Acceptable Use Policy

PaiKnight LLC Effective Date: June 19, 2026 Version: 0.1 (Draft)

Defined Terms

For purposes of this Acceptable Use Policy (“AUP”), the following terms have the meanings set forth below. Terms defined in the Terms of Service and not otherwise defined herein have the meanings ascribed to them in the Terms of Service.

• “PaiKnight” means PaiKnight LLC, a Delaware limited liability company, and its officers, directors, employees, contractors, and agents.

• “Provider” means the licensed U.S. dental or oral-surgery practice, clinic, or professional entity that has executed the Terms of Service and any associated Business Associate Agreement (“BAA”) with PaiKnight and whose account grants access to the Services.

• “Authorized Users” means the employees, contractors, and representatives of the Provider who have been granted access credentials to the Services by the Provider, in accordance with the Terms of Service.

• “Services” means the administrative revenue-cycle-management platform operated by PaiKnight, including any associated software, workflows, templates, dashboards, reports, communications tools, and support offerings made available to the Provider and its Authorized Users under the Terms of Service. The Services are limited to administrative coordination in connection with dental and oral-surgery insurer reimbursement (pre-authorization, gap exceptions, denials, administrative appeals, and related functions). The Services do not include the practice of law, the practice of medicine or dentistry, insurance adjusting, or debt collection by PaiKnight in its own name.

• “PHI” means “Protected Health Information” as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”), as that definition may be amended from time to time.

1. Purpose and Scope

1.1 Purpose

This AUP establishes the rules governing acceptable and prohibited conduct in connection with the Provider’s and its Authorized Users’ access to and use of the Services. This AUP is designed to protect the security, integrity, and legal compliance posture of the Services; to safeguard PHI handled through the Services; to reinforce PaiKnight’s status as an administrative Business Associate under HIPAA; and to prevent uses of the Services that could expose PaiKnight, the Provider, Authorized Users, or patients to legal, regulatory, or financial harm.

1.2 Incorporation into Terms of Service

This AUP is incorporated by reference into, and forms an integral part of, the Terms of Service between PaiKnight and the Provider. References herein to the “Terms of Service” mean the then-current PaiKnight Terms of Service, as may be updated from time to time. In the event of a conflict between this AUP and the Terms of Service, the Terms of Service shall control unless this AUP expressly states otherwise. Violations of this AUP constitute violations of the Terms of Service and are subject to all remedies available under the Terms of Service, including suspension and termination of access, as further described in Section 5 below.

1.3 Who Is Bound

This AUP applies to the Provider and to each of its Authorized Users. The Provider is responsible for ensuring that all of its Authorized Users are made aware of, and comply with, this AUP. The Provider’s acceptance of the Terms of Service constitutes the Provider’s agreement to this AUP on behalf of itself and all of its Authorized Users.

1.4 Administrative Posture

PaiKnight operates exclusively as an administrative Business Associate, as that term is defined under HIPAA. The Services are limited to pre-litigation, administrative coordination on behalf of Providers in connection with insurer reimbursement for dental and oral-surgery procedures. Nothing in the Services, and nothing generated or produced through use of the Services, constitutes the practice of law, the rendering of legal advice, the practice of medicine or dentistry, a clinical determination, utilization review on behalf of an insurer, or debt collection by PaiKnight in its own name. The Provider and its Authorized Users must use the Services in a manner consistent with this administrative posture.

2. Prohibited Uses

The Provider and its Authorized Users must not use the Services for any of the following purposes or in any of the following ways. This list is illustrative, not exhaustive.

2.1 Unlawful, Infringing, or Harmful Activity

No person may use the Services to:

1. violate any applicable federal, state, or local law, rule, or regulation, including without limitation HIPAA, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the Federal Trade Commission Act, the Telephone Consumer Protection Act, the CAN-SPAM Act, the Fair Debt Collection Practices Act (“FDCPA”), or applicable state consumer-protection, privacy, or debt-collection statutes;

2. infringe, misappropriate, or violate any third party’s intellectual-property rights, including copyrights, trademarks, trade secrets, or patents;

3. engage in fraudulent, deceptive, or misleading conduct in connection with insurer communications, patient communications, or Provider billing; or

4. engage in any activity that could expose PaiKnight, the Provider, or any patient to civil or criminal liability.

2.2 Unauthorized or Improper PHI Upload or Disclosure

No person may use the Services to upload, transmit, or disclose PHI:

1. that the Provider lacks the legal authority or patient authorization to disclose under HIPAA, applicable state law, or the Provider’s own HIPAA policies and procedures;

2. for any purpose that exceeds the minimum necessary standard under HIPAA;

3. on behalf of any patient or covered entity other than the Provider itself; or

4. in a manner that violates the executed BAA between the Provider and PaiKnight.

2.3 No Legal or Medical Advice; No Medical-Necessity Determinations

No person may use the Services, or any output, document, template, letter, or communication generated through the Services, as:

1. legal advice, a legal opinion, or a substitute for advice from a licensed attorney;

2. medical advice, a clinical recommendation, or a substitute for advice from a licensed healthcare professional; or

3. a determination, recommendation, or statement of medical necessity or clinical appropriateness for any patient.

PaiKnight does not author clinical judgment. All clinical content — including, without limitation, Letters of Medical Necessity, cephalometric analyses, and treatment-plan documentation — must originate with and be independently reviewed and approved by the Provider’s licensed clinical personnel. The Provider and its Authorized Users must not represent or imply to any third party (including insurers or patients) that any output of the Services constitutes a legal or medical determination.

2.4 No Debt Collection in PaiKnight’s Name

No person may use the Services to collect, attempt to collect, or represent to any patient, insurer, or third party that PaiKnight is collecting any debt, balance, or amount owed. All patient-balance reminders and collection-related communications generated through the Services must be sent in the Provider’s name and on the Provider’s behalf. Authorized Users must not alter templates, branding, or sender-identification fields in any way that represents PaiKnight as the collecting party or as acting in its own name.

2.5 No Percentage-of-Recovery or Volume-Based Compensation Arrangements

No person may use the Services, or any fee schedule, agreement, or arrangement entered into in connection with the Services, to:

1. structure, represent, negotiate, or accept any fee, compensation, or benefit payable to PaiKnight that is calculated as, or functions as, a percentage of any recovery, collection, reimbursement, procedure value, or treatment volume;

2. structure, represent, negotiate, or accept any fee, compensation, or benefit payable to PaiKnight that is tied to the number of patient referrals generated for, or by, the Provider; or

3. mischaracterize any fixed administrative fee charged by PaiKnight as a contingency arrangement or a percentage of any recovery or collection.

All fees payable to PaiKnight are fixed administrative fees as set forth in the applicable PriceBook and billed at defined case milestones. No fee is based on, or varies with, the amount recovered, the procedure value, treatment volume, or referral activity.

2.6 No Operation Outside Approved Launch States

No Provider may use the Services to onboard or manage patients, cases, or insurer communications in any state that is not included in the then-current approved launch-state list maintained by PaiKnight. Authorized Users must not circumvent, override, or attempt to bypass the geographic restrictions built into the Services. The approved launch-state list is published by PaiKnight and may be updated from time to time as PaiKnight obtains or confirms the applicable licenses and compliance postures required to operate in additional states. Operating in an unapproved state may constitute an unauthorized use of the Services and a violation of applicable state licensure requirements.

2.7 No Circumvention of the Administrative-Only Posture

No person may use the Services to:

1. generate, draft, prepare, or transmit any legal demand letter, litigation filing, statutory notice of rights (in a legal-advocacy context), or other document designed to assert legal entitlement in a judicial or quasi-judicial proceeding, other than through the attorney-gated escalation pathway available in the Services (which routes to an independent, U.S.-licensed attorney);

2. represent PaiKnight, the Provider, or any Authorized User as appearing in a legal capacity before any court, arbitration panel, administrative tribunal, or similar body;

3. represent or imply that PaiKnight is acting as the insured’s representative in a disputed insurance claim, as a public adjuster, or as a utilization reviewer on behalf of any insurer; or

4. use the appeal-template or document-drafting features of the Services to generate communications that assert legal entitlement, threaten litigation, or use language that implies the retention or involvement of legal counsel where no such counsel has been separately engaged.

2.8 Security Violations

No person may use the Services to:

1. probe, scan, test, or attempt to circumvent, disable, or bypass any security control, access-control mechanism, firewall, encryption layer, or authentication system of the Services or any related infrastructure;

2. share, disclose, transfer, or make available access credentials (usernames, passwords, API keys, session tokens, MFA codes) to any person who is not an Authorized User authorized to hold those specific credentials;

3. use the account credentials of another Authorized User without that person’s knowledge and authorization;

4. scrape, harvest, or systematically extract data from the Services through automated means (bots, crawlers, scripts) other than through PaiKnight’s documented API features and within applicable rate limits;

5. introduce, upload, or transmit any virus, worm, Trojan horse, ransomware, spyware, adware, denial-of-service tool, or other malicious code or software into the Services or any connected system; or

6. attempt to access any account, system, data store, or resource of the Services that the accessing person is not authorized to access.

2.9 Misuse of Provider or Patient Data

No person may use the Services to:

1. access, view, use, copy, export, or disclose another Provider’s patient data, case data, or account information without that Provider’s express written authorization;

2. access PHI relating to a patient for any purpose other than the specific administrative case for which the Provider has engaged PaiKnight’s Services;

3. correlate, aggregate, or re-identify de-identified data to reconstruct PHI or to identify individual patients; or

4. use any PHI or patient data accessed through the Services for any commercial purpose outside the scope of the Services, including for marketing, profiling, solicitation, or sale to any third party.

2.10 Reverse Engineering and Intellectual Property Violations

No person may:

1. reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, underlying algorithms, trade secrets, or proprietary methodologies of the Services;

2. copy, reproduce, distribute, sublicense, sell, or create derivative works of any portion of the Services or its documentation without PaiKnight’s prior written consent;

3. remove, alter, or obscure any proprietary notices, copyright notices, or trademarks displayed in or through the Services; or

4. use the Services or any output of the Services to develop or train a competing product or service.

3. Security Obligations

3.1 Credential Protection

The Provider is responsible for protecting all access credentials (usernames, passwords, MFA codes, API keys, and session tokens) issued to, or created by, the Provider or its Authorized Users. The Provider must:

1. ensure that each Authorized User has a unique set of credentials and that credentials are not shared among multiple individuals;

2. require Authorized Users to use strong, unique passwords and to change passwords promptly upon any suspected compromise;

3. revoke access credentials promptly — and in any event within one (1) business day — upon the departure, termination, or role change of an Authorized User whose access is no longer appropriate; and

4. notify PaiKnight immediately upon becoming aware of any unauthorized use of, or unauthorized access to, any account credentials.

3.2 Multi-Factor Authentication

The Provider must ensure that all Authorized Users enable and maintain multi-factor authentication (“MFA”) for their accounts with the Services, to the extent that MFA is offered by PaiKnight. PaiKnight reserves the right to require MFA as a condition of continued access.

3.3 Least-Privilege Access

The Provider is responsible for assigning and maintaining access roles and permissions within the Provider’s organization that are consistent with the principle of least privilege — meaning each Authorized User should have access only to the patient cases, PHI, and functions of the Services that are necessary for that individual’s specific job duties. The Provider must periodically review its Authorized Users’ access rights and revoke or adjust any access that is no longer necessary.

3.4 Incident Reporting

If the Provider or any of its Authorized Users discovers or reasonably suspects any of the following, the Provider must notify PaiKnight at abuse@paiknight.com as promptly as practicable, and in any event within the time period required under the BAA:

1. any unauthorized access to, disclosure of, or acquisition of PHI stored or transmitted through the Services;

2. any compromise, theft, or unauthorized use of account credentials;

3. any introduction of malicious software into the Services; or

4. any other security incident or breach (as defined under HIPAA or applicable state law) involving the Services.

The obligation to report under this Section 3.4 is in addition to, and does not limit, any obligation under the BAA, HIPAA, or applicable state breach-notification law.

4. Data and PHI Handling Expectations

4.1 Provider as Covered Entity

The Provider is the HIPAA Covered Entity. PaiKnight acts as the Provider’s Business Associate pursuant to the executed BAA. The Provider retains ultimate responsibility for its obligations as a Covered Entity under HIPAA, including ensuring that its use of the Services, and its Authorized Users’ use of the Services, complies with HIPAA and all applicable state health-privacy laws.

4.2 Minimum Necessary Standard

The Provider and its Authorized Users must upload, access, use, and disclose PHI through the Services only to the extent that such access, use, or disclosure is the minimum necessary to accomplish the specific administrative purpose for which the Services have been engaged for that patient case. Authorized Users must not access PHI beyond the scope of their assigned cases or job duties.

4.3 Authorized Users Only

PHI accessible through the Services may be accessed and used only by Authorized Users who (a) have a current, valid business need to access the PHI in connection with an active administrative case, (b) have completed any HIPAA training required by PaiKnight or the Provider, and (c) whose access has not been suspended or revoked. The Provider must not share PHI accessible through the Services with any person who is not an Authorized User.

4.4 Breach Reporting to PaiKnight

Upon discovering or reasonably suspecting a Breach of Unsecured PHI (as defined in HIPAA and the BAA) involving PHI stored or transmitted through the Services, the Provider must report such Breach to PaiKnight in accordance with the procedures, timelines, and notice requirements set forth in the BAA. Such reporting obligations are in addition to, and do not limit, the Provider’s independent breach-reporting obligations to patients, the U.S. Department of Health and Human Services, and applicable state regulators.

4.5 No Unauthorized Secondary Use

The Provider and its Authorized Users must not use PHI obtained through the Services for any purpose other than the administrative revenue-cycle-management services for which PaiKnight has been engaged. Unauthorized secondary uses include, without limitation, marketing, research (without proper IRB authorization and patient consent), or any use that is not authorized under the BAA and the Provider’s HIPAA policies.

5. Monitoring, Enforcement, and Cooperation

5.1 PaiKnight’s Right to Monitor

PaiKnight reserves the right, but has no obligation, to monitor use of the Services to verify compliance with this AUP and the Terms of Service, to investigate suspected violations, and to protect the security and integrity of the Services, including PHI stored therein. Monitoring activity may include review of access logs, audit trails, communications logs, and document activity records maintained within the Services.

5.2 Suspension and Termination

Violations of this AUP are violations of the Terms of Service. Without limiting the remedies available under the Terms of Service, PaiKnight may, at its sole discretion and without prior notice where circumstances warrant:

1. suspend access to the Services for the offending Authorized User, the Provider’s account, or both;

2. terminate the Terms of Service and the Provider’s account, including all access to the Services, in accordance with the termination provisions of the Terms of Service; and

3. report the suspected violation to appropriate law-enforcement authorities, regulatory agencies (including the U.S. Department of Health and Human Services Office for Civil Rights), or other relevant third parties.

Suspension or termination under this Section 5.2 does not limit PaiKnight’s right to seek any other remedy available at law or in equity, including injunctive relief and monetary damages.

5.3 Preservation of Evidence

Upon notice or reasonable suspicion of a security incident, breach, or material AUP violation, PaiKnight may preserve any relevant logs, records, documents, or communications related to the incident, including audit-trail records, access logs, PHI transaction logs, and communications sent through the Services. The Provider must cooperate with PaiKnight’s reasonable requests for information in connection with any such investigation.

5.4 Cooperation with Investigations

The Provider and its Authorized Users must cooperate fully and promptly with any investigation by PaiKnight, law-enforcement agencies, or regulatory authorities (including HHS OCR) relating to conduct that may constitute a violation of this AUP, the Terms of Service, the BAA, HIPAA, or applicable law. Cooperation includes, without limitation, preserving relevant records, providing access to relevant personnel and documentation within the Provider’s control, and refraining from taking any action that would destroy, alter, or conceal relevant evidence.

6. Reporting Abuse

If the Provider, any Authorized User, or any other person becomes aware of a suspected violation of this AUP — including a security incident, unauthorized PHI disclosure, suspected misuse of the Services, or any activity that appears to violate applicable law — that person should report the suspected violation to PaiKnight at:

Email: abuse@paiknight.com

PaiKnight will review all reports submitted in good faith and take such action as it deems appropriate in its sole discretion. PaiKnight will use commercially reasonable efforts to maintain the confidentiality of the reporter’s identity, to the extent consistent with applicable law and PaiKnight’s legal obligations.

7. Changes to This AUP

PaiKnight reserves the right to modify this AUP at any time by providing notice to the Provider in accordance with the notice provisions of the Terms of Service. The updated AUP will be effective as of the date specified in the notice, which will be no less than thirty (30) days after notice is provided, unless a shorter period is required by law or necessary to address an imminent security risk or legal compliance issue. Continued use of the Services after the effective date of the updated AUP constitutes the Provider’s acceptance of the updated terms. If the Provider does not agree to the updated AUP, the Provider’s sole remedy is to terminate the Terms of Service in accordance with the termination provisions therein prior to the effective date of the updated AUP.

8. General Provisions

8.1 Governing Law

This AUP is governed by the laws of the State of Delaware, without regard to its conflict-of-laws principles, consistent with the governing-law provision of the Terms of Service.

8.2 Severability

If any provision of this AUP is held to be invalid, illegal, or unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, or if modification is not possible, severed from this AUP, and the remaining provisions will continue in full force and effect.

8.3 No Waiver

PaiKnight’s failure to enforce any provision of this AUP on any occasion does not constitute a waiver of PaiKnight’s right to enforce that provision on any other occasion or to enforce any other provision.

8.4 Entire Agreement on Acceptable Use

This AUP, together with the Terms of Service, the BAA, and any other agreements incorporated by reference into the Terms of Service, constitutes the entire agreement between PaiKnight and the Provider with respect to acceptable use of the Services and supersedes all prior and contemporaneous understandings on that subject.

8.5 Contact

Questions about this AUP may be directed to: abuse@paiknight.com

Document: Acceptable Use Policy | Company: PaiKnight LLC | Version: 1.0 | Last Updated: June 19, 2026