
Terms and Conditions for KIT

PART I – CORE AGREEMENTS (User-Facing)

1) Terms and Conditions of Use

1.1 Introduction and Agreement to Terms. These Terms and Conditions of Use (“Terms,” “Agreement”) govern access to and use of KIT, including websites, mobile applications, APIs, documentation, and any related services (collectively, the “Services”), provided by Sevakit Healthcare IT LLC, a Virginia limited liability company (“Company,” “we,” “our,” or “us”). By creating an account, clicking “I Agree,” or accessing the Services, you (“User,” “you,” or “your”) acknowledge that you have read, understood, and agree to be bound by this Agreement. If you do not agree, you must not use the Services.

1.2 Eligibility. You represent that you are at least 18 years old and have legal capacity to enter a binding contract. If you access the Services on behalf of an organization, you represent that you have authority to bind that organization; in that case, “you” also refers to that organization.

1.3 Nature of Services; No Medical Advice. KIT is an information-management tool that allows Users to organize, store, and share personal and health-related information for their convenience. The Services are not a medical device, electronic health record (EHR), personal health record (PHR) subject to certification, or a substitute for professional medical advice, diagnosis, or treatment. No provider–patient relationship is created by your use of KIT. Always seek the advice of a qualified healthcare professional with any questions regarding a medical condition.

1.4 Changes to Terms. We may modify these Terms at any time in our sole discretion. We will post updated Terms with a new “Last Updated” date. Material changes will be highlighted or otherwise communicated where feasible. Your continued use after changes become effective constitutes acceptance.

1.5 Accounts and Security. You are responsible for maintaining the confidentiality of login credentials, enabling multifactor authentication where available, and for all activities that occur under your account. You must promptly notify us of suspected unauthorized access. We are not liable for any loss arising from unauthorized use of your account.

1.6 Acceptable Use; Prohibited Conduct. You agree to comply with the Acceptable Use Policy attached to this document and incorporated by reference. Without limitation, you will not: (a) misuse PHI of others; (b) upload malware or attempt to bypass security; (c) scrape, spider, or harvest data without written consent; (d) infringe intellectual property; (e) harass, threaten, or defame; (f) use the Services to build a competing product; (g) interfere with, disrupt, or degrade the Services or networks.

1.7 Privacy and PHI Handling. Our Privacy Policy is incorporated by reference. You understand and agree that (a) no system is entirely secure, (b) breaches or unauthorized access may occur, and (c) you assume all risks associated with uploading, storing, transmitting, or sharing personal information or PHI through the Services.

1.8 Third-Party Services. The Services may interoperate with or link to Third-Party Services. We are not responsible for third-party content, availability, security, or privacy practices. Your use of Third-Party Services is governed solely by their terms and policies.

1.9 Beta Features and AI Outputs. We may offer experimental or beta features, including AI-assisted functionalities, which are provided “as is,” may produce inaccurate or incomplete outputs (“hallucinations”), and may be modified or discontinued at any time. You are solely responsible for independently verifying any output before relying on it.

1.10 Intellectual Property; License. We and our licensors retain all right, title, and interest in and to the Services, including software, interfaces, designs, logos, trade dress, text, graphics, and other materials (collectively, “KIT IP”). Subject to these Terms, we grant you a limited, revocable, nonexclusive, nontransferable, nonsublicensable license to access and use the Services for your lawful, personal purposes. No other rights are granted by implication or otherwise.

1.11 User Content; License to Company. As between you and Company, you retain ownership of Content you upload to the Services (“User Content”). To operate, improve, secure, and provide the Services, you grant Company a worldwide, nonexclusive, royalty-free license to host, store, transmit, display, reproduce, and process User Content solely to provide and protect the Services, to comply with law, and to create anonymized or aggregated data. You represent and warrant that you have all rights necessary to grant this license and that your User Content does not infringe any third-party rights or violate law.

1.12 Feedback. If you submit ideas, suggestions, or feedback, you grant Company a perpetual, irrevocable, worldwide, royalty-free license to use and exploit such feedback without restriction or compensation.

1.13 Suspension and Termination. We may suspend or terminate access immediately for any reason, including suspected violation of this Agreement, risk to the Services or other users, requests by law enforcement, or extended periods of inactivity. Upon termination, your right to use the Services ceases; certain provisions survive (see Survival).

1.14 No Warranties. To the maximum extent permitted by law, the Services and all related materials are provided “AS IS” and “AS AVAILABLE” without warranties of any kind, whether express, implied, statutory, or otherwise, including implied warranties of merchantability, fitness for a particular purpose, noninfringement, accuracy, quiet enjoyment, or that the Services will be uninterrupted, error-free, secure, or free of harmful components.

1.15 Limitation of Liability. To the fullest extent permitted by law, Company and its affiliates, officers, directors, employees, agents, suppliers, and licensors will not be liable for indirect, incidental, special, consequential, exemplary, enhanced, or punitive damages; loss of profits, revenues, goodwill, data, or use; personal injury or death; medical outcomes; or any damages related to privacy or cybersecurity incidents, even if advised of the possibility. Company’s total liability for all claims in the aggregate shall not exceed the greater of US$50 or the amounts you paid (if any) for the Services in the twelve (12) months preceding the claim.

1.16 Indemnification. You agree to defend, indemnify, and hold harmless Company and its affiliates, officers, directors, employees, agents, suppliers, and licensors from and against any claims, damages, obligations, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to (a) your use of the Services; (b) your User Content (including PHI); (c) your breach of this Agreement or law; or (d) your violation of any third-party rights.

1.17 Dispute Resolution; Arbitration; Class Waiver. Except as otherwise provided, all disputes will be resolved exclusively by binding arbitration as set forth in the Arbitration Agreement contained in this Pack. You waive any right to a jury trial and to participate in a class or representative action. A small-claims court option may apply as detailed in the Arbitration Agreement.

1.18 Export Controls and Sanctions. You represent that you are not located in a country embargoed by the United States and are not on a U.S. government restricted-party list. You shall comply with U.S. export control and sanctions laws (including EAR and OFAC).

1.19 Government Use. The Services are commercial items, developed at private expense. If acquired by or on behalf of a U.S. Government agency, use is subject to these Terms as restricted rights for commercial computer software per applicable FAR/DFARS provisions.

1.20 App Store Terms; Third-Party Beneficiary. If you downloaded the app from Apple App Store or Google Play, you agree to their terms. For iOS users, Apple is a third-party beneficiary of these Terms and may enforce them against you. Company, not Apple or Google, is responsible for support and warranty (disclaimed here), and for addressing claims relating to the App (subject to these limitations).

1.21 Notices; Electronic Communications. You consent to receive notices electronically via the Services, email, SMS, or push notifications. Legal notices to Company must be sent to: Sevakit Healthcare IT LLC, [Insert Address], Attn: Legal; and to legal@sevakit.com (or replacement address designated in the Services).

1.22 Force Majeure. We will not be liable for delay or failure to perform due to events beyond our reasonable control, including natural disasters, acts of government, war, terrorism, labor disputes, utility failures, or internet/hosting interruptions.

1.23 Severability; Waiver; Assignment; Entire Agreement. If any provision is held invalid, the remainder stays in effect. No waiver is effective unless in writing. You may not assign this Agreement without our written consent; we may assign to an affiliate or in connection with a merger, acquisition, or sale of assets. This Agreement, including incorporated policies, is the entire agreement between you and Company and supersedes all prior understandings.

1.24 Survival. Sections concerning ownership, User Content license, disclaimers, limitations, indemnification, arbitration, export, government use, and other terms that by their nature should survive, will survive termination.

2) Privacy Policy

2.1 Scope. This Privacy Policy explains how Company collects, uses, shares, and safeguards personal information, including PHI that you voluntarily upload, when you use the Services. This Policy is incorporated into the Terms.

2.2 Categories of Data We Collect. (a) Account Data (name, contact info, credentials); (b) User Content (documents, images, notes, lists, PHI you choose to upload); (c) Device/Usage Data (IP address, device identifiers, OS/app version, log files, crash reports, diagnostics, cookies, pixel tags); (d) Transaction Data (if paid tiers become available); (e) Support Communications.

2.3 Sources. We collect data directly from you, from your devices, and through integrations you authorize. We do not collect data from providers or payors unless you or a sponsor explicitly connects such sources.

2.4 Purposes of Use. Provide, operate, secure, personalize, support, and improve the Services; analyze usage; prevent fraud, abuse, and security incidents; comply with law; and create anonymized or aggregated data for analytics, research, and business purposes.

2.5 Sharing. We do not sell PHI. We may share personal data with: (a) service providers and subprocessors under contract; (b) affiliates for operational purposes; (c) authorities when required by law or to protect rights, safety, or property; (d) a successor entity in a merger, acquisition, or reorganization; and (e) with third parties at your direction (e.g., when you share via the Services).

2.6 Cookies and Tracking. We use strictly necessary, functional, analytics, and (if enabled) advertising cookies. You can manage preferences in your browser or device settings; however, some features may not function without certain cookies. See Cookies Appendix for details.

2.7 Data Retention. We retain personal data for as long as your account is active, as needed to provide the Services, to comply with legal obligations, resolve disputes, enforce agreements, and maintain business records. Backups and logs may persist for limited periods after deletion.

2.8 Security. We implement commercially reasonable administrative, technical, and physical safeguards designed to protect personal data. No method of transmission or storage is 100% secure. You assume risk for any data you upload or transmit.

2.9 Your Choices and Rights. Depending on your state of residence (e.g., CA, VA, CO, CT, UT), you may have rights to access, correct, delete, or obtain a copy of personal data; to opt out of certain processing; or to appeal a denial. Submit requests to privacy@sevakit.com with sufficient information to verify your identity.

2.10 Children’s Privacy. The Services are not directed to children under 13 and should not be used by them. If you believe we have collected personal data from a child under 13 without parental consent, contact us to request deletion.

2.11 International Transfers. We may process data in the United States or other countries with different data protection laws than your jurisdiction. By using the Services, you consent to such transfers.

2.12 Health Breach Notification. Where the FTC Health Breach Notification Rule or applicable state breach laws apply, we will provide legally required notices following a qualifying security incident.

2.13 Changes to this Policy. We may update this Privacy Policy; material changes will be highlighted. Continued use after changes indicates acceptance.

3) HIPAA / PHI Disclaimer & User Authorization

3.1 No HIPAA Covered Entity or Business Associate Status. Company is not a HIPAA Covered Entity or Business Associate as those terms are defined by HIPAA and its implementing regulations. Company does not create, receive, maintain, or transmit PHI on behalf of a Covered Entity except as may be separately agreed in a signed Business Associate Agreement (“BAA”).

3.2 No Provider–Patient Relationship. Your use of the Services does not create a provider–patient, fiduciary, or professional relationship with Company.

3.3 User Authorization. By uploading PHI to the Services, you authorize Company to store, host, process, and transmit PHI solely to provide and protect the Services and as otherwise permitted by law and this Agreement. You acknowledge that you control any sharing of your PHI using the Services and are solely responsible for such sharing.

3.4 Assumption of Risk. You understand that uploading or transmitting PHI carries inherent risks. You agree that Company is not liable for any unauthorized access, disclosure, or use of PHI except to the minimal extent liability cannot be disclaimed under applicable law.

3.5 Provider and Sponsor Responsibilities. If you are a healthcare provider or sponsor, you are solely responsible for your own legal compliance, including HIPAA, state privacy laws, and professional obligations. Company disclaims any responsibility for your regulatory duties.

3.6 Revocation. You may delete PHI or close your account at any time; backups and logs may persist briefly as part of routine operations, after which data is purged on a scheduled basis.

4) End User License Agreement (EULA)

4.1 License Grant. Subject to these terms, Company grants you a limited, nonexclusive, nontransferable, nonsublicensable, revocable license to install and use the KIT mobile application on devices you own or control for your personal, lawful use.

4.2 Restrictions. You shall not copy, modify, translate, adapt, create derivative works, reverse engineer, decompile, or disassemble the App, nor circumvent technological measures, nor rent, lease, lend, sell, or sublicense the App to any third party.

4.3 Updates; Changes. We may provide automatic updates or patches. We may modify, suspend, or discontinue features at any time without liability.

4.4 Platform Terms. Your use of the App is subject to the terms and policies of the platform from which you downloaded it (e.g., Apple App Store, Google Play).

4.5 Export Control. You will comply with U.S. export and sanctions laws. You represent you are not located in an embargoed country or on restricted lists.

4.6 Open Source Components. The App may include third-party open source software. Applicable open source licenses govern those components; to the extent of any conflict with this EULA, the open source license controls for the relevant component only.

5) Consent to Electronic Communications (E-Sign Agreement)

5.1 Consent. You agree to receive all notices, disclosures, records, and communications electronically, including via email, in-App messages, SMS, and postings in the Services.

5.2 Hardware/Software Requirements. You must maintain a compatible device, internet access, and current software to receive and retain electronic records.

5.3 Withdrawing Consent. You may withdraw consent by closing your account. We may terminate or limit the Services if you withdraw consent where electronic delivery is required.

5.4 Paper Copies. You may request a paper copy of legally required notices by emailing support@sevakit.com; fees may apply.

PART II – ENTERPRISE / SPONSOR AGREEMENTS

6) Data Processing Agreement (DPA)

6.1 Roles. For enterprise/sponsor relationships, the sponsor is the “Controller” and Company is the “Processor.” For California, Company acts as a “Service Provider.”

6.2 Instructions. Company processes personal data only on documented instructions from Controller, including transfers, unless required by law.

6.3 Confidentiality. Company ensures personnel are bound by confidentiality obligations.

6.4 Security Measures. Company implements appropriate technical and organizational measures (see Security Appendix) considering the nature, scope, context, and purposes of processing and risks.

6.5 Subprocessors. Controller authorizes Company to engage subprocessors; Company will maintain a list upon request and impose equivalent data-protection obligations on subprocessors.

6.6 Assistance. Taking into account the nature of processing, Company assists Controller with data subject requests, security, breach notifications, DPIAs, and consultations where required by law.

6.7 International Transfers. Where applicable, Company will implement appropriate transfer mechanisms (e.g., SCCs).

6.8 Audits. Upon reasonable written request and subject to confidentiality and frequency limits, Company will make available audit reports or allow inspections to demonstrate compliance.

6.9 Return/Deletion. Upon termination or at Controller’s direction, Company will delete or return personal data, unless retention is required by law or legitimate business records obligations.

6.10 Liability. Each party’s liability is limited as set forth in the governing commercial agreement and these Terms.

7) Business Associate Agreement (BAA) – Template

7.1 Applicability. This BAA applies only when Company performs functions or activities that involve the creation, receipt, maintenance, or transmission of PHI on behalf of a HIPAA Covered Entity (“CE”).

7.2 Permitted Uses and Disclosures. Company may use PHI solely to perform services for CE as specified in the underlying agreement, for proper management and administration, and as required by law.

7.3 Safeguards. Company will implement administrative, physical, and technical safeguards reasonably designed to protect the confidentiality, integrity, and availability of PHI.

7.4 Reporting. Company will report to CE any Security Incident or Breach of Unsecured PHI without unreasonable delay and no later than the time required by law upon discovery.

7.5 Subcontractors. Company shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on Company’s behalf agrees to substantially similar restrictions and conditions.

7.6 Access, Amendment, Accounting. To the extent CE is obligated, Company will reasonably cooperate to facilitate access, amendment, and accounting of disclosures of PHI.

7.7 Term and Termination. CE may terminate for cause if Company materially breaches this BAA and fails to cure. Upon termination, Company will return or destroy PHI if feasible; if not feasible, extended protections apply.

7.8 Miscellaneous. This BAA is subject to and incorporates applicable HIPAA provisions and does not expand Company’s liability beyond that permitted by law.

PART III – RISK CONTROL POLICIES

8) Acceptable Use Policy (AUP)

8.1 Prohibited Conduct. You will not: (a) violate law or third-party rights; (b) harass, threaten, defame, or abuse others; (c) upload or distribute malware; (d) probe, scan, or test the vulnerability of systems without authorization; (e) interfere with users or networks (e.g., DDoS, flooding, mailbombing); (f) access accounts or data without permission; (g) send unsolicited or unauthorized advertising, spam, or mass communications; (h) infringe IP rights or misappropriate trade secrets; (i) share content that is obscene, exploitative, hateful, or incites violence; (j) use automated means to extract data; (k) circumvent usage limits or authentication; (l) use the Services to create a competing product; (m) resell, rent, or lease access without authorization.

8.2 Enforcement. We may monitor compliance and investigate suspected violations. We may remove content, suspend, or terminate access at our discretion, and may refer matters to law enforcement where appropriate.

8.3 Reporting. Report abuse or suspected violations to abuse@sevakit.com.

9) Community Guidelines / Code of Conduct

9.1 Respect. Treat others with dignity. No hate speech, discrimination, or harassment.

9.2 Health Information. Do not spread misinformation or unverified medical claims. Cite reputable sources when discussing health topics.

9.3 Spam and Commercial Content. No unsolicited promotions or repetitive posting.

9.4 Enforcement. We may remove content, restrict features, or terminate accounts that violate these Guidelines.

10) Arbitration Agreement & Class Action Waiver

10.1 Agreement to Arbitrate. You and Company agree that any dispute, claim, or controversy arising out of or relating to the Services or this Agreement shall be resolved exclusively by binding arbitration, rather than in court, except that either party may seek individual relief in small-claims court for disputes within that court’s jurisdiction.

10.2 Rules and Forum. Arbitration will be administered by the American Arbitration Association (“AAA”) under its Consumer Arbitration Rules, as modified by this Agreement, and conducted in Fredericksburg, Virginia, in English. The Federal Arbitration Act governs the interpretation and enforcement of this arbitration agreement.

10.3 Procedures. The arbitrator has exclusive authority to resolve all issues regarding arbitrability and the scope, enforceability, and interpretation of this arbitration agreement. The arbitrator may award the same damages and relief as a court on an individual basis.

10.4 Class and Representative Actions Waiver. YOU AND COMPANY AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, COLLECTIVE, REPRESENTATIVE, OR PRIVATE ATTORNEY GENERAL ACTION.

10.5 Opt-Out. You may opt out of this arbitration agreement within thirty (30) days of first agreeing to these Terms by sending a written notice to: Sevakit Healthcare IT LLC, [Insert Address], Attn: Arbitration Opt-Out. Your opt-out will not affect other provisions of this Agreement.

10.6 Fees. AAA rules govern payment of all filing, administration, and arbitrator fees, subject to applicable law. Each party bears its own attorneys’ fees unless the arbitrator awards fees under applicable law.

10.7 Injunctive Relief. Nothing prevents either party from seeking temporary or preliminary injunctive relief in a court of competent jurisdiction to protect intellectual property or confidential information pending arbitration.

11) COPPA Parental Consent & Children’s Privacy Notice

11.1 No Direct Use by Children Under 13. The Services are not directed to children under 13 and should not be used by them. Parents or legal guardians may choose to store information about a child within their own account, but must not create direct accounts for children under 13.

11.2 Parental Consent. Where a feature expressly contemplates participation by a minor, we will request verifiable parental consent in accordance with COPPA. If we learn that a child under 13 submitted personal information without verifiable parental consent, we will delete it.

11.3 Teen Users. Additional state rules may apply for teens ages 13–17; parents and guardians should supervise use.

PART IV – MISCELLANEOUS

12) Notices, Contact, and Governing Law

12.1 Governing Law. This Agreement is governed by the laws of the Commonwealth of Virginia, without regard to conflict-of-laws principles, and the Federal Arbitration Act for arbitration matters.

12.2 Contact. Legal notices: Sevakit Healthcare IT LLC, [Insert Address], Attn: Legal; legal@sevakit.com. Support: support@sevakit.com.

12.3 Language. The controlling language is English. Translations are for convenience only.

12.4 Headings; Interpretation. Headings are for convenience and do not affect interpretation. “Including” means “including without limitation.”

13) Survival of Terms

All provisions that by their nature should survive termination, including ownership, licenses, indemnities, warranty disclaimers, limitations of liability, arbitration, and governing law, will survive.

APPENDICES (Incorporated by Reference)

Appendix A – Cookies & Tracking Technologies

A1. Categories: (a) Strictly Necessary; (b) Functional; (c) Analytics; (d) Advertising (if enabled).

A2. Controls: Browser settings, device settings, in-app preferences. Disabling certain cookies may impair functionality.

Appendix B – Security Overview (Summary)

B1. Access Controls: Role-based access, least-privilege, MFA for admin consoles where available.

B2. Data Protection: Encryption in transit (TLS) and at rest (where supported), key management by cloud provider.

B3. Development Practices: Code review, dependency management, vulnerability scanning where feasible.

B4. Operations: Backups with rolling retention; logging and monitoring; incident response procedures.

B5. Subprocessors: Cloud hosting and ancillary vendors under contractual safeguards; list available upon request.

Appendix C – Data Subject Rights (DSR) Procedure

C1. Verification: We will verify identity using reasonable methods before responding to requests.

C2. Scope: Access, correction, deletion, copy/export, opt-out of certain processing (where applicable).

C3. Response Times: We aim to respond within timeframes required by applicable law.

C4. Appeals: If your request is denied, you may appeal by emailing privacy@sevakit.com with “Appeal” in the subject line.

Appendix D – DMCA Policy

D1. If you believe content infringes your copyright, send a DMCA notice to dmca@sevakit.com with: (a) identification of the copyrighted work; (b) identification of infringing material; (c) contact information; (d) a statement of good-faith belief; (e) a statement under penalty of perjury; and (f) your signature. We may remove or disable access to the content and terminate repeat infringers. Counter-notices should follow 17 U.S.C. §512 requirements.

Appendix E – Security Incident & Breach Notification Overview

E1. Detection & Triage: Internal intake, logging, initial assessment.

E2. Containment & Eradication: Limit impact, patch vulnerabilities, rotate credentials as needed.

E3. Notification: Where required by law (e.g., state breach laws, FTC HBNR, HIPAA if applicable via BAA), notify affected parties and/or authorities within required timelines.

E4. Post-Incident Review: Root cause analysis, corrective actions, and documentation.

Appendix F – Data Retention & Deletion Schedule (Template)

F1. Account Data: Retained for life of account plus 12 months, unless earlier deletion requested or law requires longer/shorter.

F2. User Content/PHI: Retained until user deletion or account closure; backups/logs persist for limited periods per operational policy.

F3. Support Tickets: Retained up to 24 months for quality and compliance.

F4. Audit Logs: Retained 12–24 months depending on system.

Appendix G – Jurisdiction-Specific Addendum (U.S. States)

G1. California (CPRA). You may have rights to know, access, delete, correct, and opt-out of “sharing” or “selling” personal information; we do not sell PHI. Sensitive personal information is used only for limited purposes permitted by CPRA. Do Not Sell/Share and Limit Use links (if applicable) will be provided in the Services.

G2. Virginia (VCDPA). Virginia residents may exercise rights to access, correct, delete, obtain a copy of personal data, and opt out of targeted advertising or profiling where applicable.

G3. Colorado/Connecticut/Utah. Similar rights may apply; we provide mechanisms to submit requests and to appeal denials.

Appendix H – Subprocessors (List on Request)

H1. We rely on reputable cloud and service providers (e.g., hosting, analytics, email, support) under contractual safeguards. A current list of subprocessors can be requested at privacy@sevakit.com.

Appendix I – Open Source Licenses (If Applicable)

I1. The App may include third-party open source components. Their license texts will be made available within the App or upon request.

Acceptance

By clicking “I Agree,” creating an account, or using the Services, you acknowledge that you have read, understood, and consent to be bound by the Master User Agreement Pack, including all incorporated policies, appendices, and addenda.

© (2025) Sevakit Healthcare IT LLC. All rights reserved.