Notice of Privacy Practices
Effective Date: 10/07/2025
Our Legal Duty to Protect Health Information
Lead Profit, LLC (Lead Profit) is committed to maintaining the privacy and security of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and applicable federal and state privacy regulations.
Lead Profit operates as a Business Associate that provides marketing attribution and analytics services to healthcare organizations and their authorized Business Associates. We receive, maintain, or transmit PHI solely to perform those contracted services. This Notice describes how we protect that information and the rights of individuals whose data we handle on behalf of our clients.
Who Does This Notice Apply To
This Notice applies to all PHI handled by Lead Profit systems, workforce members, contractors, and approved vendors operating under our Business Associate Agreements (BAAs).
Subcontractor vendors that create, receive, maintain, or transmit PHI for Lead Profit are bound by written agreements to the same restrictions, conditions, and safeguards that apply to Lead Profit under applicable BAAs.
What Is PHI
PHI includes any information that identifies or could reasonably identify an individual and relates to their past, present, or future physical or mental health, the provision of health care, or payment for health care. Examples include patient names, contact details, appointment information, or other identifiers combined with health-related information.
Personal Information Collection and Purpose of Processing
a. Information We Receive Directly from Clients
Lead Profit may receive limited contact-level PHI such as patient names, phone numbers, email addresses, appointment details, or related metadata needed to perform attribution and conversion reporting. We do not receive or collect clinical charts, diagnostic results, treatment notes, or insurance claim records.
Lead Profit does not store PHI or Personal Information beyond transient routing or matching operations.
b. Information Collected Indirectly
Lead Profit’s websites and platform may automatically collect limited technical information such as IP address, browser type and device identifiers through cookies, web beacons, or other tracking technologies used for security, performance, and service optimization. Cookies used are limited to essential site functionality, security, and aggregated analytics.
These technologies are configured not to capture or link PHI to individual users. We do not use cookies or similar technologies to view, extract, or reconstruct clinical records, treatment information, or other sensitive health details.
Lead Profit may, in the future, implement additional cookies or analytics tools for marketing, advertising, or audience-measurement purposes. When that occurs, the company will provide clear notice and obtain consent where legally required.
Purpose of Collecting and Using PHI
Lead Profit uses and discloses PHI only to:
- Perform contracted analytics and attribution services on behalf of Covered Entity clients;
- Maintain, secure, and improve the accuracy of reporting systems;
- Conduct permissible management and administrative activities and carry out legal responsibilities, and (where applicable) provide data aggregation services as permitted under HIPAA and our BAAs;
- Comply with legal or regulatory requirements; and
- Support audits, incident response, or quality-assurance processes as permitted under HIPAA.
We do not use PHI for marketing to individuals, sell PHI, or combine PHI across unrelated clients for marketing or sales purposes. Lead Profit applies the minimum necessary standard to all uses and disclosures of PHI.
Our Legal Basis for Processing
Lead Profit processes PHI only as permitted or required under HIPAA and solely to perform services on behalf of the Covered Entities or authorized Business Associates that engage us. Lead Profit does not use or disclose PHI for its own purposes; all processing occurs strictly within the scope of our BAAs and applicable Privacy Regulations.
Who We Disclose PHI to
We disclose personal information and limited PHI only as necessary to achieve the purposes described in this Notice. Disclosures are limited, governed by contract, and subject to technical and organizational safeguards. They include:
- Within Lead Profit: Authorized workforce members (such as engineering, security, support, and leadership) who need access to perform their roles and are bound by confidentiality and access-control requirements.
- Covered Entities and Business Associate clients: Healthcare organizations and their authorized partners who engage Lead Profit for attribution and analytics services.
- Service providers and integration partners: Vendors who support our services and process PHI only under written agreements that require them to follow HIPAA safeguards, including BAAs where PHI is involved.
- Government authorities and regulators: When we are legally required to respond to a valid court order, subpoena, investigation, or other compulsory legal process.
- Others at the direction of our clients: In limited cases where a Covered Entity or Business Associate instructs us to disclose information in accordance with HIPAA and our agreements.
Lead Profit does not sell or rent PHI or Personal Information and does not disclose it to third parties for their own marketing or advertising purposes.
Special Notices
Lead Profit does not contact individuals for fundraising, marketing, or promotional purposes and does not maintain a patient contact list for such activities. If this ever changes, individuals will receive advance notice with an option to opt out.
Privacy Regulations We Comply With
Lead Profit complies with:
- HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Part 164, Subparts C, D, and E);
- The HITECH Act; and
- Relevant U.S. state privacy regulations governing PHI and personal information.
Where privacy regulations differ, Lead Profit applies the standard offering the strongest privacy protection.
How we Protect PHI
Lead Profit protects PHI using layered safeguards. These include strong encryption when data is stored and sent, limited access based on job role, multi-factor sign-in for administrators, ongoing activity monitoring, and required workforce training and confidentiality commitments. We review these controls regularly as part of our security program, and all access to PHI is logged and checked for any unauthorized activity.
We also require our service providers to implement contractual, technical, and organizational safeguards consistent with HIPAA and this Notice.
How we Transfer PHI
Lead Profit processes PHI in secure cloud environments but does not store PHI long-term. PHI is processed transiently and discarded once the processing task is complete. Where PHI is transferred or accessed outside the United States, Lead Profit ensures the PHI is protected by appropriate administrative and technical safeguards.
How we Store and Retain PHI
Lead Profit does not maintain long-term storage of PHI. Any PHI received through integrated platforms is processed only as necessary to perform attribution and analytics services and is handled within secure, encrypted, access-controlled environments. Temporary PHI used for routing, matching, or conversion processing is automatically deleted or discarded once the processing task is complete.
Lead Profit retains PHI only for the duration necessary to fulfill the purposes permitted by our BAAs and applicable regulation. We do not create independent patient records, clinical files, or archives of PHI.
Although PHI itself is not stored, Lead Profit does retain required compliance documentation such as BAAs, privacy-right request logs, breach notifications, audit records, and system activity reviews for at least six (6) years, as required under HIPAA.
Privacy Rights under HIPAA
Individuals whose PHI we process through client relationships have the following rights, exercised through their healthcare provider or Covered Entity:
- Access: To receive a copy of their PHI.
- Amendment: To request corrections of inaccurate or incomplete PHI.
- Accounting of Disclosures: To know when PHI has been shared.
- Restrictions: To request limits on certain uses or disclosures.
- Confidential Communications: To request alternative communication methods.
- Complaints: To file a complaint if they believe their privacy rights have been violated.
Lead Profit cooperates fully with its clients to fulfill individual privacy rights within the timelines set by HIPAA. If Lead Profit receives an individual rights request directly, we acknowledge and route it through our compliance process to the appropriate Covered Entity.
Personal Information Breach Notification
Lead Profit has procedures in place to deal with any suspected or confirmed breach involving PHI, including notifying the Covered Entity and, where required, regulators without unreasonable delay and within the statutory timeframes.
How to contact our Privacy Officer
For questions about this Notice or our privacy practices, you may contact our Privacy Office at compliance@leadprofit.io.
Questions, access requests, or complaints about this Notice or our data-handling practices may be directed to the Privacy Officer. Individuals may also file complaints directly with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) at https://www.hhs.gov/hipaa/filing-a-complaint/index.html without fear of retaliation.
How we Update this Privacy Notice
Lead Profit may update this Notice to reflect material changes in our privacy practices or regulatory requirements. The effective date at the top of this document will be updated, and the revised Notice will be posted on our website.