Our Commitment to Your Privacy

General Use

This is the Cliniqon Privacy Policy. It specifies how Cliniqon will collect and process your Personal Data that we collect when you enter this website.

Definitions

• Personal Data

Information that identifies or can reasonably identify an individual.

• Process

Any operation performed on Personal Data, such as collection, storage, use, or disclosure.

• Purpose

To assess the use of our website, to contact you if you request it;

Your Personal Data

• Cliniqon collects the following categories of Personal Information, consistent with U.S. state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the CPRA: (Information You Provide Directly)

Contact / Inquiry Forms

When you fill out our contact or inquiry forms (including the Partner With Us page), we may collect:

• Name

• Email address

• Phone number

• Company name

• Preferred time and time zone

• Message content

• Any additional information you voluntarily provide

Careers Page Submissions

When you submit an application or inquiry through our Careers page, we may collect:

• Name

• Email address

• Phone number

• Qualifications

• Certificates or credentials

• Uploaded CV or résumé

• Any other files or information you choose to upload or provide

• Cliniqon is the controller and processor of your Personal Data.

• Cliniqon will retain your Personal Data in electronic form.

• Cliniqon may transfer your Personal Data out of your country of residence (including the European Economic Area) and/or disclose your Personal Data for the purpose under conditions of confidentiality and similar levels of security safeguards as in the country of your residence, to any one or more of the following parties:

• Cliniqon’s agents, contractors, third party providers and their sub-contractors that provide administrative, telecommunications, information technology to Cliniqon in any part of the world.

• Persons legally entitled to have your Personal Data.

• Our third-party service providers. They are required to comply with data protection laws and implement appropriate security measures to protect your Personal Data in compliance with our policies. We specify to our third-party service providers that they may not use your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes in accordance with our instructions and subject to a duty of confidentiality.

• If we transfer Personal Data outside the U.S., we ensure adequate protection through contractual clauses or other lawful mechanisms.

• We do not sell Personal Data. We share it only with service providers under strict contractual obligations and with entities legally entitled to receive it

• Cliniqon will retain your Personal Data for a period of two (2) years. If you object to such retention, we will delete your record immediately if there is no obligation or legal right to keep the records. In this regard, we may have the legal right to archive your Personal Data for a longer period (corresponding to the applicable local statute of limitation).

• In accordance with applicable data protection law and under certain circumstances, you have the right to access, rectify, delete, restrict Personal Data and a right to portability, a right to object to the processing of your data, where this processing is based on our legitimate interest, and a right to withdraw your consent. Where we rely on consent to process your Personal Data, you also have the right to withdraw your consent for processing for that purpose at any time. To do so, please contact the Data Protection Representative at dpr@cliniqon.com

• Cliniqon may decline to allow you to access, rectify or erase some or all your Personal Data under any of the following circumstances:

• Cliniqon has a legal obligation or the right to deny your request.

• The burden or expense of providing access would be unreasonable for Cliniqon.

• The request is trivial, frivolous or vexatious.

• The request is unfounded or excessive.

• The Personal Data does not exist or cannot be found.

• The Personal Data is subject to legal privilege.

• The Personal Data would reveal confidential commercial information that could harm the competitive position of Cliniqon.

• If the Personal Data was collected, used or disclosed for the purposes of a lawful investigation and the investigation and associated proceedings and appeals have not been completed.

• It could threaten the safety or physical or mental health of an individual.

• It could cause immediate or grave harm to an individual’s safety or physical or mental health.

• It could reveal the Personal Data of another individual.

• It could be contrary to the national interest of a friendly country.

Third Party Analytics & Advertising Technologies

Cliniqon does not use cookies or any browser stored identifiers. However, we do use limited third-party technologies, such as Google Analytics and LinkedIn Insight Tag, that operate through script-based data transmissions, not cookies.

These tools help us understand general website traffic patterns and measure the effectiveness of our business-to-business outreach. They are used only on nonclinical, non-authenticated, non-PHI webpages.

1. Information Collected by These Tools

Because these tools operate without cookies, they may still receive certain technical data your browser automatically sends, such as:

• Page URLs and time stamps

• Referrer information

• Device and browser information

• IP address

• High-level webpage interaction data

Google Analytics prohibits transmitting PHI and does not offer a HIPAA Business Associate Agreement (BAA). Therefore, we do not deploy Google Analytics on any page where PHI could be created or accessed.

LinkedIn Insight Tag similarly collects pseudonymized interaction data but does not operate as a HIPAA business associate.

2. HIPAA Compliance Restrictions

Under federal guidance, analytics and tracking technologies must not capture or disclose PHI unless a Business Associate Agreement is in place, which Google and LinkedIn do not provide. Accordingly:

• These tools are never used on patient portals

• Never used on appointment or intake forms

• Never used on symptom checkers

• Never used on any page that may involve PHI or imply a user’s healthcare intent

We configure our systems to prevent PHI from reaching third-party vendors.

3. Targeted Advertising & Legal Opt-out Rights

Some states consider the use of LinkedIn or Google Ads data to be “sharing” for cross context behavioral advertising (CCBA) under the California Privacy Rights Act (CPRA). CPRA requires a way for users to opt out of such “sharing.”

Even though we do not use cookies, the law still requires an opt out if any identifiers are used for targeted advertising purposes.

4. Opt-out Options for Google Analytics and LinkedIn

You may opt out of analytics and advertising functions associated with Google Analytics and LinkedIn Insight Tag through the following methods:

1. Google Analytics Opt-out Tools

Google provides tools that allow you to disable Analytics data collection in your browser:

• Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
  This addon prevents Google Analytics JavaScript (ga.js, analytics.js, and gtag.js) from sharing information with Google.

2. LinkedIn Advertising & Insight Tag Opt-out

LinkedIn allows users to control data used for advertising, including data collected from the Insight Tag:

• LinkedIn Ad Settings (Data for Ad Targeting): https://www.linkedin.com/psettings/advertising
  LinkedIn allows members to opt out of targeted advertising uses of off LinkedIn data.

5. No Cookies / No Local Storage

We do not:

• Set cookies (except session cookies used with Veeta)

• Use browser storage

• Use pixel-based identifiers that write data on your device

• Use session replay tools

• Sell personal data

6. Vendor Data Practices

For more information about these vendors:

• Google Analytics and HIPAA Restrictions: Google prohibits any PHI and does not sign BAAs.

• LinkedIn Insight Tag Data Practices: LinkedIn collects pseudonymized event data but does not share member identifiable information with us.

AI Chatbot (“Veeta”)

1. AI Chatbot (“Veeta”)

Cliniqon offers an AI-powered chatbot (“Veeta”) on our website to assist visitors with general inquiries about our services. The chatbot uses Microsoft Azure OpenAI Services, including the GPT4.1 Mini large language model and Retrieval Augmented Generation (RAG), to generate conversational responses.

2. Information the Chatbot Collects

When you use the chatbot, the following limited information is collected and processed:

2.1. IP Address (Region Only Use)

Your IP address is captured solely to determine your approximate geographic region (e.g., state or country).

This allows the system to provide region appropriate information (e.g., time zones, business hours).

We do not use your IP address to identify you personally.

2.2. Session Cookie (Temporary)

A browser session cookie is used to maintain the chat session as you navigate through the website. This cookie:

• Does not track you across websites

• Does not persist after your session ends

• Does not store personal identifiers

• Is used only for the functioning of the chatbot

2.3. Chat Messages

Any text you enter into Veeta is processed to generate responses.

Cliniqon does:

• Not use chat content to build user profiles

• Not share chat content with third parties except Microsoft (as our contracted service provider)

• Not use chat content for marketing, advertising, or data selling

Azure OpenAI does not use your data to train Microsoft's models.

3. Purpose of Processing

The chatbot collects limited data only to:

• Provide real-time assistance

• Maintain session continuity

• Improve accuracy and performance of the chatbot

• Ensure system security and prevent misuse

We do not use chatbot data for targeted advertising, analytics beyond operational metrics, or cross context behavioral profiling.

4. HIPAA and PHI Restrictions

The chatbot is deployed only on non-clinical, non-PHI webpages.

Visitors should not provide:

• Medical details

• Patient information

• Insurance numbers

• Any Protected Health Information (PHI)

If PHI is entered, the chatbot is configured to redirect you to appropriate contact channels.

5. Data Retention

• Session cookies expire automatically when the browser session ends.

• Chat logs may be retained for up to 30 days, strictly for system monitoring, debugging, and security.

• Logs are not used for marketing or model training.

• Any Protected Health Information (PHI)

6. Third-party Processing

The chatbot operates within Microsoft Azure, which processes data under strict contractual privacy and security obligations. Azure acts as a data processor and does not use chatbot data for independent purposes.

SMS Privacy Policy

Cliniqon LLC (“Company,” “we,” “our,” or “us”) is committed to maintaining the privacy and security of your Protected Health Information (“PHI”) and personal data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), applicable federal law, and all state regulations. This Privacy Policy explains how we collect, use, disclose, safeguard, and store your information—including mobile numbers used for SMS appointment reminders and care-related updates.

By using our website, services, or providing your information, you consent to this SMS Privacy Policy.

We use a HIPAA-compliant SMS service provider under a Business Associate Agreement to transmit messages securely. Whose role is as follows:

• Transmits SMS reminders to your mobile number

• Operates as a secure communication channel

• Does not use your information for their own marketing or promotional purposes

Clinqon LLC maintains full responsibility for how your information is collected and used.

Cliniqon LLC – SMS Terms & Conditions

By opting in to receive SMS text messages from Cliniqon LLC, you consent to the terms outlined below. All SMS communications are governed by HIPAA and TCPA regulations.

1. Role of Cliniqon and RingCentral

Cliniqon as Business Associate (BA)

Cliniqon processes PHI on behalf of healthcare providers. We do not originate patient communications without Client direction, and we do not determine the purposes for which patient mobile numbers are collected.

RingCentral as Subcontractor BA

Cliniqon uses RingCentral as a secure communications platform under a Business Associate Agreement (BAA). RingCentral:

• Transmits SMS securely on Cliniqon’s behalf

• Maintains safeguards under HIPAA

• Does not use patient data for marketing or independent purposes

2. Consent Responsibility (Covered Entities Collect Consent)

Cliniqon does not collect patient consent. Clients are responsible for obtaining all HIPAA, TCPA, and 10DLC/TCRcompliant consent prior to sending SMS through Cliniqon’s RingCentral platform.

By using our services, Clients represent and warrant that:

• Valid prior express consent has been obtained

• Patients understand SMS is not fully secure

• Clear optout instructions were provided

• All communications comply with HIPAA’s minimum necessary rule

• No marketing SMS will be sent unless legally authorized

Cliniqon relies entirely on Clients for patient consent compliance.

Clients must capture optin at the point of number collection with clear disclosures identifying: (i) the sender (Client brand), (ii) Program description, (iii) “Message and data rates may apply,” (iv) message frequency (e.g., “Message frequency varies”), and (v) “Text STOP to cancel; HELP for help.” Clients must display links to their Privacy Policy and these SMS Terms.

3. Types of SMS Messages Sent

Messages may include:

• Appointment reminders

• Scheduling confirmations

• Followup care

• Provider/office updates

• Billing or insurance notices

• Verification or operational messages (e.g., MFA codes)

Messages must be informational and healthcarerelated.

Marketing content is not permitted.

Each message must identify the Client’s brand (e.g., “Acme Clinic: ...”).

SHAFT (sex, hate, alcohol, firearms, tobacco, including CBD/THC) content and carrierprohibited categories are not allowed.

3A. 10DLC/TCR & TollFree Verification

Clients must use fully registered 10DLC campaigns and/or verified TollFree numbers. Clients must provide accurate brand details, sample messages, and optin flows, and maintain OptIn Logs. Cliniqon may request such documentation or suspend messaging if information is missing, inaccurate, or noncompliant.

4. Use and Disclosure of Mobile Numbers

Cliniqon:

• Processes numbers only under Client instruction

• Does not share numbers for marketing

• Does not use numbers for its own purposes

• Uses PHI only per HIPAA, Client BAA, and RingCentral BAA

5. How SMS Messages Are Transmitted

RingCentral:

• Operates under a HIPAA-compliant BAA

• Uses administrative, technical, and physical safeguards

• Logs delivery, timestamps, and metadata

• Supports automated STOP/HELP processing where available

Because SMS is not end-to-end encrypted, Clients must ensure patients understand and accept this before consenting.

Clients must advise patients that carriers/OS systems may access SMS content and instruct them not to transmit highly sensitive details via SMS.

6. Opt-Out Requirements

Patients may opt out by replying “STOP” or contacting their healthcare provider.

Cliniqon (via RingCentral) blocks further SMS to opted-out numbers.

Common variants such as “UNSUBSCRIBE,” “END,” “CANCEL,” and “QUIT” are also honored where supported.

Clients must propagate revocations across all their internal systems, campaigns, and numbers.

7. Help / Support Commands

• Reply “HELP” for assistance.

• For additional support, patients should contact their healthcare provider.

Cliniqon support:

• Email: dpr@cliniqon.com
• Phone: 1-800-826-2477

For PHI-related security/privacy incidents, Clients must notify Cliniqon promptly.

8. Messaging Disclosures

• Message and data rates may apply

• Message frequency may vary

• Patients may opt out anytime by replying STOP

• SMS is not fully secure

• Each message must identify the Client’s brand/practice

• Optin flows must display a Privacy Policy and SMS Terms link

• Marketing consent, when applicable, must state consent is not a condition of care/purchase

9. Data Retention

Cliniqon maintains:

• Message delivery logs

• Consent attestations provided by Clients

• Opt-out logs

Retention is six (6) years, or longer if required by law, contract, or carrier rules. Clients must maintain their own consent records for at least six (6) years.

10. Client Responsibilities

Clients must:

• Obtain valid consent compliant with HIPAA/TCPA

• Provide clear opt-out instructions

• Limit SMS content to healthcare-related purposes

• Not send marketing messages (unless legally compliant)

• Use only numbers with documented consent

• Maintain consent records

• Notify Cliniqon if consent is revoked

• Identify their brand in every message

• Maintain accurate 10DLC/TFN registrations

• Comply with CTIA/carrier rules and SHAFT restrictions

• Provide OptIn Logs when requested

10A. Quiet Hours & Jurisdictional Compliance

Clients are responsible for complying with federal and state “quiet hour” rules and mini-TCPA laws. Cliniqon may rate-limit or throttle messaging to reduce carrier filtering.

11. Changes to These SMS Terms

We may update these Terms to reflect changes in law, technology, or carrier requirements. Updates will be posted with the “Last Updated” date. Material changes will apply prospectively.

12. Enforcement, Suspension & Indemnity (New)

Cliniqon may suspend or terminate messaging that appears noncompliant with HIPAA, TCPA, CTIA/carrier rules, 10DLC/TCR/TFN requirements, or these Terms.

Clients shall indemnify and hold harmless Cliniqon and its subcontractors for any claims, penalties, carrier fees, or damages arising from Client noncompliance, including consent failures, HIPAA/TCPA violations, prohibited content, or failure to honor opt-outs.

Sections 2, 3A, 5, 6, 8, 9, 10, 10A, and 12 survive termination.

13. Binding Effect of Privacy and Compliance Obligations

By accessing or using any Cliniqon services, including SMS messaging services, communication tools, platforms, software, or integrations, Clients acknowledge and agree that their existing contractual privacy, security, and confidentiality obligations (including those arising under HIPAA, Business Associate Agreements, Service Agreements, or other applicable contracts with Cliniqon) extend to, and fully govern, their use of these services.

Accordingly, Clients expressly agree that they are legally bound by, and must comply with, this Privacy Policy and the SMS Terms & Conditions, which are hereby incorporated by reference into all applicable service agreements.

Clients further acknowledge that:

• Their duties under HIPAA, the TCPA, applicable state privacy laws, and professional regulations apply equally to all SMS communications and all personal or health information processed through Cliniqon’s systems;

• They are responsible for obtaining and maintaining all required patient consents and opt-ins;

• They must ensure that all PHI, personal information, and mobile numbers used within Cliniqon’s systems are collected, used, transmitted, and disclosed in full compliance with applicable law and contractual obligations;

• Any violation of these requirements constitutes a breach of their contractual privacy obligations.

14. Last Updated

This Privacy Policy and the SMS Terms & Conditions were last updated on February 17, 2026.