Omi Scribe Cloud — United States Privacy Addendum
Version: 1.0
Effective: 11 May 2026
Provider: Omi Health B.V., Eindhoven, Netherlands
Contact: [email protected] · [email protected]
This addendum supplements the Omi Scribe Cloud — Privacy Notice at /legal/cloud-privacy and the Omi Scribe Cloud — Data Processing Addendum (DPA) for Customers established in, or processing personal information subject to the laws of, the United States.
Where this addendum conflicts with the Privacy Notice or DPA, this addendum controls for US personal information.
US HIPAA-regulated workflows additionally require a signed Business Associate Agreement (BAA); contact [email protected] to request the BAA template.
1. Hosting region
US Customers are served from the US region (Azure Central US). Customer Content is stored and processed in the United States. AI inference uses Azure AI Foundry (US Data Zone Standard) to keep model processing within the US data zone.
2. HIPAA
2.1 Business Associate Agreement
If the Service is used by a HIPAA Covered Entity or a Business Associate of a Covered Entity to process Protected Health Information (PHI), a written Business Associate Agreement between Omi Health and the Customer must be in effect before any PHI is submitted to the Service. Contact [email protected] to request the standard BAA template.
2.2 PHI restrictions
In the absence of a BAA:
- The Customer must not submit PHI to the Service
- Customer Content submitted by the Customer is treated as non‑PHI personal information
2.3 Breach notification
Where a Breach of Unsecured PHI (as defined by 45 CFR § 164.402) occurs, Omi Health will notify the Covered Entity Customer in accordance with the BAA and 45 CFR § 164.410 timelines. Omi Health will not notify HHS directly except as instructed by the Covered Entity or as required by law for incidents involving 500 or more individuals.
2.4 Subcontractors
Omi Health’s sub‑processors that may handle PHI (principally Microsoft Corporation for Azure infrastructure and Azure AI Foundry) have executed Business Associate Agreements with Omi Health.
3. State consumer privacy laws
The Service may be subject to one or more US state consumer privacy laws depending on Customer and end‑user residency, including:
- California: California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
- Virginia: Virginia Consumer Data Protection Act (VCDPA)
- Colorado: Colorado Privacy Act (CPA)
- Connecticut: Connecticut Data Privacy Act (CTDPA)
- Utah: Utah Consumer Privacy Act (UCPA)
- Texas: Texas Data Privacy and Security Act (TDPSA)
- Oregon, Montana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, and other states with comprehensive consumer privacy laws
Where these laws apply, Customer-resident data subjects have rights including (depending on state):
- Right to know / access
- Right to delete
- Right to correct
- Right to opt out of sale, sharing for cross‑context behavioural advertising, and certain profiling decisions
- Right to limit use of sensitive personal information
- Right to data portability
To exercise rights: [email protected]. Where Omi Health is a Processor for Customer Content, requests should be directed to the Customer (the Controller / Business) in the first instance.
3.1 No sale, no behavioural sharing
Omi Health does not sell personal information and does not share personal information for cross‑context behavioural advertising under CCPA/CPRA or analogous provisions of other state laws.
3.2 Sensitive personal information
Health information processed by the Service is sensitive personal information under several state laws. Omi Health processes such information only as necessary to provide the Service under the Customer’s documented instructions, consistent with applicable state law limitations on use of sensitive personal information.
3.3 Universal opt-out signals
Where state law requires honouring Universal Opt-Out Mechanisms (such as Global Privacy Control (GPC)) on consumer-facing surfaces, Omi Health will honour such signals on its public website. Within the Service itself, Customer-side consent and configuration govern.
4. Children
The Service is not directed to children. The Customer remains responsible for compliance with COPPA and equivalent state laws for any paediatric care setting.
5. International transfers
US Customers’ Customer Content is processed in the US region and does not leave the United States in the ordinary course of operation. Where authorised remote support access from outside the United States is required (for example, from Omi Health’s headquarters in the Netherlands), transfers are governed by:
- EU Standard Contractual Clauses for any access by EU/EEA-based personnel
- The EU‑U.S. Data Privacy Framework (DPF), where applicable through Microsoft Corporation’s certification, for the Azure platform underlying the Service
- Encryption, access controls, and audit logging as supplementary measures
6. Government access requests
Omi Health will not disclose Customer Content to government authorities except as required by valid legal process. Where legally permitted, Omi Health will:
- Notify the Customer before disclosure
- Challenge requests that appear overbroad or unlawful
- Provide the Customer with information about the request
Omi Health publishes aggregate statistics of government access requests on a yearly basis where transparency reporting is supported by counsel.
7. Supervisory authorities and complaints
US privacy rights are enforced state-by-state by State Attorneys General and (for HIPAA) by the HHS Office for Civil Rights (OCR) at https://www.hhs.gov/ocr. The Federal Trade Commission has unfair-and-deceptive-practice jurisdiction for some matters.
US data subjects may submit complaints to their state attorney general or, for HIPAA matters, to HHS OCR. For California residents: California Attorney General’s Office at https://oag.ca.gov.
8. Sub‑processors
The list of sub‑processors at /legal/sub-processors applies, with the US region detail in Section 1.3 of that document.
9. Liability and order of precedence
In the event of conflict between this addendum, a BAA, and the Privacy Notice or DPA, the order of precedence is:
1. Executed BAA (for PHI processing)
2. This US Privacy Addendum (for non-PHI US personal information)
3. The DPA
4. The Privacy Notice
10. Contact
- General privacy enquiries: [email protected]
- BAA execution and US contracting: [email protected]
- Security incidents: [email protected]
Omi Health B.V. — Eindhoven, Netherlands