Privacy Policy for this Website

Effective Date: September 1, 2020
Updated: February 2, 2021

CoFi, Inc. (referred to as “CoFi”, “we”, “our” or “us”) respects your privacy. CoFi recognizes the importance of protecting personal data we may collect from visitors to our website and any other individual or entity (“Users”, “you”, or “your”) who visit our websites and who use our platform. This Privacy Policy describes the types of Personal Data we collect through our payments products and services via our online presence, which include our main website at www.CoFimd.com, and other CoFi-related sites, applications, software, communications (“Services”) accessible on or by any top-level CoFi domain owned by us (each, a “Site” and collectively the “Sites”).

CoFi provides services utilizing the CoFi platform (our “Platform”) to our business customers (“Customers”). The Platform enables Customers to process payments submitted by their patients. This Privacy Policy addresses the types of Personal Data we collect about individuals who our Customers have authorized to use the Platform, such as their employees and staff, and also the types of information we collect about individuals who visit our website or contact us through the website. When you visit the Sites or contact us through our website, we collect your Personal Data as the data controller. When we collect your Personal Data because our Customer has provided you with credentials to use our Platform, we collect your Personal Data as a service provider to the Customer and as a data processor. For more information about our role as a service provider to our Customers, please see the section titled “CoFi Customers” below.

This Privacy Policy describes how we use Personal Data, with whom we share it, your rights and choices, and how you can contact us about our privacy practices. This policy does not apply to third-party websites, products, or services, even if they link to our Services or Sites, and you should consider the privacy practices of those third parties carefully.
Please familiarize yourself with our privacy practices and let us know if you have any questions. By using the Sites, you signify your acceptance of this Privacy Policy. If you do not agree to this Privacy Policy, please do not use the Sites. If you have any questions or comments about this Privacy Policy, please submit a request to privacy@cofimd.com.

When This Privacy Policy Applies. Our Privacy Policy applies to all of the Services offered by CoFi and its affiliates but excludes services that have separate privacy policies that do not incorporate this Privacy Policy. Our Privacy Policy does not apply to services offered by other companies or individuals, including products or sites that may be displayed to you, or other sites linked from our Services. Our Privacy Policy does not cover the information practices of other companies and organizations who advertise our Services, and who may use cookies, pixel tags and other technologies to serve and offer relevant ads.

Terms and Conditions. By accessing or using the Sites in any manner, you also agree to be bound by CoFi’s Terms and Conditions (the “Agreement”), accepted at the time you create your CoFi user account. Please read the Agreement carefully. If you do not accept all of the terms and conditions contained in or incorporated by reference into the Agreement, you cannot use the Sites.

Information We Collect. We collect information, including personal data, to provide better services to all our Users. We use the term “Personal Data” to refer to any information that identifies or can be used to identify you. Common examples of Personal Data include: full name, email address, digital identity, such as a login name or handle, information about your device, and certain metadata. When you use our Services, we collect Personal Data in the following ways:

1. Information You Give to Us

• Website Visitors
You may choose to provide us with Personal Data about yourself, including your name, organization name, title, phone number and email address by completing forms on our website. You may also provide us with Personal Data about yourself when you report a problem or have a question about our services. When you visit our website, we collect certain information automatically, such as your operating system version, browser type, and internet service provider. We also collect information about your interaction with the Services, such as creating or logging into your account. When you use our Site, we automatically collect and store this information in service logs. This includes: details of how you used our Site; Internet protocol address; cookies that uniquely identify your browser, the referring web page and pages visited. We may also collect and process information about your actual location.

• Customer End User
If you are a User of the CoFi platform, you or your employer may provide your contact details, such as an email address, in order for you to access a CoFi account. As part of your business relationship with us, we may also receive financial and Personal Data about you or your company, such as your company’s bank account information and the SSN or EIN of the account administrator. For more information about the types of information we process in our role as a service provider to our Customers, please see the section titled “CoFi Customers” below.

2. Other Information We Obtain from Your Use of Our Services

Whether you are a visitor to our website, or an end user of our Platform, we collect additional information about you, including location data and device ID information. Our Sites and Services use cookies and similar technologies to collect this information. We may use such information for internal purposes and to provide you a better experience, such as to troubleshoot application problems you may experience.
We also use these technologies to collect and store information when you interact with services from our partners, such as advertising services. These technologies record information about your use of our Sites, including:

• Browser and device data, such as IP address, device type, operating system and Internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons and the language version of the Sites you are visiting;
• Usage data, such as time spent on the Sites, pages visited, links clicked, language preferences, and the pages that led or referred you to our Sites.

We also collect information about your online activities on websites and connected devices over time and across third-party websites, devices, apps and other online features and services. We use Google Analytics on our Sites to help us analyze your use of our Sites and diagnose technical issues. To learn more about the cookies that may be served through our Sites and how you can control our use of cookies and third-party analytics, please see our Cookie Policy.

How We Use Personal Data.

a. Our products and services. We rely upon a number of legal grounds to ensure that our use of your Personal Data is compliant with applicable law. We use Personal Data to facilitate the business relationships we have with our Customers and their Users, to comply with our legal obligations, and to pursue our legitimate business interests.

b. Marketing and events-related communications. We may send you email marketing communications about CoFi products and services, invite you to participate in our events or surveys, or otherwise communicate with you for marketing purposes, provided that we do so in accordance with the consent requirements that are imposed by applicable law.
For example, when we collect your business contact details through our participation at trade shows or other events, we may use the information to follow up with you regarding an event, send you information that you have requested on our products and services and, with your permission, include you on our marketing information campaigns.

c. Advertising. When you visit our Sites, we (and our service providers) may use Personal Data collected from you and your device to target advertisements for CoFi Services to you on our Sites and other sites you visit (“interest-based advertising”), where allowed by applicable law. For example, when you visit our Site, we will use cookies to identify your device and direct ads for our Services to you. You have choices and control over the cookies (or similar technologies) we use to advertise to you. Please see our Cookie Policy for more information. At present, there is no industry standard for recognizing Do Not Track browser signals, so we do not respond to them.

We do not use, share, rent or sell the Personal Data of our Users’ Customers for interest-based advertising. We do not sell or rent the Personal Data of our Users, their Customers or our Site visitors.

We and our service providers may use IP addresses to understand the locations from which our Users are accessing the Services. Except where prohibited by applicable law or regulation, we may combine information collected through one source with information obtained through other resources. We also may supplement the information we collect with information obtained from third parties. We will treat any information that we combine with your Personal Data as Personal Data pursuant to this Privacy Policy. We use information collected from cookies and other technologies to improve your User experience and the overall quality of our services.
We may use your Personal Data to see which web pages you visit at our Site, which web site you visited before coming to our Site, and where you go after you leave our Site. We can then develop statistics that help us understand how our visitors use our Site and how to improve it. We may also use the information we obtain about you in other ways for which we provide specific notice at the time of collection.

d. Non-Personal and Aggregate Site Use Information. CoFi may compile and share information collected through its website and platform in aggregated form or in de-identified form so that it cannot reasonably be used to identify an individual (“De-Identified Information”). We may disclose such De-Identified Information publicly and to third parties, for example, in public reports about exercise and activity. CoFi may also disclose De-Identified Information for general research purposes and in research collaborations with third parties, such as universities, hospitals or other laboratories to determine the prevalence of particular conditions among Users or to determine whether a User might be suitable for research or clinical trials. CoFi may also use De-Identified Information for commercial collaborations with private companies for purposes such as product design or enhancement of Services.

How We Disclose Personal Data. CoFi does not sell or rent Personal Data to marketers or unaffiliated third parties. We share your Personal Data with trusted entities, as outlined below.

a. CoFi. We share Personal Data with other CoFi entities in order to provide our Services and for internal administration purposes.

b. Service providers. We share Personal Data with a limited number of our service providers. We have service providers that provide services on our behalf, such as identity verification services, website hosting, data analysis, information technology and related infrastructure, customer service, email delivery, and auditing services.
These service providers may need to access Personal Data to perform their services. We authorize such service providers to use or disclose the Personal Data only as necessary to perform services on our behalf or comply with legal requirements. We require such service providers to contractually commit to protect the security and confidentiality of Personal Data they process on our behalf. Our service providers are located in the United States of America.

c. Business partners. We share Personal Data with third party business partners when this is necessary to provide our Services to our Users. Notably, this includes third party payment processing companies.

d. Our Users and third parties authorized by our Users. We share Personal Data with Users as necessary to maintain a User account and provide the Services. We share data with parties directly authorized by a User to receive Personal Data. The use of Personal Data by an authorized third party is subject to the third party’s privacy policy.

e. Corporate transactions. In the event that we enter into, or intend to enter into, a transaction that alters the structure of our business, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control, or other disposition of all or any portion of our business, assets or stock, we may share Personal Data with third parties in connection with such transaction. Any other entity which buys us or part of our business will have the right to continue to use your Personal Data, but only in the manner set out in this Privacy Policy unless you agree otherwise.

f. Compliance and harm prevention.
We share Personal Data as we believe necessary: (i) to comply with applicable law, or payment method rules; (ii) to enforce our contractual rights; (iii) to protect the rights, privacy, safety and property of CoFi, you or others; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.

Your Failure to Provide Personal Data. Your provision of Personal Data is required in order to use certain parts of our Sites and Services. If you fail to provide such Personal Data, you may not be able to access and use our Services.

Your Rights and Choices. You have choices regarding our use and disclosure of your Personal Data:

a. Opting out of receiving electronic communications from us. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages that are required to provide you with our Services.

b. How you can see or change your account Personal Data. If you would like to review, correct, or update Personal Data that you have previously disclosed to us, you may do so by signing in to your CoFi account or by contacting CoFi.

c. Requests to Change or Delete Information. Whenever you use our Services, we aim to provide you with choices about how we use your Personal Data. We also aim to provide you with access to your Personal Data. If that information is wrong, we strive to give you ways to update it quickly or to delete it – unless we have to keep that information for legitimate business or legal purposes.
Subject to applicable law, you may obtain a copy of Personal Data we maintain about you or you may update or correct inaccuracies in that information by contacting us. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to the information. In addition, if you believe that Personal Data we maintain about you is inaccurate, subject to applicable law, you may have the right to request that we correct or amend the information by contacting us as indicated in the How to Contact Us section below. You may update or correct information about yourself by emailing us at privacy@CoFimd.com. If you completely delete all such information, then your account may become deactivated. We may retain an archived copy of your records as required by law, to comply with our contractual or legal obligations, to resolve disputes, to enforce our agreements or for other legitimate business purposes. We may contact you to request that you update your Personal Data on a regular basis to ensure its integrity for the purposes of ongoing data management.

We make reasonable efforts to ensure a level of security appropriate to the risk associated with the processing of Personal Data. We maintain organizational, technical and administrative measures designed to protect Personal Data within our organization against unauthorized access, destruction, loss, alteration or misuse. Your Personal Data is only accessible to a limited number of personnel who need access to the information to perform their duties. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please contact us immediately.

We retain your Personal Data as long as we are providing the Services to your company.
We retain Personal Data after we cease providing Services directly or indirectly to you, even if you close your CoFi account or complete a transaction with a CoFi Customer, to the extent necessary to comply with our legal and regulatory obligations, and for the purpose of fraud monitoring, detection and prevention. We also retain Personal Data to comply with our tax, accounting, and financial reporting obligations, where we are required to retain the data by our contractual commitments to our financial partners, and where data retention is mandated by the payment methods that we support. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.

Direct Marketing and “Do Not Track” Signals. CoFi does not track its users over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. However, some third party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. If you are visiting such sites, your browser may include controls to block and delete cookies, web beacons and similar technologies, to allow you to opt out of data collection through those technologies.

California residents are entitled to contact us to request information about whether we have disclosed Personal Data to third parties for the third parties’ direct marketing purposes. Under the California “Shine the Light” law, California residents may opt-out of our disclosure of Personal Data to third parties for their direct marketing purposes. You may choose to opt-out of the sharing of your Personal Data with third parties for marketing purposes. To make such a request you should send (a) an email to privacy@CoFimd.com with the subject heading “California Privacy Rights,” or (b) a letter addressed to CoFi, Inc., 23 Water Street, Suite 301, Holliston, MA 01746.
In your request, please attest to the fact that you are a California resident and provide a current California address for our response. Please be aware that not all information sharing is covered by the California privacy rights requirements and only information on covered sharing will be included in our response. We reserve our right not to respond to requests submitted to addresses other than the addresses specified in this paragraph.

Use by Minors. The Site and Services are not directed to individuals under the age of thirteen (13). If you are under the age of 13 (or a minor in the jurisdiction in which you are accessing our Sites or Services), do not use the Services, or make purchases via the Services, use any interactive features of the Services, or post any Personal Data to our Sites or submit any Personal Data via the Services. We do not knowingly or intentionally gather Personal Data about children who are under the age of 13. If a child has provided us with Personal Data, a parent or guardian of that child may contact us to have the information deleted from our records. If you believe that we might have any information from a child under age 13 in the applicable jurisdiction, please contact us at privacy@CoFimd.com. If we learn that we have inadvertently collected the Personal Data of a child under 13, we will take steps to delete the information as soon as possible and cease the use of that information in accordance with applicable law.

CoFi Customers. CoFi customers, including health care providers and medical facilities (“CoFi Customers”), engage us to deliver Services to their employees, patients and other users. Customer Information, Information about our Customer’s Contacts and Archival Information (each defined below) are governed by this Privacy Policy, the CoFi Terms and Conditions and any other services agreements between CoFi and the applicable Customer.

• CoFi Customer Information.
We collect information about individuals within our CoFi Customer organization (“Customer Information”). Customer Information may include information related to the Customer’s account, name, work email address, work phone number, job title or similar kinds of information. We use Customer Information to support the Customer account, maintain our business relationship with the Customer, respond to Customer inquiries, or perform accounting functions. CoFi Customers may update Personal Data and passwords by logging into the CoFi Platform and updating their account. CoFi Customers may contact CoFi support in order to delete their Personal Data. In some cases, we may not be able to delete Customer Information, and in such cases we will tell you why.

• Information about our Customers’ Contacts. We collect information about any contacts, such as practice groups, employees, insured parties, and others, that may be uploaded into the CoFi Platform (“Information about our Customers’ Contacts”). Information about our Customers’ Contacts may include name, e-mail address, phone number, job title, or similar kinds of information. We use Information about our Customers’ Contacts for the purposes of providing Services to such contacts. CoFi Customers may update or delete Information about their contacts in the CoFi Platform. CoFi Customers may also contact CoFi support in order to update and delete such information. In some cases, we may not be able to delete such information, and in such cases we will tell you why.

• Archival Information. We collect User information for archival purposes on behalf of, and as directed by, our CoFi Customers for the purpose of improving health management. This information may include User Personal Data, User communications, among other forms of data or electronic communications (“Archival Information”).
Our CoFi Customer’s privacy policies or practices apply to Archival Information, the purposes for which the CoFi Customer collects Archival Information, how the CoFi Customer may use Archival Information and what choices the individual may have with respect to Archival Information. Individuals must contact the applicable CoFi Customer in order to correct, amend, or delete their information, or to opt out of any collection, uses or disclosure of their information by our CoFi Customer.

• Automatically Collected Information. We collect information automatically about how our CoFi Customers use our services (“Automatically Collected Information”). We do this via data collection technologies such as cookies, web beacons, gifs or other tracking technologies. We collect this information in order to monitor, support and improve our services or to provide CoFi Customers with certain customized features. We may use Automatically Collected Information to tell us how our CoFi Customers use our services, to improve our services or develop new products, services or features. We may combine this information with other information we collect.

• Health and Other Special Categories of Personal Data. Under a federal law called the Health Insurance Portability and Accountability Act (“HIPAA”), some demographic, health and/or health-related information that CoFi collects as part of providing the Services to Customers may be considered “protected health information” or “PHI.” HIPAA provides specific protections for the privacy and security of PHI and restricts how PHI is used and disclosed. CoFi handles all PHI in strict accordance with applicable laws and regulations. In addition, CoFi Customers shall be contractually bound to protect PHI to the same degree as set forth in this Privacy Policy.
All Protected Health Information that CoFi processes is used and disclosed by us as a Business Associate (as defined by HIPAA) according to the terms of a Business Associate Agreement between us and that healthcare provider. CoFi Customers, to the extent they are bound by HIPAA, are also required to describe their privacy practices.

We treat Customer Information, Information about our Customer’s Contacts, Archival Information and Automatically Collected Information as the confidential and proprietary information of our CoFi Customer, subject to the terms of the CoFi Terms and Conditions and any other service agreement between CoFi and the Customer. We do not share Customer Information, Information about our Customer’s Contacts, Archival Information or Automatically Collected Information with third parties unless directed to do so by our Customer, as may be necessary to provide services to the Customer, to our advisors, affiliates, representatives, agents, service providers, in connection with a business transaction (such as a merger or sale), as allowed under the terms of our agreement with our Customer, or in response to a court order, subpoena, warrant or to comply with a legal requirement or to cooperate with an investigation. We may disclose Customer Information, Information about our Customer’s Contacts, Archival Information or Automatically Collected Information for the aforementioned reasons, or in order to protect our rights or the rights of our affiliates, CoFi Customers, business partners or service providers. We will retain Customer Information we process on behalf of our CoFi Customers for as long as needed to provide services to our Customer, or for the period of time requested by a particular Customer.

Updates To this Privacy Policy and Notifications. We may change this Privacy Policy from time to time to reflect new services, changes in our Personal Data practices or relevant laws.
The “Last updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the Services. We may provide you with disclosures and alerts regarding the Privacy Policy or Personal Data collected by posting them on our website and, if you are a User, by contacting you through your CoFi Dashboard, email address and/or the physical address listed in your CoFi account.

Links To Other Websites. The Services may provide the ability to connect to other websites. These websites may operate independently from us and may have their own privacy notices or policies, which we strongly suggest you review. If any linked website is not owned or controlled by us, we are not responsible for its content, any use of the website or the privacy practices of the operator of the website. Our inclusion of links to such websites does not imply any endorsement of the material on such websites or any association with their operators. Further, it is up to the User to take precautions to ensure that whatever links the User selects or software the User downloads (whether from this Site or other websites) is free of such items as viruses, worms, trojan horses, defects and other items of a destructive nature. These websites and services may have their own privacy policies, which the User will be subject to upon linking to the third party's website. CoFi strongly recommends that each User review the third party's terms and policies.

How to Contact Us. If you have any questions, comments or concerns about this Privacy Policy, or if you would like to exercise the choices discussed above, please contact us:

Via e-mail: privacy@CoFimd.com

By writing to us:
CoFi, Inc.
Attn: Privacy Policy Inquiry
23 Water Street, Suite 301
Holliston, MA 01746