Privacy Policy

Last updated: 2026-04-26

This Privacy Policy explains how BLITZ ENTERPRISES S.R.L. ("BlitzClinic", "we", "us") collects, uses, shares, and protects personal data when you use our platform and website. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and all applicable data protection laws.

1. Data Controller

The data controller for personal data processed through the BlitzClinic platform and website is:

BLITZ ENTERPRISES S.R.L.
Address: București Sectorul 1, Strada Pitar Moș, Nr. 27, Etaj 5, Ap. 17, Romania
CUI: 54399335
Trade Registry: J2026021644001
EUID: ROONRC.J2026021644001
Email: [email protected]
Data Protection Officer: [email protected]

When clinics use BlitzClinic to process patient data, the clinic acts as the data controller and BlitzClinic acts as the data processor under a Data Processing Agreement.

2. Data We Collect

We collect the following categories of personal data:

Account & Contact Data: name, email address, phone number, job title, clinic name, tax identification number (CUI/CIF), billing address.

Health Data (Special Category): patient medical records, treatment plans, dental charts, prescriptions, clinical notes, medical imaging, health history — processed only on behalf of clinic data controllers.

Usage Data: IP address, browser type and version, device information, operating system, pages visited, time spent on pages, referral source, click patterns.

Cookie Data: preferences, session identifiers, analytics identifiers, marketing identifiers. See our Cookie Policy for details.

Communication Data: messages sent through the platform, support tickets, video consultation metadata.

Payment Data: transaction records, subscription details. Full payment card details are processed by Revolut and are never stored on our servers.

3. Legal Basis for Processing

We process personal data under the following legal bases as defined in GDPR Article 6:

Contract Performance (Art. 6(1)(b)): Processing necessary to provide the BlitzClinic platform, manage your account, process payments, and deliver customer support.

Legitimate Interest (Art. 6(1)(f)): Platform security and fraud prevention, service improvement and analytics, marketing communications to existing customers (with opt-out).

Consent (Art. 6(1)(a)): Marketing cookies and tracking (Google Analytics, Facebook Pixel), marketing communications to prospective customers, AI feature usage involving data processing.

Legal Obligation (Art. 6(1)(c)): Tax and accounting records, responding to lawful requests from authorities, healthcare record retention requirements.

For health data (GDPR Article 9), processing is based on explicit consent of the data subject (Art. 9(2)(a)) and/or the provision of healthcare (Art. 9(2)(h)), as applicable.

4. How We Use Your Data

We use personal data for the following purposes:

• Providing and maintaining the BlitzClinic platform and its features
• Creating and managing user accounts and clinic tenants
• Processing payments and managing subscriptions
• Sending transactional communications (account confirmations, payment receipts, service notifications)
• Providing customer support and responding to inquiries
• Ensuring platform security, detecting fraud, and preventing abuse
• Analyzing usage patterns to improve platform performance and user experience
• Generating anonymized and aggregated analytics and reports
• Sending marketing communications about our services (with your consent or based on legitimate interest, with opt-out available)
• Complying with legal and regulatory obligations
• Facilitating AI-powered features such as clinical documentation assistance and workflow automation

5. Data Sharing & Processors

We share personal data with the following categories of third-party processors, each bound by data processing agreements:

Cloudflare, Inc. (United States, EU data centers) — Content delivery network (CDN), DDoS protection, R2 object storage for files and documents, Turnstile bot protection. Cloudflare processes data primarily in EU data centers.

Google LLC (United States) — Google Analytics for website traffic analysis and user behavior insights. Data is anonymized where possible.

Meta Platforms, Inc. (United States) — Facebook/Meta Pixel for measuring advertising effectiveness and remarketing. Only activated with user consent.

Hetzner Online GmbH (Germany) — Dedicated server hosting and Kubernetes infrastructure. All production data is hosted in Hetzner's German data centers within the EU.

Microsoft Corporation — Azure (EU West region) — Azure Key Vault for secrets management and Azure Kubernetes Service (AKS) for container orchestration. Data processed within the EU.

Revolut Ltd (United Kingdom / EU) — Payment processing for subscription billing and clinic payment features. Revolut is authorized by the Financial Conduct Authority and complies with PSD2.

Anthropic PBC (United States) — AI features powered by Claude for clinical documentation assistance, workflow automation, and intelligent suggestions. Data sent to Anthropic is minimized and does not include direct patient identifiers where technically feasible.

We do not sell personal data to third parties. We may disclose data if required by law, court order, or to protect our legal rights.

6. International Data Transfers

Your data is primarily stored and processed within the European Union (Germany and EU West regions). Where data is transferred to processors outside the EU/EEA (United States, United Kingdom), we ensure adequate protection through:

• EU Standard Contractual Clauses (SCCs) as approved by the European Commission
• Adequacy decisions where applicable (e.g., UK under the EU-UK Trade and Cooperation Agreement)
• Supplementary technical measures including encryption in transit and at rest

All international transfers are documented and assessed for risk in accordance with GDPR Chapter V requirements. You may request a copy of the relevant transfer safeguards by contacting [email protected].

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: retained for the duration of the subscription plus 30 days for data export after termination
• Health/patient records: retained as required by applicable healthcare regulations (minimum 10 years in Romania under healthcare legislation, or as specified by the clinic data controller)
• Audit logs: access logs retained for a minimum of 3 years; health record audit logs retained for a minimum of 7 years
• Payment and invoicing records: retained for 10 years as required by Romanian fiscal legislation
• Marketing consent records: retained for the duration of consent plus 3 years
• Usage and analytics data: retained in anonymized form; raw data deleted after 26 months
• Cookie data: retention varies by cookie type (see Cookie Policy)

When data is no longer needed, it is securely deleted or anonymized using industry-standard methods.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15): Request a copy of the personal data we hold about you.

Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing.

Right to Restriction (Art. 18): Request that we limit the processing of your data in certain circumstances.

Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (CSV, JSON).

Right to Object (Art. 21): Object to processing based on legitimate interest or for direct marketing purposes.

Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

Right Not to Be Subject to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If your request is complex, we may extend this by an additional 60 days with notice. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

9. Health Data

BlitzClinic processes special categories of personal data, including health data, as defined under GDPR Article 9. This data is processed with the highest level of protection.

Legal basis for health data processing:

• Explicit consent of the patient (Art. 9(2)(a)), obtained and managed by the clinic through the platform's consent management features
• Provision of healthcare or treatment (Art. 9(2)(h)), where processing is necessary for medical diagnosis, treatment, or health system management under the responsibility of a healthcare professional bound by professional secrecy

Technical safeguards for health data:

• Encryption at rest using AES-256 and in transit using TLS 1.2+
• Multi-tenant data isolation — each clinic's data is logically separated by clinic identifier
• Role-based access control with principle of least privilege
• Immutable audit trails for all access to and modifications of health data
• Data minimization — AI features process the minimum data necessary

Clinics are responsible for obtaining valid patient consent and maintaining records of consent as required by GDPR and applicable healthcare regulations.

10. Cookies

We use cookies and similar technologies on our website. For detailed information about the types of cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy available at https://blitzclinic.com/legal/cookies. You can manage your cookie preferences at any time through the cookie consent banner on our website.

11. Data Security

We implement comprehensive technical and organizational measures to protect personal data:

• Encryption: AES-256 at rest, TLS 1.2+ in transit for all data
• Infrastructure: Production systems hosted in certified EU data centers (Hetzner, Germany) with Kubernetes orchestration
• Access Control: Role-based access control (RBAC), multi-factor authentication, principle of least privilege
• Monitoring: Continuous security monitoring, intrusion detection, and automated alerting
• Backups: Automated encrypted backups with tested disaster recovery procedures (RPO: 1 hour, RTO: 4 hours)
• Secrets Management: All credentials and API keys stored in Azure Key Vault, never in source code
• Audit Logging: Immutable, append-only audit logs for all data access and modifications
• Network Security: Kubernetes network policies restricting pod-to-pod communication, HTTPS-only traffic
• Incident Response: Documented incident response plan with defined roles, escalation procedures, and notification timelines compliant with GDPR Article 33 (72-hour breach notification)

We regularly review and update our security measures to address emerging threats.

12. Children's Privacy

The BlitzClinic platform is designed for use by healthcare professionals and clinic staff. It is not intended for direct use by children under the age of 16. Where patient records of minors are processed through the platform, this is done under the responsibility of the clinic (data controller) with appropriate parental or guardian consent as required by applicable law. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users via email and/or in-platform notification at least 30 days before taking effect. The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

14. DPO Contact & Supervisory Authority

Data Protection Officer
Email: [email protected]
BLITZ ENTERPRISES S.R.L.
București Sectorul 1, Strada Pitar Moș, Nr. 27, Etaj 5, Ap. 17, Romania

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. The competent supervisory authority for Romania is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, Romania
Phone: +40.318.059.211
Email: [email protected]
Website: https://www.dataprotection.ro

If you are located in another EU/EEA member state, you may also contact your local data protection authority.