Privacy Policy


Last updated March 23, 2026

This Privacy Notice for Psykit LLC (“we,” “us,” or “our”) describes how and why we might access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:

  • Visit our website at https://www.psykit.ai or any website of ours that links to this Privacy Notice

  • Use PsyKit. PsyKit is a clinical visualization SaaS platform designed for mental health professionals. The platform securely processes clinician‑entered patient notes and historical data to generate intuitive, actionable clinical maps, including genograms, timelines, and diagnostic visualizations. Our services facilitate better clinical insight and patient care through structured data representation and visual analysis, including the use of agentic AI to help clinicians with patient outcomes.

  • Engage with us in other related ways, including any marketing or events

Questions or concerns?
Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at psykitllc@gmail.com.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can learn more about any of these topics by reading the full sections below.

What personal information do we process?
When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information?
Some of the information may be considered “special” or “sensitive” in certain jurisdictions (for example, health data or information about race, ethnic origin, or sexual orientation). We may process sensitive personal information when necessary with your consent or as otherwise permitted by applicable law.

Do we collect any information from third parties?
We do not collect any information from third parties.

How do we process your information?
We process your information to provide, improve, and administer our Services, communicate with you, support security and fraud prevention, and comply with law. We may also process your information for other purposes with your consent.

In what situations and with which parties do we share personal information?
We may share information in specific situations and with specific third parties, for example in connection with business transfers or as required by law.

How do we keep your information safe?
We use appropriate organizational and technical safeguards to protect your personal information. However, no system is 100% secure, and we cannot guarantee that unauthorized third parties will never be able to defeat our security measures.

What are your rights?
Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information, such as rights of access, correction, deletion, objection, or portability.

How do you exercise your rights?
You can exercise your rights by submitting a data subject access request or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

TABLE OF CONTENTS

  1. WHAT INFORMATION DO WE COLLECT?

  2. HOW DO WE PROCESS YOUR INFORMATION?

  3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

  4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

  5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

  6. DO WE OFFER ARTIFICIAL INTELLIGENCE–BASED PRODUCTS?

  7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

  8. HOW LONG DO WE KEEP YOUR INFORMATION?

  9. HOW DO WE KEEP YOUR INFORMATION SAFE?

  10. DO WE COLLECT INFORMATION FROM MINORS?

  11. WHAT ARE YOUR PRIVACY RIGHTS?

  12. CONTROLS FOR DO‑NOT‑TRACK FEATURES

  13. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

  14. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

  15. CONTROLLER VS. PROCESSOR

  16. CLINICAL VISUALIZATION & DECISION SUPPORT DISCLAIMER

  17. AI TRANSPARENCY & AUTOMATED PROCESSING (2026 UPDATE)

  18. SUBSTANCE USE DISORDER (SUD) RECORDS (42 CFR PART 2)

  19. MINIMUM NECESSARY ACCESS STANDARD

  20. SECURITY & ENCRYPTION STANDARDS

  21. BREACH NOTIFICATION PROTOCOL

  22. DATA RETENTION & POST‑TERMINATION DELETION

  23. DO WE MAKE UPDATES TO THIS NOTICE?

  24. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

  25. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, participate in activities on the Services, or otherwise contact us.

Personal information provided by you.
The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include:

  • Names

  • Phone numbers

  • Email addresses

  • Mailing addresses

  • Job titles

  • Usernames

  • Passwords

  • Contact preferences

  • Contact or authentication data

  • Billing addresses

  • Debit/credit card numbers

Sensitive information.
When necessary, with your consent or as otherwise permitted by applicable law, we may process the following categories of sensitive information:

  • Health data

  • Genetic data

  • Data about a person’s sex life or sexual orientation

  • Information revealing race or ethnic origin

  • Information revealing political opinions

  • Information revealing religious or philosophical beliefs

  • Information revealing trade union membership

Payment data.
We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number and the security code associated with your payment instrument. All payment data is handled and stored by Stripe. You can read Stripe’s privacy notice here: https://stripe.com/privacy.

Social media login data.
We may provide you with the option to register using your existing social media account details (for example, Facebook or X). If you choose this option, we will receive certain profile information from the social media provider, as described in the section “HOW DO WE HANDLE YOUR SOCIAL LOGINS?”.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.

Information automatically collected

In Short: Some information — such as your IP address and browser/device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as:

  • IP address

  • Browser and device characteristics

  • Operating system and language preferences

  • Referring URLs

  • Device name

  • Country and general location

  • Information about how and when you use our Services

This information is primarily needed to maintain the security and operation of our Services and for our internal analytics and reporting.

Like many businesses, we also collect information through cookies and similar technologies.

The information we collect includes:

  • Log and usage data. Service‑related, diagnostic, usage, and performance information (such as IP address, device information, browser type, pages and files viewed, searches, features used, and timestamps).

  • Device data. Information about the device you use, such as hardware model, operating system, browser type, unique identifiers, and network information.

  • Location data. Approximate or precise location information, depending on your device settings. You can disable location access in your device settings, though some features may not work properly if you do so.

Google API
Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements:
https://developers.google.com/terms/api-services-user-data-policy

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, support security and fraud prevention, and comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and manage user accounts.
    We process your information so you can create and log in to your account and keep it in working order.

  • To deliver and facilitate delivery of services to you.
    We process your information to provide you with the Services you request, including clinical visualization tools, AI‑assisted workflows, and related features.

  • To respond to user inquiries and provide support.
    We process your information to respond to your questions, troubleshoot issues, and provide technical and customer support.

  • To send administrative information.
    We process your information to send you details about our products and services, security updates, changes to our terms and policies, and other similar information.

  • To fulfill and manage orders.
    We process your information to fulfill and manage subscriptions, payments, invoices, and other transactions made through the Services.

  • To request feedback.
    We process your information to request feedback about your use of the Services so we can improve our platform.

  • To send marketing and promotional communications.
    We process the personal information you provide for our marketing purposes, in line with your communication preferences. You can opt out of marketing emails at any time.

  • To deliver targeted content and advertising.
    We may process your information to develop and display personalized content and advertising tailored to your interests, location, and usage patterns, where permitted by law and your preferences.

  • To protect our Services and users.
    We process your information as part of our efforts to keep the Services safe and secure, including fraud monitoring, abuse detection, access control, and security logging.

  • To identify usage trends.
    We process information about how you use the Services to understand performance, feature adoption, and areas to improve.

  • To measure the effectiveness of our marketing.
    We process your information to understand how our marketing and promotional campaigns perform and to make them more relevant.

  • To save or protect an individual’s vital interests.
    We may process your information when necessary to help prevent serious harm, for example as required by law or professional obligations.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal basis under applicable law, such as your consent, contract performance, legitimate interests, legal obligations, or vital interests.

If you are located in the EU or UK, this section applies to you.

Under the GDPR and UK GDPR, we rely on the following legal bases to process your personal information:

  • Consent.
    We may process your information if you have given us permission (consent) for a specific purpose. You can withdraw your consent at any time (see the “WHAT ARE YOUR PRIVACY RIGHTS?” section).

  • Performance of a contract.
    We process your personal information when it is necessary to fulfill our contractual obligations to you, including providing and supporting the Services you subscribe to.

  • Legitimate interests.
    We process your information when it is reasonably necessary for our legitimate business interests and those interests do not override your rights and freedoms. For example, we may:

    • Send information about updates or relevant offerings

    • Develop and display personalized content and ads

    • Analyze how our Services are used to improve them

    • Support and improve our security and fraud‑prevention practices

    • Understand how users interact with our platform to improve user experience

  • Legal obligations.
    We process your information where it is necessary to comply with legal obligations, such as responding to lawful requests, maintaining required records, or complying with regulatory requirements (including health‑related or financial regulations, where applicable).

  • Vital interests.
    We process your information where it is necessary to protect your vital interests or those of another person, for example in situations involving potential threats to safety.

If you are located in Canada, this section applies to you.

We may process your information if you have given us:

  • Express consent, when you clearly agree to a specific use; or

  • Implied consent, where your actions reasonably indicate that you agree to a particular use (for example, when you submit information to use our Services and it is clear how it will be used).

You can withdraw your consent at any time. In some cases, we may process your information without consent where permitted by law, for example:

  • If collection is clearly in the interests of an individual and consent cannot be obtained in time

  • For investigations, fraud detection, or prevention

  • For certain business transactions that meet legal requirements

  • To comply with subpoenas, warrants, court orders, or other legal processes

  • To identify injured, ill, or deceased individuals and communicate with next of kin

  • Where we have reasonable grounds to believe an individual may be a victim of financial abuse

  • Where consent would compromise the availability or accuracy of the information and the collection is reasonable for investigating a legal or contractual violation

  • Where information is publicly available and allowed by regulation

  • For approved research or statistical purposes under appropriate safeguards.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations described below and/or with specific third parties.

We may share your personal information in the following situations:

  • Business transfers.
    We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.

  • Service providers and subprocessors.
    We may share your information with trusted vendors, service providers, and subprocessors who perform services for us or on our behalf, such as hosting, data storage, analytics, communications, payments, and security. These parties are only allowed to process your information according to our instructions and under appropriate data protection safeguards.

  • Legal and compliance.
    We may share information when we believe it is necessary to comply with applicable law, governmental requests, legal processes, or enforceable regulatory requirements, or to protect the rights, property, and safety of PsyKit, our users, or others.

  • Professional advisors.
    We may share information with our legal, financial, and compliance advisors where necessary for audits, regulatory reviews, or the management of legal matters.

If we ever need to share de‑identified or aggregated information (for example, usage statistics across all users), we will take reasonable steps to ensure that the data cannot reasonably be used to re‑identify an individual.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We may use cookies and similar tracking technologies to collect and store information.

We may use cookies and similar tracking technologies (like web beacons and pixels) when you interact with our Services. These technologies help us:

  • Keep the Services secure

  • Prevent crashes and fix bugs

  • Remember your preferences and settings

  • Understand how the Services are being used

  • Improve performance and user experience

We may also allow certain third parties to use cookies and similar technologies on our Services for analytics and advertising purposes, such as:

  • Measuring traffic and usage patterns

  • Delivering and measuring the effectiveness of ads

  • Showing content that is more relevant to your interests

Where required by law, we will request your consent before using non‑essential cookies or similar technologies.

To the extent that these technologies are considered a “sale” or “sharing” of personal information or “targeted advertising” under applicable US state laws, you may have the right to opt out. See the section “DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?” for more information.

Specific information about how we use cookies and how you can control them may be described in a separate Cookie Notice, if provided.

Google Analytics
We may use Google Analytics to help us understand how the Services are used and to improve performance and user experience. You can learn more about how Google uses data here:
https://policies.google.com/technologies/partner-sites

You can opt out of Google Analytics by installing the browser add‑on available at:
https://tools.google.com/dlpage/gaoptout

You can also manage some advertising settings via:

6. DO WE OFFER ARTIFICIAL INTELLIGENCE–BASED PRODUCTS?

In Short: Yes. PsyKit uses AI to support clinical documentation, visualization, and insights, but it does not replace the professional judgment of a licensed clinician.

PsyKit offers AI‑driven features to help clinicians:

  • Structure and summarize therapist‑entered notes and clinical data

  • Generate visual representations such as timelines, genograms, and patient rings

  • Highlight patterns or risk factors based on information provided by the clinician

  • Draft or assist with clinical documentation and care planning

Key points about AI use:

  • Clinician‑entered data.
    AI‑generated outputs are based on information that clinicians or authorized users input into the platform or data that is lawfully integrated from other systems under the customer’s control.

  • Decision support, not replacement.
    AI features are intended as decision‑support tools. They are not a substitute for independent clinical judgment, diagnosis, or treatment decisions by a licensed professional.

  • Data handling and security.
    Personal and sensitive information used by AI components is processed under the same security, access control, and data protection standards described in this Privacy Notice and in our security documentation.

  • Model improvement.
    Where applicable and permitted by law and contract, we may use de‑identified or aggregated data to improve our models, algorithms, and Services. We do not use identifiable patient data for broader model training outside the scope allowed by our agreements and applicable law.

  • Transparency and control.
    We aim to clearly indicate when AI is involved in a feature or workflow. Depending on your role and configuration, you may be able to adjust or disable certain AI‑driven features.

Additional AI‑specific details are described in the section “AI TRANSPARENCY & AUTOMATED PROCESSING (2026 UPDATE)” below.

7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or log in using a social media account, we receive certain information from that provider.

Our Services may allow you to sign up or log in using your existing social media account details (such as Facebook or X). Where you choose this option, the social media provider will share certain information with us, such as:

  • Name and display name

  • Email address

  • Profile picture

  • Other information you choose to make public via that provider

Exactly what we receive depends on the provider and your privacy settings with them.

We use the information we receive from social logins to:

  • Create and manage your account

  • Authenticate your access

  • Provide features that integrate with that social network

  • Communicate with you as needed

We do not control the way social media providers collect, use, or share your information. We encourage you to review their privacy notices and adjust your settings directly with those providers.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as needed to fulfill the purposes described in this Notice, unless a longer retention period is required or permitted by law.

We retain personal information only for as long as:

  • It is necessary for the purposes described in this Privacy Notice

  • We have an ongoing legitimate business need to do so (for example, to provide you with the Services, comply with legal, tax, or accounting requirements, or maintain security logs)

When we no longer have a legitimate need to process your personal information, we will:

  • Delete or anonymize it; or

  • If deletion is not immediately possible (for example, in backup archives), we will securely store the information and isolate it from further processing until deletion is feasible.

Clinical and health‑related records may be subject to additional legal or contractual retention requirements, depending on the jurisdiction and the role of PsyKit (for example, as a service provider or business associate to a covered entity).

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use appropriate technical and organizational measures to protect your personal information, but no method is completely secure.

We use a combination of technical, administrative, and physical safeguards designed to protect the confidentiality, integrity, and availability of personal information, including:

  • Encryption in transit (e.g., HTTPS/TLS) and at rest where appropriate

  • Access controls based on roles and least‑privilege principles

  • Logging and monitoring of system access and key security events

  • Secure development and testing practices

  • Vendor due diligence and data protection agreements with subprocessors

However, no internet or electronic storage system can be guaranteed to be 100% secure. While we work hard to protect your information, we cannot guarantee that unauthorized third parties will never be able to defeat our security measures.

If we become aware of a data incident that affects your personal information, we will investigate and notify affected parties in accordance with applicable law and our contractual obligations.

10. DO WE COLLECT INFORMATION FROM MINORS?

In Short: Our Services are intended for professional and organizational use and are not directed to children.

PsyKit is designed for licensed clinicians, rehabilitation programs, and related organizations. We do not knowingly market our Services directly to children or allow children to create accounts.

Any personal information about minors processed through PsyKit is entered and controlled by clinicians or organizations in their professional capacity, in accordance with applicable law and professional standards. Those clinicians and organizations are responsible for:

  • Obtaining any necessary consents or authorizations

  • Complying with applicable protections for minors’ data (such as HIPAA or other health privacy laws)

If we learn that an individual has created a user account on our Services who is not permitted to do so under our terms or applicable law, we will take reasonable steps to close the account and remove or anonymize related data.

If you believe we have collected personal information directly from a child in a way that is not permitted, please contact us at psykitllc@gmail.com.

11. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your location, you may have rights over your personal information, such as access, correction, deletion, restriction, objection, and portability.

Your rights may include:

  • Access.
    The right to request confirmation of whether we process your personal information and to receive a copy.

  • Correction.
    The right to request that we correct inaccurate or incomplete personal information.

  • Deletion.
    The right to request that we delete your personal information in certain circumstances.

  • Restriction.
    The right to request that we limit how we use your personal information in certain situations.

  • Objection.
    The right to object to certain types of processing, including direct marketing or processing based on legitimate interests.

  • Portability.
    The right to request a copy of your personal information in a structured, commonly used, and machine‑readable format, and to transmit it to another controller where technically feasible.

  • Withdraw consent.
    Where processing is based on consent, the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

How to exercise your rights
You can exercise many of these rights by contacting us at psykitllc@gmail.com or by using any self‑service tools we provide (such as account settings pages).

We will consider and act upon any request in accordance with applicable data protection laws. Depending on your request and location, we may:

  • Ask you to verify your identity

  • Ask for more information to understand your request

  • Deny your request where an exemption applies (for example, to comply with legal obligations or protect the rights of others), but we will explain our reasons where required by law

If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.

Marketing communications
You can opt out of marketing emails by following the unsubscribe instructions in those emails or by contacting us. Even if you opt out of marketing, we may still send you non‑marketing messages, such as important service or account notices.

12. CONTROLS FOR DO‑NOT‑TRACK FEATURES

Many web browsers and some mobile operating systems include a Do‑Not‑Track (“DNT”) feature or setting. At this time, there is no uniform technology standard for recognizing and responding to DNT signals, so we do not currently respond to them.

If a standard for online tracking is adopted in the future that we must follow, we will describe that practice in an updated version of this Privacy Notice.

13. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

Depending on your US state of residence, you may have additional rights under state privacy laws, such as rights to:

  • Know what categories of personal information we collect, use, disclose, or “sell”/“share”

  • Request access to or deletion of certain personal information

  • Opt out of “sales,” “sharing,” or targeted advertising where applicable

  • Correct inaccurate personal information

  • Limit the use and disclosure of certain sensitive personal information

We do not sell your personal information in exchange for money. However, some uses of cookies and similar technologies for analytics or advertising may be considered a “sale,” “sharing,” or targeted advertising under certain state laws.

If you are a US resident and wish to exercise state‑specific rights, you may contact us at psykitllc@gmail.com with “Privacy Request” in the subject line. We will explain which rights apply to you based on your state and how we handle your request.

We may need to verify your identity before fulfilling certain requests and may decline a request where a legal exception applies, but we will explain our response as required by law.

14. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

If you are located outside the United States, the EU, UK, or Canada, your local laws may still provide you with privacy rights similar to those described in this Notice (for example, access, correction, deletion, objection, or complaint to a regulator).

We will honor rights requests where required by applicable law. You can contact us at psykitllc@gmail.com for more information about how your local rules apply.

15. CONTROLLER VS. PROCESSOR

PsyKit may act as:

  • Controller when we determine the purposes and means of processing certain personal information (for example, information about our website visitors, prospects, and business contacts).

  • Processor (or service provider or business associate) when we process information on behalf of a customer organization (such as a clinic, practice group, or rehabilitation program) under a separate contract.

When we act as a processor or business associate, our customer is primarily responsible for:

  • Defining the legal basis for processing

  • Providing notices to end users (such as patients or clients)

  • Responding to individual rights requests

In those cases, we will refer certain privacy requests to the relevant customer and support them in meeting their obligations, in line with our contracts and applicable law.

16. CLINICAL VISUALIZATION & DECISION SUPPORT DISCLAIMER

PsyKit is designed to support, not replace, professional clinical judgment. Specifically:

  • AI‑generated outputs, visualizations, or suggestions are based on data entered or approved by clinicians or authorized users.

  • PsyKit does not provide medical diagnoses, prescribe treatment, or make independent clinical decisions.

  • Clinicians remain responsible for verifying all information, interpreting visualizations, and determining appropriate care, interventions, and communication with patients or families.

Use of PsyKit does not change or reduce the professional duties, ethical obligations, or regulatory responsibilities of licensed clinicians or organizations.

17. AI TRANSPARENCY & AUTOMATED PROCESSING (2026 UPDATE)

We use AI‑enabled components to enhance documentation, visualization, and analysis. Key points:

  • Types of AI‑assisted processing.

    • Summarizing and structuring clinical notes

    • Generating or updating visual representations like timelines and genograms

    • Identifying potential patterns or risk indicators in the data you enter

    • Drafting suggested language for documentation or reports

  • Human oversight.
    AI outputs are intended to be reviewed, edited, and approved by clinicians. They should not be accepted blindly or used as a sole basis for clinical decisions.

  • Data used for AI.
    AI models may rely on:

    • Data you or your organization provide

    • Configuration data (for example, templates or workflow rules)

    • De‑identified or aggregated data used to improve system performance, where allowed by law and contract

  • No fully automated decision‑making about individuals.
    We do not use AI to make binding, fully automated decisions about patient access to care, clinical diagnoses, or legal rights without human involvement.

If your local law grants specific rights related to automated decision‑making, you may contact us for information about how those rights apply in the context of PsyKit’s features.

18. SUBSTANCE USE DISORDER (SUD) RECORDS (42 CFR PART 2)

For US customers subject to 42 CFR Part 2:

  • PsyKit may process SUD‑related data as a service provider or business associate under your control and in accordance with your instructions.

  • Any SUD information covered by 42 CFR Part 2 will be subject to the stricter rules under that regulation, including limits on disclosure and redisclosure.

  • We will not use or disclose SUD records in a way that would violate 42 CFR Part 2 or relevant contractual terms, and we will support you in meeting your obligations under those rules.

19. MINIMUM NECESSARY ACCESS STANDARD

We apply a “minimum necessary” approach to access and use of personal information:

  • Access to data is limited to personnel and subprocessors who need it to perform their duties.

  • Role‑based permissions are used to help ensure users and administrators only see data relevant to their responsibilities.

  • Customers can configure user roles and permissions in line with their internal policies and regulatory obligations.

20. SECURITY & ENCRYPTION STANDARDS

We aim to align our security program with recognized industry and healthcare‑appropriate practices, which may include:

  • Encryption of data in transit (e.g., TLS/HTTPS) and at rest where appropriate

  • Network segmentation, firewalls, and intrusion detection or prevention tools

  • Strong authentication mechanisms and options for multi‑factor authentication

  • Regular security patching, vulnerability management, and system monitoring

  • Vendor risk assessments and contractual security requirements for subprocessors

More detailed technical information may be provided to customers under separate security documentation or agreements.

21. BREACH NOTIFICATION PROTOCOL

If we become aware of a security incident that compromises the confidentiality, integrity, or availability of personal information:

  • We will investigate and take appropriate remedial steps.

  • Where required by law or contract, we will notify affected customers or individuals without undue delay, providing information we are reasonably able to share at that time.

  • If we act as a processor or business associate, we will notify the relevant customer so they can meet any direct notification obligations they may have toward regulators or individuals.

22. DATA RETENTION & POST‑TERMINATION DELETION

When a customer’s subscription or contract ends:

  • We will follow the data return and deletion terms in the applicable agreement and this Privacy Notice.

  • Upon request and where feasible, we may provide exports of certain data to the customer.

  • After the applicable retention or transition period, we will delete or anonymize customer data from active systems, and subsequently from backups as part of our normal backup lifecycle.

Some data may be retained longer where required by law, regulation, or to establish or defend legal claims.

23. DO WE MAKE UPDATES TO THIS NOTICE?

Yes. We may update this Privacy Notice from time to time.

When we make material changes, we will:

  • Update the “Last updated” date at the top of this Notice, and

  • Provide additional notice where required by law (for example, via email or an in‑app notification).

Your continued use of the Services after an updated Privacy Notice becomes effective means that you have read and understood the changes, to the extent permitted by law.

24. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this Privacy Notice, you may contact us at:

Psykit LLC
Email: psykitllc@gmail.com

25. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You can request to review, update, or delete your personal information by:

  • Emailing us at psykitllc@gmail.com with “Data Request” in the subject line, or

  • Using any self‑service tools we make available within the Services (such as account settings or export features), where applicable.

We will handle your request in accordance with applicable data protection laws, our contracts with customer organizations, and any professional or regulatory obligations that apply.

If you have questions regarding our data practices or HIPAA compliance measures, please contact our Data Protection Officer at Psykitllc@gmail.com. We are headquartered in American Fork, Utah, and remain dedicated to supporting clinical documentation with precision and privacy.
