Privacy Policy
Effective Date: August 27, 2025
Last Updated: August 27, 2025
ARTICLE I. SCOPE, APPLICATION, AND DEFINITIONS
Section 1.01 Scope and Territorial Application
This Privacy Policy and Data Protection Statement (this "Privacy Policy") governs the collection, processing, use, disclosure, retention, and protection of Personal Data by Assivo, Inc., an Illinois corporation ("Assivo," "we," "us," or "our"), in connection with our global business operations, service delivery platforms, and digital infrastructure.
This Privacy Policy applies worldwide to all Assivo entities, subsidiaries, and controlled affiliates, and governs our data processing practices across all jurisdictions where we maintain operations or process Personal Data, including without limitation the United States, Mexico, and India.
Section 1.02 Definitions and Interpretation
For purposes of this Privacy Policy, the following capitalized terms shall have the meanings set forth below:
(a) "Applicable Data Protection Laws" means all laws, regulations, directives, and binding regulatory guidance relating to the processing of Personal Data that are applicable to the circumstances, including without limitation the EU General Data Protection Regulation 2016/679 and its UK equivalent, the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Health Insurance Portability and Accountability Act, and any successor or amended versions thereof.
(b) "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing Personal Data.
(c) "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
(d) "Personal Data" means any information relating to an identified or identifiable natural person, including without limitation name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
(e) "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(f) "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of a Controller.
Section 1.03 Controller and Processor Determinations
(a) Controller Capacity. Assivo acts as a Data Controller when we determine the purposes and means of Personal Data processing in connection with our business operations, client relationship management, marketing activities, and internal service delivery optimization.
(b) Processor Capacity. Assivo may act as a Data Processor when processing Personal Data on behalf of clients pursuant to their documented instructions and the terms of applicable service agreements, data processing addenda, or similar contractual arrangements.
ARTICLE II. LAWFUL BASIS AND PROCESSING PRINCIPLES
Section 2.01 Lawful Basis for Processing Activities
Assivo processes Personal Data only where we have established a valid lawful basis under Applicable Data Protection Laws, including without limitation:
(a) Consent: Where Data Subjects have provided specific, informed, unambiguous, and freely given consent to the processing of their Personal Data for one or more specified purposes;
(b) Contract Performance: Where processing is necessary for the performance of a contract to which the Data Subject is party, or for the implementation of pre-contractual measures taken at the Data Subject's request;
(c) Legal Obligation: Where processing is necessary for compliance with a legal obligation to which Assivo is subject under applicable law;
(d) Vital Interests: Where processing is necessary to protect the vital interests of the Data Subject or another natural person;
(e) Public Task: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Assivo; or
(f) Legitimate Interests: Where processing is necessary for the purposes of legitimate interests pursued by Assivo or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
Section 2.02 Data Processing Principles
All Personal Data processing activities conducted by Assivo are governed by and conducted in strict accordance with the following fundamental principles:
(a) Lawfulness, Fairness, and Transparency: Processing is conducted in a lawful, fair, and transparent manner in relation to the Data Subject;
(b) Purpose Limitation: Personal Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
(c) Data Minimization: Processing is adequate, relevant, and limited to what is necessary in relation to the purposes for which the Personal Data is processed;
(d) Accuracy: Personal Data is accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that Personal Data that is inaccurate is erased or rectified without delay;
(e) Storage Limitation: Personal Data is kept in a form that permits identification of Data Subjects for no longer than necessary for the purposes for which the Personal Data is processed;
(f) Integrity and Confidentiality: Personal Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures; and
(g) Accountability: Assivo is responsible for and able to demonstrate compliance with the foregoing principles through appropriate policies, procedures, and technical and organizational measures.
ARTICLE III. CATEGORIES OF PERSONAL DATA AND COLLECTION METHODS
Section 3.01 Personal Data Categories and Sources
We collect and process the following categories of Personal Data through various legitimate business channels:
3.01.1 Professional Identity and Contact Information
- Data Elements: Full name, professional title, business designation, company affiliation, industry sector, organizational hierarchy position
- Contact Details: Business email addresses, direct telephone numbers, business addresses, professional social media profiles
- Professional Credentials: Certifications, qualifications, educational background, professional memberships, areas of expertise
- Collection Purpose: Business relationship development, service delivery, professional communications
3.01.2 Commercial and Transactional Data
- Relationship History: Duration of business relationship, engagement timeline, interaction frequency, relationship status
- Service Information: Service requirements, project specifications, technical requirements, performance preferences
- Commercial Terms: Pricing discussions, contract negotiations, commercial preferences, procurement criteria
- Performance Data: Service satisfaction metrics, feedback evaluations, performance assessments, quality indicators
3.01.3 Communication and Interaction Records
- Direct Communications: Email correspondence, meeting transcripts, call summaries, written communications
- Service Interactions: Support requests, technical consultations, service inquiries, escalation records
- Marketing Engagement: Campaign responses, event participation, content engagement, preference indicators
- Digital Interactions: Website navigation patterns, content consumption, system usage analytics, engagement metrics
3.01.4 Technical and System Information
- Network Data: IP addresses, device identifiers, network configurations, connection parameters
- Device Information: Browser types and versions, operating systems, hardware specifications, software configurations
- Usage Analytics: Access logs, session information, feature utilization, system performance metrics
- Security Data: Authentication records, access controls, security events, compliance monitoring data
Section 3.02 Data Collection Methods and Sources
Personal Data is collected through the following methods and from the following categories of sources:
(a) Direct Collection from Data Subjects: Information provided voluntarily through business interactions, formal communications, service requests, account registrations, and authorized data submission processes;
(b) Automated Digital Collection: Technical data collected automatically through website analytics, system logs, performance monitoring tools, and authorized tracking technologies deployed in accordance with applicable cookie and privacy laws;
(c) Authorized Third-Party Sources: Information obtained from legitimate business sources including industry directories, professional networks, public databases, business intelligence platforms, and authorized integration partners operating under appropriate data sharing agreements; and
(d) Service Integration Platforms: Data collected through authorized connections with third-party business applications, API integrations, and cloud-based service platforms where Data Subjects have provided appropriate consent or authorization.
ARTICLE IV. PURPOSES AND LEGAL BASES FOR PROCESSING
Section 4.01 Primary Business Processing Activities
4.01.1 Service Delivery and Client Relationship Management
- Processing Purpose: Delivering contracted services, managing ongoing client relationships, fulfilling contractual obligations, and maintaining service level agreements
- Legal Basis: Contract performance, legitimate business interests
- Data Categories Processed: Professional identity data, commercial information, communication records, performance metrics
- Retention Period: Duration of active business relationship plus seven (7) years for commercial records
4.01.2 Quality Assurance and Performance Optimization
- Processing Purpose: Monitoring service quality, conducting performance assessments, implementing continuous improvement initiatives, and optimizing service delivery methodologies
- Legal Basis: Legitimate business interests, contract performance
- Data Categories Processed: Performance data, interaction records, feedback evaluations, technical metrics
- Retention Period: Three (3) years from completion of relevant service engagement
4.01.3 Business Development and Relationship Enhancement
- Processing Purpose: Developing new business relationships, identifying service opportunities, conducting market research, and providing industry insights and thought leadership
- Legal Basis: Legitimate business interests, consent for direct marketing communications
- Data Categories Processed: Professional contact information, business development interactions, engagement preferences, market research data
- Retention Period: Until consent withdrawal or legitimate interest cessation, subject to applicable statutory limitations
Section 4.02 Compliance and Risk Management Processing
4.02.1 Legal and Regulatory Compliance
- Processing Purpose: Complying with applicable laws, regulations, and industry standards, responding to legal process, and fulfilling regulatory reporting obligations
- Legal Basis: Legal obligation, legitimate interests
- Data Categories Processed: All categories as necessary to meet specific compliance requirements
- Retention Period: As required by applicable legal and regulatory retention requirements
4.02.2 Security and Risk Management
- Processing Purpose: Implementing cybersecurity measures, conducting risk assessments, preventing fraud and unauthorized access, and maintaining business continuity
- Legal Basis: Legitimate interests, legal obligation
- Data Categories Processed: Technical system data, communication records, security monitoring information, access logs
- Retention Period: Security logs retained for two (2) years, incident records retained for seven (7) years
ARTICLE V. DISCLOSURE AND INTERNATIONAL TRANSFERS
Section 5.01 Categories of Personal Data Recipients
5.01.1 Authorized Service Providers and Processors
We may disclose Personal Data to the following categories of carefully vetted service providers operating under strict contractual data protection obligations:
- Cloud infrastructure and hosting providers maintaining industry-standard security certifications
- Professional services organizations including legal counsel, accounting firms, and specialized consulting providers
- Technology vendors providing software solutions, analytics platforms, and technical support services
- All such disclosures are governed by comprehensive data processing agreements ensuring appropriate protection levels
5.01.2 Legal and Regulatory Authorities
Personal Data may be disclosed to governmental authorities and regulatory bodies solely as required by applicable law:
- Regulatory agencies in response to lawful information requests within their jurisdiction
- Law enforcement authorities pursuant to valid legal process including subpoenas, court orders, and search warrants
- Courts and administrative tribunals in connection with legal proceedings where disclosure is legally mandated
- Such disclosures are limited to the minimum necessary to satisfy legal requirements and include appropriate procedural safeguards
5.01.3 Corporate Transaction Recipients
In connection with potential or actual corporate transactions, Personal Data may be disclosed to:
- Prospective acquirers, merger partners, or asset purchasers conducting due diligence activities
- Investment banks, legal advisors, and other professional service providers facilitating transaction processes
- All such transfers are subject to comprehensive confidentiality protections and regulatory compliance requirements
Section 5.02 International Transfer Mechanisms and Safeguards
5.02.1 Cross-Border Processing Framework
As a global organization maintaining operations in Chicago, Mexico City, Mumbai, and Chennai, we regularly transfer Personal Data across international borders to our global workforce and to authorized service providers in various jurisdictions worldwide.
5.02.2 Transfer Protection Mechanisms
All international Personal Data transfers are protected through one or more of the following legally recognized safeguards:
(a) Adequacy Decisions: Transfers to countries that have been formally recognized by competent data protection authorities as providing an adequate level of protection for Personal Data;
(b) Standard Contractual Clauses: Implementation of standard contractual clauses approved by the European Commission, UK Information Commissioner's Office, or other relevant supervisory authorities;
(c) Binding Corporate Rules: Internal data protection policies approved by relevant supervisory authorities governing intra-corporate data transfers;
(d) Certification Mechanisms: Adherence to approved certification programs and codes of conduct recognized under applicable data protection frameworks;
(e) Specific Derogations: Reliance on specific situation derogations provided under applicable data protection laws where other transfer mechanisms are unavailable and transfers are necessary for legitimate purposes.
ARTICLE VI. DATA RETENTION AND SECURE DELETION
Section 6.01 Retention Principles and Governance Framework
Personal Data retention is governed by a comprehensive framework incorporating the following core principles:
(a) Necessity Principle: Personal Data is retained only for as long as necessary to fulfill the specific purposes for which it was originally collected and processed;
(b) Legal Compliance: Retention periods are determined based on applicable legal requirements, regulatory obligations, and legitimate business needs;
(c) Regular Review: Systematic and periodic reviews ensure continued justification for retention and identify data eligible for secure deletion;
(d) Automated Management: Where technically feasible, automated systems facilitate consistent application of retention policies and secure deletion procedures.
Section 6.02 Category-Specific Retention Schedules
6.02.1 Business Relationship and Commercial Data
- Active Client Data: Retained throughout the duration of active business relationships plus seven (7) years following relationship termination to satisfy commercial law requirements and potential legal claims
- Prospect and Lead Data: Retained for three (3) years from last meaningful interaction unless consent is withdrawn earlier
- Contract and Commercial Records: Retained in accordance with applicable commercial law statute of limitations periods, typically seven (7) to ten (10) years
6.02.2 Marketing and Communication Data
- Email Marketing Lists: Retained until explicit consent withdrawal plus ninety (90) days for processing opt-out requests
- Website Analytics: Retained for twenty-four (24) months unless longer retention is justified by legitimate business interests
- Communication Records: Business communications retained for seven (7) years; general inquiries and non-commercial communications retained for two (2) years
6.02.3 Technical and Security Data
- System Access Logs: Retained for two (2) years for security monitoring and incident response purposes
- Security Incident Records: Retained for seven (7) years to support potential legal proceedings and regulatory requirements
- Performance and Analytics Data: Retained for three (3) years to support service optimization and trend analysis
Section 6.03 Secure Deletion and Data Destruction Procedures
(a) Automated Deletion Systems: Technical infrastructure implements automated secure deletion upon expiration of applicable retention periods using cryptographically secure methods;
(b) Manual Review Processes: Complex retention scenarios undergo manual review by qualified data protection personnel to ensure appropriate handling and compliance with all applicable requirements;
(c) Anonymization Procedures: Where permissible and technically feasible, Personal Data is anonymized using industry-standard techniques rather than deleted to preserve legitimate business analytics value while eliminating personal identification risks;
(d) Physical Destruction Protocols: Electronic storage media containing Personal Data is destroyed using certified data destruction services meeting recognized industry standards, with certificates of destruction maintained for audit purposes.
ARTICLE VII. DATA SUBJECT RIGHTS AND EXERCISE PROCEDURES
Section 7.01 Comprehensive Data Subject Rights Framework
Data Subjects have the following rights under Applicable Data Protection Laws, subject to applicable legal limitations, exceptions, and balancing with other legitimate interests:
7.01.1 Right of Access and Information (GDPR Article 15)
Data Subjects may request confirmation of Personal Data processing activities and obtain access to their Personal Data, including comprehensive information about processing purposes, data categories, recipients, retention periods, sources of data, and the existence of automated decision-making processes.
7.01.2 Right to Rectification and Completion (GDPR Article 16)
Data Subjects may request prompt correction of inaccurate Personal Data and completion of incomplete Personal Data, including through provision of supplementary statements where appropriate.
7.01.3 Right to Erasure and "Right to be Forgotten" (GDPR Article 17)
Data Subjects may request deletion of Personal Data where specific legal conditions are satisfied, including withdrawal of consent, fulfillment of processing purposes, unlawful processing, or satisfaction of legal obligations for erasure.
7.01.4 Right to Restriction of Processing (GDPR Article 18)
Data Subjects may request limitation of processing activities where specific conditions are met, including accuracy disputes, unlawful processing objections, or pending verification of overriding legitimate grounds.
7.01.5 Right to Data Portability (GDPR Article 20)
Data Subjects may request receipt of Personal Data in a structured, commonly used, and machine-readable format and transmission of such data to another controller where technically feasible and legally permissible.
7.01.6 Right to Object to Processing (GDPR Article 21)
Data Subjects may object to processing based on legitimate interests or performance of public tasks, and have an absolute right to object to direct marketing processing.
7.01.7 Rights Related to Automated Decision-Making and Profiling (GDPR Article 22)
Data Subjects have specific rights regarding automated decision-making, including profiling, that produces legal effects or similarly significantly affects the individual.
Section 7.02 Rights Exercise Procedures and Response Framework
7.02.1 Request Submission and Authentication
Data Subject rights requests may be submitted through multiple channels:
- Primary Channel: Direct submission to privacy@assivo.com with clear identification of requested rights and supporting information
- Alternative Channels: Submission through existing client service representatives, general counsel contacts, or designated regional coordinators
- Authentication Requirements: Reasonable identity verification measures may be required to prevent unauthorized access and protect Personal Data security
7.02.2 Response Timelines and Communication Standards
(a) Initial Acknowledgment: All requests receive written acknowledgment within seventy-two (72) hours of receipt, including reference number and expected response timeline;
(b) Substantive Response Period: Complete responses provided within one (1) month of receipt, with possible extension to three (3) months for complex requests involving extensive searches or multiple systems;
(c) Information Provision: Clear, comprehensive explanations of actions taken or detailed reasons for any request refusals, including information about appeal procedures and supervisory authority complaint rights;
(d) Complex Request Management: Multi-faceted requests are handled systematically with interim progress updates and clear communication about different elements and timelines.
ARTICLE VIII. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Section 8.01 Information Security Management System
8.01.1 Security Governance and Oversight
Our comprehensive information security management system includes:
- Executive Accountability: Technology Officer serves as executive sponsor for information security strategy, implementation, and performance
- AI & Technology Committee: Cross-functional governance body providing strategic oversight, risk assessment, and policy development
- Professional Security Management: Dedicated information security professionals responsible for day-to-day security operations, incident response, and compliance monitoring
- Regular Assessment and Audit: Systematic internal audits, third-party security assessments, and continuous monitoring programs
8.01.2 Security Standards and Framework Alignment
Our security program is designed to meet or exceed recognized industry standards and incorporates principles from:
- ISO/IEC 27001 Information Security Management Systems frameworks and methodologies
- SOC 2 Type II security, availability, and confidentiality control objectives and benchmarks
- Industry-specific security frameworks applicable to our service offerings and client requirements
- Regular third-party security assessments, penetration testing, and vulnerability management programs aligned with industry best practices
Section 8.02 Technical Security Controls and Safeguards
8.02.1 Data Protection and Encryption
(a) Encryption Standards: Implementation of Advanced Encryption Standard (AES-256) or equivalent cryptographic protection for Personal Data at rest and in transit;
(b) Access Control Systems: Multi-factor authentication, role-based access controls, privileged access management, and principle of least privilege enforcement;
(c) Network Security Architecture: Layered firewall protection, intrusion detection and prevention systems, network segmentation, and secure communication protocols;
(d) Endpoint Protection: Anti-malware solutions, device encryption, mobile device management, and endpoint detection and response capabilities;
(e) Continuous Monitoring: Real-time security monitoring, logging and analysis, anomaly detection, and automated threat response systems.
8.02.2 Organizational Security Measures and Controls
(a) Personnel Security: Comprehensive background verification processes, confidentiality agreements, regular security awareness training, and role-specific security education programs;
(b) Physical Security: Secure facility access controls, environmental monitoring, equipment protection, and visitor management systems;
(c) Vendor Security Management: Third-party security assessments, contractual security requirements, ongoing monitoring programs, and supply chain security controls;
(d) Business Continuity: Disaster recovery procedures, data backup systems, incident response plans, and service continuity management.
ARTICLE IX. BREACH NOTIFICATION AND INCIDENT RESPONSE
Section 9.01 Personal Data Breach Response Framework
9.01.1 Incident Classification and Assessment
Personal Data breaches are systematically classified and assessed based on:
(a) Risk Level: Evaluation of likelihood and severity of adverse consequences to Data Subject rights, freedoms, and legitimate interests;
(b) Scope and Scale: Assessment of the number of affected individuals, categories of Personal Data involved, and geographic impact;
(c) Root Cause Analysis: Investigation of underlying causes, system vulnerabilities, and contributing factors;
(d) Containment Assessment: Evaluation of implemented safeguards, containment measures, and residual risks.
9.01.2 Immediate Response and Containment Procedures
(a) Rapid Response Team Activation: Immediate activation of designated incident response personnel with clearly defined roles and responsibilities;
(b) Containment and Mitigation: Swift action to contain the breach, prevent further unauthorized access, and minimize potential harm to affected individuals;
(c) Forensic Investigation: Comprehensive technical and procedural investigation to determine breach scope, affected data categories, and potential impact;
(d) Evidence Preservation: Systematic preservation of digital evidence, system logs, and related documentation for regulatory reporting and potential legal proceedings.
Section 9.02 Regulatory and Individual Notification Obligations
9.02.1 Supervisory Authority Notification Requirements
Where required by Applicable Data Protection Laws:
(a) Notification Timeline: Submission of initial breach notification to relevant supervisory authorities within seventy-two (72) hours of becoming aware of qualifying Personal Data breaches;
(b) Notification Content: Comprehensive description of breach nature, affected data categories and approximate numbers, likely consequences, and remedial measures taken or planned;
(c) Follow-up Information: Provision of additional information as investigation progresses and more details become available;
(d) Documentation Maintenance: Comprehensive record-keeping of all Personal Data breaches for supervisory authority review and audit purposes.
9.02.2 Data Subject Notification Procedures
(a) Risk Threshold Assessment: Notification to affected Data Subjects required where breach is likely to result in high risk to rights and freedoms;
(b) Communication Timeline: Notification without undue delay after determining that individual notification is necessary and appropriate;
(c) Communication Content: Clear and plain language description of breach nature, likely consequences, and recommended protective measures individuals may take;
(d) Communication Methods: Direct individual communication preferred; public communication utilized only where direct contact is disproportionately difficult or impossible.
ARTICLE X. COOKIES AND ONLINE TRACKING TECHNOLOGIES
Section 10.01 Cookie Policy Framework and Legal Basis
This section describes our use of cookies, web beacons, and similar online tracking technologies on our digital platforms, implemented in compliance with applicable privacy and electronic communications laws.
10.01.1 Cookie Categories and Processing Purposes
(a) Strictly Necessary Cookies: Essential cookies required for website operation, security authentication, and core functionality delivery - these cookies are deployed based on legitimate interests and technical necessity;
(b) Performance and Analytics Cookies: Cookies that collect aggregated information about website usage, performance metrics, and user navigation patterns for website optimization and service improvement purposes;
(c) Functional Enhancement Cookies: Cookies that enable enhanced website functionality, personalization features, and improved user experience based on previous visits and preferences;
(d) Marketing and Advertising Cookies: Cookies used for targeted advertising delivery, marketing campaign effectiveness measurement, and personalized content presentation across digital platforms.
10.01.2 Consent Management and User Control
(a) Granular Consent Mechanisms: Implementation of sophisticated consent management platforms enabling category-specific consent choices for non-essential cookies;
(b) Clear Information Provision: Comprehensive information about cookie purposes, data collected, retention periods, and third-party sharing arrangements;
(c) Easy Withdrawal Options: User-friendly mechanisms for consent withdrawal and preference management accessible at any time;
(d) Technical Implementation: Respect for Do Not Track signals and other user preference indicators where technically feasible and legally required.
ARTICLE XI. JURISDICTION-SPECIFIC PROVISIONS
Section 11.01 European Union and United Kingdom Compliance
11.01.1 GDPR and UK GDPR Implementation
For EU and UK Data Subjects, additional enhanced rights and protections include:
(a) Enhanced Transparency: Detailed information about legal bases, legitimate interests assessments, and balancing tests conducted;
(b) Complete Rights Portfolio: Full implementation of all GDPR rights including data portability, automated decision-making protections, and supervisory authority complaint rights;
(c) Supervisory Authority Cooperation: Proactive cooperation with data protection authorities and participation in regulatory guidance development;
(d) EU Representative Designation: Appointment of EU representative where required by applicable law for cross-border processing activities.
Section 11.02 California Consumer Privacy Act Compliance
11.02.1 Enhanced California Consumer Rights
California residents benefit from specific enhanced rights under the California Consumer Privacy Act and California Privacy Rights Act:
(a) Right to Know: Detailed disclosure of Personal Information collection, use, sharing, and sale practices with category-specific information;
(b) Right to Delete: Comprehensive deletion rights subject to enumerated business and legal exceptions;
(c) Right to Opt-Out: Explicit opt-out mechanisms for Personal Information sales, though Assivo does not engage in Personal Information sales as defined under California law;
(d) Non-Discrimination Protection: Robust protections against discriminatory treatment for exercising CCPA rights;
(e) Authorized Agent Rights: Recognition of authorized agent submissions with appropriate verification procedures.
Section 11.03 HIPAA Compliance Framework
Where applicable to healthcare-related services, protected health information processing complies with comprehensive HIPAA requirements:
(a) Business Associate Obligations: Full compliance with HIPAA Business Associate requirements including appropriate contractual protections;
(b) Minimum Necessary Standard: Implementation of minimum necessary principles limiting protected health information use and disclosure;
(c) Administrative, Physical, and Technical Safeguards: Comprehensive safeguards implementation meeting or exceeding HIPAA Security Rule requirements;
(d) Individual Rights Recognition: Full recognition and implementation of individual rights regarding protected health information under HIPAA Privacy Rule.
ARTICLE XII. THIRD-PARTY PLATFORMS AND EXTERNAL LINKS
Section 12.01 Third-Party Website and Service Disclaimer
Our digital platforms may contain hyperlinks to third-party websites, services, and platforms operated by independent organizations. This Privacy Policy does not apply to such external platforms, and Assivo assumes no responsibility for the privacy practices, data collection activities, or content accuracy of third-party services. We strongly encourage Data Subjects to carefully review the privacy policies and terms of service of any third-party platforms before providing Personal Data or engaging with such services.
Section 12.02 Social Media and External Platform Interactions
Interactions with our corporate presence on social media platforms, professional networks, and other external services are governed by the respective platform's privacy policies, terms of service, and data processing practices. Such interactions may be subject to different privacy protections and data subject rights than those provided under this Privacy Policy.
ARTICLE XIII. PRIVACY POLICY UPDATES AND CHANGE MANAGEMENT
Section 13.01 Policy Modification Procedures and Communication
(a) Regular Review Schedule: This Privacy Policy undergoes systematic review on an annual basis and is updated as necessary to reflect changes in business practices, legal requirements, or regulatory guidance;
(b) Material Change Communication: Significant changes affecting Data Subject rights or processing practices are communicated through prominent website notices and direct communication to affected individuals where appropriate and technically feasible;
(c) Effective Date Management: Policy changes become effective thirty (30) days following notification unless immediate implementation is required by applicable law or urgent security considerations;
(d) Continued Processing Consent: Continued use of our services following policy updates constitutes acceptance of revised privacy practices, with explicit opt-in consent obtained for material expansions of processing purposes or data categories.
ARTICLE XIV. CONTACT INFORMATION AND DATA PROTECTION GOVERNANCE
Section 14.01 Privacy Inquiries and Data Subject Rights Requests
For all privacy-related inquiries, Data Subject rights requests, or concerns regarding our data processing practices:
Assivo, Inc.
Attention: General Counsel - Privacy Officer
444 West Lake Street, Suite 1700
Chicago, Illinois 60606
Telephone: (312) 416-8649
Email: privacy@assivo.com
Section 14.02 Supervisory Authority Contact Information
EU and UK Data Subjects have the right to lodge complaints with relevant supervisory authorities:
- European Union: Contact information for all EU supervisory authorities available at https://edpb.europa.eu/about-edpb/members_en
- United Kingdom: Information Commissioner's Office contact information available at https://ico.org.uk/
Section 14.03 Response Commitment and Service Standards
We are committed to providing prompt, professional responses to all privacy inquiries and rights requests. Initial acknowledgment is provided within seventy-two (72) hours, with substantive responses delivered within the timeframes mandated by Applicable Data Protection Laws and consistent with our commitment to privacy excellence and Data Subject service.
This Privacy Policy represents our comprehensive commitment to data protection excellence and transparent privacy practices. It should be interpreted in conjunction with our Terms and Conditions, applicable service agreements, and other relevant contractual documentation governing our business relationships.
© 2025 Assivo, Inc. All rights reserved.