
HCT IT Privacy Policy

### Privacy Compliance Policy


**Policy Owner:** HCT IT LLC

**Effective Date:** January 1, 2024


#### Application

This policy applies to all employees, contractors, and vendors while doing business with HCT IT LLC, and others who have access to personally identifiable information (PII) or consumer information ("personal data") in connection with HCT IT LLC's operating activities.


#### Policy

HCT IT LLC is committed to protecting the security, confidentiality, and privacy of its information resources, including California consumers' personal data, in accordance with ISO 27701 and all relevant privacy frameworks, laws, and regulations. Personal data shall only be processed when there is a legal basis to do so, ensuring that security, confidentiality, and privacy are maintained, and data will be used only for authorized purposes. All employees and contractors of HCT IT LLC share the responsibility for safeguarding personal data to which they have access.


When performing commercial activities in support of HCT IT LLC products and services that impact consumer personal data (PII), HCT IT LLC may engage in activities that require it to receive, store, process, transmit, create, or access data, triggering compliance requirements with privacy regulations. This policy and the data privacy and information security policies adopted hereunder are intended to support the mission of HCT IT LLC and facilitate data processing activities important to HCT IT LLC by:


- Ensuring compliance with requirements imposed by relevant data privacy regulations.

- Establishing data privacy policies that set forth technical, physical, and administrative safeguards to maintain the security, confidentiality, and privacy of personal data.

- Defining roles and responsibilities necessary for HCT IT LLC to meet its obligations related to personal data processing.


HCT IT LLC shall post a public-facing Privacy Notice (i.e., Privacy Policy). The notice shall be available at or before the point of collection, easy to read, and:


- Use plain language and avoid jargon.

- Be in a format readable on small screens.

- Be available in the languages in which the company conducts business.

- Be reasonably accessible to consumers with disabilities in accordance with Web Content Accessibility guidelines version 2.1.

- Contain a meaningful description of categories of personal information collected.

- State the business purpose for collection.

- Include a link titled "Do-Not-Sell-My-Personal-Information" if the business sells personal information of California residents.

- Include a link to the privacy policy (if different).


If HCT IT LLC sells the personal information of California residents, a notice of the right to opt-out of the sale of personal information shall:


- Be posted on the web page to which the consumer is directed after clicking the "Do-Not-Sell-My-Personal-Information" link.

- Be provided within a mobile application, such as through the settings menu.

- Be provided through an offline method if the company does not have a website.

- Be provided orally if the information is collected over the phone.


The notice of the right to opt-out shall include:


- A description of the consumer's right to opt-out of the sale of their personal information.

- An interactive form by which consumers can opt-out.

- Offline or alternative methods to opt-out.


If HCT IT LLC markets goods or services in the EU or UK, the Privacy Notice shall include:


- Name and contact information for all GDPR Article 27 Local Representatives.

- Name and contact information for the Data Protection Officer (DPO), if applicable.


#### Roles and Responsibilities


##### Policy Adoption

HCT IT LLC shall, in cooperation with relevant stakeholders, develop and adopt necessary and appropriate data privacy policies, which will include technical, physical, and administrative safeguards required to ensure the confidentiality, integrity, and privacy of personal data, and protect it against reasonably anticipated threats, hazards, and unauthorized uses or disclosures. All relevant HCT IT LLC stakeholders shall cooperate in the development and implementation of these policies.


The HCT IT LLC Information Security and Data Privacy Policies are components of this policy framework and implement the controls that support compliance with all relevant data privacy regulations.


##### Responsible Person

Simone Haddad has been assigned responsibility for overall oversight of HCT IT LLC's Data Privacy Compliance Program, also known as the Privacy Information Management System (PIMS).


##### Data Protection Officer (DPO)

Simone Haddad has been assigned the role of Data Protection Officer (DPO) for HCT IT LLC's Data Privacy Compliance Program (PIMS).


In accordance with Article 39 of the GDPR, the DPO shall perform the following tasks:


- Inform and advise the controller or processor and employees who carry out processing of their obligations pursuant to this Regulation and other Union or Member State data protection provisions.

- Monitor compliance with this Regulation, other Union or Member State data protection provisions, and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits.

- Provide advice where requested regarding the data protection impact assessment and monitor its performance pursuant to Article 35.

- Cooperate with the supervisory authority.

- Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and consult, where appropriate, on any other matter.


#### Implementation


##### Data Protection and Regulatory Compliance

All personal data requires a legal basis for processing and will be accessible on a strict need-to-know basis. Personal data is to be kept confidential and must be protected and safeguarded from unauthorized access, modification, and disclosure.


- **Storage and Transmission:** Personal data must be encrypted with strong cryptography whenever stored on or transmitted by HCT IT LLC systems.

- **Disposal:** Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized, or physically destroyed before disposal or reuse.

- **Awareness Training:** Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to relevant regulations and handling personal data, as well as the Consumer (Data Subject) Access Request (DSAR) procedure. Relevant persons shall be trained to properly direct consumers in exercising their privacy rights.

- **Third-Party Transmission:** HCT IT LLC will not transmit personally identifiable information (PII) to any third-party or vendor until an appropriate Data Protection Addendum (DPA) or sufficient contract language has been fully executed by HCT IT LLC and the third-party.

- **No Sale of Personal Information:** HCT IT LLC shall not sell the personal information of minors or persons who have previously opted out of sales without explicit permission and shall not ask for permission for at least twelve (12) months after a consumer has opted-out.

- **Service Providers:** HCT IT LLC shall ensure that no service providers continue to sell PII after a consumer has opted out. HCT IT LLC shall not use PII provided for opting-out of a sale for any other purpose.

- **Non-Discrimination:** HCT IT LLC shall not deny goods or services or otherwise discriminate against (e.g., charge different prices, offer different levels of service) persons for exercising their privacy rights.

- **Data Access Requests:** HCT IT LLC shall provide at least two methods for consumers to submit data access requests, including an email address or web form. Responses to access requests shall cover at least the preceding twelve (12) months. HCT IT LLC shall locate data in all relevant systems in response to access requests.

- **Privacy Policy:** A public-facing Privacy Policy shall include a description of consumers' rights and be updated at least every twelve (12) months. PII collected for responding to a SAR shall not be used for any other purpose.


HCT IT LLC shall not sell any PII without posting a "Do Not Sell My Personal Information" link on the company homepage and Privacy Policy for consumers to opt-out of any sale. HCT IT LLC shall provide at least two methods for opting out of sales of PII consistent with the manner in which the company typically interacts with customers. HCT IT LLC will allow consumers to opt-out of sales via web browser plugin or other privacy setting. When HCT IT LLC offers an opt-out of a specific use, it shall also offer a global opt-out. HCT IT LLC shall ensure that opt-out requests are honored as soon as feasibly possible and within fifteen (15) days in all cases. HCT IT LLC shall establish a process for consumers to submit requests via an authorized agent.


HCT IT LLC shall ensure that a written contract is established with all service providers that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than the specific purpose specified in the contract. Service providers shall only use, retain, or disclose PII for the following purposes:


1. To provide service on behalf of the controller.

2. To employ another service provider.

3. To improve service quality.

4. To detect security incidents and/or fraud.

5. To comply with the law or law enforcement.


HCT IT LLC shall inform consumers of the company's privacy practices at or before any PII collection. The Privacy Notice shall be made available via a link titled "privacy" on the company's homepage.


HCT IT LLC shall deny access requests where the requestor's identity cannot be reasonably verified. In any case where the company has a legal basis for denying a consumer request, HCT IT LLC shall provide an explanation of its decision to the consumer, including a reference to the relevant laws or regulations. HCT IT LLC shall provide an individual response to each requestor and not refer them to a policy or provide a generic response. HCT IT LLC may de-identify personal information in response to a request for deletion. HCT IT LLC shall not be required to delete personal information from backups unless the backups are restored, accessed, or disclosed. HCT IT LLC may retain records of completed deletion requests for compliance purposes. HCT IT LLC shall deny fraudulent requests with an explanation as to why they believe the request is fraudulent.


Opt-out processes shall require minimal steps, and no multi-step opt-out process shall have more steps than the opt-in process. Opt-in processes shall have two steps: an opt-in request followed by a verification of the request. When consumers who have opted-out attempt to use a service that requires opt-in, the company shall inform the consumer how to opt-in. When the company collects personal information that a consumer would not reasonably expect from a mobile device, it shall provide a just-in-time notice containing a summary of categories collected and a link to the full notice.


##### Breach Notification

Notification of any reportable unauthorized use or disclosure of personal data will be sent to affected parties, Data Controllers, and relevant regulators in accordance with all applicable notification requirements and the Incident Response Policy.


##### Identity Verification

HCT IT LLC shall establish and document a reasonable method for verifying the identity of a requestor, which shall not require a fee from the consumer.


- The company shall implement reasonable security measures to detect and prevent fraudulent identity-verification activity.

- Where a consumer maintains a password-protected account with a company, the company may verify their identity using existing authentication practices.

- Before providing categories of personal information, the company shall verify the identity of requesters to a "reasonable degree of certainty." Before providing specific pieces of personal information or honoring a deletion request, a company shall verify the identity of requesters to a "high degree of certainty," depending on the sensitivity of the personal information or the risk of harm from an unauthorized deletion request.

- A company shall consider the following criteria when determining a verification method:

  - Whenever feasible, identifying information provided by a requestor should be matched with identifying information already maintained by the company, or use a third-party identification service.

  - Avoid collecting unnecessary personal information.

  - Consider the sensitivity of the information requested, the risk of harm to the consumer, the likelihood of fraud, the manner in which the business interacts with the consumer, and the availability of verification technology.

- A company shall avoid collecting personal information unless needed to verify the identity of the requestor. A company shall delete personal information collected for the purpose of verification as soon as possible after processing the request.

- If there is no reasonable method by which a company can verify the identity of the consumer to the degree of certainty required by this section, the business shall state so in response to any request and explain why it has no reasonable method by which it can verify the identity of the requestor. If the company has no reasonable method by which it can verify any consumer, the company shall explain why it has no reasonable verification method in its privacy policy. The company shall evaluate and document whether a reasonable method can be established at least once every 12 months.


##### Agent Verification

When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:


- Verify their own identity directly with the company.

- Directly confirm with the company that they provided the authorized agent permission to submit the request.


##### Request Verification for Minors

When the company has actual knowledge that it sells the personal information of a consumer under the age of 13, it shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child. This affirmative authorization is in addition to any verifiable parental consent required under COPPA, if applicable. Methods that are reasonably calculated to ensure that the person providing consent is the child's parent or guardian include, but are not limited to:


- Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the company by postal mail, facsimile, or electronic scan.

- Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder.

- Having a parent or guardian call a toll-free telephone number staffed by trained personnel.

- Having a parent or guardian connect to trained personnel via video conference.

- Having a parent or guardian communicate in person with trained personnel.

- Verifying a parent or guardian's identity by checking a form of government-issued identification against databases of such information, as long as the parent or guardian's identification is deleted by the business from its records promptly after such verification is complete.


The process for validating requests on behalf of minors and verifying the identity of parents or guardians shall be described in the public-facing Privacy Policy.


##### Consumer (Data Subject) Access Requests (DSAR/SAR)

Subject to the exceptions noted below in this policy, HCT IT LLC will comply with any SAR concerning the following rights of the consumer:


- Access (a copy of the personal data undergoing processing).

- Rectification of personal data (correction of data stored or processed).

- Erasure (‘right to be forgotten’).

- Notification regarding rectification or erasure.

- Objection to processing (withdrawal of consent to processing).

- Right to opt-out of any sale of PII (i.e., Do Not Sell requests).


SAR/DSAR Response Requirements:


Responses to access requests shall include the following data points as appropriate:


- Categories of PII collected.

- Categories of PII sold and disclosed to third parties.


SAR when HCT IT LLC is the data controller:


- A SAR must be made by sending an email to hello@hctit.tech. If the consumer has a password-protected account on HCT IT LLC systems, the company may provide an "interface" or self-service mechanism that the consumer is instructed to use to initiate the SAR process.

- Where required, the consumer must provide reasonable evidence of their identity in the form of valid identification, for example, email verification.


When submitting the SAR via the interface, the consumer must identify the SAR type that is being requested, e.g., erasure. If a SAR is submitted by an agent, the submission must include the identification of the consumer as well as a signed authorization from the consumer. HCT IT LLC must make reasonable efforts to verify the identity of the consumer and the legitimacy of all requests submitted by authorized agents. If a SAR is received that does not meet HCT IT LLC criteria, HCT IT LLC shall inform the consumer or agent how to correct the SAR to receive a response from HCT IT LLC.


SAR when HCT IT LLC is the data processor:


- The SAR must be submitted via email to HCT IT LLC Services.

- HCT IT LLC shall direct the consumer to the relevant Controller in accordance with all contractual commitments.


SAR requirements:


- The date on which the SAR is submitted, the date identification is verified, and the SAR request type must be recorded. HCT IT LLC will acknowledge any manual requests within 10 business days. The acknowledgment will describe the verification process and when the consumer should expect a response.

- HCT IT LLC has thirty (30) days from the initial request date to complete the request. If the company cannot respond within thirty days, it shall provide notice to the consumer. In California, the company may extend the response timeline up to an additional forty-five (45) days.


- The SAR application will be documented and can be audited using Vanta or HCT IT LLC's internal processes. HCT IT LLC shall ensure that deletion and correction requests are sent to subprocessors as needed.


HCT IT LLC as the data controller:


- Collect the data specified by the consumer.

- Verify the identity of the consumer.

- Search all databases and all relevant filing systems (manual files) in HCT IT LLC, including all back-up and archived files, whether computerized or manual, and including all email folders and archives. HCT IT LLC maintains a record that identifies where personal data in HCT IT LLC is stored.

- HCT IT LLC will maintain a record of data requests and their receipt, accessible by HCT IT LLC's CEO and/or any other designated HCT IT LLC representatives. HCT IT LLC will also keep a record of processing that includes dates.

- Provide consumers an online mechanism for making requests and all such requests will be logged.

- HCT IT LLC will acknowledge the SAR within ten (10) days of the initial request and respond to any SAR within 30 days of the initial request.

- SARs from employees or previous employees will be coordinated with HR and the employees' current or previous departmental leadership.


SAR Exemptions:


HCT IT LLC may withhold information requested under SAR in accordance with any exemption under applicable law. Any such exemption must be reviewed and approved by the Data Privacy Officer.


##### Compelled Disclosure

This section governs the compelled disclosure of customer Personally Identifiable Information pursuant to valid third-party legal demands for such information, such as court orders, search warrants, subpoenas, government investigations, and similar demands, and is incorporated by reference into HCT IT LLC's Privacy Policy.


In no case shall personal information be voluntarily provided to law enforcement or any regulatory agency without the express written consent of the Data Controller or Data Subject.


Upon receipt of legal demands for information, HCT IT LLC will immediately notify the CEO and Data Privacy Officer (DPO).


HCT IT LLC shall immediately notify any relevant Data Controllers unless prohibited by law.


The Chief Legal Officer, in connection with the CEO and Data Privacy Officer, will determine the response to law enforcement and affected third parties, including data subjects.


If determined to be appropriate by legal and executive management, HCT IT LLC will investigate the demands, and if it is determined at HCT IT LLC's sole discretion that they are valid, HCT IT LLC will search for and disclose the information that is specified and that we are reasonably able to locate and deliver within the prescribed deadline.


#### Enforcement

Executive leadership at HCT IT LLC is responsible for ensuring adherence to this Privacy Compliance Policy. Non-compliance with this policy will be subject to disciplinary action, which may include termination of employment or contract.


#### Applicable Laws, Regulations, and Standards

- ISO 27701 Privacy Information Management System (PIMS)

- SOC 2 Privacy Criterion

- General Data Protection Regulation (GDPR)

- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

- Personal Information Protection and Electronic Documents Act (PIPEDA)

- Colorado Privacy Act

- Connecticut Data Privacy Act

- Virginia Consumer Data Protection Act

- Utah Consumer Privacy Act


For any questions or to report policy violations, contact hello@hctit.tech.


### Summary

HCT IT LLC is committed to maintaining the privacy, security, and confidentiality of all personal data it handles. This policy outlines the measures we take to comply with relevant privacy laws and regulations, ensuring the protection of personal information through robust data privacy policies, employee training, and stringent access controls. By adhering to these practices, we aim to build and maintain the trust of our customers, employees, and partners.

HCTIT 'Cybersecurity, Demystified'

22725 Greater Mack Ave 301B #4072 St Clair Shores, MI 48080

+1-424-434-6874 | HELLO@HCTIT.IO

Copyright © 2026 HCT IT LLC - All Rights Reserved.