Global Privacy Policy – Marea Software Inc.

4.1 Account and Profile Information (Controller)

• Customer name, authorized user names, email addresses, authentication credentials, and user roles.

4.2 Usage and Device Information (Controller)

• IP address, approximate location, browser details, device identifiers, pages visited, and performance logs generated through use of the Site or Services.

4.3 Patient Health Information and Clinical Data (Processor / Business Associate)

When Customers use the Services, they may submit Patient data to the platform, including PHI as defined under HIPAA (45 C.F.R. §160.103). Marea processes this data solely as a processor acting on Customer's instructions under the applicable BAA.

Customer is solely responsible for: (a) ensuring it has a valid legal basis under HIPAA and all Applicable Health Privacy Laws for submitting Patient data to the Services; (b) obtaining all required written Patient authorizations or consents before submission; and (c) providing Patients with all required notices of privacy practices. These obligations are set out in full in Section 5.9 of the Marea SaaS Terms.

Heightened Protection:Records relating to mental health, substance use disorder, and HIV/AIDS status are subject to heightened protection under CMIA §56.10(d), California Welfare and Institutions Code §5328, and 42 C.F.R. Part 2. Marea processes such records only pursuant to specific, valid written authorization provided by the Customer and never uses them for any secondary purpose.

4.4 Audio Recordings and Voice Data (Processor / Controller)

Where Customers use the AI Dental Receptionist or Scribe features, the Services may process audio of patient-provider interactions for the purpose of generating clinical documentation on the Customer's behalf. Marea does not store audio recordings; audio is processed in real time and is not retained after transcription is complete.

All-Party Consent (California / CIPA): Under Cal. Penal Code §632 and §632.7, all parties to a confidential communication must consent to recording. Customer is responsible for ensuring that all required consents are obtained from Patients prior to initiating any recording. Where Marea's system delivers an automated disclosure at the start of a call, this is a technical facilitation only; the legal obligation to obtain valid consent remains with Customer.

Biometric Identifiers:Where voice characteristics are processed for speaker identification or diarization, such data may constitute a biometric identifier under Illinois BIPA (740 ILCS 14/10) and Texas CUBI (Bus. and Com. Code §503.001). See Section 4.6 for applicable protections.

4.5 Health Data Under Washington My Health MY Data Act (MHMDA)

The Washington My Health MY Data Act (SB 1155, eff. March 31, 2024) applies to any entity that collects consumer health data from Washington State residents regardless of HIPAA coverage. To the extent Marea collects consumer health data from Washington residents directly (e.g., through AI agent interactions), Marea does so only with valid authorization. Customer is responsible for ensuring that Patient data submitted to the Services from Washington residents is collected and transmitted in compliance with MHMDA.

4.6 Biometric Data (BIPA / CUBI)

Where Marea's AI voice systems process voice characteristics for speaker identification or diarization, Marea maintains the following protections that apply directly to individuals regardless of the Customer intermediary:

• Written Policy: Marea maintains a written Biometric Data Retention and Destruction Policy, available upon request, specifying the purpose and duration of biometric data collection.
• Informed Written Consent (BIPA §15(b)): Biometric identifiers are not collected from Illinois residents without prior written informed consent specifying the purpose, length of term, and storage and use of the data. Customer is responsible for facilitating this consent for their Patients.
• No Profit from Biometric Data (BIPA §15(c)): Marea does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information.
• Destruction Schedule: Biometric data is destroyed when the initial purpose for collection has been satisfied, or within 3 years of the individual's last interaction with Marea, whichever comes first. Texas biometric identifiers are destroyed within a reasonable time not exceeding one year after the purpose is satisfied (CUBI).

4.7 Customer-Uploaded Data (Processor)

• Business workflow data, clinical records, intake forms, and other data uploaded by Customers through the platform.

4.8 Integration Data (Processor / Controller)

• Data pulled from third-party systems at Customer direction.
• Metadata logs and API operational information handled as Controller.

4.9 Cookies and Tracking Technologies / CalOPPA

Our Site does not use advertising cookies or behavioral tracking. We do not share personal information with third parties for cross-context behavioral advertising. Marea's Site does not respond to Do Not Track (DNT) signals at this time as no universal standard has been established (Cal. Bus. and Prof. Code §22575).

4.10 Contract and Marketing Information (Controller)

We collect personal information such as your name, email address, and phone number when you contact us or use the Services. Where required by Canadian law, we collect and process this information with your express or implied consent depending on the sensitivity of the information.

5.1 Service Provision and Operation

• Enable platform access, transcribe clinical interactions, generate scribe documentation, synchronize data, and provide Customer support.

5.2 AI-Powered Scribe and Automated Processing

Marea's Services involve automated processing of Patient data, including audio-to-text transcription and AI-generated clinical note drafting, strictly on Customer's behalf. Under Québec Law 25 (s. 12.1), where automated processing produces outputs that may directly affect individuals, Marea implements human review processes. Customers may contact us to request information about automated processing parameters.

5.3 Improving the Services

• Enhance platform functionality and test new features using de-identified or aggregated data only. Identifiable PHI or audio recordings are never used to train AI models without explicit written consent from Customer.

5.4 Security and Fraud Prevention

• Monitor suspicious activity, protect Customer accounts, and enforce the Marea SaaS Terms.

5.5 Communications and Marketing

We use Customer contact information to respond to inquiries, provide product updates and operational notices, and send communications about features or offerings that may be of interest. Where required by applicable law, we obtain your consent before sending marketing communications. For Customers in Canada, marketing communications are sent in accordance with CASL. You may opt out at any time via the unsubscribe mechanism or by contacting us.

6.1 HIPAA and HITECH

Where Marea processes PHI on behalf of Customers that are Covered Entities under HIPAA, Marea acts as a Business Associate as defined under 45 C.F.R. §160.103 and processes PHI only pursuant to a valid and fully executed Business Associate Agreement. HIPAA compliance does not independently satisfy obligations under applicable state medical privacy laws, including CMIA and the statutes identified in this Section 6.

6.2 Québec Law 25

• Express Consent: Required for PHI, audio recordings, biometric data, and automated decision-making that directly affects individuals.
• Implied Consent: May apply to routine non-sensitive administrative processing where the purpose is evident.
• Legal Obligation or Legitimate Interest: Where required by law or necessary for a legitimate purpose proportionate to privacy interests, with appropriate Privacy Impact Assessment (PIA) conducted.

6.3 PIPEDA

For Customers located in Canada outside Québec, processing is conducted in accordance with PIPEDA's consent and reasonableness requirements.

6.4 CMIA (California)

Processing of medical information for Customers serving California Patients is conducted pursuant to the patient-provider relationship and Marea's role as a CMIA-bound contractor (Cal. Civ. Code §56.10(c)). Disclosures outside that contracted function require valid written Patient authorization under §56.11, which Customer is responsible for obtaining.

6.5 CCPA / CPRA (California)

For Customer personal information that Marea processes as a controller, processing is conducted in accordance with the CCPA and CPRA. Marea does not sell personal information or use sensitive personal information for purposes beyond those permitted. For Patient data, Marea acts as a service provider under CCPA and processes such data only as directed by the Customer.

6.6 Washington MHMDA

For Washington residents, consumer health data is collected and processed only with valid authorization. No health data is sold or used for targeted advertising.

6.7 Illinois BIPA / Texas CUBI

Biometric data is collected only pursuant to the written informed consent and policy requirements of BIPA and CUBI respectively, as further described in Section 4.6.

8.1 Subprocessors

We use cloud hosting, analytics, monitoring, transcription infrastructure, and support vendors. All subprocessors are contractually required to meet equivalent privacy and security standards, including Law 25 processor obligations and, for PHI, HIPAA and CMIA confidentiality requirements.

8.2 Healthcare Provider Customers

PHI processed through the Services is disclosed only to the Customer that authorized the interaction, or as otherwise required by law. Disclosure outside the contracted service function requires valid Patient authorization, which Customer is responsible for obtaining. Marea does not independently disclose PHI to any third party outside its processing role.

8.3 Biometric Data (BIPA / CUBI)

Biometric identifiers and biometric information are not sold, leased, traded, or otherwise disclosed to any third party without informed written consent or unless required by a valid court order or law. Texas biometric identifiers are not sold under any circumstances (CUBI §503.001(b)).

8.4 Legal Compliance

We may disclose data to comply with laws, court orders, or regulatory requirements, or to protect rights and safety.

8.5 Business Transfers

In mergers or acquisitions, data may be transferred to the successor entity, subject to equivalent privacy protections and, where required, notice to affected Customers. Biometric data transferred in a business acquisition is governed by the acquiror's BIPA/CUBI compliance obligations.

8.6 Aggregated and De-Identified Data

We may use de-identified or aggregated data for benchmarking, analytics, or product development. De-identified data is processed in a manner that cannot reasonably be used to re-identify individuals. Biometric data is never included in de-identified datasets.

8.7 No Sale of Personal or Health Information

Marea does not sell personal information, medical information, consumer health data, or biometric data to any third party. This applies under CCPA/CPRA, CMIA, MHMDA, BIPA, and CUBI.

10.1 Security Measures

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information processed, including encryption in transit and at rest, access controls, audit logging, and regular security assessments. Enhanced security measures apply to Services infrastructure given the sensitivity of PHI, audio recordings, and biometric data.

10.2 Breach Notification

Québec (Law 25, s. 63.3–63.10): In the event of a confidentiality incident presenting a risk of serious injury, Marea will notify the Commission d'accès à l'information (CAI) and will maintain a Confidentiality Incident Register.

HIPAA / California (CMIA §56.36 / CCPA): In the event of a breach of unsecured PHI or medical information, Marea will notify the affected Customer without undue delay in accordance with the applicable BAA and HIPAA breach notification requirements (45 C.F.R. Part 164, Subpart D). Customer, as the Covered Entity, remains responsible for notifying affected Patients and, where required, the relevant regulatory authorities. Where Marea processes medical information as a direct CMIA-bound contractor independent of a Customer relationship, Marea will provide notice directly to affected California individuals as required by law.

Washington (MHMDA): Unauthorized acquisition of consumer health data will be notified to the affected Customer and, where required, to the Washington Attorney General.

Illinois (BIPA): Unauthorized acquisition of biometric data will be treated as a reportable security breach under the Illinois Personal Information Protection Act (815 ILCS 530) in addition to BIPA obligations.