Scienza Health

Privacy Policy

How Scienza Health handles information across our B2B2C healthcare platform, including our role as a HIPAA Business Associate.

Effective Date: August 23, 2025
Last Updated: May 14, 2026

1. Who This Policy Applies To

Scienza Health, Inc. ("Scienza," "we," "us," or "our") operates a business-to-business-to-consumer ("B2B2C") healthcare technology platform. This Privacy Policy explains how we handle information in three distinct roles:

  • Website visitors and prospects. When you browse scienzahealth.com or request a demo, Scienza acts as an independent controller / business of the limited contact and usage information you provide.
  • Provider personnel ("Authorized Users"). When a clinician, staff member, or administrator at a healthcare organization uses our platform, Scienza handles Authorized User account data under our customer's professional-services agreement.
  • Patients screened on the platform. Protected Health Information ("PHI") of patients is processed by Scienza solely as a HIPAA Business Associate of the healthcare provider (the Covered Entity) that offers the screening. Scienza does not have a direct relationship with patients. Patient rights regarding PHI — including access, amendment, accounting of disclosures, and restriction — are exercised through the patient's provider, and Scienza supports the provider in fulfilling those rights.

This Policy is a layered notice. For additional detail, see our Security Overview, AI Transparency, and (for covered customers) the executed Business Associate Agreement, which controls over this Policy for any PHI-related matter.

Your use of our public Website constitutes acknowledgment of this Policy. Processing of PHI is governed by the applicable Business Associate Agreement; processing of personal data subject to the GDPR or a U.S. state consumer health data law is based on the lawful basis or affirmative consent identified in the applicable notice or consent interface.

2. Information We Collect

We collect information in several ways to operate and improve our Services. Scope and legal basis differ by audience (see Section 1).

a. Personal Information You Provide

  • Contact and Account Information: Name, email address, phone number, mailing address, and account credentials when you register, request a demo, or contact us.
  • Health-Related Information (PHI): When a healthcare provider uses our GIA™ platform for patient screenings, we process medical history, screening responses, cognitive and behavioral results, and related clinical indicators on behalf of that provider as a HIPAA Business Associate. See Sections 4 (Voice Biomarkers), 6 (HIPAA), and 7 (42 CFR Part 2).
  • Payment Information: Billing details processed securely via third-party payment providers; we do not store full payment card details.
  • Other Voluntary Information: Feedback, survey responses, or communications you send us.

b. Automatically Collected Information

  • Usage Data: IP address, browser type, device identifiers, pages visited, time spent, and referring URLs when you access our Website or Services.
  • Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies. See Section 11 for categories and controls.
  • Sensor and Device Data: With appropriate consent or provider authorization, we may receive environmental data from IoT sensors (e.g., temperature, humidity, air quality) and health data from Samsung Galaxy devices (Samsung Health platform, Galaxy Watch).

c. Information from Third Parties

  • Partners and Integrations: Data from healthcare providers, EHR systems (e.g., Epic, Cerner, PointClickCare), Samsung Galaxy devices (Samsung Health platform, Galaxy Watch), or APIs (e.g., ElevenLabs for voice processing) as part of service delivery.
  • Public Sources: Aggregated data from public databases for research purposes, de-identified in accordance with Section 8.

We limit collection to what is necessary for our Services ("minimum necessary," for PHI, under 45 C.F.R. § 164.502(b)) and do not knowingly collect data from children under 13 without verifiable parental consent. See Section 13.

3. How We Use Your Information

We use information for legitimate business purposes, including:

  • Providing Services: Operating GIA™ and digitalhumanOS™, performing cognitive and behavioral screenings, automating documentation and billing, and delivering clinical-decision support for review by qualified healthcare professionals.
  • Improving and Personalizing: Analyzing usage to enhance features and customize experiences. AI model training is addressed separately in Section 8.
  • Compliance and Security: Detecting fraud, performing audits, and maintaining data integrity.
  • Communications: Sending service updates, alerts, and — with opt-in consent where required — marketing materials.
  • Research and Analytics: Aggregating de-identified data for health research, subject to IRB or equivalent oversight where applicable and the de-identification standards in Section 8.
  • Legal Obligations: Responding to subpoenas, court orders, or regulatory requests.

For PHI, we process only as permitted by the applicable Business Associate Agreement and the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E). For personal data subject to the GDPR, we rely on the lawful bases of contract, legitimate interests, consent, or legal obligation, as applicable.

4. Voice Biomarkers and Biometric Data

The GIA™ platform analyzes more than 2,500 acoustic, prosodic, and linguistic features extracted from a patient's voice, and may analyze video for cognitive and behavioral indicators. These features are derived from biometric identifiers and, depending on the patient's state of residence, may be regulated as:

  • Biometric information under the Illinois Biometric Information Privacy Act (740 ILCS 14/);
  • Biometric identifiers under the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001);
  • Consumer health data under the Washington My Health My Data Act (RCW 19.373) and comparable state laws;
  • Sensitive personal information under the California Consumer Privacy Act, as amended by the CPRA (Cal. Civ. Code § 1798.140(ae)).

When Scienza processes voice or biometric data as a HIPAA Business Associate, the provider's patient authorization and Notice of Privacy Practices govern. Where Scienza processes such data outside a HIPAA context, we obtain separate, affirmative, written consent before collection and before any subsequent disclosure, and we provide a mechanism for withdrawal of consent and deletion, subject to applicable legal retention requirements.

5. How We Share Your Information

We do not sell your personal information for monetary consideration. Sharing occurs only as necessary:

  • Service Providers / Subprocessors: With vendors bound by written agreements that impose confidentiality, security, and (for PHI) HIPAA subcontractor obligations per 45 C.F.R. § 164.502(e)(1)(ii). Current subprocessors include AWS (cloud hosting), ElevenLabs (voice processing), Samsung Health and Samsung Knox (device integration), and platforms supporting EHR connectivity.
  • Business Partners: Healthcare providers, EHR integrators, and device partners under BAAs or data processing agreements.
  • Legal and Safety Reasons: To comply with laws, respond to authorities, or protect rights and safety (e.g., public health reporting).
  • Business Transfers: In mergers, acquisitions, or reorganizations, with notice and consent where required and continuity of the protections in this Policy.
  • With Your Consent: For any other purpose you approve.

A live subprocessor registry, including descriptions and processing locations, will be published at /subprocessors. For covered customers, Scienza will provide at least 30 calendar days' advance notice of any new subprocessor involved in PHI processing, and the customer may object in accordance with the applicable BAA.

Under the CCPA, we do not sell personal information. We may "share" limited data with advertising partners (e.g., LinkedIn Insight Tag) for cross-context behavioral advertising. California residents and users with Global Privacy Control signals may opt out via the Cookie Preferences link in the footer or by emailing support@scienzahealth.com.

6. HIPAA and Business Associate Obligations

Scienza's HIPAA Role. When providing the GIA™ / digitalhumanOS™ platform to a healthcare provider, Scienza is a Business Associate as defined in 45 C.F.R. § 160.103. Our handling of PHI is governed by the Business Associate Agreement ("BAA") executed with each provider customer. To the extent this Policy and the BAA conflict on matters involving PHI, the BAA controls.

Minimum Necessary. We limit uses and disclosures of PHI to the minimum necessary to perform the services identified in the BAA (45 C.F.R. § 164.502(b)).

Subcontractor Flow-Down. Where a subcontractor creates, receives, maintains, or transmits PHI on our behalf, Scienza executes a written agreement that imposes the same restrictions applicable to us (45 C.F.R. § 164.502(e)(1)(ii)).

Return or Destruction. Upon termination of the BAA, Scienza will return to the provider or destroy all PHI we maintain on behalf of the provider, and retain no copies, in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(J) — except where return or destruction is not feasible, in which case Scienza extends the protections of the BAA for so long as the PHI is retained.

Support for Provider Notices of Privacy Practices. Scienza supports each Covered Entity in maintaining and updating its Notice of Privacy Practices under 45 C.F.R. § 164.520, including the substance-use-disorder provisions described in Section 7.

7. Substance Use Disorder Records (42 CFR Part 2)

To the extent the provider is a "Part 2 program" or otherwise subject to 42 C.F.R. Part 2, Scienza treats patient identifying information received from that provider in accordance with Part 2, as updated by the 2024 U.S. Department of Health and Human Services final rule. This includes the written-consent, redisclosure-notice, segregation, and Notice of Privacy Practices obligations that took effect February 16, 2026. Scienza will support the Covered Entity's implementation of those obligations through our platform, contractual terms, and audit logging.

8. AI, Automated Decisions, and Human Oversight

a. AI Model Training & De-identification

We do not use raw PHI to train our AI models except as expressly permitted by the applicable BAA and only after de-identification in accordance with 45 C.F.R. § 164.514(b)(1) (Expert Determination) or 45 C.F.R. § 164.514(b)(2) (Safe Harbor). De-identification methodology, training-data sources, and known model limitations are published and updated on our AI Transparency page in accordance with California AB 2013.

b. AI-Generated Clinical Communications (AB 3030)

When the GIA™ platform generates or assists in generating clinical or health-related communications, the platform enables the healthcare provider's disclosure obligations under California AB 3030 by providing prominent AI-generated notices, human-review workflows, and audit logs. The underlying disclosure duty to the patient rests with the provider as the Covered Entity.

c. Human Oversight

Our AI systems operate under a 5-layer governance framework with mandatory human oversight for all clinical decisions. AI outputs are decision-support: every screening result is surfaced to a qualified clinician for review before it is written to the patient's record. AI outputs are designed to assist, not replace, qualified healthcare professionals.

d. Automated Decision-Making Technology (ADMT)

Scienza does not make solely automated decisions that produce legal or similarly significant effects concerning a patient. Where a California resident requests information about our use of automated decision-making technology under the California Consumer Privacy Act, as amended (Cal. Civ. Code § 1798.185(a)(16)), we will provide a meaningful description of the logic involved, the intended output, and the role of human review, and will honor verified opt-out requests where applicable. Equivalent rights under the GDPR (Art. 22) and other applicable laws are addressed in Section 9.

9. Your Privacy Rights

a. Rights with Respect to PHI

Under HIPAA, a patient's rights of access, amendment, accounting of disclosures, restriction, and confidential communications are exercised against the Covered Entity (the patient's healthcare provider). If you are a patient and wish to exercise these rights, please contact your provider. Scienza will support the provider's response in accordance with the applicable BAA.

b. Rights with Respect to Other Personal Data

Depending on your location, you may have the following rights with respect to personal data that Scienza processes as a controller or business (for example, data collected through our Website or in connection with a demo request):

  • Access: Request details of your data.
  • Correction / Rectification: Update inaccurate information.
  • Deletion / Erasure: Request removal, subject to legal exceptions.
  • Opt-Out of Sale / Sharing: We do not sell data for monetary consideration; you may opt out of cross-context behavioral advertising, and we honor signals such as Global Privacy Control.
  • Limit Use of Sensitive Personal Information: Restrict our processing of CPRA "sensitive personal information" to permitted purposes.
  • Portability: Receive your data in a transferable format.
  • Object / Withdraw Consent: Stop processing based on consent or legitimate interests.
  • Non-Discrimination: No penalties for exercising rights.

To exercise rights, contact us at support@scienzahealth.com or via our Website form. We respond within 30 to 45 days (extendable under law), free of charge (up to twice per twelve-month period under the CCPA). Verification may require government-issued ID or other reasonable proof. For GDPR matters, contact our Data Protection Officer at dpo@scienzahealth.com. For CCPA requests, you may also call +1 (888) 400-1409. We honor Global Privacy Control signals.

10. Data Security and Breach Notification

Scienza maintains a zero-trust, defense-in-depth security program. Controls include:

  • AES-256 encryption for data at rest and in transit.
  • Role-based access controls, network segmentation, and continuous monitoring.
  • Regular vulnerability scanning and penetration testing.
  • Mandatory workforce training on data protection and HIPAA.
  • SOC 2 Type II attestation and alignment with NIST cybersecurity frameworks.

Further detail is available on our Security Overview page. No system is impenetrable; we use commercially reasonable safeguards appropriate to the sensitivity of the data we process.

a. HIPAA Breach Notification (Scienza as Business Associate)

Scienza notifies the Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery (45 C.F.R. § 164.410). The Covered Entity is responsible for patient, HHS, and (where applicable) media notification under the HIPAA Breach Notification Rule.

b. GDPR / UK GDPR Breach Notification

Where Scienza acts as a processor, we notify the relevant controller without undue delay upon becoming aware of a personal data breach (GDPR Art. 33(2)). Where Scienza acts as a controller, we notify the competent supervisory authority within 72 hours of awareness (GDPR Art. 33(1)) and affected data subjects where required (Art. 34).

11. Cookies and Tracking Technologies

We use cookies for site functionality, analytics, and marketing. Categories:

  • Essential: Required for site operation.
  • Analytics: Help us understand how the site is used and improve it (e.g., Google Analytics).
  • Marketing: Conversion tracking and audience retargeting (e.g., LinkedIn Insight Tag).

Manage preferences via our Cookie Banner or the Cookie Preferences link in the footer. For visitors from the European Economic Area and the United Kingdom, non-essential cookies are loaded only after affirmative consent, consistent with the ePrivacy Directive.

12. SMS Text Messaging

When you provide a phone number and affirmatively consent on the pilot application form or our other contact forms, Scienza Health may send you transactional SMS messages over our toll-free number +1 (888) 400-1409. Consent is captured by a required checkbox that records the exact wording you agreed to, the consent timestamp, and the source IP address for our carrier-compliance audit log.

Message Types

We send transactional messages only: demo confirmations, appointment reminders, and pilot onboarding next-steps. We do not send marketing or promotional SMS. Messages originate from a U.S. toll-free number, are delivered through Twilio as our carrier-grade SMS processor, and are limited in scope to the use case you opted into.

Message Frequency

Frequency varies by your engagement stage — typically zero messages when no activity is pending, and one to three messages around an active demo or pilot onboarding event. We do not send marketing blasts.

Opt-Out and Help

You can opt out at any time by replying STOP to any message. Reply HELP for contact information, or call +1 (888) 400-1409 or email support@scienzahealth.com. Opt-out is honored immediately for all future messages from that number. Standard message and data rates may apply.

Data We Collect and How We Use It

For SMS specifically we record: the phone number you provided, the consent timestamp, the verbatim consent text version you agreed to, and the source IP address of the form submission. We use this data solely to deliver the messages you consented to and to prove consent in a carrier audit. We retain SMS consent records for at least four years per The Campaign Registry (TCR) audit-retention guidance.

Carriers and Third-Party Processors

SMS delivery is operated by Twilio, Inc. as our carrier-grade processor. Twilio handles message routing through U.S. mobile carriers (AT&T, T-Mobile, Verizon, and others). We do not sell or share SMS opt-in information, consent records, or message content with third parties for marketing purposes, and consent given for SMS communications is not used for any non-SMS-related purpose.

13. Children's Privacy

Our Services are not directed to children under 13 in the United States, or under the applicable age of consent for data processing in other jurisdictions (13 to 16 under the GDPR, depending on member state). We do not knowingly collect data from minors without verifiable parental consent. If we become aware that we have collected such data, we delete it promptly.

14. International Data Transfers

Data may be transferred to the United States or other countries. For transfers from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework where and to the extent Scienza is self-certified, and on the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), together with the UK International Data Transfer Addendum, where the Data Privacy Framework does not apply.

15. Data Retention Schedule

We retain data only as long as necessary for the purposes described in this Policy, to comply with legal obligations, and to exercise or defend legal claims. Retention periods vary by data category:

| Data Category | Our Role | Retention | Legal Basis | Disposal |
| --- | --- | --- | --- | --- |
| Patient PHI (voice, video, screening results, Memory Store) | Business Associate | Duration of BAA; returned or destroyed on termination | 45 C.F.R. § 164.504(e)(2)(ii)(J) | NIST 800-88 media sanitization |
| De-identified research data | Controller | Indefinite while research purpose persists | 45 C.F.R. § 164.514(b) (Safe Harbor / Expert Determination) | Secure deletion at project close |
| Audit logs referencing PHI | Business Associate | 6 years from creation or last effective date | 45 C.F.R. § 164.316(b)(2)(i) | Cryptographic erasure |
| Authorized User account records | Customer's processor | Duration of customer agreement + 3 years | Contract | Deletion on confirmed request |
| Website visitor / marketing contact data | Controller | Until opt-out or 24 months of inactivity | Legitimate interest / consent | Deletion |
| Payment and billing records | Controller | 7 years | Tax / audit obligations | Deletion after legal hold release |
| Cookies and analytics identifiers | Controller | Per cookie table (maximum 13 months) | Consent (ePrivacy) / legitimate interest | Automatic expiry |

16. Changes to This Policy

We may update this Policy; changes are posted here with the updated date. For material changes, we provide notice via email or Website banner. Material changes affecting PHI handling will be handled through BAA amendment with covered customers and will not take effect against PHI until agreed in writing.

17. Contact Us

For questions or rights requests:

Scienza Health, Inc.

21163 Newport Coast Drive, Suite 137

Newport Beach, CA 92657

General / Privacy Inquiries: support@scienzahealth.com

Phone: +1 (888) 400-1409

HIPAA Privacy Officer: support@scienzahealth.com (mark "Attn: Privacy Officer")

EU / UK Data Protection Officer: dpo@scienzahealth.com

For complaints, you may also contact your local data protection authority — for example, the U.S. Department of Health and Human Services Office for Civil Rights for HIPAA matters, the California Privacy Protection Agency for CCPA/CPRA matters, or the Information Commissioner's Office for UK matters.