Privacy Policy

ScrubUP Healthcare Staffing Platform

Your privacy matters deeply to us. This Policy explains how ScrubUP collects, uses, protects, and shares your personal information — including specialized data handling for healthcare credentials, HIPAA compliance, background checks, and financial information. We designed this Policy to be comprehensive, honest, and legally compliant across all applicable jurisdictions.

ScrubUP, LLC ("ScrubUP," "we," "us," or "our") is committed to protecting the privacy and security of all individuals who use the ScrubUP mobile application and related services (collectively, the "Platform"). This Privacy Policy ("Policy") explains how we collect, use, share, retain, and protect your personal information, and describes your rights and choices with respect to that information. This Policy applies to all users of the Platform, including Healthcare Professionals, Facilities (hospitals, clinics, and other healthcare entities), and visitors. It covers information collected through the Platform, our website, and any other interactions you have with ScrubUP. By using the Platform, you agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, you must discontinue use of the Platform. This Policy incorporates and should be read together with our Terms of Service.

We collect the following categories of personal information: REGISTRATION & IDENTITY DATA • Full legal name, date of birth, gender • Email address, phone number, mailing address • Username and encrypted password • Profile photograph (optional) • Account type (Healthcare Professional or Facility) PROFESSIONAL CREDENTIALS (Healthcare Professionals) • Professional license number(s), type, and issuing state • License expiration dates • Specialty and sub-specialty designations • Certifications (e.g., BLS, ACLS, PALS) • Work history and references • National Provider Identifier (NPI) number where applicable FACILITY INFORMATION • Facility name, address, type, and licensing number • Authorized administrator names and contact details • Tax identification number (EIN) • Accreditation information BACKGROUND CHECK & SCREENING DATA • Criminal history records (with your written consent) • OIG and SAM exclusion list results • Sex offender registry checks • Drug screening results where applicable • Employment verification results SHIFT & ACTIVITY DATA • Shifts applied to, accepted, completed, or cancelled • Bid amounts and bidding history • Ratings and reviews given and received • Shift check-in and check-out timestamps • Messages and communications on the Platform FINANCIAL DATA • Bank account information (for ACH direct deposit — collected and secured by our payment processor) • Payment card information (collected by our PCI-DSS compliant payment processor; ScrubUP does not store full card numbers) • Payment history and transaction records • Tax identification information (SSN or EIN for 1099 purposes) DEVICE & TECHNICAL DATA • Device type, operating system, and version • Unique device identifiers (IDFA, GAID) • IP address and approximate geographic location • App version, crash logs, and performance data • Push notification tokens USAGE DATA • Pages and features accessed within the Platform • Tap and interaction patterns • Search queries within the Platform • Referral source and session duration COMMUNICATIONS • Messages sent through the Platform's in-app messaging • Emails and support tickets sent to ScrubUP • Responses to surveys or feedback forms

We use the information we collect for the following purposes: PLATFORM OPERATIONS • Create and manage your account • Match Healthcare Professionals with open Shift opportunities at Facilities • Process applications, bids, acceptances, and cancellations • Facilitate Shift scheduling and confirmation workflows • Enable in-app messaging between users IDENTITY VERIFICATION & SAFETY • Verify professional licenses, certifications, and credentials with relevant state boards and databases • Conduct background checks through our authorized third-party screening providers • Check against the OIG List of Excluded Individuals/Entities, SAM.gov exclusion lists, sex offender registries, and sanctions databases • Prevent fraud, abuse, and misrepresentation on the Platform PAYMENT PROCESSING • Calculate and collect Platform Fees • Distribute earnings to Healthcare Professionals via our payment processor • Issue IRS Form 1099-NEC to qualifying individuals • Maintain transaction records for accounting and audit purposes COMMUNICATIONS • Send shift-related notifications (confirmations, reminders, updates) • Deliver in-app alerts and push notifications (with your consent) • Respond to your support inquiries and complaints • Send important operational and legal notices ANALYTICS & PLATFORM IMPROVEMENT • Analyze usage patterns to improve Platform features and performance • Conduct internal research and development • Generate aggregate, de-identified statistics about Platform usage • Train and evaluate AI/machine learning models for shift matching (using de-identified data) LEGAL & COMPLIANCE • Comply with federal and state laws, including HIPAA, HITECH, IRS reporting requirements, and applicable labor laws • Respond to lawful subpoenas, court orders, and government investigations • Enforce our Terms of Service • Protect the rights, property, and safety of ScrubUP, its users, and the public

If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases to process your personal information: CONTRACT PERFORMANCE Processing necessary to perform the contract between you and ScrubUP — including account creation, shift facilitation, and payment processing. LEGITIMATE INTERESTS Processing necessary for our legitimate interests, such as fraud prevention, platform security, analytics, and improving our services, where these interests do not override your fundamental rights and freedoms. LEGAL OBLIGATION Processing necessary to comply with applicable laws and regulations, including tax reporting, anti-money laundering laws, and healthcare regulatory requirements. VITAL INTERESTS In emergency situations, processing that is necessary to protect the vital interests of any person. CONSENT Where we rely on your consent, such as for marketing communications or non-essential analytics, you may withdraw your consent at any time by contacting us at privacy@ScrubUP.com. Note: ScrubUP primarily operates within the United States. If you are accessing the Platform from the EEA, UK, or Switzerland, please contact us regarding your specific data protection rights.

We do not sell your personal information to third parties. We share your information only in the following limited circumstances: WITH FACILITIES (when you apply for a Shift) When a Healthcare Professional applies for or is matched to a Shift, we share the Professional's profile, credentials, ratings, and background check clearance with the Facility. Facilities are contractually prohibited from using this information for any purpose other than evaluating the application and managing the Shift. WITH HEALTHCARE PROFESSIONALS (when a Facility engages them) Facilities' verified contact information and Shift details are shared with matched Healthcare Professionals. WITH SERVICE PROVIDERS We engage carefully vetted third-party vendors who provide services on our behalf, including: • Payment processing (e.g., Stripe) • Background check and screening services • Cloud hosting and data storage • Analytics and crash reporting • Push notification delivery • Email and SMS communication services All service providers are bound by contractual data processing agreements and may only use your data to perform services for ScrubUP. WITH REGULATORY & GOVERNMENT AUTHORITIES We will disclose your information when required by applicable law, including responses to: subpoenas, court orders, regulatory investigations, tax authority requests, HIPAA mandates, and requests from law enforcement agencies with proper legal authority. IN BUSINESS TRANSACTIONS If ScrubUP undergoes a merger, acquisition, asset sale, bankruptcy, or similar corporate transaction, your information may be transferred to the acquiring entity, subject to the same protections described in this Policy. We will notify you via in-app notice or email of any such change in ownership. FOR SAFETY & FRAUD PREVENTION We may disclose information to protect the safety of users, patients, ScrubUP, or the public, including to prevent fraud, respond to imminent threats, or investigate potential violations of our Terms of Service. AGGREGATE / DE-IDENTIFIED DATA We may share de-identified, aggregated data that cannot reasonably be used to identify you with partners, researchers, or the public for industry research and analytics purposes.

ScrubUP takes its HIPAA obligations seriously. As a technology platform facilitating healthcare staffing: BUSINESS ASSOCIATE AGREEMENTS Where required by HIPAA, ScrubUP enters into Business Associate Agreements (BAAs) with Facilities that are Covered Entities under HIPAA. MINIMUM NECESSARY STANDARD ScrubUP accesses, uses, and discloses Protected Health Information ("PHI") only to the minimum extent necessary to perform Platform functions. NO PHI IN SHIFT POSTINGS Facilities are prohibited from including any patient PHI in shift postings, messages, or any other content submitted to the Platform. ScrubUP may immediately remove any content containing PHI posted in violation of this restriction. PROFESSIONAL PHI ACCESS Healthcare Professionals accessing patient PHI during a Shift do so as agents of the Facility, not of ScrubUP. ScrubUP is not a healthcare provider and does not access clinical records. BREACH NOTIFICATION In the event of a confirmed breach of unsecured PHI involving ScrubUP systems, ScrubUP will notify affected individuals, Facilities, and the U.S. Department of Health and Human Services as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). HIPAA COMPLAINTS Any HIPAA-related complaints may be directed to privacy@ScrubUP.com. You also have the right to file a complaint with the Office for Civil Rights (OCR) at www.hhs.gov/ocr.

We implement administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, use, alteration, and destruction: ENCRYPTION • All data transmitted between your device and our servers is encrypted using TLS 1.3 or higher • Sensitive data at rest (including credentials, financial data, and background check results) is encrypted using AES-256 ACCESS CONTROLS • Access to personal data is restricted to ScrubUP personnel and service providers with a legitimate need-to-know basis • Multi-factor authentication (MFA) is required for all ScrubUP administrative system access • Role-based access controls (RBAC) limit what each employee or system can access SECURITY MONITORING • Our systems are monitored 24/7 for unauthorized access attempts and anomalous activity • Intrusion detection and prevention systems are in place • Regular security vulnerability scans and penetration testing are conducted INCIDENT RESPONSE • ScrubUP maintains a documented Incident Response Plan • In the event of a security incident involving your personal data, we will notify you as required by applicable law, which may be within 72 hours for certain incidents PAYMENT SECURITY • ScrubUP uses PCI-DSS compliant payment processors • We do not store full payment card numbers, CVV codes, or other sensitive payment details on our servers IMPORTANT: No method of electronic transmission or storage is 100% secure. While we use commercially reasonable security measures, we cannot guarantee absolute security of your information. You use the Platform at your own risk.

We retain your personal information for as long as necessary to: • Maintain your active account and provide Platform services • Fulfill our legal and contractual obligations • Resolve disputes and enforce our agreements • Comply with applicable tax, accounting, and regulatory requirements RETENTION PERIODS BY DATA TYPE Account & Profile Data: Retained for the duration of your account plus 7 years after account closure (for potential dispute resolution and legal compliance). Shift & Transaction Records: Retained for 7 years following the Shift date, in accordance with IRS requirements and applicable state statutes of limitations. Background Check Results: Retained for the duration of your account plus 3 years, or as required by applicable state law (whichever is longer). Financial Records: Retained for 7 years as required by IRS regulations and applicable accounting standards. Communications & Messages: Retained for 3 years following account closure. Device & Usage Logs: Retained for 12 months for security analysis and troubleshooting. After the applicable retention period expires, we will securely delete or anonymize your information. You may request early deletion of your data subject to Section 9 and our legal retention obligations.

Depending on your location, you may have the following rights regarding your personal information: RIGHT TO ACCESS You may request a copy of the personal information we hold about you by contacting privacy@ScrubUP.com. We will respond within 30 days. RIGHT TO CORRECTION You may correct inaccurate or incomplete personal information through your account settings or by contacting us. RIGHT TO DELETION ("RIGHT TO BE FORGOTTEN") You may request deletion of your personal information. We will honor deletion requests subject to our legal retention obligations (e.g., tax records, legal disputes). Note that deleting your account will make your profile and Shift history inaccessible. RIGHT TO DATA PORTABILITY You may request a machine-readable copy of your personal data that you have provided to us. RIGHT TO RESTRICT PROCESSING You may request that we limit the way we use your data in certain circumstances. RIGHT TO OBJECT You may object to processing of your personal data based on legitimate interests, including direct marketing. RIGHT TO WITHDRAW CONSENT Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing. PUSH NOTIFICATIONS You may opt out of push notifications through your device's notification settings at any time. MARKETING COMMUNICATIONS You may opt out of marketing emails by using the "unsubscribe" link in any marketing email or by emailing privacy@ScrubUP.com. ANALYTICS OPT-OUT You may opt out of in-app analytics tracking in the Settings section of the Platform. HOW TO EXERCISE YOUR RIGHTS Submit your request to privacy@ScrubUP.com with your full name, registered email address, and a description of your request. We may need to verify your identity before processing your request. We will respond within 30 days (or 45 days for complex requests, with notice).

THE PLATFORM IS NOT INTENDED FOR USE BY ANYONE UNDER THE AGE OF 18. We do not knowingly collect, use, or disclose personal information from individuals under 18 years of age. If you are under 18, please do not use the Platform or submit any personal information. If we discover that we have inadvertently collected personal information from a person under 18, we will promptly delete that information. If you believe we have collected information from a minor, please notify us immediately at privacy@ScrubUP.com.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights: RIGHT TO KNOW You have the right to know what categories of personal information we collect, the purposes for which it is used, and the categories of third parties with whom it is shared. RIGHT TO DELETE You have the right to request deletion of your personal information, subject to certain exceptions. RIGHT TO CORRECT You have the right to request correction of inaccurate personal information. RIGHT TO OPT-OUT OF SALE OR SHARING We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. RIGHT TO LIMIT USE OF SENSITIVE PERSONAL INFORMATION You have the right to limit our use of sensitive personal information (such as SSN, health data, or precise geolocation) to purposes reasonably necessary to provide our services. RIGHT TO NON-DISCRIMINATION We will not discriminate against you for exercising your CCPA rights. CATEGORIES OF PERSONAL INFORMATION COLLECTED IN THE LAST 12 MONTHS: • Identifiers (name, email, phone, device ID) • Professional/employment information (credentials, license numbers) • Financial information (payment data via processor) • Protected characteristics (gender, age — for non-discrimination compliance only) • Commercial information (shift and transaction history) • Internet activity information (usage logs, device data) • Sensitive personal information (SSN for tax purposes, background check data) To exercise your California privacy rights, contact: privacy@ScrubUP.com or submit a request through the Platform's Settings. You may designate an authorized agent to make a request on your behalf.

ScrubUP is operated from and primarily stores data in the United States. If you access the Platform from outside the United States, your information will be transferred to, processed, and stored in the United States, where data protection laws may differ from those in your country of residence. For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that any international transfer of personal data is subject to appropriate safeguards, including: • Standard Contractual Clauses (SCCs) approved by the European Commission • Adequacy decisions where applicable • Other lawful transfer mechanisms By using the Platform from outside the United States, you consent to the transfer of your information to the United States as described in this Policy.

PUSH NOTIFICATIONS When you install the ScrubUP app, we may request permission to send you push notifications for shift alerts, application updates, confirmations, and other Platform activities. You may manage push notification preferences in your device's Settings at any time. Disabling push notifications may affect your ability to receive time-sensitive shift information. LOCATION DATA ScrubUP may request access to your device's approximate location to help match you with Shifts in your geographic area and to display relevant job postings. We do not collect or store precise GPS coordinates continuously in the background. You may revoke location permission through your device settings at any time. Revoking location access may limit certain Platform features. NO BACKGROUND LOCATION TRACKING ScrubUP does not track your location in the background when you are not actively using the Platform.

ANALYTICS We use analytics services (such as Expo's analytics tools and similar providers) to help us understand how the Platform is used and to improve user experience. These services collect usage data such as screen views, session duration, and interaction patterns. This data is aggregated and de-identified to the extent possible. THIRD-PARTY SDKS Our app may integrate third-party software development kits (SDKs) for purposes including crash reporting, performance monitoring, and analytics. Each third-party SDK operates under its own privacy policy. We select SDK providers that offer strong data protection commitments. NO CROSS-APP ADVERTISING TRACKING ScrubUP does not use your personal information for targeted advertising outside the Platform. We do not share your data with advertising networks for the purpose of behavioral advertising. OPT-OUT You may opt out of analytics collection in the Settings section of the Platform.

We conduct background checks on Healthcare Professionals through authorized Consumer Reporting Agencies (CRAs) as defined by the Fair Credit Reporting Act (FCRA). YOUR FCRA RIGHTS Before conducting any background check, ScrubUP will obtain your written authorization. You have the right to: • Receive a copy of your background check report • Be notified before any adverse action (e.g., account denial or termination) is taken based on background check results • Dispute inaccurate information in your background check report directly with the CRA ADVERSE ACTION PROCESS If we intend to take adverse action based on a background check report, we will provide you with: (1) a pre-adverse action notice, (2) a copy of the report, and (3) a summary of your FCRA rights. You will have a reasonable opportunity to dispute inaccuracies before final adverse action is taken. RETENTION Background check data is retained for the duration of your account plus 3 years, or as otherwise required by applicable state law. Background check data is not shared with third parties except as required for Platform operations or by law.

In the event of a data breach that compromises your personal information, ScrubUP will: 1. INVESTIGATE promptly upon discovery of a potential breach 2. CONTAIN the breach and implement corrective measures 3. ASSESS the scope and nature of the information affected 4. NOTIFY affected individuals within the timeframe required by applicable law (which in many U.S. states is 30–72 hours for certain categories of data) 5. REPORT to relevant regulatory authorities (including HHS for HIPAA breaches) as required 6. PROVIDE guidance on steps you can take to protect yourself Notifications will be provided by email to your registered email address and/or via in-app notification. If we cannot reach you individually, we may provide notice by a prominent posting on the Platform. To report a potential security vulnerability or suspected data breach, contact: security@ScrubUP.com.

The Platform may contain links to third-party websites, services, or resources (such as licensing board websites, payment processors, or healthcare regulatory agencies). These third-party services are operated independently and governed by their own privacy policies. ScrubUP is not responsible for the privacy practices of any third-party service. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform. ScrubUP's payment processing is handled by a PCI-DSS compliant third-party processor. When you submit payment information, you are providing it directly to the payment processor under their privacy policy.

ScrubUP may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. Material changes will be communicated to you via: • In-app notification • Email to your registered email address • A prominent notice on the Platform We will indicate the effective date of the updated Policy at the top of this page. Where required by law, we will obtain your consent to material changes. We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date of any update constitutes your acceptance of the updated Policy. For non-material changes (such as typographical corrections), we reserve the right to update the Policy without advance notice.

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Team: Privacy Officer ScrubUP, LLC Email: privacy@ScrubUP.com General Support: support@ScrubUP.com Security Concerns: security@ScrubUP.com HIPAA Inquiries: privacy@ScrubUP.com We aim to respond to all privacy inquiries within 5 business days. For formal rights requests (access, deletion, portability), we will respond within 30 days. If you are not satisfied with our response to a privacy complaint, you may have the right to lodge a complaint with your local data protection authority: • U.S. residents: Contact the FTC at www.ftc.gov • California residents: Contact the California Privacy Protection Agency • EU/UK residents: Contact your national Data Protection Authority • HIPAA concerns: Contact HHS Office for Civil Rights at www.hhs.gov/ocr

ScrubUP, LLC

This Privacy Policy was last updated on June 5, 2026. For privacy inquiries, contact privacy@ScrubUP.com.

© 2026 ScrubUP, LLC. All rights reserved.