Privacy Policy

Last modified: June 23, 2025 (“Publication Date”)

1. Introduction

Helpany, Inc. (“Helpany”) and its parent company, Sedimentum AG (“Sedimentum”) (collectively referred to herein as the “Company,” or “we,” “us” and “our”) value your privacy and are committed to maintaining your trust. This Privacy Policy is being provided to US entities and Service users (“you”) to inform you of our policies and procedures regarding the collection, use, and disclosure of personally identifiable information received from visitors to and/or users of the Company’s website located at https://www.helpany.com/ (the “Website”) and provision of the Company’s products and services online.

The Company provides a motion detection and analysis system and in-App notifications to designated user-contacts when action/assistance may be needed through products called “Paul” and “Paul Junior” (each a “Product” and collectively, the “Products”). This system is operated through the Company’s web services accessible through the domain helpany.com, all its subdomains and/or mobile application (“App” or “Application”). Collectively, the Products, App, and Website are referred to herein as the Company’s “Services.” The Website, Product, and App are developed by Sedimentum and licensed to Helpany so it may directly contract with consumers and entities in the United States and sub-license the rights to use the Company’s Services.

The Helpany Product can be used for a variety of purposes, as further described in our Terms of Service, which is fully incorporated by reference herein.

2. Data Roles and Responsibilities

Sedimentum is designated as the data controller, as it determines the purposes and means of processing personal data and is responsible for operating the technology, cloud infrastructure, and overall service delivery. Helpany is responsible solely for sales, distribution, and customer success in the United States. Helpany does not operate any technical infrastructure or perform any processing activities independently. While Helpany may contract with U.S. customers under its own name, all personal data processing is conducted exclusively by Sedimentum on behalf of Helpany.

Helpany is solely responsible for responding to legal requests from its U.S. customers. Helpany shall direct the legal requests to Sedimentum. Sedimentum is solely responsible for responding to legal requests related to U.S. and Swiss customer or user data, including subpoenas, discovery demands, and regulatory inquiries and shall respond in compliance with Swiss law. Helpany is not authorized to independently access or disclose such information and will coordinate with Sedimentum and Swiss legal counsel to ensure compliance with applicable Swiss laws related to export of any data pursuant to U.S. customer legal requests.

3. Use, Processing, and Sharing of Personal Information

All processing of Personal Information is carried out by Sedimentum, which acts as the data controller. Helpany only processes or stores limited data, including but not limited to Personal Information of caregivers, residents, or customers, and only in relation to sales efforts in the United States or a customer’s use of the Services, specifically customer support. Helpany only provides customer support, distribution, and sales functions in the United States.

The following information applies to anyone who shares with us his, her, or a third-party’s [1] Personal Information [2]. We may use, process [3], and/or share your Personal Information (and we have done so in the past 12 months):

  • To respond to your inquiries and your requests regarding our Website or Services.
  • To send you information regarding our services and changes to our terms, conditions, and policies.
  • To complete your account registration, process your payments, and communicate with you regarding your purchase of our Services.
  • To send you marketing communication and newsletters about our Services.
  • To personalize your experience on our Website.
  • To inform you and allow you to participate in our Company’s promotions.
  • To facilitate social sharing functionality.
  • To collaborate with business affiliates, partners, vendors, or service providers to provide you with our Services.
  • In connection with our business purposes, as described above, including but not limited to data analysis, audits, fraud monitoring and prevention, developing or enhancing new and existing products and/or services, expanding our business activities, etc.

We will not use and/or share your Personal Information:

  • With anyone except for our Company’s authorized service providers [4], business affiliates [5], and business partners [6] (including Stripe, Inc., Google Pay, and Apple Pay), and strictly for business purposes; or unless we specifically inform you, and give you an opportunity to opt out of sharing your Personal Information. You herein agree that you have visited the websites of the aforementioned entities, and agreed to their Privacy Policies and Terms of Service.
  • To run interest-based advertising campaigns that collect Personal Information such as email addresses, telephone numbers, and credit card numbers.
  • To use or associate Personal Information with remarketing lists, cookies, data feeds, or other anonymous identifiers.
  • To use or associate targeting information, such as demographics or location, with any Personal Information collected from the ad or its landing page.
  • To share any Personal Information with Google or third party companies through our remarketing tag or any product data feeds which might be associated with our ads.
  • To send Google or third party companies precise location information without obtaining your consent.

However, we reserve the right to disclose Personal Information that we believe, in our sole discretion, to be necessary or appropriate in the following circumstances:

  • As required by law, such as to comply with a subpoena, or similar legal process.
  • When we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • To enforce our Terms of Service.
  • To allow us to pursue available remedies or limit the damages that we may sustain.

Profiling in the Context of Your Use of Company’s Services. When using the Company’s Services, an automated assessment of your personal characteristics may take place under certain circumstances (so-called “profiling”). Since the recorded sensor data are available in pseudonymized form, it is possible to create an activity profile of your premises. The activity profile of the respective room contains all activity information that was measured at the given time. Any movement (human, animal or mechanical etc.) within the room leads to a change in the activity information. Due to the pseudonymization of the data and the fact that the activity profile relates to a room and therefore not directly to you or another person, we consider the principle of proportionality to be upheld. We need this information to ensure the proper functioning of our Services.

Users with elevated rights who possess additional technology can be identified, enabling tracking of arrival, departure, and duration of visits within rooms where the Product is installed. All identified Users must wear an additional, dedicated device, available exclusively to business (non-consumer) customers. Companies that purchase and deploy this equipment assume full responsibility for ensuring compliance with all applicable regulations, including but not limited to employment contracts, workers’ rights, labor laws, and information rights of their Users. It is the purchasing company’s obligation to verify that the usage of this accessory adheres to all relevant legal standards and respects the rights and privacy of employees or other individuals using the Product.

Legitimate Business Interest. Our use of your Personal Information is based on the legitimate business grounds that:

  • The use is necessary in order to fulfill our commitments to you under our Terms of Service or other agreements with you or is necessary to administer your account – for example, in order to enable access to our Website on your device or charge you for our Services;
  • The use is necessary for compliance with a legal obligation;
  • The use is necessary in order to protect your vital interests or those of another person or entity;
  • We have a legitimate interest in using your information – for example, to provide and update our Website or Services, to improve our Website or Services so that we can offer you an even better user experience, to safeguard our Website or Services, to communicate with you, to measure, gauge, and improve the effectiveness of our advertising, and better understand user retention and attrition, to monitor and prevent any problems with our Services, and to personalize your experience; and/or
  • You have given us your consent.

Data Retention/Erasure. As the data controller, Sedimentum is responsible for all decisions relating to data retention, access, and deletion. U.S. customer requests will be managed by Helpany and routed to Sedimentum, which shall comply in accordance with applicable Swiss data protection laws.

Sedimentum retains raw sensor data for a maximum period of 21 days. This short retention period is necessary due to technical and storage constraints. After 21 days, raw sensor data is either permanently deleted or anonymized, in accordance with applicable data protection standards.

In contrast, high-level interpreted data points—such as movement interpretations, computed activity scores, engagement metrics, or other analytical insights derived from raw sensor data—may be retained for longer periods. These data points are generated by processing the raw sensor input and do not include the original data itself.

The duration of retention for these interpreted or aggregated data forms depends on their specific business use case, such as supporting system improvements, service optimization, algorithm training, or usage analytics. These durations are subject to change based on evolving technical needs, cost considerations, and operational requirements.

Sedimentum does not retain personally identifiable sensor data beyond what is necessary to operate, maintain, and improve the Services.

If, at any time after agreeing to this Privacy Policy, you: (1) change your mind about receiving information from us; (2) wish to revoke permission for us to retain and use your Personal Information; (3) wish to object to the processing of your Personal Information; or (4) wish for us to erase a copy of your data, please make a request to the Company at info@Helpany.com. If you request erasure of your data, we may retain some of your Personal Information only for legitimate business interests, such as fraud detection, prevention, and enhancing the safety of our Website; and to comply with our legal obligations, specifically our tax, legal reporting, and auditing obligations. Within four (4) years of the termination of the contractual relationship, we delete or anonymize this data, provided there are no statutory retention periods.

4. Collection of Other Information

Personally Non-Identifiable Information: We may collect personally non-identifiable information, including but not limited to demographic data, age, education level, profession, geographic location or gender, from you at the time of registration on our Website or app, or when you choose to use our Services. The Company may store such information, or it may be included in databases owned and maintained by partners, affiliates, agents, or service providers of the Company. The Company may use such information and pool it with other information to track data related to growing the business, such as the total number of visitors to our Website and the domain names of our visitors’ Internet service providers.

Specifically, your GPS geolocation information data, your movement activity, room detection activity, room mapping, and movement activity classifications collected by Company in the provision of its Services is automatically deleted or completely anonymized no later than 21 days after collection.

Protected Health Information (“PHI”) and HIPAA:

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provide specific protections for the privacy and security of “Protected Health Information” (“PHI”), and restrict how PHI is used and disclosed by “Covered Entities” and their “Business Associates,” as those terms are defined under HIPAA.

If you are a Covered Entity or a Business Associate engaging with the Company and disclosing PHI, execution of our Trial Agreement or Purchase Agreement includes execution of our Business Associate Agreement (“BAA”) unless a separate, duly executed Business Associate Agreement is in place between you and the Company. The full text of the BAA is attached as Exhibit B. The Company is not in a position to determine in advance whether any information it receives qualifies as PHI, and therefore shall not be held liable for any failure by the Covered Entity to execute the necessary agreements prior to the transmission of PHI. You may opt out of the BAA by sending the following information to the Company in a written notice (under the terms of your Trial Agreement or Purchase Agreement): your full legal name and any affiliate that is opting out.

This Privacy Policy shall apply to Covered Entity’s initial engagement of the Company. Covered Entity’s engagement shall be evidenced either by the deployment of the Product within its facilities or by a demonstrated intent to deploy the Product. Covered Entity’s intent to deploy the Product shall be shown through the Covered Entity’s request to initiate a trial and the sharing of necessary information in preparation of the trial. The Company will operate in accordance with its Notice of Privacy Practices attached hereto as Exhibit A, and has made its standard Business Associate Agreement available, attached as Exhibit B. By engaging with the Company—including by deploying the Product, initiating a trial, or sharing information in preparation thereof—the Covered Entity expressly agrees to the terms of the Business Associate Agreement in Exhibit B, unless a separate, duly executed Business Associate Agreement is in place between the Parties.

Should the Covered Entity require the execution of its own BAA in place of Exhibit B, such agreement may be negotiated and executed separately. In the event of conflict between Exhibit B and a separately executed BAA provided by the Covered Entity, the terms of the separately executed BAA shall take precedence.

This Website and the Services provided through it are not intended to be used by non-Covered Entities to communicate PHI. In accordance with our Terms of Service, if you are not a Covered Entity or not acting on behalf of one under a valid Business Associate Agreement, you should not use this Website or any related platforms to transmit information regarding your past, present, or future physical or mental health conditions.

We cannot guarantee the security or confidentiality of any such information transmitted through the Website or other communication channels we use to deliver our Services. By choosing to share any such Personal Information, including health-related details, you acknowledge and agree that you do so at your own risk and that such transmission does not impose any HIPAA-related obligations on the Company.

Location-Based Information. Our Service may use location-based services in order to locate you so we may verify your location, deliver you relevant content based on your location as well as to share your location with our vendors as part of the location-based services we offer. We may, from time to time, provide settings in the Services that permit you to disable location-based services. Changing setting options may not result in immediate changes to the settings, which are subject to our operations and maintenance schedules. Users should carefully consider the use of such settings to improve information display options and to ensure the settings are properly set and functioning in the manner desired. Notwithstanding the availability of privacy preference settings, you should be aware that these settings are for convenience only, do not employ complex data security protection and may not be error free. However, please note that we will only directly provide third parties we work with access to your exact location information if you first give us permission to do so. You should consider the risks involved in disclosing your location information to other people.

Passively Collected Information: Your visit to our Website may allow us to obtain certain additional, personally non-identifiable information that is collected passively using various technologies. This information includes, but is not limited to, IP addresses, browser types, date and time of page views, location information associated with your IP address, domain names, your interactions with an ad delivered by us or our ad technology partners and other anonymous statistical data involving your use of the Website and/or our services. This information cannot presently be used to specifically identify you.

Aggregated Personal Data: The Company may analyze your Personal Information provided through the Website or in connection with rendering the Services, in aggregate form. This aggregate information does not identify you personally. We may share this aggregate data with our partners, affiliates, agents, or service providers for business purposes. We may also disclose aggregated statistics to explain our Services to current and prospective business partners, and to other third parties for other lawful, business-related purposes.

Customer Credit Card Information. The Company uses a Third-Party Payment Processor, as that term is defined in the Privacy Policy which is incorporated by reference herein, to keep a protected copy of your credit card number. The Third-Party Payment Processor is Stripe, Inc. This billing data belongs to you, and by utilizing the Service, you grant the Company a license to use this data to bill you for services rendered. By purchasing the Services of the Company, you herein agree to the Terms of Service and Privacy Policy of Stripe, Inc., located at https://stripe.com/legal/end-users and https://stripe.com/privacy.

5. Website Tracking

We may, either directly or through third party companies and individuals we engage to provide services to us, also:

  • Track your use of our Website and the Services for purposes of our own customer support, analytics, research, product development, fraud prevention, risk assessment, regulatory compliance, investigation, etc.
  • Track your use of the Website and the Services to enable you to use and access the Services and pay for your activities on the Website and through the Services.
  • Track your behavior on our own Website and use of the Services to market and advertise our services to you on our Website platform and third party websites. You may opt out of receiving advertisements by visiting the Network Advertising Initiative (http://www.networkadvertising.org/choices/) and/or the Digital Advertising Alliance (http://www.aboutads.info/choices/). Please note that even if you choose to opt-out of receiving targeted advertising, you may still receive advertising on the Services, generally. The advertising will simply not be targeted or specific to your interests.

6. Tracking Technologies on our Website

The Company may use the following technologies to track your activity on our Website:

Cookies. When you visit our Website or otherwise interact with the Service, we may send one or more “cookies” to your computer or other devices. Cookies are alphanumeric identifiers stored on your computer through your web browser and are used by most websites to help personalize your web experience. Some cookies may facilitate additional site features for enhanced performance and functionality such as remembering preferences, allowing social interactions, analyzing usage for site optimization, providing custom content, allowing third parties to provide social sharing tools, and serving images or videos from third party websites. Some features on this site will not function if you do not allow cookies. We may link the information we store in cookies to any Personal Information that you submit while visiting our Website.

We may use both session ID cookies and persistent cookies. A session ID cookie expires when you close your browser. A persistent cookie remains on your hard drive for an extended period of time. Persistent cookies enable us to track and target the interests of our users to enhance the experience on our site.

Functional cookies, persistent and session type, store information to enable core site functionality, such as Live Chat and Client ID remembrance.

Analytics cookies allow us to count page visits and traffic sources so we can measure and improve the performance of our site and our marketing campaigns.

Advertising cookies may be set through our Website by our advertising partners. Data may be collected by these companies that enable the companies to serve up advertisements on other sites that are relevant to your interests.

If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to automatically decline cookies, or be given the choice of declining or accepting the transfer to your computer of a particular cookie (or cookies) from a particular site. You may also wish to refer to http://www.allaboutcookies.org/manage-cookies/index.html.

If you reject cookies, you may still use our site, but some features on the site will not function properly.

Web Beacons. Web beacons are electronic files that signal when a webpage, advertisement, video, other content, an email or newsletter has been viewed. They are usually invisible to you. We may use web beacons alone or in conjunction with cookies to compile information about our Service. Web beacons may be used within the Service to track email open rates, web page visits or form submissions. In some cases, we tie the information gathered by web beacons to your Personal Information to gauge the effectiveness of certain communications and our marketing campaigns.

Log Files. A Log File is a file that records either events that occur in an operating system or other software runs, or messages between different users of a communication software. Log file information is automatically reported by your browser or mobile application each time you access the Website or our Services. Along with cookies and web beacons, log files help provide additional functionality to the Website and Services and help us analyze Website and Services usage more accurately. We and our third party tracking-utility partners may use log files on our Service to automatically gather and store information including, but not limited to, internet protocol (“IP”) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data, for business purposes. We may use Google Analytics, which uses cookies and other similar technologies to collect and analyze information about the use of the Service and report on activities and trends. This service may also collect information regarding the use of other websites, apps and online resources. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

Embedded Scripts. An embedded script is programming code that is designed to collect information about your interactions with the Service, such as the links you click on. The code is temporarily downloaded onto your Device from our web server or a third party service provider, is active only while you are connected to the Service, and is deactivated or deleted thereafter.

Browser Fingerprinting. Collection and analysis of information from your Device, such as, without limitation, your operating system, plugins, system fonts and other data, for purposes of identification.

ETag, or entity tag. A feature of the cache in browsers. It is an opaque identifier assigned by a web server to a specific version of a resource found at a URL. If the resource content at that URL ever changes, a new and different ETag is assigned. Used in this manner ETags are a form of Device Identifier. ETag tracking may generate unique tracking values even where the consumer blocks HTTP, Flash and/or HTML5 cookies.

7. Children

The Children’s Online Privacy Protection Act of 1998 (COPPA) and its accompanying FTC regulation protect the privacy of American children aged 13 and under who are using the Internet.

The Website and our related Services are not intended for anyone under 16, and we do not knowingly collect information from anyone under the age of 16. Anyone aged 16 or under should not submit any Personal Information without the permission of their parents or guardians. Parents or guardians may, on behalf of their children, submit their children’s Personal Information. By using the Website and our Services, you are representing that you are at least 16 years old and that you have the relevant legal authority to submit your Personal Information or that of a third-party minor, to the Company or on the Company’s Website.

8. Links to Other Websites

This Privacy Policy does not address, and we are not responsible for the privacy, information or other practices of any third parties. This Privacy Policy applies only to this Website and the Company’s Services. It does not apply to any third-party sites, and the inclusion of a link does not imply endorsement of the linked site or service by us or by our affiliates.

We are not responsible for the collection, usage and disclosure policies and practices (including the data security practices) of other organizations, such as Facebook, Apple, Google, Microsoft, RIM or any other app developers, app provider, social media platform provider, operating system provider, wireless service provider or device manufacturer, including any Personal Information you disclose to other organizations through or in connection with the Website, app, or Services.

9. Security

We maintain reasonable and appropriate, although not infallible, security precautions. However, we cannot guarantee that hackers or unauthorized personnel will not gain access to your Personal Information, despite our reasonable efforts. You should note that in using the Website, app, and/or our related Services, your information will travel through third-party infrastructures which are not under our control. Please feel free to raise any questions, concerns or specific directions you may have regarding the privacy and security of your information to info@Helpany.com.

10. Data Retention

Sedimentum retains raw sensor data for a maximum period of 21 days. This short retention period is necessary due to technical and storage constraints. After 21 days, raw sensor data is either permanently deleted or anonymized, in accordance with applicable data protection standards.

In contrast, high-level interpreted data points—such as movement interpretations, computed activity scores, engagement metrics, or other analytical insights derived from raw sensor data—may be retained for longer periods. These data points are generated by processing the raw sensor input and do not include the original data itself.

The duration of retention for these interpreted or aggregated data forms depends on their specific business use case, such as supporting system improvements, service optimization, algorithm training, or usage analytics. These durations are subject to change based on evolving technical needs, cost considerations, and operational requirements.

Sedimentum does not retain personally identifiable sensor data beyond what is necessary to operate, maintain, and improve the Services.

11. Do Not Track

Your browser setting may allow you to automatically transmit a “Do Not Track” signal to websites you visit. The Company’s Website does not respond to “Do Not Track” signals or other mechanisms from a visitor’s browser. If, in the future, we create a program or protocol to respond to such web browser “Do Not Track” signals, we will inform you of the details of that protocol in this Privacy Policy. To find out more about “Do Not Track,” please visit https://www.allaboutdnt.com.

12. Advertising/Google Ads

On this Website, the Company has integrated Google Ads. Google Ads is a service for Internet advertising that allows the advertiser to place ads in Google search engine results and the Google advertising network. Google Ads allows an advertiser to pre-define specific keywords, so that an ad is displayed in Google’s search results only when the user utilizes the search engine to retrieve a keyword-relevant search result. In the Google Advertising Network, the ads are distributed on relevant web pages using an automatic algorithm, taking into account the previously defined keywords.

The operating company of Google Ads is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.

The purpose of Google Ads is the promotion of our website by the inclusion of relevant advertising on the websites of third parties and in the search engine results of the search engine Google and an insertion of third-party advertising on our website.

If a data subject reaches our website via a Google ad, a conversion cookie is filed on the information technology system of the data subject through Google. The definition of cookies is explained above. A conversion cookie loses its validity after 30 days and is not used to identify the data subject. If the cookie has not expired, the conversion cookie is used to check whether certain sub-pages, e.g., the shopping cart from an online shop system, were called up on our website. Through the conversion cookie, both Google and the controller can understand whether a person who reached a Google Ads ad on our website generated sales, that is, executed or canceled a sale of goods.

The data and information collected through the use of the conversion cookie is used by Google to create visit statistics for our website. These visit statistics are used in order to determine the total number of users who have been served through Google Ads ads to ascertain the success or failure of each Google Ads ad and to optimize our Google Ads ads in the future. Neither our company nor other Google Ads advertisers receive information from Google that could identify the data subject.

The conversion cookie stores personal information, e.g. the Internet pages visited by the data subject. Each time we visit our Internet pages, Personal Information, including the IP address of the Internet access used by the data subject, is transmitted to Google in the United States of America. Personal Information is stored by Google in the United States of America. Google may pass this Personal Information collected through the technical procedure to third parties.

The data subject may, at any time, prevent the setting of cookies by our website, as stated above, by means of a corresponding setting of the Internet browser used and thus permanently deny the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a conversion cookie on the information technology system of the data subject. In addition, a cookie set by Google Ads may be deleted at any time via the Internet browser or other software programs.

The data subject has the possibility of objecting to the interest-based advertising of Google. To do so, the data subject must access, from each of the browsers in use, the link www.google.com/settings/ads and set the desired settings.

Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/.

13. Analytics

Google Analytics. We and our third-party tracking-utility partners use log files on our Service to automatically gather certain information, including but not limited to internet protocol (“IP”) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data, for analytics purposes. Specifically, we analyze trends, administer the site, track users’ movements around the Website, and gather demographic information about our user base in the aggregate.

On this Website, the Company has integrated the component of Google Analytics. Google Analytics is a web analytics service. Web analytics is the collection, gathering, and analysis of data about the behavior of visitors to websites. A web analysis service collects, inter alia, data about the website from which a person has come (the so-called referrer), which sub-pages were visited, or how often and for what duration a sub-page was viewed. Web analytics are mainly used for the optimization of a website and in order to carry out a cost-benefit analysis of Internet advertising.

The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.

The purpose of the Google Analytics component is to analyze the traffic on our website. Google uses the collected data and information, inter alia, to evaluate the use of our Website and to provide online reports, which show the activities on our websites, and to provide other services concerning the use of our Internet site for us.

Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies is explained above. With the setting of the cookie, Google is enabled to analyze the use of our website. With each call-up to one of the individual pages of this Internet site, which is operated by the controller and into which a Google Analytics component was integrated, the Internet browser on the information technology system of the data subject will automatically submit data through Google Analytics component for the purpose of online advertising and the settlement of commissions to Google. During the course of this technical procedure, the enterprise Google gains knowledge of Personal Information, such as the IP address of the data subject, which serves Google, inter alia, to understand the origin of visitors and clicks, and subsequently create commission settlements.

The cookie is used to store Personal Information, such as the access time, the location from which the access was made, and the frequency of visits to our Website by the data subject. With each visit to our Internet site, such Personal Information, including the IP address of the Internet access used by the data subject, will be transmitted to Google in the United States of America. Personal Information is stored by Google in the United States of America. Google may pass this Personal Information collected through the technical procedure to third parties.

The data subject may, as stated above, prevent the setting of cookies through our Website at any time by means of a corresponding adjustment of the web browser used and thus permanently deny the setting of cookies. Such an adjustment to the Internet browser used would also prevent Google Analytics from setting a cookie on the information technology system of the data subject. In addition, cookies already in use by Google Analytics may be deleted at any time via a web browser or other software programs.

In addition, the data subject has the possibility of objecting to a collection of data that is generated by Google Analytics, which is related to the use of this Website, as well as the processing of this data by Google and the chance to preclude any such. For this purpose, the data subject must download a browser add-on under the link https://tools.google.com/dlpage/gaoptout and install it. This browser add-on tells Google Analytics through a JavaScript, that any data and information about the visits of Internet pages may not be transmitted to Google Analytics. The installation of the browser add-ons is considered an objection by Google. If the information technology system of the data subject is later deleted, formatted, or newly installed, then the data subject must reinstall the browser add-ons to disable Google Analytics. If the browser add-on was uninstalled by the data subject or any other person who is attributable to their sphere of competence, or is disabled, it is possible to execute the reinstallation or reactivation of the browser add-ons.

Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/ and under http://www.google.com/analytics/terms/us.html. Google Analytics is further explained under the following Link https://www.google.com/analytics/.

Facebook Analytics. The Company also uses Facebook Analytics, which allows us to analyze data, trends and charts related to your use of our Services, including but not limited to data related to your launching, viewing content, searching or purchasing.

Facebook is a social network. A social network is a place for social meetings on the Internet, an online community, which usually allows users to communicate with each other and interact in a virtual space. A social network may serve as a platform for the exchange of opinions and experiences, or enable the Internet community to provide personal or business-related information. Facebook allows social network users to create private profiles, upload photos, and network through friend requests.

The operating company of Facebook is Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. If a person lives outside of the United States or Canada, the controller is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

With each call-up to one of the individual pages of this Website, which is operated by the controller and into which a Facebook component (Facebook plug-ins) was integrated, the web browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding Facebook component from Facebook through the Facebook component. An overview of all the Facebook Plug-ins may be accessed under https://developers.facebook.com/docs/plugins/. During the course of this technical procedure, Facebook is made aware of what specific part of the Website was visited by the data subject.

If the data subject is logged in at the same time on Facebook, Facebook detects with every call-up to our Website by the data subject – and for the entire duration of their stay on our Internet site – which specific sub-site of our Internet page was visited by the data subject. This information is collected through the Facebook component and associated with the respective Facebook account of the data subject. If the data subject clicks on one of the Facebook buttons integrated into our Website, e.g. the “Like” button, or if the data subject submits a comment, then Facebook matches this information with the personal Facebook user account of the data subject and stores the personal data.

Facebook always receives, through the Facebook component, information about a visit to our website by the data subject, whenever the data subject is logged in at the same time on Facebook during the time of the call-up to our Website. This occurs regardless of whether the data subject clicks on the Facebook component or not. If such a transmission of information to Facebook is not desirable for the data subject, then he or she may prevent this by logging off from their Facebook account before a call-up to our Website is made.

The data protection guideline published by Facebook, which is available at https://facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. In addition, it is explained there what setting options Facebook offers to protect the privacy of the data subject. In addition, different configuration options are made available to allow the elimination of data transmission to Facebook. These applications may be used by the data subject to eliminate a data transmission to Facebook.

HotJar. The Company uses HotJar for website analytics to understand how visitors behave on our website. The information collected by HotJar may include any or all of the following: visual heatmaps for where users click, move, and scroll; recordings of each visit, including the clicks, mouse movements, u-turns, and rage clicks; and feedback suggestion box.

In using our Website and/or Services, you agree to the HotJar Privacy Policy located at https://www.hotjar.com/legal/policies/privacy/ as referenced in its Terms of Use located at https://www.hotjar.com/legal/policies/terms-of-service/, both of which are incorporated herein by reference.

14. Your California Privacy Rights

While Helpany may enter into commercial agreements with U.S. customers, it does not determine how personal data is used or processed. All data subject rights requests will be handled by Helpany and routed to Sedimentum, the data controller. Sedimentum shall comply with Swiss law in addressing all requests.

California “Shine the Light” Law

Under California Civil Code Section 1798.83, California customers are entitled to request information relating to whether a business has disclosed Personal Information to any third parties for the third parties’ direct marketing purposes. This code section applies to businesses with 20 or more full or part-time employees. At this time, the Company does not need to comply with this law, but does so voluntarily in an effort to assure you that we value your privacy.

You may request and obtain from us once a year, free of charge, certain information about the Personal Information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of Personal Information that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to info@Helpany.com.

California Consumer Privacy Act

Organizations who are subject to the California Consumer Privacy Act (CCPA) must provide a clear and conspicuous link titled “Do Not Sell My Personal Information” on their homepage and in their privacy policy in order to meet the requirements of the new CA privacy law effective as of January 1, 2020. The law applies to businesses with over $25 million in revenue, those handling information from 100,000 consumers, or deriving 50%+ annual revenue from selling consumer personal information. At this time, the Company does not need to comply with this law, but does so voluntarily in an effort to assure you that we value your privacy.

You may opt out of the Company’s sale of your personal information at any time by emailing us at info@Helpany.com. Under the CCPA, “personal information” is defined to include information that identifies or relates to a particular consumer or household including, but not limited to, name, postal address, email address, IP address, social security number, personal property records, purchasing histories, biometric information, internet activity such as browsing or search history, geolocation data, employment information, education information and inferences drawn from this information, in so far as it is not publicly available information. The Company’s “sale” of personal information is broadly defined by the law to include selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. In other words, most business to business transfers of personal information will fall within the definition of a sale.

The Company has provided visitors to our Website with a link to an Internet Web page on our Website enabling visitors to opt out of the “sale” of their “personal information.” Our Website also contains a recognizable and uniform opt-out logo or button to promote consumer awareness of the option to opt-out. Please feel free to access both for more information and to effectively opt out.

Additionally, if you are a California resident age 16 or older, as of January 1, 2020, the CCPA gives you certain rights with respect to the processing of your personal information.

  1. RIGHT TO KNOW REQUEST – Under the CCPA, you may have a right to request information about our collection, use, and disclosure of your personal information over the prior 12 months, and ask that we provide you with the following information:
    • Categories of and specific pieces of personal information we have collected about you.
    • Categories of sources from which we collect personal information.
    • Purposes for collecting, using, or selling personal information.
    • Categories of third parties with which we share personal information.
    • Categories of personal information disclosed about you for a business purpose.
    • If applicable, categories of personal information sold about you and the categories of third parties to which the personal information was sold, by category or categories of personal information for each third party to which the personal information was sold.
  2. RIGHT TO DELETE REQUEST – You may also have a right to request that we delete personal information, subject to certain exceptions. They can be invoked if it is necessary for the Company to maintain the personal information pursuant to the exception.
    • Transactional: Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
    • Security: Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
    • Errors: Debug to identify and repair errors that impair existing intended functionality.
    • Free Speech: Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
    • CalECPA Compliance: Comply with the California Electronic Communications Privacy Act
    • Research in the Public Interest: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
    • Expected Internal Uses: To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
    • Legal Compliance: Comply with a legal obligation.
    • Other Internal Uses: Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
    • Absent an exception, under the CCPA, we have 45 days to comply with your request.
  3. DISCLOSURES OF PERSONAL INFORMATION FOR BUSINESS PURPOSE – In the preceding 12 months, we may have disclosed certain personal information to the categories of recipients listed in Section III of this Privacy Policy for one or more business purposes. If you are a California resident 16 years of age or older and would like to make a verifiable request for information about the personal information we have collected about you or a request for deletion of such personal information, please submit your request in writing to info@Helpany.com and Helpany will route your request accordingly.

15. Referrals

If you choose to use our referral service to tell a friend about our Services by email, we will ask for your friend’s email address, and send your friend a one-time email inviting them to visit our Website and inform them of our Services. We will only store your friend’s email address for the sole purpose of sending this one-time message and tracking the success of the referral program. Your friend may contact us at info@Helpany.com to request that we remove this information from our database at any time.

If you submit any Personal Information relating to other people to us or to our service providers in connection with our Services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

16. Testimonials, Ratings and Reviews

If you submit testimonials, ratings, or reviews of the Services directly on our Website, any Personal Information you include will be displayed on the Website. We may also partner with third-party service providers to collect and display ratings and review content on our Website. If you provide our third-party service providers with your Personal Information in the process of submitting your rating and review, the content and Personal Information collected by a third party will be posted on our Website, absent your express instruction not to do so. If you want your testimonial, rating, or review removed from our Website at any time, please contact us at info@Helpany.com.

17. Changes

This Privacy Policy may be updated from time to time for any reason, at our sole discretion. We will notify you of any material changes to our Privacy Policy by posting the new Privacy Policy on our Website, and emailing you a copy of the revised Privacy Policy or a link to it. You are advised to consult our Website regularly for any changes.

The most recently published version of this Privacy Policy is effective as of January 1, 2025 (“Effective Date”). If you continue to use our Services, Website, and/or App after the Publication Date, you expressly agree to the terms of the Privacy Policy and its related Terms of Service, incorporated fully by reference herein, as of that Effective Date.

18. Incorporation into Terms of Service

By using or accessing the Website or the Services, you are accepting the practices described in this Privacy Policy, and you are consenting to our processing of your information as set forth in this Privacy Policy and as amended by us. This Privacy Policy is incorporated into, and considered a part of, the Company’s Terms of Service.

19. Opt-Out Policy

If, at any time after registering, you change your mind about receiving information from us or about the use of information volunteered by you, or if you prefer that we do not share your Personal Information with third parties for marketing purposes, please contact us at info@Helpany.com.

20. Contact Us

For all requests related to your Personal Information, please contact Helpany at the information provided below. You may reach out to Helpany for general inquiries via email at info@Helpany.com or at the postal mail address below, and we will route your request accordingly to Sedimentum, which shall comply under Swiss law.

Helpany, Inc.
2261 Market Street #86050
San Francisco
CA 94114

1 Third Party Personal Information. We may obtain your Personal Information from third parties, such as third parties with whom we affiliate in providing the Company’s services. If you provide the Company with Personal Information about third parties, you warrant to the Company that any Personal Information that you provide to the Company about any third party individuals was obtained by you with full consent, that you have the legal authority to provide us with such information, and that the individual has not communicated to you that they wish to opt out of receiving communications from the Company or having the Company collect information about him or her.
2 Personal Information. “Personal Information” may include, but is not limited to information that identifies you as an individual or relates to an identifiable person, such as name, postal address, telephone number, email address, etc. The Company does not collect any Personal Information from visitors to its website that is not voluntarily provided. The Company only collects your Personal Information if you register for an account with the Company’s Website, when you use the Company’s Services, and when you send the Company communications in connection with your use of the Services.
3 Process. “Processing” covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
4 Authorized service providers are companies that perform certain services including, but not limited to, fulfilling orders, processing credit card payments, delivering packages, providing customer service and marketing assistance, performing business and local sales analyses, supporting the functionality of the Services, and supporting contests, sweepstakes, surveys and other features we offer, on our behalf. These service providers may have access to your Personal Information, but to the extent necessary to perform or fulfill their business purpose. We do not permit them to share or use any of your Personal Information for any other purpose.
5 Affiliate businesses are those businesses with whom we may affiliate to sell our products or Services. We may share information we collect, including Personal Information, with affiliated businesses. Sharing such information with our affiliates enables us to provide you with information about a variety of products and Services that might interest you. We instruct all affiliated businesses to comply with applicable privacy and security laws and, at a minimum, in any commercial email they send to you, to give you the opportunity to choose not to receive such email messages in the future.
6 Business partners are typically merchants offering the products, services, promotions, contests and/or sweepstakes in connection with or somehow related to our own products and Services. We will not share your Personal Information with business partners unless you choose to participate in their offer or program. When you choose to engage in a particular offer or program, you authorize us to share your email address and other Personal Information with the relevant business partner.

Exhibit A: Notice of Privacy Practices

Effective Date: January 1, 2024

This Notice describes how the Company may use and disclose Protected Health Information (“PHI”) and the rights individuals have under the Health Insurance Portability and Accountability Act (“HIPAA”). Please review it carefully.

Our Responsibilities

As a business associate supporting healthcare providers, the Company is required by law to:

  • Maintain the privacy and security of PHI.
  • Provide this notice outlining our legal duties and privacy practices.
  • Follow the terms of this notice or any updates to it.

How We Use and Disclose PHI

We may use or disclose PHI without individual authorization for the following purposes:

Health Care Operations: To support services such as quality improvement, data analysis, and system functionality.

Legal Requirements and Subpoenas: The Company may be required to respond to subpoenas, court orders, or other lawful requests concerning PHI. The Company does not serve as the data controller of PHI in connection with its services and will assess each request individually, responding in accordance with applicable laws and legal standards. When appropriate, the Company coordinates with its subcontractors, including its parent company Sedimentum, to identify and process any affected data. Any disclosure occurs only after appropriate legal review, including verification of whether the requested information is protected by legal privileges such as the attorney-client privilege or attorney work-product doctrine. The Company does not influence international legal frameworks and recognizes that applicable foreign laws may impact its ability to respond to U.S.-based legal requests.

Business Operations: To subcontractors (including our parent company, Sedimentum) who support us in providing services. These subcontractors are required to comply with applicable HIPAA safeguards.

Public Safety: When necessary to prevent a serious threat to health or safety.

We do not sell PHI, use it for marketing, or disclose it for unrelated purposes without written authorization.

Your Rights

You have the right to:

  • Request access to your PHI.
  • Request an amendment to incorrect or incomplete PHI.
  • Request restrictions on certain uses and disclosures.
  • Request confidential communications, such as alternate contact methods.
  • Receive a notice of a breach of your PHI, if applicable.
  • Receive an accounting of disclosures.
  • You may receive an electronic copy of this Notice at any time. If you would like a paper copy, you may request one.
  • File a complaint.

To exercise any of these rights, contact us at: compliance@helpany.com

Changes to This Notice

We may change this Notice at any time and apply the new terms to PHI we already hold. The updated Notice will be available on our website, and you may request a copy at any time.

Complaints

If you believe your privacy rights have been violated, you can:

  • Contact us directly.
  • File a complaint with the U.S. Department of Health and Human Services Office of Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington D.C. 20201; calling 1-877-696-6755; or visiting https://www.hhs.gov/hipaa/filing-a-complaint/what-to-expect/index.html
  • We will not retaliate against you for filing a complaint.

Contact

If you have questions about this Notice, please contact:

Email: compliance@helpany.com

Mailing Address:

Helpany Inc.
2261 Market Street, #86050
San Francisco, CA 94114

 

Exhibit B: Business Associate Agreement

If Customer is a Covered Entity or a Business Associate and discloses Protected Health Information to Helpany, Inc. (“Helpany”) and its parent company, Sedimentum AG (“Sedimentum”) (collectively referred to herein as the “Company”), this HIPAA Business Associate Agreement (“BAA”) is incorporated upon execution of the Trial Agreement and/or Purchase Agreement collectively referred as (“Agreement”) that incorporates the Company’s Privacy Policy. If there is any conflict between a provision in this BAA and a provision in Agreement, this BAA will control.

1. Definitions.

Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.

“Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.

“Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Company.

“Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Customer.

“Customer,” for this BAA only, means Customer and its Affiliates.

“HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, which includes the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009.

“Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.

“Protected Health Information” or “PHI” has the same meaning given to the term “protected health information” in 45 CFR §§ 164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

“Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.

2. Uses and Disclosures of PHI.

  1. Except as otherwise indicated in this BAA, the Company may Use and Disclose PHI for, or on behalf of, Customer as specified in the Agreement; provided that any such Use or Disclosure would not violate HIPAA if performed by Customer, unless expressly permitted under paragraph b of this Section.
  2. Except as otherwise limited by this BAA or federal or state law, Customer authorizes Company to use the PHI in its possession for the proper management and administration of Company’s business and to carry out its legal responsibilities. Company may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Company obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Company immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.

3. Responsibilities of Company.

  1. To the extent Company is acting as a Business Associate, Company agrees to the following:
    1. Use and Disclosure. Except as otherwise provided in this BAA, Company may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Customer, and to undertake other activities of Company permitted or required of Company by this BAA or as required by law. Company will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Company will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
    2. Safeguards. Company will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Company agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Customer. Company agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.
    3. Reporting. Company will report to Customer: 1) any Use or Disclosure of PHI not provided for by this BAA of which it becomes aware, 2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or 3) any Breach of Customer’s Unsecured Protected Health Information that Company may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Company agrees to report any such event within five (5) business days of becoming aware of the event. For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Company’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be delivered to contacts identified by Customer pursuant to Section IV(B) (Contact Information for Notices) of this BAA by any means Company selects, including through email. Company’s obligation to report under this Section is not and will not be construed as an acknowledgement by Company of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
    4. Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Company shall require its Subcontractors who create, receive, maintain, or transmit PHI on behalf of Company to agree in writing to: 1) the same or more stringent restrictions and conditions that apply to Company with respect to such PHI; 2) appropriately safeguard the PHI; and 3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Company remains responsible for its Subcontractors’ compliance with obligations in this BAA.
    5. Disclosure to the Secretary. Company shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Customer to the Secretary of the Department of Health and Human Services for purposes of determining Customer’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
    6. Access. Provided that the data is still available under Company’s Privacy Policy and data retention policies, Company agrees to furnish Customer with copies of the PHI maintained by Company in a Designated Record Set in the time and manner designated by Customer to enable Customer to respond to an Individual’s request for access to PHI under 45 CFR § 164.524. In the event any Individual or personal representative requests access to the Individual’s PHI directly from Company, Company, within ten (10) business days, will forward that request to Customer. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Customer.
    7. Amendment. Provided that the data is still available under Company’s Privacy Policy and data retention policies, upon request and instruction from Customer, Company will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Company as directed by Customer in accordance with procedures established by 45 CFR § 164.526. Any request by Customer to amend such information will be completed by Company within 15 business days of Customer’s request. In the event that any Individual requests that Company amend such Individual’s PHI or record in a Designated Record Set, Company within ten (10) business days will forward this request to Customer. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Customer.
    8. Accounting of Disclosures. Company, at the request of Customer, shall within thirty (30) days make available to Customer such information relating to Disclosures made by Company as required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
    9. Performance of Covered Entity’s Obligations. To the extent that Company is obligated to carry out a Covered Entity obligation under the Privacy Rule, Company shall comply with the Privacy Rule requirements that apply to Customer in the performance of such obligation.

4. Responsibilities of Customer.

  1. No impermissible Requests. Customer shall not request that Company Use or Disclose PHI in a manner that would be impermissible under HIPAA if performed by a Covered Entity (unless permitted by HIPAA for a Business Associate).
  2. Notices. Company will send any applicable notifications to the notification email address provided by Customer in the Agreement or via direct communication with Customer.
  3. Safeguards and Appropriate Use of PHI. Customer is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer’s obligation to implement privacy and security safeguards in the systems, applications, and software that Customer controls, configures, and uploads during its use of Company’s services under Agreement.

5. Applicability of BAA.

This BAA is applicable to services contracted by Customer under Agreement. It is Customer’s obligation to not disclose PHI to Company (as that term is defined in 45 CFR § 160.103 of HIPAA) until this BAA is effective as to the applicable service.

6. Definitions.

  1. Term. This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in Section VI(B) below, or (2) expiration of Customer’s Agreement.
  2. Termination for Breach. Upon written notice, either Party immediately may terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
  3. Return, Destruction, or Retention of PHI Upon Termination. Upon expiration or termination of this BAA, Company shall return or destroy all PHI in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the PHI upon termination of this BAA, then Company shall extend the protections of this BAA, without limitation, to such PHI and limit any further Use or Disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI.

7. Miscellaneous.

  1. Interpretation. The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA.
  2. Amendments; Waiver. This BAA may not be modified or amended except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.
  3. Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
  4. Severability. In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.
  5. No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Customer and Company under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Company an agent of Customer.