HIPAA
Notice of Privacy Practices
Effective date: April 16, 2026 · Applies to PHI handled by olow as a Business Associate
This Notice describes how medical information about you may be used and disclosed and how you can get access to this information.
Please review it carefully.
Purpose of This Notice
This Notice of Privacy Practices ("Notice") describes how protected health information ("PHI") about you may be used and disclosed by olow ("olow") when we act as a Business Associate of a HIPAA-covered entity, and how you can access this information.
We are required by the Health Insurance Portability and Accountability Act ("HIPAA") to maintain the privacy of your PHI, to provide you with this Notice, and to abide by the terms of the Notice currently in effect.
olow's Role
olow operates as a Business Associate to its healthcare provider clinic partners. This means:
Covered Entities: Our clinic partners (the clinics that administer your STI tests) are HIPAA "covered entities." They have their own Notices of Privacy Practices that govern how they use and share your PHI.
Business Associate: olow provides technology services to these covered entities under executed Business Associate Agreements (BAAs). We handle PHI only on their behalf and only for the purposes permitted by the BAA and HIPAA.
Direct Relationship with You: When you interact with olow directly as a consumer (not through a clinic partner), we voluntarily apply HIPAA-equivalent protections to any health-related information, but technically we are not your covered entity. This Notice explains our practices in both contexts.
Uses and Disclosures That Do Not Require Your Authorization
HIPAA permits us to use or disclose PHI without your authorization for the following purposes:
Treatment: Sharing PHI with the clinic or laboratory that ordered your testing, so they can provide care.
Payment: Supporting billing and collection activities of covered entity clinics (for example, confirming a credential was issued so a clinic can bill appropriately).
Health Care Operations: Quality improvement, auditing, and compliance activities performed on behalf of covered entities.
As Required by Law: When required by federal, state, or local law — for example, in response to a court order or subpoena.
Public Health Activities: When required to report to public health authorities for purposes such as disease surveillance, but only as authorized by the applicable covered entity.
Health Oversight Activities: For audits, investigations, and inspections authorized by law.
To Avert a Serious Threat: To prevent or lessen a serious threat to health or safety.
Uses and Disclosures Requiring Your Authorization
We will not use or disclose your PHI for any purpose other than those listed above without your written authorization.
You may revoke your authorization in writing at any time, except to the extent we have already relied on it.
Marketing: We will not use your PHI for marketing purposes without your authorization. We do not sell PHI.
Your Rights Regarding PHI
You have the following rights with respect to PHI we maintain:
Right to Access: You have the right to inspect and obtain a copy of your PHI. To request access, email privacy@olow.io or request directly from the clinic that issued your credential.
Right to Amend: If you believe PHI about you is incorrect or incomplete, you may request that we amend it. We may deny the request in limited circumstances permitted by HIPAA.
Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we have made of your PHI in the six years before the request date.
Right to Request Restrictions: You have the right to request a restriction on certain uses or disclosures. We will consider your request but are not required to agree in most cases.
Right to Confidential Communications: You may request that we communicate with you about medical matters in a specific way or at a specific location.
Right to a Paper Copy: You have the right to receive a paper copy of this Notice upon request at no charge.
Right to be Notified of a Breach: You have the right to be notified if we discover a breach of your unsecured PHI.
How to Exercise Your Rights
To exercise any of these rights, contact:
Privacy Officer: Rob Vido
Email: privacy@olow.io
Address: olow · 10940 South Parker Road · Parker, CO 80134
We will respond to most requests within 30 days. If we cannot fulfill a request within 30 days, we will notify you of the reason and expected response time.
Filing a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services.
To file a complaint with olow: Email privacy@olow.io or write to the Privacy Officer at the address above. We will investigate all complaints. You will not be retaliated against for filing a complaint.
To file a complaint with HHS: File a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.
Changes to This Notice
We reserve the right to change this Notice and to make the revised Notice effective for PHI we already have about you as well as any information we receive in the future. We will post a copy of the current Notice on our website. You may request a copy of any revised Notice by contacting the Privacy Officer.
Effective Date and Contact
This Notice is effective as of April 16, 2026.
Privacy Officer: Rob Vido
Email: privacy@olow.io
Address: olow · 10940 South Parker Road · Parker, CO 80134
Phone: Available upon email request