Privacy Policy

Effective June 4, 2025

Privacy Statement

 This Privacy Policy outlines the general policies of AnthroTronix, Inc. (“ATI,” “we,” “us” or “our”) regarding data security and privacy, the types of information we gather, how we use it, and the notice and choice affected individuals have regarding our use of, and their ability to correct, that information. This policy applies to the DANA® mobile applications, our cloud database and web portal, this Website, and all of our other products and services (collectively referred to as the “Products”) and all personal data collected thereby. 

This Privacy Policy also addresses administrative and technical measures implemented by ATI to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) regulating the security and privacy of protected health information in the United States. 

By visiting or using the danabrainvital.com or anthrotronix.com website, any other internally linked web pages, features, content, or any other products or services we offer from time to time by or in connection therewith (collectively, the “Website”), you acknowledge that you understand, agree, and consent to the practices and policies outlined in this Privacy Policy. 

DEFINITIONS 

As used herein, the following definitions apply: 

“Protected Health Information” (or “PHI”) is Personal Information that consists of health information, including demographic information, created or received by ATI or the Products and which relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies or can be used to identify the individual. 

“Personal Information” (or “PII”) means any data element that: (i) is recorded in any form, (ii) is about, or pertains to a specific individual, and (iii) can be linked to that individual whether through the information or the collection of the information and other publicly available information on the individual. 

INFORMATION COVERED BY THIS PRIVACY POLICY 

This Privacy Policy covers our treatment of Personal Information that we gather when you are accessing or using the Products. This policy does not apply to the practices of companies that we do not own or control, or to individuals that we do not employ or manage. 

Information You Provide to Us 

The types of information we may collect directly from you or your provider include:

• Account Information, such as name, email address, phone number, and any other information a patient or provider may choose to provide; 

• PII and PHI, such as demographic information (e.g., age, gender, language preferences, and education) and health-related information that you or your provider input into the Products (e.g., symptoms, medications, and medical history); 

• Information about others, such as the names, telephone numbers, and email addresses of patient caregivers; 

• Other information you choose to provide, such as when you contact us, or when you request technical or customer support. 

Information We Collect Automatically 

When you access or use the Products, the types of information we may automatically collect about you include: 

• Non-personally identifiable information. We collect information about the Products and how users use them, such as the assessments completed within the DANA mobile applications. 

• Assessment data. We collect data regarding your responses on reaction time measurements and psychological questionnaires to share with your healthcare provider. This data includes assessment type, date and time of the assessment, timestamps of responses, and responses (chosen or filled in). 

• Device information. We collect device-specific information such as the mobile device model number and operating system version used for the Products. 

• Log information. We may collect and store certain information when you use the Products to enable us to enhance future versions of the application. This information may include the dates and times you use the application, device event analytics such as application crashes, and hardware settings.

• Information Collected by Cookies and Other Tracking Technologies. We and our service providers use various tracking technologies, including cookies and web beacons, to collect information about you when you interact with the Website. Cookies are small data files stored on your hard drive or in device memory that help us improve the Website and your experience, and count visits. Web beacons are electronic images that may be used in the operation of the Website or emails and help deliver cookies, count visits and understand usage and campaign effectiveness. 

Links to Other Websites 

Our Products may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site, and the privacy policies of the sites to which you migrate will apply. We strongly advise you to review the privacy policy of every site you visit. This Privacy Policy applies to your interactions with our Products only. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services. 

This Privacy Policy does not address the privacy practices of the third parties on whose behalf we act as an independent contractor and recipient of PHI and PII, such as the group, institutional or medical provider that provided you access to the Products. We have no control over any other entity’s privacy practices. 

USE OF INFORMATION 

We may use your Personal Information for the following purposes: 

• Provide and Maintain our Products. We may use your Personal Information to provide and maintain our Products for your use, including to monitor the usage of our Website. 

• Product and Website Personalization and Improvement. We may use your Personal Information to personalize and improve the Products and our Website, including to link or combine it with information we get from others to help understand your needs and provide you with a better experience.

• Contract Performance. We may use Personal Information for the performance of a contract to allow access to the Products licensed to you or your provider and to manage a patient or provider account and send related information, including confirmations, updates, technical notices, security alerts and support and administrative messages. 

• Communications. We may use Personal Information to communicate with you, to respond to comments, questions and requests, and to provide customer service. 

• Marketing and Advertising. We may use Personal Information to improve our marketing and promotional efforts, including delivering information to you that, in some cases, is targeted to your interests, and to market new products and services to you. We may also retarget you on third-party platforms. 

• Security. We may use your Personal Information to detect, investigate and prevent fraudulent and other illegal activities and protect the rights and property of ATI and others. 

• Compliance with Law. We may use your Personal Information to respond to law enforcement requests, court orders and legal process, as well as to comply with any other applicable regulatory obligations. We may also use Personal Information to carry out our legal and contractual obligations and enforce our rights, or for any other purpose permitted by law or with your lawful consent. 

• De-identified Data. We may aggregate or de-identify, pseudonymize or anonymize Personal Information and PHI so that you cannot reasonably be identified and use such data for any lawful purpose. You acknowledge and agree that we may use your information in a de-identified manner to create aggregated, de-identified datasets, including to evaluate and implement future products or services and to share such de-identified datasets with third parties in accordance with applicable law, including without limitation, HIPAA and HITECH regulations. 

SHARING OF INFORMATION 

We may share information about you as follows or as otherwise described in this Privacy Policy: 

• Affiliates. We may share Personal Information internally between and among ATI and any current or future parent, subsidiary and/or affiliated company. 

• Vendors and Contractors. We may share Personal Information with vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf. 

• Advertising Partners. We may share Personal Information with advertising partners, who help us display digital ads, as well as track conversion and engagement with our ad campaigns. 

• Required by Law. We may share Personal Information in response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, rule, regulation or legal process, or if we believe your actions are inconsistent with our license provisions or other policies, or to protect the rights, property or safety of ATI or others.

• Corporate Transactions. In connection with, or during negotiations of, any merger, acquisition, sale of assets or any business, other change of control transaction or financing; the recipient of your information may subsequently use your information under the terms of their own privacy policies, which may differ from this Privacy Policy. 

• As Directed by You. We may share Personal Information with third parties with your consent or at your direction. 

CROSS-BORDER TRANSFER OF INFORMATION 

Personal Information is stored electronically on cloud-based servers located within the United States. We may transfer Personal Information to other countries or jurisdictions. In the event of a cross-border transfer, we will ensure that appropriate safeguards are in place to protect your Personal Information in accordance with applicable data protection laws. 

RETENTION OF INFORMATION 

ATI will retain Personal Information only for as long as is necessary for the purposes set out in this Privacy Policy. We may also keep a record of your past transactions with ATI. We will retain and use Personal Information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. 

YOUR CHOICES 

Location Information 

With your consent, we may collect information about your actual location when you use the DANA mobile applications. You may stop the collection of this information at any time by changing the settings on your mobile device, but note that some features of our mobile applications may no longer function if you do so. 

Native Applications on Mobile Device 

Some features of our mobile applications may require access to certain native applications on your mobile device. If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your mobile device.

Requests to Access, Correct or Delete Personal Information 

In order to request access to, correct, or delete any of your Personal Information, send an email to info@danabrainvital.com with the email subject line “DATA ACCESS REQUEST.” Please note, however, that we may need to retain certain information when we have a legal obligation or lawful basis to do so (e.g., to comply with other laws, cooperate with law enforcement, perform certain internal operations, or conduct internal research to improve products or services). 

ATI does not maintain any Designated Record Set (“DRS”) as that term is defined by HIPAA. Accordingly, all requests for access to PHI contained within a DRS should be directed to the third party institutional user that created and / or maintains the DRS, such as the group, institutional or medical provider that provided you access to the Products. Similarly, requests for amendments or restrictions to PHI or PII under HIPAA should be directed to the same third parties. 

ADDITIONAL PRIVACY RIGHTS 

In addition to the other rights described in this Privacy Policy, the laws of California, Colorado and other states that have comprehensive privacy laws permit residents of such states to request certain details about how their information is shared with third parties for direct marketing purposes. Under the law, a business must either provide this information or permit such residents to opt in to or opt out of this type of sharing. You have the right to submit a request to ATI and receive the following information within 30 days of its receipt of that request: (1) the types of Personal Information disclosed to third parties during the immediately preceding calendar year, (2) the names and addresses of third parties that received the Personal Information, and (3) if the nature of a third party’s business cannot be reasonably determined from the third party’s name, examples of its products or services. You are entitled to receive a copy of this information in a standardized format. Information provided will not be specific to you individually. All such requests must be in writing and sent to us at info@danabrainvital.com. ATI permits residents of these states to opt out of having their information shared with third parties for direct marketing purposes. You may make such a request by writing to us via the contact information listed below. 

CHILDREN 

The DANA mobile applications are intended for use by individuals aged 8 and older, including children under the age of 13, as part of their FDA-cleared medical use. We are committed to protecting the privacy of all users, including children, and we comply with the Children’s Online Privacy Protection Act (COPPA) and other applicable privacy laws. We do not knowingly collect Personal Information directly from children under the age of 13 without verifiable parental or guardian consent or authorization through a healthcare provider or authorized adult. Any collection of data from children is limited to what is necessary to provide the intended functionality of the Products and is handled in accordance with applicable legal and regulatory requirements, including those governing health information. 

If you are a parent or legal guardian and believe that your child under 13 has provided us with Personal Information outside of the authorized use of our Products, please contact us at info@danabrainvital.com, and we will take steps to delete such information promptly. None of the Products are intended to be downloaded, accessed, or used independently by children without appropriate supervision by a parent, legal guardian, or authorized clinician. 

SECURITY 

ATI has established and maintains comprehensive data security and privacy policies. These include the implementation of appropriate administrative, physical, and technical safeguards compliant with SOC 2 Type II standards to secure PHI and PII received, prevent misuse, and mitigate any potential harm to individuals in the event of a breach. Our employees are trained on the requirements of HIPAA, and their access to PHI and PII (including electronically provided PHI [“e-PHI”]) is based on job function. ATI implements other industry-standard security measures to validate our security controls and foster continuous improvement, including but not limited to (i) periodic audits of security controls and (ii) certification, accreditation, and independent reviews of our operations and our products, including SOC 2 Type II reports. The security of your Personal Information is important to us, but remember that no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. 

The DANA mobile applications and web portal are HIPAA-compliant and use the security measures mentioned below. We maintain strict security standards for both hardware and software and have implemented policies and procedures to comply with federal, state and local laws and regulations regarding the use and disclosure of such PHI and PII, to protect the confidentiality and integrity of the PHI and PII we collect or create, and to prevent inappropriate access to or disclosure of such information. In addition to these security features, access to information is also restricted based on the minimum information necessary and user permission level. 

DANA Mobile Applications 

The DANA mobile applications utilize the following safeguards (among others) to help secure any PHI and PII collected: 

• User authentication/authorization 

• Data encryption (mobile device storage and in transit to/from the DANA server) 

• Automated logoff (upon app focus switching, and screen being put to sleep) 

DANA Server and Web Portal 

All data generated or recorded in the DANA mobile applications is securely encrypted and stored in a database on servers within a virtual private cloud (“VPC”). Primary access to the cloud database is provided via authentication on the DANA web portal, which is also hosted on a HIPAA-compliant server. The web portal automatically logs out a user if they have been inactive on the site for ten minutes or longer. The DANA VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level. Transport layer security (TLS) safeguards have been implemented for any data transfers among the DANA cloud database, DANA web portal, and DANA mobile applications.

In the event of a breach of the confidentiality or security of your PHI or PII, we will notify you as required by law, if reasonably possible and as reasonably necessary, so that you can take appropriate protective steps. We may notify you under such circumstances using the email address(es) we have on record for you or through alternative means. You should also take care with how you handle and disclose your PHI and PII. Please refer to the Federal Trade Commission’s Website at consumer.ftc.gov for information about how to protect yourself against identity theft. 

UPDATES 

We may update this Privacy Policy at any time and in our sole discretion, including as required to comply with changes in HIPAA and/or HITECH regulations. Unless otherwise noted, any changes we make to this Privacy Policy will become effective immediately once posted to our Website. Please see the date noted above for the latest revision date. Your continued use of our Website following any changes to this Privacy Policy indicates your consent to the practices described in the revised Privacy Policy. 

CONTACT US 

If you have any questions or concerns about this Privacy Policy, your rights or any other aspects of your privacy and how we are collecting, using, protecting, and/or disclosing Personal Information, or if you would like more information on the security controls and policies, please contact us as follows: 

Email us at info@danabrainvital.com 

Or write to us at: 
AnthroTronix, Inc. 
8403 Colesville Road, Suite 1100 
Silver Spring, MD 20910 
Attn: Privacy Officer