Purpose
This policy defines how Perseptex collects, uses, stores, shares, and protects personal data. It ensures compliance with applicable data-protection laws, including the EU GDPR, UK GDPR, California Consumer Privacy Act (CCPA/CPRA), CAN-SPAM Act, and HIPAA where applicable.
Scope
This policy applies to all personal data processed by Perseptex, including data collected from website visitors, customers, and platform users. This policy does not cover personal data processed by Perseptex solely as a data processor on behalf of a customer (see the Data Processor Role section below).
In limited circumstances where required by client relationships, Perseptex may enter into Business Associate Agreements (BAAs) to handle Limited Data Sets in compliance with HIPAA requirements. Where Perseptex processes Protected Health Information (PHI) or medical information on behalf of a healthcare customer, Perseptex acts strictly as a Data Processor and a HIPAA Business Associate. Such processing is governed by the applicable Business Associate Agreement (BAA), the customer’s Notice of Privacy Practices (NPP), and California Civil Code § 56.06 (CMIA).
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| CIO | Policy owner; approves data processing activities; oversees privacy compliance, including GDPR Article 9 compliance, CCPA ADMT assessments, and HIPAA Business Associate obligations. |
| VP of Development (or delegate) | Implements and maintains technical privacy controls; manages sub-processor integrations; enforces AI Attribute-Based Access Controls (ABAC). |
| All personnel | Handle personal data in accordance with this policy; report suspected privacy incidents promptly. |
| Client | See “Client Responsibilities” below. |
Data Controller
Perseptex is a US-based company that builds and operates AI-assisted software products, including AI-powered Contract Lifecycle Management (CLM) platforms. Perseptex is the data controller for personal data described in this policy, except where it acts as a data processor on behalf of a customer. In the provision of healthcare AI services, Perseptex operates as a Business Associate and implements technical, physical, and administrative safeguards in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C) and 42 CFR Part 2 regarding Substance Use Disorder records.
EU Representative (GDPR Art. 27): To be appointed. Contact privacy@perseptex.com in the interim.
UK Representative (UK GDPR Art. 27): To be appointed. Contact privacy@perseptex.com in the interim.
Personal Data We Collect and Why
Website Visitors
| Data | Purpose | Lawful Basis (GDPR) |
|---|---|---|
| IP address, browser type, pages visited | Website analytics; security monitoring | Legitimate interests |
| Contact form submissions (name, email, message) | Responding to inquiries | Legitimate interests / pre-contractual steps |
| Cookies | Session management (strictly necessary only) | Legitimate interests |
Platform Users (Customers)
Platform user data is processed under Perseptex’s agreement with the customer organization. Individual users should also refer to their organization’s privacy policy.
| Data | Purpose | Lawful Basis (GDPR) |
|---|---|---|
| Name, work email address | Account creation; authentication | Performance of contract |
| Session activity, audit log entries | Security monitoring; audit trail | Legitimate interests |
| Search queries, annotations | Delivering the service | Performance of contract |
Vendor Contacts
- CCPA/CPRA: Where Perseptex processes personal information, including Sensitive Personal Information as defined under the 2026 CCPA definitions (which include health data, biometric data, and neural data, meaning information generated by measuring central or peripheral nervous system activity), Perseptex does not sell or share that sensitive data and restricts its use solely to delivering the platform services.
- GDPR/UK GDPR: EU/UK vendor contacts retain all applicable data subject rights.
| Data | Purpose | Lawful Basis (GDPR) |
|---|---|---|
| Name, work email, business phone, company | Identifying authorized contacts; B2B contract management | Legitimate interests |
| Upload activity logs | Security and audit trail | Legitimate interests |
Job Applicants
| Data | Purpose | Lawful Basis (GDPR) |
|---|---|---|
| Name, email, phone, resume, work history | Evaluating suitability for the role | Legitimate interests (recruitment); pre-contractual steps |
| Background screening results | Personnel security evaluation | Legitimate interests |
Employees and Contractors
EU/UK employees: Criminal records processing (GDPR Art. 10) is only conducted where a specific legal basis exists under the relevant member-state law.
| Data | Purpose | Lawful Basis (GDPR) |
|---|---|---|
| Name, email, address, payment details | Employment/engagement administration; payment | Performance of contract; legal obligation |
| Device security status (OS version, browser management, disk encryption) | Security compliance | Performance of contract; legitimate interests |
| System access logs | Security monitoring; access review | Legitimate interests |
| Policy acknowledgments, training records | Compliance record-keeping | Legal obligation; legitimate interests |
Marketing Communications
| Data | Purpose | Lawful Basis (GDPR) |
|---|---|---|
| Email address (opt-in) | Product updates, company news | Consent |
All marketing emails include a physical mailing address and a clear unsubscribe mechanism. Opt-out requests are honored within 10 business days per CAN-SPAM (15 U.S.C. § 7701). For EU/UK recipients, marketing emails are sent only with prior consent per GDPR Art. 6(1)(a).
Data Retention
When the applicable retention period or legal requirement expires, whichever is earlier, data is securely deleted or anonymized.
| Category | Retention |
|---|---|
| Website visitor analytics | 13 months rolling |
| Platform user data | Duration of customer contract + as required by that contract |
| Vendor contact data | Duration of contract + 1 year |
| Job applicant data (unsuccessful) | 12 months from close of process |
| Employee / contractor records | Duration of engagement + 7 years (tax and legal recordkeeping) |
| Audit logs and access records | 13 months |
Data Sharing
Perseptex does not sell personal data and does not share personal data for third-party marketing or advertising purposes. Data is shared only with the following categories of service providers, all of whom are required to maintain appropriate safeguards under written contracts.
| Category | Data Shared | Purpose |
|---|---|---|
| Cloud infrastructure provider | All platform data (processed in US) | Hosting and infrastructure |
| AI inference provider | Contract text excerpts (platform data only) | AI-assisted analysis; zero data retention configured |
| Payroll and accounting provider | Employee/contractor name, payment details | Payment processing |
| Compliance management platform | Employee policy acknowledgments, system evidence | Compliance record-keeping |
| Background check provider | Applicant identity and screening data | Personnel security evaluation |
| EU/UK representative service | Privacy inquiry contact details | Regulatory correspondence |
| Outside counsel | As needed for legal matters | Legal advice |
| Regulators and law enforcement | As required by law | Legal obligation |
A current list of named sub-processors is available on request.
Data Processor Role
Where Perseptex operates software on behalf of a customer organization, it processes personal data as a data processor under that customer’s instructions. In these cases:
- The customer is the data controller.
- The customer’s privacy policy governs data subject rights.
- Obligations are defined in the Data Processing Agreement (DPA) with the customer.
- Data subjects should direct privacy rights requests to the customer organization.
Data Subject Rights
Depending on location, individuals may have the following rights:
| Right | Applies To |
|---|---|
| Access — obtain a copy of personal data | EU/UK residents (GDPR); all individuals as practice |
| Rectification — correct inaccurate data | EU/UK residents; all as practice |
| Erasure (“right to be forgotten”) | EU/UK residents; California residents |
| Restriction — limit processing during a dispute | EU/UK residents |
| Portability — receive data in a machine-readable format | EU/UK residents |
| Object — object to legitimate interests processing | EU/UK residents |
| Withdraw consent | Anyone |
| Non-discrimination | California residents |
To exercise any right, email privacy@perseptex.com. Requests will be acknowledged within 5 business days and responded to within 30 days. Complex requests may take up to 90 days with notice. Identity will be verified before responding.
International Data Transfers
Perseptex is based in the United States. Personal data may be processed and stored in the United States. Where personal data is transferred from the EU/UK to the United States or another third country, appropriate safeguards are applied:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (2021 version).
- UK International Data Transfer Addendum (IDTA): Appended to applicable SCCs for UK transfers.
Appropriate transfer mechanisms are included in agreements with all sub-processors.
Security
Perseptex protects personal data using administrative, technical, and organizational safeguards appropriate to the sensitivity of the data, including:
- Encryption at rest and in transit using industry-standard algorithms.
- Role-based access controls with multi-factor authentication.
- Development performed in hardened, cloud-managed environments.
- Managed browser policies enforced on all endpoints.
- Audit logging of access to personal data.
- Documented incident response procedures.
Security incidents affecting personal data will be assessed promptly. Where required by law, affected individuals and relevant authorities will be notified without undue delay.
Client Responsibilities
Clients remain responsible for compliance with all applicable laws, including:
- HIPAA (for US-based healthcare entities).
- GDPR (for EU data subjects).
- State privacy laws applicable to the Data Controller’s jurisdiction and operations, to the extent such laws impose obligations on data processors or data handlers, and only as expressly required by applicable law.
- Other international data protection laws (based on the data source or the mutually agreed-upon jurisdiction).
Clients must also:
- Properly de-identify all data (or ensure it strictly qualifies as a Limited Data Set under an approved agreement) before transmission to Perseptex.
- Never transmit fully identifiable PHI or unsecured health information.
- Transmit all data to Perseptex only through Perseptex-approved secure transmission methods, which may include encrypted file transfer protocols (SFTP), secure APIs, or encrypted email systems meeting current industry standards. Client shall never transmit any data containing personal information, de-identified data, or Limited Data Sets via unencrypted email or other unsecured communication channels.
- Maintain their own HIPAA compliance, Business Associate Agreements, and security safeguards.
Cookies
perseptex.com uses only strictly necessary cookies required for site functionality (e.g., session management). No analytics, tracking, or advertising cookies are used. No third-party cookies are placed.
Strictly necessary cookies do not require consent under the EU ePrivacy Directive or UK PECR. If non-essential cookies are introduced in the future, this section will be updated and a consent mechanism will be implemented before deployment.
Artificial Intelligence
Perseptex uses AI to power features within its products, such as contract analysis and metadata extraction:
- Customer data is used exclusively to deliver the service requested. Perseptex strictly prohibits the secondary use of customer PHI or CMIA-regulated medical information for the training, fine-tuning, or optimization of public or proprietary Large Language Models (LLMs) or generative AI systems, unless explicitly authorized by a BAA and rendered completely de-identified in strict adherence to the HIPAA Expert Determination or Safe Harbor methodologies (45 CFR § 164.514).
- Where AI inference is performed by a third-party provider, it is governed by a Data Processing Agreement and a legally executed HIPAA-compliant Business Associate Subcontractor Agreement. Third-party inference pipelines are configured for zero data retention, and Attribute-Based Access Controls (ABAC) enforce the HIPAA Minimum Necessary standard, ensuring AI agents only access the specific data fields required to execute the user prompt.
- No personal data from one customer is used to improve services for another customer.
- Automated Decision-Making Technology (ADMT) Pre-Use Notice: Under the CCPA (effective Jan 1, 2026), California residents have the right to know when ADMT is used to make significant decisions. Where Perseptex’s AI tools are utilized by our customers for decisions regarding employment, performance profiling, or access to healthcare, the AI evaluates text to extract metadata and summarize findings. Consumers have the right to access information regarding the logic of these AI outputs and the right to opt-out of ADMT processing. Opt-out requests will result in manual, human-reviewed document processing. To exercise this right, contact your data controller (the healthcare provider or employer) or privacy@perseptex.com.
If AI practices change materially, this policy will be updated and affected customers will be notified before any change takes effect.
HIPAA
Perseptex is not a HIPAA Covered Entity. When providing SaaS solutions to Covered Entities, Perseptex operates as a Business Associate. In this capacity, Perseptex securely receives, maintains, and processes electronic Protected Health Information (ePHI) strictly in accordance with executed Business Associate Agreements (BAAs). Perseptex assumes direct liability for compliance with the HIPAA Security Rule and the Breach Notification Rule. In the event of an unauthorized re-identification of data, Perseptex will enact its incident response protocols in compliance with the HIPAA Breach Notification Rule and the FTC Health Breach Notification Rule (HBNR).
Children’s Privacy
Perseptex products and website are not directed at children under 13 (US) or under 16 (EU/UK). Perseptex does not knowingly collect personal data from children. If personal data from a child is discovered, it will be deleted.
CMIA
California Confidentiality of Medical Information Act (CMIA): As a provider of software designed to maintain medical information, Perseptex complies with Cal. Civ. Code § 56.06. Any processing of medical information outside of standard B2B operational exceptions requires a valid authorization formatted in typeface no smaller than 14-point font, clearly separate from other agreements. Perseptex systems are engineered to segregate sensitive reproductive and mental health data to prevent unauthorized out-of-state disclosures, in compliance with AB 352 and AB 2089.
Substance Use Disorder (SUD) Records (42 CFR Part 2): Perseptex strictly adheres to the confidentiality requirements for SUD records. Perseptex prohibits the redisclosure or use of SUD records in civil, criminal, administrative, or legislative proceedings without explicit patient consent or specific court order. AI models are prohibited from indexing this data for secondary analytics.
Changes to This Policy
This policy is updated when data practices change or following the annual review. Material changes will be communicated to:
- Employees and contractors: directly via company communication channels.
- Platform customers: via the communication channel specified in agreements.
- Website visitors: notice on perseptex.com with the updated effective date.
Contact and Complaints
Privacy contact: privacy@perseptex.com or Perseptex LLC, 1212 Broadway Plaza, Ste 2100-220, Walnut Creek, CA 94596.
EU/UK residents who are not satisfied with a response to a privacy concern have the right to lodge a complaint with their local supervisory authority:
- EU: national data protection authority (list at edpb.europa.eu).
- UK: Information Commissioner’s Office (ico.org.uk).
Revision History
| Version | Date | Editor | Approver | Description |
|---|---|---|---|---|
| 0.1 | April 8, 2026 | Yakov Shkolnikov | — | Created |
| 1.0 | April 9, 2026 | Yakov Shkolnikov | Hamed Adib | Finalized |