Effective Date: February 27, 2026
Last Updated: February 27, 2026

This Privacy Policy (the "Policy") is issued by Inspyrd Inc ("Inspyrd," "Company," "we," "us," or "our") and governs the collection, use, disclosure, transfer, storage, retention, and other processing of Personal Data in connection with our website and associated communications (collectively, the "Services"). This Policy is intended to provide transparent and comprehensive notice regarding our data governance practices, including our processing purposes, lawful bases, privacy rights mechanisms, international transfer safeguards, and organizational controls. Inspyrd applies a consent-first collection model: we do not collect Personal Data unless and until you provide explicit consent, and we collect Personal Data only when you (i) book an appointment or (ii) sign up for the waitlist. By accessing or using the Services, you acknowledge receipt of this Policy. If you do not agree with this Policy, you should discontinue use of the Services.

1. Scope, Territorial Reach, and Legal Framework

1.1 Scope of Application

This Policy applies to Personal Data processed by Inspyrd in its capacity as controller/business (or equivalent legal role) and, where expressly stated, as processor/service provider on behalf of enterprise customers.

1.2 Jurisdictional Coverage

This Policy is drafted for global applicability and is designed to align, where relevant, with privacy and data protection frameworks including:

Regulation (EU) 2016/679 (EU GDPR);

UK GDPR and UK Data Protection Act 2018;

Swiss Federal Act on Data Protection (revFADP), as applicable;

California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and relevant regulations;

Other U.S. state privacy laws where applicable (including Virginia, Colorado, Connecticut, Utah, and analogous statutes);

Brazil’s Lei Geral de Proteção de Dados (LGPD);

Canada’s PIPEDA and substantially similar provincial statutes;

Japan’s Act on the Protection of Personal Information (APPI);

South Africa’s Protection of Personal Information Act (POPIA);

Additional laws in jurisdictions where we operate or direct Services.

Where mandatory local law conflicts with this Policy, the mandatory local standard prevails for data subjects in that jurisdiction.

1.3 Service-Specific Notices

Certain Services may be governed by supplemental privacy notices, contract terms, or product-specific disclosures. In case of conflict, the more specific notice governs for the relevant processing activity.

2. Definitions and Interpretive Terms

For purposes of this Policy:

"Personal Data" / "Personal Information" means information relating to an identified or reasonably identifiable natural person.

"Sensitive Personal Data" means categories of data subject to enhanced protections under applicable law, including, where relevant, precise geolocation, financial account credentials, biometric identifiers, health data, racial or ethnic origin, religious beliefs, sexual orientation, or other specially protected categories.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transfer, alignment, restriction, erasure, and destruction.

"Controller" / "Business" means the entity determining processing purposes and means.

"Processor" / "Service Provider" / "Operator" means an entity processing Personal Data on behalf of a controller/business.

"Data Subject" / "Consumer" / "User" means an identifiable individual whose Personal Data is processed.

"Sell," "Share," and "Targeted Advertising" have the meanings assigned by applicable U.S. state privacy laws.

3. Categories of Personal Data Processed

Subject to your interactions with the Services, we process Personal Data only in connection with appointment booking and waitlist signup, and only after explicit consent.

3.1 Identity and Contact Information

Full name;

Email address and telephone number;

Optional contact details you voluntarily provide in appointment or waitlist forms.

3.2 Appointment and Waitlist Submission Data

Appointment date/time preferences, service-interest details, and scheduling notes you provide;

Waitlist submission details, including stated preferences and signup metadata;

Consent capture records associated with each submission.

3.3 Communications Data

Communications sent in relation to appointment booking or waitlist administration;

Confirmation, reminder, and follow-up correspondence metadata.

3.4 Minimal Technical Metadata

Limited technical metadata strictly necessary to submit and secure appointment/waitlist forms (for example, anti-abuse and submission integrity signals);

Such metadata is used solely for security, integrity, and lawful operation of the submission process.

3.5 Sensitive Personal Data

We do not intentionally request or process Sensitive Personal Data in appointment or waitlist workflows unless required for a lawful purpose and permitted by applicable law. If Sensitive Personal Data is processed, we apply heightened access controls, minimization protocols, and legal basis validation.

3.6 Data We Do Not Collect by Default

Outside appointment booking and waitlist signup, we do not collect Personal Data from general website browsing.

4. Sources of Personal Data

We collect Personal Data from the following sources:

Directly from you: information you submit when booking an appointment or joining our waitlist;

From consent records: affirmative consent states tied to your submission;

From service providers acting on our instructions: only to process, secure, and administer appointment/waitlist submissions.

5. Processing Purposes and Lawful Bases

We process Personal Data for specific and proportionate purposes. We do not process Personal Data for unrelated purposes beyond appointment and waitlist operations unless we obtain additional legally valid consent.

Processing PurposeCategories Typically InvolvedPrimary Lawful Basis (EEA/UK Standard)Appointment scheduling and administrationIdentity, appointment/waitlist submission, communicationsConsent and/or pre-contractual steps at your requestWaitlist enrollment and updatesIdentity, appointment/waitlist submission, communicationsConsentSecurity, anti-abuse, and form integrityMinimal technical metadata, submission recordsLegitimate interests / legal obligationCompliance, rights handling, and records retentionIdentity, consent records, communicationsLegal obligationDispute management and legal defenseRelevant submission and communication recordsLegitimate interests / legal claims

Consent is the default basis for collection of Personal Data in our workflows. You may withdraw consent at any time. Withdrawal does not affect processing lawfully conducted before withdrawal.

6. Legal Grounds by Region (Summary)

6.1 EEA/UK/Switzerland

We process Personal Data on a consent-first basis and, where required, on additional applicable legal grounds such as legal obligation or legitimate interests for security, fraud prevention, and legal compliance.

6.2 United States (State Privacy Laws)

We process Personal Data for the limited purposes disclosed in this Policy and honor applicable rights. We do not use Personal Data for targeted advertising, and we do not sell or share Personal Data.

6.3 Brazil (LGPD)

Processing is based principally on consent, supplemented where applicable by legal/regulatory obligation and regular exercise of rights.

6.4 Canada, Japan, South Africa, and Other Jurisdictions

We process Personal Data in accordance with local legal requirements, including notice, purpose limitation, reasonable safeguards, and rights response obligations.

7. Cookies, Tracking Technologies, and Consent Management

7.1 Technologies Used

We may use: Strictly necessary session technologies required for secure form submission and service continuity.

7.2 Cookie Categories
Strictly Necessary: essential for security, network management, and core functionality of appointment/waitlist submission.

7.3 Consent and Control

We do not deploy non-essential personal-data tracking technologies by default. If this changes, we will obtain legally required opt-in consent before activation. Blocking strictly necessary technologies may impair submission functionality.

7.4 Do Not Track and Similar Signals

Where legally mandated, we honor qualifying opt-out preference signals (e.g., browser-based global privacy controls) for relevant processing. In jurisdictions where such obligations are not yet standardized, signal handling may vary.

8. Disclosure of Personal Data and Recipient Categories

We disclose Personal Data only where permitted by law and subject to contractual and technical safeguards.

8.1 Recipient Categories

Corporate Affiliates: internal administration, shared services, security, compliance, and reporting.

Infrastructure and Cloud Vendors: hosting, storage, backup, and observability services.

Identity, Security, and Risk Vendors: authentication, anti-abuse, and threat detection.

Communications Vendors: providers used to deliver appointment and waitlist confirmations, reminders, and status communications.

Professional Advisors: legal counsel, auditors, accountants, and insurers.

Regulators and Authorities: where compelled by lawful request, court order, subpoena, or statutory duty.

Corporate Transaction Counterparties: in financing, merger, acquisition, reorganization, or asset sale contexts.

8.2 Sale/Sharing and Targeted Advertising Statements

We do not sell Personal Data. We do not share Personal Data for cross-context behavioral advertising.

9. International Data Transfers and Transfer Safeguards

Inspyrd operates internationally; therefore, Personal Data may be transferred across national borders. For restricted transfers, we implement legally recognized safeguards, including:

European Commission Standard Contractual Clauses;

UK International Data Transfer Addendum/Agreement where required;

Equivalent contractual transfer mechanisms recognized by applicable law;

Supplemental controls (encryption, access restrictions, and transfer impact assessments where required).

We evaluate transfer risks and adopt proportionate technical and organizational controls for cross-border processing.

10. Data Retention and Records Management

We retain Personal Data only for the duration reasonably necessary for disclosed purposes and legal obligations.

10.1 Retention Criteria

Retention decisions consider:

Nature, volume, and sensitivity of the data;

Processing purpose and operational necessity;

Security and confidentiality risks;

Statutory and regulatory retention requirements;

Limitation periods for claims and dispute defense.

10.2 Illustrative Retention Framework

Data CategoryTypical Retention TriggerTypical Retention Window*Appointment recordsAppointment completion/cancellationUp to 24 months unless legal obligations require longerWaitlist recordsWaitlist removal or closureUp to 24 months unless legal obligations require longerConsent recordsConsent withdrawal or purpose completionRetained as legally required to demonstrate complianceSecurity logs for submission integrityEvent creation6–24 months based on risk and legal requirementsRights request recordsRequest closureAs required by applicable privacy laws and limitation periods

*Actual periods may vary by jurisdiction, legal hold status, and applicable contractual obligations.

10.3 Legal Holds

Where litigation, investigation, or audit is reasonably anticipated, deletion may be suspended for relevant records until hold release.

11. Data Security Program

We maintain a security program proportionate to processing risk, including administrative, technical, and physical safeguards.

11.1 Representative Controls

Encryption in transit and at rest where appropriate;

Role-based access controls and least-privilege principles;

Security monitoring, logging, and alerting;

Vulnerability management and patch governance;

Vendor risk assessment and contractual security obligations;

Workforce confidentiality and periodic training;

Incident response and business continuity procedures.

No data transmission or storage method is guaranteed to be absolutely secure. We nevertheless maintain controls aligned with recognized security practices.

12. Your Privacy Rights and Request Procedures

Subject to local law, you may have rights to:

Know whether we process your Personal Data;

Access and obtain a copy of Personal Data;

Correct inaccurate Personal Data;

Request deletion of Personal Data;

Restrict or object to certain processing activities;

Request data portability in a structured, commonly used format where applicable;

Withdraw consent for consent-based processing;

Opt out of sale/sharing/targeted advertising where applicable;

Limit use of sensitive personal data where provided by law;

Receive non-discriminatory treatment for exercising rights;

Lodge complaints with relevant supervisory or regulatory authorities.

12.1 Submission Methods

Rights requests may be submitted using the contact methods in Section 24. Authorized agents may submit requests where permitted by law, subject to verification.

12.2 Verification

We may request information necessary to verify identity, residency, and request authority. Verification requirements may differ based on request type and sensitivity.

12.3 Response Timing

We respond within legal deadlines applicable to your jurisdiction. Where permitted, response periods may be extended for complex or high-volume requests with appropriate notice.

12.4 Grounds for Denial

Certain requests may be denied in whole or part where lawful exemptions apply, including trade secrets, legal privilege, fraud prevention, legal obligations, or inability to verify identity.

12.5 Appeals

Where required by local law, users may appeal adverse rights determinations. Appeal instructions are provided with denial responses where applicable.

13. Jurisdiction-Specific Privacy Disclosures

13.1 EEA/UK/Switzerland Supplemental Notice

Data subjects may contact relevant supervisory authorities in their habitual residence, workplace, or place of alleged infringement. Where required, we appoint local representatives and/or a Data Protection Officer.

13.2 California and U.S. State Supplemental Notice

For the preceding 12 months (or other statutory lookback period), we collect, use, and disclose Personal Data in line with this consent-first and limited-purpose model, principally identifiers/contact details, appointment or waitlist submission details, communications related to those submissions, and associated consent records.

Where required by law, residents may exercise rights to know, delete, correct, opt out, and appeal. We do not discriminate for exercising rights.

13.3 Brazil (LGPD) Supplemental Notice

Data subjects may request confirmation of processing, access, correction, anonymization/blocking/deletion, portability, information regarding shared use, and consent revocation, subject to legal limits.

13.4 Canada Supplemental Notice

Users may request information on our privacy practices and challenge compliance through available complaint mechanisms under applicable federal or provincial law.

13.5 Japan (APPI) Supplemental Notice

Where required, we provide notices concerning purpose of use, overseas transfer safeguards, and rights procedures under APPI.

13.6 South Africa (POPIA) Supplemental Notice

Data subjects may object to processing and submit complaints to the Information Regulator in accordance with POPIA.

14. Sensitive Personal Data and High-Risk Processing

Where Sensitive Personal Data is processed, we implement additional controls, including necessity review, purpose limitation, enhanced access restriction, and, where required, explicit consent or other valid legal basis.

We do not use Sensitive Personal Data for materially different, unrelated, or incompatible purposes without lawful basis and required notice.

15. Automated Decision-Making and Profiling

We may perform limited automated processing for security detection, fraud mitigation, and submission integrity controls associated with appointment and waitlist workflows. We do not conduct solely automated decision-making with legal or similarly significant effects unless legally authorized and subject to required safeguards and rights.

Where applicable, you may request additional information regarding logic, significance, and expected consequences of such processing.

16. De-Identified and Aggregated Data

We may create de-identified, anonymized, or aggregated data sets derived from appointment and waitlist operations that no longer reasonably identify individuals. Such data may be used for internal reporting, compliance assurance, and service reliability analysis to the extent permitted by law.

Where legally required, we implement commitments not to re-identify de-identified data except as permitted for validation or compliance purposes.

17. Third-Party Websites, Integrations, and Social Features

The Services may link to, embed, or integrate with third-party products, services, and platforms not controlled by Inspyrd. Third-party data practices are governed by their respective notices and terms. We encourage users to review those notices prior to engagement.

18. Children and Minors

The Services are not directed to children below the minimum age for valid consent under applicable law. We do not knowingly collect Personal Data from children in violation of legal requirements. If we become aware of such collection, we take steps to delete or otherwise remediate the data as required. Parents or guardians who believe unlawful collection has occurred may contact us using Section 24.

19. Communications Preferences and Direct Marketing

Users may opt out of non-essential communications by contacting us directly. Operational communications may continue where necessary for appointment scheduling, waitlist administration, security, or legal matters.

Opt-out requests are processed within timelines required by applicable law.

20. Enterprise/B2B Processing Roles

Where Inspyrd provides Services to enterprise customers, we may process Personal Data under customer instructions as a processor/service provider. In those contexts:

The enterprise customer is generally the controller/business;

Processing is governed by contract (including data processing addenda);

We provide assistance with rights requests and incident management as contractually required;

Customer-specific retention and deletion obligations may supersede default retention practices.

21. Data Protection Governance and Accountability

We maintain privacy governance measures that may include:

Internal policies and standards;

Privacy-by-design and data minimization controls;

Contractual data protection terms with vendors and partners;

Incident and breach management procedures;

Workforce privacy and security training;

Periodic control assessments and remediation tracking.

22. Data Breach Notification

In the event of a confirmed breach affecting Personal Data, we will undertake investigation, containment, and remediation. Where notification is legally required, we will notify affected persons and/or authorities within applicable statutory timelines.

23. Policy Changes and Version Control

We may amend this Policy periodically to reflect legal, regulatory, technical, or operational developments. Material changes will be communicated through legally appropriate channels, including website notices, account notifications, or direct communication where required.

The "Last Updated" date at the beginning of this Policy indicates the date of latest revision.

24. Contact Information and Rights Requests

For privacy inquiries, rights submissions, complaints, or transfer safeguard requests, contact:

Inspyrd Inc

Attn: Privacy Office / Data Protection Team
Email: [email protected]

Mailing Address:

If legally required in your jurisdiction, we will provide details of our Data Protection Officer and/or local representative upon request.

25. Controller Identification

Unless otherwise stated in a service-specific notice or contractual document, Inspyrd Inc acts as the controller (or equivalent legal role) for Personal Data processed under this Policy.

26. Governing Language

This Policy is drafted in English. Where translations are provided, the English version controls except to the extent mandatory local law requires otherwise.

27. Non-Waiver and Severability

Failure to enforce any provision of this Policy shall not constitute a waiver of such provision. If any provision is determined unenforceable by a competent authority, remaining provisions remain in full force to the extent legally permissible.

By submitting an appointment booking or waitlist signup form, you acknowledge this Policy and provide consent to the processing described herein, to the extent consent is required by law.