ELEPHAS LABORATORIES PRIVACY POLICY AND NOTICE AT COLLECTION

Effective Date: January 19, 2026

Elephas Laboratories, LLC ("Elephas Labs," "us," "we," or "our"), a CLIA-certified clinical laboratory and subsidiary of Elephas Biosciences Corporation, is committed to protecting your privacy. This Privacy Policy and Notice at Collection ("Privacy Notice") describes how we may collect and use information about you ("you," "user").

This Privacy Notice applies to: the Elephas Laboratories website; the Elephas Laboratories Order Management System Portal ("Portal"); and your interactions with us in the ordinary course of business, such as communications by phone, email, or in person (collectively, the "Services").

IMPORTANT NOTICE REGARDING PROTECTED HEALTH INFORMATION: This Privacy Notice describes our general privacy practices. If you are a patient whose specimen has been submitted for testing, or a healthcare provider submitting patient information through our clinical laboratory services, please refer to our HIPAA Notice of Privacy Practices, which describes how we use, disclose, and protect protected health information ("PHI") as required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").

NOTICE AT COLLECTION

What Types of Personal Information Do We Collect?

We collect and generate different types of Personal Information depending on how you use or interact with our Services. For purposes of this Privacy Notice, "Personal Information" means information that identifies, describes, or is reasonably capable of being associated with you that we collect or generate when you use or interact with our Services. The following describe various categories and sources of Personal Information we have collected, may collect, or generate, including in the past 12 months.

Demographic and Contact Information. Information you provide to us such as your name, mailing address, email address, and telephone and fax number.

Professional Information. Information about your professional background, including your name, job title, National Provider Identifier (NPI) number, medical specialty, employer or organization, professional credentials (such as medical license number and National Provider Identifier), and business contact information.

Online or Other Account Information. Username, email address, passwords, security questions, and other information needed to permit access to the Portal or other components of our Services which require registration and/or credentials.

Webforms and Requests. Information you submit to us through online or interactive forms available within our Services, including test order forms, provider registration forms, "contact us" forms, feedback forms, and requests for information about our products and services.

Device Information. Device-specific information including Internet Protocol ("IP") address, hardware model, operating system, unique device identifiers, browser type, and mobile network information. We may also associate the information we collect from your different devices, which helps us provide consistent Services across your devices.

Log Information. Usage details of our Services, including the address (or URL) where you came from before visiting us, which pages or features you visit or utilize, search terms you enter, items you click on, time spent on pages, and audit logs of Portal activity. We may also create usage statistics and monitor the traffic from your use or interaction with our Services.

Internet Protocol (IP) Addresses. IP addresses are unique identifiers automatically assigned to each computer when logging onto the Internet. We generally collect IP address information from visitors using or interacting with the Services and we log them for system administration purposes.

Location Information. Your general location information may be collected in a variety of ways depending on how you use or interact with our Services, including from your IP address, location settings, or other location-based components of our Services.

Protected Health Information (PHI). When healthcare providers submit test orders or access patient information through the Portal, we receive PHI including patient names, dates of birth, diagnoses, specimen information, test results, and other health-related information. Our collection, use, and disclosure of PHI is governed by our HIPAA Notice of Privacy Practices and applicable law.

Clinical and Research Data. Information related to test orders, including specimen information, test requisition forms, test results, and follow-up treatment data collected as part of the Early Access Program ("EAP"). De-identified data may be used for research, quality improvement, and healthcare operations.

Business Interactions. Information derived from your business-related requests, communications, and dealings we have with you, or the company/organization you work(ed) for or are associated with, including information about products or services you expressed an interest in or purchased from us.

Tracking Technologies. Our Services may incorporate tracking technologies to provide you with certain functionalities. These tracking technologies may collect or generate Personal Information about you when you interact with us. You may adjust your preferences at any time through your Cookie Settings or individual browser settings. Our Services may incorporate the following tracking technologies:

  • Cookies: Small files that are transferred to your device's hard drive for a period of time to store user preferences and other types of information.
  • Web Beacons: Electronic images placed in the code of a webpage, application, or email that allow us to monitor things such as user activity and site traffic.
  • Tags: Pieces of code which gather information about users to better understand online usage patterns and trends.
  • Analytics Tools: We may use analytics tools such as Google Analytics to collect data about time of visit, pages visited, time spent on pages, IP address, and type of operating system.

HOW DO WE USE PERSONAL INFORMATION?

Depending on what Services you use and how you interact with us, we may use Personal Information about you in the following ways. We will generally rely on the following business purposes to collect and use Personal Information: performance of a contract, compliance with our legal obligations, pursuing our legitimate interests, consent, or protection of vital interests.

To administer and provide you with the Services. We use your information to create and administer your Portal account, authenticate your credentials, remember your preferences, process test orders, deliver test results, and provide access to our clinical laboratory services.

To manage test orders and results. We use information to process laboratory test orders, conduct testing, generate results, and deliver reports to ordering providers.

To respond to your inquiries and provide information about the Services. If you send us questions, make an inquiry or request, or ask for certain information, we may use Personal Information about you to respond to you.

To send you communications. We may use Personal Information about you to send you service-related communications, including test result notifications, account updates, clinical resources, and information about our Services.

For healthcare operations and quality assurance. We use information for quality assurance, quality improvement, and healthcare operations purposes as permitted by HIPAA and other applicable laws.

For research and development. We may use de-identified or aggregated data for research, analysis, and development of our testing services, including for the Early Access Program.

To improve the Services and user experience. We may use Personal Information to understand how users interact with our Services, personalize users' experiences, and improve the content and performance of our Services.

To comply with applicable laws and our legal obligations. We may use Personal Information to comply with applicable laws, regulations, industry codes of conduct, and our internal policies, including:

  • For compliance with applicable retention obligations;
  • For purposes of adverse event reporting, product safety, and other reporting obligations;
  • To respond to lawful requests by public authorities;
  • To investigate potential breaches; and
  • To protect our rights, property, safety, and those of our users.

Merger or Sale. If we are involved in a merger, acquisition, or sale of our assets (or a portion thereof), we may share Personal Information about you with a corporate purchaser, successor in interest, or prospect to the extent permitted by law.

Use of Non-Personally Identifiable Information. We may use non-personally identifiable information, such as anonymized and/or aggregated usage data, in any manner that does not identify individual users for the purpose of improving the operation and management of the Services, conducting internal research, and for security and compliance purposes.

DO WE SHARE PERSONAL INFORMATION WITH THIRD PARTIES?

Links to Third-Party Websites. As a resource to our users, we may provide links to other unaffiliated websites or services within our Services. If you choose to visit such third-party websites or services, please note that any information you submit to them is not subject to this Privacy Notice.

Elephas Affiliates and Subsidiaries. Elephas Labs shares Personal Information with its parent company, Elephas Biosciences Corporation, and affiliates for the purposes described in this Privacy Notice.

Service Providers. We may share Personal Information about you with third party service providers that we hire to help us administer and provide the Services to you, including IT service providers, cloud hosting providers, and business operations support. These third parties are required to treat Personal Information about you in accordance with appropriate contractual and legal privacy and security requirements.

Business Associates. For PHI, we enter into Business Associate Agreements with third parties as required by HIPAA before sharing PHI for permitted purposes.

Ordering Providers. We share test results and patient information with the ordering healthcare providers and their authorized delegates as necessary to provide our laboratory services.

Advertising and Analytics. We may engage third party service providers who utilize tracking technologies to serve advertisements and provide analytics services. Depending on where you live, we may be required to obtain your consent before we serve you with certain types of tracking.

DO WE SELL OR SHARE PERSONAL INFORMATION?

We do not sell Protected Health Information (PHI). We may disclose Personal Information (other than PHI) to a third party for a business purpose. When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.

We may "sell" or "share" (as those terms are defined under applicable state privacy laws) certain categories of Personal Information to third parties for purposes of targeted advertising or cross-contextual behavioral advertising. To opt-out of such sales or sharing, please visit our "Do Not Sell or Share My Personal Information" page or adjust your Cookie Settings.

In the preceding twelve (12) months, we have disclosed the following categories of Personal Information to the categories of third parties indicated in the chart below:

CATEGORIES OF THIRD PARTIES

Personal Information Category

Commercial or Business Purpose

Category of Third Party

Identifiers

Customer relationship management, web hosting, data storage, IT services

HubSpot, Azure, Google Analytics

Professional Information

Provider credentialing, account management, order processing

HubSpot, Azure, Google Analytics

Internet or Network Activity

Marketing, web hosting, analytics

HubSpot, Azure, Google Analytics

Geolocation Information

Marketing, web hosting

HubSpot, Azure, Google Analytics

We may also share Personal Information about you to:

  • Comply with any court order, law, or legal process, including responding to any government or regulatory request;
  • A buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Elephas Labs' assets;
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Elephas Labs, our customers, or others; and
  • Enforce or apply our Terms of Service and other agreements.

HOW DO WE SECURE AND RETAIN PERSONAL INFORMATION?

We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information and PHI, as required by HIPAA and other applicable laws. Our security program includes access controls, encryption, audit logging, and regular security assessments. For more information about Elephas's information security program, please visit our Trust Center at https://trustcenter.elephas.com. If you have any questions about the security of Personal Information about you, please contact us.

We will only store Personal Information as long as necessary to fulfill the purposes for which the information is collected and processed or, where the applicable law provides for longer storage and retention period, for the storage and retention period required by law. After that, Personal Information will be deleted, blocked, or anonymized, as provided by applicable law. In particular:

  • If you terminate your Portal account, your Personal Information will be marked for deletion except to the degree legal requirements or other prevailing legitimate purposes dictate a longer storage.
  • PHI and medical records will be retained in accordance with HIPAA and applicable state medical record retention requirements.
  • Certain transactional data may be retained under statutory commercial and tax law requirements.
  • If you withdraw your consent on which processing of your Personal Information is based, we will delete your Personal Information without undue delay to the extent that the collection and processing was based on the withdrawn consent.

DOES ELEPHAS LABS TRANSFER PERSONAL INFORMATION TO OTHER COUNTRIES?

To provide our Services, we may need to transfer and process Personal Information internationally (including to destinations outside the country in which you are located). As a result, your information may be transferred to and/or processed in countries which may not guarantee the same level of protection for Personal Information as the country in which you reside. However, we have taken appropriate safeguards to ensure that Personal Information about you will remain protected in accordance with this Notice. Further information can be provided on request: please contact us using the details found in the section "How can you Contact Elephas?"

HOW OLD DO I HAVE TO BE TO USE THE ELEPHAS LABS SERVICES?

Our website and Portal are not directed to children under the age of 13 (or 14, depending on where you reside), and we do not knowingly collect Personal Information via online Services from children under those ages. Our clinical laboratory services may process specimens from patients of all ages; however, such information is submitted by healthcare providers and is governed by our HIPAA Notice of Privacy Practices. If you think that we have collected Personal Information via an online Service from a child under those ages, please contact us as described below.

California Minors: If you are a California resident who is under age 18 and you are unable to remove publicly available content that you have submitted to us, you may request removal by contacting us at: elive@elephaslabs.com. We are not required to remove any content or information that: (1) federal or state law requires us or a third party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you don't follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the content or information.

WHAT ARE MY DATA PROTECTION CHOICES AND RIGHTS?

State consumer privacy laws may provide their residents with additional rights regarding our use of Personal Information. The following Section applies to individuals who reside in jurisdictions that provide additional privacy rights.

Your Rights and Choices

Right to Access Specific Information and Data Portability. You have the right to request that we disclose certain information to you about our collection and use of Personal Information over the past twelve (12) months, including: the categories of Personal Information we collected about you; the categories of sources for the Personal Information; our business or commercial purpose for collecting or selling that Personal Information; the categories of third parties with whom we share that Personal Information; and the specific pieces of Personal Information we collected about you.

Right to Correct Information. You have the right to request we update Personal Information about you that is incorrect in our systems. You can also review and change Personal Information about you by logging into the Portal and visiting your account profile page.

Right to Delete. You have the right to request that we delete any Personal Information about you that we collected from you and retained, subject to certain exceptions (including HIPAA and state medical record retention requirements). Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) the Personal Information from our records, unless an exception applies.

Right to Opt-out of the Sale or Sharing of Personal Information. You have the right to opt-out of the sale or sharing of your Personal Information for cross-contextual behavioral advertising. To exercise this right, visit our "Do Not Sell or Share My Personal Information" page.

Right to Limit Sensitive Personal Information Use. You have the right to limit the use of sensitive Personal Information regarding you.

Non-Discrimination. We will not discriminate against you for exercising any of your rights.

HIPAA Rights: If you are a patient or authorized representative, you may have additional rights under HIPAA, including the right to access your medical records, request amendments, and receive an accounting of disclosures. Please see our HIPAA Notice of Privacy Practices for more information.

How to Exercise These Rights. To submit a request to exercise these rights, you may use one of these methods:

  • Email: elive@elephaslabs.com
  • Phone: (608) 622-7954
  • Mail: Elephas Laboratories, LLC, Attn: Privacy Officer, 1 Erdman Place, Suite 100, Madison, WI 53717

For all requests, please clearly state that the request is related to "Your Privacy Rights," indicate which type of request you are making, and provide your name, street address, city, state, zip code, and an email address or phone number where we may contact you.

Appeals. To appeal a decision regarding a consumer rights request, please submit your appeal using one of the methods above. Your appeal should include an explanation of the reason you disagree with our decision. Within 60 days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

Only you, or a person registered with the applicable Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to Personal Information about you. You may only make such a request for access or data portability twice within a 12-month period.

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.

Opt-out Preference Signals. Our website honors Global Privacy Control ("GPC") opt-out preference signals when such signals are configured through your browser. You can get further help in configuring your browser by visiting: https://globalprivacycontrol.org/

California Shine the Light Law. California Civil Code Section 1798.83 permits users who are California residents to obtain from us once a year, free of charge, a list of third parties to whom we have disclosed Personal Information (if any) for direct marketing purposes in the preceding calendar year. If you are a California resident and you wish to make such a request, please send an email with "California Privacy Rights" in the subject line to elive@elephaslabs.com or write us at: Elephas Laboratories, LLC, Attn: Privacy Inquiries, 1 Erdman Place, Suite 100, Madison, WI 53717.

DOES THIS PRIVACY NOTICE CHANGE?

We may periodically update this Privacy Notice to describe new Services and how such Services may affect our collection and use of Personal Information. If we make material changes to this Privacy Notice, we will post a notice of the material changes on our website. If we use Personal Information about you for other purposes not specified in this Privacy Notice, we will notify you and obtain your consent, to the extent required by applicable law. We encourage you to periodically review this Privacy Notice for the latest information on our privacy practices.

HOW CAN YOU CONTACT ELEPHAS LABS?

If you have questions or concerns about this Privacy Notice, our information practices, or any other aspect of the privacy and security of Personal Information about you, please contact us using the information below.

Elephas Laboratories, LLC

CLIA #52D2333937

Attn: Privacy Officer

1 Erdman Place, Suite 100

Madison, WI 53717

United States

Email: security@elephas.com

Phone: (608) 622-7954

Ready to order?

eLIVE is currently available to licensed healthcare providers only.
Patients seeking eLIVE should contact their clinicians. 

Order online

Order via our secure, HIPAA-compliant order management system. 

Access Ordering Portal

Email or eFax

Download the order form. Complete and return via email or fax to (855) 350-1433.

Download Order Form

Contact eLIVE support with questions.

Phone: (608) 622-7954 | Email: elive@elephaslabs.com

A dedicated support team is available Monday through Friday from 8 a.m. to 6 p.m. central time.  

References: 1.  T.S. Ramasubramanian, et al. Pichet Adstamongkonkul, Christina M. Scribano et al. A live tumor fragment platform to assess immunotherapy response in core needle biopsies while addressing challenges of tumor heterogeneity bioRxiv 2025.07.18.663728; doi: https://doi.org/10.1101/2025.07.18.663728   2.  Voabil P, de Bruijn M, Roelofsen LM, et al. An ex vivo tumor fragment platform to dissect response to PD-1 blockade in cancer. Nature medicine. 2021;27(7):1250-1261. doi:10.1038/s41591-021-01398-3