Effective date: September 1st 2025
Provider: Nuvio Software Inc. (NuvioLife, we, us)
Address: 333 Seymour St, Vancouver, British Columbia V6B 5A7, Canada
Contact: info@nuviolife.com
Security concerns: security@nuviolife.com
Privacy/GDPR inquiries: privacy@nuviolife.com
EU/UK Representative: privacy@nuviolife.com
1. Definitions
- Employer: A company or organization that sponsors or administers plans through the Service and authorizes users to access Employer functionality.
- Employee: An individual user employed by an Employer and participating in plans or benefits via the Service.
- Dependent: An eligible individual (e.g., spouse, partner, child) associated with an Employee’s plan profile under plan rules.
- Service: The NuvioLife app, website, cards, integrations, APIs, and related services.
2. Acceptance of Terms and Consent
- By creating an account, installing, accessing, using, or being shown/presented the Service (including demos, pilots, or evaluations), you agree to these Terms and our Privacy Policy.
- Explicit, informed consent: You consent to the collection, use, storage, and disclosure of personal information as described in our Privacy Policy. We document consent at signup and when material changes occur via checkbox/signature.
- Communication preferences: You may manage your communication preferences through your account settings. See Section 29 for detailed email communication terms and opt-out procedures.
3. Eligibility and Accounts
- The Service is available to Employers and their authorized users (including Employees and, where permitted, Dependents).
- Age restrictions: You must be at least 18 years old or the age of majority in your jurisdiction to create an account. For EU/EEA/UK users, you must be at least 16 years old or have parental consent if younger (subject to member state variations). Minor dependents may be covered under an Employee’s plan, but their data will be managed through the Employee’s account in compliance with applicable privacy laws.
- Employer administrators define user roles and authorizations; users must act only within assigned permissions.
- You must be legally capable of entering into these Terms in your jurisdiction.
- Account security obligations: You are responsible for:
  - Maintaining strong, unique passwords
  - Enabling multi-factor authentication when available
  - Protecting your login credentials from unauthorized access
  - Immediately notifying us of any suspected account compromise
  - All activities occurring under your account (whether authorized by you or not)
4. Regulatory Compliance and Verification
- We may perform identity verification and ongoing monitoring for compliance and risk management: KYC/AML/ATF, fraud prevention, security monitoring, audits, incident response, and regulatory reporting (e.g., FINTRAC), and comply with payment service provider obligations (e.g., RPAA/Payments Canada).
- We may collect/verify business and user information (e.g., legal business name, roles/authorizations, source of funds, and linkage to verified business accounts) for AML purposes.
- Export controls and sanctions: We comply with applicable export control laws and screen users against sanctions lists (including OFAC and other international sanctions lists). Service access may be restricted in certain jurisdictions.
- Audit rights: We reserve the right to audit Employer compliance with these Terms and applicable regulations. Users agree to cooperate with such audits and provide reasonable assistance. Non-compliance discovered during audits may result in service suspension or termination.
5. Privacy, Data Residency, and Security
- What we collect and why: App activity, device identifiers, IP address, email addresses and communication history, cookies/analytics, security logs, communications/support data, and information necessary to operate features, verify identity, enforce roles/permissions, process payments/claims, manage compliance/security/risk, and perform regulatory reporting. We process data only for specified, explicit, and legitimate purposes and do not further process in a manner incompatible with those purposes (purpose limitation principle). Disclosures to service providers are limited to what is needed (e.g., identity verification, AML/KYC screening, payment processors, card issuers, cloud hosting, email service providers, analytics) under contracts and safeguards.
- Data residency:
  - Canadian and worldwide customers: Data is stored in Canada.
  - U.S. customers: Data is stored in the United States.
  - EU/EEA/UK customers: Data may be transferred to and processed in Canada or the U.S. Such transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions (Canada has partial adequacy from the EU), or other appropriate safeguards under GDPR. We do not rely on Privacy Shield following its invalidation.
  - We maintain transparency about storage locations and comply with cross-border/provincial requirements (e.g., Quebec Law 25 assessments/consents where applicable).
- GDPR rights (EU/EEA/UK users): If you are located in the EU, EEA, or UK, you have additional rights including:
  - Right to access your personal data and receive a copy
  - Right to rectification of inaccurate data
  - Right to erasure (“right to be forgotten”) subject to legal retention requirements
  - Right to restrict processing in certain circumstances
  - Right to data portability in machine-readable format
  - Right to object to processing based on legitimate interests
  - Right to withdraw consent (without affecting lawfulness of prior processing)
  - Right to lodge a complaint with your local supervisory authority (you can find your authority at https://edpb.europa.eu/about-edpb/board/members_en)
  - To exercise these rights, contact privacy@nuviolife.com
  - We will respond to GDPR requests within one month (extendable by two months for complex requests)
- California privacy rights (CCPA/CPRA): California residents have additional rights including:
  - Right to know what personal information is collected, used, shared, or sold
  - Right to delete personal information (subject to exceptions)
  - Right to opt-out of sale or sharing of personal information (we do not sell personal information)
  - Right to non-discrimination for exercising privacy rights
  - Right to correct inaccurate personal information
  - Right to limit use of sensitive personal information
  - To exercise these rights, contact privacy@nuviolife.com or call [toll-free number to be added]
- Other U.S. state privacy rights: Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights under their respective state laws. Contact privacy@nuviolife.com to exercise rights under applicable state law.
- Security: We maintain an information security program aligned with SOC 2 and use AES-256 encryption for sensitive data (at rest and in transit), along with access controls, monitoring, and other safeguards. We implement privacy by design principles and data minimization practices.
- Cookies and tracking: We use necessary cookies for authentication and security. Optional cookies for analytics and functionality require consent in EU/EEA/UK jurisdictions. You can manage cookie preferences through our cookie banner or browser settings.
- Data breach notification: In the event of a security breach affecting personal information, we will notify affected users and relevant regulators within timeframes required by applicable law (typically within 72 hours of discovery for GDPR, and as required by provincial and state laws). Notifications will include the nature of the breach, potential impacts, and remediation steps taken or recommended.
- Cybersecurity incident response: In case of a data breach or cybersecurity incident:
  - We will conduct forensic investigation to determine scope and impact
  - Implement immediate containment measures
  - Provide credit monitoring services where required by law or deemed appropriate
  - Reset passwords and authentication credentials as necessary
  - You agree to cooperate with investigation and remediation efforts
- Limitation of liability for breaches: While we maintain robust security measures, no system is completely secure. We are not liable for breaches caused by:
  - Third-party service providers or partners (subject to their own terms)
  - User negligence (weak passwords, phishing response, credential sharing)
  - Advanced persistent threats or zero-day exploits unknown at the time
  - Force majeure events including state-sponsored attacks
  - Breaches occurring after you should have reasonably updated credentials
  - Ransomware attacks where we have implemented industry-standard protections
- Ransomware and backup policy:
  - We maintain regular backups according to industry best practices
  - We will not pay ransoms to cybercriminals
  - Recovery time objectives depend on the severity and scope of the incident
  - Users should maintain their own records and documentation independently
- Third-party privacy practices: Partners’ privacy practices are governed by their own policies; please review them. International service providers and processors are subject to appropriate data processing agreements and safeguards (including Standard Contractual Clauses for EU data transfers). We do not transfer personal data to international organizations without appropriate safeguards.
- Automated decision-making: If we use automated decision-making that significantly affects you, we will provide meaningful information about the logic involved and allow you to request human review where required by law. EU/EEA/UK users have the right to not be subject to decisions based solely on automated processing (including profiling) that produces legal or similarly significant effects, except where necessary for contract performance, authorized by law, or based on explicit consent.
6. Account Deletion and Data Retention
- Right to request deletion: Users (including Employees and Dependents) may request account deletion via in-app controls or by contacting info@nuviolife.com. We will verify identity and delete/anonymize personal information within a reasonable time (within 30 days for GDPR requests).
- Legal/compliance exceptions: Deletion does not apply to information we must retain for legal, regulatory, tax, audit, fraud-prevention, dispute-resolution, or security purposes. Retention periods vary by jurisdiction and data type (e.g., 7 years for tax records, 3-6 years for business records depending on jurisdiction, longer periods if litigation is pending). Retention necessary for compliance may continue notwithstanding a request to withdraw consent, to the extent permitted by law.
- Claims retention for audits: Claims and related records are retained for seven (7) years for CRA/IRS audit and tax compliance. For CRA/IRS audits, we disclose only the minimum necessary non-diagnostic data elements (name, amount, general category of services, provider). After the retention period, we securely delete or anonymize these records.
- U.S. tax records: HSA-related records required for IRS reporting (Forms 1099-SA, 5498-SA) and state tax reporting are retained in accordance with federal and state requirements (generally 7 years). W-2 reporting information for employer contributions is retained as required by law.
- GDPR retention principles (EU/EEA/UK users): Personal data is retained only as long as necessary for the purposes for which it was collected, or as required by legal obligations. We maintain a data retention schedule documenting specific retention periods for different data categories based on purpose and legal requirements.
- Access/correction/withdrawal: Users retain rights to access and correct information and may withdraw consent subject to legal/contractual restrictions and reasonable notice. EU/EEA/UK users may export their data in a structured, commonly used, machine-readable format (data portability).
7. Services; Benefits Administration; U.S. Participants; HIPAA
- PHSP/HSA/FSA/HRA administration: We administer plans in line with CRA rules for PHSPs, including eligible expenses, proper tax treatment, and records retention. For U.S. participants, we maintain records and reporting for HSAs (Health Savings Accounts), FSAs (Flexible Spending Accounts), and HRAs (Health Reimbursement Arrangements) as applicable.
- U.S. tax reporting: For U.S. HSA participants, we:
  - File IRS Forms 1099-SA (distributions) and 5498-SA (contributions) as required
  - Provide necessary information for Form 8889 (HSA tax form) completion
  - Report employer contributions for W-2 reporting purposes
  - Provide year-end tax statements to account holders
  - Apply backup withholding (24% as of 2024) if required due to missing or incorrect TIN
  - Comply with state tax reporting requirements where applicable
  - Note: California and New Jersey do not recognize HSA tax benefits at the state level
  - May be required to withhold for state tax purposes in certain jurisdictions
- Tax document delivery: Tax forms are provided electronically by default (with consent) or via mail by January 31 for 1099s and May 31 for 5498s, per IRS requirements. State tax forms follow applicable state deadlines.
- HIPAA (when applicable): When acting as a business associate to a covered entity or group health plan, we comply with HIPAA, enter BAAs, apply the minimum necessary standard, and obtain authorization for non-permitted uses/disclosures.
- Plan modifications: Changes to benefit plans will be communicated with at least 30 days’ notice where possible (60 days for material modifications to U.S. ERISA plans). Grace periods for submitting claims under previous plan terms will be specified in change notifications. Pending claims will be processed under the plan terms in effect at the time of service. COBRA continuation coverage obligations remain with the Employer for U.S. plans.
8. Claims Processing, Verification, and Fraud Prevention
Claim Review and Verification Rights
- Right to verify claims: We reserve the absolute right to:
  - Review, audit, and verify any claim before, during, or after payment
  - Request additional documentation, receipts, or proof of service
  - Contact service providers directly to verify services rendered, amounts charged, and dates of service
  - Require itemized receipts (credit card statements alone are insufficient)
  - Conduct random audits of claims at any time, including previously paid claims
- Claim holds and delays: We may place claims on hold for up to 30 days (or longer if fraud is suspected) to:
  - Verify authenticity of documentation
  - Contact healthcare or service providers
  - Investigate unusual claim patterns
  - Await additional requested information
  - Coordinate with Employers regarding suspicious activity
Claim Denial and Suspension Rights
- Grounds for denial: We may deny or reverse claims for:
  - Ineligible expenses under plan terms
  - Insufficient or altered documentation
  - Services not actually rendered
  - Duplicate submissions
  - Submission after plan deadlines
  - Suspected or confirmed fraudulent activity
  - Non-response to verification requests within specified timeframes
  - Violation of plan terms or these Terms
- Account suspension for fraud: If we suspect fraudulent activity, we may immediately:
  - Suspend all pending claims
  - Freeze account access
  - Initiate recovery of improperly paid claims
  - Report to law enforcement and regulatory authorities
  - Terminate account access permanently
Provider Verification and Communication
- Direct provider contact: You authorize us to:
  - Contact any service provider named in your claims
  - Verify services, amounts, dates, and patient identity
  - Request clinical notes where permitted by law
  - Share claim information with providers for verification purposes
  - Report suspected provider fraud to appropriate authorities
- Provider requirements: Service providers must be:
  - Properly licensed in their jurisdiction
  - Operating within scope of practice
  - Providing services actually rendered to the claimant
Employer Notification and Coordination
- Fraud notification to Employers: We will notify Employers when we identify:
  - Confirmed fraudulent claims by Employees or Dependents
  - Patterns suggesting systematic abuse
  - Criminal investigations involving plan participants
  - Material violations of plan terms
- Information sharing with Employers: While maintaining privacy obligations, we may share:
  - Aggregated fraud statistics
  - Specific fraud incidents affecting plan integrity
  - Recommendations for plan modifications to prevent abuse
  - Required information for Employer’s own investigations
Recovery and Legal Action
- Recovery rights: We maintain the right to:
  - Recover improperly paid claims through any legal means
  - Offset future claims against amounts owed
  - Initiate collections proceedings
  - Report debts to credit agencies where permitted
  - Pursue criminal charges for fraud
- Your cooperation obligations: You agree to:
  - Respond to verification requests within 10 business days
  - Provide original documentation upon request
  - Cooperate with fraud investigations
  - Repay improperly paid claims upon demand
  - Authorize providers to release information for verification
Consequences of Fraud
- Penalties for fraudulent claims:
  - Immediate account termination
  - Recovery of all improperly paid amounts plus interest
  - Potential criminal prosecution
  - Permanent ban from Service
  - Reporting to professional licensing bodies where applicable
  - Civil litigation for damages including legal costs
- No limitation period: There is no time limit on our right to investigate, reverse, or recover fraudulent claims.
Modification of Procedures
- Right to modify procedures: We reserve the right to modify claim processing procedures, verification requirements, and anti-fraud measures at any time to address emerging threats, regulatory requirements, or operational needs. Such modifications are effective immediately upon implementation and do not require prior notice when necessary for fraud prevention or security.
9. Service Level and Availability
- Service availability: We target 99.9% uptime for core services, excluding scheduled maintenance.
- Maintenance windows: Scheduled maintenance will typically occur during off-peak hours (11 PM – 3 AM PT) with at least 48 hours’ advance notice for non-emergency maintenance.
- Emergency maintenance: We reserve the right to perform emergency maintenance without advance notice to address critical security or operational issues.
- Response times: We aim to acknowledge critical issues within 2 hours and provide resolution timelines based on severity levels defined in our support documentation.
10. Cards, Funds, and Partners
- Cards and partners: If you receive a prepaid or other payment card, you agree to issuer/network terms. General prepaid and financial regulatory requirements (including AML/KYC) apply.
- Custodial/trust funds: Funds may be held pending disbursement; interest may accrue and, unless otherwise required by law or agreement, may be retained to offset program costs. Deposit insurance depends on partner institutions and account structures; see partner disclosures.
- Currency and payment methods: Services are priced in Canadian Dollars (CAD) for Canadian customers and U.S. Dollars (USD) for U.S. customers. We accept payment via ACH, wire transfer, credit card, and other methods as specified. Foreign exchange rates, if applicable, will be clearly disclosed.
11. Fees, Taxes, and Refunds
- You agree to pay fees communicated at signup, in an order form, fee schedule, or within the Service. Fees may include onboarding/setup (covering KYC/AML and integrations), custom integrations, late payment fees, and network/processing or card-related fees.
- Canadian taxes: Applicable taxes including GST/HST/QST apply as required.
- U.S. taxes:
  - Federal and state taxes apply where applicable
  - Backup withholding may apply if valid TIN is not provided
  - State sales tax collected where required by nexus laws
  - Employers are responsible for employment tax obligations on contributions
- Tax liability: You are responsible for determining and fulfilling your tax obligations. We provide tax forms but do not provide tax advice. Consult a tax professional for guidance.
- Refund policy: Refund requests must be submitted within 30 days of the charge. Setup fees are non-refundable. Monthly/annual fees may be prorated for partial periods at our discretion.
- Error resolution: Payment errors, duplicate charges, or claim disputes must be reported within 60 days. We will investigate and resolve errors within 10 business days of notification.
- Chargeback procedures: Initiating a chargeback without first contacting us may result in immediate account suspension.
12. Acceptable Use
You will not use the Service for unlawful, fraudulent, or prohibited activities. Specifically, you will not:
- Engage in money laundering, terrorist financing, sanctions evasion, or violations of RPAA, Payments Canada, or other applicable laws/regulations
- Bypass security measures, reverse engineer, scrape data, or access systems without authorization
- Submit false claims or misrepresent eligibility for benefits
- Share account credentials or allow unauthorized access
- Use the Service to harass, defame, or harm others
- Upload malicious code or attempt to disrupt service operations
- Violate intellectual property rights of others
- Engage in any activity that could damage our reputation or operations
13. Employer Rights and Responsibilities
- Administrator obligations: Employers must maintain accurate plan information, promptly update employee eligibility, and ensure proper authorization for all administrator actions.
- Data access: Employer administrators may access aggregated plan usage data and individual employee data only as necessary for plan administration and in compliance with privacy laws.
- Data processing agreements: For EU/EEA/UK Employers, we will enter into appropriate Data Processing Agreements (DPAs) as required under GDPR Article 28, defining roles, responsibilities, and security measures for processing employee personal data.
- Payment obligations: Employer non-payment may result in suspension of services. Employees will receive 30 days’ notice before service termination due to Employer non-payment, where legally required.
- Compliance responsibility: Employers are responsible for ensuring their use of the Service complies with their obligations under employment law, benefits regulations (including ERISA for U.S. plans where applicable), and collective agreements.
- Fraud response obligations: Employers agree to:
  - Cooperate with fraud investigations involving their Employees or Dependents
  - Take appropriate employment actions for confirmed fraud cases
  - Implement recommended controls to prevent future fraud
  - Not rehire individuals terminated for benefits fraud without disclosure to us
14. API and Integration Terms
- API access: If granted API access, you must comply with our API documentation, rate limits, and technical requirements.
- Rate limits: API calls are subject to rate limits specified in our developer documentation. Exceeding limits may result in temporary throttling or suspension.
- Data standards: All data exchanged via API must conform to our specified formats and validation rules.
- Integration security: You are responsible for securing your integration credentials and any data received through our APIs.
15. Non-Compete and Non-Circumvention
- To the maximum extent permitted by applicable law, for twenty-four (24) months from the later of (a) your first access to the Service or (b) the date the Service was shown/presented to you (including demos, pilots, proofs of concept, or evaluations), you will not directly or indirectly design, develop, market, or assist any third party in designing, developing, or marketing any product or service that is substantially similar to or competes with the Service.
- Exceptions: This does not prohibit independent development that does not use NuvioLife confidential information or IP, or activities expressly permitted by a separate written agreement.
- Scope: This provision applies primarily to Employer accounts and enterprise users, not individual Employees using the Service solely for personal benefit claims.
- Enforceability: Applies only where lawful and enforceable. If any portion is unenforceable, it will be narrowed to the maximum extent permitted or severed, with the remainder continuing in effect.
16. Suspension, Freezes, and Termination
- We reserve the right, in our sole discretion, to cancel, freeze, hold, suspend, or terminate any account or transaction (Employer or Employee/Dependent) for any reason, including suspected fraud, misuse, policy violations, non-payment, risk concerns, or to meet legal/regulatory obligations (e.g., KYC/AML/ATF, RPAA/Payments Canada, audits, incident response).
- You may stop using the Service at any time; termination does not relieve you of accrued fees or obligations.
- Effect on pending claims: Upon termination, pending eligible claims will be processed according to plan terms, subject to applicable cutoff dates.
17. Intellectual Property; License; Feedback
- We and our licensors own all rights in the Service (software, documentation, designs, trademarks). We grant you a limited, revocable, non-exclusive, non-transferable license to use the Service as permitted by these Terms.
- You grant us a royalty-free, irrevocable license to use feedback you provide to improve the Service.
18. Third-Party Services
- The Service may rely on or link to third-party services (e.g., identity verification, card issuers, processors, insurers, hosting, analytics). Their terms and privacy practices are governed by their own policies.
19. Accessibility
- We strive to maintain WCAG 2.1 Level AA compliance for our web and mobile applications.
- We comply with applicable accessibility laws including the Americans with Disabilities Act (ADA) for U.S. users and the Accessibility for Ontarians with Disabilities Act (AODA) where applicable.
- If you encounter accessibility barriers, please contact us at info@nuviolife.com for assistance.
20. Changes to the Service and to These Terms
- Right to modify: We reserve the right to modify these Terms, the Privacy Policy, and the Service at any time at our sole discretion. This includes the right to add, modify, or remove features, functionality, or benefits; change eligibility requirements; modify claim procedures; or discontinue the Service entirely.
- Notice requirements:
  - Material changes: Changes that materially affect your rights or obligations will be communicated via email or prominent in-app notification at least 30 days before taking effect, unless required sooner by law or urgent security needs
  - Non-material changes: Minor updates, clarifications, or corrections may be made without prior notice but will be posted with an updated effective date
  - Emergency changes: Changes required for security, fraud prevention, or legal compliance may take effect immediately with simultaneous or prompt subsequent notice
- Continued use constitutes acceptance: Your continued use of the Service after changes take effect constitutes acceptance of the modified Terms. If you do not agree to the changes, you must stop using the Service before the changes take effect.
- Review responsibility: You are responsible for regularly reviewing these Terms. The “Effective Date” at the top of this document indicates when Terms were last updated. We may maintain a change log or version history at our discretion, but you should not rely on this and must review the full Terms periodically.
- Special consent requirements: Where required by law (e.g., GDPR for material privacy changes), we will seek explicit renewed consent rather than relying on continued use. Changes to arbitration or class action waiver provisions require separate notice and may require affirmative consent in some jurisdictions.
- No waiver of rights: Our ability to modify these Terms does not waive your statutory rights under applicable consumer protection, privacy, or other laws that cannot be contracted away.
21. Disclaimers
- The Service is provided “as is” and “as available.” To the extent permitted by law, we disclaim warranties of merchantability, fitness for a particular purpose, and non-infringement.
- We do not guarantee that the Service will be error-free, uninterrupted, or secure against all threats.
22. Limitation of Liability
- To the extent permitted by law, NuvioLife and its affiliates are not liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or lost profits, revenues, data, or goodwill.
- Our aggregate liability will not exceed the amounts you paid for the Service in the 12 months preceding the event giving rise to the claim.
- Cybersecurity incidents: Notwithstanding the above, our liability for data breaches or cybersecurity incidents is limited to:
  - Direct damages proven to result from our gross negligence or willful misconduct
  - Credit monitoring services as required by applicable breach notification laws
  - Statutory damages only where mandated by applicable privacy laws (e.g., GDPR)
- We are not liable for breaches resulting from vulnerabilities disclosed but not patched by users within reasonable timeframes
23. Indemnification
- You will defend, indemnify, and hold harmless NuvioLife and its affiliates against claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to your use of the Service, your breach of these Terms, or your violation of applicable law.
24. Dispute Resolution
- Informal resolution: Before initiating formal proceedings, parties agree to attempt good faith resolution through direct communication for at least 30 days.
- Arbitration: Except where prohibited by law, disputes will be resolved through binding arbitration under the rules of the ADR Institute of Canada. Arbitration will be conducted in Vancouver, British Columbia, or virtually by agreement.
- Class action waiver: To the extent permitted by law, you waive any right to bring claims as a plaintiff or class member in any purported class action, class arbitration, or representative proceeding.
- Exceptions: Claims for injunctive relief, intellectual property disputes, or claims within small claims court jurisdiction may be brought in court.
25. Force Majeure
- Neither party will be liable for delays or failures in performance resulting from causes beyond reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, pandemic, network infrastructure failures, strikes, or shortages of transportation facilities, fuel, energy, labor, or materials.
- The affected party must promptly notify the other party and use reasonable efforts to mitigate the impact of the force majeure event.
26. Governing Law and Venue
- These Terms are governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein, without regard to conflicts of law principles.
- Jurisdiction:
  - Courts in Vancouver, British Columbia have exclusive jurisdiction, except where applicable law provides otherwise for consumers or as specified in the Dispute Resolution section.
  - EU/EEA/UK users: Nothing in these Terms affects your rights to bring claims in your local courts as permitted under GDPR and local consumer protection laws.
  - U.S. users: State consumer protection laws may provide additional rights and remedies.
27. Notices
- Legal notices should be sent to: Nuvio Software Inc., 333 Seymour St, Vancouver, British Columbia V6B 5A7, Canada. Privacy inquiries can be sent to privacy@nuviolife.com.
- Electronic notices to you: Will be sent to your registered email address and deemed received 24 hours after sending, unless we receive an automated bounce-back message. For critical legal notices that bounce, we will attempt alternative contact methods as specified in Section 30.
- Email validity: You are responsible for ensuring your registered email address remains valid and functional. See Section 30 for detailed email communication terms.
- Notices to us are effective upon receipt.
28. Assignment; Severability; Entire Agreement; Survival
- You may not assign these Terms without our prior written consent. We may assign these Terms without restriction. If any provision is held invalid, it will be limited or severed to the minimum extent necessary, and the remainder will remain in effect.
- These Terms, together with the Privacy Policy and any applicable order forms or addenda, constitute the entire agreement between you and NuvioLife. All updates and modifications to these Terms become part of this agreement when effective.
- Binding effect: These Terms, including all updates and modifications made in accordance with Section 20, are binding upon and inure to the benefit of the parties and their respective successors and permitted assigns.
- Survival: The following sections survive termination: Definitions, Privacy provisions, Retention requirements, Email retention and security obligations, Claims verification and fraud prevention rights, Recovery and legal action rights, Intellectual Property, Disclaimers, Limitation of Liability, Indemnification, Dispute Resolution, Governing Law, provisions regarding changes to Terms, and this Survival clause.
29. Text Messaging and Communications
- SMS/text consent (U.S. users): By providing a mobile phone number, you consent to receive text messages about your account, claims, and services. Message and data rates may apply.
- TCPA compliance: For U.S. users, we comply with the Telephone Consumer Protection Act (TCPA). You may opt out of text messages by replying STOP.
- Communication channels: We may communicate via email, in-app notifications, SMS (where consented), or mail. You are responsible for maintaining current contact information.
30. Email Communications and Compliance
Email Consent and Categories
- Regulatory compliance: We comply with Canada’s Anti-Spam Legislation (CASL) and the U.S. CAN-SPAM Act for all email communications.
- Email categories and consent:
  - Transactional emails (no opt-out): Security alerts, password resets, claim confirmations, payment receipts, account suspensions, terms updates, and other critical service-related messages
  - Administrative emails (opt-out available): Benefit information, plan updates, wellness programs, and service announcements
  - Marketing/promotional emails (explicit opt-in required): Product features, partner offers, surveys, and promotional content
- Express consent: By providing your email address, you explicitly consent to receive transactional and administrative emails. Marketing emails require separate opt-in consent, which can be managed in your account settings.
Email Management
- Email verification: You must verify your email address upon registration. We may periodically require re-verification to maintain account security.
- Unsubscribe mechanisms: All non-transactional emails include a one-click unsubscribe link. Unsubscribe requests are processed within 10 business days. You may also manage email preferences in your account settings.
- Email address changes: Changes to your primary email address require verification through both the old and new email addresses, where possible, for security purposes.
Email Delivery and Security
- Delivery limitations: We do not guarantee email delivery. Emails may be blocked by spam filters, server issues, or incorrect addresses. You are responsible for:
  - Maintaining a valid email address
  - Checking spam/junk folders regularly
  - Whitelisting the nuviolife.com domain
  - Ensuring your email service provider accepts our messages
- Bounce handling: If your email address generates repeated hard bounces, we may:
  - Suspend email communications
  - Attempt contact through alternative methods
  - Require email address verification before resuming service
- Email security:
  - Sensitive information in emails is minimized or encrypted where technically feasible
  - We will never request passwords, full payment card numbers, or SIN/SSN via email
  - Report suspected phishing emails to security@nuviolife.com
Third-Party Email Services
- Service providers: We may use third-party email service providers (e.g., SendGrid, AWS SES) to send emails. These providers are bound by contractual obligations to protect your information.
- Email tracking: We may use standard email tracking technologies to monitor open rates, click rates, and delivery success for service improvement and security purposes.
Email Retention and Data
- Retention period: Email communication logs are retained for 24 months for security, compliance, and dispute resolution purposes.
- Email sharing: Your email address is not sold or rented to third parties. It may be shared with service providers solely for delivering our services and only under strict confidentiality agreements.
Anti-Phishing and Security
- Legitimate emails: All legitimate NuvioLife emails will:
  - Come from an @nuviolife.com domain
  - Include your name or account identifier
  - Never request sensitive information via email
  - Include our physical mailing address (333 Seymour St, Vancouver, British Columbia V6B 5A7, Canada) in the footer
- Phishing protection: If you receive suspicious emails claiming to be from NuvioLife:
  - Do not click links or download attachments
  - Forward the email to security@nuviolife.com
  - Delete the suspicious email
  - Log into your account directly through our official website to verify any claimed account issues
Alternative Communication
- Failed email delivery: If we cannot reach you via email for critical matters (e.g., security breaches, legal notices), we may attempt contact through:
  - SMS (if consented)
  - In-app notifications
  - Postal mail
  - Phone (for urgent security matters only)
- Your obligations: You agree to:
  - Maintain a current, valid email address
  - Promptly update your email if it changes
  - Review emails from us in a timely manner
  - Configure email filters to accept our messages