiting the Website, and/or accessing and/or using the Platform (including the Mobile App) after we make any such changes to this Privacy Policy, you are deemed to have accepted such changes. Please be aware that, to the extent permitted by applicable law, and without prejudice to the foregoing, our use of your information is governed by the Privacy Policy in effect at the time we collect the information. Please refer back to this Privacy Policy on a regular basis.

Material Changes. For material changes to this Privacy Policy that affect the collection, use, or sharing of personal information or PHI, or that reduce your rights, we will provide prominent notice via the Platform (such as a banner notification upon login) and, where we have your email address, via email notification, at least thirty (30) days before the changes take effect. Your continued use of the Platform after the effective date of a material change constitutes your acceptance of the updated Privacy Policy.

--------------------------------------------------------------------------------

15. HIPAA AND REGULATORY COMPLIANCE

MDOPTIMUS LLC operates as a Business Associate under HIPAA with respect to PHI processed through the Platform. Our obligations with respect to PHI are governed by the Business Associate Agreement (BAA) incorporated into our Platform Terms of Use as Schedule A. Key compliance measures include:

- All PHI is sanitized and de-identified before transmission to third-party AI service providers;
- All AI Input Data and AI Output Data are stored securely within MDOPTIMUS LLC's infrastructure;
- Business Associate Agreements are in place with all subcontractors who may access PHI;
- Regular HIPAA compliance training for MDOPTIMUS LLC personnel;
- Periodic risk assessments in accordance with 45 C.F.R. section 164.308(a)(1)(ii)(A);
- Policies and procedures for breach notification in accordance with the HIPAA Breach Notification Rule;
- Minimum necessary standard applied to all uses and disclosures of PHI; and
- Compliance with applicable state health privacy laws as described in Section 12.

For questions regarding our HIPAA compliance or to report a potential privacy concern involving PHI, please contact our Privacy Officer at privacy@aclsassist.com.

--------------------------------------------------------------------------------

16. CONTACT US

If you have any questions about this Privacy Policy or wish to report a privacy issue, please contact us in one of the following ways:

Email:
- General inquiries: support@aclsassist.com
- Privacy matters and DSARs: privacy@aclsassist.com
- HIPAA and PHI concerns: privacy@aclsassist.com
- AI data processing inquiries: privacy@aclsassist.com

Write to us at:

MDOPTIMUS LLC
Mailing Address:

--------------------------------------------------------------------------------

Copyright 2026 MDOPTIMUS LLC. All rights reserved.

End of Privacy Policy