Introduction
This Privacy Policy (this "Policy") describes how CreoRx Solutions LLC, and other company names used by us and our affiliates (together, "CreoRx," "we," "us," or "our") handles and secures information we collect through our website www.creorx.com (the "CreoRx Website") and through registered users of the CreoRx Solutions portal (collectively, our "Services"). For purposes of this Policy, "you" or "User" means the individual user of our Services and/or visitors to the CreoRx Website.
Please also review the Service's End User License Agreement ("EULA") and Terms and Conditions, which govern your use of the Services and are available at www.creorx.com. By using our Services, you consent to this Policy, our EULA, and our Terms and Conditions.
This Policy applies to CreoRx's Sites and Services. It does not apply to personal data we process solely on behalf of our business customers as a service provider or business associate. For information on how our business customers process your data, please refer to their respective privacy policies.
If you do not agree to the terms of this Privacy Policy, please do not provide us with any personal information and do not use the Services.
Information We Collect
A. Personal Data You Provide Directly
Personal data is any information that relates to an identified or identifiable individual. We collect several types of personal data from and about users of our Services:
- Account Information. When you register for a CreoRx account, we collect your full name, email address, phone number, organization name, and account login credentials.
- Profile Information. You may choose to add information to your profile, such as a username and profile photo. Please do not upload information you would not want made public.
- Inquiry Information. When you contact our team via online form, we ask for your name, contact information, and other information about your interest in our Services.
- Billing and Payment Information. If you are a Subscriber, you will provide contact and financial information including order history and transaction records.
- Communications. When you communicate with us or other users through the Services, we collect information about those communications.
- Client Enrollment Data. When a law firm or case manager enrolls a client, we collect client personal information, case information, prescription requests, lien acknowledgments, and other intake data necessary to provide pharmacy benefit services.
B. Information from Third-Party Sources
We may combine personal data we receive from you with data from other sources, including public records, data providers, partners, service providers, business transaction partners, and referring parties such as law firms or medical providers.
C. Information Collected Automatically
Our Services use cookies, web beacons, server logs, and other tracking technologies ("Engagement Tools") to collect:
- Device and browser data: IP address, device type, operating system, browser type and version, language settings.
- Usage data: pages visited, links clicked, time spent on pages, search terms, referring URLs.
- Session and interaction data: how you navigate the portal, including client enrollments, approvals, and document access.
We may work with third-party analytics providers such as Google Analytics. To opt out, visit tools.google.com/dlpage/gaoptout.
Session Replay: We may use third-party session replay tools to capture user interactions in order to improve portal functionality. This data is used solely to improve our Services.
SMS/Text Messaging: Your SMS opt-in data and consent will not be shared with any third parties for their own purposes.
You may control Engagement Tools by modifying your browser settings. We honor opt-out preference signals such as the Global Privacy Control (GPC) where required by applicable law.
Categories of Personal Information We Collect
- Personal identifiers — name, phone, address, email, Social Security number, driver's license, date of birth.
- Case information — account numbers, law firm names, case identifiers.
- Demographic characteristics — gender and date of birth.
- Medical information — diagnoses, treatment information, prescription history, and pharmacy transaction data.
- Financial information — billing records, payment history, lien amounts, and settlement information.
- Internet and electronic network activity — browsing history on our Services, portal interactions.
- Professional information — law firm affiliation, bar number, and staff role designations.
- Any other information that identifies, relates to, describes, or could reasonably be linked directly or indirectly with you.
How We Use Your Information
We use personal and non-personal information to:
- Operate, maintain, and administer our Services, including client enrollments, pharmacy benefit card issuance, lien administration, and customer support;
- Respond to questions and communications;
- Provide administrative announcements about features, functionality, and terms;
- Safeguard our Services and respond to legal process;
- Detect security incidents and protect against fraudulent or illegal activity;
- Debug to identify and repair errors in existing functionality;
- Process transactions, verify customer information, and provide analytic services;
- Conduct internal research for technological development;
- Verify or maintain the quality and safety of our Services;
- Inform you about products, services, and events we offer, consistent with your communication preferences;
- Other legitimate business purposes permitted by law.
Consents and Authorizations
From time to time, we may request your consent in connection with the use or sharing of your information. Where you have opted in to uses or sharing not otherwise provided for in your User Agreement or this Policy, you will have the ability to withdraw your consent and opt out going forward. In that event, we will refrain from the consented use or sharing, but we may not be able to require removal of information already shared with third-party recipients.
Confidentiality of Health Information
Business Associate Obligations Under HIPAA
When we perform services on behalf of medical providers that require us to receive, use, disclose, or maintain individually identifiable health information protected by HIPAA, we are functioning as a "business associate." In those instances, we will protect the privacy and security of health information as set forth in the applicable Business Associate Agreement ("BAA") and as authorized by the patient.
Patient Rights Under HIPAA
Under HIPAA, patients have a right to access and request amendment of their individually identifiable health information. Such requests must be submitted directly to the health care provider. When acting as a business associate, we will work with health care providers to process patient requests for access, amendment, and accounting of disclosures.
Non-Business Associate Use of Health Information
We may also receive and use individually identifiable health information when we are not functioning as a business associate — for example, when you sign an authorization permitting use for purposes described in that authorization. In these instances, our use may be governed by applicable state medical privacy laws rather than HIPAA.
Use of Medical Information for Marketing
As described in our Terms and Conditions, patients may authorize the use of their medical information for marketing purposes limited to CreoRx's pharmacy lien services and related healthcare offerings. We will not sell, rent, or lease patient medical information to unaffiliated third parties for their independent marketing purposes. To revoke a marketing authorization, contact us at info@creorx.com. Revocation is effective prospectively only.
Your Privacy Rights and Choices
Depending on where you live, you may have the following rights under applicable data protection laws:
- Access — Know what personal data we have collected and access such data.
- Data Portability — Receive a copy of your personal data in a portable format.
- Deletion — Request deletion of your personal data, subject to certain exceptions.
- Correction — Correct inaccuracies in your personal data.
- Opt Out — Opt out of targeted advertising, sale or sharing of personal data, use of sensitive personal data, or profiling.
- Objection / Restriction — Object to or restrict our processing in certain circumstances.
- Withdraw Consent — Where we rely on your consent, you may withdraw it at any time.
- Lodge a Complaint — Lodge a complaint with a supervisory authority if you believe we have violated your rights.
To exercise any of these rights, contact us by phone at (877) 273-6791, email at info@creorx.com, or in writing at 871 Coronado Center Dr., Suite 200, Henderson, NV 89052. You may also exercise opt-out rights by broadcasting the Global Privacy Control (GPC) signal.
We must verify your identity before fulfilling requests. We will not discriminate against you for exercising any privacy right described in this Policy.
You may opt out of marketing emails via the unsubscribe link in such emails. Opting out does not affect transactional or account-related communications.
How Our Services Allow Users to Share Information
If you are a healthcare or healthcare-related service provider with a User Agreement with us, your contact and directory information may be listed in our professional directories.
Our Services facilitate communications between users, including appointment requests, case-related information, and prescription transmissions. This Policy covers only information you submit through our Services. Information exchanged outside our Services is not covered by this Policy.
Because our Services enable users to share information, take care in selecting with whom you share your records. We cannot take responsibility for the actions of other users or persons with whom you share your information.
Data Security
We deploy a wide range of technical, physical, and administrative safeguards, including SSL encryption and firewall protections, system alerts and information security technologies, secure facilities restricting physical and network access, and regular evaluation and enhancement of our IT systems.
No system can guarantee 100% security at all times. Accordingly, we cannot guarantee the security of information stored on or transmitted to or from our Services.
Data Breach Notification
In the event of a security breach involving your personal information, we will notify affected individuals in accordance with applicable federal and state breach notification laws, including Nevada's requirements under NRS 603A.220 and, to the extent applicable, the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Notification will be provided without unreasonable delay and within the timeframes required by applicable law.
Steps You Can Take to Protect Your Information
- Install and regularly update malware detection software;
- Use a firewall to prevent unauthorized access to your device;
- Promptly apply operating system and software security patches;
- Use a strong, unique password — do not share your password with others;
- On shared devices, close all programs and log out before leaving the device unattended;
- Avoid public wireless networks where possible; if you do use them, apply the most restrictive wireless settings;
- Be cautious with emails requesting personal information; look for the lock symbol in your browser's address bar before submitting information;
- Exercise care when participating in open communication platforms about what personal or health information you share.
Data Retention
We retain personal data as long as we are providing Services to you or our Subscribers, and after we stop providing Services we keep your data to comply with legal and reporting obligations.
Data Retention Schedule
- Electronic signature records, lien agreements, and letters of protection: minimum 7 years following last activity on the associated account or client record.
- Prescription records and pharmacy transaction data: retained for the period required by applicable state pharmacy board regulations and federal law, which may exceed 5 years.
- Individually identifiable health information: retained as required by HIPAA and applicable state medical records laws.
- Billing, invoicing, and financial records: minimum 7 years or as required by applicable tax and accounting regulations.
- All other personal information: 5 years following account deactivation, or longer as required by law.
Upon expiration of the applicable retention period, data will be securely destroyed or de-identified. To deactivate your account or request a data export, contact us at info@creorx.com, subject to applicable fees and legal restrictions.
We store non-personal information indefinitely, including de-identified health information, Engagement Data, and information shared on public forums or surveys.
California Privacy Rights
California Consumer Privacy Act (CCPA)
Under the CCPA, California residents have the right to: request disclosure of personal information we have collected; request deletion of personal information; request correction of inaccurate information; opt out of the sale or sharing of personal information; and not be discriminated against for exercising any CCPA rights.
To submit a CCPA request, contact us at www.creorx.com or info@creorx.com. We will ask you to verify your identity by confirming three of the following: name; telephone number; city and state; ZIP code; attorney name or law firm; or date of loss or procedure.
California "Shine the Light" Law
California residents may request information regarding third parties to whom CreoRx has disclosed personal information for those third parties' direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes. Questions may be directed to info@creorx.com.
California Consumer Complaint
California residents may report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs: 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.
Children Under 18
Our Site and Services are not intended for or designed to attract children under the age of 18, and we do not knowingly collect personal information from such children. If we learn that we have inadvertently obtained personal information from a child under the age of 18, we will delete that information as soon as practicable.
Our Services do allow users above the age of 18 — such as healthcare providers, parents, and legal guardians — to submit personal information about others, including minors. Such users assume full responsibility for their submission, use, and transmission of such information.
Third-Party Services and Links
This Policy applies only to our Site and Services. It does not apply to sites and services offered by third parties, including websites for which our Services may display links or advertisements. When you click on such links, you will be visiting websites operated by third parties with their own information collection practices. We do not control how any third party gathers or uses information, and we encourage you to review their privacy policies.
United States Only
Access to our Site and Services is administered in the United States and is intended for users in the United States. You may not use our Site and Services in any jurisdiction where doing so would be illegal or unlawful. If you are located outside of the United States, information you submit will be transferred to the United States. By using our Services, you consent to this transfer and to the processing of your personal information as described in this Policy.
Changes to This Policy
We continue to improve our Services, and some improvements may result in changes to this Policy. We will post such changes on this page. If the changes are significant, we will provide more prominent notice, which may include email notification. We encourage you to periodically reread this Policy.
Any changes to this Privacy Policy will go into effect as soon as they are posted to the Site. Your continued use of our Services following any change constitutes your agreement to the terms of the revised Policy.
How to Contact Us
Should you have any questions or complaints about the practices described in this Policy, please contact us: