Effective Date: 4/4/2025

CLEO TECHNOLOGIES, INC. PRIVACY POLICY

Table of Contents

1. Overview
2. What Information Do We Collect?
3. Cookies
4. How Do We Use Your Information?
5. What Information Do We Share or Disclose?
6. Your Rights Regarding Your Information
7. Additional Policies
8. Notice for Residents of European Economic Area, United Kingdom, or Switzerland

1. Overview.
   

1. Scope of Policy. This privacy policy (the “Policy”) is designed to inform users of our artificial intelligence documentation software and other products and services, whether accessed through our website (https://cleohealth.io/) or a mobile application (collectively, the “Services”), about how Cleo Technologies, Inc. (“Cleo”) collects, uses, and/or shares personal information in connection with the services that we provide. Cleo takes individual privacy seriously and we endeavor to inform you of the uses that we have for information that we obtain from you (collectively, “Personal Information”). We will take reasonable commercial steps to protect your privacy consistent with the guidelines set forth in this Policy and with applicable federal and state laws. Cleo’s treatment of patient information is governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and by Cleo’s contractual agreements with Providers. In this Policy, “Provider,” "user," “your,” or "you" refers to any individual from whom we obtain Personal Information, whether by using the Services, submitting any request through the Services, creating any account with the Services, or participating in any other activities or engaging with us. As the manners in which we obtain Personal Information and our uses for Personal Information may change, we encourage you to return to and reread this Policy from time to time. By accessing or using the Services, you acknowledge that you have read, understand, and agree to be bound by this Policy. If you do not agree to the terms of this Policy, do not use the Services.
   
2. Intended  Users. The Services provide a secure, encrypted platform that utilizes artificial intelligence technology to transcribe communications exchanged between licensed healthcare facilities and practitioners (each a “Provider”), patients, and other participants in the clinician-patient treatment relationship. Cleo intends that users of the Services will be Providers, who use it in connection with patient treatment. Cleo does not intend for any person that is not a Provider to use the Services and, if we learn of such use, we reserve the right to restrict the person from further use of the Services and delete or remove any information that the person has uploaded to the Services from our systems and database.
3. Patient Data. Cleo will enter a Business Associate Agreement with a Provider who uses the Services, pursuant to which Cleo agrees to maintain and protect all patient data that the Provider uploads to the Services according to the standards required of a “Business Associate” under HIPAA. Further, Providers who upload any patient data to the Services represent that they have obtained consent from the applicable patients to use and disclose their data for such purpose. The consent must be obtained in a manner that satisfies the requirements of all applicable law in the jurisdictions both where the patient is located and the Provider is located, and the Provider is solely responsible for determining that the consent is sufficient under such law. The Provider will maintain a copy of such consent and provide it to Cleo upon reasonable request. The Provider will be solely responsible for any claim of harm or damages to a patient or any third-party that results from the Provider uploading any patient data to the Services without proper consent.
4. Notice to Patients. Our processing of data on behalf of a Provider is governed by the agreements we enter into with the Provider. Your healthcare provider may also have its own privacy practices and/or policies that govern its collection and use of your data. If you are a patient who believes that Cleo is in possession of your healthcare or other personal data because your Provider uses the Services in connection with your treatment, you should consult with your Provider to discuss any questions regarding your data or the manner in which it will be used, maintained, or destroyed. To the extent required by applicable law, we will generally cooperate with your Provider in connection with any requests you submit relating to your data.

2. What Information Do We Collect? We collect two types of Personal Information from you: (i) Individualized Information, and (ii) Device Information:

1. Individualized Information. We may collect certain Individualized Information from you when you use the Services including, but not limited to, when you directly input this information while creating a user profile, provide it along with any feedback regarding the Services or question you send us, request that we provide any product or service, exchange any message or communication through the Service, or otherwise engage or interact with Cleo. Depending on the circumstances, this “Individualized Information” may include: your first and last name, email address, telephone number, postal address, education or work history or background, miscellaneous information in messages or communications sent to us or exchanged through the Services, or other information related to your individual interest in or need for the Services. In the event that we obtain your Individualized Information from other sources, we may add it to the Individualized Information that we have already collected from you in order to improve the Services and other Cleo products and services.
2. Device Information. We may collect certain web tracking information about the device that you use to connect to and use the Services. Depending on the circumstances, this “Device Information” may include, but is not limited to: information about your web browser (e.g., browser type, domain names, access times, and operating system), Internet protocol address (“IP address“); individual web pages or Cleo products or services that you have viewed and your time spent on each one; web pages or search terms that referred you to the Services; how you interact with the Services and your user
   preferences; time zone; or information about the cookies installed on your device. As described in Section 3, we may use cookies and navigational data like Uniform Resource Locators (“URLs”) to gather information regarding the date and time of your visit and the information for which you searched and viewed.

3. Cookies.

1. In General. A cookie is a small file containing a string of characters that is sent to your device or browser when you use a website or mobile application. When you use the website or mobile application again, the cookie allows it to recognize your device or browser. Cookies also offer a form of convenience in that they may store preferences and other information and, in doing so, save you time by allowing a website or mobile application to identify preferences that you have displayed or selected in the past. The Services may use cookies for purposes including, but not limited to, maintaining and improving the Services’ functionality, making the Services more efficient to you, generally customizing the Services to improve your experience, and offering advertisements through the Services that are relevant to you.
   
2. How Can You Control Cookies? You have the right to decide whether to accept, block, or reject cookies. You can generally select to accept, block, or reject cookies through your own device or browser controls. You should visit your device settings or browser’s help menu for instructions on how to make this selection and additional device-specific and browser-specific information about cookies. Cleo is not responsible for making this selection for you. If you choose to reject cookies, you may still use the Services, but your access to some functionality and areas of the Services may be restricted. For more information on how cookies work and how to control them, you may visit www.allaboutcookies.org.
   

4. How Do We Use Your Information?
   

1. Use of Personal Information. We may use Personal Information for a variety of purposes including, but not limited to: providing or communicating with you regarding our products and services; establishing and maintaining customer accounts; providing customer service; processing orders and transactions (including payments); verifying customer information; detecting security incidents that may compromise the confidentiality of Personal Information in our possession; maintaining or improving the quality or safety of our products or services; processing job applications; or enforcing our legal rights or as required by applicable law or requested by any judicial process or government agency.
   
2. Use of Device Information. We may use Device Information for a variety of purposes including, but not limited to: helping us screen for and prevent potential risk and fraud (in particular, through any IP address we collect from you); diagnosing and mitigating errors on the Services; administering and optimizing the Services; making our products and services more useful to you; generating analytics about how our customers browse and interact with the Services; assessing the success of any marketing or advertising
   campaigns; or storing user preferences. Using Device Information for these purposes allows us to determine which features on the Services users like best and generally helps us improve the Services and personalize each user’s experience.
3. Minimum Amount Necessary. Cleo will not use your Personal Information beyond the minimum amount and scope necessary to achieve the above purposes without first obtaining your consent.
4. License to Use Your Content. Please note that by sending us messages or inquiries, uploading files, inputting data, or engaging in any other form of communication through the Services, you are granting us a license to use, reproduce, disclose, publish, distribute, and otherwise exploit in any manner the content of any such message, inquiry, file, data, or communication. This license is granted to us without restriction and without the requirement that we compensate you in any way. We are under no obligation to maintain any such message, inquiry, file, data, or communication in confidence, or to provide you with any response or confirmation of receipt. For clarity, this section does not apply to any patient data, including Protected Health Information (PHI) as defined under HIPAA, that is submitted to the Services by or on behalf of a Provider.
   
5. Aggregated Data. To the extent permitted under applicable law, we may also create statistical, de-identified, anonymized, or aggregated data (collectively, “Aggregated Data”) relating to our users and the Services to use for analytical, research, or any other legal purposes. Aggregated Data includes data derived from Personal Information and data collected by Cleo from other sources that has been anonymized so that it does not relate to and could not reasonably be used to identify any individual.
   
6. Email Communications. If you provide us with your email address, we may in the future begin to send you promotional emails, including newsletters. If you wish to opt out of these communications, you may do so by following the "unsubscribe" instructions in the email.
   

5.   ​What Information Do We Share or Disclose?
   

1. Disclosure of Personal Information. We generally will not share or disclose Personal Information with any third-parties, except under the following circumstances:
   

1. When you have consented to us sharing or disclosing your Personal Information.
   
2. When the Personal Information is shared with or disclosed to a parent company, subsidiary, joint venture, or other entity under common control with us in order to achieve any of the purposes described in Section 4.
   
3. Subject to the terms of a confidentiality agreement, in connection with, and for the purposes of, a business deal (or negotiation of a business deal) involving the sale or transfer of all or a part of our business or assets. These deals may include any merger, financing, acquisition, or bankruptcy proceeding.
4. With a third-party contractor engaged to provide management, administrative, or support services on our behalf (a "Contractor"), which require the Contractor to have access to Personal Information. In this instance, we enter into an agreement with the Contractor limiting the Contractor’s use of the Personal Information to the minimum amount necessary to perform the services; requiring the Contractor to report any suspected or actual breach of security or other incident related to the Personal Information to us; and requiring the Contractor to adhere to the same level of privacy requirements that are required of us by all applicable law. By accessing or using the Services, you consent to our sharing your Personal Information with any Contractors and to the Contractors’ use of your Personal Information in accordance with all applicable law, this Policy, and the other terms and conditions applicable to the Services.
5. To detect, prevent, or otherwise address security, fraud, or technical issues.
6. To ensure the personal safety of any individual, including our employees or job applicants, users of the Services, or members of the general public.
7. To the extent required to comply with legal obligations, processes, or requests; enforce our contracts and agreements (including this Policy); or protect or defend our legal rights.
   
8. With third-party artificial intelligence service providers that process data submitted by Providers through the Services solely for the purpose of generating clinical documentation. In the course of using the Services, the following data may be transmitted to these providers: audio recordings of clinical encounters (transmitted to AssemblyAI and Microsoft Azure Speech Service for transcription) and transcribed clinical text derived from audio recordings (transmitted to Microsoft Azure AI Foundry Service for clinical note generation). All such providers have executed HIPAA Business Associate Agreements with Cleo and are contractually prohibited from retaining, accessing, or using any data for purposes other than providing the service. Data is transmitted over encrypted connections (TLS 1.2+) and is not used by these providers to train their models. Providers and/or provider organizations using the Services agree to this processing before initiating any recording session.
   

2. Aggregated Data. To the extent permitted by applicable law, we may in our sole discretion disclose any Aggregated Data that does not contain Personal Information to any third-parties for any legal purpose.
   
3. Network Operators. Use of the Services may involve the use of third-party search engine operators or telecommunications carriers. These operators are not our Contractors, and any information that these operators collect in connection with your use of the Services is not a part of our collected Personal Information and is not subject to this Policy. We are not responsible for the acts or omissions of these operators.
   

6.   ​Your Rights Regarding Your Information.
   

1. Removals. If you would like your Personal Information to be permanently removed from our database, please contact us by email at [email protected]. We may ask you to provide a copy of your driver’s license or other identifying documents to assist us in processing your request. Cleo may still contact users who have requested that their Personal Information be permanently removed for administrative purposes. The removal of your Personal Information may take some time to complete, consistent with applicable law. Please also note that the removal of any Personal Information will not necessarily result in the removal of records of past transactions or the deletion of information stored in our data archives. To the extent permitted by applicable law, we may in our reasonable discretion respond to a request to remove by converting the Personal Information into Aggregated Data, which is not subject to further requests for removal.
2. Access and Corrections. Cleo will, to the best of our ability and in accordance with applicable law, allow you to access and review the categories and specific pieces of Personal Information we have collected from you, the sources from which we have collected such Personal Information, the purposes for which we have used such Personal Information, and the types of third-parties to which we have disclosed such Personal Information for a purpose described under this Policy. We will also allow you to correct or add to your Personal Information held in our database. To make any such request, please contact us by email at [email protected]. We may ask you to provide a copy of your driver’s license or other identifying documents to assist us in processing your request.
3. Timeframe. Cleo will, to the best of our ability and in accordance with applicable law, confirm receipt of any request submitted under this Section 6 within ten (10) days of receipt of the request and respond to the request within forty-five (45) days. If a response requires additional time, we will notify you of the basis for the delay and may extend the timeframe for providing the response up to an additional forty-five (45) days.
4. Excessive  Requests. To the extent permitted by applicable law, if we reasonably determine that a request submitted under this Section 6 is manifestly unfounded or excessive, we may charge a reasonable fee for processing the request or may refuse to process the request.

7.   ​Additional Policies.

1. Security. To the extent required by applicable law, Cleo will utilize appropriate, commercially reasonable administrative, physical, and technical safeguards to protect Personal Information. The appropriate safeguards employed by us may vary depending on the nature of Personal Information collected, with more stringent measures applied to information of a sensitive nature. No Internet or software transmission is completely secure, and we cannot guarantee that security breaches will not occur. We are not responsible for the actions of hackers and other unauthorized third-parties that breach our reasonable safeguards. Additionally, you should be aware that certain Personal Information that you provide in connection with your use of the Services may remain stored on the device that you use to access the Services. You are solely responsible for maintaining the security of your device against unauthorized access. This Policy is not intended to confer, nor does it confer, any rights or remedies to users.
2. Third-Party Activity. The Services may contain links to other websites, cookies, or other materials from, or which may be operated by, third-party entities. The information practices and privacy policies of these third-party entities may be different than those of Cleo. We are not responsible for any actions or omissions by any such third-party entities. This Policy applies only to Personal Information collected by Cleo.
3. Data Retention. Unless you ask us to delete your Personal Information sooner, we will maintain it until such time that we determine, in our sole discretion, that (1) it is no
   longer necessary for any purpose for which Cleo may use it in accordance with this Policy; and (2) it may be destroyed or deleted in accordance with applicable law.
4. Do Not Track. “Do Not Track” (DNT) is a web browser setting that informs a website, mobile application, or other service that you do not wish to be tracked. The Company honors DNT signals and does not track, use cookies, or use advertising when a DNT setting or mechanism is in place. The Company does not enable third-parties to collect Personal Information from users through advertising or promotional materials or technology that the third-party deploys within the Services.
5. Amendments. Cleo will review this Policy from time to time and may modify or amend it as necessary to comply with applicable law. We may also update the Policy to reflect changes to our practices or for other operational reasons. If we make any material changes to how Personal Information is collected, used, disclosed, or transferred, we will notify you of these changes by modifying the version of this Policy that is available for your review on the Services. Accordingly, we encourage you to review this Policy from time to time. Notwithstanding any modifications we may make, all Personal Information will be treated in accordance with the version of the Policy that is/was in effect at the time the Personal Information was collected, unless we obtain your consent otherwise.
6. Accessibility. Any person with a disability that prevents or restricts them from accessing this Policy through Cleo’s website may request a copy in an alternative format by contacting us by email at [email protected].
7. Children. The Children’s Online Privacy Protection Act imposes certain requirements on website operators that have actual knowledge that they collect Personal Information from children. Cleo does not knowingly collect or maintain Personal Information from persons under 18 years of age, without explicit consent from an authorized person, such as a parent, guardian, or legal representative. While Cleo's Services are not directed toward children under 18, healthcare providers may utilize the Services in treating pediatric patients; provided that appropriate, verifiable consent has been obtained from a parent, guardian, or another individual legally authorized to provide such consent. If Cleo learns that Personal Information of persons under the age of 18 has been collected without verifiable parental consent, Cleo will delete the Personal Information.
8. Users from Outside the United States. Cleo and its servers are located and operate in the United States, subject to the applicable state and federal laws of the United States. Those who choose to access the Services do so on their own initiative and at their own risk, and are responsible for complying with all local laws, rules, and regulations. We may limit the Services’ availability, in whole or in part, to any person, geographic area or jurisdiction we choose, at any time and in our sole discretion. We do not represent or warrant that the Services, or any part thereof, is appropriate or available for use in any other jurisdiction. If you choose to access or use the Services, you consent to the use and disclosure of information in accordance with this Policy and subject to all applicable laws.
9. Contact. In the event you have any questions for us, wish to submit a complaint about how we have processed any Personal Information, or would like to contact us for any
   other reasons, please email [email protected]. We will deal with any complaints or requests as soon as possible, and without prejudice to you. In the event that you submit a complaint to us, you may of course also file any complaint with a relevant government agency in the state or jurisdiction in which you live or work.

8.   ​Notice for Residents of European Economic Area, United Kingdom, or Switzerland.

1. No Marketing to Such Residents. We do not market our services to residents of Europe, the United Kingdom (UK), or Switzerland, and are not subject to Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Information and free movement of Personal Information, known as the General Data Protection Regulation (“GDPR”). If you reside in the European Economic Area (“EEA”), UK, or Switzerland, please be aware that if you voluntarily provide us with any Personal Information, that information will be transferred from your location to data centers located in the United States for processing, and this transfer will be deemed to have been made with your consent.
2. Rights Honored. Although we are not subject to the GDPR, we will generally make commercially reasonable efforts to honor your data privacy rights upon request, subject to certain limitations. If you reside in the EEA, UK, or Switzerland, you have the rights, as applicable under the GDPR, to:

1.   ​Request an accounting of Personal Information that we possess that pertains to you in an electronically portable format.
2.   ​Request that we correct or update Personal Information that pertains to you.
3.   ​Request that we delete Personal Information that pertains to you.
4.   ​Fully or partially withdraw your consent to the collection, processing, and/or transfer of your Personal Information.

3. Requests and Complaints. Please contact us by email at [email protected] to request

(i) an accounting of your Personal Information; (ii) a correction or update to your Personal Information; (iii) the deletion of your Personal Information; or (iv) to withdraw your consent to the collection, processing, and/or transfer of your Personal Information, If we receive a deletion or withdrawal request, we will no longer process your Personal Information for the above purposes unless there are legitimate grounds for the processing that override your interests, rights, and freedoms, or unless we do so for the establishment, exercise, or defense of legal claims. If you believe we are unlawfully possessing your Personal Information, you have the right to complain to your local data protection supervisory authority. You can find contact details here: https://edpb.europa.eu/about-edpb/board/members_en.