HIPAA Statement

Experience.com HIPAA Statement (2026 Edition)

Effective Upon Publication

Entity: BuyersRoad, Inc. d/b/a Experience.com

Address: 2010 Crow Canyon Place, Suite 100, San Ramon, CA 94583-1344 USA

Business Associate Agreement for Experience.com "Covered Entity" Customers

These Standard HIPAA Business Associate Agreement Terms and Conditions ("HIPAA Addendum") are incorporated into the Master Services Agreement for Customers that are Covered Entities (as defined below) and that provide Protected Health Information ("PHI") to BuyersRoad, Inc. d/b/a Experience.com ("Experience.com") in connection with the Experience.com for Local Business and Enterprise services they have purchased.

This HIPAA Addendum supplements and is incorporated by reference into Experience.com's Privacy Notice and Terms of Use. It applies only to Covered Entity customers that have executed a Master Services Agreement including these HIPAA terms.

Experience.com is headquartered at 2010 Crow Canyon Place, Suite 100, San Ramon, CA 94583-1344 USA.

1. Catch-All Definitions

The following terms have the meanings assigned to them in 45 C.F.R. Parts 160 and 164: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

2. Specific Definitions

Unless otherwise defined, terms have the same meaning as in the Privacy Rule or HITECH Act.

  • Breach — As defined in 42 U.S.C. § 17921.
  • Business Associate — Experience.com, as that term is defined in 45 C.F.R. § 160.103.
  • Covered Entity — Clients of Experience.com subject to HIPAA.
  • HIPAA Rules — The Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
  • Protected Health Information (PHI) — Individually identifiable health information as defined in 45 C.F.R. § 160.103, limited to information created or received by Experience.com from or on behalf of the Covered Entity.
  • Unsecured PHI — As defined by the HITECH Act and guidance issued thereunder.

3. Obligations and Activities of Experience.com

Use and Disclosure of PHI

Experience.com shall not use or disclose PHI other than as permitted by this HIPAA Addendum or as Required by Law. It shall not use or disclose PHI for marketing or fundraising, nor receive remuneration for PHI except as allowed by the HITECH Act and approved in writing by the Covered Entity.

Safeguards

Experience.com shall use appropriate administrative, physical, and technical safeguards and comply with Subpart C of 45 C.F.R. Part 164 to prevent unauthorized use or disclosure. Experience.com encrypts PHI in transit and at rest, employs role-based access control, and maintains audit logs for all access to PHI.

Mitigation

Experience.com shall mitigate, to the extent practicable, any harmful effect resulting from an unauthorized use or disclosure of PHI.

Reporting

Experience.com shall promptly report to the Covered Entity any use or disclosure of PHI not provided for by this Addendum, including any breach of unsecured PHI or security incident of which it becomes aware. Experience.com will notify the Covered Entity within thirty (30) business days of discovery. The Covered Entity remains responsible for notifying affected individuals and regulators unless otherwise agreed in writing.

Subcontractors

Experience.com shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees to the same restrictions and requirements. All such subcontractors must sign a Business Associate Agreement or equivalent security addendum and maintain SOC 2 or comparable security controls.

Access and Amendment

Experience.com shall provide access to PHI in a Designated Record Set as requested by the Covered Entity to meet 45 C.F.R. § 164.524. Requests will be fulfilled within thirty (30) days where applicable.

Accounting of Disclosures

Experience.com shall maintain the information required to provide an accounting of disclosures under 45 C.F.R. § 164.528 and make it available to the Covered Entity upon request.

Security Obligations

Experience.com shall comply with 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316. It shall ensure its agents and subcontractors implement reasonable and appropriate safeguards to protect PHI and shall report any security incident promptly.

Pattern of Breach by Covered Entity

If Experience.com becomes aware of a pattern of activity by the Covered Entity that constitutes a material violation of this Addendum, Experience.com shall take reasonable steps to cure the breach or end the violation. If unsuccessful, it shall terminate the Underlying Agreement if feasible or report the violation to HHS.

4. Permitted Uses and Disclosures by Experience.com

Experience.com may use or disclose PHI to perform functions, activities, or services for the Covered Entity as specified in the Underlying Agreement, provided such use or disclosure would not violate the Privacy Rule if done by the Covered Entity.

  • Management and Administration: Experience.com may use PHI for its own management or legal responsibilities and disclose PHI as Required by Law or with reasonable assurances of confidentiality.
  • Minimum Necessary: Experience.com and its subcontractors shall limit use and disclosure to the minimum necessary to accomplish the purpose.
  • Data Aggregation: Experience.com may use PHI to provide data aggregation services related to health care operations for the Covered Entity.
  • Report Violations of Law: Experience.com may use PHI to report violations of law to appropriate authorities.

No Sale or Sharing for Advertising: Experience.com does not sell or share PHI for analytics or advertising purposes as defined under the California Privacy Rights Act (CPRA).

5. Covered Entity Responsibilities

  • Notice of Privacy Practices: Covered Entity shall notify Experience.com of any limitations in its privacy practices that affect Experience.com's use or disclosure of PHI.
  • Changes in Permissions or Restrictions: Covered Entity shall inform Experience.com of any revocation or restriction affecting PHI.
  • Permissible Requests: Covered Entity shall not request Experience.com to use or disclose PHI in a manner not permitted by HIPAA.
  • Audit and Legal Disclosure: Experience.com may disclose limited PHI to auditors or regulators solely for compliance verification. Such disclosures shall not constitute a breach.

6. Term and Termination

Term

This Addendum is effective on the date the Covered Entity first provides PHI to Experience.com and remains in effect until all PHI is returned or destroyed.

Termination for Cause

Either party may terminate this Addendum for material breach after providing sixty (60) days' written notice and failure to cure. Experience.com may also terminate if the Covered Entity fails to meet its HIPAA obligations and creates regulatory risk.

Post-Termination Obligations

Upon termination, Experience.com shall return or destroy all PHI received from the Covered Entity or created on its behalf. If return or destruction is infeasible, Experience.com shall extend the protections of this Addendum to such PHI and limit further use to the purposes that make return or destruction infeasible.

Experience.com may alternatively de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and retain such de-identified data for lawful analytics, research, or benchmarking purposes.

7. Miscellaneous Terms

  • Regulatory References: References to the Privacy Rule or HITECH Act mean those sections as amended.
  • No Third-Party Beneficiaries: This Addendum confers no rights on any third party.
  • Independent Contractor: Experience.com acts as an independent contractor under this Addendum.
  • Amendments: Experience.com may update this HIPAA Addendum with thirty (30) days' notice by email or website posting. Continued use of services after such notice constitutes acceptance.
  • Governing Law: This HIPAA Addendum is governed by the laws of the State of California and interpreted consistently with Experience.com's Terms of Use.

8. Contact Information

Questions about this HIPAA Addendum or Experience.com's data-protection practices may be directed to:

Privacy Office

privacy@experience.com

compliance@experience.com

(925) 815-8114

BuyersRoad, Inc. d/b/a Experience.com

2010 Crow Canyon Place, Suite 100

San Ramon, CA 94583-1344 USA

✅ Plain Meaning:

Experience.com protects health information for enterprise clients under HIPAA and HITECH, uses strong security and encryption, and never sells or shares PHI for advertising. Clients that handle PHI must execute this Addendum to ensure compliance.