Master Privacy, Data Protection, Security & Compliance Policy**

Effective Date: December 20, 2025
Last Updated: December 20, 2025

Axendra Group, Inc. (“Axendra,” “we,” “us,” or “our”) is committed to maintaining the highest standards of data privacy, information security, regulatory compliance, and risk management. Protecting personal data, healthcare information, and confidential business information is a core operational responsibility and a foundational element of how we deliver services.

Axendra Group, Inc. is incorporated and headquartered in the Republic of the Philippines and provides technology-enabled healthcare services to organizations worldwide.

This Policy describes how Axendra collects, uses, processes, stores, discloses, transfers, safeguards, and governs personal data across its websites, platforms, services, and internal operations (collectively, the “Services”).

Axendra has designed its privacy and security program to align with applicable global laws, regulations, and industry standards, including but not limited to:

• Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and implementing rules
   
• EU General Data Protection Regulation (GDPR)
   
• U.S. healthcare and privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), where applicable
   
• Contractual privacy, confidentiality, and data protection obligations imposed by clients and partners
   

Axendra continuously evaluates regulatory developments and updates internal policies, procedures, and safeguards to maintain compliance and manage evolving risk.

Axendra maintains a structured approach to data protection governance, including:

• Designated responsibility for privacy, security, and compliance oversight
   
• Documented internal policies governing data protection, security, and acceptable use
   
• Workforce training on confidentiality, privacy obligations, and security awareness
   
• Risk-based assessments of systems, vendors, and processing activities
   
• Incident response and escalation procedures
   

Privacy and data protection considerations are integrated into operational planning, system design, and service delivery.

This Policy applies to all personal data processed by Axendra relating to:

• Website visitors
   
• Clients and prospective clients
   
• Business partners and vendors
   
• Event participants
   
• Job applicants and personnel
   
• Individuals whose personal data is processed in connection with healthcare-related services
   

This Policy does not apply to third-party websites or services not operated or controlled by Axendra.

• Personal Data / Personal Information: Any information relating to an identified or identifiable natural person.
   
• Sensitive Personal Information: Personal data requiring a higher level of protection, including health data, financial data, government identifiers, and other data classified as sensitive under applicable law.
   
• Protected Health Information (PHI): Individually identifiable health information as defined under HIPAA.
   
• Processing: Any operation performed on personal data, whether automated or manual.
   
• Data Subject: An individual to whom personal data relates.
   
• Controller / Processor: As defined under GDPR and applicable laws.
   

• Full name
   
• Business contact details (email, phone, address)
   
• Employer and professional information
   
• Communications, inquiries, and submissions
   
• Event registrations and preferences
   
• Job application materials, including employment and education history
   
• Payment and billing information (processed by third-party providers)
   

• IP address
   
• Browser and device information
   
• Operating system and device identifiers
   
• Usage data, page interactions, and session metadata
   
• Security logs and error reports
   

Axendra uses cookies and similar technologies strictly for:

• Site functionality
   
• Performance and analytics
   
• Security monitoring
   
• Marketing and communications (where permitted)
   

Users may manage cookie preferences through browser settings or consent mechanisms.

Axendra may receive information from analytics platforms, recruitment services, professional networks, or marketing partners, subject to contractual and legal safeguards.

Where GDPR applies, Axendra processes personal data based on one or more lawful bases:

• Consent
   
• Performance of a contract
   
• Compliance with legal obligations
   
• Legitimate interests, balanced against individual rights
   
• Vital interests, where applicable
   

Axendra adheres to the principles of:

• Purpose limitation – data is collected for specified, explicit, and legitimate purposes
   
• Data minimization – only data necessary for those purposes is collected and processed
   

Personal data is not processed in a manner incompatible with its original purpose without appropriate notice or consent.

Where Axendra processes health-related data or PHI:

• Axendra acts as a Business Associate or Data Processor, as contractually defined
   
• Processing is governed by written agreements, including Business Associate Agreements (BAAs) and Data Processing Addenda (DPAs)
   
• PHI access is restricted to authorized personnel on a least-privilege basis
   
• HIPAA-aligned administrative, technical, and physical safeguards are enforced
   

Axendra does not use PHI for advertising or unauthorized purposes.

Axendra:

• Uses PHI solely for permitted purposes
   
• Implements safeguards consistent with the HIPAA Privacy Rule and Security Rule
   
• Ensures subcontractors handling PHI agree to HIPAA-equivalent obligations
   
• Maintains breach detection and response procedures
   
• Notifies Covered Entities of breaches of unsecured PHI without unreasonable delay and no later than 60 days
   
• Supports Covered Entity obligations regarding access, amendment, and accounting of disclosures
   
• Returns or securely destroys PHI upon termination of services, where feasible
   

Personal data may be shared only:

• With vetted service providers under written confidentiality and data protection agreements
   
• Within the Axendra corporate group for legitimate business purposes
   
• With regulators or authorities when legally required
   
• In connection with corporate transactions, subject to safeguards
   
• With explicit consent
   

Axendra does not sell personal data.

Axendra applies risk-based vendor due diligence, including:

• Assessment of security and privacy practices
   
• Contractual data protection obligations
   
• Ongoing monitoring and accountability
   

Subprocessors are authorized only where appropriate safeguards are in place.

Axendra operates internationally. Personal data may be transferred to and processed in jurisdictions including the Philippines and the United States.

Safeguards include:

• Contractual protections
   
• Security controls
   
• Access restrictions
   
• Compliance with applicable cross-border transfer requirements
   

Personal data is retained only for as long as necessary to:

• Fulfill contractual and operational purposes
   
• Comply with legal and regulatory requirements
   
• Resolve disputes
   
• Enforce agreements
   

Secure disposal and deletion methods are applied when data is no longer required.

Axendra maintains an information security program designed to protect confidentiality, integrity, and availability of data, including:

• Role-based access controls
   
• Secure authentication mechanisms
   
• Encryption where appropriate
   
• Network monitoring and logging
   
• Incident detection and response procedures
   
• Workforce confidentiality and security training
   

Security controls are reviewed and updated based on risk assessments.

Axendra maintains documented procedures to:

• Detect and assess security incidents
   
• Contain and remediate threats
   
• Notify affected parties and authorities where required
   
• Conduct post-incident reviews to prevent recurrence
   

Subject to applicable law, individuals may exercise rights including:

• Access
   
• Rectification
   
• Erasure
   
• Restriction
   
• Objection
   
• Data portability
   
• Withdrawal of consent
   

Requests are handled in accordance with legal timelines and verification requirements.

EU/EEA data subjects are informed of:

• Controller/Processor identity
   
• Processing purposes and legal bases
   
• International transfers and safeguards
   
• Retention periods
   
• Rights and complaint mechanisms
   

Axendra does not engage in automated decision-making producing legal or similarly significant effects unless expressly disclosed.

Axendra uses cookies responsibly and transparently. Users are provided with notice and choice mechanisms consistent with applicable law.

Axendra does not knowingly collect personal data from children under 13 years of age.

Axendra regularly reviews and enhances its privacy, security, and compliance controls to address emerging risks, regulatory changes, and industry best practices.

For privacy, data protection, or compliance inquiries:

Axendra Group, Inc.
Email: camille@axendrasolutions.com

All feedback, comments, requests for technical support, and other communications relating to the Sites and our data   collection and processing activities should be directed to:  camille@axendrasolutions.com

Last updated: December 20, 2025