Introduction
Effective date: September 11, 2024
In its daily business operations, Nua Coach uses a variety of personal data, including data about:
Current, past, and prospective employees
Clients
Users and visitors of its websites
Subscribers
Other stakeholders
As it collects and uses this data, the organization is subject to various laws regulating how these activities may be carried out and the security measures that must be implemented to protect the data. The purpose of this policy is to identify the relevant legislation and describe the steps that Nua Coach is taking to ensure compliance. This control applies to all systems, persons, and processes that are part of the organization's information systems, including board members, directors, employees, suppliers, and other third parties who have access to Nua Coach's systems.
Privacy and Data Protection Policy
Applicable Privacy Legislation
The following list shows the main elements of privacy legislation that apply to the countries (or groups of countries) and states in which Nua Coach operates.
Argentina - Personal Data Protection Law (PDPL)
Australia - Privacy Act
Australia - Personal Information and Privacy Protection Act
Brazil - General Data Protection Law (LGPD)
Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada (Quebec) - Personal Information Protection Act in the Private Sector
European Union - General Data Protection Regulation (GDPR)
Singapore - Personal Data Protection Act
United Kingdom - UK GDPR Data Protection Act
U.S. (California) - California Consumer Privacy Act (CCPA)
Nua Coach is legally obligated to comply with the provisions of this legislation at all times. While these provisions vary between jurisdictions, this policy sets out the key principles that must generally be observed under such legislation.
Significant fines may apply if a breach of the applicable privacy legislation, which is designed to protect the personal data of citizens of the relevant country (or state, region, or group of countries), is deemed to have occurred. It is Nua Coach's policy to ensure that its compliance with the applicable legislation is clear and demonstrable at all times.
Definitions
The definitions used in privacy legislation vary, and it is not appropriate to reproduce them all here. However, the common terms used in this policy are as follows:
Personal data: Any information that (a) can be used to identify the data subject to whom such data refers, or (b) is or may be directly or indirectly linked to a data subject.
Data subject: The individual to whom the personal data relates.
Processing of personal data: Operation or set of operations performed on personal data. Examples of personal data processing operations include, among others, collection, storage, modification, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination, or any other form of making available, deletion, or destruction of personal data.
Data controller: Stakeholder in privacy (or stakeholders in privacy) who determines the purposes and means of processing personal data, excluding individuals who use data for personal purposes.
Data processor: Stakeholder in privacy that processes personal data on behalf of and in accordance with the instructions of a data controller.
Principles Related to the Processing of Personal Data
Legality, fairness, and transparency: personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose limitation: personal data shall be collected for specified, explicit, and legitimate purposes and not processed further in a manner incompatible with those purposes.
Data minimization: personal data collected and stored shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: personal data shall be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that inaccurate personal data is erased or rectified without delay.
Storage limitation: personal data shall be retained in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the data are processed.
Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
The processing of special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, and the processing of genetic data, biometric data for uniquely identifying a person, health-related data, or data concerning an individual's sexual life or sexual orientation, shall be prohibited. This restriction is subject only to the exceptions provided by law, including, without limitation, processing necessary for reasons of public interest, for preventive medicine, and for the defense or exercise of a legal right.
Nua Coach shall ensure compliance with these principles both in processing and in introducing new processing methods, such as new computer systems.
Individual Rights
The data subject also has rights regarding their personal data. These rights generally consist of:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights related to automated decision-making and profiling
Each of these rights is backed by appropriate procedures within Nua Coach, allowing the required action to be carried out within the timeframes specified in the applicable privacy legislation. These timeframes are outlined below:
The right to be informed: When data is collected (if provided by the data subject) or within one month (if not provided by the data subject).
The right of access: One month.
The right to rectification: One month.
The right to erasure: Without undue delay.
The right to restrict processing: Without undue delay.
The right to data portability: One month.
The right to object: Upon receiving the objection.
Rights related to automated decision-making and profiling: Not specified.
If Nua Coach does not take action on the data subject's request, Nua Coach will inform the data subject, no later than one month after receiving the request, of the reasons for not acting.
In cases where requests from a data subject are unfounded or excessive, Nua Coach may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of taking the requested action, or refuse to act on the request.
Furthermore, Nua Coach may request additional information necessary to confirm the identity of the data subject making the request. The information provided to data subjects will be understandable and clearly legible, with an overview of the intended processing.
Nua Coach will also take reasonable steps to inform the data controllers, data processors, and relevant recipients (as applicable) of requests for rectification/deletion/restriction of processing by the data subject, unless this proves impossible or involves a disproportionate effort.
Legality of Processing
Depending on the applicable legislation, there may be various alternative ways to establish the legality of a specific case of personal data processing. It is Nua Coach’s policy to identify the appropriate basis for processing and document it, in accordance with the applicable legislation. The main options are briefly described below.
Consent
Where appropriate, Nua Coach will obtain the consent of a data subject to collect and process their data. In the case of children under the age specified by applicable legislation, parental consent will be obtained. Transparent information regarding the use of their personal data will be provided to data subjects at the time consent is obtained, and their rights regarding their data, such as the right to withdraw consent, will be explained. This information will be provided in an accessible form, written in clear language and free of charge. If the personal data collected was not obtained directly from the data subject, the mentioned information will be provided within a reasonable timeframe, not exceeding one month.
Fulfillment of a Contract
When the personal data collected and processed is necessary to fulfill a contract with the data subject, consent is not required. This is usually the case when the contract cannot be completed without the personal data in question, such as when a delivery cannot be made without an address.
Legal Obligation
If personal data must be collected and processed to comply with applicable law, consent is not required. Examples include certain data related to employment and taxation, many areas handled by the public sector, and the processing of personal data relating to criminal convictions and offenses or related security measures.
Vital Interests of the Data Subject
In cases where personal data is necessary to protect the vital interests of the data subject or another person, this can be used as the legal basis for processing. Nua Coach will maintain reasonable documented evidence to support this justification whenever it is used as the legal basis for processing personal data. For example, this may be utilized in aspects of social care, particularly in the public sector.
Task Carried Out in the Public Interest
When Nua Coach needs to carry out a task it considers to be in the public interest or as part of an official duty, the consent of the data subject will not be sought. The assessment of public interest or official duty will be documented and available as evidence when necessary.
Legitimate Interests
If the processing of certain personal data is in the legitimate interests of Nua Coach and is judged not to significantly affect the rights and freedoms of the data subject, this may be defined as the legal reason for processing. Again, the justification behind this opinion will be documented.
Privacy by Design
Nua Coach has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly modified systems that collect or process personal data are subject to due consideration of privacy issues, including conducting one or more privacy impact assessments.
The privacy impact assessment will include:
Consideration of what types of personal data will be processed, how they will be processed, and for what purposes.
Assessment of whether the proposed processing of personal data is necessary and proportionate to those purposes.
Assessment of the risks to individuals arising from the processing of the personal data.
Identification of the controls necessary to address the identified risks and to demonstrate compliance with applicable legislation.
Consideration will be given to using techniques such as data minimization/pseudonymization/encryption when applicable and appropriate, including at the end of processing, and mechanisms used to achieve them will be documented.
When a data protection impact assessment indicates that processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, Nua Coach will consult with the supervisory authority before processing.
Contracts Involving the Processing of Personal Data
Nua Coach will ensure that all relationships in which it engages involving the processing of personal data are subject to a documented contract that includes the specific information and terms required by applicable legislation.
International Transfers of Personal Data
Transfers of personal data between countries will be carefully reviewed prior to being made to ensure they comply with limits imposed by applicable legislation. This partly depends on the judgment of the relevant authority (for example, in the case of GDPR, the European Commission) regarding the adequacy of the safeguards for applicable personal data in the receiving country, and this may change over time.
Where there is no adequacy decision (or similar declaration) for a destination country, an appropriate safeguard, such as standard contractual clauses, will be used, or a relevant exception permitted by applicable legislation will be identified.
Data Protection Officer
The defined role of Data Protection Officer (DPO) is generally required under privacy legislation if an organization is a public authority, performs large-scale monitoring, or processes particularly sensitive types of data on a large scale. The DPO must have an adequate level of knowledge and may be an internal resource or outsourced to an appropriate service provider.
Based on these criteria, Nua Coach has designated an internal Data Protection Officer.
Data Breach Notification
Nua Coach's policy is to be fair and proportionate when considering the actions to take to inform affected parties about data breaches. In accordance with applicable legislation, when it is known that a breach has occurred that is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within the specified timeframe (for example, in the case of GDPR, within 72 hours). When acting as a data processor, Nua Coach will notify the data controller of the security incident constituting the data breach. Breaches will be managed in accordance with our Security Incident Response Policy, which outlines the overall process for handling information security incidents.
Under privacy legislation, the relevant authority may have the right to impose a variety of fines, often based on a percentage of global annual income or a specific amount, for violations of regulations.
Compliance with Applicable Privacy Legislation
The following actions are taken to ensure that Nua Coach complies at all times with the accountability principle of privacy legislation within the countries in which it operates:
The legal basis for the processing of personal data is clear and unambiguous.
A Data Protection Officer with specific responsibility for data protection in the organization is designated (if required).
All staff involved in handling personal data understand their responsibilities to follow good data protection practices.
Data protection training has been provided to all staff.
Rules regarding consent are followed.
Routes are available for data subjects wishing to exercise their rights regarding personal data, and such inquiries are managed effectively.
Regular reviews of procedures involving personal data are conducted.
Privacy by design is adopted for all new systems and changed processes.
The following documentation of processing activities is recorded:
Organization name and relevant details.
Purposes of processing personal data.
Categories of individuals and personal data processed.
Categories of recipients of personal data.
Agreements and mechanisms for transfers of personal data to other countries, including details of implemented controls.
Retention periods for personal data.
Relevant technical and organizational controls implemented.
These actions are regularly reviewed as part of the management process related to privacy and data protection.
Exceptions
Nua Coach's business needs, local circumstances, laws, and regulations may occasionally require an exception to this policy or another Nua Coach policy. If an exception is needed, Nua Coach management will determine an acceptable alternative approach.
Compliance
Any violation of this policy or another Nua Coach policy or procedure may result in disciplinary actions, including termination of employment. Nua Coach reserves the right to notify the relevant law enforcement authorities about any unlawful activity and cooperate in any investigation of such activity. Nua Coach does not consider conduct that violates this policy to be within the course and scope of an employee's or contractor's work.
Anyone receiving a request to perform an activity they believe violates this policy must submit a written or verbal complaint to their manager or any other Nua Coach manager as soon as possible.
The disciplinary process will also be used as a deterrent to prevent employees and contractors from violating the organization's security policies and procedures and any other security breaches.
Accountability, Review, and Audit
Nua Coach reviews and updates its policies and security plans to maintain organizational security objectives and comply with regulatory requirements at least annually. The results are shared with appropriate internal parties, and findings are tracked to resolution. Any changes are communicated throughout the organization.