Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

GetPepWell, Inc. ("GetPepWell") is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to maintain the privacy of your Protected Health Information (PHI), to provide you with this Notice of Privacy Practices, and to abide by the terms of this Notice currently in effect. This Notice applies to all PHI created, received, maintained, or transmitted by GetPepWell in connection with the telehealth services we provide.

Our Duties

We are required by law to:

• Maintain the privacy and security of your Protected Health Information
• Provide you with this Notice of our legal duties and privacy practices regarding your PHI
• Follow the terms of the Notice that is currently in effect
• Notify you in the event of a breach of your unsecured Protected Health Information

We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI that we maintain. If we make a material change to this Notice, we will post the revised Notice on our website and make it available upon request.

Uses and Disclosures of Protected Health Information

The following describes the ways we may use and disclose your PHI. For each category, we provide an explanation and, where appropriate, examples. Not every use or disclosure will be listed, but all uses and disclosures will fall within one of the categories described below.

For Treatment

We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. This includes sharing your health information with physicians conducting your telehealth consultations, specialists to whom you may be referred, and compounding pharmacies that fulfill your prescriptions. For example, a physician reviewing your medical intake questionnaire before your consultation is a use of PHI for treatment.

For Payment

We may use and disclose your PHI to obtain payment for healthcare services we provide to you. This includes activities such as processing subscription billing, submitting claims, verifying insurance eligibility (if applicable), and conducting utilization review. For example, we may share limited information with our payment processor to verify that your subscription is active.

For Healthcare Operations

We may use and disclose your PHI for our healthcare operations, which are activities necessary to run our platform and ensure that our patients receive quality care. These activities include:

• Quality assessment and improvement activities
• Reviewing the competence and qualifications of healthcare professionals
• Training programs for medical staff and trainees
• Conducting or arranging for medical review, legal services, and auditing functions
• Business planning, development, and general administrative activities
• Compliance monitoring and fraud prevention

Required by Law

We may use or disclose your PHI when required to do so by federal, state, or local law. Such disclosures will be made in compliance with the law and limited to the relevant requirements of the law. For example, we may be required to report certain communicable diseases to public health authorities.

Public Health Activities

We may disclose your PHI for public health activities as permitted by law, including:

• Reporting to a public health authority for the purpose of preventing or controlling disease, injury, or disability
• Reporting adverse events, product defects, or problems with medications to the FDA
• Notifying a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition

Health Oversight Activities

We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, licensure, and other proceedings. These activities are necessary for the government to monitor the healthcare system, government benefit programs, and compliance with civil rights laws.

Your Rights Regarding Your PHI

You have the following rights with respect to your Protected Health Information. To exercise any of these rights, please submit a written request to our Privacy Officer using the contact information provided at the end of this Notice.

Right to Access

You have the right to inspect and obtain a copy of your PHI that is maintained in our designated record set. This includes medical records, billing records, and other records used to make decisions about your care. We will provide your records in the format you request if it is readily producible, or in a mutually agreed-upon alternative format. We may charge a reasonable, cost-based fee for copies. We will respond to your request within 30 days.

Right to Amend

You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request under certain circumstances, such as if the information was not created by us, is not part of the record set, or is already accurate and complete. If we deny your request, we will provide you with a written explanation.

Right to an Accounting of Disclosures

You have the right to request a list (accounting) of certain disclosures of your PHI that we have made. This accounting will not include disclosures made for treatment, payment, or healthcare operations, or disclosures you authorized in writing. The first accounting within a 12-month period will be provided free of charge. Additional requests within the same period may be subject to a reasonable fee.

Right to Request Restrictions

You have the right to request restrictions on certain uses and disclosures of your PHI. For example, you may ask that we not use or disclose your PHI for treatment, payment, or healthcare operations purposes. We are not required to agree to your requested restriction, except where the disclosure is to a health plan for payment or healthcare operations purposes and the PHI pertains solely to a healthcare item or service for which you have paid in full out of pocket.

Right to Request Confidential Communications

You have the right to request that we communicate with you about your health matters in a particular manner or at a certain location. For example, you may ask that we contact you only at a specific email address or phone number. We will accommodate reasonable requests when possible.

Right to a Paper Copy

You have the right to obtain a paper copy of this Notice of Privacy Practices upon request, even if you have previously agreed to receive the notice electronically.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with GetPepWell or with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). We will not retaliate against you for filing a complaint.

Filing with GetPepWell

To file a complaint with GetPepWell, please contact our Privacy Officer:

• Email: privacy@getpepwell.com
• Mail: GetPepWell, Inc., Attn: Privacy Officer, [Address to be provided]

Filing with the Office for Civil Rights

You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

• Online: HHS Complaint Portal
• Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
• Mail: U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201

Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI that we currently maintain, as well as any PHI we create or receive in the future. We will post the revised Notice on our website with a new effective date. You may request a copy of the current Notice at any time by contacting our Privacy Officer.

Effective Date

This Notice of Privacy Practices is effective as of March 1, 2026.

Contact Information

For questions about this Notice or to exercise your rights, please contact our Privacy Officer:

• Email: privacy@getpepwell.com
• Phone: [Phone number to be provided]
• Mail: GetPepWell, Inc., Attn: Privacy Officer, [Address to be provided]