01
Information We Collect
We collect information you provide directly, information generated automatically when you use our services, and information we receive from third parties.
Information You Provide Directly
- Contact and account information — name, email address, phone number, job title, company name, and mailing address when you fill out forms, create an account, or contact us.
- Service-related information — technical details, system configurations, network diagrams, and business process information you share with us during onboarding or support engagements.
- Payment information — billing address and payment method details, processed through our PCI-DSS-compliant payment processor. We do not store full card numbers.
- Communications — messages, emails, support tickets, and survey responses you send us.
Information Collected Automatically
- Usage data — pages visited, features used, time spent, and navigation paths on our website and platforms.
- Device and log data — IP address, browser type and version, operating system, referring URLs, and timestamps.
- Cookies and similar technologies — see Section 8 for details.
Information from Third Parties
- Business contact information from public directories and professional networks for outreach purposes.
- Identity and authentication data from SSO providers (e.g., Microsoft Azure AD, Google Workspace) when you log in via those services.
- Fraud and security signals from our infrastructure and security partners.
02
How We Use Information
We use the information we collect for the following purposes:
- Delivering services — provisioning, managing, and supporting the IT services, cloud environments, EDI platforms, and software solutions you have engaged us to provide.
- Communications — responding to inquiries, sending service notifications, scheduling consultations, and providing technical support.
- Billing and contracts — processing payments, issuing invoices, and maintaining contract records.
- Security and compliance — monitoring for threats, auditing access, maintaining regulatory compliance (HIPAA, FDA 21 CFR Part 11, EDI X12 standards), and investigating incidents.
- Service improvement — analyzing usage patterns to improve reliability, performance, and feature development.
- Marketing — sending information about our services, industry insights, and events where you have consented or where permitted by applicable law. You may opt out at any time.
- Legal obligations — complying with applicable laws, regulations, court orders, or government requests.
03
Legal Basis for Processing
Where applicable law requires a legal basis for processing personal data (e.g., GDPR for EU/UK residents), we rely on the following:
- Contract performance — processing necessary to deliver the services you have contracted with us.
- Legitimate interests — operating and improving our business, preventing fraud and abuse, and marketing to existing clients, balanced against your privacy rights.
- Legal obligation — compliance with applicable laws and regulations.
- Consent — where we have obtained your explicit consent (e.g., marketing emails). You may withdraw consent at any time without affecting the lawfulness of prior processing.
04
Information Sharing
We do not sell your personal information. We may share it in the following circumstances:
Service Providers
We engage vetted third-party vendors who process data on our behalf under strict confidentiality agreements. These include cloud infrastructure providers (AWS, Microsoft Azure, Google Cloud), payment processors, CRM and support platforms, and security monitoring tools.
Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected individuals as required by law.
Legal and Regulatory Disclosures
We may disclose information to government authorities, regulators, or law enforcement when required by law, to protect the safety of any person, or to enforce our agreements.
With Your Consent
We will share information with third parties when you have explicitly authorized us to do so.
05
HIPAA & Protected Health Information (PHI)
Constant Tech Systems provides services to covered entities and business associates operating under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Where our services involve access to, transmission of, or processing of Protected Health Information (PHI), we operate as a Business Associate as defined under HIPAA.
HIPAA Business Associate Obligations
We will not use or disclose PHI other than as permitted or required by our Business Associate Agreement (BAA) and applicable law. We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subparts A and C) to protect the confidentiality, integrity, and availability of electronic PHI (ePHI).
EDI & HIPAA Transaction Standards
Our EDI platform processes HIPAA-standard electronic transactions including, but not limited to: 270/271 (Eligibility), 276/277 (Claims Status), 278 (Authorization), 835 (Remittance), and 837 (Claims). All transactions are encrypted in transit and at rest. Audit logs are maintained in accordance with HIPAA requirements.
Breach Notification
In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and within the timeframes required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
FDA-Regulated Software
For clients subject to FDA regulatory requirements (including 510(k) submissions and Quality System Regulation under 21 CFR Part 820), we maintain validated software development lifecycle (SDLC) processes, document control procedures, and audit trails consistent with FDA guidance on software as a medical device (SaMD) and computerized systems used in clinical investigations (21 CFR Part 11).
06
Data Security
We implement a layered security program designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our measures include:
- Encryption of data in transit using TLS 1.2 or higher; encryption at rest using AES-256.
- Role-based access controls (RBAC) and multi-factor authentication (MFA) for all internal systems.
- Continuous intrusion detection, vulnerability scanning, and penetration testing.
- Security awareness training for all employees with access to client data.
- Incident response procedures with defined escalation paths and notification timelines.
- Physical access controls for any on-premises systems and data centers.
While we take reasonable and industry-standard precautions, no method of transmission or storage is 100% secure. If you believe your information has been compromised, contact us immediately at security@constanttechsystems.com.
07
Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this policy, satisfy legal and contractual obligations, resolve disputes, and enforce our agreements. Specific retention periods are:
- Client service records — retained for the duration of the engagement plus seven (7) years, or longer if required by applicable law (e.g., HIPAA requires a minimum of six years for PHI-related documentation).
- Financial and billing records — retained for seven (7) years in accordance with tax and accounting regulations.
- Marketing contact data — retained until you opt out or request deletion, subject to legal hold requirements.
- Website analytics — aggregated data may be retained indefinitely; identifiable log data is deleted after 24 months.
When data is no longer needed, we securely delete or anonymize it using methods appropriate to the data sensitivity and media type.
08
Cookies & Tracking Technologies
Our website uses cookies and similar technologies to operate core functions, analyze traffic, and improve your experience.
Types of Cookies We Use
- Strictly necessary — required for the website to function (e.g., session management, security tokens). Cannot be disabled.
- Analytics — help us understand how visitors use the site (e.g., Google Analytics). Collected data is anonymized where possible.
- Preferences — remember your settings (e.g., language, region).
- Marketing — used to deliver relevant content and measure campaign effectiveness. Only set with your consent.
Managing Cookies
You can control cookies through your browser settings or our cookie consent banner. Disabling non-essential cookies may affect certain features of the website. To opt out of Google Analytics, visit tools.google.com/dlpage/gaoptout.
09
Third-Party Links
Our website and services may contain links to third-party websites, portals, or applications. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you access through our platforms. We are not responsible for the privacy practices or content of external sites.
10
Children's Privacy
Our services are designed for and directed to businesses and professionals. We do not knowingly collect personal information from individuals under the age of 16. If we learn that we have inadvertently collected information from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@constanttechsystems.com.
11
Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
- Access — request a copy of the personal data we hold about you.
- Correction — request that we correct inaccurate or incomplete data.
- Deletion — request that we delete your personal data, subject to legal retention obligations.
- Restriction — request that we limit how we process your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format where technically feasible.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Opt-out of marketing — unsubscribe from marketing communications at any time via the unsubscribe link in our emails or by contacting us directly.
To exercise your rights, submit a request to privacy@constanttechsystems.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing requests. We will not discriminate against you for exercising your privacy rights.
California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights, including the right to know what categories of personal information we have collected and shared, the right to opt out of the "sale" or "sharing" of personal information (we do not sell or share your data as defined by the CCPA/CPRA), and the right to limit the use of sensitive personal information.
12
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Provide notice via email (for registered users or clients) or a prominent website notice, at least 30 days before the changes take effect where required by law.
Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically.
13
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:
Constant Tech Systems, LLC
Privacy & Compliance Team
Email: privacy@constanttechsystems.com
Security concerns: security@constanttechsystems.com
Phone: (800) 555-0100
Mailing Address:
1234 Innovation Drive, Suite 200
Austin, TX 78701
For HIPAA-related inquiries or to report a potential breach, contact our Privacy Officer directly at hipaa@constanttechsystems.com.