Victory AI — Confidential

VICTORY AI
Privacy Policy

Effective Date: April 14, 2026 | Last Updated: April 14, 2026

Victory AI, Inc. ("Victory AI," "we," "us," or "our") operates an opioid use disorder ("OUD") outcomes intelligence platform (the "Platform") that aggregates, analyzes, and reports on clinical, behavioral, and operational data to help healthcare providers, payers, treatment programs, research partners, and public health organizations improve outcomes for individuals affected by OUD. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with the Platform and our website.

Important notice regarding sensitive health information. The Platform handles protected health information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA") and, in many cases, substance use disorder ("SUD") patient records governed by 42 C.F.R. Part 2 ("Part 2"). These categories of information receive heightened legal protection. Our obligations as a Business Associate, qualified service organization, or Part 2 lawful holder are governed primarily by our Business Associate Agreements ("BAAs"), Qualified Service Organization Agreements ("QSOAs"), Data Use Agreements ("DUAs"), or other written contracts with covered entities, Part 2 programs, and customers ("Customer Agreements"). In the event of any conflict between this Privacy Policy and an applicable Customer Agreement with respect to PHI or Part 2 records, the Customer Agreement controls.

1. Scope of This Policy

This Privacy Policy applies to:

- Information we collect through our website, marketing channels, and sales interactions;
- Information we collect from authorized users of the Platform, including clinicians, administrators, case managers, analysts, and other personnel of our customers ("Authorized Users");
- Patient-level information that our customers transmit to or make available through the Platform, to the extent not otherwise governed by a Customer Agreement; and
- Information we generate through operation of the Platform, including de-identified and aggregated data sets.

This Policy does not apply to information handled by our customers in their own systems, by third-party integrations the customer selects, or by independent healthcare providers outside the Platform.

2. Information We Collect

2.1 Information Provided by Customers and Authorized Users

- Account and identity information for Authorized Users (name, work email, job title, organization, NPI where applicable, authentication credentials).
- Clinical and behavioral health data relating to patients or members with or at risk for OUD, which may include demographics, diagnoses (including SUD diagnoses), medications (including medications for opioid use disorder such as buprenorphine, methadone, and naltrexone), laboratory and toxicology results, treatment encounters, care plans, social determinants of health, claims data, assessments (e.g., ASAM, PHQ-9, GAD-7), overdose events, and outcomes measures.
- Operational and program data, such as referral sources, admissions, discharges, retention, no-shows, and utilization.
- Communications and support requests you send to us.

2.2 Information Collected Automatically

- Device and log data (IP address, browser type, operating system, timestamps, pages visited, referring URLs).
- Usage analytics regarding Platform features, dashboards, and queries run by Authorized Users.
- Security telemetry, including authentication events, access logs, and audit trails.
- Cookies and similar technologies, as described in Section 8.

2.3 Information from Third Parties

- Data from customer-authorized sources such as electronic health records, health information exchanges, pharmacy benefit managers, laboratories, state prescription drug monitoring programs (where permitted), claims clearinghouses, and public health registries.
- Information from service providers that support identity verification, fraud prevention, and infrastructure.
- Publicly available data sets used for benchmarking and research (e.g., CDC, SAMHSA, state public health data).

We do not knowingly collect information directly from patients. Patients interact with our customers, not with Victory AI. If you are a patient and believe your information is on the Platform, please contact your healthcare provider or treatment program.

3. How We Use Information

We use information for the following purposes, in each case consistent with HIPAA, Part 2, applicable Customer Agreements, and applicable law:

- Providing the Platform: delivering outcomes analytics, risk stratification, care coordination tools, reporting, and dashboards to authorized customers and users.
- Improving outcomes and population health: generating quality measures, performance indicators, and cohort analyses to support OUD treatment and recovery.
- Product development and machine learning: training, testing, validating, and improving algorithms and models used within the Platform, using de-identified or limited data sets to the maximum extent feasible and as permitted by Customer Agreements and law.
- Security, fraud prevention, and audit: detecting, investigating, and responding to unauthorized access, breaches, and misuse.
- Customer support and account management: responding to inquiries, troubleshooting, training, and communicating about the service.
- Legal and regulatory compliance: complying with applicable law, responding to lawful requests, and cooperating with regulators.
- Research and public health: supporting research activities only where permitted by law, IRB or privacy board approval (where required), and the applicable Customer Agreement; most research uses de-identified data sets.

We do not sell PHI or Part 2 records. We do not use PHI or Part 2 records for targeted advertising. We do not permit re-identification of de-identified data except as expressly authorized by law and by contract.

4. Legal Bases and Permitted Disclosures

We handle PHI only as permitted by HIPAA, applicable BAAs, and Customer Agreements. We handle Part 2 records only as permitted by Part 2, applicable QSOAs or DUAs, and, where required, written patient consent. Typical permitted disclosures include:

- Disclosures back to the originating covered entity, Part 2 program, or customer.
- Disclosures to subcontractors that have signed BAAs, QSOAs, or equivalent obligations.
- Disclosures required by law, including in response to valid subpoenas, court orders, or regulatory process (for Part 2 records, only as specifically permitted by 42 C.F.R. Part 2).
- Disclosures of de-identified information that no longer meets the definition of PHI under 45 C.F.R. § 164.514(b) or Part 2 records under 42 C.F.R. § 2.11.
- Disclosures necessary to prevent or lessen a serious and imminent threat, to the extent permitted by law.

5. De-Identified and Aggregated Data

We may create de-identified information in accordance with the HIPAA Safe Harbor or Expert Determination methods and, where applicable, the Part 2 de-identification standard. Once de-identified, such information is no longer PHI or a Part 2 record and may be used and disclosed for lawful purposes, including benchmarking, research, product development, and publication of aggregate statistics. We contractually prohibit recipients of de-identified data from attempting re-identification.

6. How We Share Information

6.1 Service Providers and Subcontractors

We share information with vetted vendors who perform services on our behalf, including cloud hosting, data storage, security monitoring, analytics infrastructure, customer support tooling, and communications. These vendors are bound by written agreements that restrict use and disclosure, require appropriate safeguards, and, where applicable, include BAA, QSOA, or equivalent terms.

6.2 Customers

Information submitted by or about a customer is made available to that customer and, subject to access controls the customer configures, to its Authorized Users. Each customer is responsible for its users' activities within the Platform.

6.3 Legal and Safety

We may disclose information if required by law, subpoena, or legal process; to protect our rights, property, or safety or that of others; to enforce our agreements; or in connection with investigations of fraud, security incidents, or illegal activity. For Part 2 records, we follow the specific disclosure procedures in 42 C.F.R. §§ 2.61–2.67.

6.4 Business Transactions

If Victory AI is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to customary confidentiality protections and to the continuing application of HIPAA, Part 2, and Customer Agreements.

7. Data Security

We maintain an information security program designed to protect the confidentiality, integrity, and availability of information on the Platform. Measures include encryption of data in transit and at rest, role-based access controls, multi-factor authentication, network segmentation, vulnerability management, continuous logging and monitoring, employee background checks and training, incident response procedures, and regular third-party assessments (e.g., SOC 2 Type II, HITRUST, or equivalent). No security program is perfect, and we cannot guarantee absolute security.

Breach notification. In the event of a breach of unsecured PHI or a breach involving Part 2 records, we will notify affected customers without unreasonable delay and in accordance with HIPAA, Part 2, applicable state laws, and the applicable Customer Agreement.

8. Cookies and Tracking Technologies

Our website and Platform use cookies, local storage, and similar technologies for authentication, session management, preferences, analytics, and security. We do not use third-party advertising cookies on portions of the Platform that present PHI. You can control cookies through your browser settings; disabling certain cookies may affect Platform functionality.

9. Data Retention

We retain information for as long as needed to provide the Platform, to comply with legal, regulatory, tax, accounting, and audit obligations, to resolve disputes, and to enforce our agreements. Retention of PHI and Part 2 records is governed by the applicable Customer Agreement. Upon termination of a Customer Agreement, we return or destroy customer data as specified in that agreement, or retain it as required by law.

10. International Data Transfers

The Platform is operated in the United States. If you access the Platform from outside the United States, you understand that information will be transferred to, stored in, and processed in the United States and potentially other jurisdictions where our service providers operate, which may have data protection laws different from your jurisdiction.

11. Your Rights and Choices

11.1 Patients

Patients generally exercise privacy rights (including rights to access, amend, or request restrictions on PHI) directly with the covered entity or Part 2 program from which the information originated. If you are a patient, please contact your provider or treatment program. We will support customers in responding to such requests as required by HIPAA, Part 2, and the applicable Customer Agreement.

11.2 Authorized Users

Authorized Users may update their account information through the Platform or by contacting their organization's administrator. You may also contact us to exercise rights described below.

11.3 State Privacy Rights

Residents of certain U.S. states (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as applicable) may have rights to access, correct, delete, port, or opt out of certain processing of personal information. Many of these laws do not apply to PHI governed by HIPAA, information collected in an employment or business-to-business context, or information held by a processor on behalf of a controller. To the extent these rights apply to information we control about you, you may submit a request using the contact information below. We will verify your request and respond as required by law. You may also designate an authorized agent to submit a request on your behalf.

11.4 Do Not Track

Our website does not currently respond to "Do Not Track" browser signals. We treat Global Privacy Control signals as opt-out signals for sale and sharing of personal information where required by law, though we do not sell or share personal information for cross-context behavioral advertising.

12. Children's Privacy

The Platform is not directed to children under 13, and we do not knowingly collect personal information from children under 13 except as part of authorized clinical or treatment data received from our customers in compliance with applicable law. Adolescents receiving OUD treatment may have heightened protections under state law, and those protections apply through our customers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting a notice on our website, updating the "Last Updated" date above, and, where appropriate, notifying customers through the Platform or by email. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated Policy.

14. Contact Us

Questions, concerns, or requests regarding this Privacy Policy or our privacy practices should be directed to:

Victory AI, Inc. — Privacy Office
Attn: Privacy Officer / HIPAA Privacy Official
Email: privacy@victory.ai
Mailing address: [Insert Address]

For security incident reports: security@victory.ai