eScheduleIt

Privacy Policy

Effective Date: March 22, 2026

Table of Contents
  1. About This Privacy Policy
  2. Information We Collect
  3. How We Use Your Information (Purpose Limitation)
  4. Consent
  5. Limiting Collection
  6. Data Retention
  7. Disclosure of Information
  8. Cross-Border Data Transfers
  9. Security Safeguards
  10. Your Privacy Rights
  11. Personal Health Information (PHI)
  12. AI Features and Automated Processing
  13. Google Calendar Integration
  14. Cookies and Tracking Technologies
  15. Children's Privacy
  16. Breach Notification
  17. Privacy Accountability
  18. Changes to This Privacy Policy
  19. Contact Us

1. ABOUT THIS PRIVACY POLICY

This Privacy Policy (the "Policy") applies to the website located at eschedule.it (the "Site") and all related services, applications, mobile applications, and platforms (collectively, the "Services") owned and operated by ESCHEDULEIT INC., a Florida limited liability company ("eScheduleIt," "we," "us," or "our").

For purposes of this Policy, the following definitions apply:

  • "Personal Information" means any information about an identifiable individual, including but not limited to name, email address, telephone number, mailing address, payment information, IP address, device identifiers, and any other information that can be used to directly or indirectly identify an individual. This term encompasses "personal information" as defined under the Personal Information Protection and Electronic Documents Act (PIPEDA) and "individually identifiable health information" as defined under the Health Insurance Portability and Accountability Act (HIPAA).
  • "Personal Health Information" or "PHI" means individually identifiable health information as defined under HIPAA (45 CFR §160.103), and "personal health information" as defined under the Personal Health Information Protection Act, 2004 (PHIPA), including information about an individual's physical or mental health, the provision of healthcare to the individual, or payment for healthcare, that identifies the individual or could reasonably be used to identify the individual.
  • "Customer Data" means all data, including Personal Information and PHI, that is submitted to or collected through the Services by or on behalf of our customers in connection with their use of the Services.

This Policy describes our practices regarding the collection, use, disclosure, retention, and protection of Personal Information. This Policy is governed by applicable United States federal and state laws, including HIPAA and the HIPAA Privacy Rule (45 CFR Parts 160 and 164), and, where applicable to users located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and the Personal Health Information Protection Act, 2004 (PHIPA, S.O. 2004, c. 3, Sched. A).

By accessing or using the Services, you acknowledge that you have read, understood, and consent to the practices described in this Policy. If you do not agree with this Policy, you must discontinue use of the Services immediately. Your use of the Services is also governed by our Terms of Service.

2. INFORMATION WE COLLECT

We collect the following categories of information in connection with your use of the Services:

(a) Information You Provide Directly
  • Account Registration Information: When you create an account, we collect your name, email address, password (stored in hashed form), and role within your organization.
  • Organization and Practice Information: Practice name, address, phone number, business type, license information, and other details about your healthcare practice or organization.
  • Scheduling Data: Appointment details, resource assignments, availability schedules, service types, locations, client or patient names and contact information, and other scheduling-related data you enter into the platform.
  • Contact Information for Resources and Clients: Names, email addresses, phone numbers, and other contact details for staff, practitioners, and clients or patients managed within the platform.
  • Profile Information: Preferences, settings, profile photographs, and other information you choose to provide in your account profile.
  • Payment Information: Billing details and payment card information. Payment information is processed by our third-party payment processors and is not stored on our servers. We retain only transaction identifiers and billing records necessary for account management.
  • Communications: Information contained in support requests, feedback, survey responses, and other communications you send to us.

(b) Information Collected Automatically

When you access or use the Services, we automatically collect certain information, including:

  • Internet Protocol (IP) address
  • Browser type, version, and language preferences
  • Device information, including hardware model, operating system and version, and unique device identifiers
  • Referring and exit URLs
  • Pages viewed, features used, and actions taken within the Services
  • Date, time, and duration of visits
  • Usage patterns and interaction data
  • Information collected through cookies, web beacons, and similar technologies (see Section 14)

(c) Information from Third Parties
  • Google Calendar Data: If you enable Google Calendar integration, we receive calendar event data as described in Section 13.
  • Social Login Providers: If you choose to authenticate using a third-party provider (such as Google, Microsoft, Facebook, or X/Twitter), we receive your name, email address, and profile information as authorized by the provider and your privacy settings.
  • Publicly Available Information: We may collect information from publicly available sources to verify account information or for fraud prevention.

3. HOW WE USE YOUR INFORMATION (PURPOSE LIMITATION)

We use Personal Information solely for the following purposes:

  1. Providing and Maintaining the Services: To operate, deliver, and maintain the scheduling, appointment management, resource optimization, and other features of the Services, including processing your requests and transactions.
  2. AI-Powered Scheduling Features: To provide AI-assisted scheduling optimization, automated appointment reminders, AI chat assistance, AI phone agent services, and AI SMS agent services, as described in our AI Policy.
  3. Communicating with You: To send service-related notifications, appointment reminders, account updates, security alerts, and administrative messages necessary for the operation of the Services.
  4. Improving and Optimizing the Services: To analyze usage patterns, diagnose technical issues, conduct research and development, and improve the functionality, performance, and user experience of the Services.
  5. Ensuring Security and Preventing Fraud: To detect, investigate, and prevent unauthorized access, security incidents, fraud, and other harmful or unlawful activities.
  6. Complying with Legal Obligations: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
  7. Enforcing Our Terms of Service: To enforce our Terms of Service and other agreements, and to protect the rights, property, and safety of eScheduleIt, our users, and the public.

We do NOT:

  1. Sell your Personal Information to third parties, under any circumstances;
  2. Use your data for advertising or marketing by third parties;
  3. Use Customer Data or Personal Health Information to train artificial intelligence or machine learning models.

This limitation on use is a core commitment of our Services and is reflected in our contractual agreements with sub-processors, including our data processing agreement with OpenAI, which expressly prohibits the use of Customer Data for model training purposes.

4. CONSENT

We obtain consent for the collection, use, and disclosure of Personal Information as follows:

(a) Express Consent

Express consent is required for:

  • Collection, use, and disclosure of Personal Health Information;
  • Enabling AI-powered outreach features, including automated phone calls and SMS messages to clients or patients;
  • Cross-border transfer of Personal Information from Canada to the United States (see Section 8);
  • Any use of Personal Information beyond the purposes stated in this Policy.

(b) Implied Consent

By voluntarily providing Personal Information to us and using the Services, you imply consent to the collection, use, and disclosure of that information as described in this Policy and as would be reasonably expected in connection with the Services.

(c) Withdrawing Consent

You may withdraw your consent to our collection, use, or disclosure of your Personal Information at any time by:

  • Contacting us at privacy@eschedule.it; or
  • Adjusting your preferences through your account settings where such options are available.

Upon receiving your withdrawal request, we will inform you of the likely consequences of withdrawing consent, which may include our inability to provide certain Services to you. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. We will process your withdrawal request within a reasonable timeframe, and no later than thirty (30) days from receipt.

5. LIMITING COLLECTION

In accordance with PIPEDA Principle 4 (Limiting Collection) and the HIPAA "minimum necessary" standard (45 CFR §164.502(b)), we collect only the Personal Information that is necessary to fulfill the purposes identified in Section 3 of this Policy. We do not collect Personal Information indiscriminately, and we do not collect information by misleading or deceptive means.

For Personal Health Information specifically, we apply the "minimum necessary" standard required by HIPAA, which means we access, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose. Our systems are designed to limit access to PHI based on role-based permissions, ensuring that workforce members and sub-processors can access only the PHI required for their specific functions.

6. DATA RETENTION

We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements. In accordance with PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention), we have established the following retention periods:

Data Type | Retention Period
Account information | Duration of active account plus thirty (30) days after a deletion request is processed
Scheduling and appointment data | Duration of active account, plus any additional period required by applicable healthcare record retention laws
AI chat conversation logs | Ninety (90) days from the date of the conversation
Voice call recordings and transcripts | Ninety (90) days from the date of the call, or longer if required by applicable law
SMS message logs | Ninety (90) days from the date of the message
Usage analytics and server logs | Twenty-four (24) months
HIPAA compliance documentation | Six (6) years, as required by 45 CFR §164.530(j)
Payment records | As required by applicable tax, financial, and accounting regulations

Upon expiration of the applicable retention period, Personal Information is securely deleted or de-identified using industry-standard methods, including cryptographic erasure and secure overwriting, in accordance with NIST SP 800-88 guidelines. You may request earlier deletion of your Personal Information, subject to our legal retention obligations (see Section 10).

7. DISCLOSURE OF INFORMATION

We may disclose Personal Information in the following limited circumstances:

(a) With Your Consent

When you have provided explicit authorization for a specific disclosure.

(b) To Provide the Services (Sub-Processors)

We engage trusted third-party service providers ("Sub-Processors") who process data on our behalf, under strict contractual obligations that require them to protect Personal Information in a manner consistent with this Policy and applicable law. Our Sub-Processors include:

  • Microsoft Azure — Cloud hosting and infrastructure services. Data is hosted in the US East region.
  • Twilio Inc. — Voice calling and SMS messaging services for AI phone and SMS agent features.
  • OpenAI — AI language model services for the AI chat assistant and scheduling optimization features. Our data processing agreement with OpenAI expressly prohibits the use of Customer Data for model training.
  • Stripe and/or other payment processors — Payment processing only. Payment processors receive only the information necessary to process transactions.
  • Brevo — Transactional email delivery for service notifications and account communications.

(c) Legal Compliance

When required by law, regulation, court order, subpoena, or enforceable governmental request. We will, to the extent permitted by law, provide you with notice of such a request before disclosing your information.

(d) Protection of Rights

When we believe in good faith that disclosure is necessary to protect the rights, property, or safety of eScheduleIt, our users, or the public, including to detect, prevent, or address fraud, security issues, or technical problems.

(e) Business Transfers

In connection with a merger, acquisition, reorganization, asset sale, bankruptcy proceeding, or other business transfer. In such an event, we will provide notice to you before your Personal Information is transferred and becomes subject to a different privacy policy. You will have the opportunity to withdraw consent to the transfer of your Personal Information in connection with such a transaction.

We require all Sub-Processors to maintain security standards consistent with this Policy and applicable law, through binding contractual provisions that include confidentiality obligations, data security requirements, breach notification obligations, and restrictions on further sub-processing. Sub-Processors are prohibited from using Personal Information for any purpose other than providing the contracted services to eScheduleIt.

8. CROSS-BORDER DATA TRANSFERS

Your Personal Information, including any Personal Health Information, is stored and processed on servers located in the United States (US East region). eScheduleIt does NOT maintain servers or data centers in Canada.

For users located in Canada: By using the Services, you expressly acknowledge and consent to the transfer of your Personal Information, including any Personal Health Information, from Canada to the United States for storage and processing. In accordance with PIPEDA Principle 1 (Accountability), eScheduleIt remains responsible for Personal Information transferred to our Sub-Processors in the United States.

Important Notice Regarding U.S. Law: While stored in the United States, your information may be accessed by United States federal, state, and local law enforcement agencies, courts, and national security authorities pursuant to U.S. law. This includes, but is not limited to, the USA PATRIOT Act (Pub. L. 107-56) and the Clarifying Lawful Overseas Use of Data Act (CLOUD Act, Pub. L. 115-141), which may permit access to your data without prior notice to you or to eScheduleIt. Canadian courts have recognized that data stored in the United States is subject to U.S. legal process.

We have implemented the following safeguards designed to provide a level of protection for Personal Information comparable to that required under Canadian privacy legislation:

  • Encryption of data in transit using Transport Layer Security (TLS) 1.2 or higher, and encryption of data at rest using Advanced Encryption Standard (AES-256);
  • Binding contractual obligations with our cloud service providers and Sub-Processors requiring security standards equivalent to or exceeding those set out in this Policy;
  • Role-based access controls that limit data access to authorized personnel with a legitimate need to access such information;
  • Comprehensive audit logging of all access to Personal Information and PHI;
  • Incident response and breach notification procedures consistent with HIPAA, PIPEDA, and PHIPA requirements;
  • Regular security assessments and vulnerability testing of our infrastructure and applications.

Despite these safeguards, we cannot guarantee that Personal Information will not be accessed by U.S. government authorities operating under U.S. law. If you do not consent to the transfer of your Personal Information to the United States under the conditions described in this Section, you should not use the Services.

For Ontario healthcare providers subject to PHIPA: If you are a Health Information Custodian as defined under PHIPA, you are responsible for obtaining express consent from your patients before transferring their Personal Health Information to the eScheduleIt platform. Such consent must include clear disclosure that the patient's Personal Health Information will be stored and processed in the United States, and that it may be subject to access by U.S. authorities under U.S. law.

9. SECURITY SAFEGUARDS

We implement administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, and destruction, consistent with the requirements of the HIPAA Security Rule (45 CFR Part 164, Subpart C) and PIPEDA Principle 7 (Safeguards).

(a) Technical Safeguards
  • Encryption of data at rest using AES-256 and in transit using TLS 1.2 or higher;
  • Role-based access controls with principle of least privilege, enforced at the application and database layers;
  • Multi-factor authentication (MFA) available for all user accounts and required for administrative access;
  • Automated detection and sanitization of personally identifiable information in AI processing pipelines;
  • Intrusion detection and prevention systems;
  • Regular vulnerability assessments and penetration testing;
  • Automated security monitoring and alerting;
  • Secure software development lifecycle practices, including code review and security testing.

(b) Administrative Safeguards
  • Written security policies and procedures, reviewed and updated at least annually;
  • Workforce privacy and security training for all employees and contractors with access to Personal Information;
  • Designated Privacy Officer responsible for oversight of privacy and security compliance;
  • Documented incident response plan with defined roles, escalation procedures, and communication protocols;
  • Regular risk assessments conducted in accordance with HIPAA requirements (45 CFR §164.308(a)(1));
  • Business Associate Agreements with all Sub-Processors that access or process PHI.

(c) Physical Safeguards
  • Data hosted in Microsoft Azure data centers that maintain SOC 1, SOC 2, and SOC 3 certifications, as well as ISO 27001, ISO 27017, and ISO 27018 compliance;
  • Physical access controls including biometric authentication, 24/7 surveillance, and environmental protections at data center facilities;
  • Redundant power systems and environmental controls to ensure data availability and integrity.

No method of electronic transmission or storage is completely secure. While we employ commercially reasonable measures to protect your Personal Information, we cannot guarantee absolute security. In the event of a security incident, we will follow the breach notification procedures described in Section 16 of this Policy.

10. YOUR PRIVACY RIGHTS

Depending on your jurisdiction and applicable law, you may have the following rights with respect to your Personal Information:

(a) Right to Access

You have the right to request a copy of the Personal Information we hold about you. Upon receiving your verified request, we will provide you with a copy of your Personal Information in a commonly used, readable format within thirty (30) days. We will provide this information at minimal or no cost, except where requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee.

(b) Right to Correction

You have the right to request correction of Personal Information that is inaccurate, incomplete, or out of date. Upon verification of the inaccuracy, we will correct the information promptly and, where applicable, notify any third parties to whom we previously disclosed the incorrect information so that they may also update their records. Where we disagree with the requested correction, we will annotate the information to note the disagreement and the correction requested.

(c) Right to Deletion

You have the right to request deletion of your Personal Information from our active systems. We will comply with verified deletion requests within thirty (30) days, subject to the following exceptions where retention is required: compliance with HIPAA documentation requirements (45 CFR §164.530(j)), applicable tax and financial record retention laws, pending legal proceedings or investigations, enforcement of our Terms of Service, and other applicable legal obligations. Where we cannot delete specific information due to a legal retention obligation, we will inform you of the reason and the expected retention period.

(d) Right to Data Portability

You have the right to request an export of your Personal Information in a commonly used, structured, machine-readable format (such as CSV or JSON). We will fulfill portability requests within thirty (30) days of receiving a verified request.

(e) Right to Withdraw Consent

You have the right to withdraw consent for future processing of your Personal Information at any time, as described in Section 4(c) of this Policy.

(f) Right to Lodge Complaints

If you believe your privacy rights have been violated, you have the right to lodge a complaint with the applicable regulatory authority:

  • Canadian users: Office of the Privacy Commissioner of Canada (www.priv.gc.ca); for PHIPA matters in Ontario, the Information and Privacy Commissioner of Ontario (www.ipc.on.ca).
  • U.S. users: The U.S. Department of Health and Human Services, Office for Civil Rights (www.hhs.gov/ocr) for HIPAA-related matters.
  • All users: We encourage you to contact us first at privacy@eschedule.it. We will investigate and respond to all complaints within thirty (30) days.

To exercise any of these rights, please contact us at privacy@eschedule.it. We may need to verify your identity before processing your request to protect against unauthorized access to Personal Information.

11. PERSONAL HEALTH INFORMATION (PHI)

This Section applies to healthcare providers and other entities that use the Services to manage scheduling involving Personal Health Information.

(a) Roles and Responsibilities

You, the healthcare provider or organization, remain the "Covered Entity" as defined under HIPAA (45 CFR §160.103), or the "Health Information Custodian" as defined under PHIPA (Section 3(1)), with respect to your patients' Personal Health Information. eScheduleIt operates as your "Business Associate" under HIPAA (45 CFR §160.103) or as your "Agent" under PHIPA (Section 17(1)), processing PHI solely on your behalf and as directed by you. The relationship between eScheduleIt and you with respect to PHI is that of a service provider acting under the direction and control of the data controller.

(b) Business Associate Agreement

The handling of PHI is governed by our Business Associate Agreement ("BAA"), which establishes the permitted uses and disclosures of PHI, security obligations, breach notification requirements, and other terms required by HIPAA. The BAA is incorporated by reference into our Terms of Service. You may review the BAA at Business Associate Agreement. The BAA must be executed before any PHI is processed through the Services.

(c) Your Obligations as Covered Entity / Health Information Custodian

As the Covered Entity (HIPAA) or Health Information Custodian (PHIPA), you are responsible for:

  • Obtaining any required patient consent, authorization, or notice before entering PHI into the eScheduleIt platform;
  • Ensuring your use of the Services complies with HIPAA, PHIPA, and all other applicable healthcare privacy laws and regulations;
  • Configuring appropriate access controls, user roles, and permissions within your account to protect PHI;
  • Maintaining your own HIPAA compliance program, including policies, procedures, workforce training, and risk assessments;
  • Notifying patients of the use of eScheduleIt as a service provider and that their data will be stored in the United States (particularly relevant for PHIPA-covered providers).

(d) Our Obligations as Business Associate / Agent

eScheduleIt will:

  • Use and disclose PHI only as permitted by the BAA and applicable law;
  • Implement administrative, technical, and physical safeguards as described in Section 9 of this Policy;
  • Report breaches of unsecured PHI as described in Section 16 of this Policy;
  • Ensure that Sub-Processors that access PHI agree to the same restrictions and conditions that apply to eScheduleIt under the BAA;
  • Make available information necessary to support your compliance obligations as described in the BAA;
  • Return or destroy PHI upon termination of the BAA, to the extent feasible.

12. AI FEATURES AND AUTOMATED PROCESSING

Our Services include artificial intelligence-powered features that process Personal Information and, in some cases, Personal Health Information. For complete details on how AI is used within the Services, what data it processes, the safeguards we implement, and your rights regarding AI-assisted processing, please refer to our AI Policy.

Summary of AI Features:

  • AI Chat Assistant: A GPT-powered conversational assistant that helps with scheduling tasks, answers questions about availability, and assists with platform navigation.
  • The Scheduler (Voice): An automated voice agent powered by AI that can make and receive telephone calls via Twilio for appointment scheduling, confirmations, and reminders.
  • The Scheduler (SMS): An automated text messaging agent that sends and receives SMS messages for appointment reminders, scheduling confirmations, and related communications.
  • The Scheduler (Optimization): Algorithms that analyze scheduling patterns and constraints to recommend optimal appointment configurations.
  • The Scheduler (Transcription): Automated transcription of voice calls for record-keeping and quality assurance purposes.

Key Commitments:

  • We do NOT use Customer Data or PHI to train AI models. Our data processing agreement with OpenAI expressly prohibits the use of Customer Data for model training.
  • AI features are supplementary tools designed to assist with scheduling tasks. They do not provide medical advice, make clinical decisions, or replace professional healthcare judgment.
  • You have the right to opt out of AI-powered outreach (phone calls and SMS messages) through your account settings or by contacting us.
  • You have the right to request human assistance at any time during an AI-assisted interaction.
  • Automated PII detection and sanitization is applied to data processed through AI features to minimize unnecessary exposure of Personal Information.

13. GOOGLE CALENDAR INTEGRATION

Scope and Purpose of Data Access

If you choose to connect your Google Calendar account to eScheduleIt, we will request and use access to your Google Calendar data solely to synchronize your appointments between eScheduleIt and Google Calendar. This integration is intended to improve your experience by reducing double entry and ensuring that appointments created or updated in eScheduleIt are reflected in your Google Calendar, and vice versa.

Types of Data Collected and Used

When you authorize the integration, eScheduleIt will have the ability to:

  • Read: View your calendar events to ensure we display and synchronize correct availability and prevent double bookings.
  • Write: Add, update, or delete appointment events in your Google Calendar to keep your schedules aligned.

Data Use and Storage
  • Limited Use: We use your Google Calendar data only to provide and improve the appointment scheduling functionality. We do not use this data for advertising purposes, share it for marketing campaigns, or sell it to third parties.
  • Data Retention: Your Google Calendar data is not stored on our servers beyond what is necessary to facilitate and maintain synchronization. Any cached data is used solely for operational reasons and is not used for any other purpose.

Third-Party Access

Except for the integration with Google Calendar as you have authorized, we do not share your Google Calendar data with third parties unless required by law or as needed to fulfill your requests and provide our Services (for example, if a third-party infrastructure provider securely hosts our platform).

User Control and Revocation of Access

You remain in control of your data. You can revoke eScheduleIt's access to your Google Calendar at any time by:

  1. Adjusting the connected account settings within your eScheduleIt account.
  2. Revoking access directly through your Google Account security settings at https://myaccount.google.com/permissions.

Upon revoking access, eScheduleIt will no longer have the ability to read or write to your Google Calendar, and any cached event data will be removed from our systems as soon as is reasonably practicable.

Compliance with Google's Policies

We adhere to Google's API Services User Data Policy and any other applicable guidelines. Our use of data obtained through Google APIs will comply with the Google API Services User Data Policy, including the Limited Use requirements, ensuring that your information is protected and used solely for the stated purposes.

14. COOKIES AND TRACKING TECHNOLOGIES

We use cookies, web beacons, and similar technologies in connection with the Services for the following purposes:

  • Session Management and Authentication: To maintain your logged-in session, authenticate your identity, and ensure the security of your account.
  • Preferences and Settings: To remember your language preferences, display settings, and other customizations.
  • Analytics and Performance: To analyze usage patterns, measure the performance of the Services, and identify areas for improvement.
  • Security: To detect and prevent fraudulent activity, unauthorized access, and other security threats.

Types of Cookies We Use
  • Essential Cookies: Required for the operation of the Services. These cookies enable core functionality such as authentication, session management, and security features. The Services cannot function properly without these cookies.
  • Analytics Cookies: Used to collect information about how you use the Services, including pages visited, features used, and error messages encountered. This information is used to improve the Services.
  • Preference Cookies: Used to remember your settings and preferences so that we can personalize your experience.

We do NOT use advertising cookies or third-party tracking cookies for targeted advertising purposes.

Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling essential cookies may impair the functionality of the Services, and some features may not work as intended.

Third-Party Analytics

We may use third-party analytics services, such as Google Analytics, to help us understand how the Services are used. These services may collect information sent by your browser as part of a web page request, including your IP address and cookies. The use of such information by these third-party services is governed by their respective privacy policies. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

15. CHILDREN'S PRIVACY

The Services are not directed to, and are not intended for use by, individuals under sixteen (16) years of age. We do not knowingly collect Personal Information from children under 16. eScheduleIt is a business-to-business platform designed for use by healthcare practices, organizations, and their authorized adult users.

If we become aware that we have inadvertently collected Personal Information from a child under 16, we will take immediate steps to delete such information from our systems. If you are a parent or guardian and believe that a child under 16 has provided Personal Information to eScheduleIt, please contact us immediately at privacy@eschedule.it so that we can take appropriate action.

Nothing in this Section limits the ability of a healthcare provider to use the Services to schedule appointments for minor patients, provided that the provider does so in compliance with applicable law and with appropriate parental or guardian consent where required.

16. BREACH NOTIFICATION

In the event of a security breach involving unauthorized access to, acquisition of, use of, or disclosure of Personal Information or Personal Health Information, eScheduleIt will take the following steps:

(a) HIPAA-Covered Data

For breaches involving unsecured PHI as defined under the HIPAA Breach Notification Rule (45 CFR §§164.400–414), we will notify the affected Customer (Covered Entity) without unreasonable delay, and in no event later than sixty (60) calendar days from the date of discovery of the breach. The notification will include all information required under 45 CFR §164.410, including identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed. The Customer (Covered Entity) is responsible for providing notification to affected individuals and to the Secretary of the U.S. Department of Health and Human Services as required under HIPAA.

(b) PHIPA-Covered Data (Ontario)

For breaches involving Personal Health Information subject to PHIPA, we will notify the affected Customer (Health Information Custodian) at the first reasonable opportunity after discovery of the breach, to enable the Custodian to fulfill its notification obligations to affected individuals and to the Information and Privacy Commissioner of Ontario as required under PHIPA Section 12(2).

(c) Content of Breach Notifications

Breach notifications provided by eScheduleIt will include:

  • A description of the nature and circumstances of the incident, including the types of Personal Information involved;
  • The date or estimated date of the breach and the date of discovery;
  • A description of the steps eScheduleIt has taken and is taking to investigate, mitigate harm, and prevent future occurrences;
  • Recommended steps that affected individuals can take to protect themselves from potential harm;
  • Contact information for eScheduleIt's Privacy Officer for further inquiries.

(d) General Notification

Where required by applicable state or provincial privacy breach notification laws, we will directly notify affected individuals in accordance with the requirements of such laws. We maintain an incident response plan that is tested and updated regularly to ensure timely and effective response to security incidents.

17. PRIVACY ACCOUNTABILITY

In accordance with PIPEDA Principle 1 (Accountability), eScheduleIt is responsible for Personal Information under its control. We have implemented the following accountability measures:

(a) Privacy Officer

We have designated a Privacy Officer who is responsible for overseeing eScheduleIt's compliance with this Policy and all applicable privacy legislation, including HIPAA, PIPEDA, and PHIPA. The Privacy Officer is responsible for:

  • Implementing and maintaining privacy policies and procedures;
  • Responding to privacy inquiries, access requests, and complaints;
  • Ensuring workforce training on privacy and security obligations;
  • Overseeing compliance by Sub-Processors;
  • Conducting and overseeing privacy impact assessments where appropriate.

The Privacy Officer may be contacted at: privacy@eschedule.it.

(b) Complaint Handling

If you have a privacy concern or complaint, please contact our Privacy Officer at privacy@eschedule.it. We will:

  • Acknowledge receipt of your complaint within five (5) business days;
  • Investigate the complaint thoroughly and in good faith;
  • Provide a written response within thirty (30) days, including a description of our findings, any corrective action taken or proposed, and an explanation of any further recourse available to you.

If you are not satisfied with our response, you have the right to escalate your complaint to the applicable privacy commissioner or regulatory authority as described in Section 10(f) of this Policy.

18. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, applicable law, or for other operational, legal, or regulatory reasons. When we make changes to this Policy:

  • For material changes: We will provide notice by (i) posting the updated Policy on the Site with a revised "Last Updated" date, and (ii) sending email notification to the email address associated with your account at least thirty (30) days before the changes take effect.
  • For non-material changes: We will post the updated Policy on the Site with a revised "Last Updated" date.

Material changes include, but are not limited to, changes in the categories of Personal Information collected, the purposes for which Personal Information is used, the categories of third parties with whom Personal Information is shared, and changes to your privacy rights.

Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of the updated Policy. If you do not agree with the changes, you must discontinue use of the Services before the effective date. We encourage you to review this Policy periodically to stay informed about how we protect your Personal Information.

19. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy, our privacy practices, or the handling of your Personal Information, please contact us using any of the following methods:

  • Privacy Officer: privacy@eschedule.it
  • General Inquiries: Visit the Contact Us form on the Site
  • Mailing Address:
    ESCHEDULEIT INC.
    Plantation, Florida, USA

For privacy rights requests (access, correction, deletion, or portability), please include sufficient information for us to verify your identity (such as your name, email address associated with your account, and organization name) and clearly specify the right you wish to exercise. We will respond to all verified requests within thirty (30) days.


Last Updated: March 22, 2026

Related Documents

  • Terms of Service
  • AI Policy
  • HIPAA Business Associate Agreement