Notice of Privacy Practices

HIPAA Notice — 45 CFR § 164.520

Effective Date: May 4, 2026 · Last Reviewed: May 4, 2026

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

1. Introduction and Scope

Xelecta Inc. ("Xelecta," "we," "us," or "our") is committed to protecting the privacy and security of your health information. This Notice of Privacy Practices ("Notice") describes how we may use and disclose your Protected Health Information (PHI) and your rights regarding that information.

This Notice applies to the extent that Xelecta functions as a "covered entity" or "hybrid entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the regulations implemented thereunder (45 CFR Parts 160 and 164). Where Xelecta operates as a Business Associate of a covered entity, the relevant Business Associate Agreement governs our obligations.

We are required by law to: (a) maintain the privacy of your PHI; (b) provide you with this Notice of our legal duties and privacy practices with respect to PHI; (c) notify you in the event of a breach of your unsecured PHI; and (d) abide by the terms of the Notice currently in effect.

Important Scope Note: Not all health data collected by Xelecta necessarily constitutes PHI under HIPAA. Consumer wellness data generated by devices purchased directly by individuals for personal use may not be subject to HIPAA if Xelecta is not acting as a covered entity with respect to that data. Regardless, Xelecta applies HIPAA-equivalent privacy and security protections to all health information we process.

2. What is Protected Health Information (PHI)?

PHI is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA-covered entity. This includes information about your past, present, or future physical or mental health or condition; the provision of health care to you; or payment for health care.

Examples of PHI that Xelecta may hold include: continuous glucose monitoring readings linked to your identity, body composition measurements, heart-rate variability data, sleep architecture data, genomic variant information, wellness protocols generated for you, communications with your health architect, and any other health information you provide through the Platform.

HIPAA defines 18 categories of identifiers that, when combined with health information, create PHI: name, geographic data, dates (other than year), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number.

We apply de-identification standards consistent with the Expert Determination or Safe Harbor methods under 45 CFR § 164.514(b) before using health data for aggregate analytics or research.

3. How We Use and Disclose Your PHI

We use and disclose your PHI for the following primary purposes:

Treatment

We use your PHI to provide, coordinate, and manage your wellness protocol. For Longevity Suite subscribers, this includes sharing relevant PHI with your assigned health architect, who may review your CGM data, body composition trends, HRV, and sleep data to tailor your protocol. If you consent and authorize it, your health architect may share relevant data with healthcare professionals involved in your care.

Payment

We use your PHI to bill and collect payment for services. This includes processing credit card transactions, handling refunds, and addressing billing inquiries. We use Stripe as our payment processor; payment data shared with Stripe is governed by their Privacy Policy and a Business Associate Agreement where applicable.

Health Care Operations

We use your PHI to conduct quality assessments, improve our algorithms and protocols, conduct compliance reviews, train staff, and manage our business operations. These operational uses are permitted by HIPAA without your additional authorization.

Business Associates

We share your PHI with third-party service providers ("business associates") who perform services on our behalf — such as cloud hosting (AWS), payment processing (Stripe), and email delivery — under written Business Associate Agreements that require them to protect your PHI and prohibit unauthorized use.

4. Required Disclosures

We are required to disclose PHI in the following situations:

  • To You or Your Representative: You have a right to access your own PHI (subject to limited exceptions). We must provide it upon request.
  • To the Secretary of HHS: For purposes of investigating compliance with HIPAA, we must disclose PHI to the U.S. Department of Health and Human Services (HHS) when required.

5. Permitted Disclosures Without Your Authorization

HIPAA permits us to use or disclose your PHI without your prior written authorization in certain limited circumstances:

  • As Required by Law: When required by federal, state, or local law, including valid subpoenas, court orders, or legal process.
  • Public Health Activities: To public health authorities for the purpose of controlling disease, injury, or disability, as permitted by law.
  • Health Oversight Activities: To government agencies for oversight activities authorized by law, such as audits, investigations, and inspections.
  • Judicial and Administrative Proceedings: In response to a court order, subpoena, discovery request, or other lawful process, subject to reasonable precautions.
  • Law Enforcement: For limited law enforcement purposes, such as reporting certain crimes or identifying a suspect, as specifically permitted by HIPAA.
  • Serious Threats to Health or Safety: To prevent or lessen a serious and imminent threat to the health or safety of a person or the public, when consistent with applicable law and ethical standards.
  • Coroners, Medical Examiners, and Funeral Directors: As necessary to identify a deceased person or determine the cause of death.
  • Organ and Tissue Donation: To organ procurement organizations, as permitted by law.
  • Breach Notification: As required to notify affected individuals, HHS, and/or the media in the event of a breach of unsecured PHI.

We will use or disclose the minimum necessary PHI to accomplish the purpose of each permitted disclosure, consistent with the "minimum necessary" standard of 45 CFR § 164.514(d).

6. Uses and Disclosures Requiring Your Written Authorization

For uses and disclosures not described above, we will obtain your prior written authorization before using or disclosing your PHI. This includes:

  • Most marketing communications (with limited exceptions)
  • Sale of PHI (we do not sell PHI)
  • Psychotherapy notes (if applicable)
  • Use or disclosure of PHI for research purposes that are not covered by a waiver of authorization from an Institutional Review Board (IRB)
  • Any use or disclosure not otherwise permitted by HIPAA

You have the right to revoke any authorization you provide to us at any time, except to the extent that we have already taken action in reliance on it. To revoke an authorization, contact us at privacy@xelecta.com.

Special Protections for Genomic Data

Consistent with GINA and applicable state genetic privacy laws, we will not disclose your genetic information to health insurers, life insurers, employers, or other entities that could use it to discriminate against you, without your explicit written authorization. Genomic data carries heightened protections beyond standard PHI in our internal policies.

7. Your Rights Regarding Your PHI

You have the following rights regarding the PHI we hold about you. To exercise any of these rights, submit a written request to privacy@xelecta.com. We will respond within 30 days (with one 30-day extension available upon written notice).

Right to Access (45 CFR § 164.524)

You have the right to inspect and receive a copy of your PHI that we maintain in a Designated Record Set, with limited exceptions. We may charge a reasonable cost-based fee for copies. You may request your records in electronic format where we maintain them electronically.

Right to Amend (45 CFR § 164.526)

You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request if we believe the information is accurate and complete, or if it was not created by us. If we deny your request, you have the right to have a statement of disagreement included in your record.

Right to an Accounting of Disclosures (45 CFR § 164.528)

You have the right to request a list of certain disclosures of your PHI made by us during the six years prior to your request. This right does not apply to disclosures made for treatment, payment, health care operations, or certain other categories. We will provide the first accounting in any 12-month period free of charge; subsequent requests may incur a reasonable fee.

Right to Request Restrictions (45 CFR § 164.522)

You have the right to request that we restrict our use or disclosure of your PHI for treatment, payment, or health care operations. We are not required to agree to your request, except in one situation: if you request that we not disclose PHI to a health plan regarding an item or service for which you have paid out-of-pocket in full, and the disclosure is not required by law, we must comply. If we agree to a restriction, we are bound by it (with limited exceptions for emergencies).

Right to Confidential Communications (45 CFR § 164.522)

You have the right to request that we communicate with you about your PHI by alternative means or at alternative locations (e.g., a different email address or phone number). We will accommodate reasonable requests.

Right to a Copy of This Notice

You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive the Notice electronically. Contact privacy@xelecta.com to request a paper copy.

8. Our Duties and Commitments

Xelecta is required by law to:

  • Maintain the privacy of your PHI
  • Provide you with notice of our legal duties and privacy practices
  • Notify you following a breach of your unsecured PHI
  • Abide by the terms of the notice currently in effect
  • Not retaliate against you for exercising your rights

We will not condition the provision of services on whether you agree to use or disclose your PHI beyond what is necessary to provide the service.

Breach Notification: If we discover a breach of your unsecured PHI, we will notify you by written notice within 60 days of discovering the breach. The notification will describe what happened, what type of PHI was involved, what you should do to protect yourself, and what we are doing to investigate and mitigate the breach. We will also notify HHS and, where required, prominent media outlets in affected states.

Minimum Necessary: We make reasonable efforts to limit our use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose, consistent with 45 CFR § 164.502(b).

9. How to File a Complaint

If you believe we have violated your privacy rights or our obligations under HIPAA, you have the right to file a complaint. You will not be subject to retaliation for filing a complaint in good faith.

To file a complaint with Xelecta:

HIPAA Privacy Officer — Xelecta Inc.

privacy@xelecta.com

Subject line: "HIPAA Complaint"

We will acknowledge receipt within 5 business days and respond within 30 days.

To file a complaint with HHS:

U.S. Department of Health and Human Services

Office for Civil Rights (OCR)

200 Independence Avenue S.W.

Washington, D.C. 20201

https://www.hhs.gov/ocr/privacy

1-800-368-1019 (toll-free) · 1-800-537-7697 (TDD)

Complaints to HHS must be filed within 180 days of when you knew or should have known that the violation occurred. HHS may extend this deadline at its discretion.

10. Changes to This Notice

Xelecta reserves the right to change this Notice at any time. Changes to this Notice will apply to PHI we already have about you as well as any PHI we receive in the future. The revised Notice will be posted on our website and will be available to you upon request. Material changes will be communicated by email.

The effective date of the current version of this Notice is stated at the top. A current version of this Notice is always available on our website at xelecta.com/legal/hipaa.

11. Contact Information

For questions about this Notice or to exercise your rights, contact our HIPAA Privacy Officer:

HIPAA Privacy Officer

Xelecta Inc.

privacy@xelecta.com

Response time: within 30 days

For general privacy questions, see our Privacy Policy. For general terms of use, see our Terms of Service.

This Notice of Privacy Practices has been prepared in accordance with 45 CFR § 164.520 (HIPAA Privacy Rule) and the HITECH Act. It was last reviewed on May 4, 2026. This document is not legal advice. If you have questions about your specific rights, consult a licensed attorney or contact the HHS Office for Civil Rights.