OLI HEALTH PRIVACY POLICY
Last Modified: 28 March 2026
Version: 1.1
Introduction
At Oli Health Inc. ("Oli Health," "we," "us"), we respect your privacy and are committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our practice management and electronic health records software (the "Services").
This Privacy Policy applies to information collected through our Services and should be read together with our Terms of Service and, where applicable, our Business Associate Agreement (BAA).
1. Our Role: Controller vs. Processor
It is important to understand our different roles in handling your data:
1.1 For Account and Subscriber Data: When you create an account, manage billing, or contact our support team, Oli Health acts as the Data Controller (or "Business" under certain U.S. state privacy laws). We determine how this information is collected and used to manage our business relationship with you.
1.2 For Client/Patient Health Data: When you (the health and wellness practitioner) enter client/patient records into our system, you are the Controller or Custodian, and Oli Health acts as the Data Processor or Service Provider:
- For U.S. Customers: You are the "Covered Entity" under the Health Insurance Portability and Accountability Act ("HIPAA"), and we are your "Business Associate." We process Protected Health Information (PHI) on your behalf in accordance with our Business Associate Agreement.
- For Canadian Customers: You are the "Custodian" or "Trustee" under applicable provincial health information legislation (such as Alberta's Health Information Act or Ontario's Personal Health Information Protection Act), and we act as your "Affiliate" or service provider (and, where applicable, an "information manager" under Alberta's Health Information Act). We process Personal Health Information on your behalf in accordance with our service agreement and applicable privacy laws.
1.3 Client/Patient Inquiries: Clients or patients with questions about their health records, or who wish to exercise rights regarding their health information, should contact their health and wellness practitioner directly. We will assist practitioners in responding to such requests as required by law.
2. Information We Collect
2.1 Information You Provide Directly:
Account Information:
- Name, professional credentials, and license details
- Email address and phone number
- Business name and address
- Billing and payment information (processed through secure third-party payment processors)
- Communication preferences
Client/Patient Health Data:
- Client/patient demographics (name, date of birth, address, contact information)
- Health information, wellness assessments, and clinical notes
- Treatment plans, care documentation, and session notes
- Insurance and billing information
- Appointment scheduling information
- Any other information you choose to input into the Services
Support and Communications:
- Information you provide when contacting customer support
- Survey responses and feedback
- Communications and correspondence with us
2.2 Information Collected Automatically:
Usage Data:
- Login times and session duration
- Features and functions accessed
- Pages viewed and actions taken within the Services
- IP address, browser type, and device information
- Operating system and device identifiers
- Time zone settings and language preferences
Technical and Diagnostic Information:
- Error logs and crash reports
- Performance data and system diagnostics
- Network connection information
2.3 Cookies and Similar Technologies:
2.3.1 Essential Cookies: We use strictly necessary cookies and similar technologies to:
- Maintain your login session and authentication
- Remember your preferences and settings
- Provide security features and prevent fraud
- Enable core functionality of the Services
2.3.2 Analytics and Performance: We may use analytics services to understand how users interact with our Services, identify areas for improvement, and optimize performance. Where required by applicable law, we will obtain your consent before placing non-essential analytics or advertising cookies and will provide a cookie management tool that allows you to change your preferences. Where such a tool is available, you can also review the list of analytics providers we use through that tool or our Cookie Notice.
2.3.3 Your Cookie Choices: Most web browsers are set to accept cookies by default. You can typically adjust your browser settings to remove or reject cookies. However, disabling essential cookies may affect your ability to use certain features of the Services. For more information about managing cookies, visit your browser's help documentation.
2.3.4 Do Not Track: Some browsers include a "Do Not Track" feature. Our Services do not currently respond to Do Not Track signals because there is no industry standard for how such signals should be interpreted.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 To Provide and Maintain the Services:
- Processing and managing your account
- Hosting and storing client/patient records securely
- Facilitating appointment scheduling and practice management
- Processing billing and payment transactions
- Providing customer support and responding to inquiries
- Sending transactional communications and service notifications (e.g., system updates, security alerts, billing notices)
3.2 Product Improvement and Development: Consistent with our Terms of Service and applicable law, we may use information we process to create de-identified, aggregated, or anonymized data sets in accordance with HIPAA de-identification standards (45 C.F.R. § 164.514(b)) for U.S. PHI and applicable Canadian de-identification standards.
Once properly de-identified so that it can no longer reasonably identify an individual, this information is no longer considered Protected Health Information (for U.S. customers) or Personal Health Information (for Canadian customers). We may use such non-identifiable information for any lawful business purpose, including but not limited to:
- Maintaining, improving, and developing our Services and technologies
- Training and refining machine learning models and AI algorithms
- Creating industry benchmarks, analytics, and insights
- Research and development activities
- Quality assurance and testing
3.2.1 AI-Assisted Processing. Certain features of the Services use artificial intelligence ("Oli AI") to process Customer Data in real time, including but not limited to generating clinical note drafts, transcriptions, summaries, and suggestions. This real-time AI processing occurs within the security and privacy safeguards described in this Privacy Policy and, for Protected Health Information, under the terms of our Business Associate Agreement. Oli AI is not a medical device and is not intended to provide clinical advice, diagnosis, or treatment recommendations. AI-generated outputs are for informational and administrative support purposes only and are subject to practitioner review and verification. Oli Health does not use identifiable Protected Health Information or Personal Health Information to train general-purpose AI models; any AI training or improvement activities are conducted solely on properly de-identified data as described above.
3.3 Safety, Security, and Compliance:
- Verifying identity and authenticating accounts
- Detecting, preventing, and investigating fraud and security incidents
- Monitoring and analyzing security threats
- Enforcing our Terms of Service and other policies
- Complying with legal obligations and responding to legal requests
- Protecting the rights, property, and safety of Oli Health, our users, and the public
3.4 Marketing Communications (With Your Consent): With your consent where required by law (such as Canada's Anti-Spam Legislation), we may send you promotional emails about:
- New features and product updates
- Educational content and best practices
- Special offers and promotions
- Industry news and events
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Updating your communication preferences in your account settings
- Contacting us at privacy@olihealth.ai
Important: Even if you opt out of marketing communications, we will still send you essential transactional and administrative emails related to your account and use of the Services (such as billing notices, security alerts, and service updates).
3.5 Legal Basis for Processing:
Our legal basis for collecting and using your information depends on the specific information and the context in which we collect it:
- Contract Performance: We process your Account Information to perform our contract with you and provide the Services.
- Legal Obligations: We process certain information to comply with legal and regulatory requirements, including HIPAA (for U.S. customers), PIPEDA and provincial health information legislation (for Canadian customers), tax laws, and other applicable regulations.
- Legitimate Interests: We process usage data, de-identified information, and certain account data for our legitimate business interests in:
  - Improving and developing the Services
  - Preventing fraud and ensuring security
  - Conducting research and analytics
  - Marketing our Services (where consent is not required)
  These interests are balanced against your privacy rights and freedoms.
- Consent: Where required by law, we obtain your explicit consent for specific processing activities, such as marketing communications or certain uses of cookies.
- Vital Interests: In rare cases, we may process information to protect someone's vital interests (e.g., in a medical emergency).
4. How We Share Information
We do not sell your personal information to third parties. We share information only in the following limited circumstances:
4.1 Service Providers and Subcontractors:
We engage trusted third-party service providers to help us deliver the Services. These providers are carefully selected, contractually bound to protect your information, and may only use it to perform services on our behalf.
Service providers include cloud hosting, payment processing, communication services, customer support tools, analytics, and security services. For U.S. customers' PHI, providers execute HIPAA Business Associate Agreements. For Canadian customers' Personal Health Information, providers enter into agreements compliant with PIPEDA and provincial health legislation.
A list of our key subcontractors is available upon request to privacy@olihealth.ai.
4.2 Legal Requirements and Protection of Rights:
We may disclose information if required or permitted by law, including to:
- Comply with legal process, such as a subpoena, court order, or government request
- Respond to lawful requests from public authorities, including national security or law enforcement
- Enforce our Terms of Service, Business Associate Agreement, or other policies
- Investigate and prevent fraud, security incidents, or illegal activities
- Protect the rights, property, safety, or security of Oli Health, our users, or the public
- Defend against legal claims or disputes
In such cases, we will make reasonable efforts to notify affected customers unless prohibited by law or court order, or if providing notice would undermine the purpose of the disclosure.
4.3 Business Transfers:
If Oli Health is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. In such cases:
- We will notify you via email and/or prominent notice on our website before your information is transferred
- The acquiring entity will be required to maintain the confidentiality of your information
- You will have the opportunity to delete your account before the transfer if you do not agree
- Health information transfers will comply with HIPAA (for U.S. customers) and applicable Canadian privacy laws
4.4 Aggregated and De-identified Information:
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you or any individual with:
- Business partners for research and analytics
- Industry organizations for benchmarking
- The public through reports, publications, or marketing materials
Such information is no longer considered personal information and is not subject to this Privacy Policy.
4.5 With Your Consent:
We may share your information with third parties when you explicitly consent to such sharing, such as when integrating third-party applications or services with your account.
5. Data Security
5.1 Security Measures:
We take data security seriously and implement comprehensive administrative, physical, and technical safeguards to protect your information, including:
Technical Safeguards:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Multi-factor authentication options for account access
- Regular security testing, including vulnerability assessments and penetration testing
- Secure software development practices and code reviews
- Automated threat detection and monitoring systems
- Intrusion detection and prevention systems
Physical Safeguards:
- Secure data centers with restricted physical access
- Environmental controls and redundancy systems
- Video surveillance and access logging
- Secure disposal of hardware and media
Administrative Safeguards:
- Strict access controls based on the principle of least privilege
- Role-based access management
- Employee security training and awareness programs
- Background checks for personnel with access to sensitive data
- Confidentiality agreements with all employees and contractors
- Incident response and disaster recovery plans
- Regular security policy reviews and updates
5.2 Compliance Standards:
Our security practices comply with HIPAA Security Rule requirements (for U.S. customers) and applicable Canadian federal and provincial privacy and security standards.
5.3 Breach Notification:
In the event of a data breach affecting your information, we will notify you in accordance with applicable law. For U.S. customers, notification will comply with HIPAA breach notification requirements (typically within 60 days of discovery). For Canadian customers, notification will comply with PIPEDA and provincial legislation requirements. Our notification will include a description of the breach, the information involved, steps taken to mitigate harm, recommended actions, and contact information. See our Business Associate Agreement for detailed breach notification procedures.
5.4 Your Security Responsibilities:
While we implement strong security measures, you also play a critical role in protecting your information:
- Keep your login credentials confidential and secure
- Use strong, unique passwords and enable multi-factor authentication
- Do not share your account with unauthorized individuals
- Log out when using shared or public devices
- Report any suspected unauthorized access immediately to security@olihealth.ai
- Keep your contact information current so we can reach you about security matters
5.5 Security Limitations:
Despite our best efforts, no internet transmission or electronic storage system is 100% secure. While we strive to protect your information using industry-standard methods, we cannot guarantee absolute security. You provide information to us at your own risk.
6. Data Retention
6.1 Active Accounts:
We retain your information for as long as your account is active and as necessary to provide you with the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
6.2 Closed or Terminated Accounts:
Upon account termination or closure:
- Export Period: You have thirty (30) days to export your data using our standard export tools
- Deletion Timeline: After the 30-day export period, we will delete your Customer Data from our production systems within sixty (60) days
- Backup Retention: Data may persist in backup systems for an additional thirty (30) days before permanent deletion
- Exceptions: See Section 6.3 below for information we may retain longer
6.3 Legal and Legitimate Retention:
We may retain certain information longer than the standard deletion timeline when:
- Legal Requirements: Required by law, regulation, or court order (e.g., tax records, audit logs, transaction history)
- Dispute Resolution: Necessary to establish, exercise, or defend legal claims or resolve disputes
- Fraud Prevention: Needed to prevent fraud, enforce our Terms of Service, or investigate security incidents
- Business Records: Required for legitimate business purposes (e.g., accounting, compliance audits)
Such retention will be limited to the minimum necessary period and subject to appropriate safeguards.
6.4 De-identified Data:
As described in Section 3.2, information that has been properly de-identified in accordance with applicable law is no longer considered personal information and is not subject to deletion obligations. De-identified data may be retained indefinitely for product development, research, and improvement purposes.
6.5 Client/Patient Health Information:
For client/patient health information, practitioners (our customers) may have specific legal obligations regarding retention periods under applicable laws and professional regulations. Practitioners are responsible for ensuring their use of our Services complies with such requirements. Practitioners are solely responsible for determining applicable retention periods under their professional licensing requirements and applicable law. Oli Health is not liable for data deletion that occurs after the standard retention period unless the practitioner has made alternative arrangements in writing.
7. Your Rights and Choices
7.1 Rights for All Users:
Access and Correction: You may access, review, and update your Account Information at any time through your account settings or by contacting us at privacy@olihealth.ai.
Data Portability: You may export your data in standard formats (CSV, JSON, PDF) at any time through the export functionality in your account settings.
Account Deletion: You may request deletion of your account and associated data by contacting us at privacy@olihealth.ai or through your account settings. Deletion is subject to our retention obligations described in Section 6.
Communication Preferences: You may manage your email preferences and opt out of marketing communications through your account settings or by clicking "unsubscribe" in any marketing email.
7.2 Additional Rights for Canadian Customers:
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, Canadian customers have the right to:
Right to Access: Request access to your personal information held by Oli Health and information about how it has been used and disclosed.
Right to Correction: Request correction of inaccurate or incomplete personal information.
Right to Withdraw Consent: Withdraw consent for certain uses of your personal information (where consent is the legal basis for processing), subject to legal or contractual restrictions.
Right to Complain: File a complaint with the Privacy Commissioner of Canada (1-800-282-1376 or www.priv.gc.ca) or your provincial privacy commissioner if you believe we have violated your privacy rights.
Response Timeline: We will respond to your requests within 30 days or as otherwise required by applicable law.
7.3 Additional Rights for U.S. Customers:
Depending on your state of residence, you may have additional privacy rights:
California Residents (CCPA/CPRA):
- Right to know what personal information we collect, use, and disclose
- Right to request deletion of personal information (subject to exceptions)
- Right to opt out of "sales" or "sharing" of personal information (Note: We do not sell personal information)
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information (Note: Health information collected through the Services is processed on behalf of healthcare providers)
- Right to non-discrimination for exercising your privacy rights
Other State Privacy Laws: Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights. Contact us at privacy@olihealth.ai to exercise these rights.
Verification: To protect your privacy, we may need to verify your identity before responding to requests. We will respond to verified requests within the timeframes required by applicable law.
7.4 Rights Regarding Client/Patient Health Information:
Important: For rights related to client/patient health information (health records):
- Contact Your Practitioner: Oli Health processes client/patient health data on behalf of health and wellness practitioners. Clients and patients should contact their practitioner directly to: access their health records; request corrections; request an accounting of disclosures; request restrictions on use or disclosure; or exercise other rights under HIPAA or applicable Canadian health legislation.
- Our Role: We will assist practitioners in responding to such requests as required by our Business Associate Agreement (for U.S. customers) or applicable service agreements (for Canadian customers).
7.5 How to Exercise Your Rights:
To exercise any of the rights described above, please contact us at:
- Email: privacy@olihealth.ai
Please include sufficient detail to allow us to understand and respond to your request. We may need to verify your identity before processing your request.
8. Data Location and International Transfers
8.1 Data Storage:
Customer Data is stored in secure data centers maintained by Oli Health or its service providers. Oli Health implements appropriate safeguards for any cross-border data transfers in accordance with applicable law.
8.2 Cross-Border Processing:
We may process Customer Data using service providers located in various jurisdictions as necessary to provide the Services. Such processing is subject to appropriate contractual and technical safeguards in accordance with applicable law.
8.3 Access from Other Locations:
If you access the Services while traveling or from outside your country of residence, your session and login data may be transmitted internationally, but your health information remains stored in your jurisdiction's data centers. You are responsible for complying with local laws regarding data transmission and access.
8.4 International Users:
The Services are designed for users in the United States and Canada. If you are located elsewhere, your information may be transferred to and processed in these jurisdictions, which may have different data protection laws. By using the Services, you consent to such transfer and acknowledge that your information may be subject to access by law enforcement and government authorities in the United States or Canada. The Services are not intended for users located in the European Economic Area. If you are located in the EEA, you may not use the Services.
9. Children's Privacy
9.1 Not Directed at Children:
Our Services are intended for use by health and wellness practitioners and are not directed at children under 13 (or under 16 where applicable). We do not knowingly collect personal information directly from children.
9.2 Client/Patient Data Regarding Minors:
Health and wellness practitioners using our Services may enter client/patient data regarding minors (children under 18) as part of their professional practice. In such cases: the information is collected and controlled by the practitioner, not by Oli Health; we process this information solely on behalf of the practitioner; the practitioner is responsible for obtaining any necessary parental or guardian consent; and the practitioner must comply with applicable laws regarding the treatment and privacy of minor clients/patients.
9.3 If You Believe We Have Information About a Child:
If you believe we have inadvertently collected personal information directly from a child without appropriate parental consent, please contact us immediately at privacy@olihealth.ai and we will take steps to delete such information.
10. Third-Party Links and Services
10.1 Third-Party Websites:
The Services may contain links to third-party websites, applications, or services that are not owned or controlled by Oli Health. This Privacy Policy does not apply to such third-party sites.
10.2 Third-Party Integrations:
If you choose to integrate third-party applications or services with your Oli Health account:
- You may be sharing information with those third parties
- Such third parties have their own privacy policies and terms
- We are not responsible for the privacy practices of third parties
- You should review their policies before connecting their services
10.3 No Endorsement:
Links to third-party sites do not imply endorsement or affiliation. We encourage you to read the privacy policies of any third-party sites you visit.
11. Changes to This Privacy Policy
11.1 Right to Modify:
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Modified" date at the top of this policy.
11.2 Notice of Material Changes:
For material changes that significantly affect your rights or how we handle your information, we will provide notice by:
- Posting a prominent notice on our website
- Sending an email notification to the address associated with your account
- Displaying an in-app notification when you next log in
- Or other appropriate means
Material changes will take effect thirty (30) days after notice is provided, except where required by law to be effective immediately.
11.3 Your Acceptance:
Your continued use of the Services after the effective date of changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you may terminate your account as described in our Terms of Service before the changes take effect.
11.4 Review Regularly:
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
12.1 Privacy Questions and Requests:
If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your privacy rights, please contact us:
Email: privacy@olihealth.ai
Support: support@olihealth.ai
Security Concerns: security@olihealth.ai
12.2 Privacy Officer:
Our designated Privacy Officer is responsible for overseeing compliance with this Privacy Policy and applicable privacy laws. You may contact the Privacy Officer directly at the addresses above.
12.3 Response Timeframe:
We strive to respond to all privacy inquiries within a reasonable timeframe, typically within 30 days or as required by applicable law. For complex requests, we may need additional time and will keep you informed of our progress.
12.4 Regulatory Authorities:
If you are not satisfied with our response to your privacy concern, you have the right to contact the appropriate regulatory authority:
For Canadian Customers:
- Office of the Privacy Commissioner of Canada
- Phone: 1-800-282-1376
- Website: www.priv.gc.ca
- Email: info@priv.gc.ca
- Provincial Privacy Commissioners (depending on your province):
  - Alberta: www.oipc.ab.ca
  - British Columbia: www.oipc.bc.ca
  - Ontario: www.ipc.on.ca
  - Quebec: www.cai.gouv.qc.ca
For U.S. Customers:
- For HIPAA Complaints:
  - U.S. Department of Health and Human Services, Office for Civil Rights
  - Website: www.hhs.gov/ocr/privacy/hipaa/complaints
  - Phone: 1-800-368-1019
- For State Privacy Law Complaints:
  - Contact your state Attorney General's office or consumer protection agency
Summary of Key Points
To help you understand our privacy practices at a glance:
✓ We respect your privacy and protect your information
✓ We don't sell your personal information
✓ Your data is protected with appropriate safeguards for any cross-border transfers
✓ You control your data - access, export, correct, or delete at any time
✓ We implement strong security - encryption, access controls, and monitoring
✓ We comply with applicable laws - HIPAA (U.S.), PIPEDA/provincial laws (Canada)
✓ You have rights - contact privacy@olihealth.ai to exercise them
Thank you for trusting Oli Health with your information.
Oli Health Inc.