Privacy Policy

Last updated: January 8, 2026

Your Privacy Matters: This policy explains how we collect, use, and protect your personal information in compliance with the Privacy Act 1988 and Australian Privacy Principles.

1. Introduction

CareScribe ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered documentation service for care providers.

BUSINESS INFORMATION

  • Business Name: CareScribe
  • Operated by: Bernard Adjei-Yeboah
  • ABN: 55 441 896 015
  • Business Type: Individual/Sole Trader
  • Location: New South Wales, Australia

By using CareScribe, you consent to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

This Privacy Policy complies with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and other applicable Australian privacy legislation.

2. Definitions

PERSONAL INFORMATION

Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.

SENSITIVE INFORMATION

A subset of personal information that includes health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, and biometric information.

HEALTH INFORMATION

Personal information about an individual's health, including information about health services provided.

SERVICE

The CareScribe AI-powered documentation platform, including websites, applications, and related services.

USER

Any person who accesses or uses the Service, including account holders and their authorised users.

PARTICIPANT

An individual receiving care services whose information may be entered into CareScribe by a User.

3. Information We Collect

3.1 Account Information

  • Full name
  • Email address
  • Password (encrypted using industry-standard hashing)
  • Organisation name (optional)
  • Phone number (optional)
  • Job title or role (optional)
  • Billing and payment information (processed by Stripe - we do not store full card details)

3.2 Participant Information

  • Participant names and identifiers
  • Participant reference numbers (if provided)
  • Date of birth
  • Contact information
  • Support needs and goals
  • Health-related information you input for documentation purposes
  • Notes, observations, and reports you create

3.3 Report Content

  • Voice recordings (temporarily processed for transcription, not stored)
  • Text input and conversation data
  • Generated reports and their content
  • Incident reports and behavioural observations
  • Progress notes and shift summaries

3.4 Usage and Technical Data

  • Device type, browser information, and operating system
  • IP address and approximate location (country/region)
  • Pages visited and features used
  • Report generation statistics and usage patterns
  • Login timestamps and session duration
  • Error logs and performance data
  • Cookies and similar tracking technologies

4. How We Use Your Information

We use the information we collect for the following purposes:

SERVICE DELIVERY

  • Provide, maintain, and improve the CareScribe Service
  • Process voice recordings into text (transcription)
  • Generate AI-powered reports based on your input
  • Manage your account and subscription
  • Process payments and manage billing

COMMUNICATION

  • Send service-related communications (account updates, security alerts)
  • Respond to your inquiries and support requests
  • Send product updates and announcements (with your consent)
  • Provide customer support

IMPROVEMENT AND ANALYTICS

  • Analyse usage patterns to improve our Service
  • Develop new features and functionality
  • Conduct research and analysis (using anonymised data)
  • Monitor and improve Service performance

LEGAL AND SECURITY

  • Detect, prevent, and address fraud or abuse
  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service
  • Protect the rights, property, and safety of CareScribe and users

5. Legal Basis for Processing

Under Australian privacy law, we collect and process personal information where we have a lawful basis to do so. Our legal bases include:

CONSENT

  • When you create an account, you consent to our collection and use of your information
  • You may withdraw consent at any time by deleting your account
  • Continued use of the Service after updates to this Policy constitutes consent

CONTRACT PERFORMANCE

  • Processing necessary to provide the Service you have requested
  • Managing your subscription and processing payments
  • Providing customer support

LEGAL OBLIGATIONS

  • Complying with Australian laws and regulations
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

LEGITIMATE INTERESTS

  • Improving and developing the Service
  • Ensuring security and preventing fraud
  • Analysing usage patterns (using aggregated data)

6. AI Processing and Third-Party Services

CareScribe uses artificial intelligence to transcribe voice recordings and generate reports. We want to be transparent about how this works:

VOICE TRANSCRIPTION

  • Voice recordings are processed using OpenAI's Whisper API for transcription
  • Audio data is transmitted securely over encrypted connections (HTTPS/TLS)
  • Recordings are processed in real-time and are NOT stored after transcription
  • OpenAI does not retain audio data after processing is complete

REPORT GENERATION

  • Text content is processed using AI language models (Claude by Anthropic or OpenAI GPT models)
  • These providers process data according to their enterprise privacy policies
  • We use enterprise-tier API services that contractually prohibit training on customer data
  • AI processing occurs in data centres with appropriate security certifications

IMPORTANT - DATA TRAINING PROHIBITION

  • Your participant information and reports are NEVER used to train AI models
  • We have enterprise agreements with AI providers that explicitly prohibit this
  • Your data remains confidential and is only used to provide the Service

THIRD-PARTY SERVICE PROVIDERS

  • Stripe: Payment processing (PCI-DSS compliant)
  • Supabase: Database hosting (SOC 2 Type II certified)
  • Vercel: Application hosting (SOC 2 Type II certified)
  • OpenAI/Anthropic: AI transcription and generation (enterprise agreements)

7. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

SERVICE PROVIDERS

We share information with trusted third-party service providers who assist in operating our Service:

  • Stripe: Payment processing
  • OpenAI/Anthropic: AI transcription and generation
  • Vercel: Application hosting
  • Supabase: Database and authentication

All providers are bound by contractual obligations to protect your data.

LEGAL REQUIREMENTS

We may disclose information if required by law or in response to valid legal requests, including:

  • Court orders or subpoenas
  • Government or regulatory requests
  • Law enforcement requests where we are legally compelled
  • Protection of our legal rights

BUSINESS TRANSFERS

If CareScribe is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

WITH YOUR CONSENT

We may share information with third parties when you explicitly consent to such sharing.

WE NEVER:

  • Sell your personal information to third parties
  • Share your data with advertisers
  • Use your participant data for marketing purposes
  • Share data with third parties for their own purposes

8. Data Security

We implement comprehensive security measures to protect your information:

TECHNICAL SECURITY

  • Encryption in transit: All data transmitted using HTTPS/TLS 1.2+
  • Encryption at rest: Data encrypted in databases using AES-256
  • Password security: Passwords hashed using bcrypt with salt
  • Secure authentication: JWT tokens, session management, and optional 2FA

INFRASTRUCTURE SECURITY

  • Hosted on SOC 2 Type II certified infrastructure
  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • DDoS protection and web application firewall

ACCESS CONTROLS

  • Row-level security (RLS) ensures users only access their own data
  • Role-based access control for team accounts
  • Principle of least privilege for system access
  • Employee access logged and monitored

INCIDENT RESPONSE

  • Documented security incident response procedures
  • Breach notification procedures in compliance with Australian law
  • Regular security training for personnel

YOUR RESPONSIBILITIES

While we implement strong security measures, you are responsible for:

  • Maintaining the confidentiality of your login credentials
  • Using strong, unique passwords
  • Logging out from shared devices
  • Reporting suspected security incidents promptly

LIMITATION

No method of transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

9. Data Retention

We retain your data according to the following principles:

ACCOUNT INFORMATION

  • Retained while your account is active
  • Deleted within 30 days of account deletion request
  • Billing records retained for 7 years (legal requirement)

REPORT HISTORY BY SUBSCRIPTION TIER

  • Free: 30 days report history
  • Starter: 3 months report history
  • Team: 12 months report history
  • Business: Unlimited history (until account deletion)

VOICE RECORDINGS

  • Processed in real-time for transcription
  • NOT stored after transcription is complete
  • Audio data is immediately deleted after processing

USAGE DATA

  • Aggregated analytics retained for up to 2 years
  • Individual usage logs retained for 90 days
  • Error logs retained for 30 days

LEGAL RETENTION

We may retain information longer if required for:

  • Legal proceedings or disputes
  • Compliance with legal obligations
  • Fraud prevention and security
  • Tax and accounting requirements

DELETION UPON REQUEST

  • You may request deletion of your data at any time
  • We will delete your data within 30 days of request
  • Some data may be retained as required by law

10. Your Rights Under Australian Privacy Law

Under the Privacy Act 1988 and Australian Privacy Principles, you have the following rights:

RIGHT TO ACCESS (APP 12)

  • Request a copy of the personal information we hold about you
  • We will respond within 30 days of your request
  • Access is provided free of charge in most circumstances

RIGHT TO CORRECTION (APP 13)

  • Request correction of inaccurate, incomplete, or out-of-date information
  • We will correct information within 30 days of your request
  • If we disagree with the correction, you may request we attach a statement

RIGHT TO KNOW (APP 1 & 5)

  • Know what personal information we collect and why
  • Know how we use and disclose your information
  • Access this Privacy Policy at any time

RIGHT TO COMPLAIN

  • Lodge a complaint with us about how we handle your information
  • If unsatisfied with our response, complain to the Office of the Australian Information Commissioner (OAIC)

RIGHT TO OPT-OUT

  • Opt out of marketing communications at any time
  • Manage your notification preferences in account settings
  • Request anonymisation of your data where possible

RIGHT TO DELETION

  • Request deletion of your account and personal information
  • We will delete your data within 30 days (except where retention is legally required)

EXERCISING YOUR RIGHTS

To exercise any of these rights, contact us at info@carescribe.com.au. We will verify your identity before processing requests.

11. Health and Sensitive Information

CareScribe may process health information and other sensitive information as part of providing our Service. We treat this information with additional care:

COLLECTION OF HEALTH INFORMATION

  • We only collect health information that you input into the Service
  • You are responsible for obtaining appropriate consent before entering participant health information
  • We collect health information solely to provide documentation services

USE OF HEALTH INFORMATION

  • Health information is used only to provide the Service (generating reports)
  • We do not use health information for marketing or other purposes
  • Health information is not shared with third parties except as necessary to provide the Service

PROTECTION OF HEALTH INFORMATION

  • Health information receives the same security protections as all data (encryption, access controls)
  • Access to health information is limited to what is necessary to provide the Service
  • We comply with all applicable Australian laws regarding health information

YOUR OBLIGATIONS

As a user of CareScribe, you have obligations when handling participant health information:

  • Ensure you have authority and consent to input health information
  • Comply with the Privacy Act 1988 and your organisation's privacy policies
  • Use CareScribe in accordance with your professional obligations
  • Maintain appropriate records of consent

SENSITIVE INFORMATION

We may collect other sensitive information (such as disability status) that you input. The same protections apply.

12. International Data Transfers

CareScribe's services use infrastructure and service providers located in various countries. Your information may be transferred to, stored, and processed in countries outside Australia:

TRANSFER DESTINATIONS

  • United States (AI processing via OpenAI/Anthropic, hosting via Vercel)
  • Other countries where our service providers maintain infrastructure

SAFEGUARDS

When transferring data internationally, we ensure appropriate safeguards:

  • Contractual protections with all service providers
  • Enterprise agreements that require equivalent privacy protections
  • Selection of providers with appropriate security certifications
  • Compliance with APP 8 (cross-border disclosure of personal information)

YOUR CONSENT

By using CareScribe, you consent to the transfer of your information to countries outside Australia. We will take reasonable steps to ensure your information is treated securely and in accordance with this Privacy Policy.

EU USERS

If you are accessing CareScribe from the European Union, please note that your data will be transferred to and processed in Australia and the United States. By using the Service, you consent to such transfers.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of our Service:

ESSENTIAL COOKIES

  • Required for the Service to function properly
  • Authentication and session management
  • Security features
  • Cannot be disabled

ANALYTICS COOKIES

  • Help us understand how you use the Service
  • Aggregate usage statistics (not personally identifiable)
  • Can be disabled in your browser settings

PREFERENCE COOKIES

  • Remember your settings and preferences
  • Improve your user experience
  • Optional

MANAGING COOKIES

  • Most browsers allow you to control cookies through settings
  • Blocking all cookies may affect Service functionality
  • Essential cookies cannot be disabled and are required for the Service

DO NOT TRACK

We currently do not respond to "Do Not Track" browser signals as there is no consistent industry standard for compliance.

14. Children's Privacy

CareScribe is designed for use by care providers and support workers who are adults. We do not knowingly collect personal information directly from children under 18.

ACCOUNT HOLDERS

  • Must be at least 18 years old
  • Must have legal capacity to enter into agreements

PARTICIPANT INFORMATION

  • Users may enter information about care participants, who may include children
  • Users are responsible for obtaining appropriate consent and authority
  • CareScribe does not directly collect information from children

PARENTAL CONCERNS

If you believe we have collected personal information from a child without appropriate consent, please contact us at info@carescribe.com.au. We will promptly investigate and delete such information.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

NOTIFICATION OF CHANGES

  • Material changes will be notified via email to your registered address
  • We will post prominent notice on our website
  • We will update the "Last Updated" date at the top of this page

REVIEW PERIOD

  • Material changes become effective 30 days after notification
  • Continued use of the Service after changes constitutes acceptance
  • If you disagree with changes, you must stop using the Service

VERSION HISTORY

We maintain a record of previous versions of this Privacy Policy. You may request access to previous versions by contacting us.

REGULAR REVIEW

We encourage you to review this Privacy Policy periodically to stay informed of how we protect your information.

16. Complaints and Disputes

We take privacy complaints seriously and will investigate and respond to any complaints about our handling of personal information.

MAKING A COMPLAINT

To make a complaint about our handling of your personal information:

  1. Contact us at info@carescribe.com.au with details of your complaint
  2. We will acknowledge your complaint within 7 business days
  3. We will investigate and provide a response within 30 days
  4. If additional time is needed, we will inform you

ESCALATION

If you are not satisfied with our response, you may escalate your complaint to:

OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER (OAIC)

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Email: enquiries@oaic.gov.au
  • Post: GPO Box 5218, Sydney NSW 2001

RESOLUTION

We are committed to resolving complaints fairly and promptly. Our goal is to address concerns to your satisfaction while complying with our legal obligations.

17. Contact Us

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us:

  • Business Name: CareScribe
  • Operated by: Bernard Adjei-Yeboah
  • ABN: 55 441 896 015
  • Business Type: Individual/Sole Trader
  • Privacy Officer Email: info@carescribe.com.au
  • Website: www.carescribe.com.au
  • Location: New South Wales, Australia

External Complaint Body:

If you are not satisfied with our response to a privacy complaint, you can contact the Office of the Australian Information Commissioner (OAIC):

Legal Notice

This Privacy Policy is governed by the laws of New South Wales, Australia. CareScribe is operated by Bernard Adjei-Yeboah (ABN: 55 441 896 015), an Australian sole trader. CareScribe is not affiliated with, endorsed by, or connected to the National Disability Insurance Scheme (NDIS), National Disability Insurance Agency (NDIA), or any Australian government department or agency. For questions or concerns about this Privacy Policy, please contact us at info@carescribe.com.au.