Privacy Policy

Effective from: December 25, 2025

1. Introduction

EPSoft Software, LLC and its affiliated companies ("Company," "we," "us," "our") recognize that privacy is a fundamental right. This Privacy Policy outlines our commitment to protecting personal information collected through our website (www.epsoftinc.com) and related web-based applications and services (collectively, the "Services").

This policy applies to all individuals whose personal information we collect, process, store, use, or disclose, including users of our Services, website visitors, prospective customers, employees, contractors, and other data subjects ("you" or "your").

Our Commitment to Transparency and Accountability

We are committed to operating with transparency regarding how we handle your personal information. We maintain documented processes, regular audits, and monitoring mechanisms to ensure our practices align with this policy and applicable privacy laws. Our data governance framework ensures personal information is collected, used, and protected appropriately at every stage of its lifecycle.

2. Scope and Applicability

This Privacy Policy applies to:

  • Website visitors and prospective customers accessing www.epsoftinc.com
  • Service users accessing our online applications and cloud-based services
  • Employees and contractors providing services to or on behalf of EPSoft
  • Third parties whose information we collect in connection with our business operations

Exclusions: This policy does not govern information collected by third-party websites we link to or reference. We encourage you to review the privacy practices of any third-party site before providing personal information.

3. Categories of Personal Information We Collect

We collect personal information that is necessary to provide our Services, manage customer relationships, and comply with legal obligations. The categories of personal information we collect include:

3.1 Information Provided Directly by You

  • Contact Information: Name, email address, phone number, postal address, company affiliation
  • Account Information: Login credentials, account preferences, communication preferences
  • Transactional Information: Payment details, subscription preferences, service usage data
  • Communication Data: Messages, feedback, inquiries submitted through our Services or website
  • Professional Information: Job title, organizational role, department, work history (for employment or partnership purposes)

3.2 Information Collected Automatically

  • Device and Access Information: IP address, device type, operating system, browser type, device identifier
  • Service Usage Data: Features accessed, pages viewed, content interacted with, time spent on Services, clickstream data
  • Location Information: General geographic location (derived from IP address; we do not collect precise GPS location)
  • Cookies and Similar Technologies: Information collected through cookies, web beacons, pixels, and similar tracking technologies

3.3 Information from Third Parties

  • Background Verification Data: When our Services are used for background verification purposes, information provided by third-party verification providers
  • Business Partners: Information shared by resellers, partners, or service providers about potential customers or service referrals
  • Public Sources: Publicly available information relevant to business operations or customer interactions

3.4 Sensitive Information

We do not intentionally collect sensitive personal information (such as race, ethnicity, religious beliefs, political affiliations, union membership, genetic data, or biometric data) unless explicitly required for specific Services you request and with your express written consent.

4. Legal Basis for Processing Personal Information

We collect and process personal information on the following legal bases:

4.1 Consent

We obtain explicit, informed consent before collecting and processing personal information for purposes that are not strictly necessary to provide our Services or comply with legal obligations. You have the right to withdraw consent at any time by contacting us at the email address provided in Section 15 (Contact Information).

4.2 Contractual Necessity

We process personal information necessary to establish, maintain, and fulfill agreements with you, including service delivery, account management, and billing.

4.3 Legal Obligation

We process personal information as required by applicable laws, regulations, court orders, government requests, or legal processes.

4.4 Legitimate Business Interest

We process personal information to pursue legitimate business interests, including:

  • Fraud prevention and security measures
  • Service improvement and optimization
  • Customer communications and support
  • Business analytics and reporting
  • System administration and network security

In all cases, we balance our legitimate interests against your privacy rights and expectations.

4.5 Vital Interests

We may process personal information when necessary to protect your vital interests or the vital interests of others.

5. How We Use Personal Information

We use personal information we collect for the following purposes:

5.1 Service Delivery

  • Providing, maintaining, and improving our Services
  • Creating and managing user accounts
  • Processing transactions and payments
  • Delivering customer support and technical assistance
  • Fulfilling requests for information or Services

5.2 Communication

  • Sending service-related announcements and updates
  • Responding to inquiries and support requests
  • Sending newsletters, marketing communications, and promotional materials (with consent or where permitted by law)
  • Notifying you of changes to our Services or policies

5.3 Security and Fraud Prevention

  • Detecting, preventing, and addressing fraud, security threats, and unauthorized access
  • Protecting against malicious, deceptive, or unlawful activity
  • Enforcing our Terms of Service and other agreements
  • Complying with legal obligations and court orders

5.4 Legal & Compliance

  • Complying with applicable laws, regulations, and legal processes
  • Establishing, exercising, or defending legal claims
  • Fulfilling government or regulatory requests
  • Maintaining records required by law

5.5 Business Operations and Analytics

  • Conducting data analysis, research, and analytics to improve Services
  • Generating reports on Service usage, performance, and trends
  • Understanding user preferences and behavior patterns
  • Developing new Services and features
  • Testing and troubleshooting Services

5.6 Organizational Operations

  • Managing employment relationships
  • Organizing and managing organizational communications
  • Conducting internal audits and compliance reviews
  • Managing vendor and service provider relationships

5.7 Consent-based Uses

Any other purpose for which we have obtained your express consent

We will not use personal information for purposes materially different from those disclosed in this policy without first obtaining your consent.

6. Data Minimization and Collection Practices

We adhere to the principle of data minimization—collecting only personal information that is necessary and relevant to the stated purposes.

6.1 Necessity Assessment

Before collecting personal information, we assess whether the collection is:

  • Necessary to provide the requested Service or fulfill a legal obligation
  • Proportionate to the purpose for which it will be used
  • Limited to information that directly supports the stated objective

6.2 Collection Methods and Standards

  • We collect information through direct interaction with you (e.g., form submissions, account registration)
  • We collect information automatically through standard technologies where necessary for Service operation
  • We verify the accuracy of information collected from third parties
  • We do not collect information through deceptive or unlawful means

6.3 Limiting Access and Use

  • Access to personal information is restricted to employees, contractors, and service providers with a documented business need
  • We implement granular access controls and role-based permissions
  • Staff members receive training on proper data handling and privacy obligations
  • We maintain logs of who accesses personal information and when

7. Sharing and Disclosure of Personal Information

We maintain strict controls over the disclosure of personal information. We only share personal information with third parties in the following circumstances:

7.1 Service Providers and Vendors

We share personal information with third-party service providers who perform services on our behalf, such as:

  • Cloud hosting and infrastructure providers
  • Payment processors and financial institutions
  • Email and communication service providers
  • Customer support platforms
  • Analytics and reporting services
  • Security and compliance service providers

All service provider agreements include:

  • Written commitments to maintain confidentiality
  • Requirements to implement appropriate security measures
  • Restrictions on use of personal information
  • Data protection and processing terms consistent with this policy
  • Audit and compliance verification rights
  • Liability and indemnification provisions

7.2 Business Partners and Resellers

We may share limited personal information with authorized business partners and resellers for purposes of:

  • Service delivery and customer support
  • Coordinated marketing initiatives (with consent)
  • Joint service offerings

All partners are bound by written agreements requiring equivalent privacy and security protections.

7.3 Legal Requirements and Compliance

We may disclose personal information when required by law, including:

  • Court orders, subpoenas, or legal processes
  • Government and regulatory agency requests
  • Investigation of violations of our Terms of Service
  • Protection of our legal rights or the rights of others
  • Prevention of fraud or security threats

Notice of Legal Requests: Where permitted by law, we will provide prompt written notice to affected individuals before disclosing personal information in response to legal processes, unless legally prohibited from doing so.

7.4 Business Transitions

If EPSoft undergoes a merger, acquisition, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice and, where required by law, obtain consent before such transfer.

7.5 Aggregate and De-identified Information

We may share aggregate, anonymized, or de-identified information that cannot be linked back to you with third parties for research, marketing, analytics, and other purposes without restriction.

7.6 Prohibited Disclosures

We do not:

  • Sell personal information to third parties for their independent commercial use
  • Share personal information for purposes materially different from those disclosed in this policy without consent
  • Disclose sensitive personal information without explicit consent

8. International Data Transfers

EPSoft operates globally and transfers personal information across borders to provide Services and conduct business operations.

8.1 Transfer Mechanisms

We transfer personal information internationally using:

  • Adequacy determinations and legal mechanisms recognized by applicable data protection laws
  • Standard contractual clauses (SCCs) approved by relevant regulatory authorities
  • Binding corporate rules and inter-company agreements
  • Your explicit consent

8.2 Data Protection Standards

We ensure that personal information transferred internationally receives equivalent protection to that provided in the country where it originated.

8.3 Safeguards for Transfers from the EU/EEA

For data subjects in the European Union, European Economic Area, and Switzerland, we comply with additional requirements for international transfers, including compliance with GDPR Chapter V requirements.

9. Data Retention and Disposal

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

9.1 Retention Periods

Service-Related Information:

  • Active user account information is retained while the account is active
  • Information necessary to deliver Services is retained for the duration of the service relationship
  • Transaction records are retained for periods required by law (typically 7 years)

Communication and Support Records:

  • Email correspondence and support tickets are retained for 3 years after resolution
  • Marketing communications data is retained for the duration of consent

Security and Audit Logs:

  • System access logs and security event records are retained for 2 years
  • Incident response and breach documentation is retained for 7 years

Legal and Compliance:

  • Information subject to legal holds or regulatory requirements is retained for periods specified by law
  • Employment and contractor records are retained per legal requirements (typically 3-7 years)

Aggregate and De-identified Data:

  • Aggregate and de-identified data that cannot be linked to individuals may be retained indefinitely

9.2 Retention Schedule

We maintain a documented data retention schedule that specifies:

  • Categories of personal information and retention periods
  • Legal basis for each retention period
  • Responsible parties for each data category
  • Review intervals and update procedures

9.3 Secure Disposal Procedures

When personal information is no longer needed, we securely dispose of it using methods appropriate to the sensitivity of the data, including:

  • Secure deletion and formatting of electronic data
  • Physical destruction of paper records
  • Certified data destruction services
  • Cryptographic erasure methods

9.4 Verification of Disposal

We maintain documentation verifying disposal of personal information, including:

  • Certificates of destruction from third parties
  • System logs confirming deletion
  • Audit records of disposal activities

9.5 Exceptions to Standard Retention

Personal information may be retained beyond standard retention periods when:

  • Required by law or court order
  • Subject to legal holds in connection with litigation
  • Necessary to protect against fraud or security threats
  • You explicitly request extended retention

10. User Rights and Individual Rights Management

We recognize that you have rights regarding your personal information. We provide mechanisms to exercise these rights and respond to requests in a timely manner.

10.1 Right of Access

You have the right to request access to personal information we hold about you. Upon request, we will provide:

  • Confirmation of whether we are processing your personal information
  • A copy of the personal information we hold about you
  • Information about how we use and protect your information
  • Information about recipients of your information

How to Request: Email your request to hello@epsoftinc.com with "Data Access Request" in the subject line. We will respond within 30 days of receiving a verifiable request.

10.2 Right to Correction and Rectification

You have the right to request correction of inaccurate or incomplete personal information. We will:

  • Update inaccurate information in our systems
  • Notify relevant third parties of corrections (where practicable)
  • Maintain a record of the correction
  • Provide confirmation of updates

How to Request: Contact us at hello@epsoftinc.com with details of the information you believe is inaccurate.

10.3 Right to Deletion ("Right to Be Forgotten")

You have the right to request deletion of your personal information, subject to certain exceptions. We will delete personal information when:

  • It is no longer necessary for the purposes for which it was collected
  • You withdraw consent on which processing was based
  • You object to processing and we have no legal basis to continue
  • The information was unlawfully processed

Exceptions: We may retain personal information when required by law, necessary for legal compliance, or necessary to establish or defend legal claims.

How to Request: Email hello@epsoftinc.com with "Data Deletion Request" in the subject line. We will respond within 30 days and complete deletions within 90 days unless exceptions apply.

10.4 Right to Restrict Processing

You have the right to restrict our processing of your personal information when:

  • You contest the accuracy of the information
  • Processing is unlawful and you object to deletion
  • We no longer need the information but you require it for legal purposes
  • You have objected to processing and we are determining our legal basis

How to Request: Contact us at hello@epsoftinc.com requesting processing restrictions. We will implement restrictions within 30 days.

10.5 Right to Data Portability

You have the right to obtain a copy of personal information we hold about you in a structured, commonly used, machine-readable format and to transmit it to another controller. This right applies when:

  • Processing is based on consent or contract
  • Processing is carried out by automated means
  • You wish to transmit the data to another service provider

How to Request: Email hello@epsoftinc.com with "Data Portability Request" in the subject line. We will provide data in CSV, JSON, or other agreed format within 30 days.

10.6 Right to Object

You have the right to object to our processing of your personal information when:

  • Processing is based on legitimate interests
  • We process information for marketing purposes
  • We process information for other consent-based purposes

How to Request: Contact us at hello@epsoftinc.com with details of your objection. We will cease processing within 30 days unless we have compelling legal reasons to continue.

10.7 Right to Withdraw Consent

You have the right to withdraw consent you have provided at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

How to Request: Email hello@epsoftinc.com stating "Withdraw Consent" and specifying which processing activities you object to. We will confirm receipt and implement changes within 10 business days.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a relevant data protection authority if you believe we have violated your privacy rights.

10.9 Verification of Requests

We will verify your identity before processing requests using methods appropriate to the sensitivity of the information requested. Verification may include:

  • Matching personal information on file
  • Request for government-issued identification
  • Account login verification
  • Other reasonable authentication methods

10.10 Response Timeline and Procedure

We are committed to responding to all requests within the following timelines:

  • Requests for access, deletion, or portability: 30 days
  • Requests for correction: 20 days
  • Requests to restrict processing: 30 days
  • Requests to object: 30 days
  • Withdrawal of consent: 10 business days

We will provide clear communication about actions taken in response to your request. If we cannot fully comply, we will explain the reasons and inform you of any applicable exceptions.

11. Children's Privacy

Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

11.1 Parental Consent for Minors

If a minor (defined as under 18 in applicable jurisdictions) uses our Services, a parent or legal guardian must review and complete the account registration process on the minor's behalf.

11.2 Removal of Children's Information

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take prompt action to:

  • Delete such information from our systems
  • Notify the parent or guardian
  • Cease further collection of information from that individual

To Report: If you believe we have collected information from a child under 18, please contact us immediately at hello@epsoftinc.com.

12. Security and Data Protection Measures

We implement comprehensive security measures to protect personal information from unauthorized access, disclosure, alteration, and destruction.

12.1 Encryption and Data Protection

Data in Transit:

  • We use industry-standard encryption protocols (TLS 1.2 or higher) for all data transmitted between your devices and our servers
  • Secure authentication mechanisms are employed for all transmissions containing sensitive information

Data at Rest:

  • Personal information stored in our systems is encrypted using AES-256 or equivalent standards
  • Encryption keys are managed using secure key management practices
  • Database encryption is implemented at the application and storage layers

12.2 Access Controls

  • Authentication: Multi-factor authentication is required for administrative and privileged access
  • Authorization: Role-based access control (RBAC) limits access to personal information on a need-to-know basis
  • Granular Permissions: Access is restricted at the data, system, and feature level
  • Monitoring: All access to sensitive personal information is logged and monitored for suspicious activity

12.3 Network Security

  • Firewalls: Network firewalls protect against unauthorized access to our systems
  • Intrusion Detection: We deploy intrusion detection and prevention systems (IDS/IPS)
  • Network Segmentation: Sensitive systems are isolated from less critical infrastructure
  • VPNs and Secure Connections: Remote access is secured using VPN and encrypted channels

12.4 Personnel Security

  • Background Verification: All personnel with access to personal information undergo background verification
  • Confidentiality Obligations: All employees and contractors sign confidentiality and data protection agreements
  • Training: Regular training is provided on data protection, privacy, and information security
  • Access Revocation: Access is promptly revoked upon termination of employment

12.5 Vulnerability and Threat Management

  • Patch Management: Security patches are deployed promptly to address vulnerabilities
  • Penetration Testing: We conduct regular penetration testing to identify security gaps
  • Vulnerability Scanning: Automated and manual vulnerability assessments are performed
  • Threat Monitoring: Security monitoring systems detect and alert on potential threats in real time
  • Security Incident Response: A documented incident response plan is activated upon discovery of security incidents

12.6 Availability and Business Continuity

  • System Redundancy: Critical systems have failover and redundancy mechanisms
  • Backups: Regular backups of personal information are maintained in secure, geographically dispersed locations
  • Recovery Time Objectives (RTO): Recovery time objectives are defined and tested
  • Disaster Recovery: A documented disaster recovery plan is tested regularly
  • Service Level Agreements (SLAs): We maintain uptime commitments documented in our SLAs

12.7 Data Integrity and Accuracy

  • Input Validation: Systems validate data input to prevent injection attacks and ensure data quality
  • Error Detection: Checksums and integrity checks detect unauthorized data modifications
  • Audit Trails: Comprehensive audit logs track all changes to personal information
  • Change Management: All changes to systems processing personal information follow documented change management procedures
  • Data Quality Reviews: Periodic data quality audits verify accuracy and completeness

12.8 Monitoring and Logging

  • Activity Logging: All access, modifications, and deletions of personal information are logged
  • Log Retention: Security logs are retained for a minimum of 2 years
  • Real-Time Monitoring: Security events are monitored in real time and escalated
  • Log Protection: Logs are protected from unauthorized modification or deletion
  • Review and Analysis: Logs are regularly reviewed for security incidents and policy violations

13. Privacy Incident Response and Breach Notification

We maintain a documented incident response plan to identify, investigate, contain, and remediate privacy breaches and security incidents.

13.1 Incident Response Procedures

Upon discovery of a suspected privacy incident or security breach, we will:

Immediate Actions (within 24 hours):

  • Activate the incident response team
  • Isolate affected systems to prevent further unauthorized access
  • Preserve evidence for investigation
  • Document the discovery and initial assessment

Investigation (within 72 hours):

  • Investigate the scope and nature of the breach
  • Identify affected individuals and personal information
  • Determine the cause and timeline of the incident
  • Assess the risk of harm to individuals

Notification (within applicable regulatory timelines):

  • Notify affected individuals if there is a reasonable belief that breach notification is required
  • Notify relevant regulatory authorities as required by law
  • Provide notification to business partners and service providers where necessary
  • Document all notifications and responses

Remediation and Prevention:

  • Implement measures to contain the incident and prevent recurrence
  • Notify individuals of steps we are taking to address the incident
  • Enhance security controls to address vulnerabilities exposed by the incident
  • Conduct post-incident review to identify lessons learned

13.2 Breach Notification Content

Notifications to affected individuals will include:

  • Description of the personal information involved
  • General description of what occurred
  • Steps affected individuals should take to protect themselves
  • Summary of steps we are taking to respond to the incident
  • Contact information for questions or additional information
  • Information about available credit monitoring or fraud protection services, if applicable

13.3 Notification Timelines

We will notify affected individuals without unreasonable delay and comply with applicable regulatory timelines, which typically require notification:

  • Within 30 days of becoming aware of a breach (European Union)
  • Without unreasonable delay following discovery (CCPA/CPRA)
  • Without unreasonable delay (most U.S. states)
  • As expeditiously as possible without further compromising the integrity of the investigation (GDPR)

13.4 Regulatory Notifications

We will notify relevant regulatory authorities, data protection authorities, and government agencies as required by applicable laws, including:

  • Data protection authorities in affected jurisdictions
  • Law enforcement agencies where appropriate
  • Industry regulators and government agencies with jurisdiction

13.5 Incident Documentation

We maintain comprehensive documentation of all security incidents and breaches, including:

  • Incident discovery date and time
  • Description of personal information involved
  • Scope of affected individuals
  • Cause of the incident
  • Timeline of discovery and response actions
  • Notification records and responses
  • Remediation measures implemented
  • Lessons learned and preventive measures

14. Cookies, Tracking Technologies, and Analytics

We use cookies and similar tracking technologies to enhance your experience, improve our Services, and conduct analytics.

14.1 Types of Cookies

Essential Cookies:

  • Required for basic Service functionality (e.g., authentication, security)
  • Cannot be disabled without impairing Service functionality

Performance and Analytics Cookies:

  • Measure how you interact with our Services
  • Analyze usage patterns and performance metrics
  • Help us understand which features are most valuable

Marketing and Preference Cookies:

  • Remember your preferences and settings
  • Support personalized content and recommendations
  • Enable retargeting for marketing purposes

14.2 Cookie Management and Consent

  • Consent: We obtain consent before placing non-essential cookies on your device
  • Browser Controls: You may disable cookies through your browser settings; however, this may limit functionality
  • Opt-Out: We provide mechanisms to opt out of analytics and marketing cookies
  • Third-Party Cookies: Third-party partners may set cookies on our Services subject to their privacy policies

14.3 Tracking Technologies

We use the following tracking technologies:

  • Cookies: Text files stored on your device
  • Web Beacons: Transparent images used to track page views
  • Pixels: Similar to web beacons, used for analytics
  • Local Storage: Browser-based storage mechanisms

14.4 Analytics and Reporting

We use analytics services to understand user behavior and improve our Services. These services may collect:

  • Pages visited and duration
  • Links clicked
  • Referral sources
  • Device and browser information
  • Geographic location (general)

Analytics are performed in compliance with privacy and data protection requirements.

14.5 Do Not Track Signals

Some browsers include "Do Not Track" functionality. We currently do not change our data collection practices based on Do Not Track signals; however, you may manage cookie preferences through your browser settings.

15. Policy Updates and Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

15.1 Notification of Changes

When we make material changes to this Privacy Policy, we will:

  • Update the "Last Updated" date at the top of this policy
  • Post the updated policy on our website
  • Send email notification to registered users (for material changes)
  • Display a prominent notice on our website

15.2 Effective Date of Changes

Changes to this Privacy Policy are effective upon posting unless otherwise specified. Your continued use of our Services after changes are posted constitutes acceptance of the updated policy.

15.3 Minor vs. Material Changes

  • Minor Changes: Clarifications, formatting corrections, and non-substantive updates take effect immediately
  • Material Changes: Changes that materially affect privacy rights or data practices are provided with 30 days' notice

15.4 Right to Object to Changes

If you do not accept changes to this Privacy Policy, you may cease use of our Services and request deletion of your personal information per Section 10.3.

16. Third-Party Links and Services

Our website and Services may contain links to third-party websites, applications, and services that are not operated by EPSoft.

16.1 Third-Party Privacy Policies

  • We are not responsible for the privacy practices of third-party sites
  • We encourage you to review the privacy policies of any third-party site before providing personal information
  • Third-party privacy policies are separate from this policy

16.2 Third-Party Service Providers

When we integrate third-party services (e.g., payment processors, analytics providers), we:

  • Ensure they maintain equivalent privacy and security standards
  • Execute data processing agreements outlining privacy obligations
  • Verify compliance with applicable laws
  • Limit data sharing to necessary information only

16.3 Your Privacy on Third-Party Sites

We have no control over third-party sites and are not responsible for:

  • Collection or use of information by third parties
  • Security of information on third-party sites
  • Compliance with privacy laws by third parties

17. Consent Management and Communication Preferences

We provide mechanisms for you to manage your privacy preferences and communication choices.

17.1 Marketing Communications

You have the right to opt out of marketing communications, including:

  • Promotional emails
  • Newsletters
  • Product announcements
  • Special offers and discounts

How to Opt Out:

  • Click the "Unsubscribe" link in marketing emails
  • Contact us at hello@epsoftinc.com with "Opt-Out" in the subject line
  • Adjust communication preferences in your account settings

17.2 Consent Preferences

You may manage your consent preferences by:

  • Visiting your account settings
  • Contacting us at hello@epsoftinc.com with "Manage Preferences" in the subject line
  • Responding to consent requests in email communications

17.3 Transactional Communications

Transactional communications regarding your account, services, and legal obligations are not optional, and you cannot opt out of them entirely. However, you may manage:

  • Frequency of communications
  • Delivery method (email, SMS, phone)
  • Communication channels

18. Service Provider and Vendor Management

We maintain strict requirements for all service providers and vendors that access personal information.

18.1 Vendor Selection and Evaluation

Before engaging any service provider, we:

  • Conduct due diligence on their privacy and security practices
  • Assess their compliance with applicable laws
  • Evaluate their financial stability and security posture
  • Review customer references and audit reports (where available)
  • Require proof of security certifications and compliance frameworks

18.2 Data Processing Agreements

All service providers who process personal information execute written data processing agreements that:

  • Define the scope and purpose of processing
  • Establish data protection requirements (encryption, access controls, etc.)
  • Require sub-processor notification and management
  • Mandate confidentiality and non-disclosure commitments
  • Specify handling of requests from individuals (access, deletion, etc.)
  • Outline breach notification and incident response procedures
  • Include audit rights and compliance verification
  • Address termination and return/deletion of data

18.3 Service Provider Monitoring

We:

  • Conduct annual compliance reviews of service providers
  • Perform on-site audits or request audit reports (SOC 2, ISO 27001, etc.)
  • Monitor compliance with contractual data protection requirements
  • Maintain a registry of all service providers and sub-processors
  • Require prompt notification of any security incidents or breaches

18.4 Sub-processor Management

Service providers may engage sub-processors only with:

  • Our prior written approval
  • Execution of equivalent data protection agreements
  • Notification to affected individuals (where required)
  • Documentation of all sub-processor relationships

18.5 Termination and Data Handling

Upon termination of a service provider relationship, we require:

  • Return or certified destruction of personal information
  • Certification of deletion or return
  • Continued compliance with confidentiality obligations for a defined period
  • Remediation of any breaches or non-compliance

19. Compliance with Laws and Regulations

We comply with applicable privacy and data protection laws in all jurisdictions where we operate.

19.1 Jurisdiction-Specific Compliance

We comply with privacy laws applicable to our operations, including:

  • GDPR (EU): General Data Protection Regulation for European Union and EEA residents
  • CCPA/CPRA (California, USA): California Consumer Privacy Act and California Privacy Rights Act
  • PIPEDA (Canada): Personal Information Protection and Electronic Documents Act
  • Other U.S. State Laws: State-specific privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and others)
  • International Laws: Data protection laws in jurisdictions where we operate

19.2 Legal Requests and Compliance

We comply with valid legal requests from authorized government agencies, including:

  • Court orders and subpoenas
  • Regulatory investigations
  • Law enforcement requests
  • National security letters (where legally permitted)

Where permitted by law, we will provide notice to affected individuals before responding to legal requests.

19.3 Data Protection Officer

We maintain a data protection compliance function responsible for:

  • Monitoring compliance with this policy and applicable laws
  • Responding to individual rights requests
  • Investigating privacy complaints
  • Coordinating with regulators
  • Overseeing vendor and third-party compliance

20. Contact Information and Dispute Resolution

20.1 Questions and Requests

For questions about this Privacy Policy, requests to exercise your rights, or privacy concerns, contact us at:

Email: hello@epsoftinc.com

Telephone: 844-437-7638

Mailing Address:

EPSoft
Headquarters, USA
1303 W Walnut Hill, Suite 260, Irving, TX 75038

Data Protection Compliance:

Email: hello@epsoftinc.com

20.2 Response Timeline

We will acknowledge receipt of your inquiry within 5 business days and provide a substantive response within 30 days, or within applicable legal timelines.

20.3 Dispute Resolution Process

If you believe we have violated your privacy rights or this policy:

  • Contact Us: Send a detailed written complaint to hello@epsoftinc.com
  • Internal Review: Our privacy team will review your complaint and respond within 30 days
  • Escalation: If unresolved, the matter may be escalated to senior management
  • Alternative Dispute Resolution: We may offer mediation or other alternative dispute resolution mechanisms
  • Regulatory Complaint: You have the right to lodge a complaint with relevant data protection authorities

20.4 Data Protection Authority Contact

For EU/EEA Residents: You have the right to lodge a complaint with your national data protection authority:

List of EU Data Protection Authorities: https://edpb.ec.europa.eu/about-edpb/members_en

For CCPA/CPRA (California): You may contact the California Attorney General's office.

21. Additional Information

21.1 Data Retention Summary

A summary of retention periods for personal information is provided in Section 9.1. Detailed retention schedules are maintained internally and are available upon request where permitted by law.

21.2 Policy Interpretation

This Privacy Policy is intended to comply with applicable privacy and data protection laws. In the event of any inconsistency between this policy and applicable law, the applicable law shall govern.

21.3 Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.

21.4 Entire Agreement

This Privacy Policy, together with our Terms of Service and any applicable service agreements, constitutes the entire agreement regarding privacy and data protection between you and EPSoft Software, LLC.

22. Acknowledgment and Acceptance

By accessing or using EPSoft Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.

© 2026 EPSoft Software, LLC. All rights reserved.
