Data Protection Policy

Bioptics Imaging, LLC

Last Updated: October 14, 2025

  1. Definitions
    • Organization: Bioptics Imaging, LLC, a Limited Liability Company registered in Kentucky.
    • Responsible Person: Cindy Sun, CEO/Founder
    • Personal Data: Any information that identifies or can be used to identify an individual, including but not limited to names, addresses, email addresses, biometric data, geolocation, and online identifiers.
    • Register of Systems: A register of all systems or contexts in which personal data is processed by the Organization.
  2. Scope & Applicability

    This policy applies to all personal data processed by Bioptics Imaging, LLC, regardless of format or location, and covers employees, contractors, customers, and third-party service providers.

  3. Legal Framework

    Bioptics Imaging, LLC complies with:

    • All applicable federal laws (e.g., FTC Act, HIPAA, GLBA, COPPA, CAN-SPAM).
    • Kentucky state privacy law (effective July 1, 2025).
    • Other relevant state laws where business is conducted (e.g., California CCPA/CPRA, Colorado, Virginia, etc.).
    • FTC guidance and enforcement actions, including requirements for meaningful consent, protection of sensitive data, and breach notification.
  4. Data Protection Principles

    Personal data shall be:

    • Processed lawfully, fairly, and transparently.
    • Collected for specified, explicit, and legitimate purposes.
    • Adequate, relevant, and limited to what is necessary.
    • Accurate and, where necessary, kept up to date.
    • Retained only as long as necessary for the stated purpose.
    • Protected by appropriate technical and organizational security measures.
    • Subject to individual rights, including access, correction, deletion, and opt-out.
  5. Lawful Bases for Processing

    All data processing must be based on one of the following:

    • Consent (with clear opt-in and opt-out mechanisms).
    • Contractual necessity.
    • Legal obligation.
    • Vital interests.
    • Public task.
    • Legitimate interests (with documented balancing tests).
  6. Individual Rights

    Individuals have the right to:

    • Access their personal data.
    • Correct inaccurate data.
    • Delete their data (“right to be forgotten”).
    • Opt out of data sales, targeted advertising, and profiling (where applicable).
    • Receive notice of data collection, use, and sharing practices.
    • Be notified in the event of a data breach affecting their information.
  7. Data Minimization & Purpose Limitation
    • Only collect and retain data necessary for business operations or legal compliance.
    • Prohibit use of personal data for marketing, targeting, or third-party purposes without explicit consent.
  8. Accuracy & Data Quality
    • Implement processes to keep personal data accurate and up to date.
    • Promptly delete or correct obsolete or inaccurate data.
  9. Data Retention & Archiving
    • Maintain a documented data retention schedule for each category of personal data.
    • Review retention schedules annually.
    • Securely delete or anonymize data when no longer needed.
  10. Security Measures
    • Use modern, up-to-date software and hardware security controls.
    • Limit access to personal data to personnel with a legitimate need (“least privilege” principle).
    • Encrypt sensitive data at rest and in transit.
    • Conduct regular security assessments and risk analyses, including for AI/ML systems impacting privacy.
    • Maintain robust backup and disaster recovery solutions.
  11. Third-Party Processors
    • Conduct due diligence and require contracts with third-party processors to ensure compliance with applicable laws.
    • Require third parties to implement equivalent security and privacy controls.
  12. Children’s Data
    • Comply with COPPA and state laws regarding children’s privacy.
    • Do not knowingly collect personal data from children under 13 without parental consent.
  13. Data Breach Response
    • Promptly assess and respond to any data breach.
    • Notify affected individuals and regulators as required by law (e.g., FTC, state AGs).
    • Follow the FTC’s Data Breach Response Guide.
  14. AI & Automated Decision-Making
    • Conduct privacy impact assessments for AI/ML systems.
    • Implement safeguards to mitigate risks of bias, discrimination, and privacy harms.
  15. Policy Review & Updates
    • Review this policy at least annually or whenever there are significant legal or business changes.
    • Document all updates and communicate changes to relevant stakeholders.
  16. Dispute Resolution

    Any dispute related to this policy or data processing activities shall be arbitrated by the state and/or federal courts in Kentucky. By using this site or services, you consent to the exclusive jurisdiction and venue of such courts.

________________________________________

END OF POLICY