Notice of Privacy Practices

NexGenHealth LLC is committed to safeguarding your protected health information and ensuring you understand your rights under HIPAA.

Effective Date: April 8, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. About NexGenHealth LLC

NexGenHealth LLC ("NexGenHealth," "we," "our," or "us") operates the NexGenHealth.io platform — a HIPAA-aware, cloud-based health platform accessible at https://nexgenhealth.io. The platform provides users with meal planning, health data tracking, medical record processing, AI-powered health analysis, and subscription-based wellness services.

As a covered entity or business associate subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, NexGenHealth is required by law to maintain the privacy of your Protected Health Information (PHI), provide you with this Notice of our legal duties and privacy practices, and notify you following a breach of your unsecured PHI.

We are required to abide by the terms of this Notice while it is in effect. We reserve the right to change the terms of this Notice at any time, provided the changes are permitted by applicable law. When we make a material change to this Notice, we will post the revised Notice on our website and make it available upon request.

2. What Is Protected Health Information?

Protected Health Information (PHI) is individually identifiable health information that we create, receive, maintain, or transmit in any form — electronic, paper, or oral. PHI includes information that relates to your past, present, or future physical or mental health condition; the provision of health care to you; or the past, present, or future payment for health care.

Under the HIPAA Safe Harbor de-identification standard (45 CFR §164.514(b)(2)), the following categories of information are identifiers: when linked to health data they make that data PHI, and they must be removed before the data can be treated as de-identified under that standard:

  • Names and geographic data smaller than a state
  • Dates (other than year) directly related to you, such as birth, admission, discharge, and death dates
  • Telephone and fax numbers
  • Email addresses and URLs
  • Social Security Numbers and medical record numbers
  • Health plan beneficiary numbers and account numbers
  • Certificate and license numbers
  • Vehicle identifiers and device identifiers or serial numbers
  • IP addresses and biometric identifiers
  • Full-face photographs and comparable images
  • Ages over 89 and any other unique identifying numbers or characteristics

On the NexGenHealth.io platform, PHI may include medical records you upload for AI-powered analysis, health conditions and diagnoses you enter, medications and treatment information, and biometric or nutritional data linked to your identity.

3. How We May Use and Disclose Your PHI

3.1 Treatment

We may use and disclose your PHI to provide, coordinate, or manage your health care and related services. For example, we may use your health information to generate AI-powered meal plans and nutritional recommendations tailored to your medical conditions, or disclose relevant information to a healthcare provider you designate through the platform.

3.2 Payment

We may use and disclose your PHI to the extent necessary to obtain payment for services we provide to you. This may include verifying subscription eligibility, processing billing transactions, and responding to payment-related inquiries. Payment processing is handled exclusively through our Stripe integration; see Section 3.6 regarding information Stripe does and does not receive.

3.3 Health Care Operations

We may use and disclose your PHI for our health care operations, which include activities necessary to run our platform and maintain the quality and security of our services. Examples include quality assessment and improvement activities, evaluating platform performance, creating de-identified data (which we then use to train and improve our AI models, as described in Section 4), conducting internal audits, and meeting our HIPAA compliance obligations.

3.4 Other Permitted Uses and Disclosures Without Your Authorization

In addition to Treatment, Payment, and Operations, we may use or disclose your PHI without your written authorization in certain circumstances permitted or required by law, including:

  • As required by law: To comply with federal, state, or local laws, including court orders, subpoenas, or administrative requests
  • Public health activities: To public health authorities for disease reporting, vital statistics, or other public health purposes authorized by law
  • Health oversight activities: To government agencies for audits, investigations, inspections, or licensure purposes related to the health care system
  • Serious threats to health or safety: To prevent or lessen a serious and imminent threat to the health or safety of a person or the public
  • Law enforcement: To law enforcement officials under specific circumstances defined by HIPAA, such as to identify or locate a suspect or to report a crime
  • Business associates: To vendors and service providers (business associates) who perform functions on our behalf under written Business Associate Agreements that require them to safeguard your PHI
  • Decedents: To coroners, medical examiners, or funeral directors as authorized by law

3.5 Uses and Disclosures Requiring Your Written Authorization

We will not use or disclose your PHI for any purpose other than those described in this Notice without your written authorization, except as required by law. Uses and disclosures that require your authorization include:

  • Most uses and disclosures of psychotherapy notes
  • Uses and disclosures of PHI for marketing purposes
  • Sale of PHI
  • Any other use or disclosure not described in this Notice

You may revoke an authorization at any time in writing, except to the extent that we have already taken action in reliance on the authorization.

3.6 Services That Do Not Receive Your PHI — Stripe and Twilio

Stripe (Payment Processing): NexGenHealth uses Stripe for subscription billing and payment processing. Stripe receives only the information necessary to process your payment transaction — such as your name, billing address, and payment card details. Stripe does not receive your medical records, health conditions, diagnoses, or any other health-related PHI. Your financial information is governed by Stripe's own Privacy Policy and PCI-DSS compliance program.

Twilio (SMS Notifications): NexGenHealth uses Twilio to send SMS notifications, such as meal sharing confirmations. Twilio receives your phone number and the text content of the message being sent. We do not transmit medical records, diagnoses, or detailed health data through Twilio SMS messages. Message content is limited to functional notifications and does not include sensitive PHI.

4. De-identification of Your Health Information

NexGenHealth operates a PHI scrubbing pipeline that processes medical records you upload to the platform. This pipeline applies automated de-identification to remove or transform the 18 Safe Harbor identifiers specified under 45 CFR §164.514(b)(2) before your health data is used for AI analysis, research, or platform improvement purposes.

Our de-identification approach includes:

  • Automated Named Entity Recognition (NER): A clinical NLP model identifies and redacts names, locations, contact information, identifiers, and other PHI categories from uploaded documents
  • Pattern-based scrubbing: Regular expression and heuristic patterns detect and remove structured identifiers such as Social Security Numbers, phone numbers, account numbers, and device identifiers
  • Ages over 89: In accordance with 45 CFR §164.514(b)(2)(i)(C), ages greater than 89 are replaced with the category "90+" rather than preserved or redacted entirely
  • Dates — Expert Determination: Dates (including admission dates, discharge dates, and dates of service) are retained in de-identified output pursuant to an Expert Determination analysis under 45 CFR §164.514(b)(1) (see ADR-003). Our determination concludes that dates alone, absent other identifying information, do not create a reasonable basis to believe that the information could be used to identify an individual. This determination is documented and is available from our Privacy Officer upon request
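The pattern-based and age-bucketing steps above can be illustrated with a small scrubber. The code below is an added example written for this page; it is not NexGenHealth's pipeline, and the rule names, placeholder labels, sample record and function names are this example's own assumptions. It covers only the regular-expression layer and the "90+" age category; the clinical NER model that handles names and free-text locations is not included, and dates are passed through unchanged to mirror the Expert Determination choice described above (under Safe Harbor alone, dates other than year would also have to be removed).

```python
import re
from typing import Dict, List, Tuple

# Pattern-based layer only: structured identifiers that regular expressions can
# find reliably. Free-text names, addresses and employers are left to an NER
# model, which this example does not include. Rule order matters: SSN and MRN
# run before PHONE so a digit run is never mistaken for a partial phone number,
# and URL runs before PHONE so digits inside a URL are consumed by the URL rule.
# Placeholder labels in brackets are this example's own choice.
IDENTIFIER_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("SSN",     re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN",     re.compile(r"\b(?:MRN|medical record (?:no|number)\.?)[:#\s]*\d{6,10}\b", re.I)),
    ("ACCOUNT", re.compile(r"\b(?:acct|account)\s*(?:no|number|#)?\.?[:\s]*\d{6,12}\b", re.I)),
    ("EMAIL",   re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL",     re.compile(r"\bhttps?://\S+")),
    ("IP",      re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE",   re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")),
    # Device/serial: a keyword, then a token of 5+ chars that contains a digit.
    ("DEVICE",  re.compile(r"\b(?:serial|S/N|SN)[:#\s-]*(?=[A-Z0-9-]*\d)[A-Z0-9-]{5,}\b", re.I)),
]

# Ages over 89 are not redacted but collapsed into the single "90+" category,
# as 45 CFR 164.514(b)(2)(i)(C) permits. Both rules expose a "prefix" group
# (possibly empty) and an "age" group so one callback serves both.
AGE_RULES = [
    re.compile(r"\b(?P<prefix>aged?:?\s*)(?P<age>\d{1,3})\b", re.I),        # "Age: 94", "aged 94"
    re.compile(r"\b(?P<prefix>)(?P<age>\d{1,3})"
               r"(?=\s*-?\s*(?:years?[\s-]*old|y/o\b|yo\b))", re.I),         # "94-year-old", "94 y/o"
]

# Residual scan run after scrubbing. It is a sanity check, not proof of
# de-identification: it catches long digit runs and e-mail shapes that every
# rule above missed, never a name.
RESIDUAL = re.compile(r"\b\d{7,}\b|[\w.+-]+@[\w-]+\.\w+")


def scrub_record(text: str) -> Tuple[str, Dict[str, int]]:
    """Apply the identifier rules, then age bucketing.

    Dates are deliberately left untouched, mirroring the Notice's Expert
    Determination choice. Returns the scrubbed text and per-category hit counts.
    """
    counts: Dict[str, int] = {}
    for label, pattern in IDENTIFIER_RULES:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = counts.get(label, 0) + n

    def bucket(m: "re.Match[str]") -> str:
        if int(m.group("age")) > 89:
            counts["AGE_90_PLUS"] = counts.get("AGE_90_PLUS", 0) + 1
            return m.group("prefix") + "90+"
        return m.group(0)  # ages 89 and under are not identifiers; keep as-is

    for pattern in AGE_RULES:
        text = pattern.sub(bucket, text)
    return text, counts


def residual_identifiers(text: str) -> List[str]:
    """Tokens that still look like structured identifiers after scrubbing."""
    return RESIDUAL.findall(text)


# Constructed sample record for this example; every value is fictional.
SAMPLE_RECORD = """\
Patient: John Q. Public, MRN 00482913, Age: 94
Phone: (555) 867-5309  Email: jqpublic@example.com  SSN: 123-45-6789
Admitted 2024-11-02, discharged 2024-11-05. 94-year-old male, type 2 diabetes.
Spouse (age 71) present. Glucose meter serial SN-7788AB; last sync from 203.0.113.42.
Portal: https://portal.example.com/p/00482913"""

if __name__ == "__main__":
    scrubbed, hits = scrub_record(SAMPLE_RECORD)
    print(scrubbed)
    print(hits)
    print("residual:", residual_identifiers(scrubbed))
    # The patient's name survives this layer: removing it is the NER model's job.
```

Two points the run makes visible: the spouse's age of 71 is left alone while both occurrences of 94 become "90+", and the admission and discharge dates pass through untouched, so whether the output is de-identified rests entirely on the Expert Determination, not on the regular expressions. A residual scan of this kind belongs in any such pipeline, but an empty result only means the structured patterns were caught; names and narrative identifiers still need the NER step and review.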

De-identified information is no longer considered PHI under HIPAA and may be used or disclosed for any purpose, including research, analytics, and platform improvement. De-identification does not affect how we handle your identifiable PHI as described elsewhere in this Notice.

5. Your Rights Regarding Your PHI

You have the following rights with respect to your PHI. To exercise any of these rights, submit a written request to our Privacy Officer using the contact information in Section 9. We will not charge you for exercising your rights, though reasonable cost-based fees may apply in limited circumstances as permitted by law.

5.1 Right to Access and Inspect Your PHI

You have the right to inspect and obtain a copy of PHI that NexGenHealth maintains about you in a designated record set. We will provide access or copies within 30 days of receiving your written request (with one 30-day extension if we notify you in writing). We may provide PHI in electronic form if you request it and it is readily producible. We may deny access in limited circumstances permitted by law, and you may request that the denial be reviewed.

5.2 Right to Request Amendment

You have the right to request that we amend PHI about you that you believe is inaccurate or incomplete. We will respond to your request within 60 days (with one 30-day extension if we notify you in writing). We may deny your request if we determine the information is accurate and complete, was not created by us, is not part of a designated record set, or is not available for your inspection under applicable law. If we deny your request, you have the right to submit a written statement of disagreement.

5.3 Right to Request Restrictions on Use and Disclosure

You have the right to request restrictions on how we use or disclose your PHI for Treatment, Payment, or Health Care Operations. You also have the right to request that we restrict disclosure of your PHI to a health plan for payment or operations purposes when you have paid out of pocket in full for the item or service. We are not required to agree to other requested restrictions, but if we do agree, we will comply with that restriction (except in an emergency). We will notify you of our decision in writing.

5.4 Right to Request Confidential Communications

You have the right to request that we communicate with you about your PHI by alternative means or at an alternative location (for example, by email rather than postal mail, or only at a specific phone number). We will accommodate reasonable requests. Your request must be submitted in writing and must specify the alternative means or location you prefer.

5.5 Right to an Accounting of Disclosures

You have the right to request a list ("accounting") of certain disclosures we have made of your PHI during the six years prior to your request. This accounting right does not apply to disclosures made for Treatment, Payment, or Health Care Operations; disclosures made to you; disclosures authorized by you; or certain other disclosures permitted by law. We will provide the accounting within 60 days of your written request. The first accounting in any 12-month period is free; we may charge a reasonable fee for subsequent requests in the same period after notifying you of the cost.

5.6 Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice of Privacy Practices at any time, even if you have agreed to receive it electronically. To request a paper copy, contact our Privacy Officer using the information in Section 9.

5.7 Right to Breach Notification

You have the right to be notified if a breach of your unsecured PHI occurs. In the event of a breach, we will notify you without unreasonable delay and no later than 60 calendar days after we discover the breach. Notice will be provided by first-class mail to your last known address, or by email if you have previously agreed to receive communications electronically. If the breach affects more than 500 residents of a state or jurisdiction, we will also notify prominent media outlets serving that area. Breaches affecting 500 or more individuals are reported to the Secretary of the U.S. Department of Health and Human Services (HHS) at the same time you are notified; breaches affecting fewer than 500 individuals are reported to HHS annually, as the law requires.

6. Our Legal Duties

  • We are required by law to maintain the privacy and security of your PHI
  • We are required to provide you with this Notice of our legal duties and privacy practices
  • We are required to notify you following a breach of your unsecured PHI
  • We are required to follow the terms of this Notice while it is in effect
  • We must abide by any restrictions we agree to at your request
  • We must obtain your written authorization before using or disclosing your PHI for purposes other than those described in this Notice (except as required by law)
  • We may not use or disclose your PHI in a manner that is not described in this Notice without your written authorization
  • We have the right to change our privacy practices and the terms of this Notice, subject to applicable law. Changes will apply to all PHI we maintain, including information created or received before the change

7. How to Exercise Your Rights or File a Complaint

To exercise any of your rights described in Section 5, or to ask questions about this Notice, contact our Privacy Officer:

Privacy Officer — NexGenHealth LLC

Name: Robert (Privacy Officer)

Organization: NexGenHealth LLC

Platform: https://nexgenhealth.io

Email: [PRIVACY_CONTACT_EMAIL]

All requests must be submitted in writing. We will respond to your request within the timeframes specified for each right in Section 5. We will not retaliate against you for exercising any of your rights under this Notice or under HIPAA.

Filing a Complaint

If you believe your privacy rights have been violated, you may file a complaint with NexGenHealth LLC using the contact information above, or directly with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR):

U.S. Department of Health and Human Services — Office for Civil Rights

Website: https://www.hhs.gov/ocr/privacy/hipaa/complaints/

Phone: 1-800-368-1019 (TDD: 1-800-537-7697)

Fax: 1-202-619-3818

Mail: U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201

Complaints to HHS OCR must be filed within 180 days of when you knew or should have known that the act or omission complained of occurred. HHS may extend this deadline for good cause. You will not be penalized or retaliated against for filing a complaint with HHS OCR.

8. State Law

In some cases, state laws may provide stronger privacy protections for certain categories of health information than HIPAA. Where state law is more stringent than HIPAA, we will comply with the more protective state law. Categories of information that may be subject to heightened protection under applicable state laws include mental health records, substance use disorder treatment records, HIV/AIDS status, genetic information, and reproductive health information.

If you have questions about how state law applies to your health information, contact our Privacy Officer using the information provided in Section 7.

Effective Date: April 8, 2026. This Notice replaces any prior Notice of Privacy Practices issued by NexGenHealth LLC. We reserve the right to revise this Notice. Any revised Notice will be posted on our website and made available upon request.
