XFERALL, LLC PRIVACY POLICY

XFERALL, LLC. ("we" or "our") is committed to protecting the privacy and security of personal
information and patient health information collected through our online service or mobile
application. This Privacy Policy describes how we collect, store, use and distribute information
through our software, website, mobile application, and related services (together, the "Services").

1. Consent.

By using the Services, you consent to the collection and use of your Protected Health Information
(as defined under the Health Information Portability and Accountability Act of 1996 and its
implementing regulations, "HIPAA") and certain Personal Information as described in this Privacy
Policy. Except as set forth in this Privacy Policy, your Protected Health Information and/or
Personal Information will not be used for any other purpose without your consent. We
acknowledge that we are a Business Associate under HIPAA and will not use or disclose Protected
Health Information collected through your use of the Services for any purpose that would violate
HIPAA. We also do not actively collect Personal Information for the purpose of sale of such
information in a way that specifically identifies you as an individual (i.e. we don’t sell customer
lists).

2. Collection of Information.

We may collect the following information about you, your patient(s), and your organization ("User
Data"):

Personal Information

When you register to use the Services, we may require you to provide certain personally
identifiable information, such as your name, company/organization name, and email address. We
will also collect your browser user-agent string, your IP address, and your geolocation coordinates.
Collectively, this information is referred to as your Personal Information. If you represent an entity
who will be purchasing the Services, we may require you to provide financial and billing
information, including but not limited to billing name and address, credit card number, federal and
state Employer Identification Numbers, etc. ("Billing Information").

Protected Health Information
In order to facilitate appropriate patient transfers through the Services, we may ask you to enter
certain information about the patient including but not limited to the patient’s age, sex, diagnosis,
condition level, insurance information, prior treatment, status, care level, special conditions, and
if required, all or part of the patient’s name. The information that we collect will be tailored to the
patient’s condition and the type of transfer requested.

Analytics Information
As you use our Services, we may also collect information through the use of commonly-used
information-gathering tools, such as cookies, log files, and Web beacons. Such Information may
include standard information regarding your mobile device, browser type, browser language,




Operating System, Internet Protocol ("IP") address, and the actions you take on our web site (such
as the web pages viewed and the links clicked) or while using the Services. Collectively, this
information is referred to as "Analytics Information."

Data, Diagnostic & Login Information
You may be able to create, upload, publish, transmit, distribute, display, store or share information,
data, text, graphics, video, messages or other materials using our Services (this is collectively
referred to below as "Data"). Some of this Data may be stored and maintained on our servers. If
you run into technical errors in the course of using the Services, we may request your permission
to obtain a crash report along with certain logging information from your system documenting the
error ("Diagnostic Information"). Such information may contain information regarding your
Operating System version, hardware, browser version (and .NET version information in case of
Windows systems), and your email address, if provided. Additionally, certain login information
may be maintained in a cookie stored locally on your personal computing device (i.e. not on a
server) in order to streamline the login process ("Login Information").

3. Use of Information.

We may use the information we collect from you in the following ways:

Personal Information
We use this information to manage your account, to provide the Services, to maintain our
transferring facilities list, to respond to your inquiries or provide feedback, for identification and
authentication purposes, for service improvement, to address issues like malicious use of the
Services, and to generate aggregated transfer reports. We may also use Personal Information for
limited marketing purposes, specifically, to contact you to further discuss your interest in the
Services or any additional services we may provide in the future, and to send you information
about us or our partners.

Billing Information
We use financial information to manage your account, to provide the Services, and to collect
payment for the Services. We may use a third-party service provider to manage credit card
processing. If we do so, such a service provider will not be permitted to store, retain, or use Billing
Information except for the sole purpose of credit card processing on our behalf.

Protected Health Information
In order to appropriately provide the Services, we will use and disclose Protected Health
Information about your patient(s) for the purpose of coordinating the appropriate facility transfer.
This information will be used solely for treatment, payment or health care operations purposes and
will not be shared with third parties outside of these limited purposes. We reserve the right to use
any de-identified information for purposes of data aggregation and to support our administrative,
management, or other business functions.

Analytics Information
We use this information to provide you with the Services. Analytics Information may be used to




support our administrative, management or other business purposes and may be used in aggregated
format to generate reports for our clients. We may also use your Analytics Information in a de-
identified, anonymous way in conjunction with an analytics service to monitor and analyze use of
the Services, for the Services’ technical administration, to increase the Services’ functionality and
user-friendliness, to offer new or additional service lines and features, to monetize business
intelligence, and to verify users have the authorization needed for the Services to process their
requests.

Data, Diagnostic Information and Login Information
We use this information solely for the purpose of administering, supporting, and improving our
Services to you.

If we plan to use your Personal Information or Protected Health Information in the future for any
other purposes not identified above, we will only do so after informing you by updating this
Privacy Policy.

4. Other Uses and Disclosures.

We have put in place contractual and other organizational safeguards with our partners and agents
to ensure an appropriate level of protection of your Personal Information and Protected Health
Information. In addition to those measures, we will not use or disclose your Personal Information
or Protected Health Information to third parties without your authorization, except as specified in
this Privacy Policy.

From time to time we may employ third parties to help us improve the Services. These third parties
may have limited access to databases of user information or client information solely for the
purpose of helping us to improve our website, mobile application, or other Services offerings and
they will be subject to contractual restrictions prohibiting them from using such information in a
manner contrary to law and as stated in this Privacy Policy. Such agents or third parties do not
have any rights to use Personal Information or Protected Health Information beyond what is
necessary to assist us.

5. Disclosure Exceptions.

We may disclose your Personal Information or Protected Health Information to third parties
without your consent if required by law or otherwise permitted under HIPAA. Any disclosure of
your Personal Information or Protected Health Information made under an exception will be
effectuated in good faith and in accordance with law.

We may also disclose your Personal Information or Protected Health Information in connection
with a merger, acquisition, corporate re-organization, a sale of all or a substantial portion of our
assets or stock, including any due diligence exercise carried out in relation to the same, provided
that the information disclosed continues to be used for the purposes permitted by this Privacy
Policy by the entity acquiring the information.





6. Security.

The security of your Personal Information and Protected Health Information is very important to
us. We use commercially reasonable efforts to store and maintain your Personal Information and
Protected Health Information in a secure environment, including encryption of such information
both in transit and at rest. Additionally, our databases and backups are encrypted and all
connections (Client to server https, Client to server wss, server to database SSL) are encrypted to
HIPAA standards. We also take technical, physical, administrative, and contractual security steps
designed to protect Personal Information and Protected Health Information that you provide to us.

You are also responsible for helping to protect the security of your Personal Information and
Protected Health Information. For instance, never give out your password, and safeguard your user
name, password and personal credentials when you are using the Services, so that other people
will not have access to your information. Furthermore, you are responsible for maintaining the
security of any personal computing device on which you utilize the Services and for timely
updating the Services in response to any security push notifications that we may send to you.

7. Sharing Information with Third Parties.

You may be able to share Personal Information and Protected Health Information with third parties
through use of the Services. The privacy policies of these third parties are not under our control
and may differ from ours. The use of any information that you may provide to any third parties
will be governed by the privacy policy of such third party or by your independent agreement with
such third party, as the case may be. If you have any doubts about the privacy of the information
you are providing to a third party, we recommend that you contact that third party directly for more
information or to review its privacy policy.

8. Retention.

We will keep your Personal Information and Protected Health Information for as long as it remains
necessary for the identified purpose or as required by law, which may extend beyond the
termination of our relationship with you. We may retain certain data as necessary to prevent fraud
or future abuse, or for legitimate business purposes, such as analysis of aggregated, non-
personally-identifiable data, or account recovery. All retained Personal Information and Protected
Health Information will remain subject to the terms of this Privacy Policy.

9. Access to Information.

You have the right to access the Personal Information and Protected Health Information we retain
from you. Upon receipt of your written request, we will provide you with a copy of your Personal
Information and/or Protected Health Information, although in certain limited circumstances we
may not be able to make all relevant information available to you, such as where that information
also pertains to another user. In such circumstances we will provide reasons for the denial to you
upon request. We will endeavor to deal with all requests for access and modifications in a timely
manner.





We will make every reasonable effort to keep your Personal Information accurate and up-to-date,
and we will provide you with mechanisms to update, correct, delete or add to your Personal
Information as appropriate. This amended Personal Information will be transmitted to those parties
to which we are permitted to disclose your information, as appropriate. Having accurate Personal
Information about you enables us to give you the best possible service.

Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to ask us
for a notice identifying the categories of Personal Information which we share with our affiliates
and/or third parties for marketing purposes, and providing contact information for such affiliates
and/or third parties. If you are a California resident and would like a copy of this notice, please
submit a written request to:

ATTN: PRIVACY INQUIRY | ADMIN
XFERALL, LLC
111 Congress Avenue, Suite 400
Austin, TX 78701

10. Amendment of this Privacy Policy.

We reserve the right to change this Privacy Policy at any time. If we decide to change this Privacy
Policy in the future, we will post or provide appropriate notice. Any non-material change (such as
clarifications) to this Privacy Policy will become effective on the date the change is posted, and
any material changes will become effective 10 days from their posting on our website or via email
to your listed email address. Unless stated otherwise, our current Privacy Policy applies to all
Personal Information and Protected Health Information that we collect from you. The date on
which the latest update was made is indicated at the bottom of this Policy. We recommend that
you revisit this Policy from time to time to ensure you are aware of any changes. Your continued
use of the Services signifies your acceptance of any changes.

11. Contact Us.

If you would like to access your information, if you have any questions, comments or suggestions
of if you find any errors in our information about you, please contact us:

Via email at: privacy@xferall.com




Via mail at:


ATTN: PRIVACY INQUIRY | ADMIN
XFERALL, LLC




111 Congress Avenue, Suite 400
Austin, TX 78701


If you have a complaint concerning our compliance with applicable privacy laws, we will
investigate your complaint and if it is justified, we will take appropriate measures. You also have
the right to file a complaint with respect to our use and disclosure of Protected Health Information
to your local Regional Office of the United States Department of Health and Human Services –
Office for Civil Rights.

Last Updated: November 28, 2016

YOUR USE OF XFERALL’S SERVICES MEANS THAT YOU ARE ACCEPTING THE
PRACTICES SET FORTH IN THIS PRIVACY POLICY. WE RESERVE THE RIGHT TO
MAKE CHANGES TO OUR PRIVACY POLICY BY POSTING THE NEW VERSION WITH
A NEW EFFECTIVE DATE. YOUR CONTINUED USE OF OUR SERVICES INDICATES
YOUR AGREEMENT TO THE CHANGES.