Notice of Privacy Practices
Effective Date: May 10, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Our Legal Duties
Nuvian Labs LLC ("Nuvian Labs," "we," "us," or "our"), as a provider of the Darael platform (the "Service") to healthcare providers, is committed to protecting the privacy and security of your protected health information ("PHI"). We are required by law to:
- Maintain the privacy of your PHI and provide you with this Notice of our legal duties and privacy practices;
- Notify you following a breach of your unsecured PHI;
- Abide by the terms of this Notice currently in effect.
We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI that we maintain. If we make material changes, we will post the revised Notice on our website at https://darael.com/privacy and notify our covered entity customers.
2. Your PHI Rights
You have the following rights regarding your PHI:
Right to Inspect and Copy
You have the right to inspect and obtain a copy of your PHI contained in a designated record set, including medical records, billing records, and other records used to make decisions about you. To request access, contact your healthcare provider directly — they are the covered entity responsible for your records.
Right to Amend
If you believe your PHI is incorrect or incomplete, you may request that your healthcare provider amend the information. Your provider has the right to accept or deny your request.
Right to an Accounting of Disclosures
You have the right to request an accounting of certain disclosures of your PHI made by your healthcare provider or by us on their behalf during the six years prior to your request.
Right to Request Restrictions
You have the right to request restrictions on certain uses and disclosures of your PHI for treatment, payment, or healthcare operations. Your provider is not required to agree to all requested restrictions.
Right to Request Confidential Communications
You have the right to request that your healthcare provider communicate with you about medical matters in a specific way or at a specific location.
Right to a Paper Copy of This Notice
You may request a paper copy of this Notice from your healthcare provider at any time, even if you have agreed to receive it electronically.
Right to Choose Someone to Act for You
If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights.
Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with:
- Your healthcare provider's Privacy Officer
- Nuvian Labs LLC at privacy@nuvianlabs.com
- The U.S. Department of Health and Human Services, Office for Civil Rights
We will not retaliate against you for filing a complaint.
3. How We May Use and Disclose Your PHI
As a business associate to your healthcare provider (the covered entity), we may use and disclose your PHI as follows:
For Treatment
We facilitate the use and disclosure of your PHI to provide, coordinate, and manage your healthcare and related services. This includes communication between your providers, clinical decision support tools, and AI-assisted treatment planning within the Darael platform.
For Payment
Your PHI may be used and disclosed to obtain payment for healthcare services provided to you, including billing, claims management, and collection activities.
For Healthcare Operations
We may use and disclose your PHI for healthcare operations of your provider, including quality assessment, practitioner evaluation, training, compliance, and business planning.
Business Associates
We may disclose your PHI to our service providers (subcontractors) who perform services on our behalf, provided they sign a Business Associate Agreement requiring them to protect your PHI.
As Required by Law
We will disclose your PHI when required to do so by federal, state, or local law.
To Avert a Serious Threat to Health or Safety
We may use and disclose your PHI when necessary to prevent a serious threat to your health or safety or the health or safety of others.
Public Health Activities
We may disclose your PHI for public health activities, including disease reporting, product recalls, and adverse event reporting.
Judicial and Administrative Proceedings
We may disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.
Law Enforcement
We may disclose limited PHI for law enforcement purposes as required by law or in response to a valid legal process.
Workers' Compensation
We may disclose your PHI as authorized by workers' compensation laws.
Organ and Tissue Donation
If you are an organ donor, we may release your PHI to organ procurement organizations.
Research
We may use or disclose your PHI for research purposes when the research has been approved by an institutional review board or privacy board.
Marketing and Sale of PHI
We will never use or disclose your PHI for marketing purposes without your written authorization. We will never sell your PHI.
Psychotherapy Notes
Most uses and disclosures of psychotherapy notes require your written authorization.
4. Uses and Disclosures Requiring Your Authorization
The following uses and disclosures of your PHI require your written authorization:
- Uses and disclosures for marketing purposes that involve financial remuneration
- Disclosures that constitute a sale of PHI
- Most uses and disclosures of psychotherapy notes (where applicable)
- Any other uses and disclosures not described in this Notice
You may revoke your authorization in writing at any time, except to the extent that your provider or we have already relied on the authorization.
5. How We Protect Your PHI
We implement comprehensive administrative, physical, and technical safeguards to protect your PHI:
Administrative Safeguards
- Designated Privacy Officer and Security Officer
- Workforce HIPAA training and confidentiality agreements
- Business Associate Agreements with all subcontractors
- Risk analysis and management program
- Sanction policy for privacy violations
Physical Safeguards
- Facility access controls and visitor management
- Workstation security and screen privacy filters
- Secure destruction of PHI on decommissioned hardware
- Encrypted offsite backup storage
Technical Safeguards
- AES-256-GCM encryption for all PHI at rest
- TLS 1.3 encryption for all data in transit
- Multi-factor authentication for all user accounts
- Role-based access controls with least-privilege enforcement
- Comprehensive audit logging of all PHI access and modifications
- Automatic session timeouts after periods of inactivity
- Automated intrusion detection and 24/7 security monitoring
- Regular penetration testing and vulnerability assessments
6. Breach Notification
In the event of a breach of unsecured PHI, we will notify the affected covered entity (your healthcare provider) without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification will include:
- A description of what happened, including the date of the breach
- The types of PHI involved
- Steps you should take to protect yourself
- What we are doing to investigate, mitigate, and prevent future breaches
- Contact information for questions
Your healthcare provider is responsible for notifying affected individuals as required by the HIPAA Breach Notification Rule.
7. Our Role as a Business Associate
Nuvian Labs operates the Darael platform as a business associate to healthcare providers who are covered entities under HIPAA. This means:
- We process PHI only as permitted by our Business Associate Agreements (BAAs) with each provider
- We do not own or control your PHI — your healthcare provider is the covered entity responsible for your records
- Requests to access, amend, or restrict your PHI should be directed to your healthcare provider
- Your provider's Notice of Privacy Practices governs the use of your PHI beyond our role as their platform provider
8. State-Specific Privacy Rights
Depending on your state of residence, you may have additional privacy rights beyond those provided by HIPAA:
- California: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) rights
- Texas: Texas Medical Records Privacy Act (TMRPA) provisions
- New York: SHIELD Act data security requirements
- Florida: Florida Information Protection Act (FIPA) breach notification
Contact your healthcare provider or our Privacy Office at privacy@nuvianlabs.com for information about state-specific rights that may apply to you.
9. Contact Information
For questions about this Notice, to exercise your rights, or to file a privacy complaint:
| Privacy Officer | Nuvian Labs LLC |
| Email | privacy@nuvianlabs.com |
| Website | https://darael.com/privacy |
| Mailing Address | Available upon request via email |
You may also contact the Secretary of Health and Human Services:
- Website: https://www.hhs.gov/hipaa/filing-a-complaint/
- Phone: 1-800-368-1019
10. Changes to This Notice
We reserve the right to change this Notice and to make the revised or changed Notice effective for PHI we already have about you as well as any PHI we receive in the future. The current Notice will be posted on our website at https://darael.com/privacy and include the effective date.