# SEC-POL-012: Privacy Policy

**Effective Date:** 2025-06-01
**Revision:** 1.1
**Owner:** Legal Department

## 1. Purpose and Scope

This policy outlines our commitment to protecting the privacy of personal data related to our customers, employees, and other individuals. This policy applies to all processing of personal data by Innovate Inc. and is designed to comply with GDPR, CCPA, and other applicable privacy laws.

## 2. Principles of Data Privacy

We adhere to the following principles:

- **Lawfulness, Fairness, and Transparency:** We process personal data lawfully, fairly, and in a transparent manner.
- **Purpose Limitation:** We collect personal data for specified, explicit, and legitimate purposes.
- **Data Minimization:** We only collect and process personal data that is adequate, relevant, and necessary.
- **Accuracy:** We take reasonable steps to ensure that personal data is accurate and kept up to date.
- **Storage Limitation:** We keep personal data for no longer than is necessary for the purposes for which it is processed.
- **Integrity and Confidentiality:** We use appropriate technical and organizational measures to ensure the security of personal data.

## 3. Data Collection and Use

- **Customer Data:** We collect customer data to provide our services, process payments, and for marketing purposes. We will always obtain explicit consent for marketing communications.
- **Employee Data:** We collect employee data for HR, payroll, and benefits administration.
- **Consent:** Where consent is the legal basis for processing, it will be freely given, specific, informed, and unambiguous.

## 4. Data Subject Rights

Under applicable privacy laws, individuals have certain rights regarding their personal data, including:

- **Right to Access:** The right to obtain a copy of their personal data.
- **Right to Rectification:** The right to have inaccurate personal data corrected.
- **Right to Erasure (Right to be Forgotten):** The right to have their personal data deleted.
- **Right to Restrict Processing:** The right to limit the processing of their personal data.
- **Right to Data Portability:** The right to receive their data in a machine-readable format.
  To exercise these rights, individuals can contact our Data Protection Officer at `dpo@innovateinc.com`.

## 5. Data Sharing and Transfers

- **Third Parties:** We do not sell personal data. Data may be shared with trusted third-party service providers (sub-processors) only as necessary and under strict data processing agreements.
- **International Transfers:** We will ensure that appropriate safeguards are in place before transferring personal data outside of its country of origin.

## 6. Data Retention

- Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law or regulation.
- A detailed data retention schedule is maintained by the Legal department.

## 7. Data Breach Notification

- In the event of a data breach that poses a significant risk to individuals, we will notify the affected individuals and the relevant regulatory authorities within 72 hours of discovery, in accordance with our **Information Security Policy (SEC-POL-011)**.

## 8. Related Policies

- **Information Security Policy (SEC-POL-011)**
- **Code of Business Conduct (SEC-POL-013)**

## 9. Revision History

- **v1.1 (2025-10-12):** Added data privacy principles and data subject rights.
- **v1.0 (2025-06-01):** Initial version.