NextLevel Flex‑Fi, LLC — Privacy Policy

dba NextLevel Patient Financing
Effective Update: September 16, 2025

1) Who We Are

This Privacy Policy explains how NextLevel Flex‑Fi, LLC (“NLFF,” “we,” “us,” or “our”) and its dba NextLevel Patient Financing (“NLPF”) collect, use, disclose, and protect information in connection with our websites, portals, and back‑office services (collectively, the “Services”).

• NLPF & HIPAA. NLPF supports healthcare providers with financing tools and, when acting on their behalf in connection with patient financing, may handle Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing rules (“HIPAA”). In those instances, NLPF acts as a Business Associate to covered entities and will enter into a Business Associate Agreement (BAA).
• NLFF (non‑healthcare contexts). Outside of the healthcare financing use case, NLFF does not seek to collect PHI and processes personal information pursuant to this Privacy Policy and applicable state privacy laws.

We partner with select technology, analytics, and operational providers to deliver the Services. We do not publicly disclose supplier names in this Policy; they are treated as “service providers” or “processors.”

2) Scope & Audience

This Policy applies to:

• Merchants, healthcare providers, clinics, and their staff using our back‑office portals;
• Consumers and patients completing a financing pre‑qualification or application journey; and
• Visitors to our websites and informational pages, including email, text/SMS, and other electronic messages between you and our sites.

This Policy also covers interactions with our advertising and applications on third‑party websites and services when those experiences link to this Policy. It does not apply to information collected by independent third parties that do not link to or reference this Policy.

This Policy does not replace a provider’s HIPAA Notice of Privacy Practices; patients should consult their provider’s NPP for details on how their medical information is used by the provider.

3) Definitions

• Personal Information (PI): Information that identifies or can be reasonably linked to a particular individual or household (e.g., name, email, phone, address, device IDs, IP, financial profile).
• PHI: Individually identifiable health information subject to HIPAA when NLPF acts as a Business Associate to covered providers.
• De‑identified/Anonymized Data: Data that cannot reasonably be linked to an individual.

4) Information We Collect

Depending on how you interact with the Services, we may collect:

A. Account & Business Profile Data
Contact information, merchant/provider details, licensing/credentials, business tax IDs, billing contacts, and user role/permissions.

B. Consumer/Patient Application Data
Information provided for financing pre‑qualification and applications, which may include identity and contact data, date of birth, partial or full SSN (as permitted), income, housing, employment, credit‑related information (including soft‑pull prequalification data), and, for NLPF when acting with a provider, limited PHI necessary to support financing (e.g., treatment category or cost estimate).

C. Transactional & Usage Data
Program enrollment, plan selections, fees, payouts, approvals/declines, timestamps, audit logs, device/browser metadata, IP address, cookies, page views, session recordings, and similar telemetry.

D. Communications
Support tickets, emails, chat messages, call recordings (where permitted by law), and survey responses.

E. Payment & Billing Data
Billing contacts, invoicing details, payment instrument tokens (handled by PCI‑compliant processors), and records of charges and refunds.

5) Sources of Information

• Directly from you (forms, uploads, support).
• From your organization (admin‑provided user accounts, program settings).
• From service providers (ID verification, credit bureaus via lenders, payment processors, fraud‑prevention vendors).
• From devices & cookies (analytics, security, session continuity).

6) How We Use Information

We use PI and PHI (where applicable) to:

1. Operate, secure, and improve the Services;
2. Facilitate financing pre‑qualifications and route applications to participating lenders;
3. Provide support, onboarding, training, and communications;
4. Process payments, payouts, and program fees;
5. Detect, prevent, and investigate fraud, abuse, or violations of our Terms;
6. Comply with laws, regulations, audits, and court orders; and
7. Create de‑identified or aggregated analytics to improve performance and approval rates.

We do not sell PI as commonly defined under U.S. state privacy laws. We may engage in limited “sharing” for cross‑context behavioral advertising only if/when you opt‑in (and you may opt‑out at any time).

7) How We Disclose Information

We disclose PI (and PHI under HIPAA‑permitted circumstances) to:

• Lenders and financing partners to evaluate and decision applications;
• Service providers/processors under contractual obligations of confidentiality, security, and permitted use;
• Your organization (merchant/provider admin visibility and reporting);
• Legal authorities when required by law or to protect rights, safety, or our Services; and
• Successors/assignees in connection with a corporate transaction, subject to continued protections.

We do not allow third parties to access PHI for advertising or marketing without appropriate HIPAA‑compliant authorization.

8) Cookies, Analytics & Tracking

We use cookies and similar technologies to remember preferences, maintain sessions, secure accounts, and analyze usage. You may manage cookie preferences via browser settings and any consent tools we provide. Some features may not function without essential cookies.

Technologies we may use include:

• Browser cookies & local storage. Small files that store settings and identifiers.
• Flash/Local Shared Objects. For certain media features (manage via Adobe settings).
• Pixels/Tags & SDKs. To measure usage and performance and to secure the Services.

Third‑party analytics & advertising. We may use third parties (e.g., Google Analytics) to measure usage and improve the Services. Where we offer interest‑based advertising, we do so only with your consent and provide opt‑out controls. You can learn about Google’s practices and opt out by using the Google Analytics Opt‑out Browser Add‑on (https://tools.google.com/dlpage/gaoptout). To opt out of interest‑based ads from Network Advertising Initiative members, visit http://www.networkadvertising.org/choices/.

9) Data Security

We employ administrative, technical, and physical safeguards reasonably designed to protect PI and PHI, including encryption in transit, access controls, logging, hardened infrastructure, and firewall‑protected environments. No method of transmission or storage is 100% secure; your use of the Services is at your own risk. Account security: You are responsible for keeping passwords confidential and for restricting access to your devices/accounts.

10) Data Retention

We retain PI/PHI for as long as necessary to provide the Services, comply with legal obligations (including HIPAA retention requirements when applicable), resolve disputes, and enforce agreements, then delete or de‑identify information consistent with our policies and the BAA (if applicable).

11) Your Privacy Rights (U.S. State Laws) & Your Choices

Depending on your state (e.g., CA, CO, CT, VA, UT), you may have rights to request access, correction, deletion, portability, and to opt‑out of certain processing. Submit requests via info@NextLevelFlexFi.com (Flex‑Fi Legal) or contact@NextLevelPatientFinancing.com (NLPF). We will verify your identity and respond within applicable timelines. Authorized agents may submit requests per state law.

Sensitive Data. We obtain your consent when required by law before processing sensitive data (e.g., SSN) and limit its use to necessary purposes.

Marketing communications. You can opt out of promotional emails using the unsubscribe link and texts by replying STOP (HELP for help). Transactional or service messages may still be sent where permitted.

Cookies & tracking controls. You can manage cookies in your browser; some features may not function without essential cookies. For analytics/ads choices, see Google Analytics Opt‑out and NAI choices noted above.

Do Not Sell/Share (CPRA). If we offer features that constitute a “sale” or “sharing” of PI under CPRA, we will provide a “Do Not Sell or Share My Personal Information” control and honor your choices.

12) Children’s Privacy

The Services are not intended for children under 16. We do not knowingly collect PI from children under 16. If you believe a child has provided PI, contact us to request deletion. California residents under 16 may have additional rights regarding the sale or sharing of their personal information; we do not knowingly sell or share the PI of consumers under 16.

13) HIPAA & PHI — NLPF Business Associate Commitment

When NLPF acts as a Business Associate:

• We use/disclose PHI only as permitted by the BAA and applicable law;
• We implement HIPAA‑required safeguards and workforce training;
• We ensure downstream subcontractors agree to the same restrictions;
• We provide breach notification without unreasonable delay as required by HIPAA;
• We make PHI available to the covered entity to support access, amendments, and accounting of disclosures; and
• Upon termination of the BAA, we return or destroy PHI, if feasible.

For care‑related questions or a provider’s HIPAA Notice of Privacy Practices, please contact your provider directly.

14) Changes to This Policy

We may update this Policy. Material changes will be posted with an updated Effective Date and, where required by law or at our discretion, we will notify you by email to your primary account email. Your continued use signifies acceptance of the revised Policy. You are responsible for maintaining a current, active, and deliverable email address and for reviewing updates.

15) Contact Us

NextLevel Flex‑Fi, LLC
dba NextLevel Patient Financing
Attn: Privacy
Email (Flex‑Fi Legal): info@NextLevelFlexFi.com
Email (NLPF): contact@NextLevelPatientFinancing.com
Mailing Address: One Atlantic Center 1201 W. Peachtree St. NW,  Suite 2300, Atlanta, GA 30309
Web: https://nextlevelpatientfinancing.com/contact-us