INTENDED FOR U.S. AUDIENCES ONLY

PRIVACY STATEMENT

EFFECTIVE DATE: December 2025

LEGAL NAME AND SUBSIDIARIES
Legal Name: Epitel, Inc. (Epitel)

Subsidiaries: None

INTRODUCTION

Epitel is a digital health company modernizing brain health solutions to improve seizure monitoring and detection. By leveraging our proprietary cloud-based wearable sensor system and other innovative AI technologies, we are empowering better treatment decisions by making EEG readily deployable and accessible. We are headquartered in Salt Lake City.

We’ve developed a wearable, wireless EEG monitoring platform to provide accessible, affordable, and reliable electrographic seizure detection. Epitel received FDA clearance for its first product, known as REMI™ Remote EEG Monitoring System, in 2021.

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Notice describes Epitel’s policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

ADHERENCE TO DATA PRIVACY FRAMEWORK PRINCIPLES

Epitel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Epitel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Epitel has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

DATA PROTECTION INQUIRIES

Epitel is headquartered in Salt Lake City, Utah in the United States. Epitel has internal data protection protocols. If you have any questions or concerns or if you would like to exercise your rights, please contact support@epitel.com.

HOW WE COLLECT AND USE (PROCESS) YOUR PERSONAL INFORMATION

Epitel collects personal information about its website visitors and customers. With a few exceptions, this information is generally limited to:

First Name
Last Name
Email
Phone Number
Institution

We use this information to provide prospects and customers with services.

We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services.

From time to time, Epitel receives personal information about individuals from third parties. Typically, information collected from third parties will include further details on your employer or industry. We may also collect your personal data from a third-party website (e.g. LinkedIn).

The company communicates corrections or erasures of an individual's personal information to authorized users and relevant third parties to whom the personal information has been shared or transferred.

USE OF EPITEL PRODUCTS

Epitel necessarily collects certain information about patients using Epitel products to support their care. The information included health data (i.e. electroencephalography data) and identifiers such as patient names, Medical Record Numbers, birthdates, and phone numbers. We use this information to support patients and healthcare providers throughout the duration of a healthcare monitoring session.

Epitel has a legitimate interest in understanding how patients and providers use its products. This assists Epitel with improving its products and services, with communicating to patients and providers as monitoring session needs arise, and with providing appropriate staffing to support patient and provider needs.

Should patients or providers choose not to share this information, they will be unable to use Epitel products to meet their health needs and will need to rely on alternative products and services.

USE OF THE EPITEL WEBSITE

As is true of most other websites, Epitel’s website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of Epitel’s website, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

Epitel has a legitimate interest in understanding how members, customers and potential customers use its website. This assists Epitel with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.

There is no user authentication available on this website. Website hosting provided by Wix.

HUMAN RESOURCE DATA

Epitel may employ EU, UK, or Swiss citizens, and will necessarily collect information about employees to support their employment (e.g., names, addresses, phone numbers, bank routing numbers, etc.).

COOKIES AND TRACKING TECHNOLOGIES

Epitel makes available a comprehensive cookies notice that describes the cookies and tracking technologies used on Epitel’s website and provides information on how users can accept or reject them. To view the notice, please contact support@epitel.com. Upon visiting the Epitel website, visitors may choose the types of cookies that can be collected by Epitel (e.g., essential cookies, marketing cookies, functional cookies, analytics cookies).

SHARING INFORMATION WITH THIRD PARTIES

The personal information Epitel collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, Epitel engages third parties to send Epitel-related information to you including information about our products, services, and events. Such information may be shared with contract resource managers, advertising networks, and communication networks to provide product updates, and to deliver relevant educational content, in accordance with applicable privacy laws. Epitel is potentially liable in cases of onward transfer of relevant data to third parties.

We do not otherwise reveal your personal data to non-Epitel persons or businesses for their independent use unless: (1) you request or authorize it; (2) the information is provided to comply with the law (for example, compelled by law enforcement to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (3) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (4) to address emergencies or acts of God; or (5) to address disputes, claims, or to persons demonstrating legal authority to act on your behalf. We may also gather aggregated data about our services and website visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes.

Epitel’s website connects with third party services such as Facebook, LinkedIn, X, and others. If you choose to share information from the Epitel website through these services, you should review the privacy policy of that service. If you are a member of a third-party service, the aforementioned connections may allow that service to connect your visit to our site to your personal data.

GOVERNMENT ACCESS TO DATA

Epitel may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Since it was founded, Epitel has received zero government requests for information.

TRANSFERRING PERSONAL DATA TO THE U.S.

Epitel has its headquarters in the United States. Information we collect about you will be processed in the United States. By using Epitel’s services, you acknowledge that your personal information will be processed in the United States. The United States, under the EU-U.S. Data Privacy Framework, has achieved a finding of “adequacy” from the European Union under Article 45 of the GDPR.

Depending on the circumstance, Epitel also collects and transfers to the U.S. personal data with consent; to perform a contract with you; or to fulfill a compelling legitimate interest of Epitel in a manner that does not outweigh your rights and freedoms. Epitel endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with Epitel and the practices described in this Privacy Statement. Epitel also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate.

For more information or if you have any questions, please contact us at support@epitel.com.

DATA STORAGE AND RETENTION

Your personal data is stored by Epitel on its servers, and on the servers of the cloud-based database management services the Epitel engages, located in the United States. Epitel retains service data for the duration of the customer’s business relationship with Epitel and for a period of time thereafter, to analyze the data for Epitel’s own operations, and for historical and archiving purposes associated with Epitel’s services. Epitel retains prospect data until such time as it no longer has business value and is purged from Epitel systems. All personal data that Epitel controls may be deleted upon verified request from Data Subjects or their authorized agents. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at: support@epitel.com.

CHILDREN'S DATA

Epitel collects personal data from children who use Epitel products, to serve their health needs. Epitel does not knowingly attempt to solicit or receive any other information from children.

FOR EU INDIVIDUALS: YOUR RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION

The European Union’s General Data Protection Regulation (GDPR) and other countries’ privacy laws provide certain rights for data subjects. Data Subject rights under GDPR include the following:

Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right of data portability
Right to object
Rights related to automated decision making including profiling

This Privacy Notice is intended to provide you with information about what personal data Epitel collects about you and how it is used.

If you wish to confirm that Epitel is processing your personal data, or to have access to the personal data Epitel may have about you, please contact us.

You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside Epitel might have received the data from Epitel; what the source of the information was (if you didn’t provide it directly to Epitel); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by Epitel if it is inaccurate. You may request that Epitel erase that data or cease processing it, subject to certain exceptions. You may also request that Epitel cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how Epitel processes your personal data. When technically feasible, Epitel will—at your request—provide your personal data to you.

Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, Epitel will provide you with a date when the information will be provided. If for some reason access is denied, Epitel will provide an explanation as to why access has been denied.

For questions or complaints concerning the processing of your personal data, you can email us at support@epitel.com. Alternatively, if you are located in the European Union, you can also contact Epitel’s European Data Protection Supervisor (DataRep) or your nation’s data protection authority. A list of EU data protection authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en.

DataRep EUROPEAN DATA PROTECTION REPRESENTATION

Epitel, Inc., which processes the personal data of individuals in the European Union, European Economic Area and UK, in either the role of 'data controller' or 'data processor', has appointed DataRep as its Data Protection Representative for the purposes of GDPR* in the EU/EEA and The Data Protection Act 2018 / UK GDPR (as amended) in the UK, and FADP** in Switzerland.

If Epitel, Inc. has processed or is processing your personal data, you may be entitled to exercise your rights under GDPR/FADP in respect of that personal data. For more details on the rights you have in respect of your personal data, please refer to the national Data Protection Authority in your country, the European Commission in the EU (https://ec.europa.eu/info/law/law-topiddata-protection/data-protection-eu en) or the Federal Data Protection and Information Commission In Switzerland (https://www.edoeb.admin.ch/edoeb/en/home.html).

Epitel, Inc. takes the protection of personal data seriously, and has appointed DataRep as their Data Protection Representative in the European Union and Switzerland so that you can contact them directly in your home country. Data Rep has locations in each of the 27 EU countries, the UK, and Norway & Iceland in the European Economic Area (EEA) and Switzerland, so that Epitel, lnc.'s customers can always raise the questions they want with them.

If you want to raise a question to Epitel, Inc., or otherwise exercise your rights in respect of your personal data, you may do so by:

● sending an email to DataRep at datarequest@datarep.com quoting <Epitel, Inc.> in the subject line,

● contacting DataRep on their online webform at www.datarep.com/data-request, or

● mailing your inquiry to Data Rep at the most convenient of the addresses listed below.

COUNTRY / ADDRESS

Austria / DataRep, City Tower, Bruckenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium / DataRep, Rue des Colonies 11, Brussels, 1000
Bulgaria / DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia / DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus / DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic / DataRep, Platan Office, 28. Rfjna 205/45, Floor 3&4, Ostrava, 70200, Czech Republic
Denmark / DataRep, Lautruph0j 1-3, Ballerup, 2750, Denmark
Estonia / DataRep, 2nd Floor, Tornimae 5, Tallinn. 10145, Estonia
Finland / DataRep. Luna House, 5.krs. Mannerheimintie 12 B. Helsinki, 00100, Finland
France / DataRep. 72 rue de Lessard, Rouen, 76100, France
Germany / DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece / DataRep, lppodamias Sq. 8, 4th floor, Piraeus, Attica, Greece
Hungary / DataRep, President Centre, Kalman lmre utca 1. Budapest, 1054, Hungary
Iceland / DataRep, Kalkofnsvegur 2, 3rd Floor, 101 Reykjavik. Iceland
Ireland / DataRep, The Cube, Monahan Road, Cork. T12 HlXY. Republic of Ireland
Italy / DataRep, Viale Giorgio Ribotta 11. Piano 1. Rome, Lazio, 00144. Italy
Latvia / DataRep, 4th & 5th floors. 14 Terbatas Street, Riga, LV-1011, Latvia
Liechtenstein / DataRep. City Tower, Bruckenkopfgasse 1/6. Stock, Graz, 8020, Austria
Lithuania / DataRep. 44A Gedimino Avenue, 01110 Vilnius, Lithuania
Luxembourg / DataRep, BPM 335368, Banzelt 4 A. 6921. Roodt-sur-Syre, Luxembourg
Malta / DataRep. Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands / DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN. Netherlands
Norway / DataRep, CJ. Hambros Plass 2c, Oslo, 0164, Norway
Poland / DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal / DataRep. Torre de Monsanto, Rua Afonso Prac;a 30, 7th floor, Alges, Lisbon, 1495-061. Portugal
Romania / DataRep, 15 Piata Charles de Gaulle, nr. 1-T. Bucure~ti, Sectorul 1, 011857, Romania
Slovakia / DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia / DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain / DataRep, Calle de Manzanares 4, Madrid, 28005, Spain
Sweden / Data Rep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden
Switzerland / DataRep. Leutschenbachstrasse 95, ZURICH. 8050, Switzerland
United Kingdom / DataRep. 107-111 Fleet Street, London, EC4A 2AB. United Kingdom

PLEASE NOTE: when mailing inquiries. it is ESSENTIAL that you mark your letters for 'DataRep' and not 'Epitel, Inc.', or your inquiry may not reach us. Please refer clearly to Epitel, Inc. in your correspondence. On receiving your correspondence, Epitel, Inc. is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.

If you have any concerns over how DataRep will handle the personal data that DataRep will require to undertake their services, please refer to the DataRep privacy notice at www.datarep.com/privacy-policy.

FOR EU, UK, AND SWISS INDIVIDUALS: DATA PRIVACY FRAMEWORK OBLIGATIONS

As stated above, Epitel complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Pursuant to the DPF Program, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States in reliance on the DPF Program should direct their query to support@epitel.com. If requested to remove data, we will respond within a reasonable timeframe. Additionally, if personal data covered by this policy is to be used for a new purpose that is materially different from that for which the personal data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party in a manner not specified in this policy, we will provide you with an opportunity to choose whether to have your personal data so used or disclosed. Requests to opt out of such uses or disclosures of personal data should be sent to us at support@epitel.com. Certain personal data, such as information about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, is considered "Sensitive Information." We will not use Sensitive Information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual unless we have received your affirmative and explicit consent (opt-in).

Dispute Resolution:

In compliance with the DPF Principles, Epitel commits to resolve DPF Principles-related complaints about your privacy and our collection or use of your personal information. European Union, United Kingdom, and Swiss individuals with inquiries or complaints regarding our handling of personal data in reliance on the DPF should first contact Epitel at: support@epitel.com

BBB National Programs’ is Epitel’s designated Independent Recourse Mechanism (IRM) for handling privacy complaints from EU, UK, and/or Swiss individuals. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by us, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

Under certain limited conditions, there is a possibility that individuals may invoke binding arbitration to address residual claims that have not been resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for more information on this process.

ENFORCEMENT

Epitel is subject to the investigatory and enforcement powers of the Federal Trade Commission.

QUESTIONS, CONCERNS, OR COMPLAINTS

If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at:

support@epitel.com

Epitel, Inc.
465 S. 400 E., Suite 250
Salt Lake City, UT 84111

Note: If your complaint involves human resources data transferred to the United States from the European Union, the United Kingdom, or Switzerland in the context of the employment relationship, and Epitel does not address it satisfactorily, Epitel commits to cooperate with the panel established by the EU data protection authorities (DPA Panel), the UK Information Commissioner’s Office, and the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by the DPA panel [ICO, or FDPIC, as applicable] with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. For the UK, please visit: https://ico.org.uk/make-a-complaint/. For Switzerland, please visit: https://www.edoeb.admin.ch/en/contact-2. Complaints related to human resources data should not be addressed to the BBB NATIONAL PROGRAMS.

COOKIE POLICY

EFFECTIVE DATE: April 2023

1. APPLICATION

This policy applies to all employees, contractors, and vendors while doing business with Epitel and others who have access to European Union (EU) and the European Economic Area (EEA) data subject information (“personal data”) in connection with Epitel’s operating activities – including the UK and Switzerland.

2. POLICY

Epitel believes in transparency about collection and use of data. This policy provides information about how and when Epitel uses cookies for these purposes. Capitalized terms used in this policy but not defined have the meaning set forth in our Privacy Policy, which also includes additional details about the collection and use of information at Epitel.

WHAT IS A COOKIE?

Cookies are small text files sent by us to your computer or mobile device, which enable Epitel features and functionality. They are unique to your account or your browser. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser. Persistent cookies last until you or your browser delete them or until they expire.

DOES EPITEL USE COOKIES?

Yes. Epitel uses cookies and similar technologies like single-pixel gifs and web beacons. Epitel uses session-based cookies. Epitel sets and accesses cookies on the domains operated by Epitel and its corporate affiliates (collectively, the “Sites”). In addition, Epitel uses third party cookies, like Google Analytics.

HOW IS EPITEL USING COOKIES?

Some cookies are associated with your account and personal information to remember that you are logged in and which workspaces you are logged into. Other cookies are not tied to your account but are unique and allow us to carry out analytics and customization, among other similar things.

Cookies can be used to recognize you when you visit a Site or use our Services, remember your preferences, and give you a personalized experience that is consistent with your settings. Cookies also make your interactions faster and more secure. Visit our cookies table to learn more.

Category of use: Performance, Analytics, and Research: Cookies help Epitel learn how well the Sites and Services perform. Epitel also uses cookies to understand, improve, and research products, features, and services, including to create logs and record when you access our Sites and Services from different devices, such as your work computer or your mobile device.

Security: Epitel uses cookies to enable and support security features, and to help detect malicious activity.

WHAT THIRD-PARTY COOKIES DOES EPITEL USE?

You can find a list of the third-party cookies that Epitel uses on our sites along with other relevant information in the cookie table. Epitel does its best to keep this table updated, but please note that the number and names of cookies, pixels, and other technologies may change from time to time.

WHAT CAN YOU DO IF YOU DON'T WANT COOKIES TO BE SET OR WANT THEM TO BE REMOVED?

You have the option to disable and delete cookies that may not be necessary for the basic functionality of our website. Please note, blocking categories may impact your experience on our website.

DOES EPITEL RESPOND TO DO NOT TRACK SIGNALS?

The Sites and Services do not collect personal information about your online activities over time and across third-party websites or online services. Therefore, “do not track” signals transmitted from web browsers do not apply to the Sites or Services, and Epitel does not alter any data collection and use practices upon receipt of such a signal.

support@epitel.com

www.epitel.com

(801) 497-6297

EPITEL SUBPROCESSORS

EFFECTIVE DATE: September 2023

To support delivery of our services, Epitel may engage and use data processors with access to certain Service Data (each a "Subprocessor"). This page provides important information about the identity, location, and role of each Subprocessor. Terms used on this page but not defined have the meaning set forth in the applicable agreement between Customer and Epitel (the "MSA").

THIRD PARTIES

Prior to engaging any third party Subprocessor, Epitel performs diligence to evaluate their privacy, security, and confidentiality practices and executes an agreement implementing its applicable obligations.

SUBPROCESSORS

Epitel Product Suite: