Privacy Statement

Nonstop Administration and Insurance Services, Inc. PRIVACY STATEMENT

This policy explains how Nonstop Administration and Insurance Services, Inc. ("Company," "Nonstop", "We,", "Us" or "Our") treats personal information we obtain from you ("You" or "Your") as users of Our various Company websites and mobile applications, including but not limited to www.nonstophealth.com ("Company Information Site") and the Nonstop Health mobile application ("Mobile App"), but do not apply to any third-party sites or applications that may be linked to them, including the websites and applications that provide employee or employer services (i.e., "Portals") that you may receive as a licensed user (collectively "Company Sites").

We use the Company Information Site to make information, products, and services available to You. The term "Personal Information" means information that You provide to us that personally identifies You to be contacted or identified, such as Your name, phone number, email address, and any other data tied to such information.

1) The General Information We Obtain. We collect the information We need to provide You with the information, products, and services that You request and to update, promote, and distribute Our products and services to meet Your needs as they evolve. If You request information, products, or services from Us, We will ask You to provide the information We need to respond to Your request. No one is required to provide any information to Us at any time. However, if You do not provide Us with the information We request, We may be unable to provide You with the information, products, or services You have asked for. In other cases, Your decision not to give us information may preclude Your access to certain features and functions of the products and services We offer.

2) How Information is Obtained. We obtain information through the Company Information Site by using forms posted on or linked to the site that seek information, including Your interests and concerns, preferences for products and services, or contact information. We also seek information through email and in other routine, lawful operations that We conduct in the ordinary course of operating Our business. These operations may include the use of standard data gathering functionality, such as cookies and other devices that collect certain standard information generated by Web browsers about users of the Company Site, such as IP addresses, access times, and their experience using one or more web sites operated by or on behalf of Us. We use Google Analytics™ web analytics services on some Company Information Site. Google Analytics is a service that Google, Inc. ("Google") provides. Google uses the data collected to track and examine the use of the Company Information Site, prepare reports on its activities, and share them with other Google services. Google may use the data collected to contextualize and personalize the ads in its network or advertisers. For more information about Google's data practices, see Google's Privacy Policy at https://policies.google.com/privacy. To opt out of Google Analytics tracking, visit https://tools.google.com/dlpage/gaoptout. We also use third-party marketing and communication platforms to manage email correspondence and other touch points. We use third-party product analytics platforms to collect data including page views, feature usage, and user interaction events across the Company Sites. This data is used solely to understand how our products are used and to improve them; it does not include session recordings or the capture of Protected Health Information. If you do not wish to have your information shared with us, please contact us at the email listed below with your request. You can, of course, unsubscribe or "opt out" of marketing communications at any time.

SMS/TEXT MESSAGING COMMUNICATIONS

Information We Collect Through SMS. When you opt in to receive SMS/text messages from Nonstop Health, we may collect and process the following information: Mobile Phone Number (the phone number you provide when opting into SMS services), Opt-In Records (date, time, and method of your consent to receive SMS messages), Carrier Information (your mobile carrier and device information, automatically provided), Message Interaction Data (delivery status, response messages such as STOP and HELP, and engagement metrics), Timestamp Data (dates and times of messages sent and received), and Preference Data (your selected message types and frequency preferences).

How We Use SMS Information. We use the information collected through our SMS program to: Deliver Requested Services (send health alerts, appointment reminders, security codes, and other service-related messages you've requested), Fulfill Consent (honor your communication preferences and opt-in choices), Ensure Compliance (maintain records of consent as required by law including TCPA and FCC regulations), Improve Services (analyze delivery rates and engagement to improve message timing and relevance), Provide Support (respond to HELP requests and customer service inquiries via SMS), Protect Security (send two-factor authentication codes and security alerts to protect your account), and send Marketing messages (only if you've opted into marketing communications).

Legal Basis for SMS Processing. We process your SMS information based on: Consent (your express written consent for marketing messages), Contract Performance (transactional messages necessary to provide services you've requested), Legitimate Interests (security messages and service notifications to protect your account and deliver our services), and Legal Obligation (compliance with telecommunications regulations and healthcare communication requirements).

SMS Data Sharing. We share your mobile phone number with trusted service providers who help us deliver SMS messages, including SMS gateway providers and telecommunications platforms (e.g., Amazon Pinpoint, Twilio), analytics providers who help us understand message delivery and engagement, and customer support platforms that help us manage communication preferences. These providers are contractually required to: use your information only to provide services to us, protect your information with appropriate security measures, not use your information for their own purposes, and comply with applicable privacy and telecommunications laws.

We Do Not Sell SMS Data. We will not sell, rent, loan, or otherwise transfer your mobile phone number to third parties for their own marketing purposes without your express consent.

Required Disclosures. We may disclose SMS information: to comply with legal obligations, court orders, or government requests; to protect our rights, safety, or property, or that of our users; in connection with a business transfer, merger, or acquisition (with notice to you); or to enforce our Terms of Service or investigate potential violations.

Your Mobile Carrier. Your mobile carrier may collect and use information about your SMS usage according to their own privacy policies. We are not responsible for the privacy practices of mobile carriers. Please contact your carrier directly for information about their data practices.

SMS Data Retention. Opt-In Consent Records are maintained for the duration of the messaging relationship plus 4 years (TCPA compliance requirement). Message Delivery Logs are retained for 90 days for troubleshooting and delivery verification. Opt-Out Records are maintained indefinitely to honor your preferences and comply with regulations. Preference Settings are maintained while your account is active and for 1 year after account closure. For health-related messages that may contain Protected Health Information (PHI), we follow HIPAA retention requirements as specified in our HIPAA Notice of Privacy Practices.

Security of SMS Data. We implement appropriate technical and organizational measures to protect SMS information: encryption of data in transit and at rest, access controls limiting who can view phone numbers, secure API connections with SMS service providers, regular security audits of messaging infrastructure, and incident response procedures for potential data breaches. Important: SMS/text messaging is not a fully secure communication method. Do not send sensitive personal information, account passwords, or detailed health information via SMS. For secure communications, please log into your account portal or contact us through secure channels. Where health-related SMS messages are sent, they are limited to minimal identifiers (e.g., appointment times, general reminders) and do not include detailed clinical information or Protected Health Information (PHI) unless you have explicitly acknowledged the risk of unencrypted transmission. By opting in to health-related SMS alerts, you acknowledge that SMS is not a fully encrypted communication channel and accept the associated risks. Our use of SMS for health-related communications is supported by a risk analysis conducted under the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1).

Your SMS Privacy Rights. You have the right to: Access (request a copy of the SMS information we maintain about you), Correct (update your mobile phone number or communication preferences at any time), Delete (request deletion of your SMS information, subject to legal retention requirements), Opt-Out (withdraw consent and stop receiving SMS messages at any time), Restrict (choose which types of messages you receive, e.g., opt out of marketing while keeping security messages), and Object (object to processing of your SMS information for specific purposes). To exercise these rights, contact us at: compliance@nonstophealth.com, 1-877-626-6057, or 1800 Sutter St, Suite 730, Concord, CA 94520.

Updates to SMS Privacy Practices. We may update our SMS privacy practices to reflect changes in: legal requirements or regulatory guidance, SMS technology and service providers, or our messaging programs and offerings. We will notify you of material changes through: SMS notification to your registered phone number, email notification to your registered email address, or notice on our website. Continued use of SMS services after changes constitutes acceptance of updated practices.

Questions About SMS Privacy. If you have questions about how we handle SMS information, please contact: General inquiries (clientsupport@nonstophealth.com), Privacy questions (compliance@nonstophealth.com), or Opt-out support (Text STOP to any message or email clientsupport@nonstophealth.com).

MOBILE APPLICATION

Information We Collect Through the Mobile App. When you download and use the Nonstop Health mobile application ("Mobile App"), we may collect and process the following information in addition to the information described elsewhere in this policy:

Device Information: Device type, model, and manufacturer; operating system and version; unique device identifiers (including Apple IDFA on iOS and Google Advertising ID on Android, subject to your device privacy settings); app version; mobile network information; and device language and time zone.

App Usage and Diagnostics: Features and screens accessed, session duration, in-app navigation, crash reports, and diagnostic data used to maintain and improve app performance. We use third-party analytics platforms to collect this data. These platforms do not capture session recordings or Protected Health Information through our implementation. This data is not linked to your identity.

Push Notification Token: A unique identifier assigned by Apple (APNs) or Google (FCM) used solely to route push notifications to your device.

Device Permissions. Depending on the features you use, the Mobile App may request access to the following device functions:

• Biometric Authentication (Face ID / Touch ID / Fingerprint): If you enable biometric login, your biometric data is processed entirely on your device by Apple's or Google's native security frameworks. Nonstop Health does not access, store, or transmit your biometric data.
• Camera: Required only if you use document upload or identity verification features. Camera access is only active when you initiate such a feature.
• Push Notifications: Required to send health alerts, appointment reminders, security codes, and other service notifications. You may enable or disable push notifications through your device settings at any time.
• Local Device Storage / Keychain: Used to securely store session credentials and temporarily cache data for app performance.
• Locally stored data is encrypted at rest using platform-standard encryption (AES-256 or equivalent).
• Sessions automatically time out after a period of inactivity and require re-authentication.
• Screens displaying Protected Health Information (PHI) may prevent screenshots to reduce the risk of inadvertent disclosure.
• You may de-register your device from your account settings at any time, which will clear locally cached data upon the next app launch.

You may revoke any device permission at any time through your device operating system settings. Revoking certain permissions may limit the functionality of specific features within the Mobile App.

On-Device Data Storage and Mobile Security. Where the Mobile App caches data locally on your device, we implement the following safeguards in accordance with the HIPAA Security Rule:

No Sale of Health Data. We do not sell or share health data collected through the Mobile App with advertisers, data brokers, or information resellers. Health data is used exclusively to provide and support the services you have requested.

App Store Privacy Disclosures. When you download the Mobile App from the Apple App Store or Google Play Store, those platforms display a summary of our data practices ("App Privacy" labels on iOS or "Data Safety" on Android). Those summaries are derived from this Privacy Policy and are provided to help you make informed choices before downloading.

3) Customers and Other Authorized Users. Customers of Our products and services may use the sections of the Company Site reserved for customer use, such as Company Portals (login required), solely as their respective agreements permit. Other authorized users of information resources available on or through this site may use them solely as and to the extent authorized. We request information from customers and other authorized users to authenticate them and verify their authorized use of the products, services, and other resources. We provide. Further authorization details are provided in the privacy policies applicable to such products or services.

4) Promotional Offers. Promotional offers are governed by their terms and conditions. We may request information from those responding to offers to determine eligibility and to process and fulfill eligible responses.

5) How We Use The Information Provided. We do not request patient information through general Company Sites such as www.nonstophealth.com. Certain web-based services provided by Us, such as Nonstop Portal and certain support operations, involve access to and processing of patient information. This information is provided to Us lawfully by (i) employers who have obtained their employees' consent to provide Us with their information or (ii) by the employee themselves (or, if the user is a minor, through their parent or guardian). The Company Sites are not designed to be used by children. The Company Information Site is not intended to collect or retain patient data. However, the use of specific form requests and other web-based services (e.g., Nonstop Exchange Portal) We provide may allow and require collecting specific patient data. Children under the age of thirteen (13) should not use any of Our services unless they are doing so under the direction of their parent/guardian. We use the information We obtain to provide the Company Sites and provide Customers and authorized users with:

a) Products, services, and information resources;

b) The development of new and updated products, services, and information resources;

c) The administration of, protection of, and management of the Company Site, Our products, services, and information resources; and

d) General email communications concerning Our products, services, and information include offers, including the processing and, where applicable, fulfillment of one or more relevant offers or requests. You may opt out of receiving these emails at any time.

6) Disclosures of Information. We may disclose specific information We obtain to provide certain products, services, and information resources and develop, promote, and support Our products and services solely as Our agreements with Our customers, other authorized users, vendors, technology partners, marketing partners, and others permit. To ensure continuity of the Company Site and the integrity and availability of the information required to provide it and Our products and services, the information provided to Us may be backed up or archived, including the storage of information at facilities operated by Our vendors. Finally, We may disclose information as We believe necessary to (a) comply with applicable law and regulations, which may include disclosures made in response to any subpoena, document request, or other legal request seeking the disclosure of information that appears to have been lawfully issued; (b) perform under and enforce the terms and conditions under which Our products and services are provided; (c) exercise Our legal rights in its products, services, and resources and to otherwise protect its assets; and (d) protect Our rights, reputation, and property, or that of Our users, affiliates, or the public. The information We obtain in connection with the Company Site is not sold, rented, or otherwise disclosed to any person or entity except as this policy states.

7) Third-Party Links. The Company Site may contain links to third-party sites to provide additional, value-added services. Except as set forth herein, We do not share Your personal information with those third parties and are not responsible for their privacy practices. We, therefore, have no responsibility or liability for the content and activities of these linked sites. We suggest You read the privacy policies on all such third-party websites.

8) Privacy Regulation & Security. Certain information provided to Us may be Protected Health Information as that term is defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), American Recovery and Reinvestment Act ("ARRA"), Health Information Technology for Economic and Clinical Health Act ("HITECH") and in regulations promulgated there under and it may also be subject to regulation under state law ("PHI"). We offer and provide the Company Site and Our products and services in a manner that complies with all applicable laws and regulations we are aware of and become known to us and will continue to do so. For example, We have Business Associates Agreements in place with Our customers, partners, and vendors that govern the disclosure and use of PHI that is required for Us to provide them with the products and services they have requested. Suppose You order services from Us that require You to provide Us with personal health information protected under federal or state laws (including HIPAA), in that case, You grant Us a non-exclusive, perpetual, irrevocable, royalty-free right and license to use de-identified patient and administrative data ("De-Identified Use Data" as defined under 45 C.F.R. § 164.514) collected or provided through your use of the Company Site for any lawful business purpose, provided that such data is not personally identifiable. De-identification shall be performed using either the Safe Harbor method or Expert Determination method as specified under 45 C.F.R. § 164.514(b). We represent that We will not attempt to re-identify De-Identified Use Data or permit any third party to do so, and We maintain internal governance controls over De-Identified Use Data, including access restrictions, use limitations, and audit procedures. We shall have the right to de-identify such patient and administrative data and then utilize the De-Identified Use Data for any lawful purpose, including but not limited to creating statistical norms and reports de-identified score cards, regional or national benchmarking, or to be used for research considerations, provided however that the data shall not include member identities and claims information that is unprotected.

9) Personally identifiable patient, physician, and Your information shall remain confidential and not be released. Further, should We place the De-Identified Use Data in its national database or incorporate such data in studies and analyses conducted directly or indirectly by Us, no such data shall be identified as originating from You, Your Employer, or physicians. The De-Identified Use Data shall also not be utilized in any study, report, or publication without being integrated with a significant body of other data such that neither You nor your employer can be identified, unless appropriate, advance and written consents to such identification are obtained. We use regulatory-compliant security measures to protect the information.

10) Access and Changes to Information; Deletion of Information. Customers and authorized users of Our products, services, and information resources have access to the information We store about them and may change that information at no charge, provided that doing so is consistent with their respective agreements with Us. Certain information services We provide may reflect patient information as it appears in the medical records of those patients maintained by the medical professionals they consult. We may retain the information We obtain for a period sufficient to provide the products and services that Our customers request, as necessary to comply with Our legal obligations, and as Our management deems appropriate.

11) Compliance, Questions, and Concerns. We monitor Our compliance with this policy. Questions or concerns should be directed to compliance@nonstophealth.com Complaints will be acknowledged, investigated, resolved between Us and the parties concerned when possible, and reported to governmental authorities as the applicable law requires and as appropriate.

Contact Information

Phone: 1-877-626-6057

Email: clientsupport@nonstophealth.com

Location: 1800 Sutter St, Suite 730, Concord, CA 94520

Hours: Monday – Friday, 6am – 5pm Pacific Time / 8am – 7pm Eastern Time