NOTICE OF PRIVACY PRACTICES

Version 2026.2

IMPORTANT NOTICE TO PATIENTS: This Notice describes how medical and dental information about you may be used and disclosed, and how you can get access to this information. Please review it carefully. This Notice is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and applicable federal and state law.

I. WHO WE ARE — PLATFORM IDENTITY & ROLE CLARIFICATION

Dentulu Inc. (“Dentulu,” “we,” “us,” or “our”) is a national technology platform and healthcare marketplace facilitator providing teledentistry, dental marketplace, remote-care, AI-enabled oral health, medical-dental integration, and care-coordination services. Dentulu operates as a HIPAA Covered Entity and, where applicable, as a Business Associate.

PLATFORM NATURE DISCLOSURE — PLEASE READ CAREFULLY: Dentulu is a technology platform and marketplace that facilitates connections between patients and independently licensed dental and medical providers. DENTULU IS NOT A DENTAL OR MEDICAL PRACTICE. Dentulu does not itself render clinical diagnoses, treatment, or professional dental or medical opinions. Where Dentulu facilitates access to licensed providers through its teledentistry platform or dental marketplace, those providers render clinical services in their independent professional capacities and are solely responsible for their own clinical judgments, diagnoses, treatment plans, and professional conduct. Dentulu’s role is that of a technology facilitator and care-coordination platform, not a treating provider, except in the limited circumstances where Dentulu directly employs licensed clinicians in specific jurisdictions.

A. Independent Contractor Provider Relationships

The licensed dentists, dental hygienists, dental specialists, physicians, nurse practitioners, physician assistants, and other licensed healthcare professionals available through the Dentulu platform (“Network Providers”) are, unless otherwise expressly stated, independent contractors and not employees, agents, partners, or joint venturers of Dentulu. Specifically:

  • Network Providers operate under their own professional licenses, state board authorities, and clinical practice standards;
  • Network Providers exercise independent professional judgment in rendering clinical services and are solely responsible for their clinical decisions, diagnoses, prescriptions, treatment plans, and all clinical outcomes;
  • Dentulu does not direct, supervise, or control the clinical judgment or professional practice of Network Providers;
  • The patient-provider relationship is formed directly between the patient and the treating Network Provider, not with Dentulu;
  • Dentulu is not responsible for the clinical acts, errors, omissions, malpractice, negligence, or professional misconduct of any Network Provider;
  • Network Providers carry their own professional liability (malpractice) insurance and are credentialed in accordance with applicable state licensure requirements;
  • The mere fact that Dentulu facilitates a patient’s connection to a Network Provider does not create an employment relationship, agency, or vicarious liability for that provider’s clinical conduct.

Nothing in this Notice or in Dentulu’s platform operations creates a duty of care by Dentulu with respect to the clinical services rendered by independent Network Providers. Patients seeking to assert clinical malpractice claims must do so against the treating provider and/or their professional liability insurer. In jurisdictions where Dentulu directly employs or contracts clinicians, Dentulu acts solely through such licensed professionals and only to the extent required by applicable law, and not as a general provider of care.

B. Dentulu’s Operational Role

Within the scope of its platform operations, Dentulu does:

  • Maintain a HIPAA-compliant infrastructure for the secure transmission and storage of PHI;
  • Facilitate scheduling, communication, billing, and care coordination between patients and providers;
  • Provide technology tools including AI-assisted triage, oral health screening, and clinical decision support for use by licensed providers;
  • Operate as a Business Associate where it receives, transmits, or maintains PHI on behalf of covered entity providers; and
  • Coordinate care navigation and administrative support services.

Privacy Officer: Chief Privacy Officer, Dentulu Inc.
Contact Email: support@dentulu.com
Legal Inquiries: legal@dentulu.com
Phone: 888-905-0226
Address: 2002 South Hoover Street, Los Angeles, CA 90007
Website: www.dentulu.com/privacypractices
Effective Date: January 1, 2026
Version: 2026.2

II. OUR DUTIES AND COMMITMENT

We are required by law to:

  • Maintain the privacy and security of your PHI;
  • Provide you with this Notice of our legal duties and privacy practices;
  • Notify you following a breach of your unsecured PHI;
  • Abide by the terms of this Notice currently in effect; and
  • Not use or disclose PHI in a manner inconsistent with this Notice.

We reserve the right to change this Notice at any time, including making revised terms effective for PHI already on file. The current Notice is always posted at www.dentulu.com/privacypractices.

III. PROTECTED HEALTH INFORMATION — WHAT WE COLLECT

“Protected Health Information” (PHI) includes individually identifiable information relating to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for healthcare, in any form — oral, written, or electronic (“ePHI”). Dentulu may collect, create, maintain, and use PHI including but not limited to:

  • Personal identifiers (name, date of birth, address, Social Security Number, government ID numbers);
  • Contact information (phone, email, IP addresses, device identifiers);
  • Dental and oral health history, diagnoses, treatment plans, clinical notes, X-rays, photographs, intraoral scan data, and imaging records;
  • Medical history, medications, allergies, vitals, and co-morbidities relevant to dental or medical-dental integration care;
  • Insurance, benefits, claims, billing, and financial records;
  • Teledentistry session recordings, transcripts, and AI-generated triage notes;
  • Prescription and pharmacy records;
  • Laboratory, pathology, and imaging results;
  • Patient portal messages, appointment records, and communications;
  • Device and platform usage data where associated with your identity; and
  • Any other information used or disclosed in connection with your care.

IV. HOW WE MAY USE AND DISCLOSE YOUR PHI

Federal law permits us to use and disclose your PHI for the following purposes without your written authorization. We apply the minimum necessary standard to all such uses and disclosures.

A. Treatment

We may use and disclose your PHI to provide, coordinate, and manage your dental and oral health care and related services, including:

  • Synchronous and asynchronous teledentistry consultations with licensed Network Providers;
  • Care coordination and referrals among network providers, dental offices, specialty clinics, imaging centers, laboratories, pharmacies, and physician networks;
  • AI-assisted clinical decision support and symptom triage for use by licensed providers;
  • Remote monitoring, medical-dental integration, emergency treatment coordination, peer review, and specialist consultations.

B. Payment

We may use and disclose your PHI to obtain payment for treatment and services, including billing insurers, verifying eligibility, obtaining prior authorizations, processing appeals, revenue cycle management, collections, and payer audits.

C. Healthcare Operations

We may use and disclose your PHI for general healthcare operations, including quality assurance, credentialing, utilization management, accreditation, training programs, legal and audit services, fraud detection and prevention, platform development and testing, care coordination, customer service, due diligence in mergers and acquisitions, and other operational functions necessary to run Dentulu.

V. OTHER PERMITTED USES AND DISCLOSURES WITHOUT AUTHORIZATION

Federal law also permits or requires the following uses and disclosures without written authorization:

A. Required by Law

Disclosure is made when required by federal, state, or local law, court orders, or administrative orders.

B. Public Health Activities

Disclosures to public health authorities for disease control, injury reporting, adverse event reporting, and risk notification.

C. Health Oversight Activities

Disclosures to government agencies for audits, investigations, inspections, and licensure proceedings.

D. Judicial and Administrative Proceedings

Disclosures in response to court orders, subpoenas, discovery requests, or other lawful legal process.

E. Law Enforcement

Disclosures to law enforcement officials as permitted or required by law.

F. Serious Threats to Health or Safety

Use or disclosure to prevent or lessen a serious and imminent threat to health or safety.

G. Workers’ Compensation

Disclosures as required to comply with workers’ compensation or similar programs.

H. Research

Use or disclosure for research approved by an IRB or Privacy Board, or where appropriate waivers have been obtained, or where de-identified as required by HIPAA.

I. Fundraising

We may contact you using limited PHI for fundraising. You have the right to opt out at any time by emailing support@dentulu.com.

J. Health Information Exchanges

We may participate in health information exchanges (HIEs) for treatment purposes, subject to your opt-out rights where applicable.

K. Business Associates

We may share your PHI with Business Associates who perform services on our behalf. All Business Associates execute HIPAA-compliant Business Associate Agreements (BAAs). See also Section VI.

VI. THIRD-PARTY SHARING — PLATFORM ECOSYSTEM & LIABILITY FRAMEWORK

Dentulu operates within a broad multi-party healthcare technology ecosystem. The following describes categories of third parties with whom PHI may be shared, together with the applicable liability framework.

A. Third-Party Sharing Categories

Dentulu may share your PHI, to the extent permitted by HIPAA, with:

  • Licensed Dentists, Dental Specialists, Hygienists, and Oral Surgeons in the Dentulu provider network;
  • Dental Offices, Group Practices, and Dental Service Organizations (DSOs);
  • Dental Laboratories for prosthetics, orthodontic appliances, and dental devices;
  • Pharmacies and Pharmacy Benefit Managers (PBMs) for prescription fulfillment;
  • Dental and Medical Imaging Centers for diagnostic imaging and radiology;
  • Medical Physicians, NPs, PAs, and licensed medical providers for medical-dental integration;
  • Hospitals, Health Systems, and Emergency Care Facilities for referrals and integrated care;
  • Medical Billing Companies and Revenue Cycle Management (RCM) vendors;
  • Health Insurers, Dental Insurers, Managed Care Organizations, and Government Payers (Medicare, Medicaid, CHIP);
  • Care Coordinators, Patient Navigators, and Case Managers;
  • Technology Vendors providing EHR, practice management, scheduling, and telehealth platform services;
  • API Partners and Software Vendors for platform interoperability;
  • Cloud Computing and Data Storage Providers;
  • Security, Compliance, and Audit Vendors;
  • AI/Machine Learning Vendors operating as Business Associates under BAAs;
  • Subcontractors operating under a Business Associate Agreement; and
  • Any entity with which Dentulu maintains a current, valid Business Associate Agreement.

B. Third-Party Liability Limitation

THIRD-PARTY INDEPENDENCE NOTICE: Each third party in the Dentulu ecosystem — including Network Providers, dental offices, imaging centers, pharmacies, laboratories, billing companies, technology vendors, AI vendors, API partners, and subcontractors — operates as an independent entity subject to its own legal obligations, professional standards, licensure requirements, and contractual agreements. DENTULU IS NOT RESPONSIBLE FOR THE ACTS, OMISSIONS, ERRORS, SECURITY PRACTICES, PRIVACY PRACTICES, OR COMPLIANCE FAILURES OF ANY THIRD PARTY, except to the extent expressly required by HIPAA’s Business Associate provisions. Each third party is independently responsible for its own compliance with applicable law.

Specifically:

  • Once PHI is disclosed to a Network Provider for treatment purposes as permitted by HIPAA, that provider is solely responsible for its own handling and protection of that PHI;
  • Dentulu’s execution of a BAA with a Business Associate creates contractual obligations between those parties but does not make Dentulu liable for a Business Associate’s independent acts or failures in the absence of Dentulu’s own negligence;
  • Third-party vendors, technology providers, and API partners are each independently responsible for their own security and privacy controls, subject to their BAAs with Dentulu;
  • Dentulu does not warrant or guarantee the security, privacy, or compliance posture of any third-party system, platform, or service; and
  • Dentulu does not sell your PHI. We do not share PHI with advertisers, data brokers, or marketing companies in ways that constitute a sale of PHI under HIPAA or applicable state law.

VII. AI, AUTOMATION, AND DATA ANALYTICS — RISK ALLOCATION & DISCLOSURES

Dentulu is a technology-forward healthcare platform that uses artificial intelligence (AI), machine learning (ML), natural language processing (NLP), automation, and advanced data analytics to support clinical operations and improve platform performance.

A. AI-Supported Clinical Functions

Dentulu may use AI-powered tools to support the following clinical-adjacent functions:

  • Symptom triage and pre-visit intake processing for routing patients to appropriate providers;
  • AI-assisted oral health screening, dental image analysis, and risk scoring for review by licensed providers;
  • Clinical decision support tools that surface relevant clinical flags for licensed provider review;
  • Care-gap identification and preventive care reminders;
  • Risk stratification for chronic disease management and population health programs;
  • AI-assisted documentation, clinical note summarization, and coding support; and
  • Predictive analytics for care coordination and patient engagement workflows.

CRITICAL AI DISCLOSURE — NO CLINICAL WARRANTIES: ALL AI TOOLS AND AUTOMATED SYSTEMS ON THE DENTULU PLATFORM ARE CLINICAL DECISION-SUPPORT TOOLS ONLY. DENTULU MAKES NO WARRANTIES, EXPRESS OR IMPLIED, REGARDING THE ACCURACY, COMPLETENESS, RELIABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR CLINICAL APPROPRIATENESS OF ANY AI OUTPUT, RECOMMENDATION, SCORE, FLAG, ANALYSIS, OR AUTOMATED RESULT. AI OUTPUTS MAY CONTAIN ERRORS, OMISSIONS, INACCURACIES, OR CLINICALLY INCORRECT INFORMATION. DENTULU EXPRESSLY DISCLAIMS ALL WARRANTIES WITH RESPECT TO AI-GENERATED CONTENT TO THE FULLEST EXTENT PERMITTED BY LAW.

B. Clinical Judgment — Provider Responsibility

The following principles govern the role of AI within Dentulu’s clinical operations:

  • AI tools are designed exclusively to assist — and under no circumstances replace — the independent, licensed clinical judgment of dental and medical professionals;
  • All clinical diagnoses, treatment decisions, treatment plans, prescriptions, and recommendations are made solely by the treating licensed Network Provider, not by any AI system or automated process;
  • Network Providers are independently responsible for reviewing, validating, accepting, modifying, or rejecting any AI-generated output, flag, or recommendation before acting upon it;
  • A Network Provider’s reliance on, or failure to review, AI-generated outputs is within the sole professional responsibility of that provider and does not create liability for Dentulu;
  • Dentulu does not guarantee that AI tools will be available, error-free, or uninterrupted at any given time; and
  • Dentulu is not liable for clinical decisions made by Network Providers that were informed by, or contrary to, AI-generated clinical decision support.

C. AI Output Limitations — Patient Acknowledgment

Patients using the Dentulu platform are advised that:

  • AI-powered triage, screening, and symptom assessment tools are not diagnostic tools and do not constitute a medical or dental diagnosis;
  • AI-generated results, scores, and assessments are preliminary, informational, and subject to review and validation by a licensed provider;
  • AI tools may produce false positives, false negatives, or inaccurate results due to limitations in training data, image quality, input data quality, or other technical factors;
  • Patients should not rely solely on AI-generated outputs to make healthcare decisions and should always seek the advice of a qualified licensed dental or medical professional; and
  • Emergency dental or medical conditions should always be evaluated in person or at an emergency facility, and AI triage results should never substitute for emergency care.

D. HIPAA-Compliant AI Infrastructure

To the extent PHI is processed by AI or automated systems, Dentulu ensures:

  • All AI vendors with access to PHI operate under current, valid Business Associate Agreements;
  • PHI in AI systems is subject to the same access controls, encryption, audit logging, and minimum-necessary safeguards as other PHI within Dentulu’s infrastructure;
  • AI model inference and training on identifiable PHI requires authorization where mandated by HIPAA or applicable state law (see Addendum B); and
  • De-identified data used in AI model training is de-identified in compliance with HIPAA’s Safe Harbor or Expert Determination methods (45 C.F.R. § 164.514(b)).

E. Limitation of Liability — AI Systems

TO THE MAXIMUM EXTENT PERMITTED BY LAW, DENTULU SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING FROM: (i) THE USE OF OR RELIANCE ON ANY AI-GENERATED OUTPUT, RECOMMENDATION, SCORE, OR ANALYSIS; (ii) ERRORS, OMISSIONS, OR INACCURACIES IN ANY AI OR AUTOMATED SYSTEM OUTPUT; (iii) FAILURE, UNAVAILABILITY, OR INTERRUPTION OF ANY AI OR AUTOMATED SYSTEM; OR (iv) ANY CLINICAL DECISION MADE BY A NETWORK PROVIDER IN RELIANCE ON OR CONTRARY TO AI-GENERATED OUTPUTS. This limitation applies regardless of the theory of liability (contract, tort, strict liability, or otherwise) and even if Dentulu has been advised of the possibility of such damages.

VIII. DE-IDENTIFIED, AGGREGATED & DERIVED DATA — DATA RIGHTS

Dentulu may create, generate, or derive data from your PHI by removing or altering identifying information in accordance with HIPAA’s Expert Determination (45 C.F.R. § 164.514(b)(1)) or Safe Harbor (45 C.F.R. § 164.514(b)(2)) de-identification standards. Once properly de-identified in compliance with these standards, information is no longer PHI and is not subject to HIPAA’s restrictions.

A. Dentulu’s Data Rights — Scope, Duration & Commercialization

With respect to properly de-identified, aggregated, anonymized, pseudonymized, statistical, derivative, or non-PHI data (collectively, “Derived Data”), Dentulu claims and retains the following rights, which are perpetual, irrevocable, worldwide, royalty-free, fully paid-up, sublicensable, and transferable:

  • The exclusive right to use, reproduce, process, adapt, modify, publish, transmit, distribute, perform, display, and otherwise exploit Derived Data for any lawful purpose;
  • The right to develop, train, validate, test, improve, and commercialize artificial intelligence models, machine learning algorithms, predictive analytics engines, clinical benchmarking systems, and related technologies using Derived Data;
  • The right to create, own, license, sublicense, sell, transfer, or otherwise commercialize derivative works, statistical outputs, population health analytics, clinical insights, industry benchmarks, and aggregated reports based on Derived Data;
  • The right to retain Derived Data indefinitely as a proprietary business asset of Dentulu Inc. without limitation of time or use;
  • The right to share Derived Data with research institutions, public health agencies, industry partners, investors, acquirers, and successors without restriction; and
  • The right to include Derived Data in Dentulu’s intellectual property portfolio, assign or license such rights, and include them in any sale, merger, or acquisition of Dentulu or any of its business units.

B. No Compensation Owed

Patients are not entitled to, and Dentulu shall not owe, any compensation, royalty, revenue share, or other remuneration in connection with Dentulu’s use of Derived Data for any purpose, including without limitation AI model development, commercial licensing, or sale of analytics products. Dentulu’s rights to Derived Data are acquired as a result of patients’ use of the Dentulu platform and provision of services, and no additional consideration is owed beyond the healthcare services rendered.

C. Ownership of Platform-Generated Data

Dentulu owns all platform-generated data, including metadata, usage logs, platform interaction data, session data, aggregate clinical quality metrics, and any other data that does not constitute PHI or is properly de-identified. Nothing in HIPAA limits Dentulu’s right to use such non-PHI platform data.

D. PHI Ownership Clarification

IMPORTANT CLARIFICATION: Dentulu does not claim ownership of your identifiable PHI beyond the use and disclosure rights expressly permitted by HIPAA. Your PHI remains subject to your patient rights as described in Section IX of this Notice. The broad data rights described in Sections VIII(A)–(C) apply exclusively to properly de-identified, aggregated, or non-PHI data, not to your identifiable PHI.

E. Survival

The rights granted in this Section VIII shall survive the termination of any patient relationship, account closure, deletion of a patient account, or revocation of any consent or authorization.

IX. YOUR RIGHTS REGARDING YOUR PHI

PATIENT RIGHTS — FULLY PRESERVED: The patient rights in this Section are required by federal HIPAA law and are not modified, limited, or waived by any other provision of this Notice or any companion document. These rights may not be contractually limited except as expressly permitted by HIPAA. To exercise any right, submit a written request to support@dentulu.com.

A. Right to Access and Inspect Your PHI

You have the right to inspect and obtain a copy of PHI about you in your Designated Record Set (DRS). We will provide access in the form and format requested where readily producible, including electronic format. We may charge a reasonable, cost-based fee. We must respond within 30 days (with a possible 30-day extension). Access may be denied only in circumstances permitted by HIPAA, with appeal rights provided.

B. Right to Amend Your PHI

You have the right to request amendment of PHI in your DRS if inaccurate or incomplete. If we deny, you may submit a statement of disagreement to be included in your record.

C. Right to an Accounting of Disclosures

You have the right to an accounting of disclosures of your PHI made in the six years prior to your request, excluding disclosures for treatment, payment, healthcare operations, and certain other categories. Your first accounting per 12-month period is free.

D. Right to Request Restrictions

You have the right to request restrictions on use or disclosure of your PHI. We are required to agree only when: (1) the disclosure is to a health plan for payment or operations purposes; (2) the PHI pertains solely to a service you paid for entirely out of pocket; and (3) you have requested the restriction.

E. Right to Confidential Communications

You have the right to request we communicate with you in a specific way or at a specific location. We will accommodate reasonable requests.

F. Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice at any time upon request. Contact support@dentulu.com.

G. Right to Breach Notification

You have the right to notification in the event of a breach of your unsecured PHI, within 60 days of discovery, including details of the breach, types of PHI involved, protective steps, our remediation efforts, and contact information.

H. Right to Opt Out of Fundraising

You have the right to opt out of fundraising communications. Email support@dentulu.com to opt out.

I. Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with Dentulu’s Privacy Officer at support@dentulu.com, or with the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) at www.hhs.gov/ocr, 1-800-368-1019, or 200 Independence Ave. S.W., Washington, D.C. 20201. We will not retaliate against you for filing a complaint.

ANTI-RETALIATION ASSURANCE: Dentulu will not retaliate against any patient for exercising their rights under HIPAA or applicable law, including the right to file a complaint with HHS Office for Civil Rights. This assurance is irrevocable and not subject to the arbitration clause in Section XV.

XIII. MULTI-STATE OPERATIONS & SUBCONTRACTED PROVIDER NETWORKS

A. Cross-State Care Disclosures

Dentulu operates as a national teledentistry and healthcare marketplace platform serving patients and providers across all fifty (50) U.S. states, the District of Columbia, and U.S. territories. Patients acknowledge and agree that:

  • The treating Network Provider may be licensed in a different state than the patient’s state of residence or location at the time of service;
  • Teledentistry and telehealth services are subject to the dental and medical practice laws of both the patient’s state and the provider’s state of licensure, as applicable;
  • State laws governing teledentistry, informed consent, prescribing, privacy, and patient rights vary significantly across jurisdictions;
  • Where state law is more protective of patient rights or imposes greater restrictions on PHI use than HIPAA, Dentulu will comply with the more stringent standard;
  • Your PHI may be transmitted across state lines in connection with teledentistry services, multi-provider care coordination, and Business Associate operations;
  • Dentulu does not guarantee the availability of teledentistry services in all states, as state-specific regulatory requirements may restrict or require modification of certain services; and
  • Applicable state-specific privacy addenda will be provided upon request for the following states with heightened health data privacy laws: California (CMIA, CPRA), Texas (THIPA), New York (New York SHIELD Act), Illinois (BIPA), Virginia (VCDPA), Colorado (CPA), Washington (My Health My Data Act), Nevada, and others.

B. Subcontracted Physician and Provider Network

In connection with its medical-dental integration and care-coordination services, Dentulu may engage subcontracted physician networks, specialty networks, and ancillary provider groups. The following disclosures apply:

  • Subcontracted providers operate as independent contractors of Dentulu and/or of independent physician networks or group practices that contract with Dentulu;
  • Subcontracted providers are licensed in the jurisdictions where they practice and are responsible for their own professional credentials, malpractice coverage, and clinical standards;
  • Dentulu’s subcontracting of provider services does not make Dentulu the employer, supervisor, or professional guarantor of subcontracted providers;
  • PHI shared with subcontracted provider networks is subject to Business Associate Agreements or treatment-purpose disclosures, as applicable under HIPAA;
  • Patients will be informed of the identity of the treating provider before or at the time of service; and
  • Dentulu maintains a credentialing and quality oversight process for Network Providers, but credentialing does not guarantee clinical outcomes or create liability for Dentulu with respect to individual provider performance.

C. International Operations

At this time, Dentulu’s primary operations and patient services are limited to the United States. Where Dentulu engages international Business Associates or subcontractors for technology, data processing, or administrative support, Dentulu will ensure that appropriate data transfer mechanisms and contractual protections are in place to protect the confidentiality and integrity of PHI.

XIV. PLATFORM LIABILITY SHIELD — LIMITATIONS OF DENTULU’S LIABILITY

This Section sets forth the scope of Dentulu’s liability as a technology platform and care facilitation company.

A. No Clinical Liability for Platform-Facilitated Services

Dentulu facilitates access to licensed healthcare providers through its platform but does not itself provide clinical dental or medical care, diagnoses, or treatment, except in limited circumstances where Dentulu directly employs clinicians. Dentulu is not responsible for any clinical outcome, adverse event, misdiagnosis, delayed diagnosis, treatment error, complication, or harm resulting from the professional services of any Network Provider, regardless of whether such services were facilitated through the Dentulu platform. Patients’ clinical malpractice claims, if any, lie against the treating provider and/or their professional liability insurer.

B. No Liability for Third-Party Systems

Dentulu is not responsible for failures, breaches, outages, errors, or performance issues affecting third-party systems, platforms, networks, or services used in connection with Dentulu’s platform, including but not limited to: Electronic Health Record (EHR) systems, practice management software, telephony and video conference providers, pharmacy systems, laboratory systems, imaging systems, insurance portals, and payment processors.

C. No Warranty on Platform Availability

DENTULU MAKES NO WARRANTY THAT THE PLATFORM WILL BE AVAILABLE, ERROR-FREE, SECURE, OR UNINTERRUPTED AT ALL TIMES. The platform is provided on an “as is” and “as available” basis. Dentulu expressly disclaims all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, and non-infringement. Planned and unplanned maintenance, technical outages, and network disruptions may occur.

D. Limitation of Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DENTULU’S TOTAL CUMULATIVE LIABILITY TO ANY PATIENT FOR ANY CLAIM ARISING OUT OF OR RELATING TO THE PLATFORM, THIS NOTICE, OR DENTULU’S PRIVACY PRACTICES SHALL NOT EXCEED THE GREATER OF: (i) THE TOTAL AMOUNT PAID BY THE PATIENT TO DENTULU IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM; OR (ii) ONE HUNDRED DOLLARS ($100.00). This limitation does not apply to: (a) Dentulu’s liability for HIPAA breach notification failures as required by law; (b) claims arising from Dentulu’s own gross negligence or willful misconduct; or (c) any liability that cannot be limited by law.

E. Indemnification

You agree to indemnify, defend, and hold harmless Dentulu Inc. and its officers, directors, employees, affiliates, agents, licensors, and successors from any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising from: (i) your use of the Dentulu platform; (ii) your violation of this Notice or applicable law; (iii) your submission of inaccurate, incomplete, or misleading information; or (iv) any clinical services obtained through the Dentulu platform.

XV. DISPUTE RESOLUTION — BINDING ARBITRATION & CLASS ACTION WAIVER

IMPORTANT — PLEASE READ CAREFULLY: This Section contains a binding arbitration clause and class action waiver. By using the Dentulu platform or receiving services facilitated through Dentulu, you agree that any dispute arising from or relating to this Notice, your PHI, your use of the Dentulu platform, or any services obtained through Dentulu will be resolved by binding individual arbitration, and you waive your right to a jury trial and to participate in a class action.

A. Agreement to Arbitrate

Except as otherwise provided in Section XV(E) below, you and Dentulu agree that any and all disputes, claims, or controversies arising out of or relating to: (i) this Notice of Privacy Practices or any companion document; (ii) Dentulu’s collection, use, or disclosure of your PHI; (iii) your use of the Dentulu platform; (iv) any teledentistry, marketplace, or care-coordination services facilitated by Dentulu; or (v) any breach, termination, or validity of this Notice, shall be resolved exclusively by final and binding individual arbitration, rather than in court.

B. Governing Rules — Federal Arbitration Act

This arbitration agreement is governed by the Federal Arbitration Act (FAA), 9 U.S.C. §§ 1 et seq., and the arbitration shall be administered by the American Arbitration Association (AAA) under its Consumer Arbitration Rules, as modified herein. A single, neutral arbitrator shall preside. The arbitrator shall have authority to award any remedy available in court on an individual basis, subject to the limitations in Section XIV(D). Arbitration proceedings shall be conducted in English.

C. Location and Format

Arbitration may be conducted: (i) in person in Los Angeles, California; (ii) by telephone; (iii) by videoconference; or (iv) solely on written submissions, as determined by the arbitrator. For claims under $10,000, arbitration shall be conducted solely on the papers unless a hearing is requested by a party.

D. Class Action Waiver

YOU AND DENTULU EACH AGREE THAT ANY DISPUTE RESOLUTION PROCEEDINGS, WHETHER IN ARBITRATION OR IN COURT, WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION. If for any reason a claim proceeds in court, you and Dentulu each waive any right to a jury trial and any right to bring or participate in a class action, class arbitration, collective action, or representative proceeding. The arbitrator has no authority to consolidate more than one person’s claims or to preside over any class, collective, or representative arbitration.

E. Exceptions to Arbitration

The following claims are expressly excluded from this arbitration requirement:

  • Claims subject to the exclusive jurisdiction of a government agency, including HIPAA complaints filed with HHS Office for Civil Rights;
  • Claims for injunctive or other equitable relief for actual or threatened infringement, misappropriation, or violation of intellectual property rights;
  • Claims that may not be subject to arbitration under applicable law; and
  • Small claims court actions within the jurisdictional limits of such court.

F. Severability

If any portion of this arbitration clause (other than the Class Action Waiver) is found unenforceable, that portion shall be severed and the remaining arbitration provisions shall continue in full force. The Class Action Waiver may not be severed and must be enforced in its entirety or not at all.

G. Governing Law

This Notice and the arbitration agreement shall be governed by the laws of the State of Delaware, without regard to its conflict-of-laws principles, except that the Federal Arbitration Act governs the arbitrability of all disputes.

XVI. EFFECTIVE DATE, CHANGES & MISCELLANEOUS PROVISIONS

A. Effective Date and Revisions

This Notice is effective as of January 1, 2026 (Version 2026.2). Dentulu reserves the right to revise this Notice at any time. Changes apply to all PHI previously created or received, as well as PHI created or received in the future. The current Notice is posted at www.dentulu.com/privacypractices.

B. Severability

If any provision of this Notice (other than HIPAA-mandated patient rights provisions, which may not be severed) is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.

C. Entire Agreement

This Notice, together with Dentulu’s Platform Terms of Service, Platform Privacy Policy, and any applicable signed authorizations or consents, constitutes the entire agreement between you and Dentulu with respect to the handling of your PHI and supersedes all prior notices, representations, or agreements on this subject.

D. Waiver

Dentulu’s failure to enforce any provision of this Notice shall not constitute a waiver of its right to do so in the future.

E. Contact Information

Privacy Officer: support@dentulu.com
Legal / Arbitration Notices: legal@dentulu.com
Patient Rights Requests: support@dentulu.com (written requests required)
Data Deletion Requests: support@dentulu.com
Mailing Address: Dentulu Inc., 2002 South Hoover Street, Los Angeles, CA 90007
Phone: 888-905-0226
HHS Office for Civil Rights: www.hhs.gov/ocr | 1-800-368-1019
Privacy Notice URL: www.dentulu.com/privacypractices

ADDENDUM A — PATIENT DATA AUTHORIZATION ADDENDUM

Optional Written Authorizations Under HIPAA § 164.508

NOTICE: This Addendum covers uses and disclosures of your PHI that require your written authorization under HIPAA (45 C.F.R. § 164.508). Signing is voluntary. Treatment will not be conditioned on whether you sign this Addendum, except as permitted by law. You may revoke any authorization at any time in writing.

Authorization 1: Research and Clinical Studies

I authorize Dentulu Inc. to use and disclose my PHI, including dental records, imaging, clinical notes, and outcomes data, for participation in research, clinical trials, and quality improvement research by Dentulu or its research partners. Purpose: Advance dental and oral health science. Duration: Until revoked or as specified: _______________________

Authorization 2: Marketing Communications

I authorize Dentulu Inc. to use my PHI to send me personalized marketing communications about Dentulu products, services, and partner offerings relevant to my oral health. Purpose: Relevant health offers and service information. Duration: Until revoked.

Authorization 3: Sale of PHI

I authorize Dentulu Inc. to share my identifiable PHI with the following third parties for purposes beyond treatment, payment, or operations: _______________________. Dentulu will be compensated as follows: _______________________

Authorization 4: Disclosure to Non-Healthcare Third Parties

I authorize disclosure to: Name/Organization: _______________________ Relationship: _______________________ Purpose: _______________________

Authorization 5: Photos, Videos, and Testimonials

I authorize use of my photographs, videos, or recordings, including images of my oral cavity or dental work, for educational, promotional, or marketing purposes on Dentulu’s platform and marketing materials.

Right to Revoke

You may revoke any Authorization at any time by sending written notice to support@dentulu.com. Revocation is not effective to the extent Dentulu has already acted in reliance on the Authorization.

Authorizations selected (circle all that apply): 1 | 2 | 3 | 4 | 5 | ALL | NONE

Your single signature on the Notice of Acceptance at the end of this document constitutes acceptance of this Authorization Addendum for the authorizations selected above.

ADDENDUM B — AI & DATA USE CONSENT

NOTICE: This AI & Data Use Consent is voluntary and separate from your treatment. Dentulu uses de-identified and aggregated data for AI development without this Consent. This form covers optional consent for using your identifiable PHI for specific AI development purposes.

1. Scope of AI/ML Uses Covered

By agreeing to this Consent, you authorize Dentulu Inc. to use your identifiable PHI for:

  • Training, validating, and improving supervised and unsupervised ML models for oral health diagnosis and care;
  • Developing AI algorithms for dental image analysis, caries detection, periodontal risk scoring, and related clinical applications;
  • Training NLP models using de-identified or pseudonymized clinical notes and patient communications;
  • Improving AI-assisted triage and care routing systems; and
  • Other AI/ML activities specifically described to you at the time of consent.

2. AI Risk Acknowledgment

PATIENT ACKNOWLEDGMENT: By agreeing to this AI & Data Use Consent, you acknowledge that you have read and understood Section VII of the Notice of Privacy Practices, including: (i) AI tools are decision-support only and do not replace clinical judgment; (ii) AI outputs may contain errors, omissions, or inaccuracies; (iii) Dentulu makes NO WARRANTIES regarding the accuracy, completeness, or fitness of AI outputs; (iv) all clinical decisions are made by licensed providers, not AI systems; and (v) Dentulu is not liable for clinical outcomes based on AI-generated outputs.

3. Data Protections

Dentulu will: limit use to purposes described herein; execute BAAs with AI vendors accessing identifiable PHI; apply access controls, encryption, and audit logging; not sell identifiable PHI for AI training; and notify you of material changes.

4. Perpetual Data Rights Acknowledgment

You acknowledge that any de-identified, aggregated, or derived data generated from your PHI in connection with AI development may be retained and used by Dentulu on a perpetual, irrevocable basis as described in Section VIII of the NPP, without compensation owed to you.

5. Duration and Revocation

Effective from the date of acceptance until revoked. To revoke, send written notice to support@dentulu.com. Revocation is not retroactive.

Your single signature on the Notice of Acceptance at the end of this document constitutes acceptance of this AI & Data Use Consent.

ADDENDUM C — TELEHEALTH CONSENT
TELEDENTISTRY & TELEHEALTH INFORMED CONSENT

This Consent applies to your use of Dentulu’s teledentistry and telehealth services, including live video consultations, asynchronous (store-and-forward) consultations, remote monitoring, AI-assisted screenings, and related digital health services.

1. Nature of Teledentistry Services

Teledentistry uses electronic communication technologies including video conferencing, digital imaging, asynchronous messaging, and AI-assisted tools for dental care delivery. It may be used for consultations, follow-up visits, second opinions, imaging transmission, oral health education, prescription (where permissible), referrals, and AI-assisted triage reviewed by licensed providers.

2. Technology Limitations — Patient Risk Assumption

CRITICAL RISK DISCLOSURE: TELEDENTISTRY HAS INHERENT LIMITATIONS COMPARED TO IN-PERSON DENTAL EXAMINATION. BY PROCEEDING WITH TELEDENTISTRY SERVICES, YOU EXPRESSLY ACKNOWLEDGE AND ASSUME THE FOLLOWING RISKS:

You acknowledge and agree that:

  • Teledentistry CANNOT fully replicate an in-person clinical examination. Remote consultations lack tactile examination, direct intraoral probing, physical palpation, and other clinical assessments that may be necessary for complete diagnosis;
  • A remote consultation DOES NOT GUARANTEE A DIAGNOSIS. The licensed provider may be unable to render a definitive diagnosis via teledentistry and may require or recommend an in-person examination;
  • IMAGE AND VIDEO QUALITY LIMITATIONS may impair the provider’s ability to visualize and assess your oral condition. Poor lighting, low-resolution imagery, patient movement, or inadequate photography may prevent accurate assessment;
  • TECHNOLOGY FAILURES including network outages, software malfunctions, hardware failures, poor internet connectivity, and session interruptions may prevent or degrade the teledentistry consultation, which is outside Dentulu’s control;
  • YOU ASSUME THE RISK of technology limitations and acknowledge that Dentulu does not guarantee uninterrupted, error-free, or complete teledentistry sessions;
  • DELAYS IN DIAGNOSIS OR TREATMENT are possible due to the asynchronous nature of certain teledentistry modalities;
  • DENTULU MAKES NO GUARANTEE that teledentistry services will result in the same outcome as in-person care, and is not responsible for any adverse outcome attributable to the inherent limitations of remote care delivery;
  • Certain dental conditions REQUIRE IN-PERSON EVALUATION AND TREATMENT and cannot be adequately addressed via teledentistry; and
  • EMERGENCY CONDITIONS must always be addressed in person or at an emergency facility. AI triage results and teledentistry consultations are NEVER a substitute for emergency care. If you believe you are experiencing a dental or medical emergency, call 911 or go to an emergency room immediately.

3. Privacy and Security

Dentulu uses HIPAA-compliant platforms with encryption and access controls. However, no internet-based communication is 100% secure, and Dentulu cannot guarantee absolute privacy of electronic transmissions. Teledentistry sessions may be recorded for quality assurance and documentation purposes, and you will be notified if a session is recorded.

4. State Law Compliance

Teledentistry is subject to state dental and medical practice laws, which vary by jurisdiction. Dentulu providers are licensed in states where they practice and comply with applicable state teledentistry regulations. Service availability may vary by state.

5. Patient Affirmative Representations

By agreeing to use Dentulu or any of its services you are agreeing to this Consent, and you represent and affirm that:

  • You have read and understood the technology limitations and risk disclosures in Section 2 above;
  • You voluntarily and knowingly assume the risks described herein;
  • You consent to receive teledentistry services subject to those limitations; and
  • You understand that teledentistry may be provided by Network Providers who are independent contractors, as described in Section I of the NPP.

Your single signature on the Notice of Acceptance at the end of this document constitutes your informed consent to receive teledentistry services and your acceptance of all risk disclosures in this Addendum.

ADDENDUM D — THIRD-PARTY SHARING CONSENT

NOTICE: Much of Dentulu’s sharing of your PHI with third parties is permitted by HIPAA without your consent (for treatment, payment, and healthcare operations). This Addendum covers OPTIONAL sharing beyond what HIPAA automatically permits. Declining these optional consents will not affect your ability to receive Dentulu services.

If you do not consent to any particular category, please check Decline for that category below. These preferences may be updated at any time by contacting support@dentulu.com.

If you do not decline, your consent is implied. If you have any questions or concerns about any of these categories please contact us at support@dentulu.com.

Third-Party Category | Decline
Dental product/service companies (Dentulu partners) for relevant oral health offers | [ ]
Employer wellness programs — limited to treatment and participation data | [ ]
Life, disability, or supplemental health insurers beyond your current insurer | [ ]
Family members or designated caregivers for care coordination | [ ]
Patient advocacy organizations or support groups relevant to your condition | [ ]
Academic institutions or dental schools for educational purposes | [ ]
Non-HIPAA-covered health apps or digital health platforms you select | [ ]

You may revoke or change these preferences at any time. Revocation applies prospectively and does not undo disclosures already made in reliance on prior consent.

Your single signature on the Notice of Acceptance at the end of this document constitutes acceptance of the third-party sharing preferences selected above.

ADDENDUM E — PLATFORM TERMS CROSS-REFERENCE

Governing Document Interrelationship Guide

This Addendum identifies the sections of Dentulu’s Platform Terms of Service, Privacy Policy, and related agreements that intersect with this NPP and companion documents.

1. NPP and Platform Privacy Policy Relationship

Dentulu maintains both this HIPAA NPP (governing PHI) and a separate Platform Privacy Policy governing non-PHI data (usage data, cookies, device data), available at https://app.dentulu.com/page/privacy-policy. This NPP governs clinical health information; the Platform Privacy Policy governs general platform usage data.

2. Platform Terms of Service — Key Cross-References

Terms Section | Subject Matter | Related NPP Section
Sec. 3 — User Data | Collection & storage of account and usage data | NPP Sections III, VIII
Sec. 4 — Healthcare Data | PHI handling; HIPAA compliance | NPP Sections I–XVI
Sec. 5 — Platform Nature | Technology facilitator; independent contractor providers | NPP Section I(A)(B); XIV
Sec. 6 — AI & Automation | AI features; no warranty; human oversight | NPP Section VII; Addendum B
Sec. 7 — Third-Party | API partners, vendors, liability shield | NPP Sections VI; XIV
Sec. 8 — De-identified Data | Dentulu data rights; perpetual/irrevocable | NPP Section VIII; Addendum B
Sec. 9 — Patient Rights | Account access, portability, deletion | NPP Section IX
Sec. 10 — Breach Response | Security incident response | NPP Section IX(G); XII
Sec. 11 — Telehealth Terms | Teledentistry; risk assumption; state law | Addendum C; NPP XIII
Sec. 12 — Marketplace Terms | Provider marketplace; patient-provider relationship | NPP Sections I(A); IV–V
Sec. 13 — Liability | Platform liability shield; damages cap | NPP Section XIV
Sec. 14 — Dispute Resolution | FAA arbitration; class action waiver | NPP Section XV
Sec. 15 — Multi-State | Cross-state; subcontracted networks | NPP Section XIII
Sec. 16 — Changes | Material change notification | NPP Section XVI

3. Governing Document Hierarchy

  • 45 C.F.R. Parts 160 & 164 (HIPAA/HITECH) and applicable state law (supreme);
  • This Notice of Privacy Practices (for PHI);
  • Platform Terms of Service (for platform use);
  • Platform Privacy Policy (for non-PHI data); and
  • Signed Addenda and Authorizations (for specific authorized uses).

4. State-Specific Addenda

State-specific privacy addenda are available upon request for patients in: California (CMIA, CPRA), Texas (THIPA), New York (SHIELD Act), Illinois (BIPA), Virginia (VCDPA), Colorado (CPA), Washington (My Health My Data Act), Nevada, and any other state with healthcare-specific privacy laws more stringent than HIPAA. Contact support@dentulu.com.

NOTICE OF ACCEPTANCE

By signing below, I acknowledge that I have received, read, and understand this Notice of Privacy Practices and all companion Addenda (Addenda A through E), and I agree to be bound by all terms, practices, disclosures, limitations, and conditions set forth herein — including the binding arbitration clause and class action waiver in Section XV — on behalf of myself and, where applicable, any minor or dependent for whom I am the legal guardian or authorized representative.

I understand that my signature below constitutes my sole and complete acceptance of this entire document package, that no further consent forms or acknowledgment documents are required, and that continued use of any Dentulu Inc. service — including any website, mobile application, teledentistry consultation, dental marketplace, care-coordination service, or AI-assisted tool — following any posted revision to this Notice constitutes my ongoing acceptance of the then-current version.

This Notice is available at all times at www.dentulu.com/privacypractices and in paper form upon request to support@dentulu.com.