Privacy Policy
Last Update: March 2026
1. Introduction
Innovative Data Systems Group LLC ("Company") provides software-as-a-service (SaaS) and software development services to organizations. This Privacy Statement describes Company's policies and practices regarding the collection, use, and protection of personal data across our website and platform services, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Statement as we undertake new personal data practices or adopt new privacy policies. This Privacy Statement applies to all Company products and services. It is intended for website visitors, prospective customers, and the organizational customers ('Customers') who use our platforms.
2. Privacy and Security Officer
Company is headquartered in the United States. Company has designated a Technical Lead to oversee compliance with this Privacy Statement and applicable data protection laws. If you have questions or concerns about Company's personal data policies or practices, or would like to exercise your privacy rights, please contact us at info@indatsys.com.
3. How We Collect and Use Your Personal Information
Company collects personal information about website visitors, prospective customers, and organizational customers. With a few exceptions, this information is generally limited to: Name, Job title, Employer name, Work address, Work email address, Work phone number. We use this information to provide prospects and customers with services, respond to inquiries, and communicate about our products and platform updates. We do not sell personal information to anyone, and only share it with third parties who are facilitating the delivery of our services. From time to time, Company receives personal information about individuals from third parties. Typically, information collected from third parties will include further details about your employer or industry. We may also collect your personal data from third-party sources such as LinkedIn in the course of prospecting and business development activities.
4. Use of the Company Website
As is true of most websites, the Company website collects certain information automatically and stores it in log files. This information may include:
• Internet protocol (IP) addresses
• The region or general location from which your computer or device is accessing the internet
• Browser type and operating system
• Pages viewed and navigation history within our site
• Referring URLs
We use this information to help us design our site to better suit users' needs, diagnose server problems, administer our website, analyze trends, track visitor movements, and gather broad demographic information. Company has a legitimate interest in understanding how prospective customers and visitors use its website in order to provide more relevant products and services.
5. Cookies and Tracking Technologies
The Company website uses cookies and similar tracking technologies to support website functionality and analytics. We use the following categories of cookies:
• Strictly necessary cookies: Required for the website to function and cannot be switched off.
• Analytics cookies: Help us understand how visitors interact with our website so we can improve it.
• Preference cookies: Allow the website to remember choices you make to provide a more personalized experience.
You may configure your browser to refuse cookies or to alert you when cookies are being sent. Please note that some parts of the website may not function properly if cookies are disabled.
6. Use of Company Platform Services
When an organization subscribes to or uses the Company's platform, Company processes data on behalf of that Customer in order to provide the contracted services. In this context, Company acts as a data processor or service provider — the Customer retains control of the data and is responsible for its lawful collection and use. Data processed through the Company's platform may include:
• End-user account information (names, email addresses, roles) for the Customer's staff and authorized users
• Client and program participant records entered by Customer personnel
• Service delivery records, case notes, assessments, and program data
• System-generated audit logs and usage metadata
Company processes platform data solely for the purpose of delivering contracted services and does not use Customer data for Company's own marketing, advertising, or product development purposes without explicit Customer consent. Company does not use Customer data to train artificial intelligence or machine learning models without prior written permission from the Customer.
The terms governing Company's processing of platform data — including data handling obligations, security requirements, and data return or disposal upon contract termination — are set forth in the applicable Master Services Agreement and any supplemental data processing addenda executed with each Customer. Upon request or contract termination, Company will return Customer data in a commonly used, machine-readable format agreed upon in writing between Company and the Customer prior to export.
7. Healthcare Data and HIPAA-Regulated Customers
Note: This section applies only to Customers that are Covered Entities or Business Associates under HIPAA (45 CFR Parts 160 and 164). If your organization is not subject to HIPAA, this section does not apply to your engagement with Company, and your data is governed by this Privacy Statement and your applicable service agreement.
7.1 Company as a Business Associate
When Company provides services to a HIPAA Covered Entity or Business Associate that involve the creation, receipt, maintenance, or transmission of Protected Health Information (PHI), Company functions as a Business Associate as defined under 45 CFR §160.103. In those engagements, Company's use and disclosure of PHI is governed by a Business Associate Agreement (BAA) executed between Company and the Customer, in addition to HIPAA's applicable rules. The BAA, not this Privacy Statement, is the controlling document for all PHI-related obligations between Company and HIPAA-regulated Customers. Customers who require a BAA should contact Company prior to transmitting any PHI through the platform.
7.2 HIPAA Security Safeguards
For HIPAA-regulated engagements, Company implements the administrative, physical, and technical safeguards required under the HIPAA Security Rule (45 CFR Part 164, Subpart C).
7.3 Breach Notification
In the event of a breach of unsecured PHI, Company will notify affected HIPAA-regulated Customers without unreasonable delay and in accordance with the timelines set forth in the applicable BAA and the HIPAA Breach Notification Rule (45 CFR §164.400 et seq.). Company's obligations to notify the U.S. Department of Health and Human Services and affected individuals are governed by the BAA and applicable HIPAA requirements.
7.4 Minimum Necessary Standard
Company applies the HIPAA minimum necessary standard across all platform operations. Company staff access PHI only to the extent required to perform contracted services, and system access controls are configured to enforce this principle at the role level.
7.5 Subprocessors Handling PHI
Where Company engages subprocessors who may have access to PHI, those subprocessors are bound by BAAs or equivalent agreements that impose HIPAA-compliant data protection obligations.
8. When and How We Share Information with Third Parties
The personal information Company collects is stored in databases hosted by third-party infrastructure providers located in the United States. These providers do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, Company engages third parties to send information to you, including information about our products, services, and events.
Company does not otherwise disclose your personal data to third parties for their independent use unless:
(1) you request or authorize it;
(2) it is provided to comply with applicable law (for example, in response to a lawful subpoena, court order, or law enforcement request);
(3) it is necessary to enforce an agreement we have with you, or to protect the rights, property, or safety of Company, its employees, or others;
(4) it is provided to our agents, vendors, or service providers who perform functions on our behalf and are bound by appropriate data protection obligations;
(5) it is necessary to address emergencies; or
(6) it is necessary to address disputes or legal claims, or to persons demonstrating legal authority to act on your behalf.
Company may gather aggregated, de-identified data about our services and website visitors and disclose the results of such aggregated (but not personally identifiable) information to partners, service providers, or other third parties for analytical or business purposes. Our website may connect with third-party services such as LinkedIn. If you choose to share information from our website through these services, you should review the privacy policy of that service.
9. Transferring Personal Data
Company is headquartered in the United States. Information we collect about you will be processed in the United States. By using Company's services, you acknowledge that your personal information will be processed in the United States. The United States has not sought nor received a finding of "adequacy" from the European Union under Article 45 of the GDPR. For transfers of personal data from individuals in the European Economic Area (EEA) or the United Kingdom, Company provides appropriate safeguards through binding standard data protection clauses pursuant to Article 46 of the GDPR, enforceable by data subjects in the EEA and the UK. Depending on the circumstance, Company also collects and transfers personal data to the U.S. with consent, to perform a contract with you, or to fulfill a compelling legitimate interest in a manner that does not outweigh your rights and freedoms. Company endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with Company and the practices described in this Privacy Statement.
10. Data Subject Rights
The EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable privacy laws provide certain rights to individuals regarding their personal data. These rights include:
• Right to be informed — to know how your personal data is collected and used
• Right of access — to obtain a copy of your personal data held by Company
• Right to rectification — to correct inaccurate or incomplete personal data
• Right to erasure — to request deletion of your personal data, subject to applicable legal obligations
• Right to restrict processing — to limit how Company uses your personal data in certain circumstances
• Right of data portability — to receive your personal data in a structured, machine-readable format
• Right to object — to object to processing based on legitimate interests or for direct marketing
• Rights related to automated decision-making — to not be subject to decisions based solely on automated processing that significantly affect you
If you are located in the European Union or the United Kingdom and have concerns about how Company processes your personal data, you also have the right to lodge a complaint with your national data protection authority or the European Data Protection Supervisor.
11. Security of Your Information
Company is committed to protecting the security of your personal data. We maintain an information security program that includes administrative, physical, and technical safeguards appropriate to the nature and sensitivity of the data we process. In the event of a data security incident affecting your personal data, Company will notify affected parties in accordance with applicable law and any contractual obligations. No security system is impenetrable, and Company cannot guarantee that its security measures will prevent every unauthorized access attempt.
12. Data Storage and Retention
Your personal data is stored on Company's servers and on the servers of third-party cloud infrastructure providers engaged by Company, all located in the United States. Company retains personal data for as long as necessary to provide our services and fulfill the purposes described in this Privacy Statement, or as required by applicable law. All personal data that Company controls may be deleted upon a verified request from a Data Subject or their authorized agent, subject to Company's legal retention obligations.
13. Children's Data
Company does not knowingly attempt to solicit or receive personal information from children under the age of 13. The Company's platform is designed for use by organizational customers and their professional staff. If you believe that a child under 13 has provided personal information to Company, please contact us at info@indatsys.com and we will promptly delete such information.
14. Questions, Concerns, or Complaints
If you have questions, concerns, or complaints about this Privacy Statement, or would like to exercise your data subject rights, please contact us at info@indatsys.com or indatsys.com/contact.