Privacy Policy
Version 1.3
Last updated: April 24, 2026
Please read this Privacy Policy carefully to understand how we collect, use, disclose, retain, and protect your personal and health information.
1. Introduction
CAREBRIDGE VITAL NEXUS LTD. ("we," "us," or "our") operates a platform that connects patients with healthcare providers and treatment packages for medical travel and care coordination. We are committed to protecting your privacy and handling your personal and health information responsibly.
This Privacy Policy describes how we collect, use, disclose, and retain personal information when you use our websites, mobile applications, and related services (collectively, the "Platform"). The policy applies to all users of our Platform, including:
- Patients — individuals seeking medical treatments or consultations
- Providers — healthcare facilities, clinics, doctors, and local affiliates who offer services through our Platform
- Administrators — our staff who operate and maintain the Platform
Scope. This Privacy Policy applies to your use of the Platform regardless of where you are located. Depending on your country or region of residence, supplemental privacy notices or regional supplements may apply. Our practices are subject to applicable laws, including Taiwan's Personal Data Protection Act (PDPA, 個人資料保護法), Hong Kong's Personal Data (Privacy) Ordinance (PDPO), and other regional laws described in Section 9.
Geographic scope. The Platform is not offered to, and not intended for, residents of the European Economic Area (EEA), the United Kingdom, or Switzerland. Registration from these regions is restricted. If you are located in one of these regions, please do not submit personal information through the Platform.
Taiwan. If you are located in Taiwan, Section 9.1 applies in addition to the rest of this Policy. That section describes cross-border transfer (跨境傳輸) of sensitive personal data, including health and medical information, and how any standalone Cross-Border Personal Data Transfer Consent presented during registration works together with this Policy.
By creating an account, using our services, or otherwise accessing the Platform, you acknowledge that you have read and understood this Privacy Policy.
2. Medical and Health Information
2.1 Distinction Between General Personal Information and Medical Information
We collect both general personal information and, in some cases, Medical Information subject to stricter protections under applicable law.
- Medical Information (醫療資訊) includes medical records, diagnoses, treatment history, symptoms, prescription information, communications with healthcare providers for treatment purposes, and other information you provide specifically for medical or clinical purposes. Under Taiwan's PDPA, such information is treated as sensitive personal data (特種個資) and is subject to heightened protection.
- General personal information (一般個人資訊) includes account details, contact information, payment data, and usage information that is not directly related to your medical care.
2.2 Our Role and Responsibilities
We act as a data processor or handler of Medical Information on behalf of, and at the direction of, the healthcare providers you interact with through our Platform. Providers that receive your Medical Information through the Platform remain subject to their own professional and legal obligations (including, for Taiwan providers, Taiwan's 醫療法 and related medical professional codes). We encourage you to review each provider's own privacy notice when engaging with them.
We do not use Medical Information for advertising or marketing. Where permitted by law, we may use de-identified or aggregated data for analytics, research, and platform improvement. De-identification (去識別化) is performed such that the data can no longer reasonably be linked to an identified individual; where data is only pseudonymized (i.e., direct identifiers replaced with a key), we continue to treat it as personal data subject to full protection.
2.3 AI Processing and Medical Information
We do not transmit Medical Information to third-party AI or machine learning providers for model training. Where AI features process health-related data (e.g., provider matching, treatment recommendations), such processing is performed using: (a) on-platform models operating within our secured infrastructure, or (b) contractually bound third-party providers (such as AWS Bedrock) operating under data processing agreements that prohibit use of your data for model training or any purpose other than performing the requested service. All AI inputs containing Medical Information are encrypted in transit and at rest. AI inputs and outputs containing Medical Information are retained in accordance with the medical record retention requirements described in Section 6.
3. Personal Information We Collect
We collect personal information from different sources and in various ways, depending on how you use the Platform and your role (patient, provider, or admin).
3.1 Methods of Collection
We collect personal information through:
| Method | Description | Examples |
|---|---|---|
| Direct (user-submitted) | Information you voluntarily provide when using the Platform | Account registration forms, profile updates, medical record uploads, booking requests, support tickets, reviews |
| Automatic (device & usage) | Information collected automatically when you use our website or app | Location (GPS, IP), device identifiers, pages viewed, clicks, session duration |
| Cookies and similar technologies | Small files and technologies stored on your device or browser | Session cookies, preference cookies, analytics cookies, web beacons/pixels (see Section 10) |
| Third-party integrations | Information received when you connect accounts or use integrated services | Social login (Google, Facebook), payment processors, analytics providers |
| From other users | Information shared by others with your consent or as necessary for services | Provider-to-affiliate patient info sharing, referral submissions |
3.2 Information You Provide Directly
| Data Category | Description | User Types |
|---|---|---|
| Account & Contact Information | Name, email address, phone number, date of birth, profile photo, preferred language(s) | All |
| Identity Verification | Government-issued ID (e.g., passport, driver's license) | Patients, Providers |
| Health & Medical Information | Medical history, symptoms, diagnoses, treatment preferences, pre-screening responses, medical records and documents (e.g., scans, lab reports) that you upload | Patients |
| Provider Credentials & Business Information | Credentials, specialties, licenses, facility details, accreditations, treatment offerings, local affiliate partnerships | Providers |
| Payment Information | Payment method details (credit card, PayPal, bank account), billing address, transaction history | Patients, Providers |
| Communications | Text-based messages, chat content, support correspondence | All |
| Reviews & Feedback | Ratings and written reviews of providers, treatments, or experiences | Patients, Providers |
We do not record voice or video calls on the Platform.
3.3 Information Collected When You Use the Platform
| Data Category | Description |
|---|---|
| Location Data | Precise or approximate location from your device (IP address, GPS) when you use the app or website, including for search, bookings, and travel planning |
| Usage Data (Behavioral) | Pages viewed, searches, bookings made, appointments scheduled, features used, time spent, browsing and interaction patterns, and interactions with AI features (e.g., matching, translation). Used for service improvement, analytics, and (where consented) personalized recommendations. |
| Device Information | Device type, operating system, browser, unique identifiers, crash data, language settings |
| Appointment & Booking Data | Appointment requests, preferred/alternative time slots, dossier submissions, communication channel preferences (e.g., LINE, WhatsApp) |
3.4 Information from Other Sources
We may receive personal information from:
- Other users — e.g., when a provider shares patient information (with consent) with a local affiliate for coordinated care
- Third-party services — identity verification providers, payment processors, social login (e.g., Google, Facebook)
- Referrals — when you are referred to the Platform by another user or organization
4. How We Use Personal Information
We use personal information for the purposes described below. Where we rely on legal bases under applicable privacy laws, we process data based on contract performance, consent, our legitimate business interests (where permitted by applicable law), or legal obligation.
| Purpose | Data Used | Legal Basis (where applicable) |
|---|---|---|
| Provide the Platform | Account, contact, health (as needed), payment, booking, location | Contract |
| User registration and secure login | Account, identity verification | Contract, Consent |
| Hospital/doctor search and treatment matching | Preferences, location, medical history (with consent), usage | Contract, Consent |
| Appointment scheduling | Booking preferences, contact info, calendar data, communication channel preferences | Contract |
| Cost estimation and payments | Payment info, transaction details | Contract |
| Medical records storage and sharing | Health data, documents, sharing permissions | Contract, Consent |
| AI matching and recommendations | Medical history, preferences, budget, location | Consent, Business interest |
| Multilingual translation | Text communications, documents | Contract |
| Travel and accommodation planning | Location, itinerary, preferences | Contract |
| In-app messaging and follow-up | Text communications, symptom reports, files | Contract |
| Fraud detection and security | Account, identity, usage, device | Business interest, Legal obligation |
| Customer support | All relevant data to resolve inquiries | Contract |
| Research and development | Aggregated, de-identified data | Business interest |
| Service improvement | Usage data, feedback, crash reports, aggregated analytics | Business interest |
| Marketing and communications | Contact info, preferences, usage patterns (not Medical Information). Includes promotional emails, in-app messages, and (where opted in) personalized offers. | Consent |
4.1 Automated Processes
We use algorithms and automated processes for:
- Matching — Suggesting providers, treatments, or local affiliates based on your inputs and preferences
- Pricing — Calculating cost estimates and payment amounts
- Fraud prevention — Detecting fake profiles, unauthorized access, and suspicious activity
- Translation — AI-driven real-time translation of interfaces, chats, and documents
Your rights regarding automated decisions. Where an automated process produces a decision that meaningfully affects you (e.g., denial of a service, eligibility determination), you have the right to: (a) receive a general explanation of how the decision was made, (b) express your point of view, and (c) request human review of the decision. To exercise these rights, contact us using the information in Section 13.
5. Data Sharing and Disclosure
We share personal information only as described below and in accordance with applicable law.
5.1 With Other Users (as necessary for services)
| Recipient | Data Shared | Purpose |
|---|---|---|
| Providers | Patient profile, medical records (with consent), booking details, contact info | To facilitate appointments, treatment, and care coordination |
| Local affiliates | Patient info (consent-based), appointment details | To coordinate pre- and post-procedure care |
| Patients | Provider profile, ratings, treatment offerings | To enable search, comparison, and booking |
5.2 With Service Providers
We share personal information with the following categories of third parties. Each category receives only the data necessary for the stated purpose:
| Category | Data Shared | Purpose (Why) |
|---|---|---|
| Payment processors | Payment method details, transaction amounts, billing address | To process payments, refunds, and subscription billing |
| Cloud and infrastructure providers | All data necessary to host and operate the Platform | To store data securely and deliver our services |
| Identity verification and fraud detection services | Name, date of birth, government ID, device info | To verify identity, prevent fraud, and comply with Know Your Customer (KYC) requirements |
| AI and machine learning providers | Text communications, documents (for translation); preferences, usage (for matching). Medical Information is never shared for model training (see Section 2.3). | To power translation, matching, and recommendation features |
| Analytics providers | Usage data, device identifiers, IP address, anonymized interaction data | To understand how users interact with the Platform and improve our services |
| Customer support and communication tools | Contact info, text communications, ticket content | To respond to inquiries and send transactional notifications (e.g., email, SMS) |
These providers are contractually required to protect your data and use it only for the purposes we specify. We do not sell your personal information. We do not share your personal information with advertising partners for cross-context behavioral advertising or targeted advertising.
5.3 For Legal and Safety Reasons
We may disclose personal information when required by law, regulation, legal process, or governmental request; to enforce our terms and policies; to protect the rights, safety, or property of users or the public; or in connection with claims or disputes.
5.4 In Connection with Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction, subject to this Privacy Policy.
6. Data Retention
We retain personal information only as long as necessary for the purposes described in this policy.
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | For the life of your account, plus up to 7 years after deletion where required for tax, legal, or regulatory purposes | Tax and audit obligations; regulatory record-keeping |
| Medical records (Taiwan-sourced) | At least 7 years, consistent with Taiwan 醫療法 Article 70. For minors, at least 7 years after the minor reaches the age of majority as defined under Taiwan law | Taiwan medical record retention law |
| Medical records (other jurisdictions) | As required by applicable law and your choices (e.g., revocation of sharing) | Medical record retention laws vary by jurisdiction |
| AI inputs/outputs containing Medical Information | Same as the underlying medical record retention period | Consistency with medical record law |
| Payment and transaction data | Up to 7 years for legal, tax, and audit purposes | Tax authority requirements; financial audit obligations |
| Communications | Up to 3 years for support, safety, and dispute resolution; longer where required by medical record retention laws | Statute of limitations for disputes; proportionality |
| Usage and device data | Up to 24 months; anonymized or aggregated thereafter for analytics purposes | Service improvement needs |
| Security and audit logs | Up to 24 months | Security monitoring and incident investigation |
| Marketing data | Until you opt out or withdraw consent; then deleted or suppressed within 30 days | Consent-based; prompt suppression upon withdrawal |
You may request deletion of your account and associated data. We will delete or anonymize data as permitted by law, except where retention is necessary for legal, safety, or fraud-prevention purposes.
7. Security and Protection
We implement technical and organizational measures to protect your personal information, including:
- Encryption — Data encrypted in transit (TLS/SSL) and at rest (AES or equivalent) where appropriate
- Network security — Firewalls, intrusion detection and prevention systems, and secure network architecture
- Access controls — Role-based access limiting who can view or use sensitive data; principle of least privilege
- Authentication — Multi-factor authentication (MFA) for account access
- Audit trails — Logging of access and changes to sensitive data
- Monitoring — Fraud detection, security monitoring, and anomaly detection
- Physical and organizational safeguards — Secure data centers, employee training on data protection, and incident response procedures
We conduct Privacy Impact Assessments (PIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms, including large-scale processing of health data, AI-based profiling, and cross-border data transfers.
Despite these measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials.
7.1 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within the timeframe required by applicable law (for example, prompt notification under Taiwan's PDPA and its Enforcement Rules after assessment of the incident; within 3 calendar days under Singapore's PDPA where the breach is notifiable; within 72 hours under Thailand's PDPA and Korea's PIPA where applicable).
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to your rights and freedoms, including a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
- Document all breaches in an internal breach register, including the facts, effects, and remedial actions taken, regardless of whether notification to the supervisory authority is required.
8. Your Rights and Choices
Depending on where you live, you may have certain rights regarding your personal information.
8.1 Privacy Settings
Through your account settings, you may:
- Update your profile and contact information
- Manage medical record sharing permissions (e.g., grant or revoke access for specific providers or affiliates)
- Choose communication preferences (email, SMS, push notifications)
- Opt out of marketing communications — You can unsubscribe by: (1) clicking the "Unsubscribe" link in any marketing email, (2) going to Account > Settings > Communications and disabling marketing preferences, or (3) contacting us at the address in Section 13. Opting out does not affect transactional or legally required communications (e.g., appointment reminders, security alerts).
8.2 Data Access, Correction, and Portability
You may request access to, correction of, or a portable copy of your personal information. Portable copies will be provided in a structured, commonly used, machine-readable format (e.g., CSV or JSON) where technically feasible. You can access much of your data through your account. For additional requests, contact us using the information in Section 13.
8.3 Deletion
You may request deletion of your account and personal information. We will process such requests in accordance with applicable law, subject to retention requirements for legal, safety, or fraud-prevention purposes.
8.4 Objection and Restriction
Where we process data based on our business interests, you may object to such processing. You may also request that we restrict processing in certain circumstances. We will honor such requests where required by law.
8.5 Withdraw Consent
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.6 Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, a different quality of service, or be denied service for making a privacy-related request.
8.7 Complaints
You may lodge a complaint with a supervisory authority in your country if you believe we have not handled your data properly. Contact details for relevant authorities can be found on their official websites.
9. Regional Supplements
9.1 Taiwan
- Cross-border transfers (PDPA / 個資法): We conduct cross-border data transfers in accordance with Taiwan's Personal Data Protection Act (PDPA, 個人資料保護法) and related regulations. Sensitive personal data (特種個資) under the PDPA—including health and medical information such as medical history, diagnoses, treatment information, and medical documents you upload (medical records; 病歷等醫療相關資料)—may be subject to stricter rules when it is collected from a user in Taiwan or held in a Taiwan-facing workflow and is then transferred outside Taiwan or made accessible from systems located outside Taiwan (e.g., for hosting, backup, support, or coordination with providers).
- Explicit consent (書面同意): Where applicable law requires, we obtain your separate, informed, and explicit consent before cross-border transfer of that sensitive medical personal data. Consent may be recorded through a written signature or a lawful electronic equivalent where permitted. A single acceptance of this Policy at sign-up may not, by itself, satisfy PDPA requirements for all such transfers; accordingly, we may present a standalone Cross-Border Personal Data Transfer Consent (跨境個資傳輸同意) during patient registration or before the first transfer or synchronization of the relevant data outside Taiwan.
- Territory and recipients (利用地區、對象): The regions outside Taiwan to which relevant personal data may be sent or accessed, and the categories of recipients (e.g., CAREBRIDGE VITAL NEXUS LTD. affiliates, cloud and infrastructure providers, identity verification, communications, analytics, and payment processors, as further described in Section 5.2), are communicated through this Policy and, where required, through registration notices and the transfer consent flow so that you receive required information on purpose, categories of personal data, retention period where applicable, territory, recipients, and methods of use in line with PDPA expectations. Actual locations may include Hong Kong or other jurisdictions where we or our subprocessors operate, as disclosed in-app or in the consent materials presented to you.
- Data from Taiwanese healthcare providers: If a hospital, clinic, or other healthcare provider in Taiwan uploads or discloses your information to the Platform, additional consent, authorization, or contractual conditions may apply under Taiwan law and professional obligations. We process such information only as permitted by our agreements with the provider, your instructions or authorizations, and applicable law.
- Designated-country restrictions: Where the central competent authority has issued restrictions on international transfers to specific countries, we comply with those restrictions or obtain the consent and follow the procedures required by law.
- Notification requirements: Before collecting your personal data, we provide the required PDPA notice, including the purpose of collection, the categories of data, the period, area, recipients, and method of use, and your rights under PDPA Articles 3 and 4.
- Contact: You may contact us regarding our compliance with Taiwan's PDPA using the information in Section 13.
9.2 United States (including California)
- California residents: You may have additional rights under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), including the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. If our practices change, we will update this Policy and provide the required opt-out mechanisms (including recognition of Global Privacy Control (GPC) signals).
- Right to limit use of sensitive personal information: Under CPRA §1798.121, you have the right to limit our use and disclosure of sensitive personal information (including health data) to purposes necessary to provide the services you requested. We do not use sensitive personal information for purposes beyond those permitted under CCPA/CPRA.
- Non-discrimination: See Section 8.6.
9.3 Canada, Hong Kong, Japan, and Australia
- Canada: We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access and correct your personal information, and to withdraw consent.
- Hong Kong: We comply with the Personal Data (Privacy) Ordinance (PDPO) and the six Data Protection Principles (DPPs), including principles relating to collection purpose, accuracy and retention, use, security, openness, and data access and correction. You have the right to request access to and correction of your personal data held by us.
- Japan: We comply with the Act on the Protection of Personal Information (APPI). We will not provide your personal data to third parties without your consent, except as permitted by law. Where we transfer personal data outside Japan, we take the steps required under APPI to ensure an appropriate level of protection.
- Australia: We comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs). You may access, correct, or complain about the handling of your personal information.
9.4 South Korea
If you are located in South Korea, we comply with the Personal Information Protection Act (PIPA, 개인정보 보호법).
- Separate consent for sensitive information: We obtain your separate consent before collecting or processing sensitive personal information, including health and medical information, and before transferring such information overseas.
- Chief Privacy Officer: We have designated a Chief Privacy Officer reachable at privacy@kibocare.com to handle user inquiries and grievances related to personal information.
- Your rights: You have the right to request access, correction, deletion, and suspension of processing of your personal information.
- Minors under 14: We require verifiable consent from a legal guardian before collecting personal information from a child under 14.
- Cross-border transfer notice: Where we transfer your personal information outside Korea, we will inform you of the recipient, purpose, categories of data, retention period, and jurisdiction, and obtain your consent where required.
9.5 Singapore
If you are located in Singapore, we comply with the Personal Data Protection Act (PDPA).
- Data Protection Officer: We have designated a Data Protection Officer whose business contact is privacy@kibocare.com. The DPO is responsible for ensuring our compliance with the Singapore PDPA and handling data protection inquiries.
- Consent and notification: We rely on consent (including deemed consent where permitted by law) and notify you of the purposes for which we collect, use, and disclose your personal data.
- Your rights: You have the right to request access to and correction of your personal data, and to withdraw consent for future processing.
- Data breach notification: Where a data breach is notifiable under the Singapore PDPA, we will notify the Personal Data Protection Commission (PDPC) within 3 calendar days and affected individuals where required.
- Do Not Call (DNC): We comply with DNC Registry requirements and will not send marketing messages to numbers registered on the DNC Registry without valid consent or exemption.
9.6 Thailand
If you are located in Thailand, we comply with the Personal Data Protection Act B.E. 2562 (PDPA).
- Legal basis and explicit consent: We rely on appropriate legal bases for processing, and we obtain explicit consent before processing sensitive personal data (including health and medical data).
- Your rights: You have the right to access, rectify, and erase your personal data, to restrict or object to processing, to withdraw consent, and to data portability, subject to the conditions under Thai law.
- Data breach notification: Where a breach is notifiable, we will notify the Personal Data Protection Committee within 72 hours of becoming aware of the breach, and affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
- Cross-border transfer: We transfer personal data outside Thailand only where the destination provides an adequate level of protection, or where appropriate safeguards (such as contractual clauses or your explicit consent) are in place.
- Contact: You may contact our Data Protection Officer at privacy@kibocare.com for Thailand PDPA inquiries.
For links to these regulations, please see Appendix A: Regulatory References.
10. Cookies, Trackers, and Similar Technologies
We use cookies, web beacons (pixels), tracking scripts, and similar technologies to collect information automatically. These are indirect collection methods:
| Technology | Purpose |
|---|---|
| Cookies | Small text files stored by your browser. We use session cookies (login, security) and persistent cookies (preferences, analytics). |
| Web beacons / pixels | Tiny images or scripts that track page visits, email opens, and ad impressions. |
| Analytics SDKs and scripts | Code embedded in our website or app that sends usage data to analytics providers (e.g., page views, events, device info). |
Purposes: Authenticate users and maintain sessions; remember preferences and settings; analyze traffic and usage (service improvement); improve security and detect fraud.
You can control cookies through your browser or device settings (e.g., block third-party cookies). Disabling certain cookies may limit Platform functionality. For more details, please refer to our Cookie Policy.
11. Children and Minors
The Platform is primarily intended for adults (18 and older). We do not knowingly collect personal information from children under 13.
Children under 13 (COPPA — United States): In the United States, the Children's Online Privacy Protection Act (COPPA) requires special protections for children under 13. Our Platform is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we obtain actual knowledge that we have collected personal information from a child under 13 without verified parental consent, we will delete such information promptly.
Children under 14 (Korea PIPA): For users located in South Korea, we require verifiable consent from a legal guardian before collecting personal information from a child under 14.
Taiwan minors (限制行為能力人): Under Taiwan's Civil Code, minors who are not fully capable of legal acts require the consent or authorization of a legal representative for certain juristic acts. Where applicable, we will obtain such consent before allowing a Taiwan-based minor to use features that involve the processing of their personal data beyond routine browsing.
Minors 13–17: If you are between 13 and 17 (or the corresponding age threshold in your jurisdiction), you may use certain limited features of the Platform (e.g., browsing provider information, medical consultation for minor procedures such as acne treatment) only with verified parental or guardian consent as set forth in our Terms of Service. A parent or guardian must create the account and provide consent before the minor can access these limited features. We do not sell or use for advertising purposes the personal information of minors under 18.
Removal requests: Parents or guardians who believe we have collected information from a minor may contact us at the email address listed in Section 13 to request deletion. We will verify the requester's identity before processing.
12. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law.
How we will notify you:
- Material changes: For changes that materially affect how we collect, use, or share your personal information, we will provide reasonable advance notice through: (1) a prominent notice on our website or in our app, (2) email to the address associated with your account, and/or (3) an in-app notification. We may also obtain your consent where required by applicable law (e.g., for new uses of sensitive data).
- Non-material changes: For typographical corrections, clarifications, or other minor updates, we will update the "Last Updated" date at the top of this policy. We encourage you to review this policy periodically.
- Continued use: Your continued use of the Platform after the effective date of a material change constitutes acceptance of the updated policy to the extent permitted by law. If you do not agree, you may close your account and stop using our services before the change takes effect.
13. Contact Information
For questions about this Privacy Policy, your personal information, or to exercise your rights, please contact us:
- Email: privacy@kibocare.com
- Mail — United States: Attn: Privacy Officer, 17561 Hillside Ave, Suite 202 #1126, Queens, NY 11432, USA
- Mail — Hong Kong: Attn: Privacy Officer, Room A, 19/F, Max Share Centre, 367–373 King's Road, North Point, Hong Kong
14. Definitions
| Term | Definition |
|---|---|
| Platform | Our websites, mobile applications, and related services for medical travel, provider search, and appointments |
| Personal information (個人資訊) | Information that identifies or can reasonably be linked to an individual |
| Medical Information | Health or medical data subject to special protections under applicable law, including medical records, diagnoses, treatment history, and symptom information |
| Sensitive personal data (特種個資) | Categories of personal data afforded heightened protection under applicable law, including medical records, health examination results, and genetic information |
| De-identification (去識別化) | The process of removing or transforming personal identifiers so that data can no longer reasonably be linked to an individual |
| Pseudonymization | The processing of personal data such that it can no longer be attributed to a specific person without the use of additional information kept separately. Pseudonymized data is still personal data |
| Provider | A healthcare facility, clinic, doctor, or local affiliate offering services through the Platform |
| Local affiliate | A local healthcare provider partner who assists with pre- or post-procedure care |
| PIA | Privacy Impact Assessment — a systematic process to evaluate the potential impact of data processing on individuals' privacy (資料保護影響評估) |
| DPO | Data Protection Officer — the designated contact for data protection inquiries and compliance |
| GPC | Global Privacy Control — a browser-level signal that communicates a user's opt-out preference for the sale or sharing of personal information |
| Cross-Border Transfer Consent | A separate consent or acknowledgment for transferring personal data outside Taiwan where required (e.g., 跨境個資傳輸同意), presented in addition to this Policy for sensitive categories such as medical data |
15. Appendix A: Regulatory References
- Taiwan PDPA: Personal Data Protection Act — https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=I0050021
- Taiwan 醫療法: Medical Care Act — https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=L0020021
- Hong Kong PDPO: Personal Data (Privacy) Ordinance — https://www.pcpd.org.hk/english/data_privacy_law/ordinance/ordinance.html
- Canada PIPEDA: Personal Information Protection and Electronic Documents Act — https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
- Japan APPI: Act on the Protection of Personal Information — https://www.ppc.go.jp/en/legal/
- Australia Privacy Act 1988 — https://www.oaic.gov.au/privacy/the-privacy-act
- South Korea PIPA: Personal Information Protection Act — https://www.pipc.go.kr/eng/
- Singapore PDPA: Personal Data Protection Act — https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act
- Thailand PDPA: Personal Data Protection Act B.E. 2562 — https://www.pdpc.or.th/
- US COPPA: Children's Online Privacy Protection Act — https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa
- California CCPA/CPRA: California Privacy Rights Act — https://oag.ca.gov/privacy/ccpa
Table of Contents Summary
| Section | Section Title | Summary |
|---|---|---|
| 1 | Introduction | Platform scope; user types (Patients, Providers, Admins); applicable laws; EU/UK geoblock |
| 2 | Medical and Health Information | Medical Info vs. general data; our role; de-identification vs. pseudonymization; AI safeguards |
| 3 | Personal Information We Collect | Methods of collection; data you provide; automatic collection; third-party sources |
| 4 | How We Use Personal Information | Purposes and legal bases; automated processes; automated decision-making rights |
| 5 | Data Sharing and Disclosure | Sharing with users, service providers; no sale/share; legal/safety reasons; business transfers |
| 6 | Data Retention | Proportionate retention periods including Taiwan 醫療法 7-year rule; deletion requests |
| 7 | Security and Protection | Encryption, access controls, MFA, audit trails, PIAs; data breach notification |
| 8 | Your Rights and Choices | Privacy settings; access, correction, portability; deletion; objection; non-discrimination; complaints |
| 9 | Regional Supplements | Taiwan (PDPA, cross-border); US/California; Canada; Hong Kong; Japan; Australia; South Korea; Singapore; Thailand |
| 10 | Cookies, Trackers, and Similar Technologies | Types used; purposes; Cookie Policy |
| 11 | Children and Minors | COPPA <13; Korea PIPA <14; Taiwan minor rules; 13–17 with parental consent |
| 12 | Policy Updates | Material vs. non-material changes; reasonable advance notice |
| 13 | Contact Information | Privacy contact email; US + HK mailing addresses |
| 14 | Definitions | Platform, personal information, Medical Information, sensitive personal data, de-identification, DPO, etc. |
| 15 | Appendix A: Regulatory References | Links to PDPA, PDPO, PIPEDA, APPI, Privacy Act, PIPA, Singapore PDPA, Thailand PDPA, COPPA, CCPA |
This Privacy Policy is provided in English. In the event of a conflict with a translated version, the English version shall prevail to the extent permitted by applicable law.