CancerIQ, Inc.

Digital Healthcare Technology Platform Privacy Policy

Last Updated / Effective Date: May 7th, 2026

CancerIQ, Inc. (“CancerIQ,” “we,” “us,” or “our”) is a digital healthcare technology platform (“Platform”) used by healthcare providers to collect comprehensive patient data, assess hereditary cancer risk, and support clinical decision making. When patients use the CancerIQ platform at the direction of their healthcare provider, CancerIQ processes Protected Health Information (“PHI”) on behalf of that provider.

For the purposes of this Privacy Policy (“Policy”) , PHI means individually identifiable health information, such as your medical history, family history, and information you provide through the Platform, that is protected under HIPAA. “Other information” means non-PHI technical or operational information generated through use of the Platform such as system logs and support communications.

This Policy describes how CancerIQ handles PHI and other information within the CancerIQ Platform. This Policy does not apply to CancerIQ’s public websites or marketing activities. Those activities are governed by separate privacy notices available on CancerIQ’s website.

When CancerIQ processes PHI through the Platform, we do so as a Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA”) and in accordance with the Business Associate Agreement (“BAA”) between CancerIQ and the healthcare provider.

Your use of the CancerIQ Platform within a healthcare institution’s environment is also subject to that institution’s own policies, terms, and privacy policy. CancerIQ does not control the healthcare institution’s internal systems or data practices. We encourage you to review the healthcare institution’s applicable policies to understand how it may collect, use, and disclose information when you access the Platform through its systems .

1. Scope of This Policy

This Policy applies only to patients and authorized users who access the CancerIQ Platform, and to the PHI and other information collected through the Platform. It also applies to CancerIQ’s role as a Business Associate when providing services to healthcare providers.

This Policy applies only to the CancerIQ Platform used within healthcare institutions. It does not apply to CancerIQ’s public websites, marketing activities, corporate operations, or any interactions you may have with CancerIQ outside of the Platform. Those activities are governed by separate privacy notices and are not subject to this Policy. Those other privacy notices can be found here: https://www.canceriq.com/privacy-policy-web.

2. No Medical Advice

The Platform is a clinical tool used by healthcare providers to support risk assessment and care planning. CancerIQ does not provide medical advice, diagnosis, or treatment. Any clinical decisions, recommendations, or actions based on information in the Platform are made solely by the healthcare provider. Patients should consult their healthcare provider with any questions about their medical care.

3. How PHI Is Provided To The Platform

PHI is entered into the Platform either by patients completing clinical questionnaires or by their healthcare providers as part of delivering care. This information may include medical and personal health history, family history of cancer and hereditary risk factors, demographic details relevant to clinical assessment, and other information the provider determines is necessary for evaluating hereditary cancer risk.

CancerIQ processes the PHI entered into the Platform solely to support clinical workflows and to provide services to the healthcare provider. All PHI handled through the Platform is processed in accordance with HIPAA and the BAA, and CancerIQ does not independently collect PHI outside of what is provided by the patient or the provider.

4. How PHI Is Used Within the Platform

PHI entered into the Platform is used as part of the healthcare provider’s clinical workflows, including hereditary cancer risk assessment, care coordination, and review of patient information. CancerIQ processes this PHI solely to support these provider directed activities and to operate, maintain, and secure the Platform. This may include enabling providers to review and interpret patient information, supporting clinical decision‑making tools, and providing technical support or troubleshooting.

CancerIQ uses PHI only as permitted under HIPAA and the BAA and does not determine independent purposes for using PHI. All use of PHI is carried out on behalf of, and under the direction of, the healthcare provider.

5. Restrictions on Use of PHI

CancerIQ does not use or disclose PHI for marketing, advertising, targeted advertising, or other non‑clinical purposes. CancerIQ does not sell PHI or combine PHI with third‑party tracking or analytics tools. PHI is used only as permitted under HIPAA and the BAA.

6. How PHI May Be Disclosed Through The Platform

PHI entered into the Platform may be accessed or disclosed as part of the healthcare provider’s treatment, care coordination, and healthcare operations. These disclosures are determined and controlled solely by the healthcare provider, and CancerIQ does not independently determine whether or how PHI is disclosed. Access to PHI within the Platform may include the provider’s authorized workforce, as well as CancerIQ personnel or subcontractors who require limited access to perform services on the provider’s behalf.

PHI may also be disclosed when required by law, such as in response to a court order or regulatory obligation, or when necessary to prevent or mitigate a serious threat to health or safety, consistent with HIPAA. CancerIQ does not disclose PHI to third parties for their independent use, and any subcontractors that may access PHI are bound by written agreements requiring HIPAA compliant safeguards.

7. Communications Related to Your Use of the Platform

We may use the contact information you provide to communicate with you about your use of the Platform. This includes sending service related messages, support communications, operational notices, and requests for feedback about your experience. We may also communicate with your healthcare provider or the organization that provisioned your access to support your participation in the clinical program or workflow in which the Platform is used.

These communications are part of the services we provide through the Platform and may not be subject to opt‑out, except where required by applicable law or by the policies of your healthcare provider.

8. Tracking Technologies and PHI

The CancerIQ Platform does not use third‑party analytics tools, advertising networks, pixel tags, cookies, or other tracking technologies that collect or transmit PHI. The Platform also does not incorporate cross‑site tracking or third‑party ad‑tech components. Any technical logging within the Platform is limited to functions necessary for security, performance, and operational integrity, and does not involve third‑party tracking technologies or marketing analytics.

9. Security of PHI

CancerIQ maintains reasonable administrative, technical, and physical safeguards designed to protect PHI in accordance with the HIPAA Security Rule. These safeguards are intended to protect PHI against unauthorized access, disclosure, alteration, or destruction and include measures such as encryption, access controls, monitoring, and secure development and operational practices. While no system can guarantee absolute security, CancerIQ implements safeguards appropriate to the sensitivity of PHI and the services provided to healthcare providers.

CancerIQ conducts security and privacy due diligence on subcontractors that may access PHI and requires them to implement safeguards consistent with HIPAA.

10. Patient Rights Under HIPAA

Patients exercise their HIPAA rights through their healthcare provider, as described in the provider’s privacy policy. The healthcare provider is solely responsible for responding to and fulfilling these rights. CancerIQ may provide support to the provider, as permitted and required under the BAA, but does not independently administer HIPAA rights or respond directly to patient requests.

11. Data Retention

CancerIQ retains PHI only for as long as necessary to provide services to the healthcare provider and as required under the BAA or applicable law. The healthcare provider determines how long PHI should be maintained within the Platform, and CancerIQ follows the provider’s instructions regarding retention.

When a healthcare provider instructs CancerIQ to delete or return PHI, CancerIQ carries out those instructions in accordance with HIPAA and the BAA including securely deleting or returning the information as directed.

12. Use of De-Identified and Aggregated Data

CancerIQ may create or use de‑identified or aggregated data derived from PHI processed through the Platform. De‑identified and aggregated data is created in accordance with HIPAA and does not identify you and cannot reasonably be used to re‑identify you. CancerIQ may use de‑identified or aggregated information for any purposes such as analytics, product improvement, research, or other activities permitted under HIPAA and the BAA.

13. Children’s Privacy

The Platform is used only as part of clinical care directed by a healthcare provider. CancerIQ does not interact directly with children or collect PHI from minors except as entered or provided by the healthcare provider in connection with clinical services.

14. Changes to This Policy

We may update this Policy from time to time. Any updates will not alter or diminish CancerIQ’s obligations under applicable law, including HIPAA, or under any BAA between CancerIQ and your healthcare provider.

15. Contact Information

For questions about this Policy or about how the CancerIQ Platform operates within your healthcare provider’s clinical environment, you may contact support@canceriq.com. Questions about your PHI, your medical information, or your rights under HIPAA should be directed to your healthcare provider, who is responsible for managing and responding to those requests.