Privacy Notice – NonHR Data

I. DATA PRIVACY FRAMEWORK POLICY

Purpose

Elevate Services, Inc. (“Elevate”) and ElevateNext US, LLC comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Elevate and ElevateNext US LLC have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Elevate and ElevateNext US LLC hve certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

This Policy is separate from the Privacy Statement applicable to users of Elevate’s website and privacy policies governing human resources data of Elevate’s Associates. For human resource data transferred from the EU, UK, and Switzerland in the context of the employment relationship, Elevate commits to cooperate with the EU data protection authorities (“DPAs”), the UK Information Commissioner’s Office (“ICO”), and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).

Policy

1. Collection of Personal and Sensitive Data
   Elevate provides services to corporate legal departments and law firms globally. These services include, but are not limited to, litigation support services, including data processing, document review and production, medical bill review, legal process services, business administration services, information technology services, and consulting services. While providing services to its customers, Elevate may, directly or through an Elevate Affiliate, receive or collect Personal Data or Sensitive Information from its customers. This data may be disclosed to third-party service providers to assist Elevate in providing services to Elevate’s customers. Human resource data may be disclosed to third-party service providers to assist with background checks, payroll, and other human resources activities.
2. Use of Personal and Sensitive Data
   Elevate will only access or use Personal Data or Sensitive Information while performing services requested by its customers under its contractual obligations.
3. Onward Transfer/Potential Liability for Acts of Third-Party
   Elevate is a B2B company and does not disclose Personal Data or Sensitive Information to third parties unless done under the direction and consent of its customers. Elevate’s accountability for data received under the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF and subsequent transfer of that data to third parties is detailed in the DPF Principles. In cases of onward transfer to third parties of data of EU individuals received under the EU-U.S. DPF, UK individuals received under the UK Extension, and Swiss individuals received under the Swiss-U.S. DPF, Elevate is potentially liable. In particular, Elevate remains responsible and liable under the DPF Principles if third-party agents that it engages to process Personal Data or Sensitive Information on its behalf do so in a manner inconsistent with the DPF Principles unless Elevate proves that it is not responsible for the event giving rise to the damage.
4. Access
   EU, UK, and Swiss individuals have the right to access Personal Information or Sensitive Information about them, and the choice to limit the use and disclosure of their Personal or Sensitive Data. If you wish to request access to your Personal or Sensitive Data for such purposes, please contact our privacy team at dpo@elevate.lawor send a written request to the contact information in the “Recourse Mechanism” section.
   If your Personal Information or Sensitive Information changes or you change your preference for receiving information from us, send us a request specifying your updated information or your new choice. Send such requests to dpo@elevate.law or mail with the contact information in the “Recourse Mechanism” section.
5. Choice
   If Personal Data covered by this Privacy Policy is to be used for a new purpose that is materially different for which the personal data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party in a manner not specified in the Policy, Elevate will provide you with an opportunity to choose whether to have your personal data to be used or disclosed. Requests to opt-out of such uses or disclosures of personal data should be sent to us as specified in the “Recourse Mechanism” section.
   Certain Personal Data, such as information about medical health conditions, racial or ethnic origin, political opinions, religious, or philosophical beliefs, is considered “Sensitive Personal Information.” Elevate will not use Sensitive Personal Information for a purpose different from the purpose for which it was originally collected or subsequently authorized by the individual unless Elevate has received your affirmative and explicit consent (i.e. opt-in).
6. Safeguards
   Elevate, its Affiliates, and its third-party contractors maintain physical, electronic, and procedural safeguards designed to secure Personal and Sensitive Data and to prevent against the unauthorized or unlawful destruction, loss, alteration, or disclosure of the same. Elevate, its Affiliates, and its third-party contractors perform their own assessments of their compliance with this Privacy Policy and all applicable laws and regulations.
7. Recourse Mechanism
   In compliance with the DPF Principles, Elevate commits to resolving complaints about your privacy and our collection or use of your Personal Information or Sensitive Information. European Union, UK, and Swiss individuals with inquiries or complaints regarding this privacy policy should first contact Elevate using the following information:

   Elevate Services, Inc.
   Attn: General Counsel
   2375 E. Camelback Rd, Suite 690, Phoenix, AZ, 85016
   E-mail: dpo@elevate.lawWhile Elevate commits to resolving complaints in the processing of personal data, if we have not resolved your complaints to your satisfaction, you can alternatively contact the responsible organization for more information or to file a complaint. Elevate has further committed to refer unresolved Data Privacy Framework complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit JAMS for more information or to file a complaint. The services of JAMS are provided at no cost to you.

8. Arbitration
   Under certain conditions, an individual can invoke binding arbitration regarding complaints of Elevate’s DPF compliance not resolved by any of the other recourse mechanisms provided. For more information visit the Data Privacy Framework website.
9. Lawful Disclosure
   Elevate is required to disclose information in response to lawful requests by public authorities. This includes meeting national security or law enforcement requirements placed on Elevate. Elevate may voluntarily issue a periodic transparency report on the number of requests for Personal Information or Sensitive Information it has received by public authorities for law enforcement or national security purposes. Such reports will only be issued to the extent such disclosures are permissible under applicable law.
10. Enforcement and Investigative Power
    Elevate is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Changes to this Privacy Policy. Elevate reserves the right to change this Privacy Policy from time to time consistent with applicable privacy laws and principles. Unless such changes afford greater protections regarding Personal or Sensitive Data, such changes will apply only to Personal or Sensitive Data received after the effective date of such change.

Definitions of Terms Used in this Privacy Policy:

“Affiliates” means any corporation, partnership, limited liability company, or other entity directly or indirectly controlled by, or under the common control of, Elevate Services, Inc.

“Associates” means an employee or independent contractor of Elevate or an Elevate Affiliate.

“Data Subject” means the natural person who is the subject of, and identified in, Personal or Sensitive Data.

“Elevate” means Elevate Services, Inc., incorporated under the laws of the state of Delaware having its corporate headquarters in Phoenix, Arizona, USA.

“European Union” or “EU” means the European Union consisting of its Member States, covered by the European Union Data Protection Directive.

“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity. By way of example, data such as an individual’s name, address, phone number, email address, user ID and password, personal billing information or credit card information. Personal Data does not include data that is encoded or anonymized, or publicly available information that has not been combined with non-public Personal Data.

“Sensitive Information” or references to “Sensitive Data” means personal information specifying medical or health condition, race, or ethnicity, political, religious, or philosophical affiliations or opinions, sexual orientation, or trade union membership.

“EU-U.S. Data Privacy Framework (EU-U.S. DPF) or the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)” means the adequacy decision that allows for legal collection, use or retention of transfers of personal data of EU, UK, and Swiss persons outside of the EU, UK, and Switzerland to the United States. Certified DPF members must abide by the DPF Principles which are available at the DPF website provided below. All certified members of the framework are also available for viewing via a list provided on the DPF website.