CareFlow One LLC Privacy Policy

Effective Date: 12/31/2025

TABLE OF CONTENTS

• Scope and Purpose
• What Does CareFlow One Do?
• What Personal Information Do We Collect?
• How Do We Collect Your Information?
• How Do We Use Your Information?
• How Do We Share Your Information?
• Retention and Protection of Data
• Cookies and Automated Data Collection Technologies
• Social Media and Third-Party Integrations
• State Consumer Privacy Rights
• Minors
• International Data Transfers
• Updates to This Privacy Policy
• Contact Information

I. SCOPE AND PURPOSE

This Privacy Policy (“Policy”) describes how CareFlow One LLC (“CareFlow,” “CareFlow One,” “we,” “us,” or “our”), a Florida limited liability company, collects, uses, discloses, and protects information about you when you access or use our websites, applications, software platforms, and related services that link to this Policy (collectively, the “Services”).

This Policy also applies to information collected offline, such as during product demonstrations, conferences, onboarding activities, customer support interactions, or other business engagements where this Policy is made available.

This Policy does not apply to:

• Protected Health Information (“PHI”) processed by CareFlow on behalf of healthcare providers, which is governed by applicable Business Associate Agreements (“BAAs”) and the Health Insurance Portability and Accountability Act (“HIPAA”)
• Third-party websites, services, or platforms that may be linked to or integrated with the Services

CareFlow processes PHI solely as a business associate or service provider, in accordance with contractual obligations and applicable law. Healthcare providers are responsible for their own privacy practices, and we encourage you to review your provider’s Notice of Privacy Practices.

II. WHAT DOES CAREFLOW ONE DO?

CareFlow One provides cloud-based healthcare workflow automation software designed to help primary care clinics, specialists, and healthcare organizations manage and optimize:

• Referral ordering and tracking
• Prior authorization workflows
• Insurance eligibility and network verification
• Clinical document intake (including fax and electronic submissions)
• Secure collaboration and communication related to patient care

CareFlow One does not provide medical care, diagnosis, or treatment and does not replace the professional judgment of licensed healthcare providers.

III. WHAT PERSONAL INFORMATION DO WE COLLECT?

“Personal Information” means information that identifies, relates to, describes, or could reasonably be linked to an individual. Depending on your interaction with CareFlow, we may collect the following categories of information:

A. Identifiers

• Name
• Email address
• Telephone number
• IP address
• Account credentials (username, role, organization ID)

B. Professional and Organizational Information

Depending on your role (clinic staff, provider, administrator, or authorized user), we may collect:

Account & Business Information

• Practice or organization name
• Name
• Job title or role
• Provider identifiers (e.g., NPI, practice ID)
• Work email address
• Work phone number
• Business address

Patient-Related Information (Processed on Behalf of Customers)

• Patient demographics (e.g., name, date of birth, address)
• Insurance information (payer, member ID, plan details)
• Insurance card images (front/back)
• Referral details, diagnosis codes (ICD-10), procedure codes (CPT/HCPCS)
• Authorization status, scheduling coordination data, and related workflow metadata

CareFlow One collects and processes this data solely to provide the Services and in accordance with customer instructions.

C. Information from Third Parties

We may receive limited information from third parties such as:

• Electronic Health Record (EHR) systems
• Payer portals or APIs
• Eligibility and clearinghouse services
• Professional platforms (e.g., LinkedIn) for business contact enrichment

D. Internet and Device Information

• Browser type and version
• Device identifiers
• Operating system
• Log data and usage activity

E. Geolocation Information

• Approximate location derived from IP address (city/state level)

F. Customer Support and Communications

• Emails, messages, or recordings exchanged with CareFlow support
• Feedback, survey responses, and feature requests

PHI NOTICE: Any Protected Health Information processed through the CareFlow platform is handled solely under HIPAA-compliant agreements and is not used for marketing or advertising purposes.

IV. HOW DO WE COLLECT YOUR INFORMATION?

We collect information through:

Direct interactions, such as when you:

• Create an account
• Request a demo
• Contact customer support
• Participate in surveys or onboarding

Automated technologies, including:

• Log files
• Cookies and similar technologies
• Analytics tools

Third-party sources, such as:

• EHR or payer integrations authorized by customers
• Identity and access management providers
• Business partners and referral sources

V. HOW DO WE USE YOUR INFORMATION?

We use Personal Information to:

• Provide, operate, and maintain the Services
• Authenticate users and manage accounts
• Improve platform performance, reliability, and usability
• Respond to inquiries and provide customer support
• Communicate service updates, security notices, and administrative messages
• Monitor for fraud, security incidents, and misuse
• Comply with legal, regulatory, and contractual obligations

We may use aggregated or de-identified data for analytics, benchmarking, and product improvement, consistent with applicable law.

VI. HOW DO WE SHARE YOUR INFORMATION?

We may share Personal Information:

A. With Service Providers

Vendors who assist with:

• Cloud hosting and infrastructure
• Security monitoring
• Customer support tools
• Analytics and logging

All service providers are contractually obligated to protect data and use it only for authorized purposes.

B. With Customers

When you are an authorized user of a healthcare organization, information may be shared with that organization in accordance with contractual terms.

C. For Legal and Safety Purposes

When required to:

• Comply with law or legal process
• Respond to lawful requests from authorities
• Protect rights, safety, and security

D. Business Transfers

In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections.

CareFlow does not sell personal information as that term is defined under applicable state privacy laws.

VII. RETENTION AND PROTECTION OF DATA

We retain information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law or contract.

CareFlow employs administrative, technical, and physical safeguards, including:

• Encryption in transit and at rest
• Role-based access controls
• Audit logging
• Security monitoring

No system can be guaranteed to be 100% secure, but we continuously improve our safeguards.

VIII. COOKIES AND AUTOMATED DATA COLLECTION TECHNOLOGIES

CareFlow uses cookies and similar technologies to:

• Enable core site functionality
• Improve user experience
• Analyze usage patterns

You may control cookies through browser settings. Disabling cookies may impact functionality.

IX. SOCIAL MEDIA AND THIRD-PARTY INTEGRATIONS

Our Services may link to or integrate with third-party platforms (e.g., EHRs, identity providers). These third parties operate under their own privacy policies, and CareFlow is not responsible for their practices.

X. STATE CONSUMER PRIVACY RIGHTS

Residents of certain U.S. states may have rights to:

• Access personal information
• Correct inaccuracies
• Delete personal information
• Obtain a portable copy
• Opt out of certain processing activities

Requests may be submitted using the contact information below. We will verify your identity and respond within the timeframe required by law.

XI. MINORS

The Services are intended for use by adults and professionals. CareFlow does not knowingly collect personal information from children under 13 and does not knowingly process information of minors outside healthcare provider-directed workflows governed by HIPAA.

XII. INTERNATIONAL DATA TRANSFERS

CareFlow is based in the United States. If you access the Services from outside the U.S., your information may be transferred to and processed in the U.S., where data protection laws may differ.

XIII. UPDATES TO THIS PRIVACY POLICY

We may update this Policy from time to time. Changes will be posted on our website with an updated effective date. Continued use of the Services constitutes acceptance of the revised Policy.

XIV. CONTACT INFORMATION

For questions or requests regarding this Privacy Policy, please contact:

CareFlow One LLC

Attn: Privacy & Compliance

28 Geary St. Suite 650

San Francisco, CA 94108

Email: admin@getcareflow.com