Privacy Policy

Version: 8.0-REV2 | Effective Date: August 1, 2020

  • Document Created: July 22, 2020
  • Last Reviewed: January 25, 2025
  • Next Review Date: January 2026
  • Approved By: Chief Technology Officer
  • Policy Owner: Data Privacy Officer

15.1 Purpose

This Privacy Policy establishes Blue Whale Apps’ commitment to protecting personal information privacy rights, defines responsibilities for collecting, using, storing, and disposing of personal data, ensures compliance with privacy regulations including GDPR and CCPA, and builds trust through responsible data stewardship.

15.2 Scope

Applies to all personal information collected, processed, or stored by Blue Whale Apps including customer personal data, employee and contractor information, website visitor data, business contact information, and Protected Health Information (PHI) when specifically required by contract.

15.3 Definitions

  • Personal Data: Information relating to an identified or identifiable individual (name, email, IP address, location, identifiers).
  • Sensitive Personal Data: Racial/ethnic origin, political opinions, religious beliefs, health information, biometric data, sexual orientation.
  • Data Subject: Individual to whom personal data relates.
  • Data Controller: Entity determining purposes and means of processing (Blue Whale Apps for customer data).
  • Data Processor: Entity processing data on behalf of controller (cloud providers, service vendors).
  • Processing: Any operation on personal data (collection, storage, use, disclosure, deletion).

15.4 Privacy Principles

  • Lawfulness, Fairness, Transparency: Data processed lawfully, fairly, transparently with clear privacy notices.
  • Purpose Limitation: Data collected for specified, explicit, legitimate purposes.
  • Data Minimization: Only adequate, relevant, necessary data collected.
  • Accuracy: Data kept accurate and up-to-date with correction/deletion of inaccurate data.
  • Storage Limitation: Data retained only as long as necessary, then securely deleted.
  • Integrity and Confidentiality: Data processed securely with appropriate protections.
  • Accountability: Blue Whale Apps demonstrates compliance through documentation, policies, training, governance.

15.5 Legal Bases for Processing

Data processed only with valid legal basis:

  • Consent: Clear affirmative consent
  • Contract: Necessary for performance
  • Legal Obligation: Required by law
  • Legitimate Interests: Necessary for business interests balanced against rights
  • Vital Interests: Protect someone’s life
  • Public Task: Official function or public interest

15.6 Data Subject Rights

  • Right to Access: Request copy of personal data and information about processing.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion in certain circumstances.
  • Right to Restriction: Request limitation of processing in certain situations.
  • Right to Data Portability: Receive data in structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Rights Related to Automated Decision-Making: Protection against decisions based solely on automated processing with significant effects.

Request Process: Requests submitted to privacy@bluewhaleapps.com, identity verification required, response within 30 days (extendable to 60 with notification), no fee unless excessive or unfounded, denials explained.

15.7 Protected Health Information (PHI)

Blue Whale Apps collects PHI only when specifically required by contract and with appropriate safeguards.

  • PHI Safeguards: HIPAA-compliant BAAs, enhanced security controls (encryption, access restrictions), minimum necessary principle, breach notification procedures, regular HIPAA assessments, staff training, audit logging.
  • PHI Handling: Separate systems or logical separation, role-based access strictly enforced, encrypted storage and transmission, secure disposal upon retention expiration, no PHI in test/development.

Blue Whale Apps does not collect PHI for general operations. PHI collection occurs only for specific contracted services requiring health data processing.

15.8 Privacy by Design

Privacy integrated into system design: privacy impact assessments for new systems, default settings maximize protection, data minimization in collection and retention, privacy-enhancing technologies, regular privacy reviews.

15.9 Data Security

Personal data protected through encryption, access controls and authentication, network security and firewalls, security monitoring and incident response, regular assessments, vendor security requirements, employee training.

15.10 Data Breach Notification

Immediate containment and investigation, assessment of scope and impact, notification to supervisory authorities within 72 hours (GDPR), notification to affected individuals without undue delay, documentation of breach and response, remediation to prevent recurrence.

15.11 International Data Transfers

When data transferred internationally: adequacy decisions relied upon, Standard Contractual Clauses used, Binding Corporate Rules for intra-company transfers, Data Processing Agreements with recipients, documentation of transfer mechanisms.

15.12 Third-Party Processing

Vendors require Data Processing Agreements, privacy and security assessments, contractual data protection requirements, vendor compliance monitoring, sub-processor approval and documentation.

15.13 Website and Cookies

Privacy notice posted on website, cookie consent mechanisms, analytics data anonymization where possible, third-party tracking disclosure, user choices respected.

Cookie Types:

  • Essential: Necessary for operation
  • Functional: Remember preferences
  • Analytics: Understand usage
  • Marketing: Targeted advertising

User consent obtained for non-essential cookies.

15.14 Children’s Privacy

Blue Whale Apps does not knowingly collect information from children under 13 (or applicable age). If discovered, data immediately deleted and parents notified.

15.15 Privacy Governance

  • Data Privacy Officer: Oversees compliance program, advises on privacy matters, monitors policy compliance, handles data subject requests, liaison with supervisory authorities, conducts privacy training.
  • Privacy Compliance: Regular privacy audits, privacy impact assessments, training for personnel handling personal data, privacy metrics and reporting, continuous improvement.