Privacy Policy

Posted Date: July 1, 2025

Effective Date: July 1, 2025

This Privacy Policy ("Policy") describes how NYA Labs, LLC ("NYA," "we," "us," or "our") collects, uses, shares, discloses, and otherwise processes personal information from our enterprise customers, their users, and any other individuals ("User," "you," or "your") who interact with our websites, software, applications, and other services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read this Policy and agree to the collection, use, and disclosure of your personal information as described herein. If you do not agree with the terms of this Policy, please do not use our Services.

1. Personal Information

For the purposes of this Policy, "personal information" means any information that identifies or can reasonably be linked to an individual, including but not limited to names, contact details, device identifiers, and usage data. For users in the European Economic Area (EEA), this also includes "personal data" as defined under the General Data Protection Regulation (GDPR). Personal information may also include "protected health information" (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) when such data is created, received, or maintained in connection with healthcare-related activities.

2. Collection and Use of Information

The types of personal information we collect vary based on your interactions with NYA Labs, the specific Services you use, and relevant legal requirements. We gather data directly from you, automatically through your use of our Services, and from external sources such as third-party providers and partner organizations. NYA collects personal information as follows:

A. Information You Provide: We may collect personal information that you provide to us when you register for an account, administer the account, contact us, respond to interactive features (comments, forums, blogs, social media pages), apply to job applications, attend conferences, trade shows or other events we host or attend, provide directly or through third parties to assess business development activities, or use the Services, including your name, email address, mailing address, birthday, phone number, job title, business system information, and any other personal information that you provide or that we may collect directly or via third party services or sources or referral and sharing features. This may include PHI collected in association with purchases, bookings, customer or user interactions, and records retrieval.

B. Automatically Collected Information: Including IP address, browser type, operating system, device information, pages visited, cookies, pixel tags, web beacons, analytics, time spent using the Services, and other technologies.

C. Integrated Business Systems and Customer Records: Through integrations with your organization's customer relationship management (CRM) systems, electronic medical records (EMR), or other business platforms, we may access, collect, and/or receive information contained in or associated with customer, patient, or user records. This may include, but is not limited to, intake forms, interaction recordings, communications, and records related to services provided. The information collected may include personally identifiable information (PII) such as name, date of birth, phone number, address, insurance information, appointment history, and other data relevant to the services being performed or requested.

D. Recordings: We collect personal information through recordings of interactions with users of customer systems, such as CRMs or other integrated platforms. These recordings may include voice, text, or other communication data captured during customer service calls, chats, or other engagement sessions conducted through or on behalf of our customers. Such information may include customer names, birthdays, insurance information, contact details, booking information, payment data, and any other details shared during the interaction.

E. Usage and Analytics: We collect data about how users interact with our Services to improve functionality and performance.

We use this information for:

• Provide our Service:
  • Service provision and maintenance
  • Personalization and customization
  • Communications about the account, activities on our Services
  • Answering requests for customer or technical support
  • Allowing and processing event registrations, job applications
• Administrative purposes:
  • Security and fraud prevention
  • Legal and regulatory compliance
  • Improving, upgrading, or enhancing our Services
  • AI model training and improvement
  • Analytics and performance monitoring
  • Quality monitoring and performance
  • Debugging and repairing error
  • Authenticating individual identities
• Marketing our Services: We may use your personal information to customize and deliver marketing content and advertisements, in accordance with applicable laws. This may include outreach through email, SMS, targeted ad campaigns, and personalized advertising techniques—such as custom audience matching and cross-device tracking—to better align with your interests and engagement history.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, Switzerland, or the United Kingdom, we process your personal data under the following legal bases:

• Performance of a contract: To provide the Services you or your organization have requested.
• Legitimate interests: To improve our Services, enhance security, and conduct business operations.
• Consent: For optional features such as marketing or training data use, subject to opt-out rights.
• Legal obligations: To comply with applicable laws and regulations, including healthcare and data protection regulations.

4. Your GDPR Rights

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the following rights regarding your personal data:

• Right of access – You may request access to the personal data we hold about you.
• Right to rectification – You may request that we correct any inaccurate or incomplete data.
• Right to erasure – You may request that we delete your personal data, subject to legal or contractual obligations.
• Right to restrict processing – You may request that we limit the processing of your personal data under certain conditions.
• Right to object – You may object to our processing of your personal data based on legitimate interests.
• Right to data portability – You may request a copy of your data in a structured, commonly used, and machine-readable format.
• Right to withdraw consent – If processing is based on your consent, you may withdraw it at any time.

To exercise any of these rights, please contact us using the information provided in Section 17.

EEA Data Protection Authorities (DPAs)

Swiss Federal Data Protection and Information Commissioner (FDPIC)

UK Information Commissioner’s Office (ICO)

Right to Lodge a Complaint: If you are located in the EEA or UK and believe that we have violated applicable data protection laws, you have the right to lodge a complaint with your local supervisory authority. Contact details for EU data protection authorities are available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

5. HIPAA Compliance

Where applicable, we comply with HIPAA and maintain appropriate safeguards for PHI. When acting as a business associate to covered entities (e.g., service providers in regulated industries), we only use or disclose PHI as permitted by the applicable agreement and HIPAA rules. We implement administrative, technical, and physical safeguards to protect PHI and restrict access to authorized personnel only. NYA Labs applies the HIPAA "minimum necessary" standard to limit use, access, and disclosure of PHI to only what is necessary to perform our Services.

When acting as a Business Associate under HIPAA, NYA Labs enters into Business Associate Agreements (BAAs) with Covered Entities or other Business Associates, which govern the permissible use and disclosure of Protected Health Information (PHI) and require compliance with applicable privacy and security rules.

In the event of a breach of unsecured PHI, NYA Labs will notify the applicable Covered Entity without unreasonable delay and in no event later than 60 days following discovery, in accordance with HIPAA breach notification requirements.

6. Use for AI Training

We may use de-identified, anonymized, or aggregated data—including from customer interactions and records—for the purpose of training and improving our AI applications and models. We do not use identifiable personal information for training purposes unless permitted by applicable law and with the explicit consent of the data subject or our customer. Any use of identifiable personal information for training purposes will be done in accordance with GDPR, HIPAA, and other applicable laws, and only with consent or another valid legal basis. You may opt out of certain AI training-related data uses involving your information by contacting us (see Section 17).

Automated Decision-Making and Profiling: We do not use your personal data to make decisions that have a legal or similarly significant effect on you based solely on automated processing, including profiling. If we implement such processes in the future, we will notify you and ensure that you have the opportunity to exercise your rights under applicable data protection laws.

7. Investigations and Legal Requests

We may disclose personal information:

• To comply with legal obligations, such as court orders or regulatory requests
• To investigate misuse or unlawful activity
• To protect the rights, safety, or property of NYA Labs, its users, or the public

Disclosures will be limited to what is necessary and legally required.

8. Vendors and Service Providers

We engage third parties to support the Services, including:

• Cloud hosting and storage providers
• Third party subcontractors who provide components of the Services on our behalf
• Payment processors
• Customer support and analytics providers

These vendors process data on our behalf under written agreements that require compliance with applicable data protection and confidentiality obligations.

9. Business and International Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the successor entity, subject to continued protection consistent with this Policy.

If we transfer your personal data outside of the EEA or UK (e.g., to the United States), we ensure appropriate safeguards are in place. These may include entering into the European Commission's Standard Contractual Clauses or equivalent agreements approved under applicable data protection law. A copy of these safeguards may be requested by contacting us at privacy@nyalabs.ai

10. Log Data

We collect log data to troubleshoot, analyze, and improve the Services. This may include IP address, browser type, and time stamps.

11. Cookies and Tracking Technologies

We use cookies and similar technologies for:

• Authentication and user preferences
• Analytics and performance
• Personalized content and advertising

You can control cookie settings through your browser, though disabling cookies may limit some features. You may manage cookie or advertising preferences through:

• DAA Opt-Out
• NAI Opt-Out
• Google Ad Settings
• AppChoices for Mobile

12. Data Security

We use industry-standard security measures, including encryption, access controls, and secure data storage, to protect personal information and PHI. We also require similar safeguards from our vendors.

13. Retention

We retain personal information only as long as needed to:

• Provide and improve the Services
• Fulfill legal and contractual obligations
• Comply with retention periods required by law (e.g., under HIPAA or tax laws)

14. Links to Other Websites

This Policy does not apply to third-party websites linked through our Services. Please review their privacy policies independently.

15. Communications

By using our Services, you agree to receive electronic communications related to your use. You may unsubscribe from non-essential communications by following the instructions in those messages.

16. Governing Law

This Policy is governed by the laws of the United States and the State of Delaware, without regard to conflicts of law principles. Any legal action or proceeding arising under or relating to this Policy shall be brought exclusively in the state or federal courts located in Wilmington, Delaware, and the parties irrevocably submit to the exclusive jurisdiction of such courts.

17. Contact Information

For privacy questions or to exercise your rights:

Email: privacy@nyalabs.ai
Mail: 455 Market St, Suite 1940, PMB 34452, San Francisco, CA, 94105-2448, US

We will respond in accordance with applicable privacy regulations, including the GDPR, CCPA, and HIPAA.

18. Changes to This Policy

We may revise this Policy from time to time. Changes will be posted at https://nyalabs.ai/legal/privacy and become effective immediately unless otherwise stated. Material changes will be communicated via email or prominently posted on the Services.

19. California Privacy Rights (CCPA)

If you are a California resident, you may have the following rights under the California Consumer Privacy Act (CCPA), subject to exceptions:

• Right to Know: Request information about categories and specific pieces of personal information collected.
• Right to Delete: Request deletion of personal information, subject to legal exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising these rights.
• Right to Opt-Out: You may opt out of the sale or sharing of personal information (we do not sell personal information).

You may exercise these rights by contacting us using the information in Section 17. We will verify your request before processing any personal information-related request, and may ask for additional information if necessary to do so.

20. No Sale or Sharing of Personal Information

NYA Labs does not sell or share personal information as defined under the California Consumer Privacy Act (CCPA), including as amended by the California Privacy Rights Act (CPRA). We do not sell personal information to third parties for monetary or other valuable consideration, and we do not share personal information for purposes of cross-context behavioral advertising.

21. Severability

If any provision of this Policy is found to be unenforceable, the remaining terms shall remain in full force and effect.

22. Children's Privacy

Our Services are not directed to or intended for use by children under the age of 16, and we do not knowingly collect personal information from children.

If we learn that we have inadvertently collected personal information from a child without appropriate consent, we will take steps to delete such information as soon as possible. If you believe that we may have collected information from a child, please contact us at: privacy@nyalabs.ai

23. Privacy Governance and Oversight

NYA Labs maintains a comprehensive privacy governance program aligned with industry standards and the AICPA Trust Services Criteria.

We:

• Appoint designated personnel responsible for privacy and data protection oversight.
• Train our employees and contractors on data privacy and security obligations.
• Regularly review and audit our privacy and data handling practices.
• Maintain an incident response plan for identifying and responding to security incidents, including breach notification in accordance with applicable laws.

24. Entire Agreement

This Policy, together with our Terms of Use and any applicable Terms of Service or Master Services Agreement constitutes the entire agreement governing your use of the Services with respect to personal information.