SMS and Email Communications Policy

Opt-In, Opt-Out, Privacy, and Anti-Fraud Standards

1. Overview and Purpose

StrokePages, a service operated by Upper East Care LLC ("StrokePages," "we," "us," or "our"), provides a stroke activation notification platform used by hospitals and healthcare organizations to alert their clinical staff of stroke activations and related operational events, and operates a separate business line used for customer support and general business communications.

This policy explains how StrokePages handles SMS (text message) and email communications across both channels, how recipients are enrolled (opt-in), how they can stop receiving messages (opt-out), how we protect message channels against fraud and impersonation, and how this policy aligns with applicable U.S. federal and state laws and industry standards.

This policy applies to all SMS and email messages sent by or on behalf of StrokePages.

2. Who Receives Messages and What We Send

StrokePages operates two distinct SMS channels, each with its own purpose, its own audience, and its own separately registered messaging program. Understanding the difference between them is important because it helps recipients identify legitimate StrokePages communications and recognize suspicious or fraudulent messages.

2.1 Stroke Alert Channel (clinical operational alerts)

The Stroke Alert Channel is used to deliver time-critical operational notifications to clinical staff. Messages on this channel are sent only to clinical staff and authorized hospital personnel who have been enrolled in the StrokePages platform by an authorized hospital administrator as part of a stroke team or covered service.

Message types on this channel include:

• Stroke activation alerts — operational notifications generated when a hospital initiates a stroke activation through the StrokePages platform.
• Account and system notifications — messages related to a recipient's enrollment, device assignment, access credentials, scheduled maintenance, service status, and similar operational matters.

StrokePages does not send marketing, promotional, or advertising messages on the Stroke Alert Channel. Stroke alert messages never contain Protected Health Information (PHI), consistent with the StrokePages HIPAA Risk Assessment Attestation dated November 20, 2025.

2.2 Customer Support Channel (main business line)

The Customer Support Channel is the main StrokePages business line. It is used for one-to-one conversational messaging in response to inbound inquiries and for ordinary business communications. Messages on this channel are sent to hospital staff, hospital administrators, prospective customers, existing customers, vendors, and other contacts who reach out to StrokePages or who have an existing business relationship with StrokePages.

Message types on this channel include:

• Replies and responses — answers to inbound questions, requests for support, and inbound texts initiated by the contact.
• Appointment and meeting confirmations — confirmations and reminders for scheduled demos, training sessions, calls, and meetings the contact has requested or agreed to.
• Business and account communications — follow-ups, document requests, and ordinary business communications with hospital customers, prospects, and partners.

All texting on the Customer Support Channel is one-to-one or in direct response to a message initiated by the contact. StrokePages does not send bulk marketing or promotional campaigns on this line, and messages on this channel do not contain Protected Health Information.

2.3 What StrokePages does not do

• StrokePages does not text patients, family members, or the general public on either channel.
• StrokePages does not send Protected Health Information by SMS or email on any channel.
• StrokePages does not sell or share recipient phone numbers or email addresses with third parties for their marketing.

3. Consent and Opt-In

3.1 Hospital-mediated enrollment (Stroke Alert Channel)

Because the Stroke Alert Channel is a business-to-business clinical service, enrollment is initiated by the contracting hospital or healthcare organization. An authorized hospital administrator adds clinical staff and their assigned devices (personal smartphones, shared mobile devices, and shared clinical communication devices) to the StrokePages platform under the hospital's service agreement with StrokePages.

The hospital represents to StrokePages that it has obtained any consent or acknowledgment required under its internal policies, applicable employment terms, and applicable law before enrolling staff or assigning a device to receive StrokePages stroke alerts.

3.2 Individual confirmation (Stroke Alert Channel)

Each newly enrolled mobile recipient receives an initial confirmation message that identifies StrokePages as the sender, describes the purpose of the alerts, references this policy, and explains how to opt out. The first message a recipient receives from a new short code or long code will include the disclosures required by the CTIA Messaging Principles and Best Practices and standard wireless carrier requirements, including: program name, message frequency, help instructions, opt-out instructions, and the disclosure that message and data rates may apply.

3.3 Email enrollment

Email recipients are enrolled by the hospital administrator using the recipient's professional email address. Operational and transactional emails are sent under the transactional message provisions of the CAN-SPAM Act (15 U.S.C. § 7701 et seq.). StrokePages will honor any individual request to stop receiving non-essential email even where the message qualifies as transactional.

3.4 Consent for the Customer Support Channel

Consent for SMS communications on the Customer Support Channel is established when a contact initiates a text conversation with the StrokePages business line, when a contact provides their phone number to StrokePages in a business context (such as a demo request, sales inquiry, or support request), or when a contact has an active business relationship with StrokePages. By contacting StrokePages or providing your phone number to us in a business context, you consent to receive replies and related business communications from us by SMS.

Recipients may opt out of the Customer Support Channel at any time using the methods described in Section 4.

4. Opt-Out (How to Stop Receiving Messages)

StrokePages honors opt-out requests from individual recipients at all times, on both SMS channels and for email. Opt-out is always free and does not require the recipient to log in, contact the hospital, or provide a reason.

4.1 SMS opt-out

Recipients can stop receiving SMS messages from StrokePages by replying to any StrokePages text with any of the following standard keywords:

• STOP — immediately removes the recipient's number from the StrokePages messaging program for the channel that received the STOP reply.
• END, CANCEL, UNSUBSCRIBE, QUIT — treated as equivalent to STOP, consistent with CTIA carrier requirements.

After an opt-out, StrokePages will send one final confirmation message acknowledging that no further SMS messages will be sent to that number on the affected channel, and will then cease messaging to that number on that channel.

Opt-out from one StrokePages channel does not automatically opt the recipient out of the other channel, because the two channels serve different purposes and are operated as separately registered messaging programs. A recipient who wishes to opt out of both channels can do so by replying STOP to a message on each channel, or by contacting StrokePages at info@strokepages.com.

4.2 Re-subscription

A recipient who has opted out may resume receiving StrokePages messages by replying:

• START or UNSTOP — re-enables messages from the channel on which the reply is sent.

Re-subscription to the Stroke Alert Channel may also be initiated by an authorized hospital administrator on behalf of the recipient, with the recipient's acknowledgment.

4.3 Help

Recipients can reply HELP at any time to receive program identification, support contact information, and opt-out instructions.

4.4 Email opt-out

Every StrokePages email includes an unsubscribe link or clear opt-out instructions. Recipients can also email info@strokepages.com to opt out of non-essential email communications. Opt-out requests are processed within ten (10) business days, consistent with the CAN-SPAM Act.

4.5 Patient-safety acknowledgment (Stroke Alert Channel)

Because stroke alerts can be safety-critical for stroke care, StrokePages will notify the hospital administrator when a clinical recipient assigned to an active stroke team opts out, so the hospital can reassign coverage and ensure that the on-call role remains reachable. StrokePages will never override an individual recipient's opt-out.

5. Message Frequency, Charges, and Carrier Disclosures

Stroke Alert Channel: message frequency varies and depends on stroke activation volume at the recipient's facility. Recipients should expect operational alerts and occasional system notifications only.

Customer Support Channel: message frequency varies and depends on the recipient's own activity, since this channel is conversational and primarily reply-driven.

Standard message and data rates may apply on either channel, depending on the recipient's wireless plan. StrokePages does not charge recipients for messages. Wireless carriers are not liable for delayed or undelivered messages.

6. SMS Registration and Carrier Compliance

U.S. wireless carriers require that any business sending text messages from local (10-digit) phone numbers register the business and its messaging program before messages can be delivered. This is true whether the messages are marketing, transactional, operational, or one-to-one in nature.

StrokePages maintains separately registered 10DLC messaging campaigns for each of its two SMS channels:

• Stroke Alert Channel — registered under an operational notifications use case appropriate for time-critical clinical alerts.
• Customer Support Channel — registered under a conversational customer-care use case appropriate for one-to-one business communications.

Each registration is filed with The Campaign Registry (TCR) and with the corresponding wireless carriers, and includes a description of the StrokePages use case for that channel, the method by which recipients are enrolled or how consent is obtained, the opt-in and opt-out language used, and a link to this policy.

Registered messaging campaigns are reviewed by carriers and the central registry to confirm that the messaging program is legitimate, that the sender is identifiable, and that opt-in and opt-out practices meet industry standards. Recipients can rely on the presence of these registrations as one signal that messages identified as coming from StrokePages are authentic. Unregistered or spoofed messages claiming to be from StrokePages can be reported using the instructions in Section 8 of this policy.

7. Privacy, Security, and PHI

StrokePages is built to avoid the transmission of Protected Health Information in SMS, email, push, and voice channels. Alert messages on the Stroke Alert Channel contain only non-identifiable activation metadata (such as event identifiers, role-based routing information, and timestamps), and never include patient names, dates of birth, medical record numbers, diagnostic detail, or other PHI. Messages on the Customer Support Channel are ordinary business communications and likewise do not contain PHI.

The StrokePages platform is hosted in secure U.S.-region cloud infrastructure, uses TLS encryption for data in transit and AES-256 encryption for data at rest, restricts access by IP allow-listing and role-based access control, and maintains immutable audit logs. These safeguards are documented in the StrokePages HIPAA Risk Assessment Attestation and the StrokePages Data Flow Overview, available to authorized hospital reviewers on request.

For full details, see the StrokePages HIPAA & Compliance page at /hipaa-compliance.

8. Anti-Fraud, Anti-Phishing, and Impersonation Protection

StrokePages takes active steps to protect recipients against fraudulent messages that may impersonate StrokePages, our hospital customers, or clinical leadership.

How to identify legitimate StrokePages messages

• StrokePages messages are sent from registered, carrier-approved phone numbers and from email domains controlled by StrokePages. The current authorized email domain is strokepages.com.
• Stroke Alert Channel messages clearly identify the hospital program, describe an operational stroke or system event, and include role-based routing information. They do not request credentials, payment, or personal information of any kind.
• Customer Support Channel messages are conversational in nature, sent in reply to a contact's inbound message or in connection with an active business relationship. They do not request credentials, payment, or financial information.
• StrokePages will never ask a recipient by SMS or email for a password, multi-factor authentication code, payment information, credit card number, banking detail, or Social Security Number on either channel.
• StrokePages will never ask a recipient to install software, click links to log in to third-party portals, or transfer funds.

Reporting suspicious messages

If a recipient receives a message that appears to be from StrokePages but is suspicious — for example, a stroke alert from an unfamiliar number, a customer-support message requesting credentials or payment, or any message that does not match the descriptions above — the recipient should:

• Not click any links and not reply with personal or credential information.
• Forward the suspicious SMS to 7726 (SPAM) to report it to their wireless carrier.
• Forward suspicious email, with full headers if possible, to info@strokepages.com.
• Notify their hospital IT or security team, particularly if the message references a specific patient, activation, or hospital workflow.

StrokePages investigates every report of impersonation and works with carriers, email providers, and law enforcement as needed.

9. Data Retention and Audit Logs

StrokePages retains non-identifiable activation metadata, opt-in and opt-out records, conversational message logs, and audit logs for at least one (1) year, or longer where required by applicable law or by hospital contract, to support quality review, audit, and compliance. Retention and deletion are governed by the StrokePages Data Retention Policy.

10. Legal and Regulatory Framework

This policy is designed to be consistent with applicable U.S. federal and state communications and healthcare laws and industry standards, including:

• Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227 and FCC implementing rules at 47 C.F.R. § 64.1200.
• CAN-SPAM Act, 15 U.S.C. § 7701 et seq., and FTC implementing rules.
• CTIA Messaging Principles and Best Practices, current edition, including 10DLC and short code requirements.
• The Campaign Registry (TCR) 10DLC registration requirements and corresponding wireless carrier requirements for application-to-person messaging.
• Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164. StrokePages does not transmit PHI.
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), to the extent applicable.
• Other applicable state laws governing automated messages, consent, and consumer protection.

Where any provision of this policy conflicts with an applicable law or a hospital's signed agreement with StrokePages, the more protective standard governs.

11. Changes to This Policy

StrokePages may update this policy from time to time to reflect changes in our services, in carrier or industry standards, or in applicable law. Material changes will be posted on the StrokePages website with an updated effective date. Continued use of the StrokePages platform or continued texting with the StrokePages business line after a material update constitutes acknowledgment of the updated policy.

12. Contact Information

StrokePages — a division of Upper East Care LLC

• Email: info@strokepages.com
• Website: https://www.strokepages.com
• Phone: 646.568.6566

13. Revision History

This policy is informational and does not create a contract or business associate relationship between StrokePages and any individual recipient. Hospital customer agreements govern the contractual relationship between StrokePages and the hospital.