Effective Date: October 10, 2025

These Terms of Use (“Agreement” or “Terms”) govern access to, and use of the Care Bravo™ Autonomous Care OS™ platform and related services (the “Product” or “Services”) provided by Caryfy, LLC (“Caryfy,” “we,” “us,” or “our”). By executing an Order Form or using the Product, the entity or individual identified on an Order Form (“Customer”) agrees to be bound by these Terms.

1.DEFINITIONS

Affiliate means any entity controlling, controlled by, or under common control with a party.

BAA means the Business Associate Agreement attached as Exhibit A.

Breach has the meaning given in 45 C.F.R. § 164.402.

Business Associate has the meaning given in 45 C.F.R. § 160.103.

Covered Entity has the meaning given in 45 C.F.R. § 160.103.

Customer means the individual or entity that purchases or uses the Product under an Order Form.

Customer Data means all data, content, and information submitted to or made available through the Product by Customer or its Users, including Personal Data and, where applicable under an executed BAA, PHI.

GDPR means the General Data Protection Regulation (EU) 2016/679.

Order Form means the ordering document executed between Customer and Caryfy that references these Terms and specifies scope, fees, term, and Product levels.

Personal Data means information relating to an identified or identifiable natural person as defined under applicable law (e.g., CCPA, GDPR).

PHI means Protected Health Information as defined in 45 C.F.R. § 160.103, created, received, maintained, or transmitted by Caryfy on behalf of a Covered Entity.

Processing means any operation performed on Personal Data, whether automated or manual, including collection, storage, use, disclosure, and deletion.

Privacy Policy means the Caryfy Privacy Policy, incorporated by reference and available at the URL specified on the Order Form or Caryfy website.

Sub‑Processor means any third party engaged by Caryfy to Process Customer Data on behalf of Caryfy.

Term means the duration of Customer’s subscription as set forth in the applicable Order Form.

User means an individual authorized by Customer to use the Product, including Customer’s employees, contractors, agents, or clients.

2.LICENSE AND ACCESS

2.1 License Grant. Subject to these Terms and the Order Form, Caryfy grants Customer a limited, non-exclusive, non-transferable, revocable license to access and use the Product during the Term.

2.2 Use Restrictions. Customer shall not (and shall not permit others to):

• modify, adapt, translate, or create derivative works of the Product;
• reverse engineer, decompile, or disassemble the Product;
• use the Product to infringe third‑party rights or violate law;
• share or misuse User credentials or circumvent access controls;
• use automated scripts, bots, or scraping tools without Caryfy’s prior written consent;
• interfere with or disrupt the Product, introduce malware, or attempt unauthorized access.

2.3 Sub‑Processors. Caryfy may engage Sub‑Processors to support the Product. A current list is available upon request. For EU Customers, Caryfy will provide 30 days’ prior notice of material changes, during which Customers may object on GDPR‑based grounds. If an objection cannot be resolved, Customer may terminate the affected services.

3. CUSTOMER DATA; PRIVACY; HIPAA

3.1 Ownership. Customer retains all rights in Customer Data.

3.2 Data Processing. Caryfy will Process Customer Data solely to provide and improve the Product, comply with legal obligations, and develop analytics and AI/ML models using only de‑identified or aggregated data consistent with applicable standards (HIPAA de‑identification, CCPA, GDPR).

3.3 Security. Caryfy implements administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, disclosure, and loss.

3.4 Data Retention and Deletion. (a) US Customers: Customer may export Customer Data while the account is active. Within 30 days of termination, upon written request, Caryfy will provide client and caregiver profile data in CSV format only. Caryfy has no obligation to produce data in other formats or reconstruct data from backups. Remaining data will be deleted within 60 days, unless legally prohibited. (b) EU Customers: Customer may export Customer Data via the Product within 45 days following expiration or termination. Caryfy will delete remaining data within 90 days, except as required by law.

3.5 Goodwill Reactivation. At Caryfy’s discretion, it may temporarily reactivate an account to allow self‑export of data as a courtesy only, without creating any continuing obligation.

3.6 HIPAA Compliance and Business Associate Agreement. If Customer is a Covered Entity or Business Associate under HIPAA and requires Caryfy to create, receive, maintain, or transmit PHI, the Parties’ rights and obligations are governed by the Business Associate Agreement attached as Exhibit A (the “BAA”), which is incorporated by reference. By accepting these Terms (including via click-through) or executing an Order Form, Customer agrees to and is deemed to have executed the BAA. In any conflict between these Terms and the BAA, the BAA controls with respect to PHI and HIPAA compliance obligations.

3.7 Security Rule and Breach Notification. Caryfy shall implement safeguards compliant with 45 C.F.R. §§ 164.308–312 and shall notify Customer of any Breach of Unsecured PHI without unreasonable delay and in no event later than sixty (60) days after discovery, including the information required by 45 C.F.R. § 164.410(c). Unsuccessful security incidents (e.g., pings, blocked malware, failed log‑ins) are deemed reported by this Section; summaries are available upon request.

3.8 Subcontractors and Affiliates. Caryfy may engage subcontractors and Affiliates to perform functions or services involving access to Customer Data or PHI, provided each is bound by written obligations no less protective than those set forth herein and in the HIPAA Rules. Upon written request, Caryfy will provide a list of material subcontractors or Affiliates with access to PHI.

3.9 Interoperability and Information Blocking. Nothing in these Terms restricts lawful access, exchange, or use of Electronic Health Information under the 21st Century Cures Act and 45 C.F.R. Part 171. Caryfy will implement reasonable and appropriate measures to support such exchange and may rely on any regulatory exceptions under Part 171.

3.10 Data Processing under GDPR. Where the General Data Protection Regulation (EU 2016/679) (“GDPR”) applies, Customer acts as Data Controller and Caryfy acts as Data Processor. Caryfy shall process Personal Data only on Customer’s documented instructions, ensure persons authorized to process such data are bound by confidentiality, and implement appropriate technical and organizational measures in accordance with Article 32 GDPR. The Parties agree this Section constitutes a Data Processing Addendum as required by Article 28 GDPR.

4. FEES AND PAYMENT

4.1 Fees. Customer shall pay all fees specified in the Order Form. Unless otherwise specified, fees are non‑refundable.

4.2 Payment Terms. Payment is due upon invoice. If not received within five (5) days, Caryfy may suspend access. A $250 reactivation fee plus bank charges may apply.

4.3 Billing Disputes. Any invoice disputes must be raised in writing within thirty (30) days of receipt; Caryfy will investigate and adjust billing as appropriate.

4.4 Taxes. Fees are exclusive of taxes. Customer is responsible for all applicable taxes.

4.5 Credit Card Processing Fees. Caryfy may apply a surcharge to cover actual credit‑card processing costs, not to exceed 3% of the transaction amount.

4.6 Surcharge Policy. (a) U.S. Customers: Surcharges apply only to B2B card payments in U.S. jurisdictions that permit surcharging and will be disclosed at payment. (b) EU Customers: No surcharges on consumer transactions where prohibited under PSD2; B2B payments may incur a surcharge within these limits. (c) Network Compliance: Surcharges reflect Caryfy’s actual cost of acceptance and comply with card‑network rules, including any advance notification requirements. (d) Disclosure: Any surcharge will be clearly disclosed prior to payment, on the checkout screen or invoice.

5. CHANGES TO PRODUCT AND TERMS

5.1 Product Updates. Caryfy may add, modify, or remove Product features, functionality, or content at any time; major removals or deprecations will be communicated via release notes or the customer portal.

5.2 Terms Amendments. Caryfy may amend these Terms upon thirty (30) days’ prior notice. Continued use after the Effective Date constitutes acceptance of the amended Terms.

6. INTELLECTUAL PROPERTY

6.1 Caryfy IP. All rights in the Product, including software, trademarks, and documentation, are owned by Caryfy or its licensors.

6.2 Customer IP. Customer retains all rights in Customer Data. Caryfy is granted a limited, non‑exclusive, worldwide license to use Customer Data solely to perform and improve the Product.

6.3 AI Outputs. Customer is granted a perpetual, royalty‑free license to use AI‑generated outputs for its business purposes. Caryfy retains no ownership in such outputs but may use aggregated, de‑identified insights for lawful business purposes.

6.4 Feedback. Customer grants Caryfy a royalty‑free, perpetual license to use suggestions or feedback provided.

6.5 Trademarks. Customer grants Caryfy a non‑exclusive license to use Customer’s trademarks and logos solely to perform the Services and market integrations, subject to Customer’s brand guidelines.

7. WARRANTIES AND DISCLAIMERS

7.1 Mutual Warranties. Each party represents it has the right and authority to enter into these Terms.

7.2 Caryfy Warranty. Caryfy warrants the Product will materially conform to documentation, as unmodified by any party other than Caryfy.

7.3 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED, THE PRODUCT IS PROVIDED “AS IS” AND CARYFY DISCLAIMS ALL WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON‑INFRINGEMENT.

8. LIMITATION OF LIABILITY

8.1 Exclusion of Damages. NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS OR DATA LOSS.

8.2 General Liability Cap. EXCEPT AS PROVIDED IN SECTION 8.3, EACH PARTY’S TOTAL AGGREGATE LIABILITY UNDER THESE TERMS SHALL NOT EXCEED THE FEES PAID BY CUSTOMER DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY OR FIVE HUNDRED U.S. DOLLARS (USD $500), WHICHEVER IS GREATER.

8.3 HIPAA Breach Exception. For any Breach of Unsecured PHI resulting from Caryfy’s failure to comply with its obligations under these Terms or the HIPAA Rules, or resulting from Caryfy’s gross negligence or willful misconduct, Caryfy’s aggregate liability shall not exceed the greater of (a) the fees paid during the twelve (12) months preceding the Breach or (b) Fifty Thousand U.S. Dollars (USD $50,000). Neither Party shall be liable for regulatory fines or penalties to the extent such indemnification is prohibited by law.

8.4 Sub‑Processor Interruptions. CARYFY SHALL NOT BE LIABLE FOR SERVICE INTERRUPTIONS, DATA LOSS, RANSOMWARE ATTACKS, OR OTHER FAILURES CAUSED BY SUB‑PROCESSORS OR THIRD‑PARTY HOSTING/VENDOR SERVICES, PROVIDED THAT CARYFY USES REASONABLE COMMERCIAL EFFORTS TO MONITOR AND COORDINATE WITH SUB‑PROCESSORS.

8.5 Force Majeure. Neither party is liable for delays or failures caused by events beyond reasonable control, including natural disasters, labor disputes, or internet outages.

9. INDEMNIFICATION

9.1 By Caryfy. Caryfy will defend Customer against third‑party claims alleging that the Product infringes any U.S. patent, copyright, or trademark and will pay any final award or settlement, provided Customer gives prompt notice, reasonable cooperation, and sole control of the defense to Caryfy.

9.2 By Customer. Customer will defend Caryfy against claims arising from Customer Data, misuse of the Product, or breach of these Terms, and will pay any final award or settlement.

9.3 Third‑Party Products and Services. Customer shall indemnify, defend, and hold harmless Caryfy and its Affiliates from and against claims, damages, losses, and expenses arising out of or in connection with any third‑party products or services, including those provided by Sub‑Processors, or any invoicing activities conducted by Caryfy acting as an agent.

9.4 GDPR Indemnification. Where GDPR applies, Customer acts as Data Controller and Caryfy acts as Data Processor. Customer shall indemnify Caryfy from fines, penalties, or third‑party claims arising from Customer’s failure to comply with Controller obligations, except to the extent caused by Caryfy’s gross negligence or willful misconduct.

9.5 Survival. Indemnification obligations survive for two (2) years following termination.

10. TERM AND TERMINATION

10.1 Term. These Terms continue for the Term set forth in the Order Form.

10.2 Termination for Cause. Either party may terminate for material breach if the other party fails to cure within thirty (30) days’ written notice.

10.3 Effect of Termination. Upon termination, licenses granted herein terminate. Each party shall return or delete the other’s Confidential Information, and Caryfy will handle Customer Data in accordance with Section 3.4.

11. CONFIDENTIALITY

Each party shall protect the other’s Confidential Information with at least the same degree of care it uses for its own confidential information (but not less than reasonable care) and shall not use or disclose such information except to perform under these Terms. PHI and Customer Data are Confidential Information.

12. GOVERNING LAW AND DISPUTES; ARBITRATION

These Terms are governed by the laws of the State of Georgia, without regard to conflict‑of‑law principles. Disputes must first be submitted to mediation in Fulton County, Georgia. If unresolved within sixty (60) days, disputes will be finally resolved by binding arbitration administered by the American Arbitration Association under its rules, before a single arbitrator in Fulton County, Georgia. Arbitration is on an individual basis only, and class or representative proceedings are waived. Caryfy may seek injunctive or equitable relief in court to protect intellectual property or prevent unauthorized use. 

13. MISCELLANEOUS

13.1 Assignment. Neither party may assign these Terms without the other’s consent, except to an Affiliate or in connection with a merger, reorganization, or sale of substantially all assets, provided the assignee assumes all obligations.

13.2 Severability. If any provision is held invalid or unenforceable, the remainder remains in full force and effect.

13.3 Entire Agreement. These Terms, the Privacy Policy, the Order Form, and Exhibit A (BAA) constitute the entire agreement and supersede prior or contemporaneous agreements concerning the subject matter.

13.4 Affiliate Services. If Customer accesses services from Caryfy Affiliates the Affiliate’s terms and privacy policy govern those services. These Terms apply only to the Care Bravo™ Product.

13.5 Notices. Notices shall be sent to the addresses in the Order Form or to the email designated by each party and are deemed received when delivered by email with confirmation of receipt or by nationally recognized overnight courier.

Exhibit A

Business Associate Agreement (Care Bravo™ Platform)

This Business Associate Agreement (“Agreement”) is incorporated by reference into the Care Bravo™ Terms of Use between Caryfy, LLC (“Business Associate” or “Caryfy”) and the Customer identified in the applicable Order Form (“Covered Entity” or “Customer”). 

RECITALS

WHEREAS, the Parties have entered into the Care Bravo™  Terms of Use (the “Underlying Contract”), pursuant to which Caryfy provides certain software, platform, and related support services to the Customer;

WHEREAS, in connection with the Underlying Contract, Business Associate may receive, create, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity that is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their implementing regulations at 45 C.F.R. Parts 160 and 164;

WHEREAS, the Parties desire to comply with the Privacy Rule, Security Rule, and Breach Notification Rule under HIPAA and to set forth their respective duties and responsibilities regarding PHI; and

WHEREAS, the Parties intend that this Agreement supplement and be incorporated into the Underlying Contract, and that this Agreement shall control with respect to the use and protection of PHI.

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties agree as follows:

1. Definitions

Terms not defined here have the meanings given in 45 C.F.R. Parts 160 and 164.

1.1 Breach – The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI (45 C.F.R. § 164.402).

1.2 Electronic PHI (ePHI) – Electronic protected health information as defined in 45 C.F.R. § 160.103.

1.3 HIPAA Rules – The Privacy, Security, Breach Notification, and Enforcement Rules (45 C.F.R. Parts 160 & 164).

1.4 Individual – The person who is the subject of PHI and includes a personal representative under the Privacy Rule.    

                
1.5 Protected Health Information (PHI) – Individually identifiable health information transmitted or maintained by Caryfy on behalf of Customer, as defined in 45 C.F.R. § 160.103.

1.6 Required by Law – Has the meaning assigned in 45 C.F.R. § 164.103.

1.7 Security Incident – The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations (45 C.F.R. § 164.304).

1.8 Subcontractor – A person or entity to whom Caryfy delegates a function or service involving PHI.

1.9 Unsecured PHI – PHI not secured in accordance with guidance issued under Section 13402(h)(2) of the HITECH Act.

2. Permitted Uses and Disclosures

2.1 Services. Caryfy may use and disclose PHI solely to perform the Care Bravo™ Services described in the Underlying Contract and as permitted by this Agreement and the HIPAA Rules.

2.2 Management and Administration. Caryfy may use PHI for its own management and administration or to carry out its legal responsibilities if (a) the disclosure is Required by Law, or (b) the recipient gives reasonable assurances of confidentiality and reports any known breach.

2.3 Data Aggregation and De-Identification. Caryfy may use PHI to provide data-aggregation services and may de-identify PHI consistent with 45 C.F.R. § 164.514(a)–(c). De-identified data may be used for analytics, platform improvement, and other lawful purposes.

2.4 Minimum Necessary. Caryfy shall limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose.

3. Obligations of Caryfy

3.1 Safeguards. Caryfy shall implement administrative, physical, and technical safeguards meeting 45 C.F.R. §§ 164.308–312 to protect the confidentiality, integrity, and availability of PHI.

3.2 Subcontractors and Affiliates. Caryfy may engage subcontractors and Affiliates, including those located outside the U.S., provided each is bound by a written agreement imposing HIPAA-equivalent protections.

3.3 Mitigation. Caryfy shall mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI in violation of this Agreement.

3.4 Reporting. Caryfy shall report to Customer (a) any use or disclosure of PHI not permitted by this Agreement, (b) any Security Incident, and (c) any Breach of Unsecured PHI, in each case without unreasonable delay, and in no event later than sixty (60) days after discovery including: identities of affected Individuals; dates and description of the incident; types of PHI involved; mitigation steps taken; contact information for follow-up.

3.5 Access and Amendment. Caryfy shall provide access to and amend PHI in a Designated Record Set as directed by Customer (45 C.F.R. §§ 164.524–526).

3.6 Accounting of Disclosures. Caryfy shall document disclosures as necessary for Customer to provide an accounting under 45 C.F.R. § 164.528.

3.7 Government Access. Caryfy shall make relevant records available to HHS for purposes of determining Customer’s compliance.

3.8 Compliance with Privacy Rule. To the extent Caryfy carries out any obligation of Customer under the Privacy Rule, Caryfy shall comply with the requirements of 45 C.F.R. Part 164, Subpart E that apply to Customer in the performance of such obligation, including responding to requests for access, amendment, or accounting of PHI, applying the minimum-necessary standard, and coordinating with Customer to ensure timely fulfillment of individual rights.

3.9 Right to Audit and Verification. Upon Customer’s reasonable written request, Caryfy shall make available information reasonably necessary to demonstrate its compliance with this Agreement, which may include summaries of third-party security or compliance audits (e.g., SOC 2 Type II, HIPAA assessments) and relevant security policies. If a material Security Incident or Breach involving Customer’s PHI is suspected, Customer may, upon reasonable notice and during normal business hours, conduct a focused audit of Caryfy’s records relevant to PHI handling, provided that such audit (a) does not unreasonably interfere with Caryfy’s operations, and (b) does not compromise the confidentiality or security of other customers’ data. Caryfy shall also make such information available as necessary to assist Customer in responding to audits or inquiries by HHS or other regulatory authorities concerning HIPAA compliance.

4. Obligations of Customer

Customer shall (a) not request Caryfy to use or disclose PHI in any manner prohibited by HIPAA, (b) obtain all consents and authorizations required for Caryfy’s permitted uses, and (c) notify Caryfy of any restriction, revocation, or change affecting PHI use or disclosure.

5. Term and Termination

5.1 Term. This Agreement begins on the Effective Date of the Underlying Contract and continues until all PHI is returned or destroyed.

5.2 Termination for Cause. Either Party may terminate upon written notice if the other materially breaches this Agreement and fails to cure within thirty (30) days.

5.3 Effect of Termination. 

(a) Upon termination of this Agreement for any reason, Caryfy shall promptly return to Customer or, if agreed to by Customer, destroy all PHI that Caryfy maintains in any form, and shall require any subcontractors or affiliates to do the same.

(b) If Caryfy determines that return or destruction is infeasible, Caryfy shall (i) extend the protections of this Agreement to the retained PHI, (ii) limit further use or disclosure of such PHI to those purposes that make return or destruction infeasible, and (iii) destroy the PHI as soon as the reason for retention no longer applies.

(c) For clarity, data return and destruction conducted in accordance with Section 3.4 (Data Retention and Deletion) of the Caryfy Terms of Use shall be deemed to satisfy this Section with respect to PHI, provided that Caryfy certifies destruction upon Customer’s written request.

(d) All protections, restrictions, and obligations under this Agreement shall remain in effect with respect to any PHI retained pursuant to this Section until such PHI is destroyed.

5.4 Survival. Sections 3, 5.3, 6, and 7 survive termination.

6. Indemnification

6.1 By Caryfy. In the event of conflict, this Section shall control with respect to any claim arising from the use, disclosure, or safeguarding of PHI. Caryfy shall indemnify and hold harmless Customer from third-party claims, damages, or losses arising from Caryfy’s (a) breach of this Agreement, (b) violation of the HIPAA Rules, or (c) gross negligence or willful misconduct, subject to Section 7.

6.2 By Customer. Customer shall indemnify and hold harmless Caryfy from claims or losses arising from Customer’s breach of this Agreement or violation of HIPAA Rules, except to the extent caused by Caryfy’s gross negligence or willful misconduct.

THIS INDEMNIFICATION OBLIGATION IS IN ADDITION TO, AND NOT IN LIMITATION OF, THE INDEMNIFICATION OBLIGATIONS SET FORTH IN THE CARE BRAVO™  TERMS OF USE.

7. Miscellaneous

7.1 Amendment. The Parties shall amend this Agreement as necessary to comply with changes in the HIPAA Rules.

7.2 Conflict. The terms of this Agreement shall prevail in the case of any conflict with the terms of any Underlying Contract to the extent and only to the extent of the conflict and only to the extent that it is reasonably impossible to comply with both the terms of the Underlying Contract and the terms of this Agreement.

7.3 Assignment. Neither Party may assign this Agreement without the other’s written consent, except to an Affiliate or successor in interest assuming all obligations.

7.4 Notices. All notices under this Agreement must be in writing and delivered (a) by email to the notice addresses specified in the applicable Order Form (or as updated in writing by a Party), (b) via the Customer portal/administrative console where expressly permitted for operational notices, or (c) by nationally recognized overnight courier. Notices are deemed given: (i) for email, when sent with confirmation of transmission and no bounce-back or system error is received; (ii) for portal postings/messages, when posted to the Customer’s designated administrative account; and (iii) for courier, upon documented delivery. Each Party is responsible for keeping its notice contact information current. Breach and Security Incident notices to Customer shall be sent by email to Customer’s designated privacy/security contact(s) listed in the Order Form (with a copy to legal, if provided) and may also be posted in the Customer portal. Either Party may update its notice details by notice given in accordance with this Section.

7.5 Governing Law. This Agreement is governed by the laws of the State of Georgia and shall be enforceable in the courts of the State of Georgia, or in the Atlanta Division of the U.S. District Court for the Northern District of Georgia. The Parties irrevocably submit to the exclusive jurisdiction of such courts.

7.6 Counterparts. This Agreement is accepted electronically through Customer’s acceptance of the Care Bravo™ Terms of Use and does not require separate physical or digital signatures to be valid and enforceable under applicable electronic signature laws (including the U.S. E-SIGN Act and state UETA statutes).

7.7 No Third-Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.