Terms and Conditions

SOFTWARE AS A SERVICE TERMS OF SERVICE AGREEMENT PLEASE READ THESE TERMS OF SERVICE CAREFULLY. BY CLICKING “ACCEPTED AND AGREED,” EACH CUSTOMER AGREES TO THESE TERMS OF SERVICE.

These Terms of Service constitute an agreement (this “Agreement”) by and between NuLease Medical Solutions, a limited liability company organized under the laws of the state of Kentucky and having a place of business located at 5722 Outer Loop, Louisville, KY 40219 (“Provider”) and each customer of Provider’s online personal medical data management service (“Recipient”).

1. Definitions. (a) “Account” refers to the Service plans and features selected by Recipient through Provider’s customer portal at the time of enrollment and accepted by Provider, as such plans and features may change by mutual consent of the parties, as recorded by Provider through such portal. (b) “Authorized Representative” refers to an officer of the Provider, or the Provider’s duly authorized agent; and, the Recipient’s attorney-in-fact or court-appointed guardian. (c) “Effective Date” refers to the date of commencement of the Service as listed in Recipient’s Account. (d) “Materials” refers to written and graphical content provided by or through the Service, including, without limitation, text, photographs, illustrations, and designs, whether provided by Provider, another customer of the Service, or any other third party. (e) “Recipient Data” refers to data in electronic form input or collected through the Service by or from Recipient. (f) “Service” refers to Provider’s medical information management service.

• Service & Payment. (a) Service. Provider will provide the Service to Recipient pursuant to its standard policies and procedures then in effect. This Service is provided free of charge.

• Service Level Agreement. In the event of any Service failure whatsoever including, without limitation, hardware or software malfunctions, service unavailability, data loss including Recipient data loss, or Recipient’s loss of access to the Service for any reason the Provider is not liable to Recipient for any damages whatsoever including actual, consequential, indirect, incidental, special, or punitive of any kind regardless of the cause of such failure, including force majeure, and even if such failure is due to Provider’s negligence. In the event of a failure of Service, Provider will make reasonable efforts to resolve the failure, but makes no representation, promise, or warranty as to the speed with which a failure shall be resolved or the nature or extent of services that are restored, if any. Provider further makes no representation, promise, or warranty as to the percentage of system up-time that a Recipient may expect. Recipient has no right to demand or require restoration of service, return or restoration of Recipient’s data, or any element of the Service provided prior to a failure of Service. The Service is provided as-is and without warranty of any kind.

• Materials, Software, & IP. (a) Materials. Recipient recognizes and agrees that: (i) the Materials are the property of Provider or its licensors and are protected by copyright, trademark, and other intellectual property laws; and (ii) Recipient does not acquire any right, title, or interest in or to the Materials except the limited and temporary right to use them as necessary for Recipient’s use of the Service. (b) IP in General. Provider retains all right, title, and interest in and to the Service, including without limitation all software used to provide the Service and all logos and trademarks reproduced through the Service, and this Agreement does not grant Recipient any intellectual property rights in or to the Service or any of its components.

• Online Policies. (a) Authorized Use Policy (AUP). Recipient agrees to comply with the AUP as set forth in Appendix A. In the event of Recipient’s material breach of the AUP, including without limitation any copyright infringement, Provider may suspend or terminate Recipient’s access to the Service, in addition to such other remedies as Provider may have at law or pursuant to this Agreement. Neither this Agreement nor the AUP requires that Provider take any action against Recipient or any other customer for violating the AUP, but Provider is free to take any such action it sees fit. (b) Privacy Policy. The Privacy Policy set forth in Appendix B applies only to the Service and does not apply to any third party site or service linked to the Service or recommended or referred to through the Service or by Provider’s employees.

• Each Party’s Warranties. (a) Recipient’s Identity. Recipient warrants: (i) that it has accurately identified itself through its Account and will maintain the accuracy of such identification; and (ii) that it is an individual 18 years or older. (b) Right to Do Business. Each party warrants that it has the full right and authority to enter into, execute, and perform its obligations under this Agreement and that no pending or threatened claim or litigation known to it would have a material adverse impact on its ability to perform as required by this Agreement. (c) Disclaimers. Except for the express warranties specified in this section six (6), THE SERVICE IS PROVIDED “AS IS” AND AS AVAILABLE, AND PROVIDER MAKES NO WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. Without limiting the generality of the foregoing, (i) PROVIDER HAS NO OBLIGATION TO INDEMNIFY OR DEFEND RECIPIENT AGAINST CLAIMS RELATED TO INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS; and (ii) Provider does not warrant that the Service will perform without error or material interruption.

• Limitation of Liability. IN NO EVENT: (a) WILL PROVIDER’S LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED $1; AND (b) WILL PROVIDER BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES. THE LIABILITIES LIMITED BY THIS SECTION 7 APPLY: (i) TO LIABILITY FOR NEGLIGENCE; (ii) REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, STRICT PRODUCT LIABILITY, OR OTHERWISE; (iii) EVEN IF PROVIDER IS ADVISED IN ADVANCE OF THE POSSIBILITY OF THE DAMAGES IN QUESTION AND EVEN IF SUCH DAMAGES WERE FORESEEABLE; AND (iv) EVEN IF RECIPIENT’S REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE. If applicable law limits the application of the provisions of this Section 7, Provider’s liability will be limited to the maximum extent permissible.

• Data Management. (a) Access, Use, & Legal Compulsion. Unless it receives Recipient’s prior written consent, Provider will not give any third party access to Recipient Data. Notwithstanding the foregoing, Provider may disclose Recipient Data as required by applicable law or by proper legal or governmental authority. Provider will give Recipient prompt notice of any such legal or governmental demand and reasonably cooperate with Recipient in any effort to seek a protective order or otherwise to contest such required disclosure, at Recipient’s expense. (b) Recipient’s Rights. Recipient possesses and retains all right, title, and interest in and to Recipient Data, and Provider’s use and possession thereof is solely as Recipient’s agent. (c) Retention & Deletion.

Provider will retain all Recipient Data until erased pursuant to the Data Policy set forth in Appendix C. (d) Injunction. Provider agrees that violation of the provisions of this Section 8 might cause Recipient irreparable injury, for which monetary damages would not provide adequate compensation, and that in addition to any other remedy, Recipient will be entitled to injunctive relief against such breach or threatened breach, without proving actual damage or posting a bond or other security.

• Term & Termination. (a) Term. This Agreement will continue for one month following the Effective Date (a “Term”). Thereafter, this Agreement will renew for subsequent terms (“Terms”) of one month, unless either party notifies the other of its intent not to renew ten (10) or more days before the beginning of the next Term. (b) Termination for Cause. The Provider may terminate this Agreement for material breach without notice, unless the other party first cures such breach. (c) Effects of Termination. The following provisions will survive termination of this Agreement: (i) Sections 4, 5(b), 6(c), and 7 of this Agreement; and (ii) any other provision of this Agreement that must survive termination to fulfill its essential purpose.

1. Miscellaneous. (a) Notices. Provider may send notices pursuant to this Agreement to Recipient’s contact points listed in Recipient’s Account, and such notices will be deemed received ten (10) days after they are sent. Recipient may send notices pursuant to this Agreement to 5722 Outer Loop, Louisville, KY 40219, and such notices will be deemed received ten (10) days after they are sent. (b) Amendment. Provider may amend this Agreement, including the Data Policy, from time to time by posting an amended version at its website and sending Recipient written notice thereof. Such amendment will be deemed accepted and become effective 30 days after such notice (the “Proposed Amendment Date”) unless Recipient first gives Provider written notice of rejection of the amendment. In the event of such rejection, this Agreement will continue under its original provisions, and the amendment will become effective at the start of Recipient’s next Term following the Proposed Amendment Date (unless Recipient first terminates this Agreement pursuant to Section 9 above). Recipient’s continued use of the Service following the effective date of an amendment will confirm Recipient’s consent thereto. This Agreement may not be amended in any other way except through a written agreement executed by the parties or their Authorized Representatives. Notwithstanding the foregoing, Provider may amend the AUP or Privacy Policy at any time by posting a new version at its website and sending Recipient notice thereof, and such amended version will become effective 30 business days after such notice is sent. (c) Independent Contractors. The parties are independent contractors and will so represent themselves in all regards. Neither party is the agent of the other and neither may bind the other in any way. (d) No Waiver. Neither party will be deemed to have waived any of its rights under this Agreement by lapse of time or by any statement or representation other than (i) by an Authorized Representative and (ii) in an explicit written waiver. No waiver of a breach of this Agreement will constitute a waiver of any prior or subsequent breach of this Agreement. (e) Force Majeure. To the extent caused by force majeure, no delay, failure, or default will constitute a breach of this Agreement. (f) Assignment & Successors. Neither party may assign this Agreement or any of its rights or obligations hereunder without the other’s express written consent, except that either party may assign this Agreement to the surviving party in a merger of that party into another entity. Except to the extent forbidden in the previous sentence, this Agreement will be binding upon and inure to the benefit of the respective successors and assigns of the parties. (g) Choice of Law & Jurisdiction. This

Agreement will be governed solely by the internal laws of the State of Ohio, without reference to the principles of conflicts of law. The parties consent to the personal and exclusive jurisdiction of the federal and state courts of the State of Kentucky. (h) Severability. To the extent permitted by applicable law, the parties hereby waive any provision of law that would render any clause of this Agreement invalid or otherwise unenforceable in any respect. In the event that a provision of this Agreement is held to be invalid or otherwise unenforceable, such provision will be interpreted to fulfill its intended purpose to the maximum extent permitted by applicable law, and the remaining provisions of this Agreement will continue in full force and effect. (i) Certain Notices. Provider hereby notifies Recipient that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist in limiting access to material that is harmful to minors. Information regarding providers of such protections may be found on the Internet by searching “parental control protection” or similar terms. (j) Conflicts among Attachments. In the event of any conflict between the terms of this main body of this Agreement and those of the Data Policy, the terms of this main body will govern. In the event of any conflict between this Agreement and any Provider policy posted online, including without limitation the AUP and Privacy Policy, the terms of this Agreement will govern. (k) Entire Agreement. This Agreement sets forth the entire agreement of the parties and supersedes all prior or contemporaneous writings, negotiations, and discussions with respect to the subject matter hereof. Neither party has relied upon any such prior or contemporaneous communications.

Appendix A.

Authorized Use Policy A. General Provisions Provider requires that all customers and other users of Provider’s Service (the “Service”) conduct themselves with respect for others. In particular, please observe the following rules in your use of the Service: 1) Abusive Behavior: Do not harass, threaten, or defame any person or entity. Do not contact any person who has requested no further contact. Do not use ethnic or religious slurs against any person or group. 2) Privacy: Do not violate the privacy rights of any person. Do not collect or disclose any personal address, social security number, or other personally identifiable information without each holder’s written permission. Do not cooperate in or facilitate identity theft. 3) Intellectual Property: Do not infringe upon the copyrights, trademark rights, trade secret rights, or other intellectual property rights of any person or entity. Do not reproduce, publish, or disseminate software, audio recordings, video recordings, photographs, articles, or other works of authorship without the written permission of the copyright holder. 4) Hacking, Viruses, & Network Attacks: Do not access any computer or communications system without authorization, including the computers used to provide the Service. Do not attempt to penetrate or disable any security system. Do not intentionally distribute a computer virus, launch a denial of service attack, or in any other way attempt to interfere with the functioning of any computer, communications system, or website.

Do not attempt to access or otherwise interfere with the accounts of other users of the Service. 5) Spam: Do not send bulk unsolicited e-mails (“Spam”) or sell or market any product or service advertised by or connected with Spam. Do not facilitate or cooperate in the dissemination of Spam in any way. Do not violate the CAN-Spam Act of 2003. 6) Fraud: Do not issue fraudulent offers to sell or buy products, services, or investments. Do not mislead anyone about the details or nature of a commercial transaction. Do not commit fraud in any other way. 7) Violations of Law: Do not violate any law. B. Consequences of Violation Violation of this Acceptable Use Policy (this “AUP”) may lead to suspension or termination of the user’s account or legal action. In addition, the user may be required to pay for the costs of investigation and remedial action

related to AUP violations. Provider reserves the right to take any other remedial action it sees fit.

C. Reporting Unauthorized Use Provider requests that anyone with information about a violation of this AUP report it via an email to the following address: NuLease Medical Solutions, c/o Shannon Cales, 5722 Outer Loop, Louisville, KY 40219.

Please provide the date and time (with time zone) of the violation and any identifying information regarding the violator, including e-mail or IP (internet protocol) address if available, as well as details of the violation. D. Revision of AUP Provider may change this AUP at any time by posting a new version on this policy to its website and sending the user written notice thereof. The new version will become effective on the date of such notice.

Appendix B.

Privacy Policy Effective Date: April 18, 2018 We collect certain information through our website, located at www.nulease.com (our “Website”). This page (this “Privacy Policy”) lays out our policies and procedures surrounding the collection and handling of any such information that identifies an individual user or that could be used to contact or locate him or her (“Personally Identifiable Information” or “PII”). As used herein, Personally Identifiable Information includes Personal Healthcare Information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy applies only our Website. It does not apply to any third party site or service linked to our Website or recommended or referred by our Website or by our staff. And it does not apply to any other website or online service operated by our company, or to any of our offline activities. A. PII We Collect We collect the following Personally Identifiable Information from users who buy our products and services: name, e-mail address, telephone number, address, and credit card number, personal medical history, pre- existing medical conditions, current medical conditions, insurance providers identity and billing information, prescription medications, diagnostic test results, diagnoses, treatment regimes, doctors and other care givers responsible for treatment, emergency contact information, guardian identity and contact information, and attorney-in-fact identity and contact information. We also use “cookies” to collect certain information from all users, including non-subscribing website visitors. A cookie is a string of data our system sends to your computer and then uses to identify your computer when you return to our Website. Cookies give us usage data, like how often you visit, where you go at the site, and what you do. B. Our Use of PII Except for HIPAA-controlled PHI, we use your Personally Identifiable Information to create your account, to communicate with you about your current subscription, and to offer you additional products and services. We also use that information to the extent necessary to enforce our Website terms of service and to prevent imminent harm to persons or property. HIPAAcontrolled PHI is not used by Provider, its agents, or contractors in any way except as necessary for provision of the Service. We use cookies so that our Website can remember you and provide you with the information you are most likely to need. For instance, when you return to our Website, cookies identify you and prompt the site to provide your username (not your password), so you can sign in more quickly. Finally, we use information gained through cookies to compile statistical information about use of our Website, such as the time users spend at the site and the pages they visit most often. Those statistics do not include PII. C. Protection of PII We employ the following data security tools to protect Personally Identifiable Information: secure server with Secure Socket Layer (SSL).

Unfortunately, even with these measures, we cannot guarantee the security of PII. By using our Website, you acknowledge and agree that we make no such guarantee, and that you use our

Website at your own risk. D. Contractor and Other Third Party Access to PII We give certain independent contractors access to Personally Identifiable Information. All contractors are required to sign contracts in which they promise to protect PII using procedures reasonably equivalent to ours. Users are not third party beneficiaries of those contracts. We also may disclose PII to attorneys, collection agencies, or law enforcement authorities to address potential AUP violations, other contract violations, or illegal behavior. And we disclose any information demanded in a court order or otherwise required by law or to prevent imminent harm to persons or property. As noted above, we compile Website usage statistics from data collected through cookies. We may publish those statistics or share them with third parties, but they don’t include PII. E. Accessing and Correcting Your PII You can access and change any Personally Identifiable Information we store through your “My Account” page. F. DNT Policy Disclosure This section outlines how we apply Do Not Track ‘DNT’ regulatory requirements per California’s Online Privacy Protection Act’s (CalOPPA) effective January 1, 2014. We do not recognize DNT mechanisms that have been designed to prevent tracking of Personal Identifying Information (PII). Please read your rights carefully. We will track unique identifiers, and passively collected information such as device identifiers and geolocation data about California residents’ online activities over time and across third-party websites or services, including via mobile apps. G. Amendment of this Privacy Policy We may change this Privacy Policy at any time by posting a new version on this page or on a successor page. The new version will become effective on the date it’s posted, which will be listed at the top of the page as the new Effective Date.

Appendix C.

Data Policy 1. Access, Use, & Legal Compulsion. Unless it receives Recipient’s prior written consent, Provider: (i) will not access or use data in electronic form collected through the Services from Recipient, or accessible directly from Recipient, (collectively, “Recipient Data”) other than as necessary to facilitate the provision of Service; and (ii) will not give any third party access to Recipient Data that is regulated under HIPAA. Notwithstanding the foregoing, Provider may disclose Recipient Data as required by applicable law or by proper legal or governmental authority. Provider will give Recipient prompt notice of any such legal or governmental demand and reasonably cooperate with Recipient in any effort to seek a protective order or otherwise to contest such required disclosure, at Recipient’s expense. 2. Recipient’s Rights. Recipient possesses and retains all right, title, and interest in and to Recipient Data, and Provider’s use and possession thereof is solely as Recipient’s agent. Recipient may access and copy any Recipient Data in Provider’s possession at any time using tools provided to Recipient as part of the Service. 3. Retention & Deletion. Provider will retain any Recipient Data in its possession until Erased (as defined below) pursuant to this Subsection (3), or until 90 days following termination or expiration of the Recipient’s subscription to the Service. After termination or expiration of the Recipient’s subscription to the Service, the Provider shall Erase the Recipient Data within thirty

(30) days. Notwithstanding the foregoing, Recipient may at any time instruct Provider to retain and not to Erase or otherwise delete Recipient Data, provided Recipient may not require retention of Recipient Data for more than 120 days after termination or expiration of this Agreement. Promptly after Erasure pursuant to this Subsection (3), Provider will certify such Erasure in writing to Recipient which may be provided via email. As used herein, “Erase” and “Erasure” refer to the destruction of data so that no copy of the data remains or can be accessed or restored in any way. 4. Individuals’ Access. Provider will not allow any of its employees to access Recipient Data, except to the extent that an employee needs access in order to facilitate

the Services and executes a written agreement with Provider agreeing to comply with Provider’s obligations set forth in this Appendix C. Provider will perform a background check on any individual it gives access to Recipient Data. Such background check will include, without limitation, a review of the individual’s criminal history, if any. Provider will not grant access to Recipient Data if the background check or other information in Provider’s possession would lead a reasonable person to suspect that the individual has committed identity theft or otherwise misused third party data or that the individual presents a threat to the security of Recipient Data.

5. Compliance with Law & Policy. Provider will comply with all applicable federal and state laws and regulations governing the handling of Recipient Data including requirements for special handling of HIPAA-controlled PHI. 6. Leaks. Provider will promptly notify Recipient of any actual or potential exposure or misappropriation of Recipient Data (any “Leak”) that comes to Provider’s attention. Provider will cooperate with Recipient and with law enforcement authorities in investigating any such Leak, at Provider’s expense. Provider will likewise cooperate with Recipient and with law enforcement agencies in any effort to notify injured or potentially injured parties, and such cooperation will be at Provider’s expense, except to the extent that the Leak was caused by Recipient. The remedies and obligations set forth in this Subsection (6) are in addition to any others Recipient may have. 7. Injunction. Provider agrees that violation of the provisions of this Appendix C might cause Recipient irreparable injury, for which monetary damages would not provide adequate compensation, and that in addition to any other remedy, Recipient will be entitled to injunctive relief against such breach or threatened breach, without proving actual damage or posting a bond or other security