SYNC.MD PRIVACY POLICY

SyncMD is a company with a technological platform that helps exchange information between individuals and organizations in a more secure, efficient, and electronic manner. SyncMD uses software, mobile applications, website, and associated services (collectively the “Services”) to collect, store, share, and exchange your personal information with organizations and individuals that you choose.

The team at SyncMD takes the privacy and protection of your personally identifiable information (or “PII”) as our top priority. We will not sell or rent your data. We will not allow third parties to use it for profit or monetary transactions, and this includes both your PII and any deidentified or anonymized data that may be created based on your PII.

SyncMD uses encryption and strong security measures to prevent any unauthorized attempts to access your PII. However, to provide you with our Services, SyncMD must collect and use your PII in different ways. This Privacy Policy describes the ways in which SyncMD can collect, store, process, use, share, and destroy your PII.

If you do not want your PII to collected and used by SyncMD, do not consent or agree to this Privacy Policy and stop using our Services. By continuing to use our Services, you are agreeing to the terms of this Privacy Policy and SyncMD’s continued collection and use of your PII as described below.

SyncMD and our Services do not provide medical advice, treatment, or diagnosis. Always seek the advice of healthcare providers directly, not through our Services, with any issues, questions, or concerns that you may have regarding a medical or health emergency, treatment, or diagnosis.

SyncMD operates and provides the Services in compliance with all applicable federal, state, and local laws, regulations, and applicable regulatory guidance. SyncMD maintains policies, procedures, and safeguards designed to support compliance with legal and regulatory requirements governing the privacy, security, and use of health and personal information.

Section 1. Collection of Personally Identifiable Information

Information Provided to SyncMD

When you use SyncMD, you may submit or SyncMD may collect a variety of PII to give you access to our Services. Depending on the type of product or service that you are using, this PII may include:

• Contact Information (name, email, address, telephone number)
• Demographic Information (birthdate, age, gender, marital status)
• Financial Information (employment status, employer, salary)
• Government-Issued Driver’s License Information (driver’s license number, barcode, copy or image of license)
• Automotive Insurance Information (insuring organization, insurance status, account number, copy or image of insurance card)
• Payment information (billing address and credit card details, including card number, expiration date, and security code)
• Biometric Information (temporary processing of face, facial, eye, iris, retina, and other ‘Selfie’ related image data, scans, or identifiers for identity verification services)
• Personal Health Information (information and data related to the provision of health care to you such as your health status, medical records and related information or documents, consent to treatment forms, authorization to disclose medical information forms, Medicare forms, Medicaid forms, living wills, Directives to Physicians and Family or Surrogates, Medical Powers of Attorney, Out of Hospital Do Not Resuscitate Orders, Declarations of Mental Health Treatment, images, reports, labs and test results, medical treatments performed on you, and any other “protected health information” that may otherwise be defined under HIPAA and similar terms as defined by state, national, or international law)
• Self-Reported Health Information (information that you voluntarily enter or provide while using our Services, such as information about your health and/or medical condition and behaviors such as medications, exercise, or other activities)
• Legal Forms, Contracts, and Agreements (forms, contracts, agreements, authorizations, and other types of legally binding documents provided or collected through our services for your storage, transfer, review, consent, execution, or electronic signature including originals and/or copies)
• Electronic Signatures (record and/or image of your electronic signature including name, date, and time of the signature)
• Business Contact Information (name of organization, business email, business address, business telephone number)
• Other information that you provide directly to us or authorize a third party to provide to us

Automatically Collected Information while using our Services

In addition to the PII listed above, SyncMD may automatically collect, store, and analyze data from your computer, mobile device, or smartphone. SyncMD automatically collects IP addresses and web site usage information when you access our Services including:

• The type of web browser used
• Access times
• Webpages viewed
• Location
• The Webpage viewed before navigating to our Services
• Information about the computer, mobile device, or phone used to access our Services, including hardware model, operating system and version, unique device identifiers, and mobile network information.

This information helps SyncMD evaluate how our users, visitors, and customers navigate our platform. We look at such things as the number and frequency of people accessing each web page and how long they stay.

Identity Verification and Authentication

SyncMD uses secure authentication and authorization controls to verify user identity and protect access to personal health information. Access to SyncMD accounts requires authentication credentials and is protected by industry-standard security practices designed to prevent unauthorized access. When connecting to external healthcare providers or patient portals, SyncMD utilizes recognized healthcare interoperability standards, including SMART on FHIR and OAuth 2.0 authorization frameworks.

Use of Cookies

SyncMD may use cookies to collect and store information about your usage of SyncMD. Cookies are data files stored on your computer’s hard drive or in the device memory of your phone or mobile device. They help SyncMD improve delivery of Services to you. By measuring our online features and user experiences with them, we can determine areas and features that are most popular or in need of improvement.

Web browsers are often set to accept cookies by default. If you prefer not to share cookies with SyncMD, you may be able to set your browser to delete or reject all cookies or specific browser cookies. If you choose to delete or reject cookies from SyncMD, this could impact the functionality of the services provided through SyncMD.

Information Collected from Third-Party Sources

SyncMD may collect information about you from other online or offline sources. This includes commercially available third-party sources to verify eligibility and securely offer our services to you. We may combine this information with the PII we have collected about you under this Privacy Policy.

Your Rights and Choices

You may:

• Access your information;
• Download your records in available formats;
• Share or revoke access at any time;
• Request correction or annotation;
• Request account deletion.

Requests for account deletion are processed within 24-48 hours.

Revocation of consent will apply to future disclosures only and does not affect information that has already been shared with authorized recipients.

Section 2. Use and Disclosure of Personally Identifiable Information

SyncMD may use the PII collected about you only for the following:

• For the purpose(s) you specifically provided the information
• To register you as a customer, client, or associated user (or as a potential customer, client, or associated user) with organizations, individuals, or entities that you choose and consent to sharing and exchanging information with through SyncMD
• To provide you with our Services or access to our Services
• To provide our Services or access to our Services with the organizations, individuals, or entities that you choose and consent to sharing and exchanging information with through SyncMD
• To send you electronic notices or email to provide informational and operational support such as user management, customer service, system maintenance, or legal notifications
• To verify your identity and the legitimacy of your submitted PII
• To evaluate, enhance, and develop features, products, and services
• To detect and prevent fraudulent or illegal usage of our services
• To ensure internal quality control
• To perform accounting, auditing, and other internal functions
• To carry out any other purpose for which the information was collected

We use your information solely to provide, operate, secure, and improve the Services you request. SyncMD does not use personal or health information for marketing, targeted advertising, profiling, or automated decision-making that affects your legal rights or access to healthcare.

We may also use the information in other ways with your express consent. For instance, if we use a service or product that we offer jointly or through another entity. We may also use the information we collect about you in other ways if we provide specific notice and gather your active consent at that time.

Retention of PII

SyncMD may keep the PII we obtain for as long as you continue to actively use or maintain our services, as needed to fulfill the specific purpose(s) for which it was collected, and/or to provide ongoing services to the organizations or individuals with whom you have already shared or exchanged your PII. We may also need to retain your PII to resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws and regulations.

Consumer account data is retained while the account remains active and is deleted or de-identified within a reasonable period after account closure unless required for legal or compliance purposes

In the event of unused, or otherwise inactive accounts, SyncMD will retain your PII and associated user data for a period of ten years. At that point, your account, information, and all its associated user data may be permanently deleted from our records. Once deleted, it will no longer be accessible by us or recoverable by you in any way.

You are always free to delete your account and all its information and data, at any time, for any reason. You can initiate this process directly through the Services at your own discretion or by contacting SyncMD at help@syncmd.com. We will respond to all requests within a reasonable time or thirty business days.

Please make sure that you download or make copies of any information that you wish to keep before deleting your account; once deleted, documents and records will no longer be accessible by us or recoverable by you in any way

Legal Foundation for Handling Your PII

Some jurisdictions require companies to tell you the legal framework that gives them authority to use, disclose, or process your PII. To the extent that any of those laws apply, our legal foundation is as follows:

• To fulfill our contractual commitment we made with you
  • Most of our processing of PII is done to provide you with continued access and use of our services to exchange and share your information with the organizations, individuals, or entities that you choose.
• Legitimate business interests
  • Other processing of PII occurs because it furthers a legitimate or protected business interest in a way that does not override individual interests or fundamental rights and freedoms. This includes activity such as:
    • Providing a safe and enjoyable user experience
    • Customer Service
    • Marketing Communications via push notifications, which users may opt out of at any time through their device or application settings
    • Protecting our users, employees, property, or trade secrets
    • Analyzing and improving our business operations by collecting information about how you use our services to improve on the design and placement of features
    • Managing legal, regulatory, or compliance-based issues
• Legal Compliance
  • We may need to use, disclose, and maintain PII in certain ways to comply with legal obligations or for certain activities or features offered within our services that require different standards.
• Consent
  • Where required by law, and in some other circumstances, we handle PII on the basis of your express or implied consent to use it.
• To protect and safeguard vital interests of individuals or other people.

In summary:

• Uses & Disclosures Required to Operate the App
  • Storing health records
  • Identity verification
  • Security monitoring
  • Maintaining system functionality
  • To operate the Services, provide support, and meet legal and regulatory requirements
• Uses & Disclosures Initiated by the User
  • Sharing records with a provider, caretakers, family, attorney, or other third-party entities
  • Downloading/exporting data
  • Granting access to another party
  • Submitting a request for records
  • Data retrieval via FHIR interfaces

Section 3. Sharing of Personally Identifiable Information

SyncMD is not in the business of selling, renting, or sharing your PII for profit or monetary transactions. This includes any de-identified or anonymized data created from your PII. Third parties are not allowed to use your PII, including using or creating de-identified or anonymized data based on your PII, without your active consent. Third parties are not allowed to use your PII in any way that contradicts the standards of this Policy or the terms of our Services.

The services we provide to you involve the sharing of sensitive information. The trust you place in SyncMD to handle that information is why we consider the protection and safeguarding of your privacy our top priority. However, there are certain situations in which we may share your information with specific third parties based on the following conditions.

No Sale of Personal Information

SyncMD does not sell, rent, license, trade, or otherwise monetize your personal or health information.

Consent

We may share information about you with other parties or users of SyncMD based on your active consent, at your direction, or based on your usage of SyncMD which implicitly requires such sharing. By accepting this Privacy Policy and continuing to use SyncMD, you understand and agree that , SyncMD has permission to provide the organizations and individuals you choose with access, exchange, or sharing of your PII through our Services.

You may customize, manage, and revoke your consents through our Services and Applications. Be aware that the organizations, or individuals that you shared your PII with may have already acted, made decisions, or used your PII while your consent was active. Do not share your PII unless you are comfortable with recipient being able to view and use it for the purposes or services that you are providing it.

You may revoke SyncMD’s access to your health information at any time through your account settings or by contacting SyncMD support.

Once access is revoked, SyncMD will stop collecting new health information from connected sources.

Sharing, Storing, and Processing by Related Service Providers

We may need to share, store, or process information about you with SyncMD related Service Providers as part of the delivery of our Services . We may also share information about you with these service providers to support, enhance, or troubleshoot the Services we provide to you, to fulfill legal requirements, and for routine business purposes.

The types of activities and service providers to whom we may share, store, or process PII with include the following categories.

• Information Technology (IT) services
• Business Technology (BT) services
• Payment Processing Services
• Customer Service Activities
• Identity Verification or Identity Authentication Services
• Fraud Prevention
• Health care providers authorized by you
• Health information networks and interoperability services
• The provision of Information and Services which you have specifically requested and consented to
• In connection with the provision of other Services or Products that we may offer in the future after updating this Policy accordingly
• All vendors that process health data are required to follow strict confidentiality and security obligations

Legal Requirements

We may need to disclose or be required to disclose information about you in specific legal situations.

• As needed for legal requirements or legal process (such as a court order or subpoena)
• In response to requests by government agencies such as law enforcement authorities
• To establish, exercise, or defend the rights of SyncMD
• When disclosure is necessary or appropriate to prevent physical, financial, or other harm
• In connection with an investigation of suspected or actual illegal activity or content
• With your consent or at your discretion

Business Transfers

If all or a part of SyncMD is sold, merged, or otherwise transferred to another party, the PII you have stored with us may be transferred as part of that transaction. We will give you advance notice and information about the new ownership. We will include details on whether the terms of their Privacy Policy match the standards of our own, so that you may make an informed decision.

Should you choose to stop using our Services and close your account, you will be given a chance to have copies of your PII securely transmitted, shared, or downloaded for your personal use or retention before your account, information, and all your associated data is permanently deleted.

Section 4. Collection and Usage of De-Identified Data

SyncMD may create de-identified information that cannot reasonably be used to identify you. De-identified information is used internally and is not sold or shared for advertising purposes. SyncMD prohibits re-identification of de-identified information.

SyncMD may collect, process, and use your PII to change it into aggregated or non-aggregated data sets of de-identified information. De-identified information means that your PII has been fundamentally changed so that any information, and data points that could be used to identify you (or which could be reasonably used in combination with other information to specifically identify you), has been completely removed or transformed.

Aggregation of de-identified information means that even after your PII is made anonymous, it is combined with large amounts of other anonymous data so that no single source of data is identifiable.

SyncMD may use de-identified data in aggregated or non-aggregated forms exclusively internally for the following purposes:

• To evaluate, enhance, and develop features, products, and services
• To directly perform or engage in research, analytics, and testing
• For any other legitimate but exclusively internal business purpose authorized by law

Section 5. No Sharing of De-Identified Data

SyncMD does not sell, rent, or otherwise profit or engage in monetary transactions from providing any de-identified or anonymized user data to third parties, in any form.

Section 6. Risks of Choosing to Share or Exchange Data and Information through SyncMD

When you use SyncMD, we will provide you with Services that allow you to collect, store, share, and exchange PII about yourself with any organizations or individuals that you choose. Your decision to use SyncMD and share information with other parties in this manner is not without risk however, and you should consider them before or while using our Services.

SyncMD does not use artificial intelligence, profiling, or automated systems to make decisions that materially affect your legal rights, healthcare treatment, insurance eligibility, or access to services.

You are not required to use SyncMD to receive any form of medical treatment, advice, or services from a healthcare provider. SyncMD is an optional, third-party service provided directly to individuals for use as their own Personal Health Record. You are always free to request, exchange, and access your medical information directly from your healthcare providers without using SyncMD.

When you share medical information, you should be aware that it could include data or information that may impact others. Genetic tests, family histories, and similar types of medical information can reveal sensitive health information about others such as your spouse, relatives, children, etc. Carefully consider whether you trust the recipient to keep such information secure and protected before you share it.

Also consider the risks of information disclosure if you make a mistake or error when using SyncMD. You should always carefully review and verify the details of any organizations, individuals, or entities that you select or choose to share information with. We encourage you to talk directly with those recipients outside of SyncMD before you share information. You should discuss any concerns that you may have, such as their reason for needing your information, how much information they need, and what actions or decisions they may make based on that information.

SyncMD is not responsible for any actions or decisions that an organization or individual may take based on the information that you share with them. This includes any decisions regarding healthcare advice, treatment, diagnosis, verification of qualifications or insurance, testing results, offers of employment, terms of loans or product purchases, or any other actions that may come from the sharing of your PII. Carefully consider whether you want or need an organization or individual to have access to your information through SyncMD.

Section 7. Geographic Processing of Information – Consent to Transfer, Process, and Use your PII in the US from other countries

SyncMD is based in the United States and we offer our Services exclusively as part of operations within the United States. The laws of the United States which govern the collection and use of personal data may not be as comprehensive or protective as the laws of many other countries.

If you are a member of a country or region whose laws governing data collection and use may conflict with the laws of the United States, you consent to the processing and transferring of your information, including your PII, into the United States. By accessing and using our Services, you consent that SyncMD may collect, store, process, use, disclose, and transfer your data and PII as described in this Privacy Policy.

Section 8. Your Consent for Email Communications from SyncMD

By using our Services or providing your PII to SyncMD, you agree that SyncMD may send you emails about important user account, security, privacy, and/or administrative matters relating to your use of the services.

If we learn of a security or data breach for example, we will email you based on the information that you provided at the time of your registration. You may also have a legal right to receive such notice in writing.

Section 9. Unsolicited Information

You may provide us with ideas for new products, modifications to existing products, or other unsolicited submissions, feedback, or contributions (collectively, “Unsolicited Information”). All Unsolicited Information is non-confidential. SyncMD is free to reproduce, use, disclose and distribute such Unsolicited Information to others without limitation or attribution.

Section 10. Request to Access or Delete PII

SyncMD operates as a persistent Personal Health Record platform. Your information remains stored until you delete specific records or request account deletion. SyncMD does not automatically delete inactive accounts.

We will give you the chance to access or delete PII that we have in our possession. You can manually access or delete most forms of PII collected through SyncMD through your account, our applications, or our Services. If you wish to directly request access or deletion of your personal information, please contact us at help@syncmd.com or use the “Delete Account” function available within our Services or Applications.

We may still need to keep certain information as required by law, to provide ongoing services for the organizations, individuals, or entities who already have your PII, or for legitimate business purposes. We will respond to your request for access or deletion within a reasonable period or within thirty business days.

If you request to delete your PII, it will all be permanently deleted. Please make sure that you download or make copies of any information that you wish to keep before deleting your account.

Although SyncMD makes good faith efforts to provide individuals with access to their PII when requested, there may be times when SyncMD cannot provide access, including:

• The information contains legal privilege
• The information would compromise the privacy or rights of other individuals
• The burden or expense of providing access outweighs the risks to the individual’s privacy
• Where it is commercially proprietary

Section 11. Annotating, Correcting, or Marking PII

SyncMD makes an effort to provide tools and methods for you to directly update or change your PII, like contact information, as needed. However, some forms of PII collected are unable to have their content changed, such as records, forms, and documents that may be stored or preserved in static electronic formats such as PDFs.

In these situations, SyncMD will provide you with a process to flag or mark these forms of PII based on particular conditions. This way you and any organizations, individuals, or entities that you choose to share this PII with, will have notice of the problem, issue, or error associated with the underlying PII.

You may always reach out to us at help@syncmd.com to request corrections, annotations, or changes to your PII. We will respond to all requests within a reasonable time or thirty business days, although we may not always be able to fulfill every request due to technical or legal barriers.

Section 12. Data Security and Data Breach

SyncMD takes appropriate technical, security, and organizational measures to protect against unauthorized access, unlawful processing, accidental loss, destruction, or damage to PII and other data. You acknowledge and agree however, that no security measures are perfect or impenetrable, and SyncMD cannot guarantee that the information submitted to, maintained on, or transmitted from our systems will be completely secure. SyncMD is not responsible for the circumvention of any privacy settings or security measures contained on the SyncMD platform or services by any users or third parties.

In the event of a confirmed data breach involving your personal information, SyncMD will notify affected individuals without unreasonable delay and no later than thirty (30) days following confirmation, unless a shorter period is required by applicable law.

If a data breach does occur, SyncMD will formally notify the impacted parties via email with information about how and when the data breach occurred and the kinds of personal information that was involved or put at risk. The notice will explain and detail the steps that SyncMD is taking to remedy the breach, protect individuals, and what services we are offering in response. The notice will include individual steps or actions that you may take, and how to contact us for more information.

Section 13. Policy for Minor Users

The services made available on SyncMD are not intended for or made available to anyone under the age of thirteen (13) years old and we do not knowingly collect data from minors under the age of thirteen (13) years old. Minors between the ages of thirteen (13) and seventeen (17) may use our Services, but a parent, guardian, or personal representative must consent to this Privacy Policy and any other associated Agreements on their behalf. If you believe that we have mistakenly collected data from a minor user, please contact us at help@syncmd.com.

Section 14. Changes to Policy

SyncMD may choose to, or need to, change this Privacy Policy from time to time. If we do, we will notify you through appropriate channels to provide you with a plain language summary of the major changes and to obtain your active consent to the new terms.

This may include a combination of direct disclosures or notifications within our Services, Applications, or Website, contacting you through email, and by posting the revised policy on this page with a new “Last Updated” date. Providing your renewed consent to the changes we make, publish, or communicate about this Policy means that you are agreeing with the new terms.

Section 15. Change in Ownership

SyncMD will notify you if all or a part our company shuts down operations or sells, merges, or otherwise transfers ownership to another party. You will get advance notice and information about the new ownership so that you may make an informed decision on whether to continue using our Services. This will include details on the new entity’s Privacy Policy and whether it matches the standards and terms of this Policy regarding data collection and usage.

If SyncMD undergoes a merger, acquisition, or asset transfer, your information may be transferred as part of that transaction. If the transfer materially changes how your information is handled, you will receive advance notice and an opportunity to delete your account before the transfer is completed.

Should you choose to stop using our Services and close your account, you will be given the chance to have copies of all your PII securely transmitted, shared, or downloaded for your personal use prior to your account and all its associated data and information being permanently deleted.

Section 16. Governing Law

By choosing to visit or utilize SyncMD or otherwise provide information to us, you agree that any dispute over privacy or the terms contained in this Privacy Policy will be governed by the laws of the United States and the State of South Carolina.

Section 17. How to Contact Us or Submit a Complaint

If you would have a question about this policy, are seeking privacy related information, or would like to submit a complaint, please send us an email at help@syncmd.com. We will respond to all complaints within a reasonable time or thirty business days.

Privacy Oversight

SyncMD has designated a Compliance Program Coordinator responsible for privacy and security oversight. Questions or complaints regarding privacy practices may be directed to help@syncmd.com.

Section 18. Notice to California Users

The information provided in this section applies only to California residents.

The California Consumer Privacy Act of 2018 (“CCPA”) requires us to provide an explanation of the rights and choices we offer to California residents regarding our handling of their personal information, along with information regarding the categories of personal information we collect, use, and share.

1. California Residents’ Privacy Rights

The CCPA grants California residents the following rights:

• Information: You can request information about how we have collected, used, and shared your personal information during the past 12 months.
  • Access: You can request a copy of the personal information that we maintain about you.
  • Deletion: You can ask us to delete the personal information that we collected or maintain about you.

The CCPA places limits on these rights. We may not be able to provide certain sensitive information in response to an access request. We may be limited in the circumstances in which we must comply with a deletion request. If we do deny or limit your request, we will communicate our decision to you. You may exercise the rights listed above free from discrimination.

2. How to Submit a Request

To request access or deletion of personal information from out databases, please send us an email at help@syncmd.com. The CCPA requires us to take certain steps to properly verify the identity of the individual submitting a request before we can process it.

• We will contact you independently using the email address associated with your PII to confirm the validity of the request and your ownership of the data. We may also ask that you provide certain details and information about yourself to assure us that you are in fact the individual to whom the information you have requested belongs to.
• Once we have confirmed your identity to a satisfactory level in keeping with the principles of the CCPA, we will begin processing your request and notify you of any limitations or denials.
• California residents may empower an “authorized agent” to submit requests on their behalf. As part of our security and privacy measures, we require that any authorized agents have a written authorization with your signature confirming their authority to act on your behalf.

3. Personal Information that SyncMD Collects, Uses, and Shares

SyncMD will never sell or rent your personal information without your consent.

Information that SyncMD directly collects from you:

• Our services may collect information directly from you, which identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or device (“Personal Information”).
• We may collect this Personal Information directly from you on our web portal or through our services, or indirectly from you, such as by observing your actions when using our web portal, our services, or our website.
• As described in our Privacy Policy, we use cookies and other tracking tools on our web portal and website to analyze traffic and usage patterns.

4. Categories of Personal Information

The CCPA requires that companies disclose their collection and use of specific categories of Personal Information enumerated in CCPA. Below is a table of those categories and a notification as to whether SyncMD collects each. Please note that while each “CCPA category” may cover many types of personal information, SyncMD only collects, uses, and shared the personal information described in this Privacy Policy.