PRIVACY POLICY

RepsUp - Plan & Track Workouts
Data Controller: Barták Imre Gergő (Individual Sole Proprietor)
Last Updated: September 18, 2025
Effective Date: September 18, 2025
Version: 1.0

Our Core Privacy Commitment: RepsUp operates on a "privacy by design" principle. All your personal information, including workout and health data, is processed and stored exclusively on your personal device(s). We do not operate servers, and we have no technical means to access, view, collect, or share your data. You have complete and sole control over your information at all times.

Introduction and Data Controller Information
What Information is Processed
Sensitive Health Data and Special Category Information
Legal Basis for Processing
Data Sharing and Third Parties
Data Retention
Data Security
Children's Privacy
Your Privacy Rights
Data Breach Procedures
United States Residents - State Specific Rights
European, UK, and Swiss Residents - GDPR Rights
Canadian Residents - PIPEDA and Law 25
Indian Residents - DPDPA Rights
Other Regional Provisions
Data Protection Officers and Representatives
Consent Withdrawal Procedures
Policy Updates
Contact Information

1. INTRODUCTION AND DATA CONTROLLER INFORMATION

This Privacy Policy governs the processing of personal data by Barták Imre Gergő, an individual sole proprietor registered in Hungary ("we," "us," "our," "Data Controller," "Data Fiduciary"), in connection with the RepsUp mobile application ("App," "Service").

Data Controller Details:

Legal Name	Barták Imre Gergő (Individual Sole Proprietor)
Registered Address	Erdős köz 3, 8256 Ábrahámhegy, Veszprém, Hungary
Contact Email	privacy@repsup.app
EU/EEA Establishment	Hungary (EU Member State)

Our Role: Under applicable data protection laws including the GDPR, India's DPDPA, CCPA/CPRA, Washington's My Health My Data Act, and others, we are the Data Controller/Data Fiduciary. This means we determine the purposes and means of processing personal data within the App, even though all processing occurs locally on your device and we have no access to your data.

2. WHAT INFORMATION IS PROCESSED

The App processes the following categories of personal information exclusively on your device:

Data Category	Specific Data Types	Purpose of Processing	Sensitivity Level
Workout Data	• Workout plan names • Exercise names and descriptions • Sets, repetitions, rest times • Weight/resistance values • Personal notes and comments	Core app functionality for workout planning and tracking	Standard Personal Data
Health & Biometric Data	• Heart rate (BPM) - Read/Write • Active energy/calories - Read/Write • Workout sessions - Write only • Timestamped heart rate samples	Real-time performance monitoring and health tracking	Special Category/Sensitive
App Preferences	• Apple Watch usage preference • Display mode (Calendar/List) • Haptic feedback settings • Sound preferences	User experience customization	Standard Personal Data
Technical Data	• Device model • iOS/watchOS version • App version • Timezone	Technical support and data export functionality	Standard Personal Data
Age Verification Data	• Date of birth (momentary check) • Region (if under 18, momentary check)	Age verification only - NOT stored or saved	Not retained

NO Collection of: Names, email addresses, phone numbers, location data, IP addresses, device identifiers (IDFA), cookies, tracking data, browsing history, payment information, or any other identifying information.

3. SENSITIVE HEALTH DATA AND SPECIAL CATEGORY INFORMATION

Enhanced Protection Required: Health data is classified as "Special Category Data" (GDPR), "Sensitive Personal Information" (US states), "Consumer Health Data" (Washington MHMDA), "Health Information" (PIPEDA/Law 25), or equivalent high-protection categories across all jurisdictions.

3.1 Classification by Jurisdiction

Jurisdiction	Classification	Legal Requirement
EU/UK/EEA	Special Category Data (Article 9 GDPR)	Explicit consent required
Washington State	Consumer Health Data (MHMDA)	Separate consent for each type
California	Sensitive Personal Information	Opt-in consent required
Other US States	Sensitive Personal Information	Opt-in consent (varies by state)
Canada	Sensitive Information / Health Information	Express consent required
India	Sensitive Personal Data	Explicit consent required
Australia	Sensitive Information	Express consent required
New Zealand	Health Information	Individual's authority required
South Africa	Special Personal Information	Explicit consent required

3.2 Health Data We Process

With your explicit, granular, and informed consent, the App accesses the following health data from Apple HealthKit:

Heart Rate Data:
- Real-time heart rate during workouts (beats per minute)
- Timestamped heart rate samples for workout analysis
- Access: Read (live during watch workouts) and Write to HealthKit
- Purpose: Display workout intensity, create performance charts, and save a complete record to Apple Health
Active Energy/Calories:
- Energy expenditure during workouts (kilocalories)
- Access: Read and Write to HealthKit
- Purpose: Track calories burned and workout effectiveness
Workout Sessions:
- Complete workout summaries including duration, type, and metrics
- Access: Write-only to HealthKit
- Purpose: Save workout history to Apple Health

Medical Disclaimer: This health data is for fitness tracking purposes only. The App is not a medical device and should not be used for medical diagnosis or treatment. Heart rate and calorie measurements are estimates and may be inaccurate. Always consult a healthcare professional before starting any fitness program.

4. LEGAL BASIS FOR PROCESSING

4.1 General Principles

We process personal data only when we have a valid legal basis under applicable law. The legal basis varies by jurisdiction and data type:

4.2 Legal Basis by Jurisdiction

European Union, UK, EEA, and Switzerland (GDPR/UK GDPR/FADP)

Explicit Consent (Article 6(1)(a) + Article 9(2)(a)): For all health and biometric data
Performance of Contract (Article 6(1)(b)): For workout planning and core app functionality
Legitimate Interests (Article 6(1)(f)): For app preferences and technical data

India (DPDPA 2023)

Sole Legal Basis: Explicit, free, specific, informed, and unambiguous consent for ALL personal data processing. We do not rely on any other legal basis such as contract or legitimate interests for Indian users.

United States - Washington State (MHMDA)

Consumer Health Data: Requires separate, specific consent for each category of health data. We obtain this through granular HealthKit permissions.

United States - Other States

California (CCPA/CPRA): Consent for sensitive personal information
Colorado, Connecticut, Virginia, Utah: Consent for sensitive data
Other States: Consent or contract basis depending on data sensitivity

Canada (PIPEDA/Law 25)

Express Consent: For health data and sensitive information
Implied Consent: For non-sensitive app functionality data

Zero Third-Party Access: We do not share your personal data with any third parties because we do not have access to it. All data remains on your device.

5.1 Data Movement Scenarios

Your data only moves in the following user-initiated scenarios:

Scenario	Data Involved	Recipient	User Control
Apple Health Integration	Workout sessions, calories, heart rate	Apple Health app (on-device)	Requires explicit permission
Device Sync	Workout plans, settings, completed sessions	Your paired Apple Watch	Automatic with pairing
Data Export	All app data (JSON format)	User-selected location	User-initiated only

5.2 What We DON'T Do

We do NOT sell or rent personal information
We do NOT share data with advertisers
We do NOT use analytics or tracking services
We do NOT store data in the cloud
We do NOT transfer data internationally
We do NOT engage in profiling or automated decision-making

6. DATA RETENTION

6.1 General Retention Principle

Your data is retained on your device indefinitely until you choose to delete it. This aligns with the ongoing purpose of fitness tracking and progress monitoring.

6.2 Jurisdiction-Specific Requirements

Jurisdiction	Requirement	Our Implementation
EU/UK (GDPR)	No longer than necessary for purpose	User-controlled deletion at any time
New Zealand	Health records: 10-year minimum retention	User responsibility to maintain backups if required
India (DPDPA)	Delete when purpose fulfilled or consent withdrawn	User-initiated deletion available
Colorado (CPA)	Annual review for biometric data	User can review and delete via app
South Africa (POPIA)	Delete as soon as reasonably practicable	User-controlled deletion

6.3 Deletion Methods

Selective Deletion: Delete individual workouts or exercises within the app
Complete Deletion: Uninstall the app from all devices
Health Data: Revoke permissions in iOS Settings > Health > Data Access & Devices > RepsUp

7. DATA SECURITY

7.1 Technical Safeguards

Your data is protected by multiple layers of security:

Device-Level Encryption: iOS hardware encryption (AES-256)
Access Control: Face ID, Touch ID, or device passcode required
Application Sandboxing: iOS app isolation prevents other apps from accessing data
Secure Framework: Apple's SwiftData with built-in encryption
Network Security: No network transmission of personal data
Secure Communication: Apple Watch sync uses encrypted Bluetooth

7.2 Organizational Measures

Privacy by Design: Local-only architecture eliminates server breach risks
Data Minimization: Only essential data for fitness tracking
No Server Access: Technical impossibility of remote access
Regular Security Reviews: App security assessments with each update
Data Protection Impact Assessments: Conducted for health data processing
Secure Development: Following Apple's security best practices

8. CHILDREN'S PRIVACY

Age Requirements: This Service is not directed to children under the age of consent in their respective jurisdictions. We do not knowingly process personal information from children without verifiable parental consent.

8.1 Age Verification Process

During onboarding, we perform an age verification check:

Users must provide their date of birth
If under 18, users must also provide their region
This information is used solely for age verification
The data is NOT stored or saved
It is immediately discarded after the verification check

8.2 Minimum Age Requirements by Region

Region	Minimum Age	Legal Basis
India	18 years	DPDPA Section 9
EU/UK/EEA	16 years (or lower if permitted by member state, not below 13)	GDPR Article 8
Quebec, Canada	14 years	Law 25
United States & Other Regions	13 years	COPPA and local laws

8.3 Verifiable Parental Consent (VPC) for Minors

If a user is identified as being below the age of consent for their region, they are directed to our Verifiable Parental Consent (VPC) process. Access to the Service is only granted after a parent or legal guardian provides verified consent directly on the device.

Present Parental Gate: The App will display a dedicated screen for the parent or guardian, instructing the child to hand over the device.
Provide Direct Notice On-Screen: This screen serves as the legally required "Direct Notice." It clearly explains the types of personal information the app collects from their child (including workout and optional health data) and provides a direct link to this Privacy Policy.
Verify Consent with Passcode: The parent must confirm they have read the notice and agree to the terms by checking several boxes. To verify their consent, they are required to create a 4-digit "Parental Passcode." This action serves as a reasonable effort to ensure an adult is present and providing consent.
Activate Account: Once the parent creates the passcode and confirms consent, the child's access to the App is activated. A secure, scrambled (hashed) version of this passcode is stored locally on the device to serve as a record of consent.

8.4 Parental Rights

As a parent or guardian, you have full control over your child's data. Since all data is stored exclusively on your child's device, you can:

Review and Manage Data: Access the App on your child's device at any time to review their workout plans, health data, and other information.
Delete Data: You can delete specific data within the app or delete all data by uninstalling the app from the device.
Withdraw Consent: You can withdraw your consent at any time by deleting the app from your child's device. This action is permanent and will erase all associated data.
Contact Us for Assistance: If you have any questions or need help managing your child's data, please contact us at privacy@repsup.app.

If we become aware that we have collected personal information from a child in violation of applicable law, we will take immediate steps to delete that information.

8.5 Special Protections for Children

For users under 18 (or the age of majority in their jurisdiction):

No behavioral tracking or profiling
No targeted advertising (we have no ads at all)
No data sharing with third parties
Enhanced privacy protections by default

India-Specific: We are legally prohibited from and do not engage in any tracking, behavioral monitoring, or targeted advertising directed at children (users under 18) in compliance with the DPDPA.

9. YOUR PRIVACY RIGHTS

You have comprehensive rights over your personal data. These rights vary by jurisdiction but generally include:

9.1 Universal Rights

Right	Description	How to Exercise
Access	View and obtain a copy of your data	Use "Export My Data" in app settings
Rectification	Correct inaccurate data	Edit directly within the app
Erasure	Delete your data ("right to be forgotten")	Delete in app or uninstall
Portability	Transfer data to another service	Export as JSON file
Restrict Processing	Limit how data is used	Adjust app permissions
Object	Object to specific processing	Withdraw consent or stop using app
Withdraw Consent	Revoke previously given consent	Settings > Health > Data Access > RepsUp

9.2 How to Exercise Your Rights

Since all data is stored on your device, you can exercise most rights immediately through the app. For assistance or questions, contact us at privacy@repsup.app.

9.3 Response Timeline

If you contact us for assistance:

Acknowledgment: Within 48-72 hours
Response: Within 30 days (45 days for complex requests with notification)
No Fee: Generally free, except for manifestly unfounded or excessive requests

10. DATA BREACH PROCEDURES

Reduced Risk: Since data is stored only on your device with no server component, traditional data breaches affecting multiple users cannot occur. However, we maintain procedures for any security incidents.

10.1 Breach Response

In the unlikely event of a security incident affecting the app that could compromise data security:

Jurisdiction	Authority Notification	User Notification
EU/UK (GDPR)	72 hours to supervisory authority	Without undue delay if high risk
California (CCPA)	Not required	Without unreasonable delay
India (DPDPA)	72 hours to Data Protection Board	As directed by Board
Canada (PIPEDA)	As soon as feasible	As soon as feasible if risk of harm
Australia	72 hours to OAIC	As soon as practicable
South Africa	As soon as reasonably possible	As soon as reasonably possible

10.2 Breach Notification Content

Any breach notification will include:

Nature and date of the incident
Types of data potentially affected
Potential consequences
Measures taken to address the breach
Recommended protective actions
Contact information for questions

11. UNITED STATES RESIDENTS - STATE SPECIFIC RIGHTS

11.1 California - CCPA/CPRA Rights

Your California Privacy Rights:

Right to Know: What personal information we collect, use, and disclose
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate information
Right to Limit Use and Disclosure: Limit use of sensitive personal information
Right to Non-Discrimination: Equal service regardless of exercising rights
Right to Opt-Out of Sale/Sharing: We do not sell or share personal information

Categories of Information:

Sensitive Personal Information: Health and biometric data (on-device only)
We do NOT sell or share personal information
We do NOT engage in targeted advertising
We do NOT profile for automated decisions

"Shine the Light" Law: We do not share information with third parties for their direct marketing purposes.

11.2 Washington - My Health My Data Act (MHMDA)

Consumer Health Data Specific Requirements:

Separate Consent: We obtain separate consent for each type of health data through granular HealthKit permissions
Right to Withdraw: Easily withdraw consent through iOS Settings
No Geofencing: We do not use location-based health data collection
Health Data Policy: This comprehensive section serves as our consumer health data privacy policy
Data Deletion: Delete health data at any time through the app
No Sale of Health Data: We never sell consumer health data

Private Right of Action: Washington residents may have the right to sue for violations of the MHMDA.

11.3 Colorado Privacy Act (CPA)

Your Colorado Rights:

Right to access, correct, and delete personal data
Right to data portability
Right to opt-out of targeted advertising (not applicable - we don't advertise)
Right to opt-out of sale (not applicable - we don't sell data)
Biometric Data: Requires consent and annual review

11.4 Connecticut Data Privacy Act (CTDPA)

Your Connecticut Rights:

Similar rights to Colorado
Health Data Controller: Enhanced obligations for health data processing
Right to appeal decisions regarding your requests

11.5 Virginia Consumer Data Protection Act (VCDPA)

Virginia residents have rights to access, correct, delete, and port their data, plus the right to opt-out of targeted advertising and sale (neither of which we do).

11.6 Utah Consumer Privacy Act (UCPA)

Utah residents have similar rights to other states. Note: Utah allows opt-out for sensitive data, but we require opt-in for better protection.

11.7 Other State Rights

Residents of Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, and Texas have similar rights including access, correction, deletion, and portability of personal data.

12. EUROPEAN, UK, AND SWISS RESIDENTS - GDPR RIGHTS

12.1 Your Rights Under GDPR/UK GDPR/Swiss FADP

Right to Information (Articles 13-14): This privacy policy fulfills this right
Right of Access (Article 15): Obtain confirmation and copy of your data
Right to Rectification (Article 16): Correct inaccurate data
Right to Erasure (Article 17): "Right to be forgotten"
Right to Restrict Processing (Article 18): Limit processing in certain circumstances
Right to Data Portability (Article 20): Receive data in structured, machine-readable format
Right to Object (Article 21): Object to processing based on legitimate interests
Rights Related to Automated Decision-Making (Article 22): Not applicable - we don't use automated decision-making

12.2 Special Category Data

Health data is "special category data" under Article 9 GDPR, requiring:

Explicit consent (Article 9(2)(a))
Enhanced security measures
Data Protection Impact Assessment (completed)
Clear purpose limitation

12.3 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority:

Hungary (Lead Authority): Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Your Country: Find your authority at https://edpb.europa.eu/about-edpb/board/members_en

12.4 Data Transfers

No international data transfers occur as all data remains exclusively on your device.

13. CANADIAN RESIDENTS - PIPEDA AND LAW 25

13.1 PIPEDA Rights (Federal)

Right to know why information is collected
Right to access your personal information
Right to challenge accuracy and completeness
Right to withdraw consent (with legal consequences explained)
Right to complain to the Privacy Commissioner of Canada

13.2 Quebec Law 25 Additional Rights

Enhanced Consent: Clear, free, and informed consent required
Right to Data Portability: Receive data in structured, commonly used format
Right to De-indexation: Request removal from search engine results
Privacy by Default: Highest privacy settings are default
Age of Consent: 14 years for Quebec residents

Person in Charge of Privacy Protection (Quebec Law 25):
Barták Imre Gergő
Email: privacy@repsup.app

14. INDIAN RESIDENTS - DPDPA RIGHTS

Age Requirement: You must be 18 years or older to use RepsUp in India. We do not process personal data of individuals under 18 in compliance with the Digital Personal Data Protection Act, 2023.

14.1 Legal Basis - Consent Only

Important for Indian Users: Our SOLE legal basis for ALL personal data processing is your explicit consent, which must be:

Free (given voluntarily)
Specific (for identified purposes)
Informed (with clear information)
Unconditional (no bundled consent)
Unambiguous (clear affirmative action)

We do NOT rely on contract, legitimate interests, or any other legal basis for Indian users.

14.2 Your Rights as a Data Principal

Right to Information (Section 11): Obtain summary of personal data and processing activities
Right to Correction and Erasure (Section 12): Correct inaccurate data and request deletion
Right to Grievance Redressal (Section 13): File complaints with our Grievance Officer
Right to Nominate (Section 14): Nominate someone to exercise rights in case of death or incapacity
Right to Withdraw Consent: Withdraw consent as easily as it was given

14.3 Grievance Officer

Grievance Officer for India (DPDPA)
Name: Barták Imre Gergő
Email: privacy@repsup.app
Subject Line: "DPDPA Grievance"

Important: You must contact our Grievance Officer before approaching the Data Protection Board of India. We will acknowledge your grievance promptly and respond within the timeframe prescribed by law.

14.4 Sensitive Personal Data

Health and fitness data (heart rate, calories, workout metrics) is considered sensitive personal data under Indian law and receives enhanced protection.

15. OTHER REGIONAL PROVISIONS

15.1 Australia - Privacy Act 1988

Collection of sensitive information requires express consent
Right to access and correct personal information
Right to complain to the Office of the Australian Information Commissioner (OAIC)
Cross-border disclosure restrictions (not applicable - data stays on device)

15.2 New Zealand - Privacy Act 2020 & Health Information Privacy Code

Health Information Privacy Code 2020 applies to health data
10-year retention requirement: Health records should be kept for 10 years - users are responsible for maintaining backups if required
Right to access and correct information
Right to complain to the Privacy Commissioner

15.3 South Africa - POPIA

Special personal information requires explicit consent
Right to object to processing
Right to request correction or deletion
Data must be deleted when no longer needed
Right to complain to the Information Regulator

Information Officer (POPIA): Barták Imre Gergő - privacy@repsup.app

16. DATA PROTECTION OFFICERS AND REPRESENTATIVES

16.1 Appointed Officers

Role	Jurisdiction	Name	Contact
Data Protection Officer	EU/UK/EEA (GDPR)	Barták Imre Gergő	privacy@repsup.app (Subject: "DPO Inquiry")
Privacy Officer	Quebec (Law 25)	Barták Imre Gergő	privacy@repsup.app
Grievance Officer	India (DPDPA)	Barták Imre Gergő	privacy@repsup.app (Subject: "DPDPA Grievance")
Information Officer	South Africa (POPIA)	Barták Imre Gergő	privacy@repsup.app

16.2 EU Representative

Not required as we are established in Hungary, an EU member state.

16.3 Why We May Not Need All Officers

As a small-scale processor with all data stored on user devices, we may not meet the thresholds requiring certain officers. However, we have designated these roles to ensure compliance and provide clear points of contact.

17.1 How to Withdraw Consent

You can withdraw your consent at any time. Withdrawal is as easy as giving consent:

For Health Data (HealthKit):
- Go to Settings > Health > Data Access & Devices > RepsUp
- Toggle off specific permissions (Heart Rate, Active Energy, Workouts)
- Takes effect immediately
For All Data Processing:
- Stop using the app
- Uninstall from iPhone and Apple Watch
- All data is permanently deleted

17.2 Consequences of Withdrawal

Health tracking features will be disabled
Historical data remains on device unless you delete it
No penalty or discrimination for withdrawing consent
You can re-consent at any time to restore functionality

17.3 Partial Withdrawal

You can withdraw consent for specific data types while continuing to use other features:

Disable heart rate but keep workout tracking
Disable calorie tracking but keep exercise logging
Each permission is granular and independent

18. POLICY UPDATES

18.1 Notification of Changes

We will notify you of material changes through:

In-app notification upon next launch
App Store update description
Email notification (if you've contacted us and provided email)

18.2 Review and Acceptance

You'll have 30 days to review material changes
Continued use after notification constitutes acceptance
You can export your data and stop using the app if you disagree
Non-material updates take effect immediately

18.3 Version History

This is Version 2.1, effective September 18, 2025. Previous versions are available upon request.

19. CONTACT INFORMATION

Data Controller Contact

Barták Imre Gergő
Individual Sole Proprietor
Erdős köz 3
8256 Ábrahámhegy, Veszprém
Hungary

Email: privacy@repsup.app
Expected Response Time: 48-72 hours for acknowledgment

For Specific Inquiries:

Inquiry Type	Email Subject Line
EU/UK Data Protection	"DPO Inquiry"
India DPDPA Grievances	"DPDPA Grievance"
California CCPA/CPRA	"CCPA Request"
Washington MHMDA	"MHMDA Request"
General Privacy	"Privacy Inquiry"
Data Access Request	"Data Access Request"
Data Deletion Request	"Data Deletion Request"

PRIVACY POLICY

TABLE OF CONTENTS

1. INTRODUCTION AND DATA CONTROLLER INFORMATION

Data Controller Details:

2. WHAT INFORMATION IS PROCESSED

3. SENSITIVE HEALTH DATA AND SPECIAL CATEGORY INFORMATION

3.1 Classification by Jurisdiction

3.2 Health Data We Process

4. LEGAL BASIS FOR PROCESSING

4.1 General Principles

4.2 Legal Basis by Jurisdiction

European Union, UK, EEA, and Switzerland (GDPR/UK GDPR/FADP)

India (DPDPA 2023)

United States - Washington State (MHMDA)

United States - Other States

Canada (PIPEDA/Law 25)

5. DATA SHARING AND THIRD PARTIES

5.1 Data Movement Scenarios

5.2 What We DON'T Do

6. DATA RETENTION

6.1 General Retention Principle

6.2 Jurisdiction-Specific Requirements

6.3 Deletion Methods

7. DATA SECURITY

7.1 Technical Safeguards

7.2 Organizational Measures

8. CHILDREN'S PRIVACY

8.1 Age Verification Process

8.2 Minimum Age Requirements by Region

8.3 Verifiable Parental Consent (VPC) for Minors

8.4 Parental Rights

8.5 Special Protections for Children

9. YOUR PRIVACY RIGHTS

9.1 Universal Rights

9.2 How to Exercise Your Rights

9.3 Response Timeline

10. DATA BREACH PROCEDURES

10.1 Breach Response

10.2 Breach Notification Content

11. UNITED STATES RESIDENTS - STATE SPECIFIC RIGHTS

11.1 California - CCPA/CPRA Rights

Your California Privacy Rights:

11.2 Washington - My Health My Data Act (MHMDA)

Consumer Health Data Specific Requirements:

11.3 Colorado Privacy Act (CPA)

Your Colorado Rights:

11.4 Connecticut Data Privacy Act (CTDPA)

Your Connecticut Rights:

11.5 Virginia Consumer Data Protection Act (VCDPA)

11.6 Utah Consumer Privacy Act (UCPA)

11.7 Other State Rights

12. EUROPEAN, UK, AND SWISS RESIDENTS - GDPR RIGHTS

12.1 Your Rights Under GDPR/UK GDPR/Swiss FADP

12.2 Special Category Data

12.3 Supervisory Authority

12.4 Data Transfers

13. CANADIAN RESIDENTS - PIPEDA AND LAW 25

13.1 PIPEDA Rights (Federal)

13.2 Quebec Law 25 Additional Rights

14. INDIAN RESIDENTS - DPDPA RIGHTS

14.1 Legal Basis - Consent Only

14.2 Your Rights as a Data Principal

14.3 Grievance Officer

14.4 Sensitive Personal Data

15. OTHER REGIONAL PROVISIONS

15.1 Australia - Privacy Act 1988

15.2 New Zealand - Privacy Act 2020 & Health Information Privacy Code

15.3 South Africa - POPIA

16. DATA PROTECTION OFFICERS AND REPRESENTATIVES

16.1 Appointed Officers

16.2 EU Representative

16.3 Why We May Not Need All Officers

17. CONSENT WITHDRAWAL PROCEDURES

17.1 How to Withdraw Consent

17.2 Consequences of Withdrawal

17.3 Partial Withdrawal

18. POLICY UPDATES

18.1 Notification of Changes

18.2 Review and Acceptance

18.3 Version History