Privacy PolicyEffective Date: 28th November 2025

Overview

This Privacy Policy explains in detail how Doceree Inc. (“Doceree,” “we,” “our,” or “us”) collects, uses, discloses, and safeguards information when you access or interact with Doceree’s Spark Platform (“Spark” or the “Spark Platform”). We understand that the environments in which Spark operates, electronic health records (EHRs), health-system applications, and clinical workflows, require the highest standards of privacy, security, and regulatory compliance. We do not collect, receive, or process personal health information (PHI) through Spark, and we are committed to ensuring that all information handled through the Spark Platform is protected with rigorous administrative, technical, and physical safeguards.

The Spark Platform is a proprietary, cloud-based, clinical-context messaging platform that enables the delivery of Spark Messages, including Co-Pay Spark, Trial Spark, and Drug Spark, within participating EHR systems and health-system digital environments. As reflected on our Spark Platform website , Spark Messages are surfaced based on real-time, workflow-aligned, de-identified contextual signals generated within the publisher’s environment. Spark is not an advertising network, does not manage ad inventory, and does not use cookies, pixels, device identifiers, or behavioral tracking technologies to deliver Spark Messages. Instead, Spark facilitates compliant, context-aware messaging that helps inform providers with relevant program information at appropriate points in their clinical workflows.

Your primary interactions with Spark occur through the Spark Platform Portal, a secure, web-based administrative interface used by publishers, health-system partners, and authorized users to configure Spark integrations, manage settings, review aggregated reporting, and monitor operational performance. While using the Portal, you may also interact with certain third-party service providers, such as cloud hosting vendors, security tools, analytics platforms, or workflow-support utilities, that help operate or enhance the Spark Platform. This Privacy Policy describes Doceree’s data practices relating to the Spark Platform and the limited circumstances in which information may be accessed by or shared with such service providers, as well as the choices and rights you may exercise under applicable privacy laws.

This Privacy Policy provides transparency on the following:

• The types of personal, technical, and platform-level information we collect through the Spark Platform Portal;
• The purposes for which we use this information, the legal bases supporting our practices, and our strict limitations on data related to Spark Message delivery;
• The privacy rights you may have under applicable U.S. and international laws;
• The administrative, technical, and organizational safeguards we maintain to protect information within the Spark Platform; and
• How you may contact us to exercise your privacy rights or raise questions or concerns.

We encourage you to review this Privacy Policy carefully and in its entirety. By accessing or using the Spark Platform Portal, you acknowledge and accept the practices described herein. If you do not agree with the terms of this Privacy Policy, you should not use the Spark Platform Portal.

Information We Collect

Doceree collects a limited set of information from users of the Spark Platform Portal in order to operate, secure, and improve the service, support authorized user access, maintain system integrity, and comply with applicable legal and regulatory obligations. Spark does not collect, receive, or process personal health information (PHI), and Spark Message delivery inside EHR or health-system environments does not rely on cookies, tracking technologies, device identifiers, behavioral data, or personalized targeting. This section explains the types of information collected through the Spark Platform Portal, how that information is obtained, and the context in which collection occurs.

1. Information You Voluntarily Provide

We collect information you choose to submit when interacting with the Spark Platform Portal, including when you register for an account, configure Spark integrations, participate in onboarding, manage publisher or system settings, engage with customer support, or submit feedback. This may include:

• Account and Business Details – such as your name, business email address, organization or health-system affiliation, role, and other profile details you provide for authentication or account administration.
• Inventory and Preference Data – such as integration settings, module-level configuration options, workflow preferences, reporting parameters, and Spark Message placement choices you set within the Portal.
• Communications and Submissions – including support tickets, onboarding requests, documentation uploads, training submissions, or other information you voluntarily provide during operational interactions.

This information may be associated with a unique internal identifier solely to maintain session continuity, enforce security controls, prevent misuse, preserve audit trails, and ensure proper functioning of the Spark Platform Portal.

2. Information Collected Automatically

When you access or use the Spark Platform Portal, Doceree and authorized service providers automatically collect certain technical and usage information through Cookies (limited to Portal functionality), log files, and similar technologies. This may include:

• Device and Technical Identifiers – including IP address, browser type, operating system, device configuration, language preferences, and system settings necessary to display the Portal correctly and maintain security.
• Platform Interaction Data – such as pages visited, features accessed, time spent within specific Portal sections, configuration actions, navigation patterns, and error logs used to diagnose performance issues and improve functionality..
• Approximate Location Data – derived from IP address solely to support security protections, detect anomalous access patterns, and comply with regional access or regulatory requirements.

This automatically collected information is used only to operate, secure, and improve the Spark Platform Portal. It is not used to deliver Spark Messages, perform behavioral analysis, target individuals, or build user profiles. Additional details on Cookies used within the Portal are provided in our Cookie Policy.

3. Information Received from Third Parties

Doceree may receive limited information about you or your organization from trusted third-party partners that support the secure and compliant operation of the Spark Platform Portal. Such partners may include:

• Identity and Security Providers – used to authenticate users, verify authorized access, detect fraud, enhance security controls, or enable enterprise-grade login and credential management.
• Cloud Hosting, Performance, and Analytics Providers – that supply aggregated or de-identified operational insights to help maintain system performance, identify errors, and improve Portal functionality.
• Publisher or Health-System Partners – who may provide business contact information or integration metadata necessary to support configuration, onboarding, or system interoperability.

Any information received from such partners is protected under the same administrative, technical, and contractual safeguards that apply to information collected directly from you. No information received from external sources is ever used for advertising, targeting, or marketing purposes.

Sensitive Information Notice Disclaimer: The Spark Platform does not request, collect, or process sensitive personal identifiers such as Social Security numbers, driver’s license numbers, passport numbers, bank account numbers, protected biometric identifiers, or personal health information (PHI). Spark Messages delivered inside EHR workflows rely solely on de-identified contextual signals generated within the publisher’s environment, and no identifiable patient or clinician data is transmitted to Doceree.

How We Use Your Information

We use the information collected through the Spark Platform Portal solely for operational, administrative, security, and legal purposes. Our processing supports the configuration, management, reporting, and secure functioning of the Spark Platform and does not involve targeted advertising, behavioral profiling, campaign optimization, or tracking of clinical activity within EHR systems. Spark Message delivery is powered exclusively by de-identified, workflow-based contextual signals generated within publisher environments, and Doceree does not receive, use, or process personal health information (PHI).

Below, we describe the specific purposes for which information may be used:

1. To Provide and Maintain the Spark Platform: We use your information to deliver the core services available through the Spark Platform Portal and to ensure its reliability, security, and functionality. This includes creating and managing user accounts, authenticating logins, enabling administrative controls, maintaining audit logs, facilitating configuration of Spark integrations, and supporting access to reporting dashboards that display aggregated, non-identifiable performance insights.
   
   Information you provide also allows us to maintain system performance, troubleshoot issues, prevent unauthorized access, and ensure secure, uninterrupted access across sessions. When you contact us for assistance, we use the information you provide to respond to inquiries, resolve technical problems, and offer operational guidance.
   
   If you choose to set user preferences or customize your Portal experience, such as dashboard layouts, reporting filters, notification settings, or configuration selections, we retain these preferences to streamline future access and provide a consistent, frictionless user experience.


2. To Personalize and Improve the Spark Platform: We analyze how authorized users interact with the Spark Platform Portal to improve its usability, performance, and feature design. This may include understanding which tools are used most frequently, identifying friction points or errors, and assessing how users navigate the Portal.
   
   Where permitted by law, we may use Cookies or analytics technologies to support performance insights, reduce operational redundancy, and enhance the overall Portal experience. Any such use is limited to Portal functionality and never applies to Spark Message delivery within EHR workflows. We do not use collected information to personalize marketing, target individuals, or perform behavioral profiling.


3. Use of Automated Tools and AI Features: The Spark Platform Portal may use automated technologies, including artificial intelligence (AI) or machine-assisted processing, to support system diagnostics, error detection, reporting enhancements, or workflow efficiency improvements. These tools may help identify technical issues, generate operational insights, or suggest configuration optimizations, but they do not access PHI, perform user profiling, or influence Spark Message delivery inside EHR systems.

AI-generated outputs are advisory in nature and do not make automated decisions that create legal, financial, or clinically significant consequences. Users remain responsible for applying their professional judgment and organizational policies when acting on such insights


4. To Communicate with You: We use your information to send transactional notices (such as account updates, security alerts, integration notifications, or support responses), as well as to inform you of Platform improvements or administrative changes. If you opt in, we may send communications about new features or enhancements to the Spark Platform Portal. You may opt out of such non-essential communications at any time.
   
   We do not send marketing communications without legally required consent, and we honor all opt-out requests promptly.


5. To Enforce Terms, Comply with Legal Obligations, and Protect Users: We may use your information to enforce our Terms of Use and policies, investigate potential misuse, detect or prevent fraud or unauthorized access, and comply with applicable legal obligations, regulatory inquiries, or lawful requests from courts or government authorities.
   
   We also use this information to protect the integrity of the Spark Platform, safeguard user accounts, and ensure the security of publisher environments and Doceree systems.


6. For Aggregated and De-Identified Insights: We may use aggregated or de-identified information for analytics, research, reporting, benchmarking, service optimization, and general product improvement. Such information does not identify individuals or organizations and is used exclusively to enhance the Spark Platform. Aggregated or de-identified data is never used for advertising, targeting, or marketing.

How We Share Your Information

We do not sell your personal information. However, in operating, securing, and maintaining the Spark Platform Portal, we may share certain limited categories of information with trusted third parties under controlled and contractually restricted circumstances. All disclosures are narrowly tailored to support Platform functionality, security, compliance, and business continuity. We do not share information for advertising purposes, behavioral targeting, or profiling, and Spark Message delivery inside EHR or health-system workflows does not rely on or require the sharing of personal information.

Below are the specific circumstances in which information may be shared:

1. With Service Providers and Operational Vendors: We engage a limited number of third-party service providers who assist with delivering, supporting, and enhancing the Spark Platform Portal. These providers act solely on our behalf and are bound by strict contractual obligations, including confidentiality, data protection, and use-limitation requirements. Depending on your use of the Portal, these vendors may include:
   
   
   • Cloud hosting and infrastructure providers that operate secure environments for the Platform
   • Security and identity-management tools used to authenticate users, prevent unauthorized access, and detect threats
   • Analytics and performance-monitoring tools used to identify errors, measure system performance, and improve Portal functionality
   • Support, ticketing, and communication tools used to manage customer-service interactions
   • Email or notification services for transactional messages or Platform updates (with opt-in for non-essential communications)
   Service providers are prohibited from using your information for any purpose other than providing services to Doceree.


2. With Third-Party Analytics Providers: We may share limited technical or usage information—such as browser type, access times, features used, and error logs—with trusted analytics providers for the sole purpose of:
   
   
   • monitoring Portal performance
   • diagnosing issues
   • improving usability
   • supporting system optimization
   These analytics tools operate only within the Spark Platform Portal and never within EHR environments. They do not receive PHI, do not receive identifying clinical data, and do not support marketing, advertising, or behavioral profiling.
   
   We do not share personally identifiable information with analytics providers unless required by law or necessary for security operations.


3. With Publisher and Health-System Partners: If you are a user operating within a publisher, EHR, or health-system organization, we may share limited operational or account-level information with your organization to support secure access, coordinate onboarding, validate integration settings, and enable the proper functioning of Spark Message delivery within workflow environments. This may include sharing user administration details, configuration metadata, or technical information required to maintain interoperability between the Spark Platform Portal and your organization’s systems. We do not share personal health information (PHI), behavioral data, or any information used for marketing or targeting. All disclosures to publisher or health-system partners are strictly limited to what is necessary for operational support and are subject to contractual obligations that ensure the information is used only to facilitate Spark Platform functionality.
   
   
4. For Legal, Security, and Compliance Purposes: We may disclose information when required to comply with applicable laws, regulatory obligations, court orders, or lawful requests from government authorities. We may also use or share information to enforce our Terms of Use and other policies, investigate or prevent fraud, misuse, unauthorized access, or security incidents, and protect the rights, safety, and integrity of the Spark Platform, its users, and Doceree’s systems. These disclosures are made only when legally necessary and are limited to the minimum amount of information required to fulfill the relevant legal, regulatory, or security purpose.
   
   Such disclosures are limited to what is legally permissible and necessary and are made in accordance with applicable due process standards.


5. With Affiliates or in Business Transfers: We may share information with our parent company, subsidiaries, or other Doceree entities under common ownership where necessary to operate the Spark Platform, maintain internal records, or ensure business continuity. All affiliates are bound by equivalent privacy and security obligations.
   
   In the event of a merger, acquisition, financing, reorganization, or sale of assets, relevant information may be shared with prospective or actual transaction participants under strict confidentiality terms. If ownership of the Spark Platform changes, your information will remain subject to this Privacy Policy unless otherwise notified.


6. With Your Consent: We will share information with third parties for any purpose not already described in this Privacy Policy only when you provide explicit, informed consent. This may occur, for example, if you choose to enable a third-party integration within the Spark Platform Portal or request optional services that require external data sharing.

At the time consent is requested, we will clearly explain the purpose, scope, and the categories of recipients.

Your Rights and Choices

We recognize that the information you provide or generate through the Spark Platform Portal, including account details, configuration selections, audit logs, technical data, and operational or performance-related interactions, is important and deserves clear, meaningful, and enforceable controls. The Spark Platform is designed to provide transparency and allow you to manage how your information is accessed, stored, used, and shared. These rights apply regardless of how you access the Spark Platform Portal, whether through a web interface, a supported device, or enterprise-authenticated login. These controls ensure that users maintain full visibility over their information while allowing the Spark Platform to operate securely, reliably, and in compliance with applicable global privacy laws.

1. Right to Access Your Information: You may request access to the categories and specific pieces of personal information we have collected about you through the Spark Platform Portal. This may include account profile data, administrative identifiers, configuration preferences, audit logs, session metadata, and records of your interactions with the Platform Portal. Before providing access, we take appropriate steps to verify your identity to prevent unauthorized disclosure. Where feasible, and consistent with applicable law, we will provide this information in a structured, machine-readable, and portable format so that you may review or transfer it for your own purposes. In some cases, access may be subject to limitations imposed by security, legal, or operational requirements, and we will inform you if such limitations apply.


2. Right to Request Deletion of Your Information: You may request that we delete personal information collected through the Spark Platform Portal. Upon receiving and verifying your request, we will delete the information unless an exception applies. Certain categories of information may be retained when necessary to fulfill ongoing operational requirements, maintain audit trails, prevent fraud or misuse, comply with contractual commitments, satisfy legal or regulatory obligations, or preserve security and integrity of the Spark Platform. Examples of permissible exceptions include detecting security incidents, resolving system errors, maintaining documentation required by law, completing internal or external audits, and supporting business continuity. If full deletion is not possible, we will restrict further use to the specific lawful purpose that requires retention and will not process the information for unrelated operational or commercial reasons.
   
   
3. Right to Correct Inaccurate Information: If any personal or account-related information maintained within the Spark Platform Portal is inaccurate, outdated, or incomplete, you may request that we correct it. Depending on the nature of the information and applicable legal requirements, we may request supporting documentation or verification before making changes. We will update or amend the information where appropriate or provide a clear explanation if a correction cannot be made, for example, where retention is required for security, auditing, or compliance purposes or where the information is derived from system-generated logs that cannot be altered.


4. Right to Restrict Use of Certain Information: You may request that specific categories of information collected through the Spark Platform Portal, such as account details, usage data, or certain technical identifiers, be used only for essential purposes. Essential purposes include authentication, security, system performance, compliance, and operational maintenance. Where technically and operationally feasible, we will honor your restriction request and limit our use of restricted information accordingly. When we cannot restrict certain data (for example, if it is required to maintain login integrity, enforce system security, or comply with legal obligations), we will inform you of the reasons.


5. Right to Control Cookies and Tracking Technologies: The Spark Platform Portal uses Cookies and similar technologies solely for purposes that support the secure, reliable, and efficient functioning of the Portal. These technologies are used only for authentication, session integrity, security protections, performance monitoring, and optional analytics that help us understand how the Portal is used. Cookies are not used to deliver Spark Messages in EHR or health-system workflows and are not used for advertising, behavioral tracking, profiling, or any activity involving personal health information (PHI). You maintain several options to manage or disable these technologies, depending on your browser, device, and platform settings.



Categories of Cookies and Tracking Technologies We Use

The Cookies and similar technologies used within the Spark Platform Portal, or by third-party service providers acting strictly on our behalf, fall into the following categories:


• Strictly Necessary Technologies: These technologies are essential for the secure and reliable operation of the Spark Platform Portal. They enable core functions such as user authentication, session management, secure navigation, fraud prevention, and protection against unauthorized access. Without these technologies, key features of the Portal may not function properly or may become inaccessible.
• Performance and Analytics Technologies: These tools collect aggregated, non-identifiable, or anonymized information about how users interact with the Spark Platform Portal. Examples include the pages or dashboards accessed, features utilized, error logs, and session duration. This information allows us to monitor system performance, identify usage patterns, diagnose technical issues, and improve Portal’s reliability and user experience. Third-party analytics services may be used subject to their own privacy policies and are contractually restricted from using collected data for any unrelated purposes.
• Functional Technologies: These technologies support user-selected configurations and enhance usability. They remember login preferences, reporting filters, dashboard layouts, and other configuration settings that help maintain a consistent and efficient user experience across sessions and devices. Disabling these technologies may require users to re-enter preferences or configurations with each session.
• Operational Measurement Technologies: Where permitted by law and applicable only within the Spark Platform Portal, we may use cookies or similar technologies to evaluate how specific Portal features perform, measure loading or processing times, assess user engagement with interface elements, or improve operational workflows. These tools are never used for advertising, personalized marketing, behavioral targeting, or cross-site tracking, and they do not interact with Spark Messages delivered inside EHR environments.
Third-Party Use of Cookies: Some Cookies and tracking technologies on the Spark Platform Portal may be deployed by third-party providers acting strictly under contract with Doceree. These may include analytics firms, cloud infrastructure vendors, performance-monitoring tools, security service providers, or other operational partners supporting the Portal. Such third parties may use the information collected through Cookies only to perform services that Doceree has explicitly contracted them to provide. They are prohibited from using the information for their own business purposes or for any form of advertising, targeting, or unrelated analytics.



Your Cookie Choices: You have multiple options to manage or disable Cookies and tracking technologies used within the Spark Platform Portal:

• Cookie Preferences Tool: Where available, you may adjust your settings for non-essential Cookies through the Cookie Preferences tool offered within the Portal. This allows you to toggle functional or analytics technologies while retaining strictly necessary Cookies required for secure operation.
• Browser Settings: Most modern browsers allow you to block, limit, or delete Cookies using built-in privacy controls. These may include options to clear stored data, restrict third-party Cookies, or manage site-specific preferences. You may also enable browser features such as Global Privacy Control (GPC). Please note that while we honor GPC signals where required by law, the Spark Platform Portal does not currently respond to legacy “Do Not Track (DNT)” signals due to the lack of an industry standard.
• Developer and Operation System Settings: Some devices and operating systems provide system-level controls for managing application data, permissions, and tracking settings. Adjusting these controls may limit Cookie storage or access on certain devices.
Please be aware that disabling certain categories of Cookies, particularly strictly necessary or functional technologies, may impair the availability, stability, or functionality of some Spark Platform Portal features.

Additional Information: For more detailed information about the Cookies and related technologies used in the Spark Platform Portal, including the specific tools deployed, their retention periods, and options for managing them, you may refer to our Cookie Policy and Preferences or contact us at privacy@doceree.com for assistance. We are committed to ensuring transparency and providing clear guidance so that you can make informed decisions about how your information is used within the Portal.


6. Right to Opt-Out of Marketing and Personalized Communications: You may choose to opt out of optional communications, such as updates about new Spark Portal features, educational resources, or product enhancements. If you no longer wish to receive such communications, you may unsubscribe using the link in our emails or adjust your notification settings within the Portal (where available). Please note that opting out of promotional or optional communications does not affect your receipt of essential transactional messages, including security alerts, system notices, integration updates, or responses to your inquiries.


7. Right to Withdraw Consent: If we process certain information based on your explicit consent, for example, in connection with optional analytics features, optional integrations, or other elective services, you may withdraw that consent at any time. Withdrawal will prevent further processing for the specific purpose for which consent was provided, but it will not affect the lawfulness of processing performed before the withdrawal. Some Platform functionality may be unavailable after consent is withdrawn.



8. Right to Submit a Complaint or Raise a Concern: If you believe your privacy rights have been violated or have a concern about how your information is being handled, you may contact us directly at legal@doceree.com / privacy@doceree.com or by mail at:

   Doceree Inc.
   150 John F Kennedy Parkway, Suite 403
   Short Hills, NJ 07078

   We will investigate legitimate concerns in a timely and thorough manner and will communicate the outcome or any remediation steps. Depending on your jurisdiction, you may also have the right to escalate your concern to a regulatory authority or data protection agency. If such escalation rights exist, we will provide guidance on how to proceed.

Data Retention

Doceree retains personal, technical, and platform-related information collected through the Spark Platform Portal only for as long as necessary to fulfill the operational, security, legal, and compliance purposes described in this Privacy Policy, unless a longer retention period is required or permitted under applicable laws, regulations, industry standards, or contractual obligations with publishers and health-system partners. Our retention practices are guided by principles of necessity, proportionality, accountability, and strict adherence to privacy and security obligations. Importantly, the Spark Platform does not store, process, or retain personal health information (PHI), as Spark Messages are triggered solely through de-identified contextual signals generated within publisher-controlled environments.

Categories of Retained Information

We may retain different categories of information for varying periods depending on the context and purpose of collection:

1. Account and Communication Records: Information associated with your Spark Platform Portal account, including registration details, authentication credentials, administrative roles, user preferences, notification settings, configuration selections, audit trails, and communication history, is retained as necessary to maintain your account, support ongoing operational use, respond to inquiries, fulfill administrative obligations, and ensure continuity across sessions.


2. Device, Technical, and Interaction Data: Technical information such as IP addresses, browser metadata, device type, session identifiers, access logs, system events, and interactions collected through Cookies and performance technologies within the Portal may be retained for purposes including security monitoring, fraud detection, performance optimization, troubleshooting, auditing, and maintaining the stability and integrity of the Platform. Retention periods depend on the nature of the data, the technology used, and security or compliance requirements.


3. Consent, Preference, and Rights Request Logs: Records reflecting your cookie preferences, consent selections, opt-out choices, privacy requests, access or deletion logs, and other privacy-related actions are retained as required for regulatory compliance, audit readiness, dispute resolution, and verification of rights fulfillment under applicable laws such as GDPR, CPRA, or MHMDA.


4. Operational and Performance Data: Aggregated or de-identified usage data, performance metrics, error logs, and operational insights generated by the Spark Platform Portal may be retained for internal analytics, benchmarking, product improvement, system diagnostics, historical recordkeeping, and compliance reporting. Such data does not identify individuals or organizations and is processed strictly in non-identifiable form.

Retention Criteria: The duration for which information is retained on the Spark Platform is determined by several key factors:

1. Legal, Statutory, and Regulatory Obligations: We retain information for periods required by applicable laws, health-system obligations, contractual agreements, or industry standards. This may include retention of audit logs, security records, consent logs, and operational documentation necessary for compliance with regulatory authorities or accreditation requirements.


2. Business and Operational Necessity: Information may be retained to support the secure and reliable operation of the Spark Platform Portal, maintain system performance, support account-related activities, preserve operational continuity, improve platform features, ensure disaster recovery capabilities, or fulfill internal governance responsibilities.


3. User-Driven Requests: When you submit a request to delete, correct, or transfer your information, we will take appropriate action in accordance with applicable laws. Only information necessary to comply with legal obligations, settle outstanding transactions, complete initiated services, or support legitimate internal processes will be retained.


4. Dispute Resolution and Enforcement: Relevant information may be retained to investigate or address security incidents, enforce the Spark Platform’s Terms of Use, detect or prevent misuse, respond to legal claims, comply with subpoenas or court orders, or defend Doceree’s legal rights. Retention is limited to what is reasonably necessary for these purposes.

Deletion and De-identification Practices

Once information is no longer needed for the purposes for which it was collected, and no applicable legal, operational, contractual, or regulatory requirement compels continued retention, we implement appropriate measures to ensure the secure disposition of the information. These measures may include:

• Removal of information from active systems and, where feasible, from backups or archives so that it is no longer accessible or recoverable.


• Transforming the information in accordance with applicable laws and recognized de-identification standards so that it can no longer reasonably be linked to any individual or account.


• Converting information into aggregated, non-identifiable datasets for statistical analysis, operational monitoring, benchmarking, or system improvement.

If immediate deletion is not feasible due to technical constraints, system integrity requirements, or active legal holds, the information will be isolated from normal operations, access will be restricted, and the information will not be used for any purpose other than compliance with the applicable retention obligation.

User Inquiries About Retention

If you have questions regarding how long a particular type of personal or technical information is retained in relation to your use of the Spark Platform, you may contact us at:

• Email: privacy@doceree.com
• Mail: Doceree Inc.
  150 John F Kennedy Parkway, Suite 403
  Short Hills, NJ 07078

We will respond to reasonable and verifiable inquiries in a timely manner, in accordance with applicable law.

How We Protect Your Information

At Doceree, we take the security and protection of your personal, account, and technical information extremely seriously. Safeguarding the information processed through the Spark Platform Portal is fundamental to maintaining trust, supporting our publisher and health-system partners, and ensuring the safe and reliable operation of the Spark Platform. To achieve this, we maintain a comprehensive privacy and security program that incorporates administrative, technical, and physical safeguards designed to prevent unauthorized access, maintain data integrity, and ensure that information is used only for lawful and authorized purposes. While Spark does not collect or store personal health information (PHI) and does not process clinical workflow data beyond de-identified contextual signals controlled by publishers, we apply rigorous protections to all information entrusted to us.

• Administrative Measures: We implement internal governance policies and procedures to ensure responsible handling of information within the Spark Platform. These measures include role-based access controls, mandatory staff training on privacy, confidentiality, and secure data practices, and ongoing monitoring of how information is collected, stored, accessed, and used. Access to personal or account information is limited strictly to authorized personnel who require such access to perform operational or support functions. All third-party service providers acting on our behalf are subject to binding contractual obligations requiring them to maintain privacy and security protections consistent with Doceree’s standards and applicable laws.


• Technical Protections: The Spark Platform uses a wide range of technical safeguards to protect information against unauthorized access, alteration, or misuse. These protections include data encryption in transit and at rest, secure transmission protocols, network and application-level security controls, firewalls, intrusion detection and prevention systems, continuous monitoring for anomalies, and regular vulnerability assessments. The Spark Platform is designed using secure development practices and undergoes ongoing security reviews to maintain confidentiality, integrity, and availability of system data. We continuously evaluate and enhance these controls to adapt to evolving threats and to uphold a robust security posture.


• Physical Safeguards: The physical infrastructure supporting the Spark Platform, including data centers, hosting environments, and operational facilities, is protected using controlled access mechanisms, environmental protections, monitoring systems, and additional physical security measures implemented by trusted infrastructure providers. These safeguards help prevent unauthorized physical access, interference, or disruption to the systems that support the Spark Platform Portal.


• Security Incident Notification: If a security incident occurs that could affect the confidentiality, integrity, or availability of your information, we will promptly investigate the incident, take appropriate corrective measures, and work to mitigate any potential harm. Where required by applicable law, we will notify you or your organization without undue delay through email, in-platform notifications, or other direct communication. Any legally required notifications will include information about the nature of the incident, the categories of data involved (if known), steps taken to address the issue, and recommended actions you can take to protect your information.
  
  While no platform can guarantee absolute protection against every potential threat, Doceree is committed to maintaining, reviewing, and enhancing its security measures to address emerging risks and industry best practices. For any security concerns, you may contact us at privacy@doceree.com.

Children’s Privacy

The Spark Platform and the Spark Platform Portal are intended exclusively for use by adults in professional, institutional, or organizational settings, such as publishers, EHR partners, health systems, and authorized enterprise users. Spark is not directed to children, is not designed for personal or consumer use, and does not collect personal information from minors in any context. We do not knowingly request, collect, or process information from individuals under the age of 18, and we specifically do not knowingly collect personal information from children under the age of 13.

If you are under 13 years of age, you must not access or use the Spark Platform Portal, submit any personal information, or attempt to register for an account. All Spark Platform functionality is intended for professional use and requires authorized access, which is not made available to minors.

If we become aware that personal information has been collected from a child under 13 without appropriate verified consent or in violation of applicable laws or this Privacy Policy, we will take prompt and appropriate steps to delete the information and, if applicable, disable the associated account, credentials, or access pathway. We encourage parents, guardians, and organizational administrators to contact us immediately if they believe that a child may have accessed the Spark Platform Portal or that information about a minor may have been inadvertently collected.

If you have reason to believe that we may have received information from or about a child in violation of this policy, please contact us promptly at privacy@doceree.com , and we will investigate the matter in accordance with our security and compliance procedures.

Third-Party Services and Integration

The Spark Platform Portal may integrate with, or provide access to, a range of third-party services and technologies that support its operation, performance, and security (collectively, “Third-Party Services”). These Third-Party Services may include cloud hosting providers, identity and access management tools, security monitoring systems, analytics platforms, performance-measurement tools, operational utilities, and communication or support systems essential to delivering and maintaining the Spark Platform Portal. These services operate under strict contractual obligations and are permitted to process only the information necessary to provide their respective functions.

When you interact with Third-Party Services, such as by accessing reporting dashboards, receiving system notifications, engaging with support features, or enabling optional integration tools, certain technical, operational, or account-related information may be shared with these service providers to support functionality, maintain system integrity, or facilitate communication. These interactions are governed by the privacy policies and terms of use of the respective third parties, and we encourage you to review those policies to understand how information may be processed in the context of their services.

Doceree does not control, endorse, or assume responsibility for the independent practices, security controls, or privacy policies of any Third-Party Services. Although we select third-party partners with strong security and compliance capabilities, each service provider maintains its own data handling obligations and may offer rights or choices that differ from those provided under this Privacy Policy.

Examples of how Third-Party Services may interact with the Spark Platform Portal include:

• Analytics and System Performance Tools: Third-party analytics providers may process aggregated, de-identified, or technical information, such as page access patterns, feature utilization, load times, or error logs, to help us diagnose issues, understand user interactions, improve Portal performance, and enhance system reliability. These tools do not receive PHI and do not perform behavioral tracking, advertising analytics, or cross-site profiling


• Cloud Hosting and Infrastructure Services: : Trusted infrastructure partners provide secure environments for storing, processing, and transmitting information necessary for Portal operation. These providers may access limited technical data solely as needed to maintain availability, security, resilience, uptime, and continuity of service.


• Security, Compliance, and Identity-Management Tools: We may use third-party technologies to authenticate users, manage access permissions, monitor for threats, detect anomalies, or prevent unauthorized access. These providers may process login metadata, device or browser details, or security-related events strictly to fulfill these protective functions.


• Support, Communication, and Ticketing Providers: If you interact with Doceree for support, training, or troubleshooting, third-party communication tools may process account details, support logs, or messages to facilitate assistance and recordkeeping. These services operate under confidentiality and data-use restrictions and do not process PHI.

Please note that any information you provide directly to a third party outside the Spark Platform Portal, such as through independent websites, external systems, or vendor-owned applications, is not governed by this Privacy Policy. Doceree disclaims responsibility for the handling of information submitted voluntarily to external third-party providers that are not integrated into the Spark Platform Portal.

If you have questions regarding specific third-party integration, you may contact us at privacy@doceree.com, and we will endeavor to provide clarification to the extent possible in our role as the provider of the Spark Platform.

Geographical Scope of Services

The Spark Platform and the Spark Platform Portal are accessible to authorized users in multiple regions worldwide, including the United States, the United Kingdom, India, and other jurisdictions in which Doceree operates or provides enterprise services. Because Spark supports publishers, EHR partners, and health-system organizations across diverse regulatory environments, the collection, processing, and transfer of personal information through the Platform Portal are conducted in accordance with the privacy, data protection, and security laws applicable to the region in which you access or use the Platform.

Certain features, administrative capabilities, or data-handling practices may be adapted or restricted based on jurisdiction-specific requirements, including obligations under laws such as the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CPRA), the Washington My Health My Data Act (MHMDA), India’s Digital Personal Data Protection Act (DPDPA), and other regional or national privacy regulations. When your information is processed in a jurisdiction different from your own, we apply appropriate safeguards, such as contractual protections, cross-border transfer mechanisms, or equivalent security and compliance controls, to protect the information in accordance with applicable law and recognized standards.

By using the Spark Platform Portal, you acknowledge and consent to the processing and transfer of your information in accordance with this Privacy Policy and the laws of the jurisdiction in which you reside or access the Platform. If you have questions about regional data practices, cross-border transfers, or jurisdiction-specific rights, you may contact us at privacy@doceree.com, and we will provide clarification based on the location in which the Spark Platform is accessed.

Changes to this Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our data practices, technologies, regulatory obligations, operational requirements, or enhancements to the Spark Platform and Spark Platform Portal. When updates are made, we will revise the “Effective Date” at the top of this Privacy Policy. If the changes are material, or if applicable law requires that we provide advance notice or obtain additional consent, we will do so through appropriate means, such as email notifications, in-Portal alerts, or other direct communications.

Your continued use of the Spark Platform Portal following the posting of an updated Privacy Policy constitutes your acknowledgment and acceptance of the revised terms, except where applicable law requires separate consent. We encourage you to review this Privacy Policy periodically to remain informed about how we collect, use, disclose, retain, and protect your information, as well as the safeguards we maintain to ensure compliance and support your privacy rights.

Contacting Us

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, including requests to access, correct, delete, or restrict the use of your personal information collected through the Spark Platform Portal, you may contact our Legal Department using the information below. You may also contact us if you have concerns about how your information is handled, or if you would like clarification regarding any aspect of our privacy, security, or data management practices.

Attn: Legal Department
Doceree Inc.
150 John F Kennedy Parkway, Suite 403
Short Hills, NJ 07078
Email: legal@doceree.com

We will review and respond to all privacy-related inquiries in a timely and appropriate manner, consistent with applicable data protection laws, contractual obligations, and Doceree’s internal compliance procedures. We appreciate your trust in the Spark Platform and remain committed to protecting your information and supporting your privacy rights.