🇪🇺 GDPR (European Union)
General Data Protection Regulation (EU) 2016/679. Applies to personal data of individuals located in the European Economic Area (EEA), regardless of where processing occurs. Sections 1–7 of this Addendum.
🇺🇸 CCPA / CPRA (California)
California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act. Applies to California residents. Sections 8–14 of this Addendum.
GDPR — Scope and Applicability
The GDPR applies to the processing of personal data of individuals located in the European Economic Area (EEA). IntakeAccess.ai is a United States-based healthcare platform primarily serving U.S. healthcare providers and patients. Our platform is not directed at EEA residents and is not designed to provide healthcare services within the EEA.
However, to the extent that EEA residents access our public Website or correspond with us, the GDPR may apply to their personal data. This section describes our GDPR compliance posture for such interactions.
Healthcare providers or facilities established in the EEA who wish to use IntakeAccess.ai for cross-border healthcare workflows should contact us at privacy@intakeaccess.ai to discuss applicable GDPR data processing agreements.
GDPR — Data Controller & Processor Roles
Under the GDPR, the roles of "Data Controller" and "Data Processor" determine responsibility for personal data:
- Data Controller: When IntakeAccess.ai collects personal data from Website visitors (e.g., contact form submissions, analytics data), we act as a Data Controller and determine the purposes and means of processing.
- Data Processor: When healthcare providers (Covered Entities) submit patient data to us through the platform, we act as a Data Processor on behalf of the healthcare provider (who is the Data Controller for their patient data).
- Data Processing Agreement (DPA): EEA-based healthcare providers who use IntakeAccess.ai as a Data Processor may request a GDPR-compliant Data Processing Agreement (DPA) from privacy@intakeaccess.ai.
GDPR — Lawful Bases for Processing
Under the GDPR (Article 6), we rely on the following lawful bases for processing personal data of EEA individuals:
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Responding to website inquiries and contact form submissions | Legitimate Interests | Art. 6(1)(f) |
| Website analytics (with consent) | Consent | Art. 6(1)(a) |
| Executing contracts with healthcare providers | Contract performance | Art. 6(1)(b) |
| Compliance with legal obligations (including HIPAA where applicable) | Legal obligation | Art. 6(1)(c) |
| Processing health data (special category data under GDPR) | Explicit consent or healthcare provision necessity | Art. 9(2)(a)/(h) |
GDPR — Your Rights as an EEA Data Subject
EEA residents have the following rights under the GDPR with respect to personal data we process as Data Controller. These rights may be limited where data is processed under HIPAA as PHI.
- Right of access: Obtain a copy of your personal data and information about how it is processed.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): Request deletion of personal data, subject to legal retention requirements.
- Right to restriction of processing: Request restriction of processing in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format, and transmit it to another controller.
- Right to object: Object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: Withdraw consent at any time where processing is consent-based. Withdrawal does not affect prior lawful processing.
- Rights related to automated decision-making: Not to be subject to solely automated decisions with significant legal effect. We do not conduct such processing.
To exercise GDPR rights: email privacy@intakeaccess.ai with subject line "GDPR Data Subject Request." We will respond within 30 days (extendable to 3 months for complex requests with notice).
GDPR — International Data Transfers
IntakeAccess.ai is based in the United States. All PHI and platform data is stored in U.S.-based HIPAA-compliant data centers. Transfers of personal data from the EEA to the United States require an appropriate safeguard under GDPR Chapter V.
For EEA-based providers who use our platform:
- We rely on the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism for personal data transferred from the EEA to the U.S.
- SCCs are incorporated into our Data Processing Agreement (DPA). EEA-based providers may request a DPA at privacy@intakeaccess.ai.
- We conduct Transfer Impact Assessments (TIAs) where required to assess the adequacy of protections for EEA personal data transferred to the U.S.
GDPR — Data Protection Officer & Supervisory Authority
IntakeAccess.ai does not currently meet the thresholds requiring mandatory appointment of an EU Data Protection Officer (DPO) under GDPR Article 37, as we are a U.S.-based entity whose primary processing activities involve U.S. healthcare data under HIPAA. We have designated a Privacy Contact for all GDPR inquiries.
Privacy Contact: privacy@intakeaccess.ai | 205-855-4545
Right to Lodge a Complaint
EEA residents have the right to lodge a complaint with their national Data Protection Authority (DPA). A list of EEA supervisory authorities is available at: edpb.europa.eu. We encourage you to contact us first to resolve any concern directly.
GDPR — Retention & Deletion
For non-PHI personal data of EEA individuals processed under GDPR, we retain data only as long as necessary for the stated purpose:
- Website inquiry / contact data: 3 years from last contact, or until deletion requested
- Provider account data (non-PHI): Duration of business relationship + 3 years
- Analytics data: 26 months maximum
- Consent records: 5 years (required to demonstrate compliance)
You may request deletion of non-PHI data at any time, subject to legal retention requirements. Deletion requests for PHI (which is governed by HIPAA medical record retention laws, not GDPR) will be addressed under HIPAA's framework.
CCPA/CPRA — Scope and Applicability
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents specific rights regarding their personal information. As noted at the start of this Addendum, information that qualifies as PHI under HIPAA is largely exempt from the CCPA/CPRA to the extent it is maintained in the same manner as PHI.
This section applies to personal information about California residents collected by IntakeAccess.ai that does not constitute HIPAA-regulated PHI — primarily:
- Information submitted through our public website (contact forms, demo requests, marketing communications)
- Non-PHI provider and facility account information (business contact details, payment information where not involving patient data)
- Website usage and analytics data
- Business-to-business commercial data
CCPA — Categories of Personal Information Collected
In the preceding 12 months, IntakeAccess.ai has collected the following categories of non-PHI personal information from California residents:
| CCPA Category | Examples | Collected? | Purpose |
|---|---|---|---|
| Identifiers | Name, email, IP address, account username | Yes | Account management, communications, security |
| Commercial information | Subscription plan, payment history | Yes | Billing, account management |
| Internet/network activity | Website browsing data, cookie data | Yes (public site only) | Analytics, Website improvement |
| Professional information | Provider credentials, NPI, specialty | Yes (providers only) | Account credentialing, platform access |
| Sensitive personal information — Health data (PHI) | Patient medical records, diagnoses, prescriptions | Yes — governed by HIPAA, not CCPA | Healthcare delivery (HIPAA-regulated) |
| Geolocation data | IP-derived general location | Limited (IP only) | Security monitoring, fraud prevention |
CCPA/CPRA — Your California Privacy Rights
California residents have the following rights under the CCPA/CPRA with respect to non-PHI personal information:
- Right to Know (Cal. Civ. Code § 1798.110): Request disclosure of the categories and specific pieces of personal information collected about you, the sources, the business purposes, and the third parties with whom it has been shared.
- Right to Delete (§ 1798.105): Request deletion of personal information we have collected, subject to exceptions including legal retention requirements and HIPAA obligations for PHI.
- Right to Correct (§ 1798.106): Request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing (§ 1798.120): Opt out of the sale or sharing of personal information. As noted above, we do not sell or share personal information for advertising purposes, so no action is required.
- Right to Limit Use of Sensitive Personal Information (§ 1798.121): Where we process sensitive personal information (as defined by CPRA) beyond necessary purposes, you may direct us to limit such use. Note: Patient health data (PHI) is governed by HIPAA, not CPRA.
- Right to Non-Discrimination (§ 1798.125): We will not discriminate against you for exercising any CCPA/CPRA right. Exercising privacy rights will not affect your subscription pricing or service quality.
CCPA — Disclosure of Information to Third Parties
In the preceding 12 months, we have disclosed non-PHI personal information to the following categories of third parties for business purposes:
- Cloud and infrastructure providers (Google Cloud, AWS) — for platform hosting and security
- Payment processors (Stripe) — for subscription billing
- Email service providers (SendGrid) — for transactional and marketing communications
- Analytics providers (Google Analytics) — for Website usage analysis (public pages only; IP anonymized)
- Legal, compliance, and professional advisors — as necessary for legal obligations
All third-party disclosures are made under contracts that restrict use to specified business purposes and prohibit unauthorized disclosure or use of personal information.
CPRA — Sensitive Personal Information
The CPRA creates a new category of "sensitive personal information" (SPI) with heightened protections. Categories of SPI that IntakeAccess.ai may process include:
- Health and medical information — governed by HIPAA as PHI; CPRA SPI rules do not apply to HIPAA-regulated PHI
- Account login credentials (usernames and passwords) — processed only for authentication security; not used for any secondary purpose
- Government-issued identification numbers (NPI, DEA registration) for providers — used only for credentialing
We use SPI only for the purposes for which it was collected, or as otherwise permitted under CPRA. We do not use SPI to infer characteristics about individuals or for advertising purposes.
California "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information about personal information shared with third parties for those parties' direct marketing purposes. IntakeAccess.ai does not share personal information with third parties for their direct marketing purposes. No Shine the Light disclosure is required, but you may confirm this by contacting us at privacy@intakeaccess.ai.
Other U.S. State Privacy Laws
In addition to California, several other states have enacted consumer data privacy laws. We honor applicable rights under these laws for residents of those states:
| State | Law | Effective | Key Rights Honored |
|---|---|---|---|
| Colorado | Colorado Privacy Act (CPA) | July 1, 2023 | Access, deletion, correction, opt-out of sale/targeting, portability |
| Connecticut | Data Privacy Act (CTDPA) | July 1, 2023 | Access, deletion, correction, opt-out, portability |
| Virginia | Consumer Data Protection Act (VCDPA) | Jan 1, 2023 | Access, deletion, correction, opt-out, portability |
| Utah | Utah Consumer Privacy Act (UCPA) | Dec 31, 2023 | Access, deletion, opt-out of sale/targeting, portability |
| Texas | Texas Data Privacy and Security Act | July 1, 2024 | Access, deletion, correction, opt-out, portability |
To exercise rights under any applicable state privacy law, contact us at privacy@intakeaccess.ai identifying your state of residence and the right(s) you wish to exercise. We respond within the timeframes required by the applicable law.
Note: Health data regulated under HIPAA remains exempt from most state-level consumer privacy laws to the extent it is maintained as PHI. Our HIPAA patient rights framework (described in the Privacy Policy, Section 10) provides the applicable rights framework for patient health data regardless of state.
Contact for GDPR & CCPA/CPRA Requests
All GDPR, CCPA/CPRA, and state privacy rights requests should be directed to:
- Privacy Email: privacy@intakeaccess.ai
- Compliance Email: compliance@intakeaccess.ai
- Phone: 205-855-4545
- Website: https://intakeaccess.ai