The following privacy policy ("Privacy Policy") supplements and is subject to CoreVitals’ (“Company”) Universal Terms of Use (“UToS”) or Master Subscription Agreement (“MSA”), which are incorporated herein by this reference. Capitalized terms used and not otherwise defined herein shall have the meanings set forth in the UToS/MSA. In the event of a conflict between this Privacy Policy and the UToS/MSA, this Privacy Policy shall control. Customer acknowledges that Customer has read this Privacy Policy, Company’s Data Processing Addendum (DPA), and, where applicable, Company's Business Associate Agreement (BAA).
Important Distinction: Account Data vs. Compliance Data
As a Governance, Risk, and Compliance (GRC) platform, CoreVitals processes two distinct categories of data:
- Account and Marketing Data: Information collected to manage your account, bill you, and market our services. This Privacy Policy governs our handling of Account and Marketing Data.
- Compliance Data: Audit evidence, cybersecurity artifacts, Protected Health Information (PHI), and other data uploaded into the CoreVitals platform to manage PCI, HIPAA, SOC 2, and other frameworks. The processing and security of Compliance Data are strictly governed by our DPA and/or BAA.
Agreement to Abide by Privacy Policy
BY ACCESSING THE WEBSITES OR CUSTOMER ACCOUNT, SIGNING UP FOR OR USING THE PRODUCTS, CUSTOMER AGREES TO BE BOUND BY THIS PRIVACY POLICY AND THE AGREEMENTS. Company’s collection of Personal Information (as defined below) is required by Company to serve the Website and deliver the Products. Refusal to provide required Personal Information to Company may delay or prevent access to the Website and/or delivery of the Products.
Privacy Policy Overview
This Privacy Policy explains how and what data Company collects and how Company uses Personal Information (as defined herein). This Privacy Policy also describes options Company provides for Customer to access, update, or otherwise take control of Personal Information that Company or its sub-processors process. For questions about Company’s practices or Customer’s rights described below, please contact Company’s Data Protection Team by email at privacy@corevitals.com. Please allow 2 to 5 business days for a response.
Changes to the Privacy Policy
Company reserves the right, in its sole and absolute discretion, to amend this Privacy Policy at any time, for any reason, which amendment(s) will be effective upon posting to the Website(s). The date of the last revision to this Privacy Policy will be indicated by the “Last Updated” date located at the top of this Privacy Policy. Accessing the Websites or Customer Account, or signing up for or using the Products, after such changes or modifications have been made shall constitute Customer’s acceptance of this Privacy Policy as of the “Last Updated” date. Company may occasionally notify Customer of changes or modifications to this Privacy Policy by email, but is not required to do so. It is Customer’s responsibility to log into and keep Customer Account information accurate.
Information Company Collects
Personal Information: Company may collect information (i.e., via telephone, text, email, paper, and/or other interactions through the Account, with the Websites, or Products) when Customer provides such information on the Website(s) or through Customer Account, signing up for or using the Products, or otherwise interacts with Company (collectively, “Personal Information”). The types of Personal Information collected may include, but are not limited to, Internet Protocol (IP) address, name, business address, telephone number, billing information, email address, corporate role, and credit card or other financial account information. We use this information to:
- Registration: Register and manage the Account, including to allow access to and use of the Products; process payments or credits; and enforce role-based access controls necessary for GRC environments.
- Improve the Website and Products: Use information for analytical purposes and to enable Company to improve the Website and Products; and provide tailored and/or optimized experiences.
- Individualization: Notify Customer about special offers and products or services available from Company, its affiliates, or partners.
- Communication: Communicate with Customer or facilitate communication between Customer and Company; conduct, monitor, and record interactions with Company, Website, and the Products; respond to requests, questions, and comments.
- Platform Security and Legal Compliance: Maintain strict audit logs of user activity for security and compliance troubleshooting; prevent fraud and other potentially prohibited or unlawful activities; comply with relevant regulations and laws; respond to legal requests, prevent harm, and protect Company rights.
Non-Personal Data: Company may also collect information about Customer’s browsing activities and history or other information that is not considered Personal Information through Customer’s use of and visits to the Website, Products, or Company’s resources through a variety of technologies, including, but not limited to, cookies, tags, beacons, and other tracking tools. Types of non-personal data collected may include search terms, browser information, computer type, operating system, internet service providers, website usage, date/time stamps, and industry or company size.
- Company uses cookies to improve the Websites and Products.
- Customer can instruct a browser to refuse all cookies or to indicate when a cookie is being implemented.
- If Customer does not accept cookies, use of some features of the Websites and/or Products may not be available.
Do Not Track Disclosure: Company does not support Do Not Track (“DNT”).
How Company Uses and Shares Personal Information
Company strongly believes in both minimizing the data collected and limiting its use and purpose to only that (a) for which Company has been given permission, (b) as necessary to deliver the Websites or Products, or (c) as Company might be required or permitted for legal compliance or other lawful purposes.
Use of Personal Information: Once collected, Company may use Personal Information to provide service communications, respond to requests, personalize usability, share with third parties as required by law, diagnose security risks, and detect fraud.
Transfer of Data Abroad: Utilization of the Websites or Products from a country other than the country where Company’s servers are located may result in transferring Personal Information across international borders. In such cases, Personal Information data is handled according to this Policy and the DPA.
Sharing to Fulfill Service Requests and Perform Business Functions: Personal Information may be shared with certain third parties (Sub-processors) to fulfill the Customer’s service requests or perform business functions. Company only provides data to service providers that have taken appropriate measures to protect such information under strict contractual obligations, ensuring compliance with standards such as SOC 2 and GDPR.
Sharing Personal Information When Legally Necessary: Company may disclose Personal Information if required to do so by law or in the good-faith belief that such action is necessary to conform to legal requirements or comply with legal process served on Company. To the extent legally permitted, Company will take reasonable steps to notify Customer in the event that Company is required to provide Customer Personal Information to third parties as part of a legal process.
How to Manage the Sharing of Personal Information
To access, view, or update Customer’s personal data, Customer can sign into the Customer’s Account. Customer may also request a deletion of personal data by emailing privacy@corevitals.com. The request will apply only to the extent that it is no longer necessary for any Products or required for Company's legitimate business purposes or legal/contractual record-keeping requirements (e.g., maintaining audit logs for compliance).
How Long Personal Information Will Be Kept
Company will keep Personal Information while Customer maintains a Customer Account or while Company provides the Products to Customer. Company will keep Personal Information for as long as is necessary to respond to questions/claims, show fair treatment, or keep records required by law and applicable compliance frameworks. When Personal Information is no longer necessary to be retained, Company will securely delete or anonymize the information.
Online Tracking Technologies and Advertising
Company and certain third-party service providers operating on Company’s behalf collect information using tracking and analytical technologies. Company uses remarketing services to advertise on third-party websites after Customer visits the Websites or Products. You may opt out of receiving certain advertising by visiting: https://app.retention.com/optout.
Privacy Rights and Reporting
Under California’s Consumer Privacy Act (“CCPA”) and the European General Data Protection Regulation (“GDPR”), Customers or Website visitors who provide personal information are entitled to specific rights regarding their data. Company receives and responds to all data subject requests and grants the same rights to all, regardless of country, province, or state of residence. Submit any data subject request online, email to privacy@corevitals.com, or send via postal mail to: TBD.
Canada Anti-Spam Law (“CASL”) and GDPR
Website visitors or users who have provided Company a Canadian or European Union mailing address will not receive unauthorized Commercial Electronic Messages (CEMs) unless these individuals have opted-in. Residents of the European Economic Area (EEA) who believe Company maintains Personal Information subject to the GDPR may direct questions, requests, or complaints to their local supervisory authority or the UK’s Information Commissioner’s Office at www.ico.org.uk.
Age Restrictions
The Websites and Products are strictly intended for business use by individuals over eighteen (18) years of age. Company does not knowingly collect Personal Information from individuals under eighteen (18).
Information Security
As a Governance, Risk, and Compliance platform, Company treats security as paramount. Company implements commercially reasonable and framework-aligned security measures to help protect against unauthorized access to or unauthorized alteration, disclosure, or destruction of data. We restrict access to Personal Information to authorized personnel and sub-processors who require the information to operate or improve the Products. These individuals and organizations are bound by strict confidentiality obligations. While we implement robust security controls, Company cannot guarantee the absolute security of any information Customer transmits over the internet.
Linking to Other Internet Websites
Internet websites linked from the Websites or Products may contain privacy provisions that differ from this Policy. Company recommends that Customer review the privacy statements of these other linked websites.
Contact Information
For a full list of Company Data Sub-Processors, or to view the Data Processing Addendum, please refer to your Customer Account or contact us. For any questions, concerns, or complaints about this Policy, please email privacy@corevitals.com or send in writing to: TBD.
Company will attempt to resolve any complaints regarding the use of Personal Information in accordance with this Policy and will respond to all requests within thirty (30) calendar days of receipt or as required by law.