Business Associate Agreement

Last Updated: January 8, 2026

1. WHO WE ARE & WHAT THIS IS

At Sindi Inc. ("Sindi"), our mission is to facilitate referrals and the sharing of patient information between general practice dentists and specialist dentists by using our software platform and proprietary technology (the "Service"). To fulfil this mission, we collect information about (1) general dental health providers and dental specialists that use Sindi to support their dental practices, who we refer to collectively as "Dentists,"; (2) the patients who are referred from or to Dentists using Sindi, who we refer to as "Patients," and (3) our visitors to the Sindi website, or anyone contacting Sindi support, who we refer to as "Visitors." Collectively, we refer to Dentists, Patients, and Visitors in this policy as User, Users, or you. The websites and software applications governed by this policy include sindireferrals.com.

Your privacy is important to us. This privacy policy (this “Privacy Policy”) outlines:

• Why we collect personal information

• What personal information we collect and when it is collected

• How your information is used and protected

• When and with whom your information is shared

• Your choices regarding your personal information

We encourage you to read this Privacy Policy and our Terms of Use and Cookie Policy carefully. Capitalized terms used but not defined in this Privacy Policy have the meaning given them in the Terms of Use. We will post notices of all changes that materially affect the way in which your personally identifiable information may be used or shared in updates to our Privacy Policy.

Sindi reserves the right to modify this Privacy Policy at any time, in our sole discretion. We may modify this Privacy Policy by providing notice via one of the following methods. For material modifications, we provide notice by email to the email account used by you to access the Services. For other modifications, we update the ‘last updated’ date listed above. By continuing to use the Service you confirm that you agree to the modified Privacy Policy.

If you have any questions about this Privacy Policy, please contact us at:

Email address: info@sindireferrals.com

Postal address: Sindi Inc. 337 El Dorado Street, Suite A-1 Monterey, CA 93940

2. INFORMATION WE COLLECT

We get information about you in a range of ways.

Information You Give Us. We collect the following personal information when you sign up for Sindi, when you use our Services, or when you otherwise provide us information. Generally, we need this information for you to be able to use our Services. Information we collect from you may include:

• Personally identifiable information such as your and your employees or contractors’ names, email addresses, postal addresses, and telephone numbers.

• Financial information, such as your zip code, the last four digits of your credit card, and bank account information; and

• Feedback and correspondence, such as information you report a problem with Service, receive support or otherwise correspond with us.

Information We Get From Others. We may get information about you from other third-party sources and we may add this to information we get from your use of the Services. Such information may include:

• Payment using Third Party Payment Platform: To pay the fees associated with the Service, payment is processed using a Third-Party Payment Platform. By using a Third-Party Payment Platform, we never receive your complete financial information, such as your complete credit card number. We currently use Stripe to process payments and the processing of your payment is subject to Stripe's Privacy Policy.

• Personal Health Information: The Service allows Dentists to refer patients through the Service, and accordingly Dentists give us a Patient's insurance information, health records and other health-related content such as x-rays or diagnoses. These Patient health records may be uploaded to the Service for the purpose of a Dentist referral. While we are not a Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191 ("HIPAA"), the Dentist uploading Patient personal health information is and will be bound by HIPAA. We recommend reviewing our Business Associate Agreement in place with all Dentists BAA for more information.

Information Automatically Collected. We may automatically record certain information about how you use our Service. This may include information such as a User’s Internet Protocol (IP) address, device and browser type, operating system, the pages or features of our websites to which a User browsed and the time spent on those pages or features, the frequency with which the websites are used by a User, search terms, the links on our websites that a User clicked on or used, and other statistics. We use this information to administer the Service and we analyze (and may engage third parties to analyze) this information to improve and enhance the Service by expanding its features and functionality and tailoring it to our Users’ needs and preferences.

We also use cookies, local storage, or similar technologies to analyze trends, administer the websites, track Users’ movements around the websites, and to gather demographic information about our User base as a whole. Users can control the use of cookies and local storage at the individual browser level.

We also may use Google Analytics to help us offer you an optimized User experience. You can find more information about Google Analytics’ use of your personal data here.

For detailed information on the information we automatically collect, please see our Cookie Policy.

Others’ Personal Information.In using our Service, you may provide us with the personal information of others (for example, the names and addresses of your employees). Legally speaking, we are only a “service provider” of such information.

As your service provider, we only process (collect, use, disclose, etc.) such information as directed by you for the exclusive purpose of providing you our Service. For example, we will never use your employees’ information to independently market or advertise to them unless they are also using our Service directly. We also do not and will not “sell” information.

You are responsible for the personal information of others that you disclose to us via our Service and for ensuring that your instructions regarding the processing of such information complies with applicable data protection laws.

3. HOW WE USE AND SHARE THE INFORMATION WE COLLECT

Use: We use the personal information we collect from you to provide you with our Service, to fulfill a contractual obligation, to improve our Services or where we need your personal information for a legitimate business interest. These legitimate interests include:

• verifying your or your business’ identity;

• contacting you as needed to provide with the Service (including by sending you text or SMS messages, if you have opted in to receiving them);

• preventing risk and fraud (for example, to detect and protect Sindi and other third parties against error, negligence, breach of contract, fraud, theft and other illegal activity, and to audit compliance with Sindi’s policies and contractual obligations);

• answering questions or providing other types of support;

• providing, securing, debugging and improving our Services and website;

• providing reporting and analytics;

• testing out features or additional services;

• understanding your needs and eligibility for products and services;

• complying with legal and regulatory requirements; and

• enforcing our Terms of Use and / or compliance with this Privacy Policy.

We may also collect and use your personal information for any other purpose to which you consent. We only collect the personal information we consider necessary for achieving these purposes.

We may use information that is aggregated or de-identified so that it is no longer reasonably associated with an identified or identifiable natural person for any business purpose.

Share:We will not share your personal information or User data except to perform the Services as described herein or unless you authorize us to. We may provide aggregate usage and demographic reports and information to service partners to help them understand our audience and target their communications accordingly, but not in a way that could identify our Users personally.

In the normal course of business Sindi may share your information with individuals (such as employees, contractors and lawyers) and companies (such as consultants, partners, vendors, or service providers such as our hosting service provider, text messaging service provider, and compliance management provider) to perform tasks on our behalf and may need to share certain information, including your name and email address, with them in order to provide improved products or services to our Users. However, our agents do not have any right to use the information we share with them beyond what is necessary to assist us in providing the service to you as described in this Privacy Policy.

Sometimes we may be required to share your information in response to a regulation, court order or subpoena. We may also share information when we believe it's necessary to comply with the law or to respond to a government request or when we believe disclosure is necessary or appropriate to protect the rights, property or safety of Sindi, our Dentists, or others; to prevent harm or loss; or in connection with an investigation of suspected or actual unlawful activity.

We may also share your information in the event of a corporate sale, merger, acquisition, dissolution or similar event.

4. HOW WE STORE AND PROTECT THE INFORMATION WE COLLECT

Sindi uses reasonable security measures to store and protect the information under our control and appropriately limit access to it. However, we cannot ensure or warrant the security of any information you transmit to us, and you do so at your own risk.

We use a variety of information security measures to protect your online transactions with us. The Service uses encryption technology, such as Secure Sockets Layer (SSL), to protect your sensitive personal information during data transport.

We want you to feel confident using the Services. However, no system can be completely secure. Therefore, although we take steps to secure your information, we do not promise, and you should not expect, that your personally identifiable information, usage data or other communications will always remain secure. We will notify you by email if we have reason to believe that your personal information has been compromised due to a security breach or used in an unauthorized manner, but by using this Service, in accordance with the Terms of Use you agree to release us from any and all claims arising out of unauthorized use of your information.

5. YOUR CHOICES REGARDING THE INFORMATION WE COLLECT

You may choose to:

• Update and correct your personal information;

• Object to the processing of your personal information;

• Request to have your personal information or usage data deleted or restricted from our Service;

• Request for portability of your personal information;

• Cancel your account; and/or

• Stop receiving text or SMS messages or email communications from us.

To do any of these, simply notify us of this decision by one of these methods:

• Follow the unsubscribe link in any marketing email or following the directions included in any other promotional material received from Sindi;

• Send an email to us at info@sindireferrals.com; and/or

• To stop receiving text or SMS messages, follow the instructions in the text or SMS message (i.e., reply “STOP” to the text message) or at the bottom of the applicable email communication (i.e., click the “Unsubscribe” button).

We reserve the right to refuse to accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

Data Retention

We will retain your profile information and usage data for as long as your account is active or as needed to provide you services, comply with our legal obligations, resolve disputes, and enforce our agreements. If you close your account, we may still retain certain information associated with your account for a limited period of time thereafter unless you request that we delete it sooner in accordance with data privacy laws. We retain this information for analytical purposes and recordkeeping integrity, as well as to prevent fraud, collect any fees owed, enforce our terms and conditions, take actions we deem necessary to protect the integrity of our web site or our Users, or take other actions otherwise permitted by law. Deactivating your account does not automatically delete your account or usage data from our database, but regardless of any retention policy we will make reasonable efforts to enable you to delete your profile and personally identifiable information from our database upon request. To request that we delete your information, please contact us at info@sindireferrals.com.

6. THIRD PARTY SERVICES AND LINKS TO OTHER WEBSITES

Our website may contain links to other websites including those of our service partners and other service providers, many of which have their own privacy policies. Be sure to review the privacy policy on any site you are visiting, whether directly or through the Service.

Additionally, we integrate third party services into our Service. This policy only covers the collection and use of information by Sindi. Integrations may include, but are not limited to, the following:

For payment processing: As noted above, we currently use Stripe to process payments, which is subject to Stripe's Privacy Policy.

Other third party services are provided by Twilio, Slack, Auth0, Vanta and any other third party services.

8. NOTICE TO CALIFORNIA RESIDENTS

This Privacy Notice for California Residents supplements the information contained in this Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California. We adopt this notice to comply with the California Consumer Privacy Act of 2018 (the “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice.

For more details about the personal information we collect from you, please see the “What We Collect” section above. We collect this information for the business and commercial purposes described in the “Information We Collect” section above. We share this information with the categories of third parties described in the “Share” section above. Sindi does not sell (as such term is defined in the CCPA) the personal information we collect (and will not sell it without providing a right to opt out).

Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights. Please see the “Your Choices” section above or contact us at info@sindireferrals.com for more information about these rights or to exercise these rights.

Non-Discrimination:

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

• Deny you goods or services;

• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;

• Provide you a different level or quality of goods or services; or

• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to info@sindireferrals.com.

9. ADDITIONAL INFORMATION

Children's privacy

We restrict use of the Service to individuals age 18 and above, and do not knowingly seek or collect personal information from anyone under the age of 18.

Using the Services from outside the United States

This Privacy Policy is intended to cover collection of information from residents of the United States and is not intended for Users located outside the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located, and our central database is operated. The data protection and other laws of the United States and other countries might not be as comprehensive as those in your country. By using the Service, you understand that your information may be transferred to our facilities and those third parties with whom we share it as described in this Privacy Policy.