Privacy Policy

Last Updated: February 14, 2025  |  Effective Date: February 14, 2025

1. Introduction & Scope

Anubris Inc. ("Anubris," "we," "us," or "our") is a corporation organized under the laws of the State of Delaware, United States. We provide enterprise information technology services, including managed IT solutions, cloud infrastructure, cybersecurity, software development, and strategic technology consulting.

This Privacy Policy applies to all personal data collected through:

• Our corporate website at anubris.com and all associated subdomains
• Our IT services, consulting engagements, and managed service agreements
• Our digital tools, including the IT Infrastructure Assessment Tool and the Cloud Migration ROI Calculator
• Newsletter subscriptions and marketing communications
• Client portals and service management platforms
• Employment and recruitment processes
• Any other interactions where you provide personal data to Anubris or where we collect personal data in connection with our services

For the purposes of the GDPR and other applicable data protection legislation, the data controller is:

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, you may contact our Data Protection Officer at any time at dpo@anubris.com.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below:

• Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
• Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• Data Subject: An identified or identifiable natural person whose Personal Data is processed by Anubris.
• Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this Policy, Anubris Inc. is the Data Controller.
• Data Processor: A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.
• Sub-processor: A third-party Data Processor engaged by Anubris to process Personal Data on our behalf in the course of providing our services.
• Consent: Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
• Cookies: Small text files or pieces of data stored on a user's device by a web browser at the request of a website, used to remember information about the user.
• Device Identifiers: Unique identifiers associated with a device, including but not limited to browser fingerprints, advertising identifiers, and hardware identifiers, that may be used to recognize a device across sessions.
• Marketing Automation Platform: Our self-hosted Mautic instance (located at mautic.anubris.com) used for managing marketing campaigns, tracking website engagement, lead scoring, and automated communications.

3. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we are required to identify a lawful basis for each category of personal data processing we undertake. Anubris relies on the following legal bases:

3.1 Consent (Article 6(1)(a) GDPR)

Where you have given clear, affirmative consent for us to process your Personal Data for specific purposes. Examples include:

• Subscribing to our newsletter or marketing communications
• Accepting cookies and tracking technologies via our consent banner
• Opting in to receive personalized content recommendations
• Participating in surveys, webinars, or promotional events

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

3.2 Contractual Necessity (Article 6(1)(b) GDPR)

Processing necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. Examples include:

• Processing client data to deliver managed IT services under a service agreement
• Managing your account on our client portal
• Processing payment information for services rendered
• Responding to requests for proposals, consultations, or service inquiries

3.3 Legitimate Interests (Article 6(1)(f) GDPR)

Processing necessary for the purposes of our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. Examples include:

• Improving our website, services, and user experience through analytics
• Ensuring network and information security
• Preventing fraud and unauthorized access to our systems
• Conducting internal business operations and administration
• Direct marketing to existing clients regarding similar services (subject to opt-out)

3.4 Legal Obligation (Article 6(1)(c) GDPR)

Processing necessary for compliance with a legal obligation to which Anubris is subject. Examples include:

• Retaining financial records as required by tax and accounting regulations
• Responding to lawful requests from law enforcement or regulatory authorities
• Complying with employment and labor laws
• Meeting regulatory reporting obligations

3.5 Vital Interests (Article 6(1)(d) GDPR)

In rare and exceptional circumstances, we may process Personal Data where it is necessary to protect the vital interests of the Data Subject or another natural person, such as in the case of a medical emergency on our premises.

4. Information We Collect

We collect and process various categories of Personal Data depending on how you interact with us. The following subsections describe each category in detail.

4.1 Information You Provide Directly

We collect Personal Data that you voluntarily provide to us when you:

• Submit Contact Forms: Name, email address, phone number, company name, job title, and the content of your message or inquiry.
• Request a Consultation: Business details, project requirements, budget range, timeline, and technology stack information.
• Subscribe to Our Newsletter: Email address, name, and communication preferences.
• Use Our Assessment Tools: Responses to our IT Infrastructure Assessment Tool, including information about your current technology environment, pain points, and operational challenges.
• Use Our Calculators: Input data provided to our Cloud Migration ROI Calculator, such as current infrastructure costs, workload specifications, and growth projections.
• Create an Account: Username, email address, password (stored in hashed form), company affiliation, and role information for our client portal.
• Communicate with Us: Content of emails, phone call records (if applicable), chat transcripts, and any attachments or documents you share with us.
• Apply for Employment: Resume, cover letter, work history, educational background, professional references, and other information relevant to the recruitment process.
• Attend Events: Registration information for webinars, workshops, conferences, or networking events hosted by Anubris.

4.2 Information Collected Automatically

When you visit our website or use our digital services, we automatically collect certain technical and behavioral information, including:

• IP Address: Your Internet Protocol address, which may be used to approximate your geographic location at the city or regional level.
• Browser Information: Browser type, version, language settings, and installed plugins.
• Device Information: Device type (desktop, tablet, mobile), operating system, screen resolution, and device identifiers.
• Page Visit Data: URLs of pages visited, sequence of pages viewed, and navigation paths through our website.
• Scroll Depth: How far you scroll on individual pages, measured at 25%, 50%, 75%, and 100% thresholds.
• Time on Page: Duration of time spent on each page and total session duration.
• Click Patterns: Elements clicked, including calls-to-action, navigation links, buttons, and interactive components.
• Referrer Information: The URL of the website or page that referred you to our site.
• UTM Parameters: Campaign source, medium, campaign name, term, and content identifiers from marketing links.
• Timestamps: Date and time of each page visit, interaction, or form submission.

4.3 Information from Third Parties

We may receive Personal Data about you from third-party sources, including:

• Business Partners: Companies with whom we maintain referral, reseller, or strategic partnership relationships may share contact information of prospective clients.
• Publicly Available Databases: Business registries, industry directories, and professional networking platforms that contain publicly accessible business contact information.
• Social Media Profiles: Publicly available information from professional networking platforms (such as LinkedIn) when you engage with our content or connect with our representatives.
• Data Enrichment Services: Business intelligence providers that help us verify and supplement business contact information for B2B outreach purposes.

4.4 Sensitive Information

5. Marketing Automation & Tracking

Anubris utilizes a marketing automation platform to understand how visitors and prospective clients engage with our website and digital content. Transparency about these practices is a core part of our commitment to privacy.

5.1 Our Platform: Self-Hosted Mautic

We use Mautic, an open-source marketing automation platform, self-hosted on our own infrastructure at mautic.anubris.com. This is not a third-party SaaS product. All data collected through Mautic is stored on servers owned and operated by Anubris, meaning your data is never transmitted to or processed by a third-party marketing platform vendor.

5.2 What We Track

After you provide consent via our cookie consent banner, the following engagement data may be collected:

• Page Visits: URLs of pages you view, including the sequence and frequency of visits.
• Scroll Depth: Measurement of how far you scroll on each page at four thresholds (25%, 50%, 75%, and 100%).
• Time on Page: Duration spent actively viewing each page.
• CTA Clicks: Interactions with calls-to-action, buttons, and interactive elements across the site.
• Form Submissions: Data entered into contact forms, newsletter signups, assessment tools, and calculators.
• UTM Parameters: Campaign source, medium, name, term, and content from marketing links that directed you to our site.
• Return Visits: Whether you are a returning visitor and the frequency and recency of your visits.
• Outbound Clicks: Links clicked that navigate away from our website to external destinations.
• Asset Downloads: Downloads of whitepapers, case studies, guides, or other resources hosted on our site.
• Social Shares: Interactions with social sharing buttons on our blog posts and resource pages.

5.3 Contact Scoring

We use a contact scoring model that assigns points based on two dimensions:

• Behavioral Score: Points assigned based on engagement actions such as page visits, form submissions, asset downloads, email opens, and link clicks.
• Demographic Score: Points assigned based on firmographic and professional attributes such as company size, industry, job title, and geographic location.

Contact scoring helps our sales and marketing teams prioritize outreach and tailor communications to the interests and needs of prospective clients. Scoring does not result in automated decision-making that produces legal or similarly significant effects on individuals.

5.4 Progressive Profiling

We employ progressive profiling, a technique in which we gradually collect additional information about you across multiple interactions rather than requesting all data in a single form. For example, after your initial contact form submission, subsequent forms may ask for additional details such as company size, project timeline, or technology preferences. This approach minimizes the amount of data requested at any one time and builds a more complete profile only as our relationship develops.

5.5 Dynamic Web Content Personalization

Based on the information you have provided and your engagement history, we may display personalized content on our website, including customized service recommendations, relevant case studies, industry-specific messaging, and tailored calls-to-action. Personalization is designed to improve your experience by presenting content most relevant to your interests and business needs.

5.6 Focus Items

Our marketing automation platform may display focused engagement elements on our website, including:

• Modal Overlays: Pop-up windows presenting relevant offers, newsletter signups, or resource downloads.
• Notification Bars: Top or bottom-of-page bars with announcements, promotions, or calls-to-action.
• In-Page Notifications: Contextual messages displayed within page content based on engagement triggers.

These elements are triggered based on behavioral data such as time on page, scroll depth, exit intent, or visit frequency, and are intended to enhance your experience rather than obstruct it.

5.7 Attribution Tracking

We track the source of your initial visit (first-touch attribution) and subsequent interactions to understand which marketing channels and campaigns are most effective. Attribution data includes referrer URLs, UTM parameters, direct/organic search identification, and social media source tracking.

6. How We Use Your Information

We process your Personal Data for the following purposes:

• Service Delivery: To provide, maintain, support, and improve the IT services, consulting engagements, and managed solutions that you have contracted or requested from us.
• Communication: To respond to your inquiries, provide technical support, send service-related notifications, and maintain ongoing communication about active projects and engagements.
• Marketing (Opt-In Only): To send newsletters, promotional materials, industry insights, event invitations, and other marketing communications, but only where you have provided affirmative opt-in consent. You may unsubscribe at any time.
• Analytics & Improvement: To analyze website traffic, user behavior, and service usage patterns in order to improve our website, optimize user experience, and develop new features and services.
• Security & Fraud Prevention: To detect, investigate, and prevent security incidents, unauthorized access, fraud, and other malicious activities targeting our systems and services.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests, including tax, accounting, and regulatory reporting requirements.
• Business Operations: To manage our internal business operations, including financial management, audit, corporate governance, and strategic planning.
• Product & Service Improvement: To conduct research and development, perform A/B testing, and analyze market trends to enhance our service offerings and develop innovative solutions.
• Recruitment: To process employment applications, evaluate candidates, conduct background checks (where legally permitted and with appropriate consent), and manage our talent acquisition pipeline.

7. Cookies & Tracking Technologies

We use cookies, local storage, session storage, and similar technologies to operate our website, remember your preferences, and analyze engagement. Below is a detailed breakdown of the specific tracking technologies deployed on our website.

7.1 Cookie Inventory

Category	Name	Type	Purpose	Duration
Essential	anubris_consent	localStorage	Stores your cookie consent choice	Persistent
Analytics	mautic_device_id	Cookie (Mautic)	Device identification for analytics	1 year
Session	anubris_utm	sessionStorage	Stores campaign tracking parameters	Session
Session	anubris_session_pages	sessionStorage	Counts pages viewed in current session	Session
Profile	anubris_profile_stage	localStorage	Tracks progressive profiling stage	Persistent
Known	anubris_known_contact	localStorage	Enables email prefill for known contacts	Persistent
Attribution	anubris_attribution	sessionStorage	Records first-touch referrer source	Session

7.2 How to Manage Cookies

You have several options for managing cookies and tracking technologies:

• Cookie Consent Banner: When you first visit our website, a consent banner is displayed allowing you to accept or decline non-essential cookies. Only essential cookies (such as your consent preference) are placed without your affirmative consent.
• Cookie Settings Link: You can revisit your cookie preferences at any time using the cookie settings option available in our website footer.
• Browser-Level Controls: Most modern web browsers allow you to manage cookies through their settings. You can typically block all cookies, accept all cookies, or be notified when a cookie is being set. Please note that blocking all cookies may impair certain website functionality.
• Local Storage & Session Storage: To clear locally stored data, you can use your browser's developer tools or clear all site data through your browser's privacy settings.
• Contact Us: You may request deletion of all data associated with your device by contacting us at dpo@anubris.com.

8. Data Sharing & Disclosure

We may share your Personal Data with the following categories of recipients, solely for the purposes described in this Privacy Policy:

8.1 Service Providers

We engage trusted third-party service providers who process data on our behalf under strict contractual obligations, including:

• Cloud Infrastructure Providers: For hosting our website, applications, and data storage.
• Email Service Providers: For delivering transactional and marketing email communications via SMTP relay services.
• Scheduling Platforms: Cal.com for managing consultation and meeting bookings.
• Payment Processors: For processing service invoices and payments (we do not store credit card information on our servers).
• Professional Service Firms: Including legal counsel, accountants, and auditors as necessary for business operations.

All service providers are contractually bound to process your data only as instructed by Anubris, to maintain its confidentiality, and to implement appropriate technical and organizational security measures.

8.2 Legal Requirements

We may disclose your Personal Data when we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or enforceable governmental request
• Respond to a valid subpoena, court order, or search warrant
• Cooperate with law enforcement agencies in the investigation of suspected or actual illegal activity
• Enforce our Terms of Service and other agreements

8.3 Business Transfers

In the event that Anubris is involved in a merger, acquisition, reorganization, bankruptcy, dissolution, or sale of all or a portion of its assets, your Personal Data may be transferred as part of that transaction. We will provide notice before your Personal Data becomes subject to a different privacy policy and will require that the acquiring entity honor the commitments made in this Privacy Policy.

8.4 Protection of Rights

We may disclose your Personal Data when we reasonably believe it is necessary to protect the rights, property, or safety of Anubris, our clients, employees, or the public.

8.5 International Transfers

Where your Personal Data is transferred outside of the European Economic Area (EEA) or other jurisdictions with data transfer restrictions, we ensure that appropriate safeguards are in place, including the EU Standard Contractual Clauses (SCCs) adopted by the European Commission, adequacy decisions, or other lawful transfer mechanisms as described in Section 12 of this Policy.

9. Data Security

Anubris implements a comprehensive, multi-layered security program to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

9.1 Encryption

• In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest version of Transport Layer Security.
• At Rest: Stored data is protected with AES-256 encryption, ensuring that data remains unreadable in the event of unauthorized physical access to storage media.

9.2 Access Controls

• Role-Based Access Control (RBAC): Access to Personal Data is restricted to authorized personnel on a need-to-know basis, with permissions assigned according to job function and responsibility.
• Multi-Factor Authentication (MFA): All administrative access to systems containing Personal Data requires multi-factor authentication.
• Principle of Least Privilege: Users and systems are granted only the minimum level of access necessary to perform their designated functions.

9.3 Security Monitoring

• 24/7 Security Operations Center (SOC): Continuous monitoring of our systems and infrastructure for security threats, anomalies, and unauthorized access attempts.
• Intrusion Detection & Prevention: Automated systems for detecting and blocking suspicious activity in real-time.
• Log Management: Comprehensive logging and auditing of all access to systems containing Personal Data, with logs retained for forensic analysis.

9.4 Vulnerability Management

• Regular vulnerability scanning of all public-facing and internal systems
• Timely application of security patches and updates
• Automated dependency monitoring for third-party software components

9.5 Penetration Testing

We conduct regular penetration testing of our systems, applications, and infrastructure, performed by qualified internal security engineers and independent third-party security firms, to identify and remediate vulnerabilities before they can be exploited.

9.6 Employee Training

All Anubris employees and contractors undergo mandatory security awareness training upon hire and annually thereafter. Training covers topics including phishing recognition, data handling procedures, incident reporting, and privacy obligations.

9.7 Incident Response

We maintain a documented Incident Response Plan that defines procedures for identifying, containing, eradicating, and recovering from security incidents. The plan includes defined roles and responsibilities, escalation procedures, communication protocols, and post-incident review processes.

9.8 Self-Hosted Infrastructure

Our marketing automation platform (Mautic) is self-hosted on Anubris-controlled infrastructure. This means your engagement data is not transmitted to third-party data brokers, advertising platforms, or external SaaS marketing tools. We maintain full control over the storage, processing, and security of this data.

9.9 Compliance & Certifications

• SOC 2 Type II: Our operational processes and security controls are audited annually under the SOC 2 Type II framework, covering security, availability, processing integrity, confidentiality, and privacy.
• ISO 27001 Aligned: Our information security management system (ISMS) is designed in alignment with the ISO/IEC 27001 international standard for information security management.

While we employ robust security measures, no system can guarantee absolute security. In the event of a security incident affecting your Personal Data, we will notify you in accordance with applicable law and our Data Breach Notification procedures described in Section 16.

10. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements. The following table summarizes our standard retention periods:

Data Category	Retention Period
Contact form submissions	3 years from date of submission
Newsletter subscribers	Until unsubscribe + 6 months
Website analytics data	24 months from date of collection
Client service data	Duration of contract + 7 years
Marketing automation data	24 months of inactivity, then purged
Employee application data	2 years from date of application

10.1 Anonymization

Where possible, we anonymize or pseudonymize Personal Data that is retained for analytics and statistical purposes beyond the retention periods stated above. Anonymized data, from which individuals cannot be re-identified, is not subject to this Privacy Policy and may be retained indefinitely for business intelligence and research purposes.

10.2 Deletion Procedures

When Personal Data reaches the end of its retention period, or upon a valid deletion request, we employ secure deletion procedures including:

• Permanent deletion from primary databases and active systems
• Removal from backup systems within 90 days (or at the next scheduled backup rotation cycle)
• Verification of deletion through audit logs and confirmation records
• Notification to any sub-processors who may hold copies of the data, requiring them to delete their copies

11. Your Privacy Rights

Anubris is committed to respecting and facilitating the exercise of your privacy rights under all applicable laws and regulations. The rights available to you may vary depending on your jurisdiction.

11.1 Universal Rights

Regardless of your location, all individuals interacting with Anubris have the following rights:

• The right to be informed about how your Personal Data is collected, used, and shared
• The right to opt out of marketing communications at any time
• The right to request information about the Personal Data we hold about you
• The right to request correction of inaccurate or incomplete data
• The right to submit complaints or concerns regarding our data processing practices

11.2 GDPR Rights (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you are entitled to the following rights under the General Data Protection Regulation:

• Right of Access (Article 15): You have the right to obtain confirmation as to whether your Personal Data is being processed and, if so, to access that data along with supplementary information about the processing.
• Right to Rectification (Article 16): You have the right to have inaccurate Personal Data corrected and incomplete data completed.
• Right to Erasure (Article 17): Also known as the "right to be forgotten," you have the right to request deletion of your Personal Data under certain circumstances, including where the data is no longer necessary for its original purpose or where you withdraw consent.
• Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your Personal Data under certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.
• Right to Data Portability (Article 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
• Right to Object (Article 21): You have the right to object to processing of your Personal Data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing without exception.
• Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Anubris does not currently engage in solely automated decision-making that produces such effects.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU Data Protection Authorities can be found on the European Data Protection Board website.

11.3 CCPA/CPRA Rights (California Residents)

If you are a California resident, you are entitled to the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to Know: You have the right to know what categories and specific pieces of Personal Data we have collected about you, the categories of sources from which the data was collected, the business or commercial purpose for collecting the data, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request that we delete the Personal Data we have collected about you, subject to certain exceptions.
• Right to Opt-Out of Sale: You have the right to opt out of the "sale" of your Personal Data. Anubris does not sell your Personal Data and has not done so in the preceding twelve (12) months.
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, provide a different level of service, or suggest any of the foregoing as a consequence of exercising your rights.
• Right to Correct: You have the right to request that we correct inaccurate Personal Data that we maintain about you.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information. As noted in Section 4.4, Anubris does not intentionally collect sensitive personal information.

11.4 Other U.S. State Privacy Laws

Anubris also recognizes and respects the privacy rights granted by other U.S. state privacy laws, including but not limited to:

• Virginia Consumer Data Protection Act (VCDPA): Rights to access, correct, delete, obtain a copy of, and opt out of processing for targeted advertising, sale, or profiling.
• Colorado Privacy Act (CPA): Rights to access, correct, delete, obtain a portable copy of data, and opt out of targeted advertising, sale, and certain profiling.
• Connecticut Data Privacy Act (CTDPA): Rights to access, correct, delete, obtain a copy of, and opt out of processing for targeted advertising, sale, or profiling.
• Utah Consumer Privacy Act (UCPA): Rights to access, delete, and obtain a portable copy of data, and to opt out of the sale of personal data or targeted advertising.

We apply the substantive protections of these laws to all residents of the respective states, regardless of whether specific thresholds for applicability have been met.

11.5 How to Exercise Your Rights

12. International Data Transfers

Anubris is headquartered in the United States. If you are accessing our website or services from outside the United States, please be aware that your Personal Data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.

We ensure that all international transfers of Personal Data are conducted in compliance with applicable data protection laws, using one or more of the following safeguards:

• EU-U.S. Data Privacy Framework: Where applicable, we rely on the EU-U.S. Data Privacy Framework and its extensions as a valid mechanism for the transfer of Personal Data from the EU/EEA to the United States.
• Standard Contractual Clauses (SCCs): We execute the EU Standard Contractual Clauses, as adopted by the European Commission, with any sub-processors or service providers that process Personal Data transferred from the EU/EEA. These clauses provide contractual guarantees that your data will be protected to EU standards.
• Adequacy Decisions: Where the European Commission has determined that a third country ensures an adequate level of data protection, we may rely on such adequacy decisions as a basis for data transfers.
• Supplementary Measures: In addition to the transfer mechanisms above, we implement supplementary technical and organizational measures as recommended by the European Data Protection Board, including encryption, pseudonymization, access controls, and contractual restrictions on government access to data.

For further information about the safeguards we use for international data transfers, or to obtain a copy of the Standard Contractual Clauses, please contact our Data Protection Officer at dpo@anubris.com.

13. Third-Party Services

Our website and services may integrate with or link to third-party platforms. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party service before providing them with your Personal Data.

The following third-party services are used in connection with our website and operations:

• Mautic (Self-Hosted): Open-source marketing automation platform, hosted on Anubris-owned infrastructure at mautic.anubris.com. All data remains under our control. No data is transmitted to Mautic Inc. or any third-party service.
• Cal.com: Online scheduling platform used for booking consultations and meetings. When you use our scheduling links, Cal.com processes your name, email, and meeting preferences in accordance with their privacy policy.
• Cloud Infrastructure Providers: We use enterprise-grade cloud hosting providers for our website and application infrastructure. All data is encrypted in transit and at rest, and processing is governed by data processing agreements.
• SMTP Email Provider: We use a dedicated email relay service for sending transactional and marketing emails. Email delivery metadata (recipient address, delivery status) is processed by the provider under a data processing agreement.

14. Children's Privacy

Our website and services are directed to businesses and professionals, and are not intended for use by individuals under the age of sixteen (16). We do not knowingly collect, solicit, or process Personal Data from children under 16 years of age.

If you are a parent or guardian and believe that your child has provided Personal Data to us without your consent, please contact us immediately at dpo@anubris.com. Upon verification, we will promptly delete the child's Personal Data from our systems and take steps to ensure that it is not further processed.

In jurisdictions where the applicable age of digital consent is higher than 16, we comply with the relevant local requirement. Where parental or guardian consent is required for the processing of a minor's Personal Data, we will make reasonable efforts to verify that such consent has been obtained.

15. Do Not Track

Anubris honors Do Not Track ("DNT") signals transmitted by your web browser. When we detect a DNT signal, we treat it as an indication that you do not wish to be tracked, and we will refrain from setting non-essential cookies or initiating behavioral tracking on your device.

In addition to honoring DNT signals, we provide our own cookie consent banner that allows you to explicitly accept or decline tracking technologies. If you decline cookies through our consent banner, no analytics or marketing cookies will be placed, regardless of your browser's DNT setting.

We believe that users should have clear, granular control over how their data is collected and used, and we support industry efforts to establish a standardized approach to Do Not Track compliance.

16. Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, Anubris will take the following actions:

16.1 Notification to Supervisory Authorities

Where the breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. If notification is not made within 72 hours, we will provide a reasoned explanation for the delay.

16.2 Notification to Affected Individuals

Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected Data Subjects without unreasonable delay, providing:

• A clear description of the nature of the breach
• The categories and approximate number of individuals and data records affected
• The name and contact details of our Data Protection Officer
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects

16.3 Remediation & Support

In the event of a breach that exposes sensitive personal information, Anubris will:

• Immediately implement containment and remediation measures to prevent further unauthorized access
• Conduct a thorough forensic investigation to determine the root cause, scope, and impact of the breach
• Offer complimentary identity protection and credit monitoring services to affected individuals, where the nature of the compromised data warrants such measures
• Implement corrective actions to prevent recurrence, including updates to security controls, policies, and training programs
• Maintain a detailed breach register documenting all incidents, responses, and lessons learned

We also comply with all applicable U.S. state breach notification laws, which may require notification to state attorneys general and affected residents within specified timeframes.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make changes, we will:

• Post the Updated Policy: The revised Privacy Policy will be published on this page with an updated "Last Updated" date at the top.
• Email Notification for Material Changes: For material changes that significantly affect how we collect, use, or share your Personal Data, we will send an email notification to the address associated with your account or contact record at least thirty (30) days before the changes take effect.
• Website Notice: We may display a prominent notice on our website to inform visitors of material changes to this policy.
• Right to Object: If you do not agree with the changes, you have the right to object and request deletion of your Personal Data before the updated policy takes effect. Continued use of our website and services after the effective date of the updated policy constitutes your acceptance of the revised terms.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. The "Last Updated" date at the top of this page indicates when the policy was most recently revised.

18. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, our data processing practices, or your privacy rights, please do not hesitate to contact us using any of the methods below: