1. Introduction

AP Copilot offers an application that is used by our customers to make business payments. This Privacy Policy applies to all of our customers as well as visitors.

This Privacy Policy describes how AP Copilot collects, uses and discloses information, and what choices you have with respect to the information.

2. EU-US, Swiss-US and UK Extension to the EU-U.S. Data Privacy Framework(DPF)

AP Copilot complies with the EU-U.S. DPF, Swiss-U.S. DPF and UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce, the European Commission, the UK Government, and the Swiss Federal Administration regarding the collection, use, and retention of personal information transferred from the European Union, Switzerland, and UK to the United States. AP Copilot has certified to the Department of Commerce that it adheres to the Data Privacy Framework principles. If there is any conflict between the terms in this privacy policy and the DPF Principles, the Data Privacy Framework Principles shall govern.

To learn more about the Data Privacy Framework, and to view our certification, please visit https://www.dataprivacyframework.gov/

The Federal Trade Commission has jurisdiction over AP Copilot’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

3. Services

It is AP Copilot's policy to respect your privacy regarding any information we may collect while you are using our software applications and websites, collectively called the Services.

This Privacy Policy applies when you use our Services. For our customers and their employees, a link to this Privacy Policy is also available in the “My Profile” section of the application.

AP Copilot operates a web-based application named AP Copilot that is part of the services that we offer. The application consists of various modules and all such products, applications, websites are collectively called “Services”.

4. Data Controller and Data Processor

We process two main types of personal data.

1) Customer Data - Personal data that forms part of the data provided by our customers and their end-users for processing.

2) Other Data - Personal data about our customers, visitors and other individuals that is collected and processed directly by us.

Our Customers are the controller of their Customer Data. AP Copilot is the processor of Customer Data and the controller of Other Data.

5. Information We Collect

Customer Data

As customers, you provide data to us for processing as part of usage of our AP Copilot applications.

Customer Data may be processed by us as a result of a customer’s use of the Services when our customers, or their end-users, input or upload information into the Service. For example, customers who use our AP Copilot application may upload Customer Data about themselves or their employees.

This data includes name, email address, phone number, landline number, job title for employees. We collect billing details for invoice purposes. AP Copilot also collects customer data, on our customer’s instruction, from third parties on their behalf.

Other Data

Customers provide data that is necessary to create user accounts.

For creation of user accounts, you provide your name, email address, password, telephone number and correspondence address.

We also collect data when you use our applications and websites.

• Log Data - Our servers automatically collect information when you access or use our applications and services. This data is recorded in log files. Examples of such data include IP Address
• Subscription Data – You provide personal data to us as part of signing up for AP Copilot applications.
• Contact Us Data – When you enquire about our products and services, we collect and store this data to communicate with you and respond to your enquiry

6. Cookies

We collect data through cookies.

AP Copilot uses cookies to help AP Copilot identify and track visitors, their usage of AP Copilot website, and their website access preferences. AP Copilot visitors can control cookies through your browser settings.

The information we collect from cookies may include your IP address, browser and device characteristics, referring URLs, and a record of your interactions with our Service. We will respect your choices relating to on-line tracking, whether you choose to reject individual cookies or set your web browser to reject cookies and other tracking technology. However, refusing a cookie may, in some cases, preclude you from using, or negatively impact the display or function of, the Service or certain areas or features of the Service.

7. How We Use Your Data

How we use your personal data will depend on which Services you use and how you use those Services.

Customer Data will be used by AP Copilot in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and as required by applicable law. AP Copilot is a processor of Customer Data and Customer is the controller.

Other Data is used by us to provide our services, send our newsletters and to communicate with you by responding to your requests, comments and questions.

Lawful bases for processing

We have lawful bases to process your personal data. We have a legitimate interest in processing, also may in some cases use your consent as basis for lawfully processing your personal data.

We process your personal data only when we have a lawful basis. Presently, we have a legitimate interest and, in some cases, your consent as the lawful basis for processing. Our legitimate interest is to deliver the services to our customers. We have determined that our processing of your personal data is necessary to deliver the services to our customers, and that our processing of such data is no more intrusive than other ways of delivering the services to our customers. Finally, we believe that our processing of personal data will not cause unjustified harm in a way that would override our legitimate interest basis as provided under the Data Protection Regulations.

In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.

Where you have consented to a particular processing, you have a right to withdraw the consent at any time.

How we use Customer data

We use your data to authenticate you and authorize access to our services.

We only process Customer Data on behalf of our customers and in accordance with their instructions provided in the applicable Services agreement with us. We use the data that we have about you to provide our services and provide support to you. In each case, AP Copilot collects such information only in so far as is necessary or appropriate to fulfil the purpose of the interaction with our services.

• To send emails and other communications. We may send you service, technical and other administrative emails, messages and other types of communications. We may also contact you to inform you about changes in our Services and our Services offerings. These communications are considered part of the Services and you may not opt out of them unless you choose to not use our Services.
• Aggregated Analytics. We also use our Customer Data to derive aggregated analytics such as average cost at given location.
• Customer Support. If you send us a request (for example via a support email or via one of our feedback mechanisms), we respond to your request or to help your issues.
• For any other purpose as provided for in the Services Agreement between us and the customer, or as otherwise authorized by the customer.
• In accordance with or as may be required by law.

How we use Other data

We may send you service related messages or marketing / promotional materials. You may choose to restrict the collection or use of your personal information

We will update you with improvements in our services, new features and from time to time also carry out direct marketing of our products and services. Direct marketing is carried out only if you consent to receiving such communications from us.

Users under 16 years of age

The Sites and Services do not knowingly collect personal information from users under the age of 16

If you are under the age of 16, you are not permitted to use the Sites and Services or to disclose Personal Information. If we learn we have collected or received Personal Information from a child under 16, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us.

Data Retention Policy

We will retain your personal information for as long as is needed to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements).

Customer Data - We retain your information for as long as you have an active Services account. We may also retain your personal information for extended period under applicable statutory laws.

AP Copilot will retain Customer Data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and as required by applicable law. When you decide to close your account, we delete all personal information about you.

Other Data - We retain your information for as long as necessary for the purposes that we have described in this Privacy Policy

AP Copilot may retain Other Information pertaining to you for as long as necessary for the purposes described in this Privacy Policy.

8. Your Rights

How we use your personal data will depend on which Services you use and how you use those Services.

Customer Data will be used by AP Copilot in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and as required by applicable law. AP Copilot is a processor of Customer Data and Customer is the controller.

Other Data is used by us to provide our services, send our newsletters and to communicate with you by responding to your requests, comments and questions.

Lawful bases for processing

We have lawful bases to process your personal data. We have a legitimate interest in processing, also may in some cases use your consent as basis for lawfully processing your personal data.

We process your personal data only when we have a lawful basis. Presently, we have a legitimate interest and, in some cases, your consent as the lawful basis for processing. Our legitimate interest is to deliver the services to our customers. We have determined that our processing of your personal data is necessary to deliver the services to our customers, and that our processing of such data is no more intrusive than other ways of delivering the services to our customers. Finally, we believe that our processing of personal data will not cause unjustified harm in a way that would override our legitimate interest basis as provided under the Data Protection Regulations.

In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.

Where you have consented to a particular processing, you have a right to withdraw the consent at any time.

How we use Customer data

We use your data to authenticate you and authorize access to our services.

We only process Customer Data on behalf of our customers and in accordance with their instructions provided in the applicable Services agreement with us. We use the data that we have about you to provide our services and provide support to you. In each case, AP Copilot collects such information only in so far as is necessary or appropriate to fulfil the purpose of the interaction with our services.

• To send emails and other communications. We may send you service, technical and other administrative emails, messages and other types of communications. We may also contact you to inform you about changes in our Services and our Services offerings. These communications are considered part of the Services and you may not opt out of them unless you choose to not use our Services.
• Aggregated Analytics. We also use our Customer Data to derive aggregated analytics such as average cost at given location.
• Customer Support. If you send us a request (for example via a support email or via one of our feedback mechanisms), we respond to your request or to help your issues.
• For any other purpose as provided for in the Services Agreement between us and the customer, or as otherwise authorized by the customer.
• In accordance with or as may be required by law.

How we use Other data

We may send you service related messages or marketing / promotional materials. You may choose to restrict the collection or use of your personal information

We will update you with improvements in our services, new features and from time to time also carry out direct marketing of our products and services. Direct marketing is carried out only if you consent to receiving such communications from us.

Users under 16 years of age

The Sites and Services do not knowingly collect personal information from users under the age of 16

If you are under the age of 16, you are not permitted to use the Sites and Services or to disclose Personal Information. If we learn we have collected or received Personal Information from a child under 16, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us.

Data Retention Policy

We will retain your personal information for as long as is needed to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements).

Customer Data - We retain your information for as long as you have an active Services account. We may also retain your personal information for extended period under applicable statutory laws.

AP Copilot will retain Customer Data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and as required by applicable law. When you decide to close your account, we delete all personal information about you.

Other Data - We retain your information for as long as necessary for the purposes that we have described in this Privacy Policy

AP Copilot may retain Other Information pertaining to you for as long as necessary for the purposes described in this Privacy Policy.

9: Your Information Shared With Others

Recipients of your data

Your data will be shared with other recipients in order to provide you with services.

While we aim to limit the sharing of your data, at times, it is necessary to share your data with certain service providers. Examples of when and for what purpose your data is shared include data center / hosting services, email marketing services, etc.

The following categories of recipient will most likely receive your data in order for us to provide services to you

• Third Party Data Center Services
• Third Party SMTP Services 
• Hubspot CRM for direct marketing

To Comply with Laws. If we receive a request for information, we may disclose if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process. We may also share your data to an acquirer in the event of a sale of substantially all of our assets or other change of control transaction.

Please be aware that AP Copilot may be required to disclose an individual's personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

AP Copilot will be liable in cases of onward transfers to third parties

Cross-Border Data Transfers

Your data will be stored and processed in multiple countries including outside of the European Union (EU) Region

Since we are an international company, your data will be processed outside of the EU region. Your data will be processed within Third Party Data Centers in USA. Some countries where we process data may not have as protective laws as your own country and there are risks associated with such transfer.

AP Copilot offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union, and other international transfers of Customer Data. These clauses are contractual commitments between parties transferring personal data (for example, between AP Copilot and its Clients, suppliers or data processors outside the EU), binding them to protect the privacy and security of the data.

10. Security Measures to Protect your Data

Security Measures

We implement security controls to prevent breaches and unauthorised access to your data.

We maintain reasonable and appropriate security measures to protect Customer Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

Examples of security measures include physical access controls, encryption, HTTPS, restricted access to data, monitoring for threats and vulnerabilities etc.

We also subject our services to internationally recognised certification and attestation standards. Details about our security measures are available at www.AP Copilot.com/ 

Protection of personal information

Protection of personal information

AP Copilot takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or destruction of potentially personally-identifying and personally-identifying information.

AP Copilot's Notice of Privacy Practices for Medical Information

THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective date: August 11, 2020

Summary

This is a summary of how we may use and disclose your protected health information and your rights and choices when it comes to your information. We will explain these in more detail on the following pages.

Our Uses and Disclosures

We may use and disclose your information as we:

• Bill for services.
• Run our organization.
• Do internal research in connection with our own product and system development.
• Comply with the law.
• Address workers' compensation, law enforcement, or other government requests.
• Respond to lawsuits and legal actions.

Your Choices

You have some choices about how we use and share information as we:

• Communicate with you.
• Tell family and friends about your condition.
• Provide disaster relief.
• Market our services.

Your Rights

You have the right to:

• Get a copy of your paper or electronic protected health information.
• Correct your protected health information.
• Ask us to limit the information we share, in some cases.
• Get a list of those with whom we've shared your information.
• Request confidential communication.
• Get a copy of this privacy notice.
• File a complaint if you believe we have violated your privacy rights.

Purpose

At AP Copilot, we respect your privacy. We are also legally required to maintain the privacy of your protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state laws. We follow state privacy laws when they are stricter or more protective of your PHI than federal law.

As part of our commitment and legal compliance, we are providing you with this Notice of Privacy Practices (Notice). This Notice describes:

• Our legal duties and privacy practices regarding your PHI, including our duty to notify you following a data breach of your unsecured PHI.
• Our permitted uses and disclosures of your PHI.
• Your rights regarding your PHI.

Contact

If you have any questions about this Notice, please contact support@apcopilot.com

PHI Defined

Your PHI:

Is health information about you:

• which someone may use to identify you; and
• which we keep or transmit in electronic, oral, or written form..

Includes information such as your:

• name;
• contact information;
• past, present, or future physical or mental health or medical conditions;
• payment for health care products or services; or
• prescriptions

Scope

If we receive a record of the care and health services, you receive this Notice applies to all the PHI that we receive or generate.

If we receive a record of the care and health services, you receive this Notice applies to all the PHI that we receive or generate.

Changes to this Notice

We can change the terms of this Notice, and the changes will apply to all information we have about you. The new notice will be available on request, in our office, and on our website.

Uses and Disclosures of Your PHI

The law permits or requires us to use or disclose your PHI for various reasons, which we explain in this Notice. We have included some examples, but we have not listed every permissible use or disclosure. When using or disclosing PHI or requesting your PHI from another source, we will make reasonable efforts to limit our use, disclosure, or request about your PHI to the minimum we need to accomplish our intended purpose.

Uses and Disclosures for Treatment, Payment, or Health Care Operations

• We may use or disclose your PHI and share it with professionals who are treating you, including doctors, nurses, technicians, medical students, or hospital personnel involved in your care. For example, we might disclose information about your overall health condition to physicians who are treating you for a specific injury or condition.
• Business Operations. We may use and disclose your PHI to run our business. For example, we may use your PHI to improve or manage our services or to monitor the quality of our services.

Other Uses and Disclosures

We may share your information in other ways, usually for public health or research purposes or to contribute to the public good. For more information on permitted uses and disclosures, see www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html. For example, these other uses and disclosures may involve:

• Our Business Associates. We may use and disclose your PHI to outside persons or entities that perform services on our behalf, such as auditing, legal, or transcription (Business Associates). The law requires our business associates and their subcontractors to protect your PHI in the same way we do. We also contractually require these parties to use and disclose your PHI only as permitted and to appropriately safeguard your PHI.
• Legal Compliance. For example, we will share your PHI if the Department of Health and Human Services requires it when investigating our compliance with privacy laws.
• Legal Compliance. For example, we will share your PHI if the Department of Health and Human Services requires it when investigating our compliance with privacy laws.
• report injuries, births, and deaths;
• prevent disease;
• report adverse reactions to medications or medical device product defects;
• report suspected child neglect or abuse or domestic violence; or
• avert a serious threat to public health or safety.
• Responding to Legal Actions. For example, we may share your PHI to respond to:
• a court or administrative order or subpoena;
• discovery request; or
• another lawful process.
• For example, we may use your PHI for internal research for product and services development and improvement.
• Workers' Compensation, Law Enforcement, or Other Government Requests. For example, we may use and disclose your PHI for:
• workers' compensation claims;
• health oversight activities by federal or state agencies;
• law enforcement purposes or with a law enforcement official; or
• specialized government functions, such as military and veterans' activities, national security and intelligence, presidential protective services, or medical suitability.

Your Choices

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, please contact us and we will make reasonable efforts to follow your instructions.

You have both the right and choice to tell us whether to:

• Share information, such as your PHI, general condition, or location, with your family, close friends, or others involved in your care.
• Share information in a disaster relief situation, such as to a relief organization to assist with locating or notifying your family, close friends, or others involved in your care.
• Exclude your information, such as your name, room number, or general condition] from a hospital directory.

We may share your information if we believe it is in your best interest, according to our best judgment, and:

• If you are unable to tell us your preference, for example, if you are unconscious.
• When needed to lessen a serious and imminent threat to health or safety.

Uses and Disclosures that Require Authorization

In these cases, we will only share your information if you give us written permission:

• Most sharing of a mental health care professional's notes (psychotherapy notes) from a private counseling session or a group, joint, or family counseling session.
• Marketing our services.

Other uses and disclosures not described in this Notice.

You may revoke your authorization at any time, but it will not affect information that we already used and disclosed.

Your Rights

When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.

You have the right to:

• Inspect and Obtain a Copy of Your PHI. You have the right to see or obtain an electronic or paper copy of the PHI that we maintain about you (right to request access). Alternatively, you may request a summary of your PHI or an explanation of your PHI. Some clarifications about your access rights:
• we may require you to make access requests in writing/by submitting an electronically signed form;
• we may charge a reasonable, cost-based fee for the costs of copying, mailing, or other supplies associated with your request, in compliance with applicable law.;
• if you request a copy of your PHI, we will generally decide to provide or deny access within 30 days, however, if we cannot act within 30 days, we will give you a reason for the delay in writing and when you can expect us to act on your request; and
• we may deny your request for access in certain limited circumstances, however, if we deny your access request, we will provide a written denial with the basis for our decision and explain your rights to appeal or file a complaint.
• Make Amendments. You may ask us to correct or amend PHI that we maintain about you that you think is incorrect or inaccurate. For these requests:
• you must submit requests in writing/electronically, specify the inaccurate or incorrect PHI, and provide a reason that supports your request. Contact us to do so.;
• we will generally decide to grant or deny your request within 60 days. If we cannot act within 60 days, we will give you a reason for the delay in writing and include when you can expect us to complete our decision, which will be no longer than an additional 30 days.;
• we may deny your request for an amendment if you ask us to amend PHI that is not part of our record, that we did not create, that is not part of a designated record set, or that is accurate and complete;
• if we deny your request, we will tell you why in writing. You will have the right to submit a written statement disagreeing with the denial and, if you opt not to submit this statement, you may request that we provide your original request for amendment and the denial with any future disclosures of PHI subject to the amendment. However, we may prepare a written rebuttal to any individual's statement of disagreement; and
• we will append the material created or submitted in accordance with this paragraph to your designated record.
• Request Additional Restrictions. You have the right to ask us to limit what we use or share about your PHI (right to request restrictions). You can contact us and request us not to use or share certain PHI for treatment, payment, or operations or with certain persons involved in your care. We require that you submit this request in writing. For these requests:
• we are not required to agree;
• we may say "no" if it would affect your care; but
• we will agree not to disclose information to a health plan for purposes of payment or health care operations if the requested restriction concerns a health care item or service for which you or another person, other than the health plan, paid in full out-of-pocket, unless it is otherwise required by law.
• Request an Accounting of Disclosures. You have the right to request an accounting of certain PHI disclosures that we have made. For these requests:
• we will respond no later than 60 days after receiving the request. We may ask for an additional 30 days during this 60-day period, but if we do, we will only do it once, provide a written statement of why, and indicate the date by which we intend to send the response;
• we will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures, such as any you asked us to make; and
• we will provide one accounting a year for free, but will charge a reasonable, cost-based fee if you ask for another one within 12 months. We will notify you about the costs in advance and you may choose to withdraw or modify your request at that time.
• Choose Someone to Act for You. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your PHI. We will confirm the person has this authority and can act for you before we take any action.
• Request Confidential Communications. You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or at a specific address. For these requests:
• we will not ask for the reason;
• you must specify how or where you wish to be contacted; and
• we will accommodate reasonable requests.
• Make Complaints. You have the right to complain if you feel we have violated your rights. We will not retaliate against you for filing a complaint. You may either file a complaint:
• directly with us by contacting. All complaints must be submitted in writing]; or
• with the Office for Civil Rights at the US Department of Health and Human Services. Send a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/

11. Other Information

Contact Information

You can contact us about this Privacy Policy or use of our services.

If you have questions or complaints regarding this Policy, you may contact us through email at support@AP Copilot.com . You may contact us at our mailing address below:

AP Copilot Inc,
44 Lake St, Suite 210
Burlington, VT 05401

If you are a resident of the European Economic Area and we maintain your Personal Data within the scope of the General Data Protection Regulation (GDPR), you have additional rights. If you are not satisfied with the resolution, you can also lodge a complaint with the Supervisory Authority in the country of your residence.

Dispute Resolution

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, AP Copilot commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact AP Copilot at privacy@AP Copilot.com and at address

AP Copilot Inc,
44 Lakeside Avenue, Suite 111
Burlington, VT 05401

AP Copilot has further committed to cooperate with the panel established by the EU data protection authorities (DPAs),the Swiss Federal Data Protection and Information Commissioner (FDPIC), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) with regard to unresolved DPF complaints concerning data transferred from the EU, Switzerland and the UK.

Finally, as a last resort and in limited situations, EU, Swiss and UK individuals may seek redress from the DPF Panel, a binding arbitration mechanism.

Privacy Policy change

AP Copilot may change this Privacy Policy from time to time, at our sole discretion.

AP Copilot encourages visitors and customers to frequently check this page for any changes to its Privacy Policy. We will notify you of material changes in advance by email or by notice when you log in to the Sites and Services or both. You confirm that your continued use of our services after any change in this Privacy Policy will constitute your acceptance of such changes and agree to be subject to the revised privacy policy.