Privacy Policy

1. Introduction

Houston IT Developers LLC, a Texas limited liability company ("Company," "we," "us," or "our"), operates the VisitNote AI mobile application and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you access or use the Service from anywhere in the world.

We are committed to protecting the privacy, confidentiality, and security of your personal information and any Protected Health Information ("PHI") you create or store using the Service. This Privacy Policy is designed to comply with applicable data protection laws worldwide, including but not limited to the U.S. Health Insurance Portability and Accountability Act ("HIPAA"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the European Union General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Brazilian General Data Protection Law ("LGPD"), the Australian Privacy Act 1988, and the South African Protection of Personal Information Act ("POPIA").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you must discontinue use of the Service immediately.

2. Definitions

For the purposes of this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, phone number, IP address, device identifiers, location data, and professional credentials.
• "Protected Health Information" or "PHI" means individually identifiable health information created, received, maintained, or transmitted in connection with the provision of healthcare, as defined under HIPAA.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• "Data Controller" means the entity that determines the purposes and means of Processing Personal Data. For Personal Data you provide directly to us, we act as the Data Controller. For Clinical Data you create using the Service, you (or your organization) act as the Data Controller, and we act as a Data Processor.
• "Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller.
• "Sub-Processor" means a third party engaged by us to Process Personal Data on our behalf.
• "Clinical Data" means patient information, visit documentation, SOAP notes, vital signs, medications, care plans, audio recordings, and any other healthcare-related information you create or store using the Service.
• "Data Subject" means the individual to whom Personal Data relates.

3. Information We Collect

3.1 Account Information

When you register for an account, we collect your first and last name, email address, phone number, mailing address, and professional credentials (license type, license number, discipline, NPI number where applicable). If you use social sign-in (Google or Apple), we receive your name and email address from the identity provider. We do not receive or store your social sign-in password.

3.2 Clinical Data

The Service allows you to create and store clinical visit documentation including patient demographics, SOAP notes (Subjective, Objective, Assessment, Plan), vital signs, medications, skilled interventions, care plans, and digital signatures. This Clinical Data is created by you in your capacity as a licensed healthcare professional and is stored on your behalf. You are the Data Controller of all Clinical Data you create.

3.3 Audio Recordings

With your explicit permission (via device microphone access), the Service records audio during clinical visits for the purpose of generating AI-assisted documentation. Audio files are encrypted in transit and at rest. Audio recording occurs only when you actively initiate a recording session and can be stopped at any time.

3.4 Location Data

With your explicit permission (via device location access), the Service collects precise GPS coordinates during active visits for time-and-attendance verification and mileage calculation. Location data is collected only while the visit timer is actively running and is associated with the specific visit record. We do not collect background location data or track your location outside of active visit sessions.

3.5 Device and Technical Information

We automatically collect device identifiers for push notification delivery (Firebase Cloud Messaging token), device type and model, operating system and version, app version, IP address, and time-zone setting. This information is used for service delivery, troubleshooting, and security purposes.

3.6 Usage Data

We collect anonymized and aggregated usage data including feature usage patterns, session duration, app performance metrics, crash reports, and error logs. This data does not identify you personally and is used solely to improve the Service.

3.7 Payment Information

Subscription payments are processed entirely by the Apple App Store or Google Play Store. We do not collect, process, or store your credit card number, bank account information, or other financial payment instrument details. We receive only a transaction confirmation and subscription status from the respective app store.

3.8 Communications

If you contact us for support or other purposes, we collect the content of your communications, your email address, and any information you voluntarily provide.

4. Legal Bases for Processing (GDPR, UK GDPR, and Equivalent Laws)

Where applicable data protection law requires a legal basis for Processing your Personal Data, we rely on the following:

• Performance of a Contract (Art. 6(1)(b) GDPR): Processing necessary to provide the Service under our Terms of Service, including account management, clinical documentation features, visit tracking, and subscription management.
• Consent (Art. 6(1)(a) GDPR): Processing based on your freely given, specific, informed, and unambiguous consent, including audio recording, GPS tracking during visits, push notifications, and marketing communications. You may withdraw consent at any time without affecting the lawfulness of Processing performed prior to withdrawal.
• Legitimate Interests (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. This includes security monitoring, fraud prevention, service improvement, analytics, and enforcement of our Terms.
• Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with applicable laws, regulations, court orders, or other legal processes, including healthcare record retention requirements, tax obligations, and regulatory reporting.
• Vital Interests (Art. 6(1)(d) GDPR): In rare circumstances, Processing necessary to protect the vital interests of a Data Subject or another natural person.

For special categories of Personal Data (e.g., health data), we rely on explicit consent (Art. 9(2)(a) GDPR) or the fact that Processing is necessary for the provision of health or social care (Art. 9(2)(h) GDPR), as applicable.

5. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide, operate, and maintain the Service, including processing and storing your clinical documentation, generating AI-assisted SOAP notes from audio recordings, tracking visit times and GPS coordinates, facilitating secure messaging, managing patient records, and processing subscription transactions.
• Account Management: To create and manage your account, verify your identity and professional credentials, authenticate your access, and process account changes.
• Organization Features: To facilitate organization membership, team collaboration, data sharing with authorized organization administrators, and organization-managed billing.
• Communication: To send you service-related communications including visit reminders, push notifications, messages from team members, credential expiration alerts, and subscription status updates.
• Service Improvement: To analyze usage patterns, diagnose technical issues, optimize performance, and develop new features.
• Security and Fraud Prevention: To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity, and to protect the security and integrity of the Service.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, including healthcare record retention requirements.
• Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.

We will not use your Personal Data for purposes materially different from those described in this Privacy Policy without providing you with prior notice and, where required, obtaining your consent.

6. AI-Powered Processing and Automated Decision-Making

6.1 How AI Processing Works

The Service uses artificial intelligence and machine learning technologies to transcribe audio recordings and generate structured SOAP notes (Subjective, Objective, Assessment, Plan). When you record a clinical visit, your audio is transmitted securely to our AI processing pipeline, which produces a structured documentation draft. Each section includes a confidence score indicating the AI's certainty level.

6.2 Human Oversight

AI-generated content is always presented as a draft for your review. You must review, edit, and approve all AI-generated documentation before signing or submitting it. No clinical decisions are made by the AI — all final documentation decisions rest with you as the licensed healthcare professional. The Service does not engage in fully automated decision-making that produces legal or similarly significant effects on individuals without human intervention.

6.3 AI Sub-Processors

Audio transcription and note generation may be performed by third-party AI model providers acting as Sub-Processors under contractual obligations to protect the confidentiality and security of your data. These providers are prohibited from using your data for their own training purposes or any purpose other than providing the contracted service. A list of current Sub-Processors is available upon request.

6.4 Right to Object (GDPR Art. 22)

If you are located in the EU/EEA or UK, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. As our AI features require your active initiation and human review before any documentation is finalized, they do not constitute solely automated decision-making. If you have concerns, you may contact us at sales@houstonitd.com.

7. Data Storage and Security

7.1 Local Storage (On-Device)

The Service uses an offline-first architecture. Your data is stored locally on your device in a SQLite database encrypted with AES-256 via SQLCipher and synchronized to our servers when an internet connection is available. This ensures uninterrupted access regardless of connectivity.

Authentication credentials are stored using platform-native secure storage mechanisms — iOS Keychain and Android EncryptedSharedPreferences — rather than in plain text. Database encryption keys are likewise stored in platform secure storage, inaccessible to other applications. All locally stored Protected Health Information (PHI), including clinical notes, patient records, visit data, transcripts, and audio file references, is encrypted at rest on the device.

7.2 Server-Side Storage

Server-side data is hosted on secure, access-controlled infrastructure located in the United States. Data at rest is encrypted using AES-256 encryption. Audio files are stored in Amazon Web Services (AWS) S3 with server-side encryption (SSE-S3/SSE-KMS). Database backups are encrypted and stored in geographically separate locations.

7.3 Data in Transit

All data transmissions between the Service and our servers use TLS 1.2 or higher encryption. API communications are authenticated using JSON Web Tokens (JWT) with secure token storage on-device. Real-time messaging is encrypted via secure WebSocket connections.

7.4 Access Controls

Access to production systems and Personal Data is restricted to authorized personnel on a need-to-know basis. We employ role-based access controls, multi-factor authentication for administrative access, and audit logging of all data access events. Passwords are hashed using industry-standard cryptographic algorithms (bcrypt) and are never stored in plain text.

A full local data wipe is performed when you log out or delete your account. This permanently removes all locally stored data from your device, including database contents, cached records, audio files, and authentication credentials.

7.5 Security Testing and Monitoring

We conduct regular security assessments, vulnerability scanning, and code reviews. We monitor our systems for unauthorized access attempts, anomalous activity, and security incidents on an ongoing basis.

7.6 Incident Response

We maintain a documented incident response plan that includes procedures for identifying, containing, investigating, and remediating security incidents. In the event of a data breach, we will notify affected users and relevant authorities in accordance with applicable law (see Section 18).

8. HIPAA Compliance

8.1 Safeguards

We implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect electronic Protected Health Information (ePHI). These safeguards include access controls, audit controls, integrity controls, transmission security, and workforce training.

8.2 Business Associate Agreement

If you are a HIPAA Covered Entity or Business Associate, we will enter into a Business Associate Agreement ("BAA") with you upon request. The BAA governs our obligations with respect to PHI we receive, create, maintain, or transmit on your behalf. Please contact us at sales@houstonitd.com to request a BAA.

8.3 Minimum Necessary Standard

We limit our use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, consistent with the HIPAA Minimum Necessary Rule.

8.4 Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, where required, the media, in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).

9. Data Sharing and Disclosure

We do not sell, rent, or trade your Personal Data or Clinical Data to third parties for their marketing purposes. We have not sold Personal Data in the preceding twelve (12) months.

We may share your information in the following limited circumstances:

9.1 Organization Members

If you join an organization within the Service, your visit data, clinical documentation, schedule, and credentials may be visible to authorized administrators within that organization as necessary for care coordination, compliance, quality assurance, and billing. Organizations act as independent Data Controllers for data they access through their administrative portals.

9.2 Sub-Processors and Service Providers

We engage third-party Sub-Processors to help us operate the Service. These providers are contractually bound to protect your data, process it only on our instructions, and maintain appropriate security measures. Our Sub-Processors include:

• Cloud Infrastructure: Amazon Web Services (AWS) — data hosting, storage, and computing
• AI Processing: Third-party language model providers — audio transcription and SOAP note generation
• Payment Processing: Apple Inc. and Google LLC — in-app subscription payments
• Push Notifications: Google Firebase Cloud Messaging — delivery of push notifications
• Authentication: Google and Apple — social sign-in identity verification

A complete and up-to-date list of Sub-Processors is available upon request by contacting sales@houstonitd.com.

9.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process (such as a court order or subpoena), or governmental request. Where legally permitted, we will make reasonable efforts to notify you before such disclosure.

9.4 Protection of Rights

We may disclose your information when we believe disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.

9.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your Personal Data may be transferred to the acquiring entity. We will provide notice before your Personal Data becomes subject to a different privacy policy. If a BAA is in place, its terms will transfer to or be assumed by the acquiring entity.

9.6 De-Identified and Aggregated Data

We may use and disclose de-identified or aggregated data that does not reasonably identify any individual for research, analytics, business purposes, and service improvement. De-identification is performed in accordance with HIPAA Safe Harbor or Expert Determination methods, as applicable.

9.7 API Integrations

Organizations may connect their systems to the Service via our REST API. Data shared through API integrations is governed by the organization's own privacy policies, data processing agreements, and applicable laws. We are not responsible for the data handling practices of organizations that access data through our API.

10. International Data Transfers

The Service is operated from and data is primarily stored in the United States. If you access the Service from outside the United States, your Personal Data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

10.1 EU/EEA and UK Transfers

For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other countries not deemed to provide an adequate level of data protection, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
• The UK International Data Transfer Addendum to the EU SCCs
• Supplementary technical and organizational measures where necessary to ensure the level of protection required by the GDPR

You may request a copy of the applicable transfer mechanism by contacting us at sales@houstonitd.com.

10.2 Other International Transfers

For transfers from other jurisdictions that impose restrictions on cross-border data transfers (including Canada, Brazil, Australia, South Africa, and others), we ensure that appropriate safeguards are in place as required by the applicable local law, including contractual protections, consent where required, and data protection impact assessments where appropriate.

10.3 Your Consent to Transfer

By using the Service, you acknowledge and consent to the transfer, storage, and processing of your Personal Data in the United States and other countries where our Sub-Processors operate, subject to the safeguards described in this section. Where applicable law requires a specific legal basis for such transfer beyond consent, we rely on the mechanisms described above.

11. Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:

• Account Information: Retained for the duration of your active account plus thirty (30) days following account deletion, after which it is permanently deleted from our active systems.
• Clinical Documentation: Retained in accordance with applicable healthcare record retention laws. In the United States, this is typically seven (7) to ten (10) years from the date of the last entry, or longer where required by state law or regulation. For organization members, the organization's retention policies may apply.
• Audio Recordings: Audio recordings remain on your device, encrypted at rest, until you choose to delete them, sync them to our servers (at which point they are stored encrypted on our servers), or delete your account. Server-side audio recordings are retained for ninety (90) days following AI processing to allow for reprocessing if needed, then automatically deleted. You may request earlier deletion at any time.
• Location Data: Associated with specific visit records and retained for the same period as the corresponding Clinical Documentation.
• Usage and Analytics Data: Retained in anonymized form for up to twenty-four (24) months.
• Communication Records: Retained for up to twelve (12) months for support purposes.
• Server Logs: Retained for up to twelve (12) months for security and troubleshooting purposes.

Data stored locally on your device is encrypted at rest and remains under your control. All local data — including database contents, audio recordings, and authentication credentials — is permanently and irreversibly deleted when you log out or delete your account. Uninstalling the app will also remove locally stored data from your device.

Where Clinical Data must be retained beyond account deletion for legal compliance, it will be archived securely and access will be restricted to the minimum necessary for compliance purposes only.

12. Your Privacy Rights — United States

12.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to Know: You have the right to request that we disclose the categories and specific pieces of Personal Data we have collected, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of your Personal Data, subject to certain exceptions (e.g., legal retention obligations for clinical records).
• Right to Correct: You have the right to request correction of inaccurate Personal Data.
• Right to Opt-Out of Sale or Sharing: We do not sell or share your Personal Data for cross-context behavioral advertising purposes. Therefore, there is no need to opt out.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive Personal Information (such as health data) to purposes necessary to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, contact us at sales@houstonitd.com. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf.

12.2 Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy legislation may have similar rights including access, correction, deletion, data portability, and the right to opt out of targeted advertising, sale of personal data, and profiling. To exercise your rights under any applicable state law, contact us at sales@houstonitd.com.

13. Your Privacy Rights — European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR (and equivalent local laws):

• Right of Access (Art. 15): You have the right to obtain confirmation as to whether your Personal Data is being processed and to receive a copy of that data.
• Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete Personal Data.
• Right to Erasure (Art. 17): You have the right to request deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, you withdraw consent, or the data has been unlawfully processed, subject to applicable legal retention requirements.
• Right to Restriction of Processing (Art. 18): You have the right to request that we restrict Processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability (Art. 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object to Processing based on legitimate interests. We will cease Processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Right to Withdraw Consent: Where Processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of Processing carried out before withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (data protection authority). A list of EU/EEA supervisory authorities is available at edpb.europa.eu. For the UK, complaints may be directed to the Information Commissioner's Office (ICO).

To exercise any of these rights, contact us at sales@houstonitd.com. We will respond to your request within thirty (30) days, as required by applicable law.

14. Your Privacy Rights — Other Jurisdictions

14.1 Canada (PIPEDA)

Canadian residents have the right to access their Personal Data held by us, challenge the accuracy and completeness of the data, and have it amended as appropriate. We will obtain meaningful consent for the collection, use, and disclosure of Personal Data and limit collection to purposes that a reasonable person would consider appropriate. To exercise your rights or file a complaint, contact us at sales@houstonitd.com. You may also file a complaint with the Office of the Privacy Commissioner of Canada.

14.2 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD) including: confirmation of Processing, access to data, correction of incomplete or inaccurate data, anonymization or deletion of unnecessary data, data portability, information about entities with which data has been shared, information about the possibility of denying consent, and revocation of consent. To exercise your rights, contact us at sales@houstonitd.com.

14.3 Australia (Privacy Act 1988)

Australian residents may access their Personal Data held by us and request correction of any inaccurate information. We handle Personal Data of Australian residents in compliance with the Australian Privacy Principles (APPs). If you believe we have breached an APP, you may lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC).

14.4 South Africa (POPIA)

South African residents have rights under the Protection of Personal Information Act including the right to be notified of data collection, the right to access, the right to request correction or deletion, and the right to object to Processing. To exercise your rights, contact us at sales@houstonitd.com. You may also lodge a complaint with the Information Regulator of South Africa.

14.5 Other Jurisdictions

If you are located in a jurisdiction with data protection laws not specifically addressed above, we will comply with the applicable local requirements regarding the collection, use, storage, and disclosure of your Personal Data. To exercise any rights available to you under your local law, contact us at sales@houstonitd.com.

15. Do Not Track / Do Not Sell

We honor Do Not Track (DNT) browser signals. We do not track users across third-party websites for advertising purposes.

We do not sell your Personal Data. We do not share your Personal Data for cross-context behavioral advertising. As such, there is no "Do Not Sell or Share My Personal Information" opt-out mechanism required; however, if you wish to confirm this or exercise any related right, you may contact us at sales@houstonitd.com.

16. Cookies and Tracking Technologies

16.1 Website

Our website (visitnoteai.com) may use strictly necessary cookies for website functionality and analytics cookies to understand visitor behavior. We do not use advertising cookies or tracking pixels. You may control cookies through your browser settings.

16.2 Mobile Application

The VisitNote AI mobile application does not use cookies, advertising identifiers (IDFA/GAID for advertising), or third-party tracking SDKs for advertising purposes. Device identifiers are collected solely for push notification delivery and service functionality.

17. Children's Privacy

The Service is intended exclusively for use by licensed healthcare professionals who are at least eighteen (18) years of age. The Service is not directed at and is not intended for use by children under the age of eighteen (18). We do not knowingly collect Personal Data from children under eighteen (18). If we become aware that we have inadvertently collected Personal Data from a child under eighteen (18), we will take immediate steps to delete such information from our systems. If you believe that a child has provided Personal Data to us, please contact us at sales@houstonitd.com.

18. Data Breach Notification

In the event of a security breach that results in the unauthorized access, disclosure, or loss of your Personal Data:

• We will investigate the breach promptly and take steps to contain it and mitigate any resulting harm.
• GDPR (EU/EEA/UK): We will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals, unless the breach is unlikely to result in such a risk. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.
• HIPAA: We will notify affected individuals, HHS, and where applicable, the media, in accordance with the HIPAA Breach Notification Rule.
• U.S. State Laws: We will comply with applicable state data breach notification laws, which generally require notification to affected residents within thirty (30) to ninety (90) days, depending on the jurisdiction.
• Other Jurisdictions: We will comply with breach notification requirements under all other applicable laws, including PIPEDA (Canada), LGPD (Brazil), the Australian Privacy Act, and POPIA (South Africa).

Notification will include the nature of the breach, the types of data affected, the likely consequences, and the measures taken or proposed to address the breach.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. For material changes, we will provide at least thirty (30) days' advance notice through the Service (via in-app notification) and/or by email to the address associated with your account before the changes take effect. Non-material changes may be posted with an updated "Last Updated" date.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the revised Privacy Policy, you must discontinue use of the Service.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Prior versions of this Privacy Policy are available upon request.

20. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, our data practices, or your privacy rights, please contact us:

• Email: sales@houstonitd.com
• Company: Houston IT Developers LLC
• Location: Houston, Texas, United States

For GDPR-specific inquiries, you may also contact our designated point of contact for data protection matters at the email address listed above. We will respond to all data protection inquiries within the timeframes required by applicable law, and in any event no later than thirty (30) days from receipt of the request.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority or supervisory authority, as described in Sections 12, 13, and 14 above.