PRIVACY POLICY AND HIPAA NOTICE OF PRIVACY PRACTICES

Effective: April 27, 2026 · Last updated: April 27, 2026

This Privacy Policy describes how Aidaly Care Management Services Group LLC ("Aidaly," "we," "our," or "us") collects, uses, shares, and protects information when you use Aidaly Academy (the "Service"). It also includes our HIPAA Notice of Privacy Practices, which describes how we use and disclose Protected Health Information.

Aidaly operates as both a HIPAA Covered Entity (as a home health agency providing direct care) and a HIPAA Business Associate (when providing software and operational services to other covered entities). This Privacy Policy applies to both roles.

1. Information we collect

Information you provide directly

• Account information: Your name, email address, phone number, role (caregiver, registered nurse, supervisor, administrator), state of residence, and employment relationship with Aidaly or an affiliated home health agency.
• Authentication information: Password (stored in hashed form, never in plain text) or, if you sign in via Google, the identity token returned by Google's authentication service.
• Professional credentials: Where applicable, your professional license number, expiration date, and license-issuing state.
• Training content you submit: Knowledge check answers, reflection responses, on-site validation observations, and any photos or notes captured during on-site validation.

Information collected automatically

• Engagement data: The training modules and screens you view, time spent on each, completion status, quiz results, and the timestamps of these activities.
• Device and connection information: IP address, browser type, operating system, device identifier, and approximate location (derived from IP address).
• Audit logs: Authentication events (sign-in, sign-out, failed attempts), security-relevant actions, and administrative changes.

Information from third parties

• Identity providers: If you sign in with Google, we receive your name, email address, and a unique identifier from Google.
• Affiliated home health agencies: Your employment status, role, market assignment, and other operational information needed to grant you appropriate access.

2. How we use information

We use the information we collect to:

• Authenticate you and grant access to the Service;
• Deliver training content appropriate to your role, state, and assignment;
• Track training completion and generate Acknowledgments of Completion;
• Document on-site clinical validations performed by registered nurses;
• Support training-program quality improvement;
• Comply with regulatory recordkeeping obligations under federal and state law (HIPAA, Florida Administrative Code Rule 59A-8.0099, state Medicaid programs, and similar requirements in other states);
• Generate reports required by state agencies (such as the Florida Agency for Health Care Administration);
• Respond to your requests, questions, and support inquiries;
• Detect and prevent fraud, abuse, security incidents, and unauthorized access;
• Improve the Service, including identifying confusing content and refining the curriculum.

3. HIPAA Notice of Privacy Practices

This section describes how Protected Health Information ("PHI") about you may be used and disclosed and how you can get access to this information. Please review it carefully.

What is PHI?

PHI is information about you, including demographic information, that may identify you and that relates to your past, present, or future physical or mental health condition and related health care services. In the context of Aidaly Academy, PHI may include caregiver training records when those records are linked to specific patients and on-site validation observations performed at a patient's home.

How we may use and disclose PHI

For treatment. We may use and disclose PHI to provide, coordinate, or manage your health care and related services. For example, a registered nurse supervising a caregiver may review the caregiver's training history when planning patient care.

For payment. We may use and disclose PHI to obtain payment for services, including documenting that caregiver qualifications meet Medicaid requirements for reimbursement.

For health care operations. We may use and disclose PHI for activities necessary to operate Aidaly, including quality assessment, training program evaluation, credentialing, and accreditation.

As required by law. We will disclose PHI when required by federal, state, or local law, including reports to the Florida Agency for Health Care Administration and similar agencies in other states.

For public health activities. We may disclose PHI for public health activities, including reporting communicable diseases, child abuse or neglect, and adverse events.

To business associates. We may share PHI with vendors who help us operate the Service (such as cloud hosting providers and database services), but only under written Business Associate Agreements that require them to safeguard PHI.

Other uses and disclosures not described above will be made only with your written authorization, and you may revoke that authorization at any time except to the extent we have already acted in reliance on it.

Your rights regarding PHI

You have the following rights with respect to your PHI:

• Right to inspect and copy your PHI in our designated record set;
• Right to request amendment of PHI you believe is inaccurate or incomplete;
• Right to an accounting of disclosures made for purposes other than treatment, payment, or health care operations;
• Right to request restrictions on certain uses and disclosures (we are not required to agree to all requested restrictions);
• Right to request confidential communications by alternative means or at alternative locations;
• Right to a paper copy of this notice, even if you have agreed to receive it electronically; and
• Right to be notified if there is a breach of your unsecured PHI.

To exercise any of these rights, contact our Privacy Officer at privacy@aidaly.com.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with us at privacy@aidaly.com or with the U.S. Department of Health and Human Services, Office for Civil Rights at https://www.hhs.gov/ocr/. We will not retaliate against you for filing a complaint.

4. How we share information

We share information in the following circumstances:

• With your employer or affiliated home health agency: Your training records, completion status, and on-site validation documentation are shared with the agency that employs or contracts with you, as needed for compliance.
• With service providers and business associates: Cloud hosting (Amazon Web Services), database services (MongoDB Atlas), authentication providers (Google, when you choose Google sign-in), and similar vendors that help us operate the Service. All such providers are bound by Business Associate Agreements where they may handle PHI.
• With state and federal regulators: When required by law, including reports to state Medicaid programs and Agencies for Health Care Administration.
• In legal proceedings: In response to a valid subpoena, court order, or as otherwise required by law.
• In a business transition: If Aidaly is acquired, merges, or sells assets, your information may transfer to the successor entity, subject to this Privacy Policy and applicable law.

We do not sell personal information. We do not share your information with advertisers or data brokers.

5. Data retention

We retain training records, completions, and on-site validation documentation for at least seven years from the date of completion, as required by Florida Administrative Code Rule 59A-8.0099 and similar regulations in other states. Some records may be retained longer to comply with HIPAA, state Medicaid program rules, or pending legal matters.

Account information is retained for as long as your account is active and for a reasonable period afterward to support recordkeeping and audit purposes.

6. Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

• Encryption of data in transit (TLS) and at rest (industry-standard encryption);
• Role-based access controls so users see only the information they need;
• Authentication via password (hashed with bcrypt) and, where enabled, multi-factor or single sign-on;
• Logging of authentication events and security-relevant actions;
• Regular review of vendor security practices and Business Associate Agreements;
• Training of Aidaly personnel on HIPAA and information security.

No security measure is perfect. If we discover a breach affecting your unsecured PHI, we will notify you as required by HIPAA and applicable state law.

7. Your choices and rights

Depending on your state, you may have additional rights under state law (such as the California Consumer Privacy Act, Colorado Privacy Act, or similar laws). These may include:

• The right to know what personal information we collect about you;
• The right to request deletion of your personal information, subject to retention requirements above;
• The right to correct inaccurate personal information;
• The right to opt out of certain types of processing (note: we do not sell personal information or use it for targeted advertising).

To exercise any of these rights, contact privacy@aidaly.com. We will respond within the timeframe required by applicable law.

8. Children's privacy

Aidaly Academy is designed for caregivers, registered nurses, supervisors, and administrative staff who are at least 18 years old. We do not knowingly collect information directly from children under 13. Aidaly's caregivers may provide care to medically fragile children, and information about those children that is processed through the Service in connection with caregiver training and supervision is treated as PHI under HIPAA and handled in accordance with this Privacy Policy.

9. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email, through the Service, or by another reasonable means at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised.