Privacy Framework

Version 1.0,   Date : 4/09/2025

The purpose of this policy is to establish clear principles, responsibilities, and controls to ensure the secure handling of personal and sensitive information. This policy defines the lifecycle management of such data—including collection, processing, storage, transfer, and deletion—to protect individuals’ privacy and prevent unauthorized access, use, disclosure, disruption, modification, or destruction of data.

This Privacy Policy applies to all visitors and users accessing our website from any location globally. Our website and services are hosted in the United States, and any personal information submitted by users will be processed and stored in accordance with U.S. data protection laws, while also honoring privacy rights applicable under global frameworks (e.g., GDPR, CCPA, and other local data privacy laws).

Personal Data: Any data that identifies an individual directly or indirectly (e.g., names, email addresses, phone numbers, ID numbers).

​

• Sensitive Personal Data: Includes information such as biometric data, financial information, health records, government-issued identifiers, and authentication credentials.

• Data Subject: A person whose personal or sensitive data is collected and processed.

• Data Controller: The entity that determines how and why data is processed.

• Data Processor: Any third party or service provider that processes data on behalf of the Data Controller.

Classifications include:

​

• Public: No restrictions on access.

• Internal: Access limited to employees.

• Confidential: Requires protection from unauthorized disclosure.

• Restricted: Strictly limited access due to regulatory, contractual, or business risk.

We may collect the following types of personal data directly from users or automatically through our services:

• Full Name

• Email Address

• Phone Number

• IP Address and device-related information

• Interaction and usage data on our platform

Our services are **not intended for use by children under the age of 16**, and we do not knowingly collect or solicit personal information from individuals in this age group.

If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately at **privacy@Opzen.ai**. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take steps to delete the information promptly.

We encourage parents and legal guardians to monitor their children’s internet usage and help enforce this Privacy Policy by instructing children never to provide personal

information without parental permission.

Data may only be processed on one or more of the following grounds:

•  Performance of a contract

• Compliance with a legal obligation

•  Protection of vital interests

• Consent from the data subject

• Legitimate interest, balanced against data subject rights

• Processes must be implemented to ensure the data is accurate, complete, and up to date.

• Individuals must be given a means to update or correct their data.

• We retain your personal data only as long as necessary for the purposes outlined, or as required by law. After this period, data is securely deleted or anonymized.

• Access must be role-based and approved via an access request process.

• Access rights shall be reviewed quarterly.

• Authentication mechanisms shall include MFA for critical systems.

• Dormant or unused accounts must be deactivated after 90 days.

• All access to personal and sensitive data must be logged with timestamps.

• Logs must be retained for a minimum of 12 months.

• Centralized logging systems with alerting mechanisms shall be used.

• Anomalies and unauthorized access must trigger automated incident response

• workflows.
   

We may disclose your information to trusted third-party service providers for the purpose of delivering our services effectively. These providers include but are not limited to:

- Google Analytics (for tracking and analytics)
- Amazon Web Services (for cloud hosting and data storage)

All third-party processors are bound by contractual obligations to protect personal data and use it only for specified purposes

​

• Vendors must undergo due diligence and risk assessments prior to engagement.

• Third-party processing requires a signed data protection agreement.

• No data shall be transferred to third countries unless adequate safeguards (e.g.,

• encryption, legal contracts) are in place.

• All vendors shall be subject to annual

• Product and engineering teams must include privacy impact assessments during design.

• Data masking, pseudonymization, or anonymization must be applied where appropriate.

• Defaults in systems should restrict public exposure and enforce secure settings.

• All incidents must be reported within 2 hours of detection.

• The Incident Response Team (IRT) must initiate investigation and containment immediately.

• Affected individuals and supervisory authorities will be notified within required timelines.

• Post-incident review and documentation shall be maintained.

• All incidents must be reported within 2 hours of detection.

• The Incident Response Team (IRT) must initiate investigation and containment immediately.

• Affected individuals and supervisory authorities will be notified within required timelines.

• Post-incident review and documentation shall be maintained.

• Employees must complete privacy and security awareness training within 30 days of onboarding.

• Annual refresher training and tests shall be mandatory.

• Any suspected violations must be reported to the Data Protection Officer or InfoSec Team.​

• Internal audits shall be conducted semi-annually.

• Privacy compliance shall be a standing item in all vendor reviews.

• Non-compliance will result in disciplinary action and may include termination or legal recourse.​

• All incidents must be reported within 2 hours of detection.

• The Incident Response Team (IRT) must initiate investigation and containment immediately.

• Affected individuals and supervisory authorities will be notified within required timelines.

• Post-incident review and documentation shall be maintained.

If you are located in the European Union (EU) or California, United States, you are entitled to additional rights under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), respectively.

Under GDPR, EU residents have the right to:

• Be informed about the collection and use of their personal data

• Access personal data held by us

• Rectify inaccurate or incomplete data

• Erase personal data (right to be forgotten’)

• Restrict processing and object to processing

• Data portability

• Lodge a complaint with a data protection authority

​

Under CCPA, California residents have the right to:

• Know what personal information is collected, used, shared, or sold

• Delete personal information held by the business (with certain exceptions)

• Opt-out of the sale of personal​

To exercise any of these rights, you may contact us at privacy@Opzen.ai

Right to Access:
You have the right to:

• Know if we are processing your personal data

• Request a copy of the personal data we hold about you

• Understand how your data is being used, including:

  • The purpose of processing

  • The categories of data we hold

  • The third parties with whom we share it

  • How long we retain it

Example: You can email us and request a full report of the personal data associated
with your account.​

​

Right to Rectify (Correction):

You have the right to:

• Request corrections to any personal data that is incorrect, outdated, or incomplete.

• This ensures that your data remains accurate and up to date.

Example: If you’ve changed your phone number or noticed a typo in your name, you

can ask us to update it.

Right to Erasure (Right to be Forgotten):

You have the right to:

• Request deletion of your personal data when:

  • The data is no longer needed for the purpose it was collected

  • You withdraw consent (where consent was the basis of processing)

  • You object to the processing and there are no overriding legitimate grounds

  • The data has been unlawfully processed

• Exceptions: We may retain your data if it's required by law (e.g., for tax compliance or legal claims).

Example: If you no longer use our services, you can request us to delete your account and personal information.

Right to Withdraw Consent:

You have the right to:

• Withdraw your consent at any time if data processing is based on your prior permission (such as for receiving newsletters or promotions).

• Once consent is withdrawn, we will stop processing your data for that specific purpose.

Example: You can opt out of marketing emails by clicking “Unsubscribe” or by emailing us.

⚖ Note:

These rights may vary slightly based on your country or region (e.g., GDPR in the EU, CCPA in California). However, Opzen.ai is committed to honoring these rights globally.

To exercise any of these rights, please email us at:

privacy@Opzen.ai

At Opzen.ai LLC, we value your trust and are committed to resolving any disputes related to your personal data and privacy in a fair and efficient manner.

Step 1: Informal Complaint Resolution

Before initiating any legal or arbitration proceedings, we encourage users to first contact us to attempt an informal resolution. You may do so by emailing:

privacy@Opzen.ai

• Your request should clearly include:

• Your full name and contact details

• A detailed description of the concern or dispute

• Any relevant supporting documentation

We will acknowledge your dispute within 5 business days and aim to resolve it within 30 calendar days.

Step 2: Formal Complaint Escalation

If you're not satisfied with the outcome of the informal process, you may escalate the

dispute by filing a formal complaint through either of the following channels:

Postal:

Data Protection Officer

Opzen.ai LLC

Easton Avenue 37

New Brunswick NJ 08901

United States

For EU Residents – You may also file a complaint with your local Data Protection

Authority (DPA).

For California Residents – You may contact the California Attorney General at

https://oag.ca.gov/privacy

• This policy will be reviewed annually or after any major organizational or regulatory change.

• Policy changes must be approved by the senior management committee.​

If you have any questions about this Data Privacy Policy, your rights, or our data
practices, please contact us at:
privacy@Opzen.ai

Address:
Opzen.ai LLC
Easton Avenue 37
New Brunswick NJ 08901
United States​